Abort, Retry, Hack? » Hacks

Enabling Intel VT on the Aspire 8930G (and other InsydeH2O-based laptops)

marcan — Sun, 28 Jun 2009 16:30:49 +0000

It seems the ongoing trend for laptops is to integrate and hide as much as possible from the user. We’re all used to minimalistic crappy BIOS setups with two or three configuration options. However, things go way too far when OEMs remove options related to features that the hardware is capable of but which are disabled by default. This happens with Intel VT on many laptops – even if the CPU supports it, you may not be able to find the BIOS setup option to turn it on.

I certainly wanted to use a feature that I paid for, so I started investigating the BIOS and here’s what I found out.

Under the hood

The InsydeH2O BIOS is no ordinary old-style BIOS. Instead, it’s based around the UEFI platform. This goes way beyond the old BIOS paradigm and turns system firmware into practically its own separate OS, that even runs in full 64-bit mode on 64-bit machines. Unfortunately, they make no effort to expose any of this to the user. The firmware has support for booting EFI executables, there’s an EFI shell, there’s an EFI boot manager… but I haven’t been able to figure out how to access any of this.

If you want to reverse engineer EFI stuff, downloading TianoCore’s EDK2 is a must. It contains source code for a lot of Intel’s framework, which is what most vendors use as a base for their EFI support. A lot of the code is exactly the same as what’s in the Insyde BIOS (read the spec here).

As for the Setup tool, it does indeed have a huge Advanced menu with even more options than your average desktop. There’s also a hidden Power menu. EFI defines a “form browser” protocol and formats for user input, which is what Insyde uses for their setup utility (spec here). I found these tables when disassembling the Setup binary and wrote a little dump utility to turn them into text. The result is a complete dump of the Setup hierarchy, including the Advanced menu, which also includes the offsets in the non-volatile storage corresponding to each setting. Insyde stores this configuration blob into an EFI variable named Setup. Here’s my dump: the first part is the hierarchy, while at the end I added a rough auto-calculated mapping from configuration offsets to setting names (grep for [0xOFFSET in the top section for better context - the format is [0xOFFSET] for all references to the storage blob). You’ll find the tools I used here, if you’re interested, but they’re rough and need quite a bit of manual help too.

I wasn’t able to find out how to enable the hidden menus, other than that their form Subclass is 5 instead of 0 (but I haven’t found what, if anything, checks for this and whether its behavior can be altered). However, manually enabling VT support in the Setup variable is easy enough, now that we have the offset of the VT Enable byte.

Enabling Intel VT

The easiest way to enable the setting as far as I can see is to dump out the entire BIOS, patch the setting into the Setup variable (which is part of the data storage section – we aren’t modifying any actual BIOS code, as this is the equivalent of changing a CMOS setting on other BIOSes), and then flash the resulting image. These laptops use a weird flash-behind-EC hardware solution for which there is no open flasher, so instead we can just use the normal BIOS flashing tool. In short, we’ll flash the existing BIOS back on, but in the process also modify a Setup setting.

FAIR WARNING: This might apply to other similar laptops, or it might not. It might work, it might do nothing, or it might brick your expensive laptop. Even if you own an Aspire 8930G, I take no responsiblity if your laptop dies, turns into an expensive brick, melts into a pool of slag, blows up, flicks you off, develops self-awareness, or becomes Skynet. You have been warned. I have only tested this on an Aspire 8930G with BIOS Version 1.10. If you want to try this on another system or BIOS you should make sure you understand EXACTLY what is going on and are prepared to spot any problems or fix things yourself.

First, dump the exiting BIOS out. It resides at the top of the 32-bit address space, and is 2MB in size. You can use dd to dump it out of /dev/mem:

$ dd if=/dev/mem of=original_bios.fd bs=1024 count=2048 skip=4192256

It is a very good idea to back up this BIOS somewhere safe outside the laptop. Note that it not only contains your existing BIOS code, but also all your settings and manufacturer data (serial number, software license if you run an OEM version of Vista, etc).

Next, run vtenable.py. This will attempt to locate the Setup EFI variable on the non-volatile storage section and patch the VT byte to one.

$ python vtenable.py original_bios.fd vt_bios.fd

You can edit the source code to make other changes to the variable, but make sure you know what you’re doing. It’s worth reiterating that this does not patch your BIOS code. It only makes a setting change, just as if you’d turned on the VT option in the BIOS had it been there. In fact, there are two variables: Setup and Custom, and Setup is the one that changes are committed to when you use the setup utility. Restoring defaults should turn VT back off (untested). It also appears that Custom is probably what the setup defaults are, so changing that should semi-permanently enable VT.

I highly recommend performing a sanity diff between the original and modified images using vbindiff:

$ vbindiff original_bios.fd vt_bios.fd

Only two or three bytes should change: one or two adjacent bytes for the checksum (they should be decremented by one when you look at them as a 16-bit unsigned integer), and the VT enable byte should change from 00 to 01. Right after the checksum bytes you should be able to see the Setup name in UTF-16 (something like S.e.t.u.p.).

Finally, flash vt_bios.fd using the vendor-supplied flash utility. I use the DOS version (FLASHIT.EXE) with FreeDOS and a grub menu option so I don’t need to mess around with external media. Grab a base image here, then you can use mtools to copy the bios into it:

$ bunzip2 freedos_flashit.img.bz2
$ mcopy -i freedos_flashit.img vt_bios.fd ::/vt_bios.fd

To boot it using GRUB, get MEMDISK, part of SYSLINUX, and put something like this in your grub.conf:

title=BIOS Update
root (hd0,0)
kernel (hd0,0)/boot/memdisk
initrd (hd0,0)/boot/freedos_flashit.img

Of course, copy memdisk and the boot image to your boot partition, and change (hd0,0) to your boot (or root) partition everywhere and remove the /boot part if you have a dedicated boot partition.

Once you’re in FreeDOS, just type FLASHIT vt and be happy that FreeDOS supports tab-completion

Caveat: by doing this, you’re flashing the entire BIOS image. The flash tool makes no attempt to flash only the parts that changed, and the “flash only variables” commandline option seems to have no effect. You’re effectively reflashing your entire BIOS back on, so the usual BIOS flashing caveats apply: don’t turn the power off, etc. This could be accomplished a lot more cleanly if we had drivers for the flash chip / EC, since then we could use the normal EFI variable store procedure to atomically update the variable, which is completely safe.

You can use the MSR Magic tool to check whether VT is indeed enabled on your CPU.

Update: Several people are working on improved, more general tools to perform this hack across a broader range of InsydeH2O-based BIOSes. Read the comments and check them out, they’ve done some very good work.

More SPMP goodness: now with pseudo-3D

marcan — Sat, 13 Jun 2009 01:06:28 +0000

After a few days of reading very, very weird disassembled code and poking registers, the odd 2D hardware finally works (for the most part). It can draw lines, so I threw in a software 3D transform. Here’s the Stanford Bunny in a glorious 448 vertices and 1416 lines of jaggy wireframe awesomeness.

The chip has hardware line styling (stippling), and you can see 4 different settings (solid, “10″ dashed, “100″ dashed, “1000″ dashed) in sequence. At the higher setting it starts to look more like a point cloud with many more points than it has real vertices.

Also of note: I’m working inside a framework that drives operation of the SPMP from the PC. While the entire bunny transformation and rendering is happening inside the SPMP, the PC sends it the rotation matrix and tells it to go each frame (and also when to switch stippling and whatnot). So it’s slower than it would be in pure standalone hardware, because there’s still at least two serial port ping-pong commands each frame (one memory download for the matrix and one command to tell it to render the bunny with it).

You can grab the (ugly as hell) code in the Git repo.

Fun stuff: the projection is orthographic, so there’s no depth information rendered. This makes the rotation ambiguous. Do you see it rotating clockwise or anticlockwise (looking at it from above)? Can you make your brain switch between them?

Sunplus SPMP305x media player hacking

marcan — Tue, 09 Jun 2009 03:23:59 +0000

I’ve joined a bunch of friends in a quest to reverse engineer and write custom software for Sunplus SPMP305x chips. These chips are inside all sorts of chinese media players, particularly the fairly powerful kind with a camera, video playback, etc. The chip is based around an ARM926EJ-S core, but the peripherals around it are completely custom – check out the marketing blurb. Most current work is on reverse engineering the hardware interface so we can completely replace the default firmware.

If you’re interested and you have one of these or don’t mind spending $33 to get an interesting ARM machine, check out the wiki, Google Code project for the Prex port and other stuff, and my Git repository with a port of MINI and a bunch of client utilities for reverse engineering and testing the hardware stuff. Most importantly, however, come visit us at #spmpdev on the EFNet network! Most of the work and chitchat happens in the IRC channel.

Using Amarok and other iTunesDB compatible software with the iPhone 2.x

marcan — Fri, 02 Jan 2009 19:52:31 +0000

With newer iPods and the iPhone 2.x firmware, Apple decided to implement a new hash scheme for iTunesDB to prevent third-party apps from managing the iPod database. Stupid. They decided to make it part of the FairPlay codebase, including its obfuscation. Very Stupid. But just in case that weren’t enough, then they went ahead and tried to take down the iPodHash project which was attempting to reverse engineer the (annoyingly obfuscated) algorithm. Completely Stupid.

I had previously patched the check out in the MusicLibrary binary, and forgot to write it up. However, I just looked at it again, and it turns out that you can get it to work just by changing a simple XML file. I guess they didn’t really care if jailbroken iPhone users used third-party software.

Here’s how: Edit /System/Library/Lockdown/Checkpoint.xml, find the DBVersion key, and change its value from 4 to 2. Save and reboot. Voila! I haven’t tested this extensively, but it seems to work at least on 2.1 and 2.2. You can then use Amarok or any other libgpod app to transfer data to the device (using the usual sshfs mount trick which is documented elsewhere for 1.x iPhones)

Update: abu from ml_ipod pointed out that DBVersion 3 also works. This version includes the old hash which was already present in older versions. I have tested this to work on version 2.1 of the iPhone software.
Update 2: DBVersion 3 works only on some devices, better stick with DBVersion 2.