Removing WLAN/WWAN BIOS whitelist on a Lenovo laptop to use a custom Wi-Fi card

p0358
Feb 10, 2019 · 7 min read

So I had a Lenovo G510 that had a pretty bad Wi-Fi card. Once upon a time I decided that it needed to be replaced, most importantly to cover the 5 GHz band, since the number of other 2.4 GHz networks was large enough to make me lose the signal in the other room frequently enough. Before buying the card, however, I went on a little search only to find out (besides others also complaining about the poor pre-installed Wi-Fi card) that Lenovo had put a whitelist check in the BIOS and would only let you run “authorized” cards. What a pity. Following that, I read that the BIOS is write-protected and the only way to modify it (in order to remove said whitelist) was to use an SPI programmer. That sounded interesting, so I thought I’d give it a try and bought one.

I struggled a bit to find any good resources on this topic, and that is the reason I’m writing this article. Besides removing the whitelist, I also wanted to delete the BIOS password that I apparently had set up a long time ago and forgot. Eventually I gave up on the latter, but removing the whitelist proved to be very easy once you know how to access the needed PE image section.

Firstly, some tips related to the SPI programmer stage. Before you do anything, you need to obtain the BIOS dump. It needs to be yours, and you need to later flash it on the same laptop. You cannot download a clean image from the vendor or use a dump from someone else. Or maybe you can, but it could cause some side effects. I personally used a CH341A-based device, along with the software that came with it (and a SOIC8 clip, so I didn’t have to desolder the chip). Since my exact chip model (25Q064A) wasn’t listed, I tried both EON EN25Q64 and Winbond W25QBV; both worked for it. Now for the reading part: you should clip the chip and read it with verify, then save the result, at least 2 times. Then compare the files’ checksums. That way you will make sure the dump and the clipping are correct. Before saving a file, make sure the read contents are not all “FF FF FF …” until the end, because that means it’s empty and the clipping is wrong; re-adjust it and try again.
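The read-twice-and-compare check above can be scripted. This Python is an added example, not part of the original article or of the programmer's software; the file names passed on the command line are whatever you saved your reads as, and `expected_size` is an optional assumption you supply yourself.

```python
import hashlib
import sys


def first_difference(a, b):
    """Offset of the first differing byte, or None if a and b are identical."""
    if a == b:
        return None
    for offset, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return offset
    return min(len(a), len(b))  # one read is a prefix of the other


def check_dumps(dumps, expected_size=None):
    """Return a list of problems found in repeated reads of one flash chip.

    dumps is a list of bytes objects, one per read. An empty result means
    the reads agree with each other and none of them is blank.
    """
    problems = []
    if len(dumps) < 2:
        problems.append("need at least two reads to compare")
    for i, data in enumerate(dumps):
        # A read that is nothing but FF means the clip made no contact.
        if len(data) == 0 or data.count(0xFF) == len(data):
            problems.append(f"read {i}: empty or all 0xFF, re-seat the clip")
        if expected_size is not None and len(data) != expected_size:
            problems.append(f"read {i}: {len(data)} bytes, expected {expected_size}")
    for i in range(1, len(dumps)):
        offset = first_difference(dumps[0], dumps[i])
        if offset is not None:
            problems.append(f"read {i} differs from read 0 at offset {offset:#x}")
    return problems


if __name__ == "__main__":
    # Usage: python check_dumps.py read1.bin read2.bin [read3.bin ...]
    reads = []
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            reads.append(fh.read())
        print(hashlib.sha256(reads[-1]).hexdigest(), path)
    issues = check_dumps(reads)
    for line in issues:
        print("PROBLEM:", line)
    sys.exit(1 if issues else 0)
```
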

If you disconnect your clip before flashing, make sure it reads correctly again before you flash (tip: the chip contents and checksum will change after a boot, so don’t worry if the checksums differ from your previous dumps; you can still flash the modified version of those dumps over it with no problems). To flash the mod once it’s complete, load the file and press the Auto button. It is going to erase the chip, verify it’s empty, flash the new contents and verify they were saved correctly. Do not flash the chip without first erasing its contents; it will not work properly.

For the mod part, get UEFITool. You may want to get both the old engine and new engine versions. The former lets you actually replace the body of different parts of your image, so it is required for us; the latter displays names instead of GUIDs in the tree and has a search function, which you will need.

Open your dump in UEFITool NE and search for our beloved string “Unauthorized Wireless network card is plugged in” (tick the Unicode option).

Then open the same file in the older-branch UEFITool and find the same PE32 image section in the tree (you can click on the names of items in NE to find out what their GUIDs are).

Then right-click it and extract the body. This is what we’ll need to modify. I personally used IDA Pro, but if you follow this tutorial, you might just as well use a hex editor.

The easiest way to find our function in IDA was to search for the sequence of bytes (our string):

55 00 6E 00 61 00 75 00 74 00 68 00 6F 00 72 00 69 00 7A 00 65 00 64 00 20 00 57 00 69 00 72 00 65 00 6C 00 65 00 73 00 73 00 20 00 6E 00 65 00 74 00 77 00 6F 00 72 00 6B 00 20 00 63 00 61 00 72 00 64 00 20 00 69 00 73 00 20 00 70 00 6C 00 75 00 67 00 67 00 65 00 64 00 20 00 69 00 6E

Then double-click on the only result to go to IDA View and find out that it was correctly identified as a UTF-16LE string. Click on its autogenerated name and press X to go to Xrefs, and open the only function that pops up. Press the hotkey for your decompiler if you have it installed.

We see the checks and an infinite while loop under them. This is what physically prevents our PC from booting up once it detects an “unauthorized” card. We need to modify it. Go to IDA View and locate the infinite loop. It’s easy to see due to an arrow pointing back to the same location block.

Now click the jz a bit above it, which either enters the loop or skips it based on the result of the test instruction above, and choose Edit → Patch program → Assemble…

Change the instruction from jz to jmp; that way it will always jump to the location after the infinite loop.

You can also go to Hex View and change the highlighted 74 to EB manually.

But we can also see that these functions check the whitelist at all only if these variables are true:

Let’s locate what they are via Xrefs. Going back into _ModuleEntryPoint, we see that they are copied from yet other globals.

Let’s see what they are.

Bingo! Seems like this is the global configuration for this module, which sets whether the WLAN and WWAN whitelists are enabled. It will be as simple as changing these two global bytes from 1 to 0 to disable our whitelist completely! Click on the respective bytes and you will see what they are in Hex View.

To edit these, just right-click, click “Edit…”, make the edits, then “Apply changes” (or F2). Easy enough, right? If you don’t have IDA Pro, you should be able to reproduce these changes in any generic hex editor. Now, to save the modified file in IDA, go to Edit → Patch program → Apply patches to input file…
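Before putting the saved file back into the image, it is worth confirming that it differs from the extracted body only in the bytes you meant to change. The following Python is an added example, not part of the original article; the sample bytes are constructed for illustration and are not taken from the real firmware module.

```python
from collections import Counter

# Byte changes this article makes: the short jz (0x74) becomes a short jmp
# (0xEB) once, and the two whitelist-enable bytes go from 1 to 0.
ALLOWED = {(0x74, 0xEB): 1, (0x01, 0x00): 2}


def diff_bytes(original, patched):
    """Return (offset, old, new) for every byte that differs."""
    if len(original) != len(patched):
        raise ValueError("size changed; an in-place patch must keep the length")
    return [(i, o, p) for i, (o, p) in enumerate(zip(original, patched)) if o != p]


def audit_patch(original, patched):
    """Return (ok, changes); ok means only the allowed edits are present."""
    changes = diff_bytes(original, patched)
    seen = Counter((o, p) for _, o, p in changes)
    ok = bool(changes) and all(
        kind in ALLOWED and count <= ALLOWED[kind] for kind, count in seen.items()
    )
    return ok, changes


# Constructed sample, NOT bytes from the real firmware module:
# test eax,eax / jz +2 / jmp $ (infinite loop) / ret, then two flag bytes.
SAMPLE_ORIGINAL = bytes.fromhex("85c0 7402 ebfe c3 01 01")
SAMPLE_PATCHED = bytes.fromhex("85c0 eb02 ebfe c3 00 00")

if __name__ == "__main__":
    ok, changes = audit_patch(SAMPLE_ORIGINAL, SAMPLE_PATCHED)
    for offset, old, new in changes:
        print(f"{offset:#06x}: {old:02X} -> {new:02X}")
    print("only expected edits" if ok else "UNEXPECTED edits, do not flash")
```

To use it on real files, read the extracted body and the patched body with `open(path, "rb").read()` and pass both to `audit_patch`.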

Once that’s done you can replace the image’s body in UEFITool (old engine).

After that, press File → Save image file… It will ask you whether you want to load the modified file. Select Yes and verify there are no errors, then export the modified body again and verify that its checksum matches that of the file you created. If it does, you’re ready to flash your new BIOS!

This all worked for me. Definitely let me know if this article helped you in any way as well.

Links:
· https://www.youtube.com/watch?v=2Y06x1f22B0 — very good tutorial on using SPI programmer
· https://github.com/LongSoft/UEFITool — UEFITool
· https://github.com/gdbinit/EFISwissKnife — didn’t use this, but looks like it might be super-useful if I was to do more in-depth modding
· https://github.com/bdutro/ibm_pw_clear — interesting method one person used to clear a password on an IBM server
· https://web.archive.org/web/20120126182637/http://sodoityourself.com/hacking-ibm-thinkpad-bios-password/ — interesting for password retrieval, but old
· https://highside.pl/G510.jpg — location of the BIOS chip on the G510’s motherboard (yeah, we need to disassemble pretty much the whole laptop into parts in order to access it)
· https://www.bios-mods.com/forum/Thread-General-method-to-remove-whitelist-from-Insyde-BIOS — kind of a similar approach, although it used an almost 10-year-old program to mod the BIOS and modified its memory, where it stored the unpacked BIOS, and it only patched out the infinite loop; I stumbled upon this initially, it didn’t work for me, maybe this EzH2O software is just too old now
