[GUIDE] Fix Insyde H2O BIOS signature (5 beeps on Lenovo)

[GUIDE] Fix Insyde H2O BIOS signature (5 beeps on Lenovo)

 

I recently bought a Lenovo L440 laptop to install the Mojave macOS and I replaced the wireless card with the DW1560 because the current one is not compatible. I discovered that there was a whitelist of enabled cards that manufacturers are adopting recently (in my case it uses a Phoenix Insyde BIOS H2O).

 

I searched the BIOS Modding forums and found people who did the patch for me. But after replacing the BIOS I noticed that the computer keep beeping 5 times every time I boot. So, I went deeper into this issue and that's when I figured out how to solve it. Then I created this guide based on the information I found in some Russian forums.

 

Preface

 

When the BIOS integrity test fails, some Intel AMT functionality stops working and a sequence of 5 whistles is issued twice at boot.

After modifying to remove whitelist (enable unauthorized WI-FI cards), unlock MSR 0xe2 (hackintosh), enable advanced menu, etc. the BIOS will not pass the integrity test causing this problem.

This integrity check is done through the RSA signature of the BIOS block called TCPABIOS (more information below) with the public key in modulus 3 format also stored in the BIOS.

This TCPABIOS block stores the checksums of each BIOS volume.

 

What we will do is generate new checksum for those volumes that have been modified, generate a RSA (private and public) key pair, sign that block with the private key, and replace the public key.

 

 

Tools needed

 

- EFITool NE alpha 54: https://github.com/LongSoft/UEFITool/releases

- HxD 2.1.0: https://mh-nexus.de/en/hxd/

- OpenSSL: http://gnuwin32.sourceforge.net/packages/openssl.htm (Download -> Binaries)

- Microsoft File Checksum Integrity Verifier (FCIV.exe): https://www.microsoft.com/en-us/download/details.aspx?id=11533

 

Step by step

 

Let's open the modified BIOS, locate the TCPABIOS block and understand its anatomy.

 

1. Open the BIOS with HxD

 

(We will use the modded BIOS in the MyDigitalLife.com forum by the Serg008 user for the Lenovo B590 laptop in this guide)

 

2. Find the word TCPABIOS:

 

 

3. The block starts with TCPABIOS and ends before TCPACPUH

 

 

4. Anatomy:

 

54 43 50 41 42 49 4F 53 48 31 38 34 61 31 31 2F

32 36 2F 31 33 49 42 4D 53 45 43 55 52 00 FD 27

34 2A 35 AB 41 26 39 E3 32 E5 B6 8A D6 49 5B 0B

77 F9 82 58 48 00 00 00 CE 18 1F 00 00 00 03 00

00 00 00 00 00 00 27 00 00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00 00 00 00 FF FF 83 04 D4

52 52 95 C5 D7 21 55 78 0E 5C AD 47 EE C4 3D 1D

C1 EC 69 03 2B 51 A5 42 61 96 22 F9 7B 88 57 B7

A8 9D D0 20 DB 5B 11 10 55 07 84 6C 62 DF FA 2F

6A A8 43 0C 8A 40 AF 79 0D 31 DB 5A 5D C8 2F EB

F8 7C 87 B0 A6 3D 2A 88 AE 91 9D 88 E3 AA 85 E3

5A B3 91 7F 28 68 1F BA 92 C4 7E 10 F5 1A 7E 75

A9 6F CE C0 4F BA FA 79 A5 98 2B 50 60 BA 09 73

7B 03 D1 0C 3E A2 9C 44 DF E9 F2 92 34 7B

 

Gray: Name and Block Information

Red: Volume Information (Checksum and Header)

Blue: Separation of the list of volumes and the block signature

Green: Signature of the TCPABIOS block are the last 128 bytes

 

List of Volumes:

 

Each volume has the format: 00 FD 27 34 2A 35 AB 41 26 39 E3 32 E5 B6 8A D6 49 5B 0B 77 F9 82 58 48 00 00 00 CE 18 1F 00 00 00 03 00 00 00 00 00

                                        (Prefix 3 bytes + checksum 20 bytes + offset 4 bytes + volume size 6 bytes + end delimiter 6 bytes)

 

The volumes are enumerated and use the first byte in the prefix for this (00 FD 27), starting at 0.

The BIOS used in this example has only one volume, but in the case of more than one volume, it would be: 00 FD 27 .., 01 FD 27 ..., 02 FD 27 ...

- Checksum is SHA1 calculation of the volume.

- Offset is the volume position within the BIOS. The bytes are inverted, in this case it would be 00 00 00 48, equals to 48h

- Volume Size is also with the bytes inverted, then: 1F18CEh

 

Then that's it. We need to correct this information (checksum, offset and size)

 

5. To extract the volumes open the BIOS with the UEFITool and see how to identify the volumes (our example there is only one volume if there were others would also be inside EfiFirmwareFileSystemGuid):

 

 

In the original BIOS, circled in red we can see our volume.

Note that in blue we have offset and green the size. Exactly as we checked up on HxD. In the modified BIOS we see that the size is different:

Original: 1F18CEh

Modified: 1F12D5h (we'll need this later)

 

6. Let's extract this volume to calculate the checksum by choosing the "Extract as is ..."

 

 

 

7. Use this command to get the checksum of this volume: fciv.exe -sha1 File_Volume_image_FvMainCompact.ffs

 

 

Now we have the checksum that is 396e0dc987219b4369b1b9e010166302ce635202

 

8. Replace the information in the TCPABIOS block:

 

 

Note that the volume size must have the bytes inverted, so if the total is 6 bytes and is 1F12D5h, becomes D5 12 1F 00 00 00 in place of CE 18 1F 00 00 00.

If the offset is different, also perform the same process by inverting the bytes.

Checksum change from 34 2A 35 AB 41 26 39 E3 32 E5 B6 8A D6 49 5B 0B 77 F9 82 58 to 39 6E 0D C9 87 21 9B 43 69 B1 B9 E0 10 16 63 02 CE 63 52 02

 

Do this for each volume in the BIOS.

 

9. Now we need to generate the checksum of the whole TCPABIOS block but without considering the last 131 bytes, that is to dismiss FF FF 83 + 80 bytes from the previous signature.

 

Copy to a new file in HxD and save as tcpabios

 

 

Use the command to generate the checksum of this block: fciv.exe -sha1 tcpabios

 

 

Checksum of TCPABIOS block: 0da6715509839a376b0a52e81fdf9683a8e70e52

 

Create a new file in HxD and add 108 bytes with 00 and paste the checksum at the end and save as tcpabios_hash, thus:

 

 

10. Now let's generate the RSA private key with modulus 3: openssl genrsa -3 -out my_key.pem 1024

 

 

Sign the file tcpabios_hash: openssl rsautl -inkey my_key.pem -sign -in tcpabios_hash -raw > tcpabios_sign

 

 

Now enjoy to generate the public key: openssl rsa -in my_key.pem -outform der -pubout -out my_key_pub.der

 

 

And generate public key modulus 3: openssl rsa -pubin -inform der -in my_key_pub.der -text -noout

 

 

Copy and paste the key into a text file to use soon. Remove all ":" and put everything on a single line, thus:

 

 

11.   Open the tcpabios_sign file in HxD, copy the contents and replace the signature at the end of the TCPABIOS block:

 

 

 

12. Now let's locate the location of the public key in the BIOS and replace it. This key starts with 12 04 and ends with 01 03 FF and is after the TCPABBLK block.

 

The key looks like this: 12 04 + 81 bytes + 01 03 FF. Search for 01 03 FF to locate more easily. Verify that before the 81 bytes have bytes 12 04 to make sure you found.

 

 

 

Now substitute for the public key that was annotated in the text file previously, thus:

 

 

 

Save and you're ready. Your BIOS is signed and ready.

  On 1/22/2019 at 6:34 PM, ludufre said:

You sir, are a genius!!!

 

I'm also a Type2 - Board Vendor Name1 motherboard, Insyde BIOS H 2O, and I don't know if I can upgrade it. Most of the settings are blocked.

 

System.txt

@linxun This guide is to fix the BIOS RSA signature only. To unlock features you will have to search the internet.