Jump to content

[GUIDE] Fix Insyde H2O BIOS signature (5 beeps on Lenovo)

1 post in this topic

Recommended Posts

[GUIDE] Fix Insyde H2O BIOS signature (5 beeps on Lenovo)


I recently bought a Lenovo L440 laptop to install the Mojave macOS and I replaced the wireless card with the DW1560 because the current one is not compatible. I discovered that there was a whitelist of enabled cards that manufacturers are adopting recently (in my case it uses a Phoenix Insyde BIOS H2O).


I searched the BIOS Modding forums and found people who did the patch for me. But after replacing the BIOS I noticed that the computer keep beeping 5 times every time I boot. So, I went deeper into this issue and that's when I figured out how to solve it. Then I created this guide based on the information I found in some Russian forums.




When the BIOS integrity test fails, some Intel AMT functionality stops working and a sequence of 5 whistles is issued twice at boot.

After modifying to remove whitelist (enable unauthorized WI-FI cards), unlock MSR 0xe2 (hackintosh), enable advanced menu, etc. the BIOS will not pass the integrity test causing this problem.

This integrity check is done through the RSA signature of the BIOS block called TCPABIOS (more information below) with the public key in modulus 3 format also stored in the BIOS.

This TCPABIOS block stores the checksums of each BIOS volume.


What we will do is generate new checksum for those volumes that have been modified, generate a RSA (private and public) key pair, sign that block with the private key, and replace the public key.



Tools needed


- EFITool NE alpha 54: https://github.com/LongSoft/UEFITool/releases

- HxD 2.1.0: https://mh-nexus.de/en/hxd/

- OpenSSL: http://gnuwin32.sourceforge.net/packages/openssl.htm (Download -> Binaries)

- Microsoft File Checksum Integrity Verifier (FCIV.exe): https://www.microsoft.com/en-us/download/details.aspx?id=11533


Step by step


Let's open the modified BIOS, locate the TCPABIOS block and understand its anatomy.


1. Open the BIOS with HxD



(We will use the modded BIOS in the MyDigitalLife.com forum by the Serg008 user for the Lenovo B590 laptop in this guide)


2. Find the word TCPABIOS:





3. The block starts with TCPABIOS and ends before TCPACPUH




4. Anatomy:


54 43 50 41 42 49 4F 53 48 31 38 34 61 31 31 2F

32 36 2F 31 33 49 42 4D 53 45 43 55 52 00 FD 27

34 2A 35 AB 41 26 39 E3 32 E5 B6 8A D6 49 5B 0B

77 F9 82 58 48 00 00 00 CE 18 1F 00 00 00 03 00

00 00 00 00 00 00 27 00 00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00 00 00 00 FF FF 83 04 D4

52 52 95 C5 D7 21 55 78 0E 5C AD 47 EE C4 3D 1D

C1 EC 69 03 2B 51 A5 42 61 96 22 F9 7B 88 57 B7

A8 9D D0 20 DB 5B 11 10 55 07 84 6C 62 DF FA 2F

6A A8 43 0C 8A 40 AF 79 0D 31 DB 5A 5D C8 2F EB

F8 7C 87 B0 A6 3D 2A 88 AE 91 9D 88 E3 AA 85 E3

5A B3 91 7F 28 68 1F BA 92 C4 7E 10 F5 1A 7E 75

A9 6F CE C0 4F BA FA 79 A5 98 2B 50 60 BA 09 73

7B 03 D1 0C 3E A2 9C 44 DF E9 F2 92 34 7B


Gray: Name and Block Information

Red: Volume Information (Checksum and Header)

Blue: Separation of the list of volumes and the block signature

Green: Signature of the TCPABIOS block are the last 128 bytes


List of Volumes:


Each volume has the format: 00 FD 27 34 2A 35 AB 41 26 39 E3 32 E5 B6 8A D6 49 5B 0B 77 F9 82 58 48 00 00 00 CE 18 1F 00 00 00 03 00 00 00 00 00

                                        (Prefix 3 bytes + checksum 20 bytes + offset 4 bytes + volume size 6 bytes + end delimiter 6 bytes)


The volumes are enumerated and use the first byte in the prefix for this (00 FD 27), starting at 0.

The BIOS used in this example has only one volume, but in the case of more than one volume, it would be: 00 FD 27 .., 01 FD 27 ..., 02 FD 27 ...

- Checksum is SHA1 calculation of the volume.

- Offset is the volume position within the BIOS. The bytes are inverted, in this case it would be 00 00 00 48, equals to 48h

- Volume Size is also with the bytes inverted, then: 1F18CEh


Then that's it. We need to correct this information (checksum, offset and size)


5. To extract the volumes open the BIOS with the UEFITool and see how to identify the volumes (our example there is only one volume if there were others would also be inside EfiFirmwareFileSystemGuid):




In the original BIOS, circled in red we can see our volume.

Note that in blue we have offset and green the size. Exactly as we checked up on HxD. In the modified BIOS we see that the size is different:

Original: 1F18CEh

Modified: 1F12D5h (we'll need this later)


6. Let's extract this volume to calculate the checksum by choosing the "Extract as is ..."




7. Use this command to get the checksum of this volume: fciv.exe -sha1 File_Volume_image_FvMainCompact.ffs




Now we have the checksum that is 396e0dc987219b4369b1b9e010166302ce635202


8. Replace the information in the TCPABIOS block:




Note that the volume size must have the bytes inverted, so if the total is 6 bytes and is 1F12D5h, becomes D5 12 1F 00 00 00 in place of CE 18 1F 00 00 00.

If the offset is different, also perform the same process by inverting the bytes.

Checksum change from 34 2A 35 AB 41 26 39 E3 32 E5 B6 8A D6 49 5B 0B 77 F9 82 58 to 39 6E 0D C9 87 21 9B 43 69 B1 B9 E0 10 16 63 02 CE 63 52 02


Do this for each volume in the BIOS.


9. Now we need to generate the checksum of the whole TCPABIOS block but without considering the last 131 bytes, that is to dismiss FF FF 83 + 80 bytes from the previous signature.


Copy to a new file in HxD and save as tcpabios




Use the command to generate the checksum of this block: fciv.exe -sha1 tcpabios




Checksum of TCPABIOS block: 0da6715509839a376b0a52e81fdf9683a8e70e52


Create a new file in HxD and add 108 bytes with 00 and paste the checksum at the end and save as tcpabios_hash, thus:




10. Now let's generate the RSA private key with modulus 3: openssl genrsa -3 -out my_key.pem 1024




Sign the file tcpabios_hash: openssl rsautl -inkey my_key.pem -sign -in tcpabios_hash -raw > tcpabios_sign




Now enjoy to generate the public key: openssl rsa -in my_key.pem -outform der -pubout -out my_key_pub.der




And generate public key modulus 3: openssl rsa -pubin -inform der -in my_key_pub.der -text -noout




Copy and paste the key into a text file to use soon. Remove all ":" and put everything on a single line, thus:




11.   Open the tcpabios_sign file in HxD, copy the contents and replace the signature at the end of the TCPABIOS block:




12. Now let's locate the location of the public key in the BIOS and replace it. This key starts with 12 04 and ends with 01 03 FF and is after the TCPABBLK block.


The key looks like this: 12 04 + 81 bytes + 01 03 FF. Search for 01 03 FF to locate more easily. Verify that before the 81 bytes have bytes 12 04 to make sure you found.






Now substitute for the public key that was annotated in the text file previously, thus:





Save and you're ready. Your BIOS is signed and ready.

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Similar Content

    • By kromakey
      Hello ,
      Just changed my CPU to a E5450 to be able to Run Mojave , but now I can not run not even EL Capitan    (it was working well with CORE2DUO)
      I already flashed a modified bios to be able to recognise the CPU.
      here some print screens from Verbose :
      AZUS P5K PRO  - CPU E5450 - NVIDIA 9600GT - 5G RAM 
    • By Angelo_
      Hi, I followed the rehabman guide (linked in the vanilla guide on the side of r/Hackintosh, not sure if I can link it) for laptops for my yoga 730ILW13 with an 8265u, Conexant 11870, 8gb of ram, 13.3" fhd and I found that upon booting the installer usb I get this weird issue where the screen displays what it should but the screen is incredibly dim (though it was off before using a flashlight on it) and it flashes every few seconds for a few milliseconds to the correct brightness, I used the plist for hd615-650 (including my 620), not quite sure what could be the culprit, first time hackintoshing a laptop so it might be a stupid brightness kext I forgot but didn't find any in that post or in this forum :c 
      Attached the clover zip so that anyone with more experience than me might give an idea in what could be a way to fix this.
      Thank you in advance 
    • By ciriousjoker
      I'm trying to boot MacOS on a Chromebook without UEFI. I'm stuck at getting the bootloader (Chameleon/Clover) to work.  
      My setup / context:
      I have an Acer Chromebook Spin 13.
      Available ports:
      2 x USB-C 1 x USB-A 3.0 MicroSD Slot No USB A 2.0 (I've read that Clover has problems with USB 3.0) Firmware:
      There's no UEFI firmware available and by default, it doesn't even allow booting anything other than ChromeOS. Thanks to MrChromebox (big shoutouts!), I flashed a custom legacy bios that allows me to boot anything linux related. This bios is flashed into the RW_LEGACY section of the existing bootloader (coreboot afaik) and doesn't have any configuration options. If I have to change a setting, I could try compiling his bios payload myself with the specific setting enabled.  
      What I've tried so far:
      Chameleon attempts:
      Only selected setting was "Install chameleon on the chosen path", rest was unselected.
      1 - Install chameleon first without restoring the basesystem:
      > boot0: GPT
      > boot0: done
      (hangs; pressing power button once shuts down
      Chameleon installation log is attached as "Chameleon_Installer_Log_BEFORE".
      2 - Install Chameleon after restoring the base system:
      > boot0: GPT
      > boot0: GPT
      > boot0: doneboot1: /boot       <- Exactly like that, no line break in between
      (hangs; pressing power button once shuts down)
      I haven't been able to reproduce #2 after wiping the drive and doing the same thing again. Subsequent attempts have resulted in either #1 of either Chameleon or Clover.
      Chameleon installation log is attached as "Chameleon_Installer_Log_AFTER".
      Clover attempts:
      I tried multiple settings and configurations, but all of them boiled down to either one of these.
      1 - Doesn't do anything, just hangs at "Booting from usb..."
      2 - Boots into the blue/grey mode as shown in the attached images.
      According to MrChromebox, this could be an old Tianocore DUET It doesn't detect anything (cpu frequency, ram, partitions or disks)  
      I've read pretty much every article, github readme and other types of documentation for coreboot, tianocore, clover, chameleon and MrChromebox' rw_legacy payloads and right now, I'm totally clueless as to what to try next...
      A few questions that came up:
      Why does chameleon hang? What is it looking for, /boot was clearly written to the disk by the Chameleon installer? What exactly is the blue/grey image? According to MrChromebox, it could be Tianocore DUET Where does it come from? Clover? The mainboard itself? Why does the blue/grey thing not detect my processor frequency or any partitions/drives? Can I use some sort of DUET bootloader to chainload Clover?  
      If you guys could answer any of them or if you have any other guesses or information as to what's happening, I'd be really happy!

    • By Oschly
      Hi! I have a problem with 10.14.4 on booting stage (photo).
      My specs:
      MOBO: Z390 MAG Tomahawk
      CPU: i7-8700k
      GPU: RX 580 Nitro+
      Wifi: BCM4331CD
      RAM: Corsair Vengeance LPX 3000MHz 16CL
      I've updated every kext and driver (clover version too) and only difference is that I don't have lines informing about not loading kexts (common issue here as I see).

    • By tluck
      Lenovo T460 macOS with Clover Guide
      Latest Release on GitHub (April 2019) Updated to Clover r4918 Updated Lilu kexts - ALC, WEG Merged Verleihnix' config.plist - especially to NOT inject GFX Updated BacklightInjector as option to WEG.
        Various Tweaks over Last months The zip file is a complete Clover ESP (/EFI) bundle and kext pack for the Lenovo T460. The current file bundle is tested on Sierra. 
      Note: I never got the GFX fully working on El Capitan. 
      Full Clover file set - config.plist etc. Includes all custom kexts Includes custom DSDT/SSDT scripts and patches Utility scripts The zip bundles are posted to GitHub: https://github.com/tluck/Lenovo-T460-Clover/releases
      Caveat: The T460 systems used here was configured with: i5-6300U, Intel HD Graphics 520, 1920x1080 touch screen. If you have a different system model, then extract the ACPI files and use the included scripts to create a set of files consistent with your system type and BIOS version. See below for details.
      Credits: RehabMan, Shmilee, vusun123, TimeWalker, Mieze from which, much of their work and help is/was was used to get the T460 to this point.
      Devices and aspects working:
      Ethernet -  Intel I219LM is enabled via IntelMausiEthernext.kext WiFi/BT - substitute the Intel WiFi/BT with a compatible Broadcom or Atheros chip Audio - ALC293 codec implemented via AppleALC.kext (old AppleHDA_ALC293 and CodecCommander kexts are not needed) PS2 - ClickPad + TrackPoint + all 3 buttons - using a modified VoodooPS2Controller to support new layouts - and added some custom Fn key maps based on 440/450 dsdt USB - implemented via custom SSDT + USBInjectAll kext. All USB3/USB2 ports are intel-based and work -  3 external USB and internal Camera, BT, etc  Sleep/Wake - the sleepwatcher package and custom sleep/wake scripts are used to help with sleep/wake for BT and PS2 devices. Note: have not tried to implement the SD card reader - no driver found.
      ACPI Files
      New Installation - Steps and Details
      Part 1 - OS Installation
      Part 2- Post OS Installation and Setup
      Notes on Custom Kexts