ludufre Posted January 22, 2019 Share Posted January 22, 2019 [GUIDE] Fix Insyde H2O BIOS signature (5 beeps on Lenovo) I recently bought a Lenovo L440 laptop to install the Mojave macOS and I replaced the wireless card with the DW1560 because the current one is not compatible. I discovered that there was a whitelist of enabled cards that manufacturers are adopting recently (in my case it uses a Phoenix Insyde BIOS H2O). I searched the BIOS Modding forums and found people who did the patch for me. But after replacing the BIOS I noticed that the computer keep beeping 5 times every time I boot. So, I went deeper into this issue and that's when I figured out how to solve it. Then I created this guide based on the information I found in some Russian forums. Preface When the BIOS integrity test fails, some Intel AMT functionality stops working and a sequence of 5 whistles is issued twice at boot. After modifying to remove whitelist (enable unauthorized WI-FI cards), unlock MSR 0xe2 (hackintosh), enable advanced menu, etc. the BIOS will not pass the integrity test causing this problem. This integrity check is done through the RSA signature of the BIOS block called TCPABIOS (more information below) with the public key in modulus 3 format also stored in the BIOS. This TCPABIOS block stores the checksums of each BIOS volume. What we will do is generate new checksum for those volumes that have been modified, generate a RSA (private and public) key pair, sign that block with the private key, and replace the public key. Tools needed - EFITool NE alpha 54: https://github.com/LongSoft/UEFITool/releases - HxD 2.1.0: https://mh-nexus.de/en/hxd/ - OpenSSL: http://gnuwin32.sourceforge.net/packages/openssl.htm (Download -> Binaries) - Microsoft File Checksum Integrity Verifier (FCIV.exe): https://www.microsoft.com/en-us/download/details.aspx?id=11533 Step by step Let's open the modified BIOS, locate the TCPABIOS block and understand its anatomy. 1. Open the BIOS with HxD (We will use the modded BIOS in the MyDigitalLife.com forum by the Serg008 user for the Lenovo B590 laptop in this guide) 2. Find the word TCPABIOS: 3. The block starts with TCPABIOS and ends before TCPACPUH 4. Anatomy: 54 43 50 41 42 49 4F 53 48 31 38 34 61 31 31 2F 32 36 2F 31 33 49 42 4D 53 45 43 55 52 00 FD 27 34 2A 35 AB 41 26 39 E3 32 E5 B6 8A D6 49 5B 0B 77 F9 82 58 48 00 00 00 CE 18 1F 00 00 00 03 00 00 00 00 00 00 00 27 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF 83 04 D4 52 52 95 C5 D7 21 55 78 0E 5C AD 47 EE C4 3D 1D C1 EC 69 03 2B 51 A5 42 61 96 22 F9 7B 88 57 B7 A8 9D D0 20 DB 5B 11 10 55 07 84 6C 62 DF FA 2F 6A A8 43 0C 8A 40 AF 79 0D 31 DB 5A 5D C8 2F EB F8 7C 87 B0 A6 3D 2A 88 AE 91 9D 88 E3 AA 85 E3 5A B3 91 7F 28 68 1F BA 92 C4 7E 10 F5 1A 7E 75 A9 6F CE C0 4F BA FA 79 A5 98 2B 50 60 BA 09 73 7B 03 D1 0C 3E A2 9C 44 DF E9 F2 92 34 7B Gray: Name and Block Information Red: Volume Information (Checksum and Header) Blue: Separation of the list of volumes and the block signature Green: Signature of the TCPABIOS block are the last 128 bytes List of Volumes: Each volume has the format: 00 FD 27 34 2A 35 AB 41 26 39 E3 32 E5 B6 8A D6 49 5B 0B 77 F9 82 58 48 00 00 00 CE 18 1F 00 00 00 03 00 00 00 00 00 (Prefix 3 bytes + checksum 20 bytes + offset 4 bytes + volume size 6 bytes + end delimiter 6 bytes) The volumes are enumerated and use the first byte in the prefix for this (00 FD 27), starting at 0. The BIOS used in this example has only one volume, but in the case of more than one volume, it would be: 00 FD 27 .., 01 FD 27 ..., 02 FD 27 ... - Checksum is SHA1 calculation of the volume. - Offset is the volume position within the BIOS. The bytes are inverted, in this case it would be 00 00 00 48, equals to 48h - Volume Size is also with the bytes inverted, then: 1F18CEh Then that's it. We need to correct this information (checksum, offset and size) 5. To extract the volumes open the BIOS with the UEFITool and see how to identify the volumes (our example there is only one volume if there were others would also be inside EfiFirmwareFileSystemGuid): In the original BIOS, circled in red we can see our volume. Note that in blue we have offset and green the size. Exactly as we checked up on HxD. In the modified BIOS we see that the size is different: Original: 1F18CEh Modified: 1F12D5h (we'll need this later) 6. Let's extract this volume to calculate the checksum by choosing the "Extract as is ..." 7. Use this command to get the checksum of this volume: fciv.exe -sha1 File_Volume_image_FvMainCompact.ffs Now we have the checksum that is 396e0dc987219b4369b1b9e010166302ce635202 8. Replace the information in the TCPABIOS block: Note that the volume size must have the bytes inverted, so if the total is 6 bytes and is 1F12D5h, becomes D5 12 1F 00 00 00 in place of CE 18 1F 00 00 00. If the offset is different, also perform the same process by inverting the bytes. Checksum change from 34 2A 35 AB 41 26 39 E3 32 E5 B6 8A D6 49 5B 0B 77 F9 82 58 to 39 6E 0D C9 87 21 9B 43 69 B1 B9 E0 10 16 63 02 CE 63 52 02 Do this for each volume in the BIOS. 9. Now we need to generate the checksum of the whole TCPABIOS block but without considering the last 131 bytes, that is to dismiss FF FF 83 + 80 bytes from the previous signature. Copy to a new file in HxD and save as tcpabios Use the command to generate the checksum of this block: fciv.exe -sha1 tcpabios Checksum of TCPABIOS block: 0da6715509839a376b0a52e81fdf9683a8e70e52 Create a new file in HxD and add 108 bytes with 00 and paste the checksum at the end and save as tcpabios_hash, thus: 10. Now let's generate the RSA private key with modulus 3: openssl genrsa -3 -out my_key.pem 1024 Sign the file tcpabios_hash: openssl rsautl -inkey my_key.pem -sign -in tcpabios_hash -raw > tcpabios_sign Now enjoy to generate the public key: openssl rsa -in my_key.pem -outform der -pubout -out my_key_pub.der And generate public key modulus 3: openssl rsa -pubin -inform der -in my_key_pub.der -text -noout Copy and paste the key into a text file to use soon. Remove all ":" and put everything on a single line, thus: 11. Open the tcpabios_sign file in HxD, copy the contents and replace the signature at the end of the TCPABIOS block: 12. Now let's locate the location of the public key in the BIOS and replace it. This key starts with 12 04 and ends with 01 03 FF and is after the TCPABBLK block. The key looks like this: 12 04 + 81 bytes + 01 03 FF. Search for 01 03 FF to locate more easily. Verify that before the 81 bytes have bytes 12 04 to make sure you found. Now substitute for the public key that was annotated in the text file previously, thus: Save and you're ready. Your BIOS is signed and ready. 9 1 Link to comment Share on other sites More sharing options...
themacmeister Posted July 30, 2019 Share Posted July 30, 2019 On 1/23/2019 at 5:34 AM, ludufre said: You sir, are a genius!!! 1 Link to comment Share on other sites More sharing options...
linxun Posted August 20, 2019 Share Posted August 20, 2019 I'm also a Type2 - Board Vendor Name1 motherboard, Insyde BIOS H 2O, and I don't know if I can upgrade it. Most of the settings are blocked. System.txt Link to comment Share on other sites More sharing options...
ludufre Posted August 20, 2019 Author Share Posted August 20, 2019 @linxun This guide is to fix the BIOS RSA signature only. To unlock features you will have to search the internet. Link to comment Share on other sites More sharing options...
nsafarm Posted November 16, 2019 Share Posted November 16, 2019 I have succeeded on T440P and failed on X250. I now have whitelist removed, deleted anti theft/computrace and can edit any module after this long process. On newer bios the volume image is not what is checksumed; the entire FFsV2 is computed with SHA1 instead. You have to run ftic on entire EfiFirmwareFilesystemGuid.ffs... fortunately it makes the generation of the checksum much easier. I removed/changed so much and yet it stayed the same. On systems with bootguard, like the X250, it looks like bootguard key is used to sign the bios and the second volume so this modification is not possible. In fact, every attempt to modify modules failed.Maybe with a downgrade at least editing would be possible? I failed to backup the original bios and ended up with a "secure" newer one because I foolishly upgraded it. On the 440P I only used the bios 2.50, before I saw in the changelog all the fixes for Tianocore "vulnerability". Link to comment Share on other sites More sharing options...
ludufre Posted November 17, 2019 Author Share Posted November 17, 2019 Could you send me a dump of your X250 BIOS so I can analyze? I haven't seen anything about Bootguard yet. Link to comment Share on other sites More sharing options...
nsafarm Posted November 18, 2019 Share Posted November 18, 2019 Here is what I have running on it. I don't know if downgrading would prove fruitful in order to get the mods working. http://s000.tinyupload.com/index.php?file_id=72243378644638634752 Link to comment Share on other sites More sharing options...
lyndoo Posted January 2, 2020 Share Posted January 2, 2020 I failed to modify it. Please help me CLCN27WW need Fix signature.zip CLCN27WW Original edition not changed.zip Link to comment Share on other sites More sharing options...
lyndoo Posted January 3, 2020 Share Posted January 3, 2020 This is Lenovo s540 comet lake 400 Series Chipset Family Modifying BIOS content is different tcpabios cannot be found Link to comment Share on other sites More sharing options...
nsafarm Posted January 18, 2020 Share Posted January 18, 2020 I have good news on the X250 front... I downgraded to 1.32 with dosflash (skip checks) and now I can modify the bios again. Unfortunately when I did the signature I think it trips bootguard. Link to comment Share on other sites More sharing options...
lodstein Posted February 19, 2020 Share Posted February 19, 2020 On 11/16/2019 at 10:58 AM, nsafarm said: I have succeeded on T440P and failed on X250. I now have whitelist removed, deleted anti theft/computrace and can edit any module after this long process. On newer bios the volume image is not what is checksumed; the entire FFsV2 is computed with SHA1 instead. You have to run ftic on entire EfiFirmwareFilesystemGuid.ffs... fortunately it makes the generation of the checksum much easier. I removed/changed so much and yet it stayed the same. On systems with bootguard, like the X250, it looks like bootguard key is used to sign the bios and the second volume so this modification is not possible. In fact, every attempt to modify modules failed.Maybe with a downgrade at least editing would be possible? I failed to backup the original bios and ended up with a "secure" newer one because I foolishly upgraded it. On the 440P I only used the bios 2.50, before I saw in the changelog all the fixes for Tianocore "vulnerability". i am trying to checksum a t440p with 2.53 bios and i get lost in the FFsV2 step because how you said the whole FFs2 is computed, can you help me? Link to comment Share on other sites More sharing options...
pitchdown Posted May 20, 2020 Share Posted May 20, 2020 On 11/17/2019 at 4:50 AM, ludufre said: Could you send me a dump of your X250 BIOS so I can analyze? I haven't seen anything about Bootguard yet. Here same issue with my t450S bios which is mod for LCD whitelist. Can you please help me to fix this? My bios-file is at this location : https://gofile.io/d/jdmXi0 Thx for now! Link to comment Share on other sites More sharing options...
MMP748 Posted June 10, 2020 Share Posted June 10, 2020 Hello, can I add a friend? I need your help to unlock the Advanced menu. I will be very grateful Link to comment Share on other sites More sharing options...
rumpumpel1 Posted February 14, 2021 Share Posted February 14, 2021 On 5/20/2020 at 9:10 PM, pitchdown said: Here same issue with my t450S bios which is mod for LCD whitelist. Can you please help me to fix this? My bios-file is at this location : https://gofile.io/d/jdmXi0 Thx for now! Hi pitchdown, did you ever figure out how to do this for your T450s? Link to comment Share on other sites More sharing options...
Recommended Posts