Overclock.net forum thread

1 - 9 of 9 Posts

Post #1, Discussion Starter (Registered, 5 Posts), edited:
I am trying to bypass the security checks to install a modded Pascal VBIOS ( http://forum.notebookreview.com/threads/mobile-pascal-tdp-tweaker-update-and-feedback-thread.806161/ ) and found an interesting node.
I think the security check starts somewhere after the "EEPROM ID....." line.
Which subroutine starts the flashing after the security check?

I'm not a programmer and this is my first attempt, so please use more beginner-friendly language here.
I had the idea after I came across this thread: http://resources.infosecinstitute.com/applied-cracking-byte-patching-ida-pro/
 

Post #3, Discussion Starter (Registered, 5 Posts), edited:
sub_1401D2CB0 writes the line "EEPROM ID(...) : ....." , page

Only sub_140111D60 and sub_1401137D0 contain all the success lines; it looks like sub_140111D60 is part of the flashing routine I'm searching for.
 

Post #4, Discussion Starter (Registered, 5 Posts), edited:
When I try to save the file with pe_write.idc it doesn't save the changes I made in the database; I think this is because the script is outdated.
There are more sections than pe_write.idc writes.

EDIT:

Use the "Apply patches to input file..." option under Edit > Patch program.
 

Facepalm (8,628 Posts):
Wait, this allows flashing a Pascal modified BIOS?
 

Post #6, Discussion Starter (Registered, 5 Posts), edited:
Quote: "Wait, this allows flashing a Pascal modified BIOS?"
Yes, this is what I'm trying with IDA Pro, but it's very hard to find the point(s) in the code to bypass the certification check.
Learning assembly language from scratch takes too much time, which I don't have, so I think I won't find it by myself.

BTW, this looks interesting and it's part of the flashing after the EEPROM ID stuff: sub_1401B8E00
 

Registered, 57 Posts:
I've done some experimentation myself. I jmp over the failures and continue execution, but it does not successfully write anything to the card; the write function is returning an error indicating an incomplete verification state....

I think previously with Maxwell it was an internal check only within NVFlash. I suspect with the new license setup the verification is likely performed on the card itself after the firmware payload has been written to a temporary buffer on the card, so I'm starting to think any amount of messing around with NVFlash will not result in a successful flash.

You can see patched and unpatched behavior in the screenshots.
 


Registered, 1,233 Posts:
Interesting topic..... Does it make any callbacks to the internet, or did you just stop after you started seeing the internal and external verifications?
 