7/23/2019 BDMaster GUIDE Extract Encapsulated Bios
http://slidepdf.com/reader/full/bdmaster-guide-extract-encapsulated-bios 1/14
BDMaster's GUIDE to Extract Encapsulated Bios
To extract the original BIOS from the encapsulated version, you have to find the "FLASH" string.
The BIOS normally has a length of 4194304 bytes (0x400000), so count 4096 KB from here to get the end.
Note that the BIOS is encapsulated and uncompressed!
If you run the upgrade utility, it will decompress the BIOS and you will find it as a .bin, .rom or .fd file in the %TEMP% folder. It could have a different size, over 4096 KB,
but only because it is encapsulated in a DOS or Windows .exe program.
Here is an example: Acer Aspire V3-771G BIOS v.2.23 (VAGV223)
Start 0x00000000 (MZ = Microsoft executable program)
4D5A00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000B0000000
MZ..............................................................
Search for "FLASH" in a hex editor. (Remember: if you use the decompressed BIOS file there will be 4 items, but in the .exe there are 5; the first one doesn't count.)
1st item :
69440D538356AD4EAF7954D1882B8A35245F49464C4153485F4452565F494D470000570020F754004D5A00000000000000000000000000000000000000000000
iD.S.V.N.yT..+.5$_IFLASH_DRV_IMG..W. .T.MZ......................
Look at $_IFLASH_DRV_IMG
2nd item :
00000000000000004923454649234452565F312E32640000244953423338A1DD42C3AE4EB5C9C2D7D613DBB8000000000000000000000000245F49464C4153485F42494F53494D470000400000004000
........I#EFI#DRV_1.2d..$ISB38..B..N....................$_IFLASH_BIOSIMG..@...@.
Look at $_IFLASH_BIOSIMG
3rd item :
2442494430313433330000000000000000000000000000000000000000000000BF5041EB1D00000000000000000000000000000000000000CD04F4FF000000000F09E9 ABFA000000000000000000F4FF0000000000000000245F49464C4153485F494E495F494D4700000100C17C0000
$BID01433........................PA.....................................................$_IFLASH_INI_IMG.....|..
Look at $_IFLASH_INI_IMG and $BID01433
4th item :
000000000000000000000000000000000000000000000000245F49464C4153485F45435F494D475F0000100000000100020070020008222232323202054ED2AF
........................$_IFLASH_EC_IMG_..........p...""222..N..
Look at $_IFLASH_EC_IMG_
So to find the header in the encapsulated BIOS, look at the 2nd item, $_IFLASH_BIOSIMG, and precisely at $_IFLASH_BIOSIMG..@...@.
245F49464C4153485F42494F53494D470000 400000004000 = $_IFLASH_BIOSIMG..@...@. (in little endian 00 00 40 = 40 00 00 = 0x400000 = BIOS length!) So we have the file end too!
So 400000004000 is the end of the header, and the real BIOS to extract starts right after it. Select the block from that last 00 back to the first byte of the file and cut it!
Now the real BIOS and the footer are still encapsulated together, so you have to locate the footer.
To find the footer in the encapsulated BIOS, look at the 3rd item, $_IFLASH_INI_IMG, and $BID01433.
$BID01433 = real BIOS end + 54 (decimal) or 36 (hex) bytes. Also look for the 2-byte repetition (it may be F4 FF); these bytes differ between BIOSes.
244249443031343333 = $BID01433
CD04 F4 FF 000000000F09E9ABFA000000000000000000 F4 FF (2 bytes repetition)
245F49464C4153485F494E495F494D4700000100C17C0000 = $_IFLASH_INI_IMG.....|..
So $BID01433 = real BIOS end + 54 (decimal) or 36 (hex) bytes coincides with the second F4 FF; this is the last byte of the real BIOS, and everything that comes after it is the footer.
So select from the next byte to the last byte at the end of the file and cut it.
We now have the BIOS extracted and pure; save it and use it. But it doesn't end here . . .
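The header step above can be scripted instead of done by hand in a hex editor. The following is an added example, not part of the original guide: it locates $_IFLASH_BIOSIMG, reads the length that follows it, and uses start + length as the end instead of searching for the footer. It assumes the 8 bytes after the tag are two 32-bit little-endian size fields (as in the sample header) and trusts the first; the function names and the sample file layout are constructed for illustration.

```python
import struct

TAG = b"$_IFLASH_BIOSIMG"  # header marker of the 2nd "FLASH" item in the guide
FIELDS = 8                 # assumption: two 32-bit little-endian size fields follow


def find_bios_image(blob):
    """Return (start, length) of the raw BIOS inside an encapsulated updater."""
    pos = blob.find(TAG)
    while pos != -1:
        raw = blob[pos + len(TAG):pos + len(TAG) + FIELDS]
        if len(raw) == FIELDS:
            length, _second = struct.unpack("<II", raw)
            start = pos + len(TAG) + FIELDS
            # Skip hits whose length field cannot describe a real image,
            # e.g. the tag stored as a plain string inside the flasher code.
            if 0 < length <= len(blob) - start:
                return start, length
        pos = blob.find(TAG, pos + 1)
    raise ValueError("no usable $_IFLASH_BIOSIMG header found")


def extract_bios(blob):
    """Drop everything up to the header end and everything after start + length."""
    start, length = find_bios_image(blob)
    return blob[start:start + length]


def make_sample(bios):
    """Constructed stand-in for an updater .exe (not a real vendor file)."""
    decoy = TAG + b"\xff" * FIELDS  # tag followed by an impossible length
    header = TAG + struct.pack("<II", len(bios), len(bios))
    footer = b"$_IFLASH_INI_IMG" + bytes(8)  # constructed footer bytes
    return b"MZ" + bytes(62) + decoy + header + bios + footer


if __name__ == "__main__":
    sample = make_sample(bytes(range(256)) * 4)
    start, length = find_bios_image(sample)
    print(f"BIOS starts at 0x{start:X}, length 0x{length:X}")
    print("extracted", len(extract_bios(sample)), "bytes")
```

On a real updater, compare the reported length with the expected 0x400000 before using the output.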
For Insyde UEFI version 1.xx BIOS files, we have to do a different extraction:
We have to find the marker 0x5AA5F00F (it's palindromic), which is always positioned at offset 0x00020000. Select everything from this offset back to the SOF (start of file) and cut it, that is, everything before offset 0x00020000, leaving 5120 KB (0x00051FE00 bytes). Save it, and you have the extracted BIOS (firmware) . . .
We now have the BIOS extracted and pure; save it and use it. But it doesn't end here.
We can extract only the BIOS Region chunk from this file, so we can use it for a generalized modification, as it is pure and doesn't replace any variable in the VSS (Variable Store)! So take the extracted file we got here and find the BIOS Region signature (5F5053575F00 = _PSW_.); this is the starting offset, and the end will be the EOF (end of file). Look here:
How to extract the BIOS Region only, to use in a generalized BIOS Region flash:
In an Acer BIOS file you first have to extract the decapsulated BIOS, then find the BIOS Region signature (5F5053575F00 = _PSW_.) or the new one (4143455241424354 = ACERABCT). To know the offsets of all the BIOS regions, you have to use UEFITool by CodeRush! For this Acer Aspire V5-171G you'll find that the BIOS Region starts at offset 0x180000 and has a size of 0x380000. You can copy that hex chunk into a new file: copy from offset 0x180000 to 0x380000 and you get the pure BIOS Region, to reflash with the FPT tool as a generalized BIOS for all laptops: FPT -f GenBios.bin -bios
So extract this chunk and save it as the BIOS Region, et voilà!