Reverse engineer your BIOS

wooden laptop

[th0mas] has a fun guide to modifying the boot image in your BIOS. This could very easily brick your laptop, but it’s interesting to see how it’s done. He starts by dumping the plain text strings. The magic number for bitmap format appears in the file so he copies a large chunk of data starting at that point. th0mas opens this in MSPaint to maintain the format. After modifying the image it’s placed back in the BIOS file and a couple checks are performed to make sure only the image data has changed. The final section involves running the flash utility in a debugger to find where it checks the CRC. By modifying the program he can then flash the image without the program complaining.

23 thoughts on “Reverse engineer your BIOS

  1. i have a pheonix bios, its a dell, but i used a program to see that the bios is infact from pheonix, i looked around but i cant find any way to edit it my self anyways and there is no like hacked version for me…do you think that editing the bios could let me overclock

  2. Why go through all this trouble and risk bricking your laptop? You could just use a program called Bootskin that is free, and has a huge amount of different skins.

    Find it at Wincustomize.com

  3. hax0r. what program did you use to find out the company responsible for your bios. also, is it possible to reflash the bios chip if it goes horribly wrong

  4. Bootskin is for windows’ splash screen… this is a BIOS hack…. Much more complicated and dangerous (and cool!)

  5. #6: I guess the idea is to learn. It’s easy to use other peoples applications, but to know ‘how’ it actually works can be a lot more fun (and possibly worth the risk o_O).

  6. Ditto #8

    This is the same way the m:robe100 images were hacked. Minus all of the double checking (if something went wrong, it could be easily reversed).

    Not something I’d do to my laptop… But maybe to some nearly derelict ones for fun.

  7. hey guys thanks for the comments,

    #9: while it’s my only laptop I use, it is only a PII 300 so if I had lost it I wasn’t out too much – plus I just bought an EEPROM reader that I want to exercise :).

  8. BIOS modding can be accomplished in a much more sophisticated way. There is software to take it apart and put it back together. This way, even new routines and subprograms can be inserted, for example the ATA security extensions by Arne Fitzenreiter. They manage hard drive passwords and protect them against virus attacks. A great software collection is http://www.dstyles.de/bios/index2.html.

  9. It doesn’t even have to be so dangerous. Just run your BIOS in an emulator first, and if it works, chances are that it will also run in real life.

  10. This is a great hack! No more ugly Dell logo for me. hehe ;) A real shame that most motherboards don’t allow the BIOS flash to be removed. A programmer like TopWin, an adapter to PLCC 32, and some spare chips would let you play around safely.

    Just a note that some fairly modern BIOSes do allow you to make your own splash. Intel has for years: http://support.intel.com/support/motherboards/desktop/sb/cs-009045.htm

    Other Intel boards/ chipsets support similar splashes. If its possible to replace a vendor BIOS with a standard one, you can do a similar hack with a lot less risk.

    There is also LinixBIOS, which lets you do basically anything you want at boot since its Linux. Unfortunately only a few motherboards (mostly AMD Opteron) are supported:

    http://www.linuxbios.org/index.php/Supported_Motherboards

  11. One use for this – if you change your bios ID to one of the vendor specific ones like Dell or Gateway, and you set the DMI info in the motherboard, you could use their Windows XP install disks without activation. Not that this would be legal, so I’m just sayin…

  12. #15:

    Thanks for the link. When I was extracting the BMP I didn’t have internet access, so I didn’t know exactly what the offset was from the filemagic. I did, however, know that I could extract too much information, and that Paint or other image editing/viewing applications wouldn’t care.. I used that fact in my last year’s Malicious C Programming entry :).

    Cheers,
    Tom

  13. #18:
    You’ll notice that the site you reference gives guides for award and ami bioses, and mine is for a toshiba laptop (which is neither).

  14. In my experience, modding the bios is not easy. Not so much that it can’t be dissasembled, patched and checksum’d, but there are no good tools for the PC (hardware wise, no JTAG and no debuggers of any kind at this stage). If you do anything significant and the flash part is soldered on, you basically have one chance to get it right. Ive modded my system and video bios for using older display’s.
    (see http://www.ccs.neu.edu/home/bchafy/lood.html)
    But it took several hotflashes (and in the case of the video bios, eprom erase/rebrun cycles) to get it right. Also, aside from a boot logo mod, there are few avenues for help. Just my 2c.

  15. Hacking the bios does indeed bring risk, but a lot of the newer hardware has bios recovery features implemented to recover your bricked machines from bad flashes. How do you think the OEMs fix their products when people have flashes go wrong? it’s not practical to desolder the chip, reflash it, and solder it back on to the board. Most systems (especially laptops) no longer have removable bios chips, so this feature is becoming common.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s