1/21/2020 Removing WLAN/WWAN BIOS whitelist on a Lenovo laptop to use a custom Wi-Fi card

Removing WLAN/WWAN BIOS whitelist on a Lenovo laptop to use a custom Wi-Fi card
p0358
Feb 10, 2019 · 7 min read

So I had a Lenovo G510 that had a pretty bad Wi-Fi card. Once upon a time I decided
that it needed to be replaced, most importantly to cover the 5 GHz band, since the amount
of other 2.4 GHz networks was large enough to make me lose the signal in the other
room frequently enough. Before buying the card, however, I went on a little search only
to find out (besides others also complaining about the poor pre-installed Wi-Fi card) that
Lenovo had put a whitelist check in the BIOS and would only let you run “authorized” cards.
What a pity. Following that I read that the BIOS is write-protected and the only way to
modify it (in order to remove said whitelist) was to use an SPI programmer. That
sounded interesting, so I thought I’d give it a try and bought one.

I struggled a bit to find any good resources on this topic, and that is the reason I’m
writing this article. Besides removing the whitelist, I also wanted to delete the BIOS
password that I apparently had set up a long time ago and forgot. Eventually I gave up on
the latter, but removing the whitelist proved to be very easy provided you know how to
access the needed PE image section.

Firstly, some tips related to the SPI programmer stage. Before you do anything, you need
to obtain the BIOS dump. It needs to be yours, and you need to flash it later on the same
laptop. You cannot download a clean image from the vendor or use a dump from someone else.
Or maybe you can, but it could cause some side effects. I personally used a CH341A-based
device, along with the software that came with it (and a SOIC8 clip, so I didn’t have to
desolder the chip). Since my exact chip model (25Q064A) wasn’t listed, I tried
both EON EN25Q64 and Winbond W25QBV, and both worked for it. Now for the reading
part — you should clip the chip and read it with verify, then save the result, at least 2
times. Then compare the files’ checksums. That way you will make sure the dump and the
clipping are correct. Before saving a file, make sure the read contents are not all
“FF FF FF …” till the end, because that means it’s empty and the clipping is wrong —
re-adjust it and try again.

https://medium.com/@p0358/removing-wlan-wwan-bios-whitelist-on-a-lenovo-laptop-to-use-a-custom-wi-fi-card-f6033a5a5e5a

If you disconnect your clip before flashing, then you want to make sure it reads correctly
before that as well (tip: chip contents and checksum will change after a boot, so don’t
worry if the checksums then differ from your previous dumps; you can still flash
their modified version over with no problems). For flashing the mod after it’s complete,
load the file and press the Auto button. It is going to erase the chip, verify it’s empty,
flash the new contents and verify they’re saved correctly. Do not flash the chip before
first erasing its contents; it will not work properly.
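The read-twice-and-compare check described above can be scripted. This is an added example, not part of the original article: `check_dumps` is a hypothetical helper that flags reads of the wrong size, reads that are entirely 0xFF, and reads that disagree, reporting the first differing offset. The 8 MiB size assumes a 64 Mbit part, and the built-in sample data is constructed.

```python
import hashlib
import sys

def check_dumps(reads, expected_size):
    """Return a list of problems found across repeated reads of one SPI chip."""
    problems = []
    if len(reads) < 2:
        problems.append("need at least two independent reads")
    for i, data in enumerate(reads):
        if len(data) != expected_size:
            problems.append(f"read {i}: size {len(data)}, expected {expected_size}")
        if data and data.count(0xFF) == len(data):
            problems.append(f"read {i}: all 0xFF, clip is probably not seated")
    for i in range(1, len(reads)):
        a, b = reads[0], reads[i]
        if hashlib.sha256(a).digest() != hashlib.sha256(b).digest():
            n = min(len(a), len(b))
            first = next((k for k in range(n) if a[k] != b[k]), n)
            problems.append(f"read {i}: differs from read 0 at offset 0x{first:X}")
    return problems

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: python check_dumps.py read1.bin read2.bin
        reads = [open(p, "rb").read() for p in sys.argv[1:]]
        size = 8 * 1024 * 1024  # assumption: 64 Mbit part = 8 MiB
    else:
        # Constructed 1 KiB stand-ins: a good read, a flaky read, a blank read.
        good = bytes(range(256)) * 4
        flaky = good[:0x201] + b"\xaa" + good[0x202:]
        reads, size = [good, flaky, b"\xff" * 1024], 1024
    issues = check_dumps(reads, size)
    if issues:
        print("\n".join(issues))
    else:
        print("reads agree:", hashlib.sha256(reads[0]).hexdigest())
```

Keep the reads that agree as your untouched backup before any modification.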

For the mod part, get UEFITool. You may want to get both the old engine and new engine
versions. The former lets you actually replace the body of different parts of your image,
so it is required for us; the latter displays names instead of GUIDs in the tree and has
a search function, which you will need.

Open your dump in UEFITool NE and search for our beloved string of “Unauthorized
Wireless network card is plugged in” (tick Unicode option).

Then open the same file in the older branch of UEFITool and try finding the same PE32 image
section in the tree (you can click on item names in NE to find out what their GUIDs are).

Then right-click it and extract the body. This is what we’ll need to modify. I personally
used IDA Pro, but if you follow this tutorial, you might just as well use a hex editor.

The easiest way to find our function in IDA was to search for the sequence of bytes (our
string):

55 00 6E 00 61 00 75 00 74 00 68 00 6F 00 72 00 69 00 7A 00 65 00 64 00 20 00 57 00
69 00 72 00 65 00 6C 00 65 00 73 00 73 00 20 00 6E 00 65 00 74 00 77 00 6F 00 72 00
6B 00 20 00 63 00 61 00 72 00 64 00 20 00 69 00 73 00 20 00 70 00 6C 00 75 00 67 00
67 00 65 00 64 00 20 00 69 00 6E

Then double-click on the only result to go to IDA View and find out that it was correctly
identified as a UTF-16LE string. Click on its autogenerated name and press X to go to
Xrefs, and open the only function that pops up. Press the hotkey for your decompiler if
you have it installed.

We see the checks and an infinite while loop under that. This is what physically prevents
our PC from booting up once it detects an “unauthorized” card. We need to modify it. Go to
IDA View and locate the infinite loop. It’s easy to see due to an arrow pointing back to
the same location block.

Now click the jz a bit above it, which either enters the loop or skips it based on the
result of a test instruction above, and press Edit → Patch program → Assemble…

Change the instruction from jz to jmp, that way it will always make the jump to the
location after the infinite loop.

You can also go to Hex View and change the highlighted 74 to EB manually.

But we can also see that these functions check the whitelist at all only if these variables
are true:

Let’s locate what they are via Xrefs. We go back into _ModuleEntryPoint and see
that they are copied from yet another set of globals.

Let’s see what they are.

Bingo! Seems like this is the global configuration for this module that configures whether
the WLAN and WWAN whitelists are enabled. It will be as simple as changing these two
global bytes from 1 to 0 to disable our whitelist completely! Click on the respective
bytes and you will see what they are in Hex View.

To edit these, just right-click, click “Edit…”, make your edits, then “Apply changes” (or
F2). Easy enough, right? If you don’t have IDA Pro, you should be able to reproduce these
changes in any generic hex editor. Now, to save the modified file in IDA, go to Edit →
Patch program → Apply patches to input file…

Once that’s done you can replace the image’s body in UEFITool (old engine).

After that press File → Save image file… It will ask you whether you want to load the
modified file. Select Yes, and verify there are no errors, then export the modified body
again and verify that its checksum matches the file you created. If it does, you’re
ready to flash your new BIOS!
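The checksum comparison above confirms that UEFITool stored your patched body, but not that the patched body contains only the edits you meant to make. This added example (not part of the original article) diffs the patched body against the original extracted body and flags any byte change other than the ones described here, 74 to EB and the two flag bytes 1 to 0. The function names and sample bytes are constructed for illustration.

```python
import hashlib

# Byte transitions this article's patch makes, with how many of each are expected:
# 74 -> EB (jz short becomes jmp short) and 01 -> 00 (the WLAN and WWAN flags).
ALLOWED = {(0x74, 0xEB): 1, (0x01, 0x00): 2}

def diff_bytes(original, patched):
    """List (offset, old, new) for every byte that differs."""
    if len(original) != len(patched):
        raise ValueError("body length changed; the patch must be made in place")
    return [(i, a, b) for i, (a, b) in enumerate(zip(original, patched)) if a != b]

def audit_patch(original, patched, allowed=ALLOWED):
    """Return (ok, changes, unexpected); ok means only allowed edits were made."""
    changes = diff_bytes(original, patched)
    budget = dict(allowed)
    unexpected = []
    for off, old, new in changes:
        if budget.get((old, new), 0) > 0:
            budget[(old, new)] -= 1
        else:
            unexpected.append((off, old, new))
    return bool(changes) and not unexpected, changes, unexpected

def same_body(patched, reexported):
    """The article's final check: re-exported body must equal the patched file."""
    return hashlib.sha256(patched).digest() == hashlib.sha256(reexported).digest()

if __name__ == "__main__":
    # Constructed stand-in for an extracted PE32 body, not bytes from a real BIOS:
    # test eax,eax / jz +2 / jmp-to-self loop / two nops / two enable flags.
    original = bytes.fromhex("85c0 7402 ebfe 9090 0101")
    patched = bytes.fromhex("85c0 eb02 ebfe 9090 0000")
    ok, changes, unexpected = audit_patch(original, patched)
    for off, old, new in changes:
        print(f"0x{off:04X}: {old:02X} -> {new:02X}")
    print("only expected edits" if ok else f"unexpected edits: {unexpected}")
    print("re-export matches:", same_body(patched, bytes(patched)))
```

An unexpected entry usually means a stray keystroke in the hex editor; fix it before the image goes anywhere near the chip.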

This all worked for me. Definitely let me know if this article did help you in any way as
well.

Links:
· https://www.youtube.com/watch?v=2Y06x1f22B0 — very good tutorial on using an SPI
programmer
· https://github.com/LongSoft/UEFITool — UEFITool
· https://github.com/gdbinit/EFISwissKnife — didn’t use this, but looks like it might be
super-useful if I was to do more in-depth modding
· https://github.com/bdutro/ibm_pw_clear — interesting method one person used to
clear a password on an IBM server
· https://web.archive.org/web/20120126182637/http://sodoityourself.com/hacking-ibm-thinkpad-bios-password/
— interesting for password retrieval, but old
· https://highside.pl/G510.jpg — location of the BIOS chip on the G510’s motherboard
(yeah, we need to disassemble pretty much the whole laptop to parts in order to access it)
· https://www.bios-mods.com/forum/Thread-General-method-to-remove-whitelist-from-Insyde-BIOS
— kind of similar approach, although it used an almost 10 year old program to mod the BIOS
and modified its memory, where it stored the unpacked BIOS, and it only patched out the
infinite loop; I stumbled upon this initially, it didn’t work for me, maybe this EzH2O
software is just too old now
