Author Topic: Laptop Mini-PCI 'off' switch to defeat BIOS restriction on choice of wifi cards  (Read 4348 times)


Offline plishman

  • Contributor
  • Posts: 5
  • Country: gb
Hi!

This is my first post here, though I've lurked on the youtube channel for a while now!

I have a limited electronics background - a school qualification, some digital electronics at university and work, an interest in physics plus a little understanding of analogue electronics. Also, when I was a kid, a kind TV repair shop owner in the early 80s let me have a bench in his workshop on Saturdays, and he taught me a bit about the subject and got me interested.

The Problem
--------------
I've been trying to find a way to defeat the wifi card BIOS whitelist in my old HP 6710b laptop.

The BIOS whitelist is a restriction imposed by HP in the BIOS code that only permits mini PCI Express wifi cards having certain PCI vendor and device IDs (VEN & DEV IDs) to be used in the computer.


Rant
-----
HP (and other vendors) argue that whitelisting is necessary to comply with FCC electromagnetic compatibility requirements, since card and computer combinations are tested as one unit - which seems a ridiculous argument, since a) not all manufacturers whitelist wifi cards, b) the aftermarket cards you buy are FCC tested and c) after they sell it to me, it's none of HP's business what I do with my computer.

Tested and Possible solutions
--------------------------------
The whitelist restriction means that I can only use a few, long out-of-date wireless cards in my laptop, which is good in other respects and now runs at a reasonable speed with the addition of an SSD hard drive.

Some people have managed to defeat the restrictions on some HP laptops by patching the BIOS, but I cannot do this because HP released a final update to the BIOS, version F.20, which did the user no good at all, but effectively locked down the computer's firmware from any further changes, for all time. (It uses a digital signing scheme to prevent flashing of a modified BIOS).

Given that I cannot flash a modified BIOS, the only other option appears to be to effectively hotplug the card after the BIOS has scanned the PCI bus, so that it cannot give me its 'Error 104 unsupported wireless network device detected' message and halt the computer before it can boot.

Some people doing experiments have found that hotplugging the card allows it to be scanned by the OS after it has booted, defeating the whitelist, but more often than not it fries the card or the mainboard.

So my question is: How can I make a circuit to effectively disconnect the wifi card for a period of time so that the BIOS POST routine thinks it is not there when it scans the PCI bus?

The solution also needs to re-enable the card a few seconds later so that the operating system will detect it when it boots.



What I have found out
-------------------------
I've had a look at the mini PCI Express pinout, and I've found that there are two types of interface used in these 52-pin cards: a USB-2 interface and a PCI express x1 interface. (See attached image mini PCI.png)

I do not know if both interfaces are implemented on the 6710b, but they need not be if the types of cards which can be used are restricted by the BIOS.



Mini PCI Express pinout


PCI express x1 Channel 0
----------------------------
The PCI express x1 channel uses LVDS (low-voltage differential signalling), meaning it requires two pins for outbound data, and two pins for inbound data. I think these are PERn0 and PERp0 (i.e., negative and positive Receive), and PETn0 and PETp0 (i.e. - and + Transmit).

There is a REFCLK+ and REFCLK- signal also, which presumably is a serial clock line using LVDS for transmitted and / or received data on the PCI express channel (this may not be simple; I think that there is some kind of PLL clock mechanism derived from the PCI data, rather than a master clock generated on the PCI bus, to prevent problems associated with clock skew happening with the high-frequency clocks used by the PCI specification).

Power
------
The card has two 1.5 and 3.3v power supplies, plus a 3.3v aux pin. [I think the 3.3v aux may be intended to be shorted to the PERST# (reset) pin on the card when the card is not in a reset state (but I am only surmising this, because they are on adjacent pins)]. There is no 5v or 12v power pin.

USB2 interface
----------------
This is on two pins, USB_D- and USB_D+ (also LVDS?). There are grounds either side of these pins, which may also be for the USB (shielding?).

Miscellaneous - SMBUS
--------------------------
There is also an SMBUS implemented (though I do not know if it is on the HP 6710b laptop), SMB_CLK and SMB_DATA. It looks like a two-wire IIC type bus, which I am familiar with, but I don't expect it is used in the implementation of common Wifi cards.


My Question
--------------
How do I implement a circuit which will make the wifi card appear to be unplugged, either electronically for a few seconds when the BIOS does a PCI bus scan, or on some kind of hard switch?

I need to do this in a way that will not risk destroying the mini PCI card or the PCI bus circuitry when the card is switched in or out.


The mini PCI bus slot in the HP 6710b is of the longer type - double the length of the most recent wifi cards, but not as long as the PCI flash drive cards.

I thought I could implement the circuit on a circuitboard the same size as the smallest form factor mini PCI cards (the latest type), and connect a wifi card of the same size to it to create a full length card of the same size as the slot in the 6710b.

If I tri-state (high impedance) the PERp0 and PERn0, and PETp0 and PETn0 lines, the REFCLK+ / - lines, and for the sake of completeness the USB_D- and + lines, for a fixed period after power on, then allow the signals to pass through the tristate buffer after that, would that do? Would the buffers be fast enough to not interfere with the operation of the PCI bus? Is there an easier way?

Please Help!

Many thanks for reading if you got this far / want to help!  :)

References:
Mini PCI express pinout: http://pinoutguide.com/Slots/mini_pcie_pinout.shtml

« Last Edit: November 20, 2016, 02:00:34 pm by plishman »
 

Offline zl2wrw

  • Regular Contributor
  • *
  • Posts: 51
  • Country: nz
Hi Plishman,

I would not try to interrupt the PERp0, PERn0, PETp0, PETn0 and REFCLK+ / - lines as these are balanced transmission lines carrying Gbps signals.

A better idea would be to interrupt the supply of 1.5V & 3.3V power to the wifi card (delay power on of the card long enough for BIOS to pass execution to the OS).

I can't guarantee that you won't fry your wifi card (or motherboard!) if you do this, but it should be much safer than hot-plugging a card that was never designed to be hot-plugged (in which case nasty things can happen, like the 3.3V rail and data lines making contact before the 0V rail, resulting in 3.3V power going where it shouldn't).
 
The following users thanked this post: plishman

Offline kc8apf

  • Regular Contributor
  • *
  • Posts: 103
  • Country: us
I suggest you go read how PCIe hotplug works. There is a lot more to be done than simply interrupting power or a signal. The BIOS needs to know the slot is hotplug capable so it can preallocate resources (like bus numbers) for the card to use when it is plugged in.


 
The following users thanked this post: plishman

Online blueskull

  • Supporter
  • ****
  • Posts: 11386
  • Country: cn
  • Power Electronics Guy
I don't know much about PCIe hot swapping and hot plugging, but regarding PCIe signals, I can share something with you.
1. REFCLK is a 250MHz clock pair; it is used internally to generate the PCIe bit clock by a PLL. PCIe works without REFCLK, as it can recover the clock from the data lines using CDR, but that requires the PCIe host controller's clock to be within a certain amount of error. If you enable spread spectrum (an EMI mitigation method), then PCIe won't be able to track the system controller's frequency since it is constantly hopping, so you need to bring in an auxiliary clock to let the PLL know in advance what the bit frequency is gonna be; this is REFCLK.
2. Not sure about other manufacturers, but many Intel cards use both PCIe and USB: PCIe for WiFi, USB for Bluetooth.
3. PCIe has a card detection pin, which can be used to implement hot plugging, but whether your laptop's BIOS has this feature enabled, I don't know. You can't re-enumerate PCIe devices in the operating system. At boot, the BIOS will detect all existing PCIe devices, or reserve PCIe slots for hot plugging, then the BIOS will construct an ACPI (the same module that handles power) table. When the OS enumerates PCIe devices, the only thing it does is read the ACPI table. So far I don't know if an OS can force the BIOS to regenerate the ACPI table, but I've tried really hard to do this for another project with no success.
4. Don't mess around with SMBus. SMBus is optional for PCIe and not used for enumeration. The only purpose it serves is to manage devices remotely using IPMI or some in-band supervisor. In a private PC, PCIe SMBus does next to nothing. On the other hand, some vital motherboard features may require SMBus, so if you mess around with it, you may see all sorts of bizarre things happen.

I do have some recommendations: almost all PCIe to Thunderbolt adapters support hot Thunderbolt device plugging, some can even address a large amount of mapped RAM, such as the case when you hot plug a GPU card. I suggest you dig more into how these things work. It's hard without an NDA signed with Intel, but by reverse engineering a physical card, you may see some interesting things.
Another viable path is to just flash a cracked BIOS without a white list, or just flash your WiFi card, or the easiest way, just get a WiFi card that is in the white list.
 
The following users thanked this post: plishman

Offline plishman

  • Contributor
  • Posts: 5
  • Country: gb
Thanks both for your input. I had thought about switching the power lines, but then I discovered the potential for a problem called 'latchup', in which data signals, in the absence of power to the card, cause the parts of the card that the data signals reach to enter an unknown state, potentially frying them. https://en.wikipedia.org/wiki/Latch-up

I don't know if this is a real problem with a serial bus card like a mini PCI Express wifi card... but perhaps it could be. I had hoped that someone had solved this problem before me - I think it would make a great product, a mini pci card with a slot on the back edge for another mini pci card, as a general solution to wireless card whitelisting.

I'm going to monitor this thread for a few days and see if we can converge on a solution that looks doable.

Many thanks again for taking the time to think about this! :)

Edit: blueskull posted while I was writing this. I've looked at reflashing the BIOS - I could do it I think by disassembling the PC and using a SOIC test clip on the SPI EEPROM - the kit to do this is cheap, and others have done it. The problem then is that I would also have to defeat the BIOS code signing/checksum - which could be a major headache. I've never seen this done for the F.20 BIOS, which basically served as a lock to prevent people modding their 6710b's, forever.

[My opinion of this sort of corporate behaviour is that it ought to be treated as criminal damage if a software or firmware update reduces the functionality of a device, as it did in this case. An extreme case was when Apple deliberately bricked iphone 6's which had had a third party replace the fingerprint sensor. Apple thought they were within their rights to destroy a £600 piece of personal property owned by their customers!]

I think that people have got Linux to do a PCI bus rescan - but as blueskull says, it is not simple. It looks like flashing the BIOS, or flashing the wireless card with a supported VEN and DEV, and patching the INF files in the driver may be my only option. (As far as I know the INF files are where the VEN & DEV numbers are specified in the driver software, but chances are there's more to it!)

Many thanks to you all.
 

Offline amyk

  • Super Contributor
  • ***
  • Posts: 6164
Edit: blueskull posted while I was writing this. I've looked at reflashing the BIOS - I could do it I think by disassembling the PC and using a SOIC test clip on the SPI EEPROM - the kit to do this is cheap, and others have done it. The problem then is that I would also have to defeat the BIOS code signing/checksum - which could be a major headache. I've never seen this done for the F.20 BIOS, which basically served as a lock to prevent people modding their 6710b's, forever.
This would be the approach I'd take, because it's arguably the simplest and requires almost no additional cost once it's figured out. If you can patch the whitelist checks out of the BIOS then patching the additional checks shouldn't be that much harder, since it all eventually comes down to a yes/no conditional jump. They can do all sorts of fancy crypto verifying signatures and whatnot, but if you force the code down the right path it doesn't matter.
 
The following users thanked this post: plishman

Offline plishman

  • Contributor
  • Posts: 5
  • Country: gb
Blueskull are you suggesting that the wireless card may have some kind of 'testing' mode where it can be programmed - say on the fly via JTAG or SPI to behave in certain ways that make it compatible with .. whatever device it is plugged in to? Something like that?

If it's something I can put a buspirate on it or something like it, that might make things doable for me...

« Last Edit: November 20, 2016, 04:04:20 pm by plishman »
 

Online blueskull

  • Supporter
  • ****
  • Posts: 11386
  • Country: cn
  • Power Electronics Guy
Blueskull are you suggesting that the wireless card may have some kind of 'testing' mode where it can be programmed - say on the fly via JTAG or SPI to behave in certain ways that make it compatible with .. whatever device it is plugged in to? Something like that?

If it's something I can put a buspirate on it or something like it, that might make things doable for me...

There must be a way to program its VID or PID, unless Lenovo or HP or Dell contacted Intel to roll a custom silicon just for a special VID/PID.
 
The following users thanked this post: plishman

Offline plishman

  • Contributor
  • Posts: 5
  • Country: gb
Blueskull are you suggesting that the wireless card may have some kind of 'testing' mode where it can be programmed - say on the fly via JTAG or SPI to behave in certain ways that make it compatible with .. whatever device it is plugged in to? Something like that?

If it's something I can put a buspirate on it or something like it, that might make things doable for me...

There must be a way to program its VID or PID, unless Lenovo or HP or Dell contacted Intel to roll a custom silicon just for a special VID/PID.

I think this can be done with linux - there is no need to use one of the whitelist approved cards for this - maybe the same vendor, different dev. e.g. http://xenomorph.net/misc/guides/flash-hp-wifi/
 

Offline RGB255_0_0

  • Frequent Contributor
  • **
  • Posts: 774
  • Country: gb
The board may not allow flashing of the BIOS when it's powered up, but what about if you flash the SPI using a programmer when the system is off? Failing that, grab a new SPI chip. With a new chip you may have a problem with the Ethernet MAC address and serial numbers.

Seems like you're trying the difficult route before the simple one.
Your toaster just set fire to an African child over TCP.
 

Offline rstofer

  • Super Contributor
  • ***
  • Posts: 5851
  • Country: us
I don't see where this problem is going to be solved at the 'ordinary, if accomplished, user level'. Buy another laptop, sell the one you have and don't make the same mistake again.
Although I have an HP All-In-One, it was a tough decision. Where I worked we had bought a bunch of HP desktops (this is '386 era) and for some reason, we had a horrible time with the network cards/drivers. Something about the setup was 'non-standard' and caused us a lot of grief. I had decided at the time to avoid HP forever and ever. OTOH, the All-In-One has been pretty nice for several years.

The EU is so down on US based companies that I can almost understand HP's point of view. The last thing they need is an off-brand card being installed and the assembled unit falling out of spec. The EU would take the position that HP should have anticipated all possible configurations, then and into the future, and still maintained compliance. And pay a bazillion dollar fine...

I guess I not only understand their point of view, I think, considering the market, I would do the same thing.
 

Offline grumpydoc

  • Super Contributor
  • ***
  • Posts: 2680
  • Country: gb
What would stop you removing the BIOS ROM (it's an 8-pin SOIC serial EEPROM AFAIK) and replacing it with one flashed with a patched "non-whitelist" BIOS?

You'd need a hot air nozzle and a ROM programmer, obviously.
 

Offline AlxDroidDev

  • Frequent Contributor
  • **
  • Posts: 471
  • Country: br
    • Arduino Web Brasil
What if you just downgrade the BIOS version (w/o the signature protection scheme) and then flash an edited version of the BIOS with the card you want already whitelisted or with the whitelist check disabled?


There are several manuals and guides here https://forums.mydigitallife.info/forums/25-BIOS-Mods
"The nice thing about standards is that you have so many to choose from." (Andrew S. Tanenbaum)
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 11841
  • Country: gb
    • Mike's Electric Stuff
How do the wifi cards store their VID/PID? If it's an EEPROM, then it may be possible to fake an old VID/PID on a new card - you may also have to hack the VID/PID on the drivers as well.
Youtube channel: Taking weird stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline NottheDan

  • Frequent Contributor
  • **
  • Posts: 275
  • Country: gb
How do the wifi cards store their VID/PID? If it's an EEPROM, then it may be possible to fake an old VID/PID on a new card - you may also have to hack the VID/PID on the drivers as well.
Seems like it is EEPROM.
 

Online sleemanj

  • Super Contributor
  • ***
  • Posts: 2280
  • Country: nz
  • Professional tightwad.
    • The electronics hobby components I sell.
Buy USB wifi dongle.

Job.  Done.
~~~
EEVBlog Members - get yourself 10% discount off all my electronic components for sale just use the Buy Direct links and use Coupon Code "eevblog" during checkout.  Shipping from New Zealand, international orders welcome :-)
 

Offline plishman

  • Contributor
  • Posts: 5
  • Country: gb
As I understand it, PCI cards have a 256 byte block of configuration registers/eeprom, accessible via two i/o ports (the Intel IN and OUT instructions are used to access them). Optionally, PCI cards may also have a much larger block of configuration memory, within the computer's memory address space.

The VID/PID is stored (in the cases I've read about) in the 256 byte block, and can be changed.

I've tried to find an already patched bios for the 6710b, and indeed I could flash it using the SPI method, but the machine is now rather vintage, and through web rot most of the old download sites where the various forums stored their patched roms, have long since deleted them.

Yes, of course I could get a dongle. But then I can't use the computer's antenna.

I think in the short term I probably will get an ac usb dongle, but I would rather like to have the full use of my computer!

Many thanks to all who replied.
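To make the 256-byte configuration space and the VEN/DEV check described in the post concrete, here is an added example (not from the original thread, and not HP's firmware code): it parses a type 0 PCI configuration header into vendor, device and subsystem IDs and models the kind of whitelist comparison a BIOS performs. The offsets follow the PCI Local Bus specification; the sample header bytes and the whitelist entries are constructed placeholders, not real HP values.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Offsets within the 256-byte PCI configuration space, type 0 (endpoint) header.
VENDOR_ID_OFF = 0x00      # 16-bit vendor ID (VEN)
DEVICE_ID_OFF = 0x02      # 16-bit device ID (DEV)
HEADER_TYPE_OFF = 0x0E    # bit 7 = multifunction, bits 0-6 = header type
SUBSYS_VENDOR_OFF = 0x2C  # subsystem vendor ID (type 0 headers only)
SUBSYS_ID_OFF = 0x2E      # subsystem device ID (type 0 headers only)
CONFIG_SPACE_LEN = 256


@dataclass(frozen=True)
class PciIds:
    vendor: int
    device: int
    subsys_vendor: int
    subsys_device: int


def parse_config_space(cfg: bytes) -> Optional[PciIds]:
    """Return the IDs of a type 0 header, or None if the slot reads as empty."""
    if len(cfg) != CONFIG_SPACE_LEN:
        raise ValueError("expected a full 256-byte configuration space dump")
    # Config reads from an empty slot return all ones, so vendor 0xFFFF means "no card".
    vendor, device = struct.unpack_from("<HH", cfg, VENDOR_ID_OFF)
    if vendor == 0xFFFF:
        return None
    if cfg[HEADER_TYPE_OFF] & 0x7F != 0x00:
        raise ValueError("subsystem IDs at 0x2C/0x2E only exist in type 0 headers")
    subsys_vendor, subsys_device = struct.unpack_from("<HH", cfg, SUBSYS_VENDOR_OFF)
    return PciIds(vendor, device, subsys_vendor, subsys_device)


def build_config_space(vendor: int, device: int,
                       subsys_vendor: int, subsys_device: int) -> bytes:
    """Constructed sample header for testing; everything outside the ID fields is zero."""
    cfg = bytearray(CONFIG_SPACE_LEN)
    struct.pack_into("<HH", cfg, VENDOR_ID_OFF, vendor, device)
    cfg[HEADER_TYPE_OFF] = 0x00  # type 0 header, single function
    struct.pack_into("<HH", cfg, SUBSYS_VENDOR_OFF, subsys_vendor, subsys_device)
    return bytes(cfg)


# Hypothetical whitelist of (VEN, DEV) pairs; values are placeholders, not HP's list.
WHITELIST = frozenset({(0x8086, 0x1111), (0x8086, 0x2222)})


def whitelist_check(cfg: bytes, allowed=WHITELIST) -> Optional[bool]:
    """Model of the POST check: None if no card, True if allowed, False if rejected."""
    ids = parse_config_space(cfg)
    if ids is None:
        return None
    return (ids.vendor, ids.device) in allowed
```

The `None` result shows why the thread's "make it look absent during POST" idea would work at the configuration-space level: an absent card is simply one whose vendor field reads 0xFFFF, which the check never reaches.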
 

