GitHub - hamishcoleman/thinkpad-dosflash: Attempt to Reverse Engineer the Thinkpad DOSFLASH utility

hamishcoleman / thinkpad-dosflash Public

Notifications You must be signed in to change notification settings
Fork 0
Star 26

Attempt to Reverse Engineer the Thinkpad DOSFLASH utility

Notifications

Name		Name	Last commit message	Last commit date
Latest commit History 155 Commits
fmem @ fd4b4be		fmem @ fd4b4be
kmod		kmod
radare		radare
.gitignore		.gitignore
.gitmodules		.gitmodules
LICENSE		LICENSE
Makefile		Makefile
README		README
dd_hack.pl		dd_hack.pl
dosflash.config		dosflash.config
dosflash.config.fake		dosflash.config.fake
dump_acpi.pl		dump_acpi.pl
dump_coff.pl		dump_coff.pl
dump_exe.pl		dump_exe.pl
dump_flashmap.pl		dump_flashmap.pl
dump_pfh.pl		dump_pfh.pl
fake.bios.asm		fake.bios.asm
fake.fl2.asm		fake.fl2.asm
g2uj23us.dosflash.flat.patch		g2uj23us.dosflash.flat.patch
g2uj23us.iso.orig.sha1		g2uj23us.iso.orig.sha1
kvm_flat.c		kvm_flat.c
notes.txt		notes.txt

Repository files navigation

This project is an attempt to reverse engineer the Lenovo DOSFLASH.EXE
tool that is used to flash new BIOS and Embedded Controller firmware.

The DOSFLASH tool is a djgcc compiled program with a 32-bit executable
inside it, so this project extracts the 32bit and examines it.

There is a radare project for the 32-bit flat executable.

There is also a hypervisor to run the flat executable with extensive
trapping and debug output on what it is doing.

    make kvm_flat
    ./kvm_flat g2uj23us.dosflash.flat.orig dosflash.config.fake 2>&1 |less

The theory is that the DOSFLASH program must interface with the hardware
to perform the flashing, and that this would show up as a trap in the
hypervisor - There is no physical hardware access from the hypervisor,
so any access will trap.

Current status is that the dosflash code is starting the SMI sequence
to flash the image but it now needs a valid reply packet.  So, it seems
like it could be time to start running data replays on real hardware
(currently pending hardware availabilty)