I updated my ThinkPad X131e (Intel Core i3-3227U) to the latest BIOS version (2.92, G8ETA5WW as of Dec 9, 2016) and then successfully removed the whitelist. I'm sharing the process here so I can refer back to it for future updates, and so it may help others as well.
Disclaimer: I am not responsible for any loss or damages that may result of following these instructions.
Most of the required tools must be run as administrator and I had to disable the antivirus to be able to run some of them, so again, do this at your own risk.
Tools I used:
Start by creating 3 work folders:
- 1-OLD (files from the old BIOS version, 2.59)
- 2-NEW (files from the new BIOS version, 2.92)
- 3-NEW-NWL (files from the new BIOS version, 2.92, with no whitelist)
1. First of all I dumped my current BIOS using
TestBack. This produced a
result.rar file containing a 4MiB dump, named
x64_bios-region_8.1.10.1286.bin. Copy this .bin file to folder
1-OLD.
1b. I dumped my current BIOS again, this time using Universal BIOS Backup. This produced a larger dump (12MiB) named LENOVO-G8ET99WW(2.59).rom. I assume this is a complete dump of all ROMs (8MiB+4MiB), hence the bigger size. I did not need this dump after all, but it can't hurt to have more options in case anything goes wrong and you need to flash the BIOS using an external programmer.
2. Copy
result.rar to a safe place.
2b. Copy LENOVO-G8ET99WW(2.59).rom to a safe place as well.
3. Run
PhoenixTool 2.66 as administrator. It probably requires turning off the antivirus as well.
Click the
[..] button next to
Original BIOS and open the
x64_bios-region_8.1.10.1286.bin file from folder
1-OLD.
Status text should change to
WORKING... Wait until it loads and a popup appears.
Click OK to dismiss the popup. Status should then display
EFI / Insyde BIOS.
Click
Structure button and wait until it loads the EFI Structure.
Then Click the
[+] box and browse the structure to locate this module:
Code:
DXE Driver {79E0EDD7-9D1D-4F41-AE1A-F896169E5216} - LenovoWmaPolicyDxe.efi
Once found, select the
P32+ image section within, and click
Extract.
I did not need to tick any of the Decompress.../Compress... checkboxes, so I assume the module is not compressed (though one of its parents in the structure might be. YMMV).
This will extract the module to a file named
79E0EDD7-9D1D-4F41-AE1A-F896169E5216.MOD in the
1-OLD folder.
Exit and close
PhoenixTool.
4. Update BIOS to the latest version using the official updater provided by Lenovo.
In my case, I updated to
G8ETA5WW (2.92) using
Lenovo ThinkVantage System Update.
5. Power off and remove any non-authorized wireless card (not in the whitelist) to be able to boot.
6. Repeat
step 1 to dump the new BIOS version, and copy the resulting
x64_bios-region_8.1.10.1286.bin to folder
2-NEW.
6b. Again, I made a second dump using Universal BIOS Backup. Its name was LENOVO-G8ETA5WW(2.92).rom
7. Copy the new
result.rar to a safe place.
7b. Copy LENOVO-G8ETA5WW(2.92).rom to a safe place as well.
8. Repeat
step 3 with the
x64_bios-region_8.1.10.1286.bin file from folder
2-NEW.
At this point you can compare both
79E0EDD7-9D1D-4F41-AE1A-F896169E5216.MOD files in
1-OLD and
2-NEW using
HxD. The differences should be minimal or non-existent.
9. Copy
x64_bios-region_8.1.10.1286.bin and
79E0EDD7-9D1D-4F41-AE1A-F896169E5216.MOD files from
2-NEW to
3-NEW-NWL.
10. Using
PhoenixTool, open the
x64_bios-region_8.1.10.1286.bin file from
3-NEW-NWL.
Browse to the LenovoWmaPolicyDxe module like before, but
do not extract it this time.
Leave
PhoenixTool open.
11. Using
HxD, open the
79E0EDD7-9D1D-4F41-AE1A-F896169E5216.MOD file from
3-NEW-NWL.
Edit the following hex values to disable the whitelist. Double-check the offsets and the values.
The values that need to be changed are:
offset(intel) offset(amd,untested!) original no-whitelist
00000AFE 00000AAE 0F 90
00000AFF 00000AAF 84 E9
00000B07 00000AB7 0F 90
00000B08 00000AB8 84 E9
00000B9B 00000B4B 74 EB
00000BB5 00000B65 OF 90
00000BB6 00000B66 84 90
00000BB7 00000B67 6C 90
00000BB8 00000B68 FF 90
00000BB9 00000B69 FF 90
00000BBA 00000B6A FF 90
00000BBB 00000B6B EB 90
00000BBC 00000B6C AF 90
These are the result of comparing two dumps of the same BIOS version (2.59): a stock dump, and the no-whitelist dump that BDMaster sent me.
The module is identical between stock versions 2.59 and 2.92, so the 2.59 mod works with the 2.92 BIOS.
Do not continue if you don't find the expected values in consistent offsets; in that case you will probably have to resort to editing the code in assembly to skip the whitelist check.
Original values (Intel version):
After modification (Intel version):
Original values (AMD version) (UNTESTED!):
After modification (AMD version) (UNTESTED!):
Save the changes to
79E0EDD7-9D1D-4F41-AE1A-F896169E5216.MOD file in
3-NEW-NWL folder.
12. Go back to
PhoenixTool, select the
P32+ image section and click
Replace (not Insert!)
Select the
79E0EDD7-9D1D-4F41-AE1A-F896169E5216.MOD file from
3-NEW-NWL folder. Wait for it to load.
Then, click
Exit button and reply
Yes to save the changes to
x64_bios-region_8.1.10.1286.bin in
3-NEW-NWL.
13. Usually, at this point you would have to
click Advanced in PhoenixTool, click Yes to accept the risks, tick Always allow user modification of modules and No SLIC, and then click Go to write the changes to x64_bios-region_8.1.10.1286_SLIC.bin in 3-NEW-NWL folder.
However, in my case the resulting
x64_bios-region_8.1.10.1286_SLIC.bin file was identical to the
x64_bios-region_8.1.10.1286.bin from the previous step, so this could be skipped. Again, YMMV.
14. Create a pure DOS boot disk and copy pflash files (
pflash.exe,
Efildr16) to this disk.
Copy
x64_bios-region_8.1.10.1286.bin from the
3-NEW-NWL folder to the disk.
Rename the
x64_bios-region_8.1.10.1286.bin in the disk to something shorter, such as
NWL2.92.
Create a batch file
flash.bat in the disk:
Code:
@echo off
@pflash.exe /sa NWL2.92
15. Boot the laptop with the DOS disk and run
flash.bat from the command prompt.
In my case, pflash complained about the checksum, but flashed anyway.
If this fails, you will have to resort to a hardware programmer to flash.
Hope this helps!