JoshuaWise.com

Defeating HP's Wireless Whitelist for Fun and Profit


Revision comparison of wireless-whitelist: [2012/11/28 09:17] joshuawise [Hacking the BIOS? Buy It Optional Service] versus [2012/12/19 10:11] joshuawise [Defeating HP's Wireless Whitelist for Fun and Profit].

Line 1:
 ====== Defeating HP's Wireless Whitelist for Fun and Profit ======
  
-//[[http://www.lulabs.net/|Chris Lu]] and I originally wrote -- and did -- this around December, 2005.  The article has been preserved for posterity.//
+//[[http://www.lulabs.net/|Chris Lu]] and I originally wrote -- and did -- this around December, 2005.  The article has been preserved for posterity.  New since then is [[http://tmeeco.eu/|Tiido Priimägi]]'s version of this hack, which takes it to another level; see below!//
  
 As the authors of this article discovered unintentionally, recent HP laptops (including the HP tc1100 tablet PC and the HP zv5460us desktop replacement) have a wireless whitelist built into the BIOS similar to [[http://web.archive.org/web/20090309065357/http://www.srcf.ucam.org/~mjg59/thinkpad/wireless.html|that found by Matthew Garrett on IBM Thinkpads]]. In an attempt to replace the built in Broadcom wireless card in Chris' laptop with an Atheros card, we came across this evil firmware hack on our own. In this paper, we will detail the method that we used to defeat this lockout.
Line 28:
 ===== Extrapolating ===== ===== Extrapolating =====
  
- When the zv5460us came back, one question that came up was whether we could hotplug the mini-PCI board to avoid the BIOS seeing it. We decided that this would be too risky. In addition to putting the bus in an inconsistent state for a few milliseconds, we also determined that we'd run the risk of applying signal voltage before applying power, and hence putting the chip into a [[http://wiki-shorts.freestat.pl/23-1994-Latchup.html|latchup state]] and destroying the board. We decided that this risk was unacceptable - after all, the goal is to make the board work, not to destroy the board.
+ When the zv5460us came back, one question that came up was whether we could hotplug the mini-PCI board to avoid the BIOS seeing it. We decided that this would be too risky. In addition to putting the bus in an inconsistent state for a few milliseconds, we also determined that we'd run the risk of applying signal voltage before applying power, and hence putting the chip into a [[http://liveweb.archive.org/http://wiki-shorts.freestat.pl/23-1994-Latchup.html|latchup state]] and destroying the board. We decided that this risk was unacceptable - after all, the goal is to make the board work, not to destroy the board.
  
 While continuing to think of ways to have the board disappear during the BIOS board detect process, Joshua drew on prior knowledge of the PCI bus to think of disabling the board's configuration selection enable pin (IDSEL) while the BIOS was probing. This would prevent the BIOS from detecting the card and complaining.
Line 82:
 {{ http://www.joshuawise.com/atheros-switch-2.jpg?600 }}
  
+===== Other Implementations =====
+
+[[http://tmeeco.eu|Tiido Priimägi]] sent me e-mail to say that he did it too.  He, on the other hand, did it with the aforementioned RC timer.  He first hacked a card in that way:
+
+{{ http://www.joshuawise.com/tmeeco/GotWrongWifi0.jpg?600 }}
+
+{{ http://www.joshuawise.com/tmeeco/GotWrongWifi1.jpg?600 }}
+
+He then decided that [[http://www.youtube.com/watch?v=HhGI-GqAK9c|the next step is generalized it]], so he decided to rip the mPCI connector off of his laptop and replace it with a taller one so that he could hide all the circuitry under the card and inside the machine.
+
+{{ http://www.joshuawise.com/tmeeco/NX6125mod0.jpg?600 }}
+
+{{ http://www.joshuawise.com/tmeeco/NX6125mod1.jpg?600 }}
+
+{{ http://www.joshuawise.com/tmeeco/NX6125mod2.jpg?600 }}
+
+{{ http://www.joshuawise.com/tmeeco/NX6125mod3.jpg?600 }}
+
+Substantial kudos to Tiido for an extremely gutsy rework.
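Review bot: the link text in the added paragraph beginning "He then decided that" does not parse: "the next step is generalized it" should read "the next step was to generalize it". The rest of this hunk reads fine.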