Environment Information

System information: Windows 10, ThinkPad T430i

Tools involved: x64dbg

Test program: g1uj49us.exe (ThinkPad T430i BIOS update)

Note: This is an English translation of an article I wrote earlier; if anything is unclear, I will improve the translation.

After the downloaded package extracts its files, the program it runs by default to install the update is WINUPTP.exe.

[image]

Reason

I recently got a ThinkPad T430i notebook and wanted to upgrade to the latest BIOS (2019), but because of a battery problem (the charge shows as 255% and software cannot read battery information), the official update program cannot detect the battery and the upgrade fails.

[image]

Result

Searching online, I found claims that adding the -sp parameter when running the updater skips the battery check, but testing showed this method does not work for g1uj49us. Others said to flash the BIOS file directly with WinFlash64; since that article did not explain the BIOS file format, I misunderstood it and my first test failed.

I executed the following command.

Code:

WinFlash64 /64bit/tpnflhlp.sys

[image]

Obviously it failed to run.

Continuing to search for related articles, I got the idea from this one:

https://superuser.com/questions/1569417/how-to-update-lenovo-bios-on-a-t460-without-battery

On a Lenovo ThinkPad X230i it was enough to copy the BIOS (.FL1) and ECP (.FL2) files to the parent folder, where WinFlash64.exe is located, then run cmd.exe as administrator and enter the command:

cd

WinFlash64.exe /file $01D3000.FL1

Note that when you run WINUPTP.exe and select Update ThinkPad BIOS

[image]

and click Next, it extracts some files into the current directory.

[image]

Among them is the file needed for the upgrade:

Code:

$01D2000.FL1

Screenshot after the successful upgrade:

[image]

Reverse Analysis

The test shows that the upgrade can succeed without a battery (and without a BIOS battery either), so I wanted to make the update program itself bypass this check.

Key information:

The program reports the result of the check in a pop-up window.

[image]

Once the pop-up appears, click Pause in the debugger.

[image]

Scroll down in the call stack to find the key information.

// A call instruction pushes its return address onto the stack before jumping to the target, so the return addresses on the stack lead back to the calling function.

[image]

Some entries are shown; keep looking from there for the one that leads to this pop-up window.

Code:

00EFE454 003EC655 return to winuptp.003EC655 from ?????

[image]

Double-click it to go to that address.

[image]

Set a breakpoint at the call above it.

[image]

Re-run the test.

[image]

After running, the pop-up window appears.

[image]

Run again and see the conditional jump that decides whether this address is executed.

[image]

If the jump is made not to be taken here, the program exits abnormally.

Stack analysis shows several return addresses; step into each of them in turn.

[image]

0055E57C 007ED0AA return to winuptp.007ED0AA from winuptp.007EC60F

[image]

0055E598 007E30E9 return to winuptp.007E30E9 from winuptp.007ED07B

[image]

I see the word OK.
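As an added illustration of the stack walking used above, here is a small Python parser for the x64dbg call-stack lines quoted in this post (my own example code, not from the original article or from Lenovo's tooling). It extracts the stack slot, the pushed return address and the caller's module/address for each frame, and checks that the "return to" address matches the value stored in the slot.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the three call-stack lines quoted in this post.
SAMPLE_STACK = """\
00EFE454 003EC655 return to winuptp.003EC655 from ?????
0055E57C 007ED0AA return to winuptp.007ED0AA from winuptp.007EC60F
0055E598 007E30E9 return to winuptp.007E30E9 from winuptp.007ED07B
"""

# <stack slot> <pushed value> return to <module.addr> from <module.addr | ?????>
_LINE_RE = re.compile(
    r"^(?P<slot>[0-9A-Fa-f]+)\s+(?P<ret>[0-9A-Fa-f]+)\s+return to\s+"
    r"(?P<to>\S+)\s+from\s+(?P<frm>\S+)\s*$"
)


@dataclass
class Frame:
    slot: int                   # stack address holding the return address
    return_addr: int            # value the CALL pushed: the instruction after it
    to_module: Optional[str]    # module the return address lies in
    from_module: Optional[str]  # module of the called function (None if unknown)
    from_addr: Optional[int]    # address of the called function (None if unknown)


def _split_symbol(sym):
    """'winuptp.007ED07B' -> ('winuptp', 0x7ED07B); '?????' -> (None, None)."""
    if sym.startswith("?"):
        return None, None
    module, _, addr = sym.rpartition(".")
    return (module or None), int(addr, 16)


def parse_callstack(text: str) -> List[Frame]:
    """Parse x64dbg call-stack lines; lines that do not match are skipped."""
    frames = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        to_module, to_addr = _split_symbol(m["to"])
        from_module, from_addr = _split_symbol(m["frm"])
        ret = int(m["ret"], 16)
        if to_addr is not None and to_addr != ret:  # slot value must equal 'return to'
            raise ValueError(f"inconsistent frame: {line!r}")
        frames.append(Frame(int(m["slot"], 16), ret, to_module, from_module, from_addr))
    return frames


def frames_returning_into(frames: List[Frame], module: str) -> List[Frame]:
    """Frames whose return address lies in `module` (e.g. the main executable)."""
    return [f for f in frames if f.to_module == module]
```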

Keep looking and you see this string: "AC adapter/Battery check ...".

Set a breakpoint at the function entry (push ebp is usually the first instruction of a function prologue).

[image]

The breakpoint is hit.

[image]

Normally the jump is taken (ZF = 1).

[image]

Change the ZF value so that the jump is not taken (ZF = 0).

// je/jz jumps based on the result of the preceding CMP: if ZF = 1, the jump is taken.

[image]

Run.

[image]

The upgrade now completes successfully, bypassing the battery check.

Note: for safety, if at all possible perform the upgrade with the required conditions met, or get the machine into that state first, to avoid a failed upgrade.

This article ends here, see you soon!