diff --git a/.gitignore b/.gitignore
index 818798c..099a840 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,6 +3,7 @@
 *.iso
 *.iso.orig
 *.txt.orig
+*.iso*.extract
 *.img
 *.img.orig
 *.img.enc
diff --git a/Makefile b/Makefile
index 23210e2..e35bbe3 100644
--- a/Makefile
+++ b/Makefile
@@ -43,6 +43,7 @@ clean:
 *.img.enc.orig *.img.orig *.bat \
 *.img \
 *.txt.orig
+ rm -rf *.iso.extract *.iso.orig.extract
 # Also remove the large iso images downloaded from remote servers.
 really_clean: clean
@@ -99,6 +100,7 @@ list_images:
 # All the bios update iso images I have checked have had a fat16 filesystem
 # embedded in a dos mbr image as the el-torito ISO payload. They also all
 # had the same offset to this fat filesystem, so hardcode that offset here.
+# The offset value is bytes in decimal.
 FAT_OFFSET := 71680
 # Some versions of mtools need this flag set to allow them to work with the
@@ -273,6 +275,12 @@ $(DEPSDIR)/slice.insert.deps: Makefile
 %.dosflash.exe.orig: %.iso.orig
 mcopy -m -i $^@@$(FAT_OFFSET) ::FLASH/DOSFLASH.EXE $@
+# Extract the "embedded" fat file system from a given iso.
+%.iso.extract: %.iso
+ mcopy -s -i $^@@$(FAT_OFFSET) :: $@
+%.iso.orig.extract: %.iso.orig
+ mcopy -s -i $^@@$(FAT_OFFSET) :: $@
+
 ## Use the system provided geteltorito script, if there is one
 #GETELTORITO := $(shell if type geteltorito >/dev/null; then echo geteltorito; else echo ./geteltorito; fi)
diff --git a/docs/HACKING.txt b/docs/HACKING.txt
index 4ca969f..e5b2f79 100644
--- a/docs/HACKING.txt
+++ b/docs/HACKING.txt
@@ -21,8 +21,8 @@ Then start radare with one of these projects:
 radare -p x230.G2HT35WW
-Makefile targets:
------------------
+Makefile targets for patching:
+------------------------------
 If you expect to do development work, the following make targets are
 probably useful:
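Review bot: The new `%.iso.extract` and `%.iso.orig.extract` rules in the Makefile copy into `$@` without clearing it first, so re-extracting after the image changes leaves files from the earlier extraction mixed in with the new ones. An interrupted `mcopy` likewise leaves a partial directory that make will afterwards see as an existing target. Since the extracted tree is what gets examined, either case can misrepresent what the image actually contains. Adding `rm -rf $@` as the first recipe line of both rules gives every run a clean directory. A one-line comment noting that the target is a directory whose file names and contents come from the downloaded image would also help the next reader.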
@@ -65,6 +65,42 @@ probably useful:
 make patched.x230.img.test
+Extracting the ISO images:
+--------------------------
+
+While examining a new ISO image, it is often useful to extract its
+entire contents. Due to the way these images are constructed, it is
+not straight forward to get the data out.
+
+The Lenovo ISO image is a iso9660 filesystem image with /no/ files
+in it! There is a El-Torrito standard boot descriptor in this image,
+and it defines a hard drive image for booting. This hard drive image
+is a DOS MBR partitioned disk, with one partition. The partition is a
+FAT16 filesystem, containing the actual files used in the BIOS update.
+
+To access the FAT16 filesystem, the byte offset of the filesystem
+is calculated (via a process of unwrapping and decoding each layers
+described above). So far, every ISO image file from Lenovo that has been
+checked has used the same offset, so this has been hardcoded in the
+Makefile as the "FAT_OFFSET" variable.
+
+To extract the files for examination, a make target is available which
+can be used on any *.iso.orig or *.iso file. e.g:
+
+ make g2uj25us.iso.orig.extract
+ make patched.x230.iso.extract
+
+In the case where a file needs to be modified inside the image, it is
+highly recommended to use the mtools "mcopy" utility to copy files back
+into the image - this is the safest method and does not require any
+elevated priviledges or run the risks of mounting foreign filesystems.
+
+If you find you do need to directly mount the filesystem, the following
+command can be used as a starting point:
+
+ sudo mount -o loop,offset=$FAT_OFFSET $ISOFILE $MNTPNT
+
+
 References:
 -----------
 http://forum.thinkpads.com/viewtopic.php?f=69&t=120776