Sunday, July 19, 2009

Enable VT on InsydeH2O based Sony Vaio laptops, the EFI way

**** UPDATE **** (16.10.2009)
Seems like Sony finally decided to officially enable VT in the new batch of bios updates for at least the following models:

Desktop PC
VGC-JS Series
VGC-LN series
VGC-LV Series
VGC-RT Series

Notebook PC
VGN-AW Series
VGN-CS Series
VGN-FW Series
VGN-NS Series
VGN-NW Series
VGN-P Series
VGN-SR Series
VGN-TT Series
VGN-Z Series

Good move - if they can't prevent VT any more, they enable it :)

The past couple of days I have been somewhat compelled to get VT (Virtualization Technology) running on my Sony Vaio Z11 laptop. I bought it a while back (about a year ago) in good faith that it supports this feature, which is crucial for me, but of course, for some reason, Sony decided to disable VT and give the casual user no means to enable or use it. I am not going to describe how they do it; you can read that somewhere else. Support requests have been fruitless, and although I invested a couple of hours into reversing the "bios", I soon discovered that this is anything but a simple module-swapping bios - it's InsydeH2O, an EFI 2.0 implementation ... I had known next to nothing about EFI.
University and different spare-time enjoyments kept me from pursuing this matter more actively until recently, when I discovered this blog entry by accident. Marcan, whom you also know as a member of the iPhone-Dev team, extensively describes the inner workings of the InsydeH2O EFI implementation and wrote a set of tools to decompress and extract the firmware. What's more, he also developed a tool to visualize the SetupUtility forms. Luckily, all InsydeH2O OEM customers (that I encountered up until now) decided to leave a hidden advanced form in the SetupUtility, so that it is quite easy (with Marcan's tools and a little disassembling) to match the Setup variable offsets to the forms and thus to actual functionality.

Yea, about the Setup variable: In EFI, all non-volatile (and changeable) configuration is stored in the Variable Storage Space (VSS). This can be any non-volatile memory like EEPROMs, available space in the RTC (aka CMOS), ... or even a Serial Peripheral Interface (SPI) flash part, the same flash part where the firmware itself is located in recent InsydeH2O based laptops. This saves costs, but also increases the risk involved in carrying out (and, more importantly, reversing) any modifications.
Back to the Setup variable - it is also stored in the VSS and contains a lot of configuration data regarding system configuration, including VT. Each byte offset within the variable corresponds to a specific configuration setting, and not all of them are modifiable within the so-called "SetupUtility" (on Sony Vaio models, press F2 during boot to enter).

Well, the plan is to modify the Setup variable - one of those offsets controls the VT feature and we only need to flip a single byte (actually a single bit). There are two ways to go about it - one is described by Marcan on his blog, where he has been able to modify the contents of the VSS by patching and reflashing a dump of the firmware itself. Using the vendor tool to flash back a dump is, at least on my specific Vaio model, a no-go: firmware images from Sony contain a lot of extra information (header?) that confused other InsydeH2O tools (e.g. ezH2O cannot find a valid Firmware Volume (FV)). Maybe it works, but I didn't take the risk - instead I used flashrom on Linux (and flashed only the sector that contains the VSS). Long story short: if you aren't perfectly familiar with C programming, embedded system programming (flash programming), and Linux, you had better stay away from this method (flashrom). Last but not least, here seems to be a first indication that the VSS format can be different across models/vendors. This introduces another source of error - different VSS formats require different methods of patching.

So - I continued looking for a different, easier way to modify this variable within the VSS ... and by further reverse engineering I discovered that the firmware will run EFI applications before "legacy mode" is entered, where all access to the EFI from the OS is lost.
Within an EFI application (or an OS that is booted by an EFI bootmanager) EFI routines can be accessed - also routines to safely read and write variables from and to the VSS => the very same routines the SetupUtility uses to read/write the configuration.
Jackpot - the rest was simple: I took GRUB 2, added a custom command that allows the modification of the Setup variable and now - anyone on current InsydeH2O based firmware should be able to modify their Setup variable.

Before I am going to describe how to use my tool, I must also warn you about the risks and the worst case that can happen.
First the risks (things said last hopefully stick best):
- it may not work: simple as that, maybe your vendor decided to go about things somehow differently. Currently I only have success reports from people that run Vaio models. For Acer you should definitely contact Marcan and/or follow his blog. Users of other vendors need to either wait until someone steps up or try on their own responsibility (actually you're always on your own responsibility! Something goes wrong - you're the only one to blame!)
- something else may not work: the laptop still boots, but e.g. Shutdown does not work, or it reboots after a couple of minutes, etc. This could happen if you modified the wrong offset and have been lucky enough to still be able to boot. -> Reverse what you did (if you still know it). Enter the SetupUtility and restore default settings. If strangeness persists, you may need to reflash the firmware (perform a firmware update as usual: This will definitely restore a default VSS).
Now to the worst case: the laptop does not boot - You most definitely strayed from my instructions and touched something that you shouldn't have. Maybe there is a hotkey (I've heard about [fn]-[esc] or [Windows Key][ESC] during power-up) to enter a special firmware rescue mode where you can try to restore the firmware (and reset the VSS) from a USB stick -- maybe not. In the absolute worst case, you need to send your laptop in for repair. This could take a lot of time (months), and can cost money. So be warned and don't do anything stupid! :)

If you still want to go ahead, you need a firmware installed where the Setup variable offset has been verified. On Sony and Acer laptops that seems to always be 0x1af. If you want to be sure, either do it yourself if you're able, or (for Sony) comment below, or (for Acer) contact Marcan. Include a download link to the firmware. In case you can report that your firmware has the same offset, please use the comments and I'll update this post.

On to the procedure:
  • Put this EFI application (source code: patch to GRUB2-1.96+20090709 [not required to run the EFI application]) on a USB stick that is formatted with FAT32 into the following directory:


    When the stick is attached to your laptop, it should boot from it regardless of the boot order or whether you allow or deny booting from external devices (actually a security risk of the firmware itself!). Currently I only have reports from Vaio owners that this works. If it doesn't, and the boot order and/or the booting-from-external-device setting has no effect for you, then I can't help you. You probably need to patch a dump of your flash contents (see Marcan's blog).

  • If everything goes well, you should see the following message

    > Welcome to GRUB!
    > Entering rescue mode...
    > error: file not found
    > grub rescue>

  • At first, type:


    and press ENTER, a license text should inform you about the risks. More importantly, you should see at the bottom that the tool is looking for the Setup variable and found it. The GUID should match the expected GUID - if it does not, don't continue (comment below the output)!

  • Next, we'll look at the current setting of the VT offset, which is at 0x1af, at least on all recent InsydeH2O firmware based laptops that I've encountered up until now.

    setup_var 0x1af

    again press ENTER and verify that the variable is set to 0x0. Abort if it does not contain 0x0.

  • The last step is to set this single byte to 0x01 by executing (WARNING: THIS WRITES TO THE VSS):

    setup_var 0x1af 0x1

  • You may verify your changes by executing once more

    setup_var 0x1af

    This time the byte at the offset 0x1af should read 0x01.

  • After that you may reboot by pressing [ctrl][alt][del], remove the USB-stick and check with your favorite tool whether VT really is enabled or not.
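The checks in the procedure above (read the byte, abort unless it holds the expected value, write, then read back), as an added example that is not the author's GRUB patch. It runs against a constructed in-memory buffer rather than the firmware; `fake_store`, `guarded_set`, `make_store` and the 0x300-byte variable size are hypothetical names and values chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define VT_OFFSET 0x1af   /* offset given on this page */
#define SETUP_MAX 0x400   /* constructed buffer limit, not a firmware value */

enum sv_result { SV_OK, SV_READ_FAILED, SV_OUT_OF_RANGE,
                 SV_UNEXPECTED, SV_WRITE_FAILED, SV_VERIFY_FAILED };

/* Hypothetical stand-in for the variable store; a real tool would call the
   firmware's variable read/write services here instead. */
struct fake_store { uint8_t data[SETUP_MAX]; size_t size; int read_only; };

static int store_read(struct fake_store *s, uint8_t *buf, size_t *size) {
    if (*size < s->size) return -1;          /* caller buffer too small */
    memcpy(buf, s->data, s->size);
    *size = s->size;
    return 0;
}

static int store_write(struct fake_store *s, const uint8_t *buf, size_t size) {
    if (size != s->size) return -1;          /* never resize the variable */
    if (!s->read_only) memcpy(s->data, buf, size); /* read_only: write silently dropped */
    return 0;
}

/* Change one byte only if it currently holds `expect`, then re-read to confirm. */
enum sv_result guarded_set(struct fake_store *s, size_t off, uint8_t expect, uint8_t val) {
    uint8_t buf[SETUP_MAX];
    size_t size = sizeof buf;
    if (store_read(s, buf, &size) != 0) return SV_READ_FAILED;
    if (off >= size) return SV_OUT_OF_RANGE;       /* offset not inside this variable */
    if (buf[off] != expect) return SV_UNEXPECTED;  /* "abort if it does not contain 0x0" */
    buf[off] = val;
    if (store_write(s, buf, size) != 0) return SV_WRITE_FAILED;
    size = sizeof buf;
    if (store_read(s, buf, &size) != 0) return SV_READ_FAILED;
    return buf[off] == val ? SV_OK : SV_VERIFY_FAILED;
}

/* Constructed sample: a zero-filled 0x300-byte variable. */
struct fake_store make_store(int read_only) {
    struct fake_store s;
    memset(&s, 0, sizeof s);
    s.size = 0x300;
    s.read_only = read_only;
    return s;
}

int main(void) {
    struct fake_store s = make_store(0);
    return guarded_set(&s, VT_OFFSET, 0x0, 0x1) == SV_OK ? 0 : 1;
}
```

The expected-value check is what stops a write when the layout differs from the verified one, and the read-back catches a store that accepts the call but does not persist the change.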

As a side note, in all Vaio firmwares up until now, I've seen references within SetupUtility that control the suppression of the Power and Advanced forms, located at offset 0x25a. You may try to set it from 0x0 to 0x1 by following the same procedure we used to enable VT. Within the Advanced form (SetupUtility) it is possible to control the VT settings directly. Also, beware that there are a lot of other tuneable options concerning CPU, memory, graphics adapter and others, but I wouldn't touch them, as they could prevent the system from booting and, as already said, there is no easy way to restore default settings once there is no way to enter the SetupUtility anymore.

I hope this works for all of you! I am relatively confident that Sony and other vendors will close the "EFI"-hole altogether or introduce security. But then I am no longer going to buy their products, if features you just assume to be present (like VT) are kept disabled.

List of verified firmware versions:
Sony VGN-Z11, V: M3a R2168M3 05/20/2009
Sony VGN-Z17, V: R21862M3
Sony VGN-Z27, V: R2168M3
Sony VGN-Z36GD, V: R3054M3
Sony VGN-Z5xx, V: R2168M3
Sony VGN-Z31, V: M3b R3054M3 05/19/2009
Sony VGN-Z21, V: M3a R2168M3
Sony VGN-Z31, V: R3052M3
Sony VGN-Z79, V: R4040M3

ATT: (No advanced menu! - apply only the VT enable procedure on the following models - the advanced menu, if present at all, is most likely disabled differently than on Sony Vaio models)
Acer Timeline 3810T-6415: V1.08
Acer 8731: V1.08 (SU9400)