Wednesday, January 14, 2009

Unbricking an ASUS F8VA after Changing BIOS Settings

Recently I acquired an ASUS F8VA Laptop with Vista Home Premium on it. I'll be reviewing Linux and Vista on this device, but first I'm going to note it is possible to brick the thing with BIOS settings, which I promptly did. I'll post directions for getting out of that mess first, in case any other people encounter similar problems.

My plan was to set aside the Vista disk and buy a new disk to run 64 bit Ubuntu. For some reason this laptop comes with only 32 bit Vista, and I plan to run very large virtual machines on it. As soon as 8GB of RAM becomes less the $200, I'm installing it. In the meantime I started to poke around in the BIOS as is my usual custom. I came across this innocent sounding entry: "Intel TXT(LT) [Disabled]". The help text in this machine's BIOS are really utterly useless; typically the text will be something like "Choose enable to use Intel TXT(LT) feature." No explanation of what this might be or whether it's a good or bad idea. Googling brought up this explanation:

Intel Trusted Execution Technology for safer computing, formerly code named LaGrande Technology, is a versatile set of hardware extensions to Intel® processors and chipsets that enhance the digital office platform with security capabilities such as measured launch and protected execution. Intel Trusted Execution Technology provides hardware-based mechanisms that help protect against software-based attacks and protects the confidentiality and integrity of data stored or created on the client PC. It does this by enabling an environment where applications can run within their own space, protected from all other software on the system. These capabilities provide the protection mechanisms, rooted in hardware, that are necessary to provide trust in the application's execution environment. In turn, this can help to protect vital data and processes from being compromised by malicious software running on the platform.

OK, that sounds interesting. It sounds like a kind of hardware based choot jail. This laptop has a recent processor and the new Intel PM45 chipset. Actually, the hardware on this system is so new it's a bit of chore getting Linux running. What would Vista make of this being enabled? If Vista wouldn't boot, I could just F2 back to BIOS setup, right?

Wrong. This feature requires a TPM (Trusted Platform Module) chip to work properly, and if it's not there then the system will not only not boot, it won't let you get back to the BIOS settings to turn that pesky feature off. That wouldn't be exactly secure, would it? Curiously, you can boot ASUS's Splashtop environment, even though you aren't allowed into BIOS settings and can't boot the OS. I'll get back to that at the moment, but for now I'll get right to the unbricking process.

The aim of this procedure is to clear the BIOS settings by removing the motherboard battery for a few minutes. This battery provides the tiny amount of power needed to maintain the BIOS settings and to run the motherboard clock while the system is turned off. It is a large button or watch style battery, typically a CR2032, and usually lasts for many years before it needs replacing. It's also usually fairly easy to access. Usually. Not here. The battery lies between the DVD drive and the video card. You're going to have to disassemble the laptop to get at it.

You will need a small phillips head screwdriver. You might be able to use a jeweler's screwdriver but a precision screwdriver slightly larger would be ideal. You will need something like a small common or flathead screwdriver to release the keyboard. Then you'll need something to act like a pair of tweezers (tweezers are ideal, but the swiss army type are too short) or alternatively a very thin, sharp thing to pry with, like an old fashioned razorblade or (if you work on Macs) a really thin putty knife.

This procedure will void your warranty. It will also almost certainly cause a small amount of cosmetic damage to your laptop, unless you are experienced, careful, and have the appropriate tools and workspace. I chose to do this because I don't care how the laptop looks and can't be bothered waiting weeks for an RMA replacement.

(0) Prepare a work area. A large towel on the table will protect your laptop case, and provide a contrasting color to make finding those tiny screws easier.

(1) Remove the power sources from the machine. Unplug the power adapter, then turn the machine over and remove the battery. If you have trouble figuring out how to remove your battery, you should stop here!

(2) Remove the DVD drive. It is secured with two screws, one located on the bottom of the machine roughly an inch behind the DVD eject button. The other is further towards the centerline of the machine near some vent holes. I find laying out the screws on the table in the same physical relationship they have on the laptop makes reassembly faster. Pull the drive out and set it aside.

(3) Remove the hard disk. The cover is secured by three screws. Set aside the cover in your screw layout with the screws in the holes. Once the cover has been removed, the hard disk can be extracted by pulling it away from the connector, then up.

At this point let me note that I didn't completely disasemble my laptop, because doing so would require removing the strip that contains the buttons abovethe keyboard. This would probably be neater and easier, but I didn't have anything handy that woudl do it without leaving some really nasty dings in the plastic. So I opted to get the laptop apart enough that I could reach the battery with a pair of tweezers from the video card side. For that reason we'll remove the video card cover.

(4) Locate and remove the video card cover. It's a large cover located adjacent to the power adapter plug, and has your Vista sticker on it. It's held on by three or so small screws. Remove the cover, put the screws into the holes for safekeepign, and set it aside in your screw layout area.

(5) Remove the screws that would have been visible before you started removing covers and set them aside, including one that secures a little right angle cover along the rear next to the modem port. Set them and the right angle cover aside in your layout area.

(6) Remove the screw next to the wireless card, which was underneath the hard disk cover. The wireless card has black and white antenna wires attached to it. You can see that the screw next to it secures the plastic back to something below. It's been a few days, but I don't think it's necessary to remove the wireless card itself. If you do, you'll have to remember to put it back and the antenna wires; the gold connectors on the end just push on and pull off.

(7) Remove the two screws in the rear of the machine.

(8) Turn the machine over.

(9) Free the keyboard. If you look at the space above the top row of keys, you'll see four black plastic clips. They work just like the bolt attached to a doorknob; they are spring backed with a trianglular cross section, which means the pop put of the way when the keyboard is pressed down on them, but won't allow the keyboard to be pried up. Using your small flat screwdriver, push the rightmost clip back, and insert a swiss army knifeblade or similar to the right of the clip. Use the blade to gently pry up the keyboard so the top edge clears the rightmost clip.

Keeping the knife in place, push back the second clip from the right and pry up so the keyboard clears that. Repeat until the keyboard clears all four clips.

(10) Remove the keyboard. The keyboard is now attached to the computer by a thin ribbon cable. On the computer side, the cable is locked into the connector by a white strip of plastic on the connector. That strip moves a fraction of a mm in (towards the rear of the computer) to lock and out (towards the front) to unlock. Unlock the cable and gently pull it out. The keyboard is now free. Set it aside.

(11) Remove all the screws under the keybaord and set them aside.

(12) (optional) Remove any screws under panel above the keyboard that has the LEDS and buttons. I didn't opt for a complete disasembly, which would make the next steps easier. Presumably, the remaining screws are under this panel. The thin silver plastic strips to the left and right of the buttons are held in by friction (I believe). You could pry out these strips with a knife or a sharpened metal putty knife (if you work on Macs you have such a thing). The thing is that unless you have the putty knife prying tool, you're going to gouge the soft plastic. After removing this, you'd fiddle around, and presumably discover the remaining screws holding things together. Someday you'll want to do this, when the backlight of your notebook starts acting flaky. This is normally where the inverter board that powers the backlight lives.

(13) Locate the battery. If you sight down the DVD bay, you'll see the battery, which is about the size of a US quarter, in its black pastic holder, at the right of the far end of the bay. It's actually closer to the video card, but it's easier to spot this way.

(14) Gently pry apart the black bottom plastic half of the chassis from the top, from the DVD side. If you opted for complete disassembly, I guess it should just come apart at this point. If not, you're aim here is to bend the plastic enough so you can reach in to the battery from the video card side. IMPORTANT: you don't need to force this enough to break the plastic. If it doesn' t easily pry open an inch or so near the battery, look for a screw you missed. Put someting in the gap like a paperback book to keep it pried open.

(15) Remove the battery. You don't pry the battery out; it has a spring clip. If the computer is upside down, just reach in with a screwdriver and fiddle the clip and the battery will drop out.

(16) Wait for a few minutes.

(17) Replace the battery. This step takes the most dexterity. However, you aren't going to be able to send the computer back in this state, are you? So you're just going to have to fumble at it. Turn the computer right side up (otherwise you'll be fishing the battery out as it falls). Tear of a small piece of paper to insulate the battery where you'll be grasping it with your tweezers (unless you have plastic tweezers), then carefully grasp the battery by as little edge as you can manage. From the video card side, place the battery in its holder, the minus (slightly smaller side) should face toward the motherboard. It will probably drop in a bit crooked, but a little is OK. Then push the battery down with a small screwdriver until it snaps audibly into place. Fish out the piece of paper.

(18) Reassemble the computer in reverse order. The trickiest bit is getting the keyboard ribbon cable plugged back in. These connectors are zero force; you don't have to jam anything. On the minus side, there's no friction to hold the cable in place when you let go of it, until you've pushed in the locking bar, and the stiff plastic cable will want to hop out. If you have a third set of hands hold the keyboard, you can hold the cable in place while you push in the locking bar with a small screwdriver. If you removed your wifi card, remember to put it back in and plug the antenna in.

(19) Put the battery and AC power back in, and reboot, holding down the F2 key to return to BIOS setup. You'll need to set the date.

You have now undone what five seconds of curiosity did to your computer.

Remarks and Conclusion.

If you mess around with BIOS settings, you have to be prepared for some trouble. However, the BIOS writers who put it there also decided to (a) make BIOS settings inaccessible once you changed that setting and (b) not to bother including any help text to that effect. I think it's pretty bad that users can set a BIOS settings that requires a significant hardware fix.

The whole thing is pointless from a security standpoint. This exercise proves it is not difficult for a motivated person to remove the TPM hardware and circumvent the BIOS settings. In fact there is are even simpler ways to get around this, if the point is protecting the data on the hard drive. The drive can be removed and popped into an identical computer with TPM turned off in the BIOS.

Another curious aspect of this is that while it is impossible to boot to the OS or access BIOS settings, it is possible to access Splashtop, as fast booting Linux environment that ASUS has rebranded "ExpressGate". So presumably, ExpressGate is trusted by the BIOS whereas the operating system is not. Now I've noticed a number of interesting things about ExpressGate/Splashtop. One is that my USB keyboard doesn't work. I presume the idea is that ExpressGate is an isolated, self-contained environment, and so can be trusted in ways the main operating system cannot. One of the things that is possible, I believe, is to reflash the BIOS from ExpressGate, although I expect that function is probably disabled in this kind of situation.

Still, while ExpressGate/Splashtop is supposed to be isolated, and can be run from motherboard flash memory, on this machine it is not. It is in a "hidden" partition on the same disk as the operating system. "Hidden" is a misnomer; the partition isn't in any way hidden from the operating system, it's just a notation that the operating system isn't supposed to mount the filesystem in it. The partition is perfectly visible in a disk utility.

It seems to me that the kind of paranoia that locks owners out of BIOS settings is strongly undermined by trusting an operating system on the same hard disk as the user's data and OS, especially when anyone can take the hard disk out and alter the Splashtop system. Since it is Linux, it could even be modified to do something like boot the main operating system in a virtual environment, logging all the user's keystrokes.


grumpynerd said...

Although this is not the kind of thing I normally write about, I did this post to help anybody who's bricked their laptop. Specifics will be different for other laptop models and makes, but in general removing the CMOS battery should work.

One thing that was interesting: while the BIOS settings were cleared, I was surprised to find that the BIOS password I created was not. Now how could that be? It must be stored some place OTHER than in standard nvram, since that was completely cleared.

DJShotty said...

I have been having all ends of trouble with an ASUS Pro 50 N, which I followed the ASUS technical crew's advice of pushing the Emergency Power Off button underneath the piece of shit.
And stop it, it is a piece of shit, plain and simple.
What gets me is, ASUS have no support whatsoever for this rubbish. They just build it, and leave it to us to share our ideas on how to repair the bloody thing when it fucks up. There should be a wave of consensus around the world to put an end to these companies who make stuff then leave it out in the breeze with no idea on how to take it apart or fix it should something go wrong.
Anyway, tearing this Pro50N to pieces and keeping (what looks like) the CMOS backup battery out of the machine for a good half an hour may do the trick, as I write this before I get back to the little screws.
Thanks to your blog, Kamthaka, and to you, grumpynerd, for your advice...

DJShotty said...

Guess what, it's still bricked...

semite said...

I have problem with my Asus F8VA, I created my BIOS supervisor password and now I cannot enter the BIOS setup anymore. I really want to change the settings inside it. What is the best. I did what grumpynerd said by removing BIOS battery, cleared the settings, but the password still there and I cannot login. What should I do and what is the best way to crack/reset/remove the damn BIOS password?

Any help and suggestion really appreciated


P. McKelvy said...

Thanks for your post, Mr. Leo. It's interesting to know that there is a possible way out if one's BIOS gets messed up.

At the end of your post, it seems apparent that you were not aware what the purpose of a TPM is, so I thought I'd chime in real quick.

The TPM is there for the protection of the operating system and, ultimately, the user. It offers essentially no defense against an attacker gaining physical access to a machine. A TPM is principally there to retain "measurements" of the operating system, such as the last bootable OS core. It can detect alterations to the OS core when booting by, for instance, calculating a hash of the OS core and comparing the value so measured against a valid hash stored in the TPM (refer to the tool TrustedGRUB, for instance, for more details).

This is to say that the TPM is a passive defense against malware, remote hacking and other software-based attacks against "measurable" portions of the software system.