2010-12-22

The Byte That Bit Me Insyde

Since Insyde doesn't seem interested in patching its BIOS, I thought I'd share a neat way to make a laptop with an Insyde BIOS hang on boot by changing a single byte.

Caution: Back up any important data, if you're silly enough to do this on a live system; while this shouldn't mangle any of your bits, it's certainly possible it could.

Also, if you're not terribly fond of grasping naked sectors and pushing values into unfilled gaps, you might want to bail out now.

The Prerequisites:
  • Laptop with buggy Insyde EFI BIOS.
  • SSD or HDD (physical medium unimportant)
  • Two or more partitions (which is the default Windows 7 configuration, and tends to be the default Linux installation as well).
  • The SATA port configured as AHCI in BIOS.
My hardware configuration:
Acer 5810tz Timeline Notebook, with InsydeBIOS Release 1.35.

Now, with your personal favorite disk editor of choice (I'm using the very excellent, free and portable HxD):

HxD with Physical Disk 1


The Byte To Change
  • Select the first partition of your first physical disk (labelled Physical Drive 1 in HxD).
  • Go to sector 2048.    
  • Go to offset 0x19 (25 decimal) and change from 0 to any value.
  • Reboot
  • Watch your laptop with an Insyde BIOS freeze.

Don't panic!  Simply:

  •  disconnect the laptop drive,
  •  bop into BIOS (F2)
  •  change the SATA mode from AHCI to IDE.
  •  Reconnect your hard drive, and boot.  You'll hit the usual Windows BSOD complaining about you trying to boot with the wrong set of disk drivers; boot into the 32 bit recovery console (since many utilities don't yet have 64bit equivalents and the WOW64 subsystem probably won't be available (especially if you're booting a mini-xp environment off a thumb drive instead))
  •  Run your sector editor, and change byte at offset 0x19 back to 0.
  •  Reboot normally.

So, what's going on here?

Sector 2048's where Windows 7 puts the start of its first partition.  From the partition boot sector layout we can see the particular byte is part of the boot parameter block, specifically the high byte of the Sectors Per Track word, which happens to be ignored by Windows 7.

What's a BIOS doing, caring about this?

Near as I can tell, this could be an attempt at an AHCI optimization, and the BIOS code simply fails to do a sanity check on the range.

Q. Except for the occasional black hat looking for a chuckle, who'd want to hang their laptop?
A. Anyone installing Linux, BSD, or full disk encryption such as Truecrypt and PGPwde.

These, as part of their normal operation, can change that special byte, giving much excitement and hair pulling to the lucky person whose BIOS, in an effort to be a most helpful puppy, manages to decorate the newspaper with excrement after having a chew with it.

I'm so glad EFI has led us away from incompabitle, buggy BIOSes!

Tools mentioned:
HxD Hex Editor (used for sector editing)

References:
Homepage of Insyde

Others probably running into this specific issue:
Seen on HPs, blamed on encryption
And Lenovos, blamed on Truecrypt.
Seen again, attributed to AHCI+Truecrypt conflict.
Even with BSD!

18 comments:

  1. Wow. I have no idea how I finally stumbled onto this blog, but thank you so much for publishing this.

    However I'm just trying to make sure that I follow you correctly here.

    Are you saying that, following a full disk encryption (say with truecrypt) on a machine with the insyde h20 bios, it would be a good idea to change this byte on the 1st hard disk?

    The reason being that the bios will 'hang' when reading this byte and allow the boot process to continue?

    As it stands I have had to hold off on encrypting my harddrive because I am 100% convinced that the machine will not be able to boot after encryption is complete. (Acer aspire 1830T with Insyde h20 v 1.20)

    This would be such a simple fix that I'm excited to try it, but I have no spare laptop to haul the disk out to get it unencrypted if I've understood you incorrectly!

    ReplyDelete
  2. You're following me correctly, I think.

    What I would recommend is having a boot disc handy, such as UBCD or Hiren's and testing it first; ie, make sure you can boot happily off it: see the 'Don't Panic' section above. ;-)

    You won't need to decrypt the disk; you just need to be able to boot to change those bytes, which you can after you change your BIOS to use IDE mode (and then change back to SATA/AHCI to allow Windows to boot properly.).

    If you're really worried about it --- you can snag a USB <-> SATA adapter cable from Newegg, and use that on any computer with USB with your laptop hdd...

    One other issue you should know, though; if you're using a 64bit OS, TrueCrypt doesn't have signed drivers (ie, trying to use the W7 recovery console to decrypt is an exercise in frustration).

    If you're not comfortable yanking your hard drive, and TrueCrypt doesn't let you change it before the reboot (I can't remember offhand) then you might want to pass on this...

    I'd suggest the 'safe' way would be to boot a disc with TrueCrypt on it, with the BIOS already set to IDE (XP/Vista/W7 will BSoD, if it was set with SATA) and encrypt the drive. Change the appropriate MBR location (make sure you've got a hex editor on your disc), reboot, set BIOS back to SATA, boot into encrypted disc happily. :-)

    (And badger Insyde to update their blasted modules!)

    ReplyDelete
  3. Very nice work! I'm the author of the post re: the Toshiba not booting due to Truecrypt and AHCI. It's nice to know the underlying reason why that caused the BIOS to choke.

    Kudos on the thorough investigation. :-)

    -AMB

    ReplyDelete
  4. Thanks for the description. But did I get it right that this fix requires the TrueCrypt encrypted system to run in IDE mode?

    ReplyDelete
  5. No, you can run the system SATA; just have it set up as IDE until you make sure you've properly 0'd byte at offset 0x19.

    ReplyDelete
  6. Hi,

    Thank you for your reply, I am the Anonymous from above ;)
    Today I wanted to test your method with an old hard drive in my new laptop with Insyde BIOS V1.25. It is an Acer 4820TG. The same model with an older BIOS version has crashed before in the way you describd it after TrueCrypt encryption.

    I encrypted the hard drive, rebooted and didn't see a crash but was able to boot normally. I was really confused so I took the hard drive and hooked it up to another laptop via adapter.
    I ran HxD and checked offset 25 (I am not familiar with Hex so I started counting from 0 to 25) in sector 2048. It is not 0. The drives weren't labeled and I checked ard drive 1 under physical drives.

    Do you have an explanation for this? Could it be that there was an update after all!

    Thank you in advance!

    ReplyDelete
  7. It's possible there was an update... or that the system that's not crashing is in IDE mode (did you remember to look? :-) ) or that you're not looking at the right byte. OR that whatever you encrypted the drive with changed what it's putting there. Or that it's a valid 'sector per track' value: try making it 0xFF for fun and profit. :-)

    Of course, if Insyde did get around to fixing it, it'll remove a headache for a lot of folk.

    ReplyDelete
  8. I have this issue on an HP Envy 14. I tried running HxD from a USB in safe mode (from command prompt), but I got the error message 'The subsystem needed to support the image type is not present'. Is there anything I can do about this, or is there another program that will work?

    ReplyDelete
  9. Just a guess, but if you're trying to run a GUI program from a commandline, it'll fail. Also, if you're in safemode where you can run GUI programs (and just have a cmd spawned) you might get that message if you're running x64 Windows (since HxD is 32bit...). Just guessing here, what your problem is.

    Here's a link with other programs you can try:
    http://en.wikipedia.org/wiki/Disk_editor

    And also, you could download Hiren's Boot Disc or similar, if you need a way of booting a 32bit OS to fix things. ;-)

    ReplyDelete
  10. Conclusion: Don't buy laptops with Insyde BIOS systems if you care about the safety of your system.

    I am the owner of the HP Envy 14 that posted above. For 13 days I have made no progress on this error. Today I have given up, after finding that not only is Sector 2048 is apparently not where the first Windows partition starts on an HP, but also that I can't decrypt my hard disk from another computer.

    The next computer I buy, I'll be checking the BIOS system to see if it's TrueCrypt friendly. Until then, I give up.

    ReplyDelete
  11. I have an hp-g62 laptop with BIOS insydeh2o rev 3.5 F.37. Is safe to use truecrypt? Has insyde already patch this bug? regards

    ReplyDelete
  12. Truecrypt isn't the problem, the BIOS is (was?). Try installing, and if it hangs, fix with another system... or let everyone know if it's fixed. (I don't have the time to dig it up and see.)

    ReplyDelete
  13. Seth,

    Thank you very much for your response. I do not have another machine so is too risky for me to try. However, HP have all BIOS version in their webpage. I have gone through all change logs for all bios revision but I couldnt find anything relates with this issue. I just wonder if this is already fixed or not? Any clever ideas to know it without trying?
    Regards

    ReplyDelete
  14. HP had a 'safer' 'fixed' BIOS (see my other post) that fixed a hang, but introduced other bugs. With a new enough version, you're probably okay. Without tearing apart your BIOS, I can't give you a proper answer (and I can't do that without finding the VM I set up with all the tools to play with this...) but realize it's not the BIOS but the AHCI module in the BIOS you need the version number of. And, also, if you read my Don't Panic section, you can make an informed decision about whether you want to try it. Back up all your data, of course, and verify you can actually change to IDE mode in your BIOS... if so, ... it's likely better to have an encrypted drive than not. ;-)

    ReplyDelete
  15. Seth,

    Thanks for your response again.

    I have a look into your HP 'safer fixed' BIOS post. How do I know which version AHCI module I have?
    Also, I have seen your don't panic section but my BIOS doesnt not allow me to change IDE mode (it is very basic). Any suggestion how to proceed? See link below for the latest F.37 BIOS from HP site.

    Regards

    http://h10025.www1.hp.com/ewfrf/wc/softwareDownloadIndex?softwareitem=ob-95792-1&cc=us&dlc=en&lc=en&os=4063&product=4106384&sw_lang=&ts=true#thankyou

    ReplyDelete
  16. From the link you posted, you've got "Serial ATA AHCI BIOS, Version iSrc 1.20_E.0024 12212009". I only looked at the 4mb .fd, (there's 1mb and 2mb in the link, as well). From what I remember, that newer version should work, but if it bombs, you'll get an 'error 23' on your screen. I wouldn't run a laptop without encryption, personally, so I'd definitely do it with your setup, were it me. However, I'm a stranger on the Internet, and you can bork your hardware. I'd suggest, at the very least, having a bootable USB flash drive (with Hiren's or similar) and a USB <-> SATA external connector, so if you end up in trouble, you can manually edit the partition table. Or, if you have access to a desktop system with SATA... and are comfortable removing your laptop drive, you could do that. If this sort of stuff makes you uncomfortable, probably best not to mess with it.

    ReplyDelete
  17. I have been trying to get Truecrypt working on HP G56 laptop with Insyde bios F.15 - sadly without success.

    I installed Win7 Home Premium, HxD (excellent program!) and encrypted the drive with Truecrypt. Before I rebooted, I checked location 0x19 on sector 2048 and it was still 0.

    I rebooted and - yet again - the bl%£y thing hung halfway through BIOS. You can't get to any settings from here - the only way out is to pull the cable to the hdd, boot to the menu (yumi) of a usb stick, hot plug the hdd (horrid), boot something like gparted, nuke the partitions on the hdd and reboot to reinstall you OS of choice.

    I'm off HP laptops and Insyde BIOS's permanently. It's the only way they'll learn.

    ReplyDelete