Sunday, January 20, 2013

Intel wifi driver brand-check removal

It's fairly common knowledge that Lenovo like many other makers uses a bios whitelist to restrict the wireless cards that can be used in their laptops. I've bypassed that with a modded bios on mine a long time ago when I upgraded various parts of the machine and I've had the original Intel 4965AGN lying around collecting dust ever since. The time has come to finally use it somewhere and ... it doesn't work!

Windows complains about failing to start the device. "This device cannot start! Code 10"

Event log contains two entries
5001 - Could not allocate the resources necessary for operation
5006 - The version number is incorrect for this driver

Head-scratching ensues then Linux is booted where the card works flawlessly.
Several other driver versions are installed on Windows yielding the same result.
Time to Google.
It seems like the issue is fairly common and usually appears when people try to use branded cards in different machines than they are originally for.. At this point I'm beginning to suspect that the Intel drivers are specifically blocking the branded cards from working in non-matching machines. 
With a very low tolerance for annoying practices like this and a free weekend I load up the driver in IDA.

I have to confess never reaching the source of the issue. I've run out of time and got the driver working so I didn't investigate any further. There could be a less nefarious explanation for the behavior, although the same driver working flawlessly with the card in a Lenovo machine would suggest otherwise.
[Update: Next weekend] -
I can now confirm that the driver checks for a special entry in the DMI table for Lenovo branded cards and checks the manufacturer name of the machine for HP branded ones. It would seem that Lenovo branded cards would work fine in HP machines without any modifications to the driver. I'm not sure that patch #2 below is required at all. Just nop-ing out all the brand-check specific ID comparisons in #1 might/should be enough to get a completely unlocked driver.


There are two areas that I patched.
#1 Seems to be doing something specifically for my card's device ID (0x4230). Since my card doesn't work right now and I'm suspecting that the driver does an extra check for branding on my card (and AFAIK the 0x4230 ID is strictly a Lenovo ID) this seemed fairly suspicious so I nop-ed out the jump at 53DF5




#2 0x4229, a generic ID is receiving some attention here that looks to be the right kind. I want in on that. Changed 0x4229 to 0x4230



A PE checksum fix and a driver reinstall later I had working wifi.

I did have a couple of cases where I had to "powercycle" the card get it to see networks or to connect to one. Not sure if that's due to the patch since I couldn't reproduce the behavior after switching to Intel's PROSet tool to manage the connection. Will update this post if the problem resurfaces but even with that issue the driver was working well once it was connected to an AP even after downloading several hundred megabytes so it could be that this driver just doesn't like being managed by XP directly.

[Update: Few Days Later]  - The problem hasn't surfaced since.

Patch info:
File: NETwLx32.sys
Version: 13.4.0.139 (but note that every newer version of the driver seems to contain the same version of this sys at least. Guess it was never developed further)


fileoffset original patch
000002B1 2E 62
000002B2 B8 BB
00043DF6 0F 90
00043DF7 84 90
00043DF8 9F 90
00043DF9 00 90
00043DFA 00 90
00043DFB 00 90
00044103 29 30

Checksum fix included

ps.
This is almost guaranteed to not work with any other card (besides device id 0x4230) as-is but working patches could be created for other cards based on the principle.. maybe.

I'm not responsible for anything you do with this information, you do it at your own risk.
Please don't ask me to patch drivers :)
Leave a comment if this has helped you get your wifi card working.

24 comments:

  1. Hi Viktor!

    Thank you very much for this hint. I've spent some time wondering why the driver did not work with the card.

    However I went for different approach to fix the problem. Luckily there is an EEPROM tool for Intel WiFi cards.

    iwleeprom - https://code.google.com/p/iwleeprom/

    So I've used it to change the Lenovo specific device id to the generic one - 0x4229.

    After the change it was possible to manually selected the driver in the device manager. Windows did not find the driver automatically. I suspect that the SUBSYS has to be changed as well to match the device identifier in the stock driver. I'll give it a try later ... perhaps.

    Thanks again!

    ReplyDelete
    Replies
    1. Great to hear :) IIRC I've read some bad things about modifying the eeprom through the controller (lockout after the first try or something along those lines) so I've never tried it, good to know it works!

      Delete
  2. Hi Viktor,

    OK, I have to admit I was a little bit too fast to judge. It was possible to change the EEPROM exactly ONCE and all subsequent attempts to change it again (after restart that is) failed.

    I tried iwleeprom on Linux and DumpIWL on Windows (with current drivers13.x.x.x and older versions 11.x.x.x as well - assuming the drivers could potentially contain different versions of the microcode) but no luck.

    I wonder ... is the card using some form of checksum and when if fails to verify it then the microcode blocks any subsequent writes to the EEPROM?

    Regards, Roman

    ReplyDelete
    Replies
    1. Ack! That's what I feared. Sorry to hear that.
      That could very well be the case, no idea. At least it sounds like that card is still usable with manual driver installation so it's not a complete loss :)
      I _think_ the eeprom is actually a discrete physical chip and not an integrated device so you could possibly desolder and reprogram it externally if it was absolutely crucial but I'm not sure now, It's been a while.

      Delete
  3. My problem exactly. Is there anywhere I can download your patched NETwLx32.sys file? I'm using Windows 8.1 64bit.

    ReplyDelete
    Replies
    1. Never made one for 64bit, sorry.
      Probably not worth the hassle though. It's an absolute pain to get newer versions of Windows (especially the 64bit versions) to accept unsigned, modified drivers from what I remember.

      Delete
    2. u can easily do that. if u turn off test signing off even in windows 10 .

      Delete
    3. Good to know that still works! You do get a permanent message on your desktop that you're running in Test Mode though from what I remember (but it's been years so who knows)

      Delete
  4. Hi, i will try to patch x64 driver for my wifi card from Lenovo T61. I will report soon:-)

    ReplyDelete
  5. This comment has been removed by the author.

    ReplyDelete
  6. Success, card runs on win7 x64 witch patched driver, unsigned.:-)

    ReplyDelete
  7. windows 8.1 x64 works too:-) just change first occurrence 4230h to 4231h, and first occurrence 4229h to 4230h, apply PEchecksumx64, and start windows with drivers signature disabled.

    now i will try to permanently change device ID and subsystem, but i need to know what number should i set for subsystem.

    ReplyDelete
    Replies
    1. Good to know!

      According to the previous poster it's "only" relevant for detection so maybe the driver's INF will have it

      Delete
  8. Hello, it seems that i can not write to my cards eeprom. I try,but there is some verification error. Acording to this: https://code.google.com/p/iwleeprom/issues/detail?can=1&start=0&num=100&q=&colspec=ID%20Type%20Status%20Priority%20Milestone%20Owner%20Summary&groupby=&sort=&id=6

    For me this is death end:-)

    ReplyDelete
  9. Not death yet for me:-) i will desolder eeprom, and with spi programmator put changed firmware:-)

    ReplyDelete
  10. Viktor,
    Thank you for this post.

    I was encouraged to find a solution for my Lenovo laptop with Broadcom AC WiFi (Windows works, no Linux driver) which I replaced with Lenovo manufactured Intel 7260AC WiFi (Windows 'cannot start', Linux works).

    All I had to do was replace two bytes (je xx) for the appropriate device ID with NOPs, fix PE Checksum and sign it with test signing cert. with bcdedit TESTSIGNING ON, I am up and running on Win8.1 x64 - and potentially Win10 x64!

    ReplyDelete
    Replies
    1. Nice! Glad to hear that it still works in 2016 :)

      Delete
    2. Ooh I have the same issue and somehow I cannot get your solution to work. Could you post the driver? That would be very nice. :D

      Delete
    3. I'm sorry. The driver is signed with development certificate from my company. If I post (or hand out the driver personally) it would be a fire-able offence I guess! (The driver would not work on Win8/Win10 x64 without a signature from some certificate)

      Delete
  11. I'm trying to mod an Intel Wifi 4965 AG, I'm trying to rewrite the EEPROM with 4229 rather than 4230. But I'm getting Verfication error at 0010 when I'm trying to write it back to the card with iwleeprom. How can I get the card working? It works in Linux, but not on Windows. What should I do?

    ReplyDelete
    Replies
    1. If you can't write the EEPROM then either it's already been written to once (which locks you out permanently AFAIK) or the newer revisions don't even allow a single write. You could try to modify the driver as described in the article. I don't know of any way to bypass the write lockout (but then again I've never researched the subject after this article was written so maybe Google will be your friend). If you want something that'll work in your device without hacked drivers then you're probably better off tossing the Intel and buying another one from eBay to be honest. miniPCIe WLAN cards used to cost $20-25 but now you can buy some for ~$5 shipped even. (And I'm guessing you already took care of the bios whitelist since you got the non-matching Intel card to pass)

      Delete
    2. What files did you hack from the driver package from Intel? And with what software?

      Delete
    3. See above for both answers.

      Delete