July 13, 2014

Removing the Thinkpad BIOS WLAN Whitelist

Background

All ThinkPad laptops that ship with an internal WLAN card have a wireless device whitelist built into the BIOS. If the laptop is turned on with a card in the wireless slot whose PCI ID is not found in the whitelist, the BIOS will halt with a message similar to “Error 1802: Unauthorized Wireless Card.” IBM (now Lenovo) claims that this is because the antennas built into ThinkPads require them to get certification from the FCC, the EU and whatever other national regulators apply for each combination of WLAN card and antennas, hence the whitelist of the five or so cards allowed per model.
This is understandably annoying, as the WLAN cards which IBM/Lenovo sells for its models aren’t necessarily the best or the cheapest. So, what can we do?
With my old ThinkPad T41, and I assume other ThinkPads with the same BIOS from the era of the Pentium-M and Mini-PCI wifi cards (T40, T60, R50, X30, X40), this was thankfully not that hard. All you had to do was change a value in the system’s non-volatile memory, which could be done by writing to a port IO address, an easy task in DOS or in Linux using the nvram kernel module and a short C program. The card would still fail the whitelist, but the whitelist check would not be run. (See ThinkWiki.)
With my new X200s this solution doesn’t work, probably because it doesn’t share the same version of BIOS and the wifi card is now of the Mini-PCIe type. However, there are two ways to defeat the whitelist.
The first way relies on the fact that the BIOS only checks the card in the WLAN Mini-PCIe slot: you can install the card in the WWAN Mini-PCIe slot and put tape over pin 20. Pin 20 of the Mini-PCIe standard isn’t defined, but is usually held low (connected by a small resistor to ground). WLAN cards use whether pin 20 is held low to enable or disable the radio circuitry, the radio killswitch toggle. It so happens that a WLAN card in the WWAN slot cannot enable its radio. This method works, and I’ve used it for a year, but it has two downsides. The first is that you need an empty WWAN slot, which you might not have if you use WWAN or your laptop isn’t WWAN capable. The second downside is cosmetic, in that the WLAN-status LED doesn’t work.
The second way is to modify your BIOS so that the whitelist check is disabled. This second way is more elegant, because in the end hardware works how you think it should; more fulfilling, because you have exerted your ownership and mastery of your hardware over the manufacturer’s wishes; and more dangerous, as BIOSes are crufty binary hunks that are hard to fix once broken. PC BIOSes are something between clever horribleness and horrible cleverness. The BIOS found in ThinkPads is made by Phoenix Technology. Modifying a Phoenix BIOS image is difficult and tedious, so why would anyone bother to do this?
Recent versions of Windows bypass activation if they find something called a SLIC table in the BIOS, put there by an OEM. This has caused a large community of Windows PC enthusiasts to reverse engineer most of the major BIOSes. The annoying thing about this from a Linux perspective is that it means you need a working Windows install and you will have to deal with the usual didn’t-need-to-be-a-gui-but-you-made-it-one-anyways software that typifies the Windows world.

Required Resources


  • RW-Everything: http://jacky5488.myweb.hinet.net/ (quality software eh?)
  • Competency

Instructions

    BEWARE: Modifying a BIOS is a potentially dangerous activity. A wrong bit somewhere WILL render the systemboard useless. Do not follow these instructions if you don’t own the laptop or don’t feel like waiting for Lenovo to replace your systemboard for a lot of money. You may want to price that first.

    I do not claim any guarantee of success or correctness of the information which follows. Read at your own risk.

    Using your Windows install, download the latest BIOS update from Lenovo. After it installs the files, opt not to run it automatically. Go to ‘C:\DRIVERS\FLASH\<version>’. Open phlash.ini and add the line ‘advanced=1’ to the [ui] section. You need to flash your BIOS with the original image first, both to ensure that your later patched version is the same version as the BIOS you are currently running (we read tables out of the running BIOS later) and to become familiar with the process of flashing. Run winphlash64.exe (if you’re on 64-bit) and open the file ending with FL1 in the directory which is also ‘<version>WW’.

    Once you’ve flashed your BIOS, and felt a sigh of relief when it booted again, the fun can begin. First, run the program RW-Everything and get a dump of all your ACPI tables in the .rw format. Once you have that, open the same .FL1 file you just flashed in Phoenixtool. After churning, Phoenixtool creates a dump of your BIOS in a directory named ‘DUMP’ inside the directory which holds your image. I’d keep a copy of this dump around for curiosity’s sake. Select Lenovo as the Manufacturer and the .rw file you made earlier in the correct entry. Don’t select anything for the SLIC file option. Check the Log option. Select advanced. In the new dialog that pops up select “No SLIC” and “Allow user to modify other modules.” Once this is done, click Go in the main dialog. Phoenixtool will churn and then pop up a dialog informing you that you have until you click okay to mess around with the files in the BIOS dump directory. Notice that if you had modified the dump before clicking Go, the changes were lost, as the first stage of clicking Go appears to be dumping the image again.

    [Image: Phoenixtool’s Advanced options]

    Leave Phoenixtool waiting for a bit, and go into the dump directory. Copy the files BIOSCOD0[0-9].ROM to a new directory. I would recommend <version>/modules. Run Zender’s Phoenixpatch on the directory you made. You should end up with a BIOSCOD06.ROM.modified. Copy this file over the version of BIOSCOD06.ROM in the dump directory and click okay in the Phoenixpatch modification dialog. Phoenixpatch will create a file named the same as the .FL1 but ending in _SLIC.ROM. This is your new BIOS image. You may notice that the file is quite a bit larger than the original. This is normal, as the regenerated image is not compressed. The SLIC.log should state quite clearly that Phoenixtool found BIOSCOD06.ROM to be modified.

    Open up the new image using winphlash. In the advanced section ensure only the options “Verify blocks after programming” and “Disable Axx swapping automatic detection” are selected on the flags tab and “Update: Update the BIOS and not the DMI” on the DMI tab. After this is done, flash the image and cross your fingers. If all was successful, your system will reboot. Otherwise, you have to take your laptop in for servicing to get a new system board. If your system booted, try installing your new wifi card. If the BIOS lets you boot, you have 100% success.
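A check worth running before the patched module is copied back into the dump directory, shown here as an added example that is not part of the original post: it confirms that a file such as BIOSCOD06.ROM.modified has the same size as the original BIOSCOD06.ROM and lists every run of bytes that changed. The function names, the 16-byte limit and the sample bytes are assumptions made for the illustration; the post does not say how many bytes Phoenixpatch alters.

```python
import hashlib
from pathlib import Path

def diff_runs(original: bytes, modified: bytes):
    """Return (offset, old_bytes, new_bytes) for each contiguous changed run."""
    if len(original) != len(modified):
        raise ValueError(f"size changed: {len(original)} -> {len(modified)} bytes")
    runs, start = [], None
    for i, (a, b) in enumerate(zip(original, modified)):
        if a != b and start is None:
            start = i                      # a changed run begins here
        elif a == b and start is not None:
            runs.append((start, original[start:i], modified[start:i]))
            start = None
    if start is not None:                  # run reaches the end of the module
        runs.append((start, original[start:], modified[start:]))
    return runs

def review_patch(original: bytes, modified: bytes, max_changed: int = 16):
    """Summarise a module patch; 'ok' is False if nothing or too much changed."""
    runs = diff_runs(original, modified)
    changed = sum(len(old) for _, old, _ in runs)
    return {
        "sha256_original": hashlib.sha256(original).hexdigest(),
        "sha256_modified": hashlib.sha256(modified).hexdigest(),
        "runs": runs,
        "changed_bytes": changed,
        "ok": 0 < changed <= max_changed,  # max_changed is an assumed limit
    }

def review_files(orig_path, mod_path, max_changed: int = 16):
    """Same review for two files on disk, e.g. the .ROM and its .modified copy."""
    return review_patch(Path(orig_path).read_bytes(),
                        Path(mod_path).read_bytes(), max_changed)

# Constructed sample data standing in for a module and its patched copy.
SAMPLE_ORIGINAL = bytes(range(64)) * 4
_patched = bytearray(SAMPLE_ORIGINAL)
_patched[0x41:0x43] = b"\xff\xff"
SAMPLE_MODIFIED = bytes(_patched)

if __name__ == "__main__":
    report = review_patch(SAMPLE_ORIGINAL, SAMPLE_MODIFIED)
    for offset, old, new in report["runs"]:
        print(f"0x{offset:06x}: {old.hex()} -> {new.hex()}")
    print("changed bytes:", report["changed_bytes"], "ok:", report["ok"])
```

Keeping the printed offsets and both SHA-256 values next to the saved dump makes it possible to tell later exactly which image was flashed.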
