Don't ask how to hack password. (BIOS Passwords)
#45000 by IntuitiveNipple
Tue May 29, 2007 2:18 am
Can anyone confirm how the checksum is calculated, how many bytes it uses, and how to locate them?

As I understand it the result of summing every double-word (4 bytes) in the file should give the result 00000000. So the checksum double-word is altered to make this happen.

I'm assuming there must be a pointer to the checksum in the file header or in some control block but so far I've not been able to identify it, or deduce it from disassembling the flash tools.

In the R0200J3 BIOS of the Sony Vaio VGN-FE41Z there is no EXTD...CKSM block, but WinPlash still complains about a bad checksum in a BIOS I've modified.

I had to edit the code in ROMEXEC0 to enable VMX Virtualisation (MSR 0x3A, bit 2) because the BIOS disables it and doesn't provide a setup option to override it.

I've rebuilt the WPH by hand (Phoenix BIOS Editor 2.0.x can't handle the TCPA modules) by simply writing the hacked ROMEXEC0.MOD into place in the WPH. It was fortunate the new MOD was the same size as the original so all pointers remained correct.

I had to edit the header of ROMEXEC0.MOD once in place because it was the last one so the linked-list pointer needed to be 0000:0000.

I confirmed the values are correct with phnxdeco 0.33.

Thanks.