How safe is custom BIOS?

yha
Posts: 9
Joined: Sat May 02, 2020 7:57 pm
Location: Kuwait City, Kuwait

How safe is custom BIOS?

#1 Post by yha » Thu Jun 04, 2020 7:41 pm

Hello,

I have seen practically zero complaints about custom BIOS images like Middleton's and TTav134's. And as much as I appreciate the great work these guys have done, how do I know their firmware doesn't do "evil stuff"? How do these mods work? Do they disassemble the original BIOS, modify, and rebuild? Or do they just look for clues in the images (like whitelisting tables for example, and then inject extra entries and whatnot)? If it's the former, can I get the source and try to build myself? I know I might sound paranoid, but how do I know there are no backdoors or such? (and yes, I know these exact questions apply to vendor images as well like Lenovo's BIOS images or Intel's ME, but at least these are the original manufacturers of the hardware, not some random guy on the internet). BY SAYING "SOME RANDOM GUY", I DO NOT MEAN ANY DISRESPECT TO THESE GUYS OR THE GREAT MODS THEY'VE CREATED. I just want to know if there is a way to verify that these mods are "clean".

Thanks.

MikalE
ThinkPadder
Posts: 1314
Joined: Sun Sep 13, 2015 9:51 pm
Location: Marissa, Illinois

Re: How safe is custom BIOS?

#2 Post by MikalE » Thu Jun 04, 2020 7:56 pm

Risk management.

Do the benefits outweigh the possible risks?

If you are really paranoid, flash Libreboot to a T500 and use Tor browser.
A31p P-IV 2Ghz, 2MB, 2653-R6U
T500 T9600 2055-BE9
T510 i5 4384-DV7
T510 i7 4349-A64
T520 i7QM 4242-4UU Highly Modified

dr_st
Moderator
Posts: 8597
Joined: Sat Oct 29, 2005 6:20 am
Location: Israel

Re: How safe is custom BIOS?

#3 Post by dr_st » Fri Jun 05, 2020 5:21 am

Most of these custom BIOSes have been around for almost a decade, or even longer; if there have been no reports of dangers so far, it's likely they are safe and sound.

A lot of times you can do a byte-by-byte comparison with the original BIOS and see the differences. If you know how to decipher this, you can see exactly what was changed. If not, you can consult someone who does.

If you don't trust closed source in principle, then MikalE's suggestion to use a completely open-source firmware is a good idea.
Thinkpad 25 (20K7), T490 (20N3), Yoga 14 (20FY), T430s (IPS FHD + Classic Keyboard), X220 4291-4BG
X61 7673-V2V, T60 2007-QPG, T42 2373-F7G, X32 (IPS Screen), A31p w/ Ultrabay Numpad, A21m 2628-GXU
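
The byte-by-byte comparison mentioned in the post above, as an added example (not code from the thread or from any BIOS mod author): it groups differing bytes into regions so a reviewer gets a short list of offsets to inspect. The two images are small constructed stand-ins, and the function names and the `merge_gap` parameter are this example's own.

```python
from typing import List, Tuple

def diff_regions(orig: bytes, mod: bytes, merge_gap: int = 8) -> List[Tuple[int, int]]:
    """Return (offset, length) ranges where two images differ.

    Differences separated by at most merge_gap identical bytes are reported
    as one region; a size mismatch is reported as a trailing region.
    """
    common = min(len(orig), len(mod))
    regions: List[List[int]] = []           # each entry is [start, end)
    for i in range(common):
        if orig[i] != mod[i]:
            if regions and i - regions[-1][1] <= merge_gap:
                regions[-1][1] = i + 1      # extend the current region
            else:
                regions.append([i, i + 1])  # start a new region
    if len(orig) != len(mod):
        regions.append([common, max(len(orig), len(mod))])
    return [(start, end - start) for start, end in regions]

def report(orig: bytes, mod: bytes, merge_gap: int = 8) -> List[str]:
    """One line per changed region: offset, length, old bytes -> new bytes."""
    lines = []
    for off, length in diff_regions(orig, mod, merge_gap):
        old = orig[off:off + length].hex(" ") or "(absent)"
        new = mod[off:off + length].hex(" ") or "(absent)"
        lines.append(f"0x{off:06x} len={length}: {old} -> {new}")
    return lines

# Constructed 128-byte stand-ins for a stock and a modified image (not real firmware).
STOCK = bytes(64) + bytes.fromhex("8680224200001122") + bytes(56)
_m = bytearray(STOCK)
_m[66:68] = b"\x85\x00"   # two bytes of a table entry changed
_m[70] = 0x99             # a nearby byte, merged into the same region
_m[120] = 0x01            # an isolated change further on
MODDED = bytes(_m)

if __name__ == "__main__":
    for line in report(STOCK, MODDED):
        print(line)
```

The output only says where the images differ; each region still has to be interpreted by someone who can read the firmware's layout.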

atagunov
Junior Member
Posts: 443
Joined: Thu Apr 02, 2020 3:11 pm
Location: London, UK

Re: How safe is custom BIOS?

#4 Post by atagunov » Fri Jun 05, 2020 8:31 am

yha wrote (Thu Jun 04, 2020 7:41 pm):
    I just want to know if there is a way to verify that these mods are "clean"

No. However in my view Intel Management Engine is a bigger risk.
Custom BIOS may have a backdoor. Intel ME does have it.

I'm running stock BIOS mainly because I'm lazy :)
I'm planning to use custom BIOS-es when there is a reason to (X220 kbd on X230, 4-core CPU on T61, etc)

On the subject of open source BIOS-es.. Libreboot is the more religiously strong version of Coreboot. Coreboot build process I think is:
- you extract stock closed source BIOS using a hardware programmer
- extract some closed source blobs from it like VGA driver
- build Coreboot for your laptop including those blobs
- flash it with a hardware programmer
You can choose to disable Intel ME in the process too. Libreboot is Coreboot without such closed source blobs. So Libreboot supports a very small set of machines. Those where BIOS has been completely reverse-engineered. Coreboot supports a larger set of machines - but still not all of them.

I'd say that if
- Libreboot does not support your hardware
- you trust your stock BIOS
- Coreboot supports your hardware
then Coreboot may be a good option for you - it will be a combination of open source software with publicly visible source code on github and your stock closed source BIOS - which you already trust.
X220, 2 *T520

cadillacmike68
ThinkPadder
Posts: 1213
Joined: Fri May 27, 2011 9:19 pm
Location: Florida

Re: How safe is custom BIOS?

#5 Post by cadillacmike68 » Fri Jun 05, 2020 10:14 am

I never had any problem with Middleton's BIOS on a T61. I'm going to try the TTav134 BIOSs on a T43 and a T42/41 when the systems arrive and I can get a good battery for them. I don't think there is any backdoor in either of these BIOSs. We would have heard about it by now.

The only disaster I ever had on a BIOS flash was using a factory Lenovo BIOS on a T500, which I still haven't fixed yet.
600, 600X
760LD FUBARd
T21 2647 T22 2647 1@ 1GHz SXGA+ 4 more; T23 2647 1@ 1.2GHz SXGA+ 3 more
T30 2366-88U 2GHz; 2366-83U 1.8G; 5@ 2366-LU0/66U; 2367-KU6 FUBARd
T41 T42 T43
T61 8897 2.4GHz SXGA+; 8898 2.4Ghz; 6463 2@ WSXGA+; 7658 2.5GHz; T61p; 6 more T61s
T500 2
T530 W530
