Page 1 of 42

ThinkPad BIOS whitelist (error 1802/1804) *READ 1st MSG*

Posted: Sat Jan 19, 2008 2:20 pm
by Zender
Edit: As of Dec. 4, 2011 it has been suggested that you visit MyDigitialLife for any BIOS assistance. Thank you!

Results of this thread: If you need a modified BIOS, please SEE BELOW, until I post public page with "do-it-yourself" set of tools (1, 2). Most of the time I answer within 48 hours, please don't post to this topic because of BIOS request. Please try to wait the 48 hours before posting to the thread asking for BIOS. Is your wireless upgrade really that urgent?

Patched BIOS is available for (as of 2010-03-01): R32, R400, R500, R52, R60, R61, T43, T400, T500, T60, T61, V200, W500, X200, X200T, X300, X301, X41, X41T, X60, X60T, X61, X61T, Z60, Z61.

BIOS is not available and in near future will not be available for SL300/SL400/SL500 machines, as these use AMI BIOS (not Phoenix), which I have no experience with. If there's anyone who can do some decompression / module separation, please contact me.

Seems S10-2 has AMI (so no patch) and original S10 has Phoenix (so that might get done). Don't know about S10-3 non-T right now (if such thing exists?).


Hello everybody.

Skip this paragraph if you know what an error 1802 or 1804 is. As many of you probably know, ThinkPads have for a long time had a "feature" disallowing us to use an arbitrary Wi-Fi or WWAN card in our machines, nicely defeating all the good things standardisation brings (miniPCIe). After inserting a "not approved" miniPCIe card, the system won't boot up, saying there's an unauthorized card and that it will not continue until you remove it.

Skip to the last paragraph if you don't want to read a boring story full of weird acronyms. I plead guilty for wanting to use a WWAN card meant for T61 in my T60. A perfectly Lenovo-branded one, but it was not meant for my computer. I've done a lot of research on this topic and didn't find any working solution. T4x except for the newest can modify their CMOS, a perfectly safe solution, and disable this check, yet this has been removed from latest T43 on.

For other brands (HP, maybe Dell) doing this, there was a sort of easy solution in editing BIOS file, finding some approved device ID and replacing it with ID of device one wants to use. But Lenovo distributes the BIOS in some compressed form. I've eventually managed to find an utility able to decompress it and now have the BIOS file ready for flashing using WinSplash. Unlucikly, it's still not enough to change some device's ID. The bios file consists of some modules (acpi, vga, bootcode, ...) which can be individually compressed - and that's exactly what most of them are.

A lot of hassle later, I achieved to make phnxdeco decompose and decompress the modules. They didn't have a 27-byte header, which a non-free decomposition tool gives them, which I later discovered, and there are some magic bytes in the header, which are also present in the BIOS image. Fortunately I didn't try to flash that to my machine. Now great success is coming - there's BiosCode module 5, in which I can see the ID of Intel PRO/Wireless 3945ABG with four different subsystem IDs.

Yay. I've found it. The only problem left to solve is - how to recompose the whole BIOS from the separate modules?

Again, a lot of hassle later, I've managed to find a tool which decompressed all the modules correctly (even though it crashed in the end) and successfully used Prepare.exe and Catenate.exe to recompose "something". Comparing it with the original BIOS, it seems too different to me. Not sure why, but I'm not ready to risk that. I need a different way.

So I have the separate BiosCode 5 module and can use Prepare tool to LZINT-compress it. Searching the original BIOS file, it's there, except for a modified header. Nice. Try changing the Intel's Wifi card ID, LZINT-compress... and the file is six bytes bigger. Not that it wasn't expected. Hmm, too bad, I can't just replace it.

Okay, but I have a BIOS composition tool and can try to see what changes when the module size grows. Hmm, seems the BiosCode5 module is placed between another two and there's some free space around. The preceding module gets moved six bytes back. The grown module is also moved six bytes back and has offset and length changed. The following module has offset changed, but stays at the same place. Apart from that, only BIOS checksum has changed, there are no pointers, no other changes. Now that's easy. Replaced. Changed offsets and length. Checksummed. Trying phnxdeco and the other tool to decompose it... they seem to like it. WinSplash seems to like it. Yay.

The only thing left to do is... to try flashing it. I'm not very sure I want to brick my computer, which would cause me quite a lot of trouble now, and even though I'm pretty sure I've done everything correctly, there's always a small chance I've missed something beyond me. For any other laptop, there's a possibility to run a BIOS crisis recovery, by holding Win-B or Fn-B and a few other conditions, one can make the laptop to boot up from a USB floppy drive and restore BIOS even if it's not working. But it seems that it doesn't work for ThinkPads, or I don't know to trigger the mode.

So I ask - is there anyone with a recent machine (I can do the modification for any BIOS) willing to take the risk and flash the modified BIOS with a different Wifi/WWAN card whitelisted (you can choose)? Perhaps if someone had a mainboard with serious not-warranty-covered issues, but which could actually boot. Or if anyone was willing to send it to warranty repair afterwards, if anything went wrong, as "My computer crashed when flashing BIOS." or something. As for the reward I can only offer making a tool to do this for any Lenovo BIOS & miniPCI card.

EDIT: some information were wrong, corrected

Posted: Sun Jan 20, 2008 6:39 am
by Switchcorp
Wow Zender it's quite impressive ! The work you've done is amazing !

I own a X61T (i've seen your reply in the X6 subforum :))... but it's fresh new (6 months) ... so i'm hesitating ! (a 2000 euros Brick is no good for me :p) But on the other hand it would be very nice to put the wwan that we want (and i suppose that it's not limited to Lenovo/Sierra brand).

What would be the consequences of the flash :

- No boot at all ? or boot but with some errors/instabilities ?
- Perfect boot with support of new wwan ?

Posted: Sun Jan 20, 2008 2:40 pm
by Zender
Unfortunately, if the BIOS was really bad, it probably won't boot up at all. Phoenix BIOSes usually have a special recovery mode, which allows them to use a floppy, USB floppy or sometimes even (USB) CD-ROM to load a working BIOS image. Yet it seems this feature was not included by Lenovo.

So I wouldn't really recommend it to someone with a perfectly working machine, even though I'm pretty sure there wasn't anything I could've broken.

As for what can be achived this way, any WWAN/WLAN card should be possible (though still you would have to modify BIOS specifically for the card you want to use), but I'm not sure if all WWAN cards can just work (even if we get past the 1804 error), because they need a SIM slot and (perhaps? maybe it's standard) might not be compatible with the way it's done in ThinkPads.

Posted: Sun Jan 20, 2008 5:46 pm
by Switchcorp
I have putted an Option GMT378 in my X61T and i used to bypass the 1804 error ! My laptop had some problem with energy management because when i came back from hibernate my wwan card wouldn't start anymore and i had to reboot !

Now i've withdrawn it out of the X61T and it's back in the USB modem ... but i would like to buy a Sierra 875U modem (MC8775 inside but non lenovo) .. cheaper than the official MC8775 but with of course a different vendor ID !

It's strange that the recovery mode is unavailable ... they have to pick up a computer each time a flash of bios goes wrong !

Posted: Sun Jan 20, 2008 8:43 pm
by gator
post was locked temporarily, and is unlocked now.

Posted: Mon Jan 21, 2008 4:24 am
by BillMorrow

very interesting work you have done here..

i have two comments..

1. if you're scared to try it on your recent model thinkpad i am even more scared.. :)
so, why not modify (notice how i avoid the word "hack") an earlier bios and experiment with a far less expensive thinkpad, THEN when you prove the concept, try it on your thinkpad..

2. when doing this modification, why bother inserting different yet specific card id's and just bypass the test alltogether..
when the cpu reaches this test it probably does some sort of compare..
and sets a bit or something when true and does NOT set the bit when NOT true..
just make that bit true all the time..
or set it true for ANY comparison, right or not..

an observation:
these tests are not there to frustrate but to comply with FCC (and other nations local RF governing authorities) regs showing that this combination of devices works without causing interference with other RF devices..

meanwhile, good luck with your project here..
i wish you success.. :)

Posted: Mon Jan 21, 2008 6:22 am
by Switchcorp
If a modem WWan is approved by the FCC why would the module inside not be approved if it's putted in a computer ?!

I suppose that Lenovo has to pay for each module certification and that's the reason why it's so limited !

I think that the changes that are done are made this way because it's just a local change of number (the vendor ID). Disable this check means to modify some function in the bios and it's far different than just the vendor id ... am i wrong zender ?

Posted: Mon Jan 21, 2008 2:09 pm
by Zender
Thanks for interesting reply, BillMorrow. People only interested in what's new and not how to do some BIOS-modifications themselves can skip to the last paragraph (Conclusion).

As for point 1, I don't want to try it on my machine, because I really believe there could be someone with a partially working machine which could be used for this. And also being a student with no support from parents, I don't really feel like losing a mainboard of hard-earned ThinkPad :)

Good idea to try it on older models. Maybe even try on some non-ThinkPad notebooks with Phoenix BIOS - because these usually have the BIOS recovery option. I'll check if this would be possible.

As for point 2, I haven't really thought about it, because even though the result would be definitely more convenient, it would be also easier to screw something up and I'm not really an assembler expert :)

Still it's a nice idea and I've given it two more hours of research. Seems I've found the routine which checks device IDs against the list, it's not a problem to make it always return success and maybe even make the modified BiosCode5 same length as original. Actually now I'd say this might make things safer.

One person (not sure if he wants to be named) already said he'd be willing to try it, but when I was writing a guide how to modify the BIOS, I wanted to only use free tools and discovered some discrepancies from my previous understanding. Phnxdeco decompresses everything correctly, but does not give the modules a 27-byte header, which the non-free tool does. In the header, there are things like format identifier, module length and then four bytes, which also seem to be in the completed BIOS file, and if the header isn't present, they will be all zero.

I'm not sure what these four bytes might be for, it's definitely not a good idea not to have them present (so I'll have to modify phnxdeco to output the header), but is it enough just to put them back? Aren't they some kind of checksum? There are no module checksums, only whole BIOS checksum, in the usual Phoenix BIOS, but Lenovo likes to customize things :)

By the way, may anyone want it, phnxdeco 0.33 windows binary. I couldn't find it anywhere, only old version. Slightly modified not to try outputting files with /*?>< in their names.

Conclusion. There's no problem skipping the check. We just have to make sure the four bytes in header really don't have to be changed. For this, I'll check the BIOSes of friends' notebooks with the BIOS recovery option, and if it's there too, will try to do some harmless modification, to see if it breaks.

Small footnote. I haven't sent modified BIOS nor detailed instructions how to modify BIOS to anyone yet. It's not nice to see two topics about BIOS-bricked machines right now.

Bios Modification for WWAN

Posted: Tue Jan 22, 2008 3:22 am
by jinkazama
I'm willing to take the risk on my laptop ( IBM x60t 6365 ).
I have a MC8765 that I'd like to replace with a MC8755 ( I currently have the MC8755 so I can do the test as soon as I have a bios... ).

Posted: Fri Jan 25, 2008 4:23 pm
by diomark

Has there been any progress on this? Badly need to get past the 1802 error on a t60p:(

Posted: Fri Jan 25, 2008 4:36 pm
by Zender
Waiting for the results of testing BIOS modifications on a T41 with bad video chip. The "magic bytes" are there too, so if it can boot when modified and bypass the check, I think we can safely expect the same from T6x. The whitelist-checking routine is almost the same in T41 and T60 BIOS.

Posted: Fri Jan 25, 2008 5:23 pm
by diomark
subscribed:) anxiously waiting for updates:)

thanks for your work on this..

Posted: Tue Jan 29, 2008 8:14 pm
by Jumme

Very cusious to hear how this turns out, as I and many other R32 owners have the exact same problem.

Good work, Zender!
Though my R32 probably have a different (older) white list checking routine, im quite eager to hear if you make it work.

By the way - I seem to have read about someone getting a corrupted, (modified) flashed BIOS reflashed by USB floppy disk, on a ThinkPad.
Ill post a link, if I find it.
(Hope u get my point, and please excuse my bad english).

Posted: Wed Jan 30, 2008 11:48 am
by Zender
I've did a quick check (well, it actually took me about an hour, because I forgot it's not a good idea to search for Intel vendor code in the R32 BIOS, as there weren't any Intel wireless cards back then...) and found the whitelist checking routine, the comparison against list is identical, just some more instructions around, but seems to return success/failure the same way as the T60 and T4x ones).

The "magic bytes" I've talked earlier shouldn't be a concern, because they already were in the T4x BIOSes and you could modify the card IDs without breaking anything, so they're not checksums (or not checked at least).

The only possible problem left might be that changing the return value (a "true/false" value) might not be enough, because there could be some more (verifying?) checks later, so I still don't recommend using it on working machines, until I'm confirmed it doesn't do any harm (waiting for results).

Posted: Wed Jan 30, 2008 12:24 pm
by Jumme
Dunno if this is relevant to you, but here´s a HP owner who crashed his BIOS, but still managed to reflash with a "Phoenix BIOS Crisis Recovery Diskette".

Im gonna just try to switch a number in the whitelist with my own brandnew Broadcom Wireless mpci, I think. :roll:

Posted: Wed Jan 30, 2008 8:47 pm
by Switchcorp
Zender wrote:Waiting for the results of testing BIOS modifications on a T41 with bad video chip. The "magic bytes" are there too, so if it can boot when modified and bypass the check, I think we can safely expect the same from T6x. The whitelist-checking routine is almost the same in T41 and T60 BIOS.
When do you expect to have the results of your test ?

Now i'm hesitating between an onboard wwan (with management by using Fn+F5 to disable it) or a pcmcia wwan card with butterfly antenna (because i don't want to withdraw it from the pc).

:twisted: Why are those Lenovo Cingular branded card so hard to unlock ! :cry:

I hope that your modifications will lead to a free way to bypass Lenovo limitation :)

Posted: Wed Jan 30, 2008 10:41 pm
by Zender
A forum member here said he had a few T4x with bad video chips and would allow them to be guinea-pigs. So when he tests it, then he tests it :)

Though I can do nothing about card locks. Actually now I'm also thinking of buying generic MC8775 because of the hassle connected with unlocking the Lenovo branded one (even if I wanted to use Vodafone, it doesn't have any 3G service here).

great work, t30 for testing

Posted: Thu Jan 31, 2008 5:39 am
by bonnem
Ey Guys,

thanks for the great work so far. I still have the same 1802 with a proper (like Lenovo) Intel wireless card on my T60

I have tried modifying the BIOS also in the past, but unfortunately couldn't find the right scripts for Linux/Mac OSX (no windows here)

subscribed to this page and also waiting for an update. If it's usefull: I've got a spare T30 around for testing. Got rid of the 1802 message there by another script, but maybe Zender wants to test a modification on thatone also.

Posted: Sat Feb 02, 2008 12:55 pm
by Zender
Success has been reported with T30 - thank you very much, bonnem. A not-approved card worked without any other patch (like no-1802 or modifying the whitelist), just the modified BIOS.

Excellent News...

Posted: Sat Feb 02, 2008 1:16 pm
by maimbourg

Excellent news and great work in conquering this restriction.

I have a T60 with embedded Rev 0 Sierra Wireless 5720 card now and looking to plug in the 5725 allowing me to surf at Rev A speeds.

While I waited for someone like you to provide a work around, I have been accessing the net with a USB720 card (has the Sierra 5725 wireless mini PCI-E card inside) and I am looking forward to embedding the 5725 into my T60.

I am looking forward to loading the modified BIOS, please let us know the next steps (at your convenience of course).

Re: Excellent News...

Posted: Sat Feb 02, 2008 2:03 pm
by Jumme
maimbourg wrote:I am looking forward to loading the modified BIOS, please let us know the next steps (at your convenience of course).
+1, only with Thinkpad R32 here.

To avoid any misunderstadings with the No-1802 patch, one could always flash a working machine with newest BIOS, and then clear CMOS, BEFORE loading Zenders modified bios.
That should "undo" (remove) the 1802 patch, to avoid mix match.


Posted: Sat Feb 02, 2008 3:27 pm
by Zender
Next step is the R32, it's exactly the same modification as T30 BIOS, so nothing should go wrong.

And also will try to modify a compressed BIOS module in the T30 BIOS, as that will be needed for T60's whitelist.

Posted: Sun Feb 03, 2008 11:36 am
by Switchcorp
It sounds very interesting ! Keep going on ;)

Posted: Sun Feb 03, 2008 3:14 pm
by Jumme
darn, let me the one to post;

Zender's solved the problem.
I can happily repport a Thinkpad R32 being flashed with Zenders moddet BIOS file, skips the 1802 with a BraodCom 4306 Wireless lan card installed.

I flashed by an USB disk drive.

Congratulations, Zender, for work well done !!

T60 Next...

Posted: Sun Feb 03, 2008 6:10 pm
by maimbourg
Congratulations on your success on the R32.

Posted: Sun Feb 03, 2008 6:15 pm
by Zender
Next and last step before trying on a T60: I've modified a compressed module in the T30's BIOS, there are only three modules compressed, so I've chosen the BIOS setup and modified some place where it reads system time to load seconds as minutes. Luckily the compressed filesize didn't change. If it works alright, I think there's basically no risk for the T60.

Posted: Mon Feb 04, 2008 11:09 am
by Holmsteen
Hi. I have the X60s, i tried to fit it with this AR5008E 802.11 a/b/g/n XSPAN 300Mbps but no luck, must remove and restart... can i use this new bios fix?.

Kind regards


Posted: Mon Feb 04, 2008 1:21 pm
by SHoTTa35
hmmm :) i'd love to get my T60 with the Intel ABGN card so i can finally upgrade while keeping some of the power draw down. The IBM Thinkpad ABGN one works as far as i read but i want the Intel one :)

Oh and yeah, Subscribed!

Posted: Mon Feb 04, 2008 5:03 pm
by Zender
I've been confirmed by bonnem that modification of compressed module in T30's BIOS worked and actually did what I'd expected from it :)

I think we can now advance to current machines. I'd say the possibility of something going wrong is now as near to zero as it can be.
Still, I cannot risk being without a working laptop for days, now when it's exam period, so anyone here brave enough to try? I'm willing to pay half of the cost of a new mainboard, if my BIOS modification proves to be faulty. Any ThinkPad machine should possible, just point me to a BIOS update meant for your laptop.

Posted: Mon Feb 04, 2008 5:22 pm
by efrant
I'd be willing to try it on my T60p, but at the moment I don't have another wireless card. If someone in the Montreal area is willing to lend me a wireless card for the test, I'd be happy to test it out and return the card.