Do-It-Yourself to remove the "White-list" restrictions from Lenovo's S10 Netbook

Long, long time ago, in a story not far away.

If you read the story I wrote about a month ago regarding "How to extract, modify and install a Dell 5530 HSPA (and variant) Mini PCI-Express WWAN card on a non-Dell approved system (on a Lenovo S10, per-se)", then you should expect that eventually it will lead into the second part of the story: How to remove the "White-list" on this Lenovo S10's BIOS.

However if you don't feel like reading the previous story and putting a "TL;DR" tag on it, allow me to put the long story short for you. You see, many manufacturers such as Lenovo and HP uses a list called "White-list" in their machines BIOS to limit what peripherals you can use. Not because they are cautious about nasty complain phone calls due to incompatibility issues, but they want to charge you more to buy a commonly available product with their own brand tag on it, thus justify the premium. I ran into the problem by buying an identical WWAN card but instead of being a "Lenovo", it was a "Dell".

I have figured out how to extract the drivers from it's locked down installation files, which I have described in detail from the previous blog (link it up there), but I was stopped by the pesky "White-list" problem from using the WWAN card.

The Saga Continues

After searching online about how the White-list works, I came across some information that states each device, regardless which bus they works on, has an unique Vender ID and a Product ID. Wonder how your OS recognize what device you plugged in? The VID/PID, combines with the corresponding tags in the drivers package, tells the OS what they are and what drivers should the OS use. The BIOS is no exception. During the POST procedure, it checks all the devices for it's class and functionality, assign resources and constructs a basic map of how the OS should react to the hardware layer.

What Lenovo did was they added in some extra BIOS modules to check, if the devices on certain bus such as PCI-Express or USB are actually on the approved device list ("White-listing"). If not then it displays an error and halt the POST until you remove it. Unlike the driver package modification I did previously, this is a hardware-level operation. What does that mean? It's risky and not as easy, or straightforward compared to software-level manipulation.

So how are we going to tackle this problem? Well it's a BIOS-level job right? Not going to be Captain Obvious here, but I suspect we should start from the BIOS.

The Lenovo's S10 (not the -2, or -3s) uses Phoenix BIOS. Compared to other BIOS venders, Phoenix BIOSes are compressed, checksummed and a bit strange to work with. Good thing is, there is the official tool for building and modifying the BIOS: Phoenix BIOS Editor.

The latest version that I can find is Of course it's not supposed to be leaked out to public, but hey that's what the Internet is for right?

Upon opening the BIOS which I have modded with SLIC 2.1 injection, the editor broke the modules down.

The Phoenix's BIOS are built based on modules. The trick here is to locate the "white-list" value in one of the ROM modules, replace it with the one you want to use and rebuilt it. Good thing is with the official tool we can easily open them up and find what we need.

Now go ahead and open the BIOS, keep it open (don't close it) and navigate to the folder where you installed the Editor. By default it's under your Program Files. Now open the "TEMP" folder and you should see a huge list of broken down ROM files.


Finding a needle in a hay stack

Now what? We have all the modules broken down and exposed to us for access, but where do we find this thing?

Remember earlier that I mentioned each device has an unique VID and PID? Maybe, we should look for the value among all these files and see what we can find?

Let's see, quoting from the previous post, the possible VID and PID for the card are:

%Ericsson.Dg_DeviceDesc_WWAN% = ericssondg.ndi, USB\VID_0BDB&PID_1902&Mi_07 ; Generic DG
%Dell.Dg_DeviceDesc_WWAN% = ericssondg.ndi, USB\VID_413C&PID_8147&Mi_07 ; Dell DG
%Lenovo.Dg_DeviceDesc_WWAN% = ericssondg.ndi, USB\VID_0BDB&PID_1900&Mi_07 ; Lenovo DG
%Toshiba.Dg_DeviceDesc_WWAN% = ericssondg.ndi, USB\VID_0930&PID_130B&Mi_07 ; Toshiba DG

So if I look for VID of "0BDB" and PID of "1900", then replace them with VID of "413C" and PID of "8147", I should be in business.

Before you call out the Find & Replace function, there is a little something that you should know: the sequence of the bytes are reversed between the INF and BIOS. What does that mean? For example, the Lenovo's variant is presented as "0BDB" in the INF but in the BIOS it's actually "DB0B". The same concept applies to the PID as well so it's "0019" instead of "1900" in the BIOS.

Now we know what we are going to look for, it's just a matter of time until we find the exact hex value of "DB 0B 00 19" among one of these ROM modules. If your hex-editor supports searching multiple files at the same time, it'll save you a lot of time.

Oh look, I found it:

Let's replace it with Dell variant's VID and PID:

Save and now you can close the hex-editor.

Let's go back to the BIOS Editor. The build-BIOS function is grayed out because we didn't made any changes. That's fine, you can find something, make a little change then change it back. Now you can build the BIOS!

As long as there is no error or warnings, the modded-BIOS we just built should be fine since the tool actually recalculated the checksum and make sure that everything is in working condition before it actually tells you it's OK to use.

Brick, or not a Brick

It's time to flash. Remember, you need to turn off the "Update if only the ROM is newer" option in the WinPhalsh utility, otherwise it won't flash since it's the same version.

Honestly I wasn't sure if it's going to brick it or not. I had my doubts, especially after seeing this just to check if the modded BIOS can be opened again:

Honestly I wasn't sure if I actually broke the BIOS or not with the modification of a few bytes. But what the heck, Phoenix BIOS actually have a crisis recovery method. Google it and you shall be rewarded.

I bite the bullet and flashed it. To my surprise it actually booted and, no more nagging about"Unauthorized WWAN card" anymore!


The Aftermath

Windows sees it, Device manager sees it, Connection Manager sees it...

... and the best part? Lenovo's Wireless Connection Switch utility sees it too!

Of course the most important question is, can I connect to the WWAN? Well let's turn it on and see what happens...


Problem Solved

Finally, after a month and a few days of poking around, I am finally able to use a non-Lenovo FRU part by bypass the driver and BIOS white-list lock down! Now just wait for the SSD to arrive and this S10 will become a true, Netbook.

P.S. I haven't tried the GPS yet, but I think I'll update it once I have the SSD installed.