(omg)vflash | Fully Patched nvflash from X to Ada Lovelace [v5.780]

[Deleted member 182555]

Veii doesn't want to leak secrets.
Nobody wants..
Veii asked for secrets, I added a driver that works with GSP.
Until now, there is a problem with certificates even for RTX Turing.

meeting place of big foxes...

 

[Wotwow]

The 2080 uses TU104 while the 2080 Ti uses TU102, 2 different chips. 2080S is based on TU104.

See 10DE:XXXX

meeting place of big foxes...

Please disable bots in the topics on video card firmware.
I generally passed by, but the guys attracted me ..

 

[Deleted member 182555]

See 10DE:XXXX


Please disable bots in the topics on video card firmware.
I generally passed by, but the guys attracted me ..

which bots? avatar?

 

[Wotwow]

which bots? avatar?

It must have seemed....

 

[rootuser123]

See 10DE:XXXX


Please disable bots in the topics on video card firmware.
I generally passed by, but the guys attracted me ..

I know that all those GPUs use different device IDs, I am trying to wrap my head around Falcon GSP concept, so my understanding is, even if we implemented Veii's bypasses in the NVFlash engineering version you posted, cross-flashing won't happen due to Falcon blocking BIOSes with different device ID than the BIOS on your card.

 

[Wotwow]

I know that all those GPUs use different device IDs, I am trying to wrap my head around Falcon GSP concept, so my understanding is, even if we implemented Veii's bypasses in the NVFlash engineering version you posted, cross-flashing won't happen due to Falcon blocking BIOSes with different device ID than the BIOS on your card.

To be honest, I'm not interested.
Changing the GPU ID with a soldering iron is real.
I'm more interested in bypassing certificates.

 

[rootuser123]

To be honest, I'm not interested.
Changing the GPU ID with a soldering iron is real.
I'm more interested in bypassing certificates.

I'm not interested in changing the GPU ID itself, I just want to force flash the 2080 Super BIOS onto it for a higher PL. I don't mind it identifying itself as a 2070 Super still.

 

[Wotwow]

I'm not interested in changing the GPU ID itself, I just want to force flash the 2080 Super BIOS onto it for a higher PL. I don't mind it identifying itself as a 2070 Super still.

Want to play with me how people put graphics card data into Linux to save money and get some features?
This Linux is without stability, security is lost, there is no confidence in the hardware around the clock.
Now, if you flash video cards bypassing certificates, then this is much more stability.
That's a lot of money, Nvidia is doing everything possible to get the money.
If some functions open, then sites with the service will immediately appear. Monitor the situation and wait for the opportunity to pay.
You are unlikely to get information just like that.

 

[StViolenceDay]

TLDR:I found a workaround for

Error Code = 0x0000006C(108): NV_UCODE_ERR_CODE_CMD_EWR_OK_TO_FLASH_CHECK_FAILED

while flashing modified 1070Ti VBIOS (just swapped two letters in the boot message).
However, no actual progress - just got another error code NV_UCODE_ERR_CODE_CERT20_VDPA_NOT_FINALIZED

Detailed:
While trying to just flash a modified VBIOS - I got the

Command Status: NV_UCODE_CMD_STS_COMPLETE
Error Code = 0x00000011(17): NV_UCODE_ERR_CODE_CMD_VBIOS_VERIFY_BIOS_SIG_FAIL
Cert info block will be finalized during flash process.
Program page Start: 0x00000000 Count: 0x2000(8192)
Command id: 0x30000005 Command: NV_UCODE_CMD_COMMAND_EWR failed
Command Status: NV_UCODE_CMD_STS_COMPLETE
Error Code = 0x0000006C(108): NV_UCODE_ERR_CODE_CMD_EWR_OK_TO_FLASH_CHECK_FAILED

Falcon CLOSE

However, if the correct original bios is "reflashed over itself" just before flashing the modified one - the error code changes:

Command Status: NV_UCODE_CMD_STS_COMPLETE
Error Code = 0x00000011(17): NV_UCODE_ERR_CODE_CMD_VBIOS_VERIFY_BIOS_SIG_FAIL
Cert info block will be finalized during flash process.
Program page Start: 0x00000000 Count: 0x2000(8192)
Command id: 0x30000005 Command: NV_UCODE_CMD_COMMAND_EWR failed
Command Status: NV_UCODE_CMD_STS_COMPLETE
Error Code = 0x0000003F(63): NV_UCODE_ERR_CODE_CERT20_VDPA_NOT_FINALIZED

Falcon CLOSE

Attaching full log of those 3 commands executed just after each other.

PS C:\gpu-tools\nvflash> .\OMGVflash.exe -6 .\mod1070ti.rom -L con
PS C:\gpu-tools\nvflash> .\OMGVflash.exe -6 .\orig1070ti.rom -L con
PS C:\gpu-tools\nvflash> .\OMGVflash.exe -6 .\mod1070ti.rom -L con

 

[Wotwow]

LHR ???
Try.

NVflash FALCON_GSP ready to be used.

nvflash secret version NVIDIA ENGINEERING Firmware image updated. - New version: XX.XX.XX.XX.XX - Old version: XX.XX.XX.XX.X InfoROM image updated. - New version: G001.0000.02.04 - Old version: G001.0000.02.04 Update successful. Process Pre-OS App loading. Action: Read EEPROM image. Reading...

www.techpowerup.com

I'm tired of everything.. They want to flash only LHR and it's not clear what. Veii, come to my topic...

 

[zxTheWolfxz]

There is a difference in INFOROM.
GP100.rom (you Inforom), Quadro (Contains modified info from another card)
Your card should recover its inforom after flashing and rebooting.

See Inforom from you card to quadro

So your saying this is a modded or changed vbios that should flash to the Tesla P100?

 

[:D:D]

I wish you would understand. But reading your text, you expect that nothing can be done.

IIRC I gave 3 different examples of what could possibly be done.

Or we use this thread space to contribute information about the process, in order to speed up the research
You decide~

For some reason I felt sorry for you and thought I'd help by letting you know not to bother with 32-bit checksums to help speed up things so I don't understand why you answered like you did, lesson learned I guess.


An example for anyone else worrying about 32-bit checksums. I've taken a Pascal VBIOS and modified it by changing 2 bytes in the legacy section (in one of those unsigned blob sections) so that the 8-bit checksum remains unchanged with the addition of those 2 bytes but the 32-bit checksum doesn't.

For reference only, no modification done by TDP Tweaker program.

Note the 32-bit checksums are different. The 1050ti.rom was flashed first with a standard nvflash and a reboot performed. A backup (--save) was done and compared to confirm the flash. Next the modified VBIOS 1050tiMod.rom was flashed with the same nvflash with success and again a reboot and backup done to confirm.

 

[Wotwow]

So your saying this is a modded or changed vbios that should flash to the Tesla P100?

And so why did you even decide that you can flash it?
Have you decided to compare files by size in the topic?
Are you afraid to flash?
If you are afraid, do not flash ..
You will not sew.
And if you flash this BIOS, it will help to flash INFOROM.
So?

An example for anyone else worrying about 32-bit checksums. I've taken a Pascal VBIOS and modified it by changing 2 bytes in the legacy section (in one of those unsigned blob sections) so that the 8-bit checksum remains unchanged with the addition of those 2 bytes but the 32-bit checksum doesn't.

Related to checking the header parameters and volume size. This trick works up to rtx 3000.

 

[D007]

Can’t wait to see performance comparison charts. This is sick. Nice job guys.

 

[zxTheWolfxz]

And so why did you even decide that you can flash it?
Have you decided to compare files by size in the topic?
Are you afraid to flash?
If you are afraid, do not flash ..
You will not sew.
And if you flash this BIOS, it will help to flash INFOROM.
So?

Sorry I didn't understand your English. No I am not afraid to flash if I was I wouldn't be here.
Why is everyone in such a bad mood tonight, please get over it. Thanks for your help

 

[420frodo]

Gpu Mismatch

 

[W1zzard]

If you read the bios through GPU-Z, then it only reads the area containing some data. Ignoring the empty area.

In other words, the BIOS chip itself can have a volume of 1, 2 or 4 MB.

And in some cases, 2MB of BIOS-data can be stored on a 32MB chip. The rest of the BIOS-memory is just empty.

GPU-Z does not save the full raw flash capacity, only what's relevant. The guarantee is still that the saved images can be used to flash your card. If not, it's a bug and you should let me know

 

[Wotwow]

GPU-Z does not save the full raw flash capacity, only what's relevant. The guarantee is still that the saved images can be used to flash your card. If not, it's a bug and you should let me know

GPU-Z always saves the one changed INFOROM by the driver.
Finding a clean firmware without the modified INFORM is now becoming a problem.

 

[W1zzard]

GPU-Z always saves the one changed INFOROM by the driver.
Finding a clean firmware without the modified INFORM is now becoming a problem.

How does that affect the image? NVFlash saves it like that, too?

 

[Wotwow]

How does that affect the image? NVFlash saves it like that, too?

If the firmware got into the memory of the video card, the drivers change it (inforom). The best thing now is to download a clean firmware from the manufacturer.

 

[zxTheWolfxz]

C:\Users\GPU\Downloads\FALCON_GSP> nvflash -6 QuadroGP1002.rom --index=0
NVIDIA https://wotcheats.ru/   (Version 5.ZZZ.Z)
Copyright (C) 1993-2020, NVIDIA Corporation. All rights reserved.


Checking for matches between display adapter(s) and image(s)...

Adapter: Tesla P100-PCIE-16GB (10DE,15F8,10DE,118F) S:00,B:01,D:00,F:00


EEPROM ID (EF,6013) : WBond W25Q40EW 1.65-1.95V 4096Kx1S, page

WARNING: None of the firmware image compatible PCI Device ID's
match the PCI Device ID of the adapter.
  Adapter PCI Device ID:        15F8
  Firmware image PCI Device ID: 15F0
WARNING: Firmware image PCI Subsystem ID (10DE.11C3)
  does not match adapter PCI Subsystem ID (10DE.118F).
WARNING: None of the firmware image compatible Board ID's
match the Board ID of the adapter.
  Adapter Board ID:        EC3F
  Firmware image Board ID: EC43

NOTE: Exception caught.
Nothing changed!



ERROR: GPU mismatch

 

[Deleted member 218758]

nvflashk is the same fake

It is case sensitive ~ user error
Sometimes you need to write
y
sometimes you need to write
YES
[enter]

you wrote "yes" aka wrong expected value and flash failed.
The same will happen with my edition too.

Veii doesn't want to leak secrets.
Nobody wants..
Veii asked for secrets, I added a driver that works with GSP.

i will check it out
I found something myself while browsing how those capacitor (HW) devID rebrands work.

I'm more interested in bypassing certificates.

I'm interested in working with them.
A bypass has only short lifetime

I'm tired of everything.. They want to flash only LHR and it's not clear what. Veii, come to my topic...

Give me time, this is not my only project and was supposed to be delayed a bit.
Soon~
Need more than one GPU to research myself further.

the files are signed by some skechy russian cheat site if that doesn't raise a red flag for you
well ye been warned

Its interesting why you need specific signing.
You only need to checksum fix your PE after modification.
You could sign it too, but that is the same level as you saying the nvflash is your code.
It belongs to Nvidia

Would the size make a difference when trying to flash and make it fail?
Wondering if it might need some padding.

Wouldn't be
If too big, it will fail
If too small, it will proceed and put padding at the end

 

[Wotwow]

It is case sensitive ~ user error
You only need to checksum fix your PE after modification.
You could sign it too, but that is the same level as you saying the nvflash is your code.
It belongs to Nvidia

Because they found a security bug and Nvidia stopped releasing those versions.
I don't want people to have problems with antiviruses.

 

[Deleted member 218758]

For some reason I felt sorry for you and thought I'd help by letting you know not to bother with 32-bit checksums to help speed up things so I don't understand why you answered like you did, lesson learned I guess.


An example for anyone else worrying about 32-bit checksums. I've taken a Pascal VBIOS and modified it by changing 2 bytes in the legacy section (in one of those unsigned blob sections) so that the 8-bit checksum remains unchanged with the addition of those 2 bytes but the 32-bit checksum doesn't.

My answer was based on how you write. Everyone values your contributions.
Maybe its wrong for me to call it "checksum".

Every ID rebrand (strap) has small checksums
there are then main blob checksums
And there is a file integrity hash ontop.

Based on this foundation, then it is double signed and HMAC hashed for the newer series.
Ti's have one sig, non Ti's have double sig. You can read this out with binwalk (github).
I know that changing some bits which are unsigned flash on Pascal.
Changing bits that are signed, still flashes but driver refuses as card is reported as unsigned. ~ Code43
^ This functionality was then prevented on newer cards ~ newer falcon revision & its OS

Goal is not to cherry pick what is unsigned (although is interesting information where you can place edits to preserve file-integrity)
But goal is to flash an edited file with real edits, and later sign it.
Real goal.

First step is creating a file that is valid for falcon.
in the near future it is to sign your valid file created by an editor and give ability to work with RTX cards.
Fail 5 years ago was creating a file that will flash ~ because disabling Falcon is something we can forget
Sure the Tegra research was valuable and some old cards @ Falcon v4 can work.
But this has no future.

Modifying the driver so that your bootup (hard enough) unsigned card passes the driver check
Also is going thickhead against a brickwall. It has no future either.
It can work for a short time and publishing how also will work for a short time.
But that's not the goal. Its a big security risk, outside of trustloss.

Work with falcon not against it
Build your mods ontop of the foundation i give.
I see a chance and future success. Wouldn't have started it without any chance.

---

EDIT:
CID rebrands with signed files,
seems to be half a falcon half an nvflash issue.
At least the flash portion of it

I have to fix some things for the next update
(likely rewrite it fully once again, as eeprom access issue is a big one i can't just fix without changing approach
~ bug of my ISSI bypass for 2000 series affecting access of some other EEPROM versions // XUSB FW rebrand ability.
i'm such a novice . . .)

Then we have to see what can be done with the help of Falcon.
Nobody else can force that rebrand. HW-Mods can change falcon's outcome
But only falcon can help us. Work with it

---

EDIT2:
Here are 3-4 things which can help you/us for development

GitHub - ChairGraveyard/010-nvidia-vbios: Sweetscape 010 Editor Nvidia VBios Templates

Sweetscape 010 Editor Nvidia VBios Templates. Contribute to ChairGraveyard/010-nvidia-vbios development by creating an account on GitHub.

github.com

A mixture of
https://github.com/dmlloyd/envytools/tree/master/hwdocs for example https://github.com/envytools/envytools/blob/master/nvbios/bios.h // https://github.com/envytools/envytools/blob/master/nvbios/p.c
And

https://github.com/envytools/envytools/tree/master/docs/hw

GitHub - marysaka/ghidra_falcon: Support of Nvidia Falcon processors for Ghidra

Support of Nvidia Falcon processors for Ghidra. Contribute to marysaka/ghidra_falcon development by creating an account on GitHub.

github.com

GitHub - riscv-non-isa/riscv-elf-psabi-doc: A RISC-V ELF psABI Document

A RISC-V ELF psABI Document. Contribute to riscv-non-isa/riscv-elf-psabi-doc development by creating an account on GitHub.

github.com

Low level runs as ELF files ~ RiscV
Nvidia still uses couple of opensource projects ~ but the OS and bits of the design are proprietary.

OhGodATeam's fork is sadly also incomplete
Dump of it, just lists this ~attached file~

This is rather what we want, at very least
But,
Copyleft by a friend~

Most of the interesting values, run in the legacy section of the Bios.
It wouldn't wonder me, if the swap to UEFI and BAR, forced the double bios and annoying signing requirement/behavior.

Sadly i can't create code, i can only modify code and exploit based on logic.
So i rely on you guys.

 

[yoloSager]

Tried to replace GOP for a newest version possible I could find for 3080 (GOP Update Tool does that automatically, much less fuzz then imhexing),
Before that, running nvflashk.exe --version current.rom gave this:

Hierarchy ID          : Normal Board
Chip SKU              : 200-0
Project               : G132-0030
Build Date            : 10/23/20
Modification Date     : 03/13/21
UEFI Version          : 0x60009 ( x64 ) <-- VERSION BEFORE
UEFI Variant ID       : 0x000000000000000A ( GA1xx )
UEFI Signer(s)        : Microsoft Corporation UEFI CA 2011

after swapping the UEFI GOP module:

Hierarchy ID          : Normal Board
Chip SKU              : 200-0
Project               : G132-0030
Build Date            : 10/23/20
Modification Date     : 03/13/21
UEFI Version          : 0x60017 ( x64 ) <-- VERSION AFTER
UEFI Variant ID       : 0x000000000000000A ( GA1xx )
UEFI Signer(s)        : Microsoft Corporation UEFI CA 2011

However, nvflashk.exe cant flash it ...

C:\Users\zero\Downloads>nvflashk.exe -6 current_3080_0x60017.rom
nvflashk pre-release
github.com/notfromstatefarm/nvflashk - Safer GUI version with autorecovery coming by September!
Checking for matches between display adapter(s) and image(s)...
Reading EEPROM (this operation may take up to 30 seconds)
Current      - Version:94.02.42.C0.14 ID:10DE:2206:3842:3885
               GPU Board (Normal Board)
Replace with - Version:94.02.42.C0.14 ID:10DE:2206:3842:3885
               GPU Board (Normal Board)

Update display adapter firmware?
Press 'y' to confirm (any other key to abort):
Reading EEPROM (this operation may take up to 30 seconds)

Nothing changed!
ERROR: Invalid firmware image detected.

Too bad, would love to try this out finally

same problem with my 3090
more people have the same problem with ampere architecture