• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

(omg)vflash | Fully Patched nvflash from X to Ada Lovelace [v5.780]

  • Thread starter Deleted member 218758
  • Start date
D

Deleted member 182555

Guest
Veii doesn't want to leak secrets.
Nobody wants..
Veii asked for secrets, I added a driver that works with GSP.
Until now, there is a problem with certificates even for RTX Turing.
:D
meeting place of big foxes...
 
Joined
Apr 30, 2016
Messages
21 (0.01/day)
Location
Australia
System Name Win 11 PC / Win 7 PC
Processor InteI Core i9 10900K @ 5GHz/ Intel Core i9 9900KS @ 5GHz
Motherboard Gigabyte Z590 AORUS Master (rev 1.0) /GIGABYTE Z370 AORUS GAMING 7-OP (rev 1.0)
Cooling Noctua NH-D15 / Noctua NH-D15
Memory 128GB Corsair Vengeance LPX 3333MHz DDR4 @16-20-20-38-2T / 64GB Crucial Ballistix 3400 MHz DDR4
Video Card(s) Gigabyte RX 7900 XT Reference / Gigabyte RTX 2070 Super AORUS
Storage Intel Optane H10 512GB SSD + 4TB Samsung 870 QVO SSD / 2x 4TB Samsung 870 EVO SSD Raid 0 + Optane 32
Display(s) ACER G236HL / ACER G236HL
Case Cooler Master K350 / Cooler Master K350
Audio Device(s) Realtek ALC 1220 / Realtek ALC 1220
Power Supply Cooler Master V1200 1200W / Enermax Revolution 87+ 850W
Mouse Dell Keyboard / Microsoft Desktop 600
Keyboard Dell Mouse / Microsoft Desktop 600
Software Windows 11 Pro / Windows 7 Ultimate 64-BIT SP1
See 10DE:XXXX


Please disable bots in the topics on video card firmware.
I generally passed by, but the guys attracted me .. :D

I know that all those GPUs use different device IDs, I am trying to wrap my head around Falcon GSP concept, so my understanding is, even if we implemented Veii's bypasses in the NVFlash engineering version you posted, cross-flashing won't happen due to Falcon blocking BIOSes with different device ID than the BIOS on your card.
 
Joined
Jan 21, 2022
Messages
84 (0.08/day)
I know that all those GPUs use different device IDs, I am trying to wrap my head around Falcon GSP concept, so my understanding is, even if we implemented Veii's bypasses in the NVFlash engineering version you posted, cross-flashing won't happen due to Falcon blocking BIOSes with different device ID than the BIOS on your card.
To be honest, I'm not interested.
Changing the GPU ID with a soldering iron is real.
I'm more interested in bypassing certificates.
 
Joined
Apr 30, 2016
Messages
21 (0.01/day)
Location
Australia
System Name Win 11 PC / Win 7 PC
Processor InteI Core i9 10900K @ 5GHz/ Intel Core i9 9900KS @ 5GHz
Motherboard Gigabyte Z590 AORUS Master (rev 1.0) /GIGABYTE Z370 AORUS GAMING 7-OP (rev 1.0)
Cooling Noctua NH-D15 / Noctua NH-D15
Memory 128GB Corsair Vengeance LPX 3333MHz DDR4 @16-20-20-38-2T / 64GB Crucial Ballistix 3400 MHz DDR4
Video Card(s) Gigabyte RX 7900 XT Reference / Gigabyte RTX 2070 Super AORUS
Storage Intel Optane H10 512GB SSD + 4TB Samsung 870 QVO SSD / 2x 4TB Samsung 870 EVO SSD Raid 0 + Optane 32
Display(s) ACER G236HL / ACER G236HL
Case Cooler Master K350 / Cooler Master K350
Audio Device(s) Realtek ALC 1220 / Realtek ALC 1220
Power Supply Cooler Master V1200 1200W / Enermax Revolution 87+ 850W
Mouse Dell Keyboard / Microsoft Desktop 600
Keyboard Dell Mouse / Microsoft Desktop 600
Software Windows 11 Pro / Windows 7 Ultimate 64-BIT SP1
To be honest, I'm not interested.
Changing the GPU ID with a soldering iron is real.
I'm more interested in bypassing certificates.

I'm not interested in changing the GPU ID itself, I just want to force flash the 2080 Super BIOS onto it for a higher PL. I don't mind it identifying itself as a 2070 Super still.
 
Joined
Jan 21, 2022
Messages
84 (0.08/day)
I'm not interested in changing the GPU ID itself, I just want to force flash the 2080 Super BIOS onto it for a higher PL. I don't mind it identifying itself as a 2070 Super still.
Want to play with me how people put graphics card data into Linux to save money and get some features?
This Linux is without stability, security is lost, there is no confidence in the hardware around the clock.
Now, if you flash video cards bypassing certificates, then this is much more stability.
That's a lot of money, Nvidia is doing everything possible to get the money.
If some functions open, then sites with the service will immediately appear. Monitor the situation and wait for the opportunity to pay.
You are unlikely to get information just like that.
 
Joined
Oct 22, 2020
Messages
43 (0.03/day)
TLDR:I found a workaround for
Error Code = 0x0000006C(108): NV_UCODE_ERR_CODE_CMD_EWR_OK_TO_FLASH_CHECK_FAILED
while flashing modified 1070Ti VBIOS (just swapped two letters in the boot message).
However, no actual progress - just got another error code NV_UCODE_ERR_CODE_CERT20_VDPA_NOT_FINALIZED

Detailed:
While trying to just flash a modified VBIOS - I got the
Command Status: NV_UCODE_CMD_STS_COMPLETE
Error Code = 0x00000011(17): NV_UCODE_ERR_CODE_CMD_VBIOS_VERIFY_BIOS_SIG_FAIL
Cert info block will be finalized during flash process.
Program page Start: 0x00000000 Count: 0x2000(8192)
Command id: 0x30000005 Command: NV_UCODE_CMD_COMMAND_EWR failed
Command Status: NV_UCODE_CMD_STS_COMPLETE
Error Code = 0x0000006C(108): NV_UCODE_ERR_CODE_CMD_EWR_OK_TO_FLASH_CHECK_FAILED

Falcon CLOSE
However, if the correct original bios is "reflashed over itself" just before flashing the modified one - the error code changes:
Command Status: NV_UCODE_CMD_STS_COMPLETE
Error Code = 0x00000011(17): NV_UCODE_ERR_CODE_CMD_VBIOS_VERIFY_BIOS_SIG_FAIL
Cert info block will be finalized during flash process.
Program page Start: 0x00000000 Count: 0x2000(8192)
Command id: 0x30000005 Command: NV_UCODE_CMD_COMMAND_EWR failed
Command Status: NV_UCODE_CMD_STS_COMPLETE
Error Code = 0x0000003F(63): NV_UCODE_ERR_CODE_CERT20_VDPA_NOT_FINALIZED

Falcon CLOSE
Attaching full log of those 3 commands executed just after each other.
PS C:\gpu-tools\nvflash> .\OMGVflash.exe -6 .\mod1070ti.rom -L con
PS C:\gpu-tools\nvflash> .\OMGVflash.exe -6 .\orig1070ti.rom -L con
PS C:\gpu-tools\nvflash> .\OMGVflash.exe -6 .\mod1070ti.rom -L con
 

Attachments

  • different-error-codes.txt
    27.1 KB · Views: 94
Joined
Jan 21, 2022
Messages
84 (0.08/day)
LHR ??? :D:D:D
Try.

I'm tired of everything.. They want to flash only LHR and it's not clear what. Veii, come to my topic... :D:D:D
 
Last edited:
Joined
Sep 8, 2022
Messages
32 (0.04/day)
There is a difference in INFOROM. :D
GP100.rom (you Inforom), Quadro (Contains modified info from another card)
Your card should recover its inforom after flashing and rebooting.

See Inforom from you card to quadro ;)
So your saying this is a modded or changed vbios that should flash to the Tesla P100?
 
Joined
Aug 27, 2023
Messages
302 (0.59/day)
I wish you would understand. But reading your text, you expect that nothing can be done.
IIRC I gave 3 different examples of what could possibly be done.

Or we use this thread space to contribute information about the process, in order to speed up the research
You decide~
For some reason I felt sorry for you and thought I'd help by letting you know not to bother with 32-bit checksums to help speed up things so I don't understand why you answered like you did, lesson learned I guess.


An example for anyone else worrying about 32-bit checksums. I've taken a Pascal VBIOS and modified it by changing 2 bytes in the legacy section (in one of those unsigned blob sections) so that the 8-bit checksum remains unchanged with the addition of those 2 bytes but the 32-bit checksum doesn't.

For reference only, no modification done by TDP Tweaker program.
Flash1050ti.png


Note the 32-bit checksums are different. The 1050ti.rom was flashed first with a standard nvflash and a reboot performed. A backup (--save) was done and compared to confirm the flash. Next the modified VBIOS 1050tiMod.rom was flashed with the same nvflash with success and again a reboot and backup done to confirm.

Flash1050tiMod.png
 
Joined
Jan 21, 2022
Messages
84 (0.08/day)
So your saying this is a modded or changed vbios that should flash to the Tesla P100?
And so why did you even decide that you can flash it?
Have you decided to compare files by size in the topic?
Are you afraid to flash?
If you are afraid, do not flash ..
You will not sew.
And if you flash this BIOS, it will help to flash INFOROM.
So? :rolleyes:

An example for anyone else worrying about 32-bit checksums. I've taken a Pascal VBIOS and modified it by changing 2 bytes in the legacy section (in one of those unsigned blob sections) so that the 8-bit checksum remains unchanged with the addition of those 2 bytes but the 32-bit checksum doesn't.
Related to checking the header parameters and volume size. This trick works up to rtx 3000. :)
 
Joined
Mar 7, 2007
Messages
3,967 (0.61/day)
Location
Maryland
System Name HAL
Processor Core i9 14900ks @5.9-6.3
Motherboard Z790 Dark Hero
Cooling Bitspower Summit SE & (2) 360 Corsair XR7 Rads push/pull
Memory 2x 32GB (64GB) Gskill trident 6000 CL30
Video Card(s) RTX 4090 Gigagbyte gaming OC @ +200/1300
Storage (M2's) 2x Samsung 980 pro 2TB, 1xWD Black 2TB, 1x SK Hynix Platinum P41 2TB
Display(s) 65" LG OLED 120HZ
Case Lian Li dyanmic Evo11 with distro plate
Audio Device(s) Klipsh 7.1 through Sony DH790 EARC.
Power Supply Thermaltake 1350
Software Microsoft Windows 11 x64
Can’t wait to see performance comparison charts. This is sick. Nice job guys.
 
Joined
Sep 8, 2022
Messages
32 (0.04/day)
And so why did you even decide that you can flash it?
Have you decided to compare files by size in the topic?
Are you afraid to flash?
If you are afraid, do not flash ..
You will not sew.
And if you flash this BIOS, it will help to flash INFOROM.
So?
Sorry I didn't understand your English. No I am not afraid to flash if I was I wouldn't be here.
Why is everyone in such a bad mood tonight, please get over it. Thanks for your help
 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
28,004 (3.71/day)
Processor Ryzen 7 5700X
Memory 48 GB
Video Card(s) RTX 4080
Storage 2x HDD RAID 1, 3x M.2 NVMe
Display(s) 30" 2560x1600 + 19" 1280x1024
Software Windows 10 64-bit
If you read the bios through GPU-Z, then it only reads the area containing some data. Ignoring the empty area.

In other words, the BIOS chip itself can have a volume of 1, 2 or 4 MB.

And in some cases, 2MB of BIOS-data can be stored on a 32MB chip. The rest of the BIOS-memory is just empty.
GPU-Z does not save the full raw flash capacity, only what's relevant. The guarantee is still that the saved images can be used to flash your card. If not, it's a bug and you should let me know
 
Joined
Jan 21, 2022
Messages
84 (0.08/day)
GPU-Z does not save the full raw flash capacity, only what's relevant. The guarantee is still that the saved images can be used to flash your card. If not, it's a bug and you should let me know
GPU-Z always saves the one changed INFOROM by the driver.
Finding a clean firmware without the modified INFORM is now becoming a problem.
 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
28,004 (3.71/day)
Processor Ryzen 7 5700X
Memory 48 GB
Video Card(s) RTX 4080
Storage 2x HDD RAID 1, 3x M.2 NVMe
Display(s) 30" 2560x1600 + 19" 1280x1024
Software Windows 10 64-bit
GPU-Z always saves the one changed INFOROM by the driver.
Finding a clean firmware without the modified INFORM is now becoming a problem.
How does that affect the image? NVFlash saves it like that, too?
 
Joined
Jan 21, 2022
Messages
84 (0.08/day)
How does that affect the image? NVFlash saves it like that, too?
If the firmware got into the memory of the video card, the drivers change it (inforom). The best thing now is to download a clean firmware from the manufacturer.
 
Joined
Sep 8, 2022
Messages
32 (0.04/day)
Code:
C:\Users\GPU\Downloads\FALCON_GSP> nvflash -6 QuadroGP1002.rom --index=0
NVIDIA https://wotcheats.ru/   (Version 5.ZZZ.Z)
Copyright (C) 1993-2020, NVIDIA Corporation. All rights reserved.


Checking for matches between display adapter(s) and image(s)...

Adapter: Tesla P100-PCIE-16GB (10DE,15F8,10DE,118F) S:00,B:01,D:00,F:00


EEPROM ID (EF,6013) : WBond W25Q40EW 1.65-1.95V 4096Kx1S, page

WARNING: None of the firmware image compatible PCI Device ID's
match the PCI Device ID of the adapter.
  Adapter PCI Device ID:        15F8
  Firmware image PCI Device ID: 15F0
WARNING: Firmware image PCI Subsystem ID (10DE.11C3)
  does not match adapter PCI Subsystem ID (10DE.118F).
WARNING: None of the firmware image compatible Board ID's
match the Board ID of the adapter.
  Adapter Board ID:        EC3F
  Firmware image Board ID: EC43

NOTE: Exception caught.
Nothing changed!



ERROR: GPU mismatch
 
D

Deleted member 218758

Guest
nvflashk is the same fake
It is case sensitive ~ user error
Sometimes you need to write
y
sometimes you need to write
YES
[enter]

you wrote "yes" aka wrong expected value and flash failed.
The same will happen with my edition too.
Veii doesn't want to leak secrets.
Nobody wants..
Veii asked for secrets, I added a driver that works with GSP.
i will check it out
I found something myself while browsing how those capacitor (HW) devID rebrands work.
I'm more interested in bypassing certificates.
I'm interested in working with them.
A bypass has only short lifetime
I'm tired of everything.. They want to flash only LHR and it's not clear what. Veii, come to my topic... :D:D:D
Give me time, this is not my only project and was supposed to be delayed a bit.
Soon~
Need more than one GPU to research myself further.
the files are signed by some skechy russian cheat site if that doesn't raise a red flag for you
well ye been warned
Its interesting why you need specific signing.
You only need to checksum fix your PE after modification.
You could sign it too, but that is the same level as you saying the nvflash is your code.
It belongs to Nvidia :)
Would the size make a difference when trying to flash and make it fail?
Wondering if it might need some padding.
1693219293703.png

Wouldn't be :)
If too big, it will fail
If too small, it will proceed and put padding at the end
Notepad_spg1EzWmu5.png
Notepad_QNlJIwvF3g.png
 
Joined
Jan 21, 2022
Messages
84 (0.08/day)
It is case sensitive ~ user error
You only need to checksum fix your PE after modification.
You could sign it too, but that is the same level as you saying the nvflash is your code.
It belongs to Nvidia :)
Because they found a security bug and Nvidia stopped releasing those versions.
I don't want people to have problems with antiviruses.
 
D

Deleted member 218758

Guest
For some reason I felt sorry for you and thought I'd help by letting you know not to bother with 32-bit checksums to help speed up things so I don't understand why you answered like you did, lesson learned I guess.


An example for anyone else worrying about 32-bit checksums. I've taken a Pascal VBIOS and modified it by changing 2 bytes in the legacy section (in one of those unsigned blob sections) so that the 8-bit checksum remains unchanged with the addition of those 2 bytes but the 32-bit checksum doesn't.
My answer was based on how you write. Everyone values your contributions.
Maybe its wrong for me to call it "checksum".

Every ID rebrand (strap) has small checksums
there are then main blob checksums
And there is a file integrity hash ontop.

Based on this foundation, then it is double signed and HMAC hashed for the newer series.
Ti's have one sig, non Ti's have double sig. You can read this out with binwalk (github).
I know that changing some bits which are unsigned flash on Pascal.
Changing bits that are signed, still flashes but driver refuses as card is reported as unsigned. ~ Code43
^ This functionality was then prevented on newer cards ~ newer falcon revision & its OS

Goal is not to cherry pick what is unsigned (although is interesting information where you can place edits to preserve file-integrity)
But goal is to flash an edited file with real edits, and later sign it.
Real goal.

First step is creating a file that is valid for falcon.
in the near future it is to sign your valid file created by an editor and give ability to work with RTX cards.
Fail 5 years ago was creating a file that will flash ~ because disabling Falcon is something we can forget :)
Sure the Tegra research was valuable and some old cards @ Falcon v4 can work.
But this has no future.

Modifying the driver so that your bootup (hard enough) unsigned card passes the driver check
Also is going thickhead against a brickwall. It has no future either.
It can work for a short time and publishing how also will work for a short time.
But that's not the goal. Its a big security risk, outside of trustloss.

Work with falcon not against it :)
Build your mods ontop of the foundation i give.
I see a chance and future success. Wouldn't have started it without any chance.

EDIT:
CID rebrands with signed files,
seems to be half a falcon half an nvflash issue.
At least the flash portion of it

I have to fix some things for the next update
(likely rewrite it fully once again, as eeprom access issue is a big one i can't just fix without changing approach
~ bug of my ISSI bypass for 2000 series affecting access of some other EEPROM versions // XUSB FW rebrand ability.
i'm such a novice . . .)

Then we have to see what can be done with the help of Falcon.
Nobody else can force that rebrand. HW-Mods can change falcon's outcome
But only falcon can help us. Work with it

EDIT2:
Here are 3-4 things which can help you/us for development
A mixture of
https://github.com/dmlloyd/envytools/tree/master/hwdocs for example https://github.com/envytools/envytools/blob/master/nvbios/bios.h // https://github.com/envytools/envytools/blob/master/nvbios/p.c
And
Low level runs as ELF files ~ RiscV
Nvidia still uses couple of opensource projects ~ but the OS and bits of the design are proprietary.

OhGodATeam's fork is sadly also incomplete
Dump of it, just lists this ~attached file~

This is rather what we want, at very least
But,
Copyleft by a friend~
1693223089092.png

Most of the interesting values, run in the legacy section of the Bios.
It wouldn't wonder me, if the swap to UEFI and BAR, forced the double bios and annoying signing requirement/behavior.

Sadly i can't create code, i can only modify code and exploit based on logic.
So i rely on you guys.
 

Attachments

  • evga1080ti.txt
    3.5 KB · Views: 98
Last edited by a moderator:

yoloSager

New Member
Joined
Aug 28, 2023
Messages
6 (0.01/day)
Tried to replace GOP for a newest version possible I could find for 3080 (GOP Update Tool does that automatically, much less fuzz then imhexing),
Before that, running nvflashk.exe --version current.rom gave this:
Code:
Hierarchy ID          : Normal Board
Chip SKU              : 200-0
Project               : G132-0030
Build Date            : 10/23/20
Modification Date     : 03/13/21
UEFI Version          : 0x60009 ( x64 ) <-- VERSION BEFORE
UEFI Variant ID       : 0x000000000000000A ( GA1xx )
UEFI Signer(s)        : Microsoft Corporation UEFI CA 2011

after swapping the UEFI GOP module:

Code:
Hierarchy ID          : Normal Board
Chip SKU              : 200-0
Project               : G132-0030
Build Date            : 10/23/20
Modification Date     : 03/13/21
UEFI Version          : 0x60017 ( x64 ) <-- VERSION AFTER
UEFI Variant ID       : 0x000000000000000A ( GA1xx )
UEFI Signer(s)        : Microsoft Corporation UEFI CA 2011


However, nvflashk.exe cant flash it ...
Code:
C:\Users\zero\Downloads>nvflashk.exe -6 current_3080_0x60017.rom
nvflashk pre-release
github.com/notfromstatefarm/nvflashk - Safer GUI version with autorecovery coming by September!
Checking for matches between display adapter(s) and image(s)...
Reading EEPROM (this operation may take up to 30 seconds)
Current      - Version:94.02.42.C0.14 ID:10DE:2206:3842:3885
               GPU Board (Normal Board)
Replace with - Version:94.02.42.C0.14 ID:10DE:2206:3842:3885
               GPU Board (Normal Board)

Update display adapter firmware?
Press 'y' to confirm (any other key to abort):
Reading EEPROM (this operation may take up to 30 seconds)

Nothing changed!
ERROR: Invalid firmware image detected.

Too bad, would love to try this out finally
same problem with my 3090
more people have the same problem with ampere architecture
 
Top