FreeStyler
Sep 19 2006, 02:57 AM
@all
Some here are ahead of you with some stuff, but it looks like they are holding information, think they want to delay the project until Vista Sp1 comes out

found some stuff in the public domain that might shine some light on things, With a little help from babelfish you should find your way
http://www.crfans.com/Software/Catalog59/1961.html
http://blogxp.org/ArticleShow/81255
http://bios.net.cn/Article/wzpd/BIOSJS/bio...0060608978.html
QUOTE
I like your new app, would it be possible to also do a dump of the address range to possibly give a hint towards the area it’s located. Ie: bios header, DMI, etc. Maybe subtracting 20h from the address. IE: Gateway @ F000:E840 run 'D F000:E820' in debug. It’s not critical.
@xehqter
That's not really needed, we seem to be able to find the exact range for specific slp locations (check the Chinese sites above)
@xehqter
Can you help Siginet to make his tool pass wintrust as well?
LG added thx, nadav

[fs]
vpn-user
Sep 19 2006, 05:54 AM
QUOTE (Bezalel @ Sep 18 2006, 09:45 PM)

QUOTE (vpn-user @ Sep 18 2006, 05:17 AM)

@Bezalel: I am asking about the rapidshare folder because you are also missing some common files. At least "Acer Travelmate" notebooks are sold very well and widely spread but your repository misses the files.
I have all non-obsolete filesets in my RapidShare folder. I will upload obsolete files upon request (if nobody downloads them, RapidShare will drop the files).
Ah that explains it, thank you! And also thank you for re-uploading some files
Siginet
Sep 19 2006, 11:34 AM
QUOTE (FreeStyler @ Sep 19 2006, 03:57 AM)

@xehqter
Can you help Siginet to make his tool pass wintrust as well?
I think it would be a good idea for us to team up and put our ideas together.

So the wintrust... this will actually make it so the files are protected by WFP?
@Everyone can someone with the ability to read Chinese grab that OEM XP tool and begin recording the areas of the bios that we need for each manufacturer? Then maybe post your findings somewhere to help us out?
BTW Why would someone want to wait for vista before releasing something like this? Were you kidding FreeStyler? Or are you serious? lol. We need a tool like this asap. My job is so much easier now that I don't have to activate over the phone so much.
xehqter
Sep 19 2006, 12:36 PM
@Siginet
As best I can see OEM XP Tool saves an image of the BIOS (0xF0000-0xFFFFF), displays your XP CD KEY / Product ID, and gives you a list of known OEMBIOS Address lists. It doesn’t detect the address OEMBIOS uses. Then again I can’t read Chinese. I’ll PM you the list. Is AutoIT capable of making Win32 API Calls?
FreeStyler
Sep 19 2006, 12:46 PM
@xehqter
Use Button #1 [1aAT1/4o+-o] (first button, first tab) and select each one of your OEMBIOS.SI_ or OEMBIOS.SIG files.
For the LG set it returned some Chinese characters which after using babelfish read something like:
CODE
LG OEM, BIOS E000 - E200 'LG Electronics'
It only seems to recognize oembios sets which it already knows the values for, seems hardcoded

QUOTE (Siginet @ Sep 19 2006, 06:34 PM)

So the wintrust... this will actually make it so the files are protected by WFP?
Yes, this will fix the issue with sfc /scannow & wfp, even better....there is no trace in "setuperr.log" after installation, xehqter great job!
Siginet
Sep 19 2006, 03:27 PM
Yeah that is very cool!
severach
Sep 19 2006, 03:41 PM
>So a lot of trial and error to get that range.
You're insane, Goldmember!
What a devilishly clever divide and conquer technique that makes the range clear in a fairly short time.
>So the wintrust... this will actually make it so the files are protected by WFP
These files are all trusted on one system or another so they definitely can be protected by WFP. Somehow you need to twiddle the API to get the new ones trusted before copying them like a service pack or hotfix does. To prevent crashes from damaged media, bad, hacked, or mismatched sets, you could check if the files are trusted before copying.
http://support.microsoft.com/kb/222193/
xehqter
Sep 19 2006, 04:01 PM
QUOTE (severach @ Sep 19 2006, 04:41 PM)

These files are all trusted on one system or another so they definitely can be protected by WFP. Somehow you need to twiddle the API to get the new ones trusted before copying them like a service pack or hotfix does. To prevent crashes from damaged media, bad, hacked, or mismatched sets, you could check if the files are trusted before copying.
http://support.microsoft.com/kb/222193/
twiddling the API

WinTrust.DLL
CryptCATAdminAcquireContext
CryptCATAdminAddCatalog
CryptCATAdminReleaseCatalogContext
CryptCATAdminReleaseContext
Got it from disassembling / on demand debugging signtool.exe
Bezalel
Sep 19 2006, 05:54 PM
What methods are you all using to read from the BIOS? I keep getting an Access Violation error with the following code.
CODE
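#include <ctype.h>

/* Case-insensitive compare of Str against the bytes at Mem.
   Returns 0 on a match, 1 on a mismatch, and 2 or more when a
   non-printable byte is reached (incremented once per matched character). */
int CmpStrToMem(char* Str,char* Mem)
{
    int i;
    if(!*Str) return 0; /* end of Str reached: everything matched */
    if(!isprint(*Mem)) return 2; /* This line is causing the Access Violation */
    if(tolower(*Str)-tolower(*Mem)) return 1;
    i=CmpStrToMem(Str+1,Mem+1); /* Str++/Mem++ passed the old pointers again */
    if(i>1) i++;
    return i;
}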
MGadAllah
Sep 19 2006, 06:09 PM
very smart indeed
xehqter
Sep 19 2006, 09:07 PM
OEMScan v1.21
http://www.msfn.org/board/index.php?showtopic=82638
Validates the OEMBIOS.BIN/SIG/DAT files against the .CAT file before copying. If they're mismatched it won't copy them over.
Copies OEMBIOS.BIN/DAT/SIG to DllCache
Many thanks to severach for the help.
severach
Sep 19 2006, 11:41 PM
Good. Maybe we can run KeyUpdateTool out of town. It seems to be only good for 3 things: checking WinTrust, telling you can't make a change that should be legal, and making your computer never boot again.
http://www.neowin.net/forum/lofiversion/in...hp/t496774.html
FreeStyler
Sep 20 2006, 02:14 AM
QUOTE (xehqter @ Sep 20 2006, 04:07 AM)

Validates the OEMBIOS.BIN/SIG/DAT files against the .CAT file before copying. If they're mismatched it won't copy them over.
Can we run this from commandline to test files "off disc" ?
Randy Rhoads
Sep 20 2006, 10:45 AM
Nice tool.
xehqter
Sep 20 2006, 11:06 AM
@FreeStyler
I knew someone would ask that.. Give me a week, I’m working on a new OEMBIOS project, if it doesn’t work out I’ll add a command line argument that will do a dry-run without copying the files.
FreeStyler
Sep 20 2006, 11:12 AM
I am pretty sure my current files are ok, but you never know...in the future
llm
Sep 20 2006, 11:27 AM
@Bezalel
Hello, I am zl's friend.
Thanks to severach...
FreeStyler
Sep 20 2006, 11:58 AM
llm, is your OEMBIOS.CAT CRC "89799F58" ?
severach
Sep 20 2006, 01:05 PM
Bezalel, please upload to Rapidshare these obsolete files.
eMachines 1B7F1F55
Equus_Computer_Systems 397A095A
NEC_&_Packard Bell 82D4D6A4
>Have you got panasonic's OEMBIOS.
Bezalel doesn't update Rapidshare right away. Panasonic will be there soon.
llm
Sep 20 2006, 07:52 PM
@FreeStyler
oembios.bin de14112c
oembios.cat 89799f58
oembios.dat 002d6594
oembios.sig 9f10320f
We got the same files.
@severach
eMachines 1B7F1F55 is already in Rapidshare
i need
Equus_Computer_Systems 397A095A
NEC_&_Packard Bell 82D4D6A4
OEMBIOS for 2k3
c20d8ff5 dell
cc6cb12c hp
is there any other version?
llm
Sep 20 2006, 08:30 PM
bacb9a77 fujitsu 2002.8.27
it seems not in our list
severach
Sep 20 2006, 09:34 PM
If you see a CRC you don't have just download it and see what it is.
Did anyone notice that you can no longer disable the download of KB905474?
[edit] False alarm. The checkbox is still available for Custom install.
Bezalel
Sep 21 2006, 12:42 AM
QUOTE (severach @ Sep 20 2006, 02:05 PM)

Bezalel, please upload to Rapidshare these obsolete files.
eMachines 1B7F1F55
Equus_Computer_Systems 397A095A
NEC_&_Packard Bell 82D4D6A4
>Have you got panasonic's OEMBIOS.
Bezalel doesn't update Rapidshare right away. Panasonic will be there soon.
I've uploaded the Matsushita set as well as the NEC and Equus sets. The eMachines set was already in RapidShare. (I'm using the names Matsushita and NEC because these names are a closer match to the SLP Strings)
llm
Sep 21 2006, 01:16 AM
I saw your OEMBIOS.DATs
zl didn't tell me it's provided by Bezalel or severach.
I guess Bezalel did.

It lacks amoi, fujitsu1, fujitsu siemens1, greatwall, lg, panasonic:
6 in all.
RogueSpear
Sep 21 2006, 09:42 AM
QUOTE (severach @ Sep 20 2006, 11:34 PM)

Did anyone notice that you can no longer disable the download of KB905474?
I just disabled it from downloading today.
FreeStyler
Sep 21 2006, 10:13 AM
QUOTE (llm @ Sep 21 2006, 03:52 AM)

OEMBIOS for 2k3
c20d8ff5 dell
cc6cb12c hp
is there any other version?
Got an additional set from NEC here, carrying CRC: 5B988ABF
[fs]
xehqter
Sep 21 2006, 07:36 PM
The SLP Strings for Gateway CRC set A04597C6 are ‘Gateway’ and ‘Gateway, Inc’
I think multiple SLP entries refer to the number of different locations the string could be located. Here’s a partial list for gateway (CSI is on), I tested a few of them and they worked. Ohh and the region scanned is E000:0000 - F000:FFFF not F000:0000 - F000:FFFF
These are the 32Bit addresses.
000fe840 = F000:E840 (16bit address)
... Censured myself

never know how that data could be used.
Bezalel
Sep 21 2006, 08:23 PM
QUOTE (xehqter @ Sep 21 2006, 08:36 PM)

The SLP Strings for Gateway CRC set A04597C6 are ‘Gateway’ and ‘Gateway, Inc’
I think multiple SLP entries refer to the number of different locations the string could be located. Here’s a partial list for gateway (CSI is on), I tested a few of them and they worked. Ohh and the region scanned is E000:0000 - F000:FFFF not F000:0000 - F000:FFFF
These are the 32Bit addresses.
000e46c0 = E000:46C0 (16bit address)
000fe840 = F000:E840
List of addresses removed
The 23 SLP strings in the A04597C6 set are all "Gateway", "Gateway,Inc" does not appear in the set. Some of the addresses you listed are valid and some are not.
The actual region scanned is whatever the set specifies. The A04597C6 set searches through 2 256B regions and 21 32B regions. Since the regions are specified as 16 bit addresses any set that searches both the E000 and F000 offsets will have the same string listed twice (000EFFFF+1=000F0000 but E000:FFFF+1=E000:0000).
xehqter
Sep 21 2006, 09:45 PM
@Bezalel
Guess I’ll dig deeper into MGADiag’s code because the results you’re describing are different than mine. Sounds like you’ve been down this road before, any hints you’d like to throw?
Bezalel
Sep 21 2006, 10:31 PM
QUOTE (xehqter @ Sep 21 2006, 10:45 PM)

@Bezalel
Guess I’ll dig deeper into MGADiag’s code because the results you’re describing are different than mine. Sounds like you’ve been down this road before, any hints you’d like to throw?
The OEMBIOS sets contain records protected by multiple methods of encryption and validated with multiple signatures. I'm not going to explain how it is encrypted or post the unencrypted records. Instead I will post the records from one of the sets with the SLP string masked.
CODE
fe00,0010,7,XXXXX
f000,ff00,0100,XXXXX
f000,8000,6000,XXXXX
f000,0000,FFFF,XXXXX
Each entry represents a range to search in and a string to search for (in this case all the strings are the same). There exist versions of this set with only the first 2 and 3 entries. I believe that the first entry contains an entry error (Offset FE00) and no systems were produced with just the first entry. You can see from this example that manufacturers just append information to existing sets so their newer sets would still work on older systems.
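The 16-bit offset wrap-around Bezalel describes (E000:FFFF+1 = E000:0000) and the masked records above, worked through as an added example that is not code from any poster or from OEMScan. The `segment,offset,length` field order is an assumption read off the masked records, and the `e000,fff0,0020` record is constructed to show the wrap.

```c
#include <stdint.h>
#include <stdio.h>

/* One contiguous run of linear (physical) addresses, both ends inclusive. */
struct span { uint32_t first, last; };

/* Real-mode segment:offset to linear address: segment * 16 + offset. */
static uint32_t linear(uint16_t seg, uint16_t off)
{
    return ((uint32_t)seg << 4) + off;
}

/*
 * Expand one record "seg,off,len,..." (hex fields; assumed layout) into the
 * linear spans it covers. The offset is only 16 bits wide, so stepping past
 * seg:FFFF lands on seg:0000, not in the next 64 KB block.
 * Returns the number of spans written (1 or 2), or 0 for a bad record.
 */
static int record_spans(const char *rec, struct span out[2])
{
    unsigned seg, off, len, end;

    if (sscanf(rec, "%x,%x,%x", &seg, &off, &len) != 3)
        return 0;
    if (seg > 0xFFFF || off > 0xFFFF || len == 0 || len > 0x10000)
        return 0;

    end = off + len;                        /* one past the last offset */
    out[0].first = linear((uint16_t)seg, (uint16_t)off);
    if (end <= 0x10000) {                   /* range stays inside the segment */
        out[0].last = linear((uint16_t)seg, (uint16_t)(end - 1));
        return 1;
    }
    out[0].last  = linear((uint16_t)seg, 0xFFFF);
    out[1].first = linear((uint16_t)seg, 0x0000);   /* wrapped part */
    out[1].last  = linear((uint16_t)seg, (uint16_t)(end - 0x10000 - 1));
    return 2;
}

int main(void)
{
    const char *records[] = {
        "f000,ff00,0100,XXXXX",   /* from the thread, string masked */
        "f000,0000,FFFF,XXXXX",   /* from the thread, string masked */
        "e000,fff0,0020,XXXXX",   /* constructed: crosses offset FFFF */
    };
    struct span s[2];

    for (size_t i = 0; i < sizeof records / sizeof records[0]; i++) {
        int n = record_spans(records[i], s);
        printf("%-22s ->", records[i]);
        for (int k = 0; k < n; k++)
            printf(" %05X-%05X", (unsigned)s[k].first, (unsigned)s[k].last);
        printf("%s\n", n == 2 ? "  (wrapped)" : "");
    }
    return 0;
}
```
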
xehqter
Sep 21 2006, 10:46 PM
Ahh, okay..
... Censured myself

never know how that data could be used.
Siginet
Sep 25 2006, 11:06 AM
I went ahead and made some Integrator Addons for xehqter's OEMScan utility. Here is where you can get some.
http://siginet.ryanvm.net/forum/viewtopic.php?t=61
FreeStyler
Sep 27 2006, 03:26 AM
QUOTE (xehqter @ Sep 20 2006, 04:07 AM)

OEMScan v1.21
http://www.msfn.org/board/index.php?showtopic=82638
Validates the OEMBIOS.BIN/SIG/DAT files against the .CAT file before copying. If they're mismatched it won't copy them over.
Copies OEMBIOS.BIN/DAT/SIG to DllCache
Many thanks to severach for the help.
Shouldn't OEMBIOS.CAT be copied to DLLCache as well?
i believe DLLCache directory holds all 4 files, at least it does after a clean install using my original XP disc
edit, **** wrong topic

[fs]
Bezalel
Sep 27 2006, 10:08 PM
I've added the OEMBIOS set for American Future Technology Corporation. This is the Parent company of IBuyPower. I've also reuploaded all the current sets that were dropped by RapidShare. There are currently 37 sets.
http://rapidshare.de/users/LWN7M8
severach
Sep 28 2006, 11:09 PM
Ok, let's try this one more time.
Did anyone notice that you can no longer disable the download of KB905474?
Neowin Post... because it's not there at all!
RogueSpear
Sep 29 2006, 06:22 AM
Now I'm noticing that. I'm doubtful that they would discontinue the program and I haven't seen anything in the news about some kind of court injunction. Perhaps it only gets installed if the WGA validation check fails?
pauluk83
Sep 29 2006, 06:35 AM
hello i have tried this but it still wanted to activate, i am using a packard bell desktop, but as it was given to me formatted i just used an oem cd of xp pro and used a oem legit cd key. any reasons why it wanted to activate still?
I used the oemscan tool to collect the necessary files and copied them to my install disk under the i386 folder? am i doing it right or have i missed something?
Randy Rhoads
Sep 29 2006, 08:45 AM
QUOTE
I used the oemscan tool to collect the necessary files and copied them to my install disk under the i386 folder? am i doing it right or have i missed something?
Some questions you need to answer.
1. Did the pc originally come with XP? (COA XP Sticker on the case?)
2. Did you use the COA key from that sticker or a SLP Key?
3. What OEMBIOS files did you use? (CRC of OEMBIOS.CAT?)
Siginet
Sep 29 2006, 10:07 AM
QUOTE (pauluk83 @ Sep 29 2006, 07:35 AM)

hello i have tried this but it still wanted to activate, i am using a packard bell desktop, but as it was given to me formatted i just used an oem cd of xp pro and used a oem legit cd key. any reasons why it wanted to activate still?
I used the oemscan tool to collect the necessary files and copied them to my install disk under the i386 folder? am i doing it right or have i missed something?
As far as I know it will not work with a regular OEM Windows Key. It must be a SLP key.
xehqter
Sep 29 2006, 01:25 PM
After two weeks of work I wrote an app to decrypt OEMBIOS.DAT files, here are the differences between A04597C6 and C86378C7. For the most part they both search the exact same ranges.
A04597C6
Checks F000:32F0 – F000:3310 (32bytes) for Gateway
Checks F000:3110 – F000:F130 (32bytes) for Gateway
C86378C7
Checks F000:3200 - F000:3220 (32bytes) for Gateway
Checks F000:0000 - F000:FFFF (32bytes) for EMACHINES
@Siginet
You're correct you need an SLP key not an OEM Key
pauluk83
Sep 29 2006, 01:27 PM
it is a key of my old laptop ( that is no longer in use, as i broke it )
i used the following files and here are their crc values
OEMBIOS.SI_ - 3F656CBA
OEMBIOS.BI_ - DAA84E49
OEMBIOS.DA_ - 8C103EDD
OEMBIOS.CA_ - A6E560DE
and the winnt.sif file i modded anyway
hope this helps
xehqter
Sep 29 2006, 01:43 PM
QUOTE (pauluk83 @ Sep 29 2006, 03:27 PM)

it is a key of my old laptop ( that is no longer in use, as i broke it )
i used the following files and here are their crc values
OEMBIOS.SI_ - 3F656CBA
OEMBIOS.BI_ - DAA84E49
OEMBIOS.DA_ - 8C103EDD
OEMBIOS.CA_ - A6E560DE
and the winnt.sif file i modded anyway
hope this helps
Nope, doesn't help.
we need the uncompressed CRC32 for OEMBIOS.CA_
run "expand oembios.ca_ oembios.cat" from the command prompt and post the hash for OEMBIOS.CAT
pauluk83
Sep 29 2006, 03:52 PM
QUOTE (xehqter @ Sep 29 2006, 07:43 PM)

QUOTE (pauluk83 @ Sep 29 2006, 03:27 PM)

it is a key of my old laptop ( that is no longer in use, as i broke it )
i used the following files and here are their crc values
OEMBIOS.SI_ - 3F656CBA
OEMBIOS.BI_ - DAA84E49
OEMBIOS.DA_ - 8C103EDD
OEMBIOS.CA_ - A6E560DE
and the winnt.sif file i modded anyway
hope this helps
Nope, doesn't help.
we need the uncompressed CRC32 for OEMBIOS.CA_
run "expand oembios.ca_ oembios.cat" from the command prompt and post the hash for OEMBIOS.CAT
ahhh well the crc is 2B9D18CF if that helps
severach
Sep 29 2006, 05:05 PM
>ahhh well the crc is 2B9D18CF if that helps
That is the generic CRC for Single User License non preactivated CD's. A SLP key will be accepted if it's an OEM copy but it will demand activation and you won't be able to get it. Those files need to be overwritten with 4 files that are appropriate for your system. Have you followed these instructions to build a new CD?
http://www.msfn.org/board/index.php?showtopic=63258
The 4 OEMBIOS files do not need to be pulled from a running system. You can obtain the necessary files from Bezalel's Rapidshare
http://rapidshare.de/users/LWN7M8
NEC & Packard Bell E32D3612 looks like a good choice.
Google Packard Bell's PID to find a key.
0011903-00109
xehqter
Oct 1 2006, 12:08 AM
New version of my OEMScan util
http://www.msfn.org/board/index.php?showtopic=82638
New Features in V1.3
Fixed bug in BIN/SIG/DAT hash check
Removes unused dllcache\oembios.cat file
Allows you to pass a custom argument to your script
Allows you to specify an exact range to search
Changed scan range from 0xF0000-0xFFFFF to 0xE0000-0xFFFFF
Dry Run parameter to validate OEMBIOS set. run oemscan.exe /d
FreeStyler
Oct 5 2006, 04:45 AM
pauluk83, Did you get it fixed?
Siginet
Oct 7 2006, 07:44 PM
Looks like this project is slowing down a bit.

I guess that is because oemscan is working pretty well.

I have to say it is great to not have to call to activate all the time anymore.

I think I have only had to call MS once in the past 2 weeks... whereas before I was calling them 1-3 times a day!
Randy Rhoads
Oct 8 2006, 01:00 AM
CODE
Manufacturer: Dell Computer Corporation
Model: Dimension 2350
44656C6C 20436F6D 70757465 7220436F 72706F72 6174696F 6E
CODE
-D F000:E800
F000:E800 28 0E 00 00 00 00 01 00-00 01 00 01 02 00 00 00 (...............
F000:E810 00 00 00 00 00 00 1E 50-51 B8 40 00 8E D8 E9 9C .......PQ.@.....
F000:E820 07 77 61 72 64 20 E8 17-98 CB E9 73 FF 65 EB 29 .ward .....s.e.)
F000:E830 90 63 2E 20 41 77 61 72-64 20 53 6F 66 74 77 61 .c. Award Softwa
F000:E840 44 65 6C 6C 20 43 6F 6D-70 75 74 65 72 20 43 6F Dell Computer Co
F000:E850 72 70 6F 72 61 74 69 6F-6E 1E 56 51 BE 40 00 8E rporation.VQ.@..
F000:E860 DE 8A CC BE 1A 00 F6 C4-EF 75 27 51 E8 78 C0 59 .........u'Q.x.Y
F000:E870 FA 8B 04 3B 44 02 75 10-B8 02 90 CD 15 FB E6 EB ...;D.u.........
-
Randy Rhoads
Oct 8 2006, 02:16 AM
CODE
Range | String
________________________
0-FFFF | AcerSystem
0-FFFF | Compaq (2003)
0-FFFF | Dell System (2003)
0-FFFF | Founder PC
0-FFFF | FSC SYSTEM
0-FFFF | FSC SERVER
0-FFFF | FUJITSU-PC
0-FFFF | FUJITSU SIEMENS
0-FFFF | GREATWALL
0-FFFF | HEDYCOMPUTER
0-FFF0 | Hewlett
0-FFFF | Hewlett-Packard (2003)
0-FFFF | HP Pavilion
0-FFFF | IBM CORPORATION
0-FFFF | LEGEND Dragon
0-FFFF | LENOVO
0-FFF0 | NECC_
0-FFF0 | NEC-PC
0-FFF0 | NEC_Product
0-FFF0 | NEC Computers
0-FFFF | TCL123
0-FFFE | TravelMate
0-FFFF | TSINGHUA TONGFANG COMPUTER
E700-FFFF | AMOI Electronics CO.,Ltd
C000-FFFF | ASUS_FLASH
FE00-FFFF | BenQHub
49A9-49B9 | Dell System
E05E-E06E | Dell System
E076-E086 | Dell System
E840-E850 | Dell Computer
E838-E850 | Dell Inc
E840-E850 | Gateway
E710-E810 | $SAMSUNGPC
E600-E606 | MEI_CF
DFC0-E000 | Sony Corporation
FF80-FFFF | Sony Corporation
FF80-FFF0 | Sony Corporation
E800-E880 | Sony Corporation
8000-E000 | TOSHIBA
FF00-FFFF | TOSHIBA
FE10-FE17 | TOSHIBA
I'm assuming the list above means as long as that string is within that range they activate?
"(2003)" reflects Server 2003 and is not part of the string.
What i am trying to figure out is;
1). How can i take a range ..say "E838-E850 | Dell Inc" and know where in the Virtual PC DMI area to place that string.
2). Are some of the above ranges outside of the DMI area of the bios?
Having success with HP Pavilion & Virtual PC, i assume range "0-FFFF" is the Type 1 Manufacturer name field of the DMI area, so i added it in the list although i haven't tested if ONLY that one string there works or if it must require it in the Type 2 area as well.
xehqter
Oct 8 2006, 11:09 PM
There are utilities that read the OEMBIOS.DAT file and output the unencrypted data, knowing the addresses contained within isn’t essential for a few reasons. If a bios contains “Dell Inc” chances are very good it’s a dell. With the exception of gateway all the current oembios file sets I’ve seen contain the obsolete filesets addresses and SLP strings. Collecting memory addresses and bios information isn’t vital to the project anymore. Collecting new OEMBIOS file sets is however.
A distinction needs to be made between specific ranges and broad ranges. For example HP Pavilion uses 0xF0000-0xFFFFF, that range encompasses most of the bios which includes among other things the DMI Tables. Dell uses 0xFE838-0xFE850 which is a very specific range inside the BIOS not the DMI tables.
I’m reluctant to give a detailed answer to your problem because the solution could very easily aid piracy and it isn’t necessary anymore
Like Siginet said, the project is slowing down. The next milestones are Windows 2003 & Vista support.