BDMaster’s GUIDE to Extract Encapsulated Bios

To Extract original bios from encapsulated version You have to find "FLASH" string : Bios has normally a lenght of 4194304 bytes (0x400000) so count from here 4096Kb to get the end. Look as bios is : Encapsulated and Uncompressed ! If You run upgrade utility it will decompress bios and You'll find it as .bin or . rom or .fd file in %TEMP% folder and It could have a different size over 4096kb, but only cause It is encapsulated in a dos or windows .exe program. So look an example : Acer Aspire V3-771G bios v.2.23 VAGV223 Start 0x00000000 (MZ = Microsoft executable program) 4D5A00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000B0000000 MZ.............................................................. Find for "FLASH" in HexEditor : (Remember if You use the decompressed bios file there will be 4 items, but in .exe there are 5, first one don’t count)

1st item : 69440D538356AD4EAF7954D1882B8A35245F49464C4153485F4452565F494D470000570020F754004D5A00000000000000000000000000000000000000000000 iD.S.V.N.yT..+.5$_IFLASH_DRV_IMG..W. .T.MZ...................... Look $_IFLASH_DRV_IMG

2nd item : 00000000000000004923454649234452565F312E32640000244953423338A1DD42C3AE4EB5C9C2D7D613DBB8000000000000000000000000245F49464C4153485F42494F53494D470000400000004000 ........I#EFI#DRV_1.2d..$ISB38..B..N....................$_IFLASH_BIOSIMG..@...@. Look $_IFLASH_BIOSIMG

3rd item : 2442494430313433330000000000000000000000000000000000000000000000BF5041EB1D00000000000000000000000000000000000000CD04F4FF000000000F09E9ABFA000000000000000000F4FF 0000000000000000245F49464C4153485F494E495F494D4700000100C17C0000 $BID01433........................PA.....................................................$_IFLASH_INI_IMG.....|.. Look $_IFLASH_INI_IMG and $BID01433

4th item : 000000000000000000000000000000000000000000000000245F49464C4153485F45435F494D475F0000100000000100020070020008222232323202054ED2AF ........................$_IFLASH_EC_IMG_..........p...""222..N.. Look $_IFLASH_EC_IMG_

So to find Header in encapsulated bios You have to look the 2nd item = $_IFLASH_BIOSIMG and precisely $_IFLASH_BIOSIMG..@...@. 245F49464C4153485F42494F53494D470000400000004000 (in Little Endian 00 00 40 = 40 00 00 = 0x400000 = Bios len !!!) So We have the file End too !!!!!!!! $_IFLASH_BIOSIMG..@...@.

So 400000004000 is the end of Header and after it, start real bios to extract, so create block from last 00 to the first byte of file and cut it !

Now, You will have real bios and Footer encapsulated togheter yet, so You have to point to Footer. So to find Footer in encapsulated bios You have to look the 3rd item = $_IFLASH_INI_IMG and $BID01433

$BID01433 = Real Bios End + 54(Dec) or 36(Hex) bytes, look also 2 bytes repetition (may be F4 FF) they are different in bioses.

244249443031343333 = $BID01433 CD04 F4 FF 000000000F09E9ABFA000000000000000000 F4 FF (2 bytes repetition) 245F49464C4153485F494E495F494D4700000100C17C0000 = $_IFLASH_EC_IMG_..........p...""222..N.. So $BID01433 = Real Bios End + 54(Dec) or 36(Hex) bytes coincides with second F4 FF, this is last byte of Real Bios and all comes after it, is the Footer.

So, select from next byte to last at end of file and cut it. We have now bios extracted and pure, save and use it. But It’s not ended here . . .

Into Bios Insyde UEFI version 1.xx files, We have to do a different extraction for Bios Extraction : We have to find this Marker 0x5AA5F00Fh (It’s Palindromic) and It’s positioned always to 0x00020000h offset, then select all from this offset to the SOF (Start of File) and cut all before 0x00020000h offset remaining 5120 KB (0x00051FE00h bytes), save It, and got the Bios Extracted (Firmware) . . .

. We have now bios extracted and pure, save and use it. But It’s not ended here .

We can extract the Bios Region chunk only from this file so We can use It to generalize a modify, as It is pure and don’t replace any variable in VSS (Variables Store) ! So let get the Extracted file which We have got here and have to find a Bios Region Signature (5F5053575F00 = _PSW_.) this is the starting offset address then the end It will be the EOF (end of file) look here :

How to extract Bios Region only to use in Generalized Bios Region Flash : In Acer Bios File You have to Extract the Decapsulated bios before, then find the Bios Region Signature Bios Region Signature (5F5053575F00 = _PSW_.) or new (4143455241424354=ACERABCT) to know the offsets address for all Bios Regions You have to use UEFI Tool by CodeRush !!! So for this one Acer Aspire V5-171G You'll find Bios Region start at offset 0x180000 and has a size 0x380000 and can copy that hex chunck in a new file, copy from offset address 0x180000 to 0x380000 and get Bios Region Pure to use by FPT tool to reflash as Generalized Bios for all laptops : FPT –f GenBios.bin –bios !!!

So extract this chunk and save as Bios Region, et voila !!!!