AES-NI support in TrueCrypt (Sandy Bridge problem)

The guy I talked to at Xotic couldn't test it unfortunately, but did sent it on to his contacts over at Asus. I also tried asking Ken Lee at Gentech, and though he seemed willing at first, I haven't heard anything from him about it after I mentioned I got a bad flash going back to the original. He could just be busy though.

In theory the modified bios should be fairly safe provided the flashing itself doesn't go wrong, but ideally I'd want someone to test it who has the ability to swap in a CPU guaranteed known to work with AES-NI, just in case. I did find a recovery procedure that might help if the CPU type is an issue, but I'd rather not people have to try it out.

 

I've gotten a response from ASUS support, it sounds almost positive, yet not.

Thank you for contacting ASUS Customer Service.
My name is XXXXXX and it's my pleasure to help you with your problem.

I'm afraid all our BIOS updates are created at our HQ in Taiwan.

I have submitted your request, unfortunately we do not have a estimated time
frame in these cases due to the number of BIOS requests we get.

We hope we have been of assistance.

 

The plot thickens. Teazle was unable to get AES-NI working with the 2630QM. A bug in the modded firmware for the G73SW was also confirmed that basically disabled the Ethernet port. With those caveats in mind, I'll release the firmware if anyone else wants to try their luck:

BIOS http://dl.dropbox.com/u/8126588/G73SW205_AES.zip

Those links are not permanent and may be taken down at any time, but I'll keep them up for now.

EDIT: removed link to AFU, as that may have been the source of the Ethernet issue. Use Easyflash from the BIOS instead if you really want to try this, but backup your original one first. It also may not have been AFU that's the problem and could be something else - caveat emptor.

 

That is correct - on my system with the modded BIOS i could not get AES-NI detected. However, as Skywise stated, I lost Ethernet.

What is more surprising though is that I've since gone back to original BIOS. And I still don't have Ethernet properly, the device cannot start Windows says.

So just to be safe: BE WARNED - there is something odd going on with BIOS-tampering and the Ethernet-port currently.

Updates will be provided as I discover anything.

 

The BIOS has only been modified to change one byte in the CPU initialization section for the MSR and a checkum byte. The rest is the same so seems odd your having ethernet problems. What did you use to flash? AFU can have problems recognizing some parts of the firmware, better IMHO to use Easyflash and it is probably better to reflash the original backup of the BIOS than a downloaded one if problems occur. Always a good idea to make an original backup before doing any flashing regardless of a normal or modded BIOS being flashed. This can also be used to order a new BIOS chip pre-programmed should things go very wrong and a lot cheaper than replacing a mainboard.

 

I've had Ethernet disappear on the normal BIOS too, so I agree with your scepticism about it, but at the moment I cannot restore Ethernet.


I might try to reinstall windows, as I have a faint recollection I lost Ethernet while fiddling with whole system encryption in TC and Windows 7. I did use AFU and did make an original backup, which I used to restore BIOS. Has so far not helped me return Ethernet. Maybe Windows 7 doesn't like you fiddling with BIOS?

I can open Ethernet PXE boot from BIOS fine, of course, it doesn't come further as I have nothing configured there.

I also tried using EasyFlash to flash back and forth, no AES-NI or Ethernet so far - Going steady on WLAN atm.

 

Teazle, would you please give a step by step from the first flash. What did you use and which option switches? How and when did you make your backup?

 

New BIOS was released for my notebook N53SN:
BIOS 207
1.Change EC firmware to 202D09
2.Restrict system memory frequency at 1333 MHz.
3.Change Intel VGA VBIOS to 2117 , and adjust timing for Samsung 15’6 FHD panel.
Let's try it, but I got no hopes for AES-NI

 

I used AFU to recover the original rom, using afuwinx64gui.exe with option save.

After this I flashed with afuwinx64gui.exe using option Program Main Bios Image, Boot Block and NVRAM.

I have Comodo Internet Security installed, with all options disabled (even one option that does not follow Systemprotection disable setting - Executioncontrol level) and AFU was run in admin mode.

Reboot computer - No AES, No Ethernet.

Tried again, from custom BIOS - to flash to custom BIOS again, this time using "Program All Blocks" in AFUWINx64GUI run in Admin-mode.

No change.

I went to EasyFlash and flashed again with the custom BIOS.

Still no luck.

Used EasyFlash to flash back to original BIOS - BIOS flashed properly but Ethernet is still gone.

next I tried AFUWINx64 from commandprompt, cmd.exe started in Admin mode. Flashed to custom BIOS with options /P /B /N /E /K /REBOOT

No change.

Reflashed to original image using afuwinx64 commandprompt using same switches.

No change.

Now, I realise I should probably have gone to original BIOS before attempt additional flashes, but alas, I did not.

Necroman: Tell us the result

 

Okay, maybe you can PM a link to a copy of your backup firmware. I wonder if Skywise used AFU to flash as well?

 

I can't make out which is the original anymore, after I did the original restore I renamed the file in all sorts of idiotic manners - I don't know which it is, it might actually even have gotten deleted. That's just bloody wonderful. I'm quite upset with myself right now.

edit: So, here I sit now: I cannot restore Ethernet capability on my laptop - using PXE boot I notice that router suddenly reacts to cable - BUT: Nothing happens, PXE Boot ROM says it doesn't recieve DHCP. it also shows MAC Adress as FF FF FF FF and GUID FFFFFFFF-FFFFF (or some such, all F's atleast) and I'm quite sure that is not normal. Until I can figure out why this is, doing anything in Windows won't restore Ethernet. Have even tried installing Linux just because to test - it cannot detect cable either.

So, a bit off topic but: Is there anyone who have an idea what I could do about this? any BIOS changes (changing version or changing settings) just won't do me any good.

 

Should be able to tell which is a backup and which isn't by looking at the beginning of the file. A backup will probably have some data after the first 16 bytes whilst the update will have only FF's.

Perhaps AFU has erased the Gbe section, erased bytes are set to FF. Personally I wouldn't use AFUxxx to flash, maybe okay for backup or checking file integrity but from my own experience it doesn't correctly recognize all of the firmware. Would be nice to know how Skywise flashed.

If you can find someone with the same notebook and working Gbe and ask if they would send a backup of the BIOS that might help too.

 

Yeah, I used AFU to flash the modded firmware too. Could very well be that's the issue.

 

Which switches did you use Skywise? Since the mod is in the BootBlock then that should be all that is needed if flashing over the same version BIOS. I would still have reservations with AFU doing things correctly though.

 

What would be your recommendation then? I'm not quite sure that it was the BIOS itself that made my error occur, as I lost Ethernet for a few hours when I first recieved my computer but didn't think much of it as I fiddled around in Windows and it started working.

Anywho, I will return my computer to ASUS in the start of next week or so - depending on the outcome, I may not be deterred from trying again.

 

My recommendation would be to not flash until an answer can be found for the disappearing LAN. At the moment it is speculation more than anything else. Did you have any luck finding your original BIOS? If not maybe you could send me a backup of the broken one.

 

Updated BIOS on my Asus N53SN to latest original v207 and guess what, AES-NI still disabled, just what I expected

 

make a technical request at vip.asus.com for a new bios with AES enabled

 

Maybe Pet4r is willing to provide a backup of the original BIOS for testing on Teazle's laptop?

I've updated the post with the BIOS link to reflect the AFU issue and backups.

 

Original full backups should only really be used on the laptop it was backed up from as it should contain information relative to that particular laptop.

I would like to see a good backup from a 100% working BIOS and one with broken LAN to see if it is indeed that the Gbe section is corrupted.

Seems G73 uses Realtek instead of Intel so forget about the GbE section.

 

Already done two times with no success, see the history in this thread

 

Just for the record...

I have a Dell Inspiron N5110 with Intel Core i7 2630QM processor. When I purchased it, indeed it had the AES-NI instructions disabled. CPU-Z showed nothing, also in the Linux kernel message log there was a line with AES-NI not detected.

However with the latest BIOS upgrade (A07 - released on 20 July) this was fixed. CPU-Z and the Intel Processor Identification Utility now reports the AES instructions. Also the Intel AES Demo application works well with AES.

 

Teazle, have you tried the official BIOS from ASUS's site? It would erase all your settings (all the available 5-6 options) but it should work. I am not sure what happens to EFI boot options in case you flash your BIOS with the official one.

I can backup my BIOS and send it to you if you want. Should I use Easyflash to backup the BIOS?

 

bszente: Cool, that would be the second (or third) one to confirm that i7-2630QM indeed does have AES-NI.

Pet4r: In EasyFlash I have not seen an option to backup a BIOS image, I've had success (atleast if I examine the files, based on my limited knowledge, with ExamDiffPro) of recovering a working one with AFUWINx64GUI.

According to Dufus me using your BIOS might not be good, but I'm willing to try just about anything at this point and take the consequences as they arrive.

 

I'm raging (politely but firmly) on the Asus Vip member support asking them to release a bios with proper flag set.

 

I suggest you get in contact with Intel if you aren't getting anywhere with Asus. They have an online support live chat feature. When I spoke to the representative they assured me there was no reason the feature should be disabled and told me to contact them again if Asus were not helpful.

 

Another guy with N53SN tried Asus support line with question about AES-NI with this simple response:
no luck, tried and got:

That's interesting how almost each single answer from Asus support is different

 

So, I got my computer back from ASUS today. And they haven't fixed jack-****, even though it says so on the return form. SOoooooo I will send it in, AGAIN. So in maybe the start of next-next week I can get back to working on AES.

 

Not so fast. I'll see what I can do about getting you a back up of my (now working) regular BIOS.

 

Okay, thank you for that, now network works again. However, flashing to the AES modified one does not get me AES-NI. But atleast it doesn't break my ethernet anymore

It would appear that it was APTIO that broke ethernet, flashing with EasyFlash2 seems to work better.

Any ideas?

 

You mean AFU, not aptio. I flashed the modded bios again using EasyFlash, and it works fine on my 2720qm now, AES-NI and Ethernet.

 

Correct, AFU, not aptio.

I'll try flashing again, though not this instant. at the moment I have ethernet, but no AES-NI

 

This is now on the bottom of every Sandy Bridge Processor Spec sheet.

Let's use this to push our OEMs harder to do this.

 

Another BIOS for Asus N53SN, but it does not look like AES-NI support was added
BIOS 208
1.Fix PCIE TV Tuner no function bug
2.Fix USB keyboard no function in DOS.。(WUT?)
3.Optimize Realtek LAN Device

 

Just for info. The new BIOS update 306 for N73SV, that is nothing else than the BIOS for X7BS, supports AES-NI now!

The encryption/decryption is now five times faster than before.

Thank you ASUS - thank you Intel for your awesome Sandy-Bridge architecture.

 

Let's hope they will push it to N53SN/SV platforms.

 

Now this is interesting - there is no mention of AES-NI on the BIOS page - it will be interesting to compare changes between the last BIOS without AES-NI and the current, what was changed... and maybe apply the same modification to other Asus BIOSes?
ASUSTeK Computer Inc. -Support- Drivers and Download N73SV

 

Just updated too.

Funny, this came two days after I got this as a response from ASUS central via local ASUS representative when I tickled them with Intel's paragraph above.

 

I really can't help you with the changes except the AES-NI support, that I didn't expect from ASUS.
But I'm really lucky now. Before the AES-NI support, Truecrypt's average HDD performance for a 200MB file was something around 500MB/s here. Now, with support, 2.6GB/s. That's a big performance boost.

 

So, I've once again flashed my G73SW with the modified 205 BIOS, I cannot enable AES on i7-2630QM, but Skywise can on i7-2720QM. There is something else blocking it in the BIOS code?

Until an update has come around for G73SW, the modified BIOS enables AES-NI for 2720QM (amongst others perhaps) but not at 2630QM.

 

Hey guys,
I have just successfully enabled AES-NI on my N53SV (with 2630QM)! This should work on most sandy-bridge laptops with AES-NI disabled.
I'll explain to you how I did it but I have to warn you: these steps are a bit involved. Also THIS IS ENTIRELY AT YOUR OWN RISK.
The idea is based on this pastebin entry describing how to do it on certain lenovo laptops: Unlocking AES-NI on certain Lenovo notebooks models with UEFI (Insyde) firmware - Pastebin.com

Ok, first we need phoenixtool, get it here (I used v1.91): Tool to Insert/Replace SLIC in Phoenix / Insyde / Dell / EFI BIOSes
Second, get the latest BIOS from the asus website (I used v214).

Now we open the bios file using phoenixtool, let it think for a while. Now select manufacturer ASUS and click the 'Advanced' button.
Tick these boxes:
- "Ask prior to each modification"
- "Allow user modification of modules"
- "Always allow user modification of modules"
- "Allow user to modify other modules"
- "Extract modules when verifying"
- "No SLIC"
- "Process all compressed modules (EFI)".
Click Done and click Go.
After a while it will prompt "You can now make manual alterations to any module in the DUMP directory", DON'T click OK yet!

I happened to have MinGW ( http://www.mingw.org/), together with MSYS installed on my system. If you read the stuff below and have absolutely no idea what I'm doing, it's actually pretty simple. First I disassemble all binaries, then I look for an instruction containing 0x13c.
I used the MinGW shell to navigate to the DUMP directory and executed the following command:

Code:

for i in *; do objdump -D -b binary -mi386 $i > $i.asm; done

But of course you can also use your favorite disassembler
Next command I used is:

Code:

find . -iname '*.asm' | xargs grep -li 0x13c[^0-9a-f] > interesting_files.txt

Which will create a list of files containing 0x13c (the address where the AES-NI configuration bits are stored)
Next command I used:

Code:

for i in `cat interesting_files.txt`; do echo $i; grep -i 0x13c[^0-9a-f] $i; done

This gives me the following output:

Code:

./2BB5AFA9-FF33-417B-8497-CB773C2B93BF_1_739.ROM.asm
    2448:	bb 3c 01 00 00       	mov    $0x13c,%ebx
./A062CF1F-8473-4AA3-8793-600BC4FFE9A8_1_300.ROM.asm
   1dfd3:	67 66 26 8b 87 3c 01 	mov    %es:0x13c(%bx),%ax

The first file seemed very interesting, hence opening it and jumping to the offset yielded:

Code:

    2448:	bb 3c 01 00 00       	mov    $0x13c,%ebx ; sets EBX to 0x13c
    244d:	53                   	push   %ebx
    244e:	e8 bd 00 00 00       	call   0x2510 ; copies the AES-config to EAX
    2453:	59                   	pop    %ecx
    2454:	8b c8                	mov    %eax,%ecx
    2456:	89 55 dc             	mov    %edx,-0x24(%ebp)
    2459:	83 e1 01             	and    $0x1,%ecx
    245c:	33 d2                	xor    %edx,%edx
    245e:	0b ca                	or     %edx,%ecx
    2460:	75 10                	jne    0x2472 ; Jumps if config is already locked
    2462:	ff 75 dc             	pushl  -0x24(%ebp)
    2465:	83 c8 03             	or     $0x3,%eax ; <== Sets the first two bits of EAX to 1, WE NEED TO PATCH THIS
    2468:	50                   	push   %eax
    2469:	53                   	push   %ebx
    246a:	e8 a8 00 00 00       	call   0x2517 ; writes EAX to the AES-config

The first bit of the AES-config means it is locked for writing, the second bit means AES-NI is disabled.
So if we change "or $0x3,%eax" (first two bits) to "or $0x1,%eax" (only first bit), we will enable AES-NI. Hence 83 c8 03 needs to be changed to 83 c8 01.
I used a hex editor to open 2BB5AFA9-FF33-417B-8497-CB773C2B93BF_1_739.ROM, patched offset 0x2467 and set it to 01.

Now I clicked OK in phoenixtool and it created a nice new bios image, which I flashed using winflash (using /nodate as a command line argument since it would not flash otherwise because I'm not upgrading). Rebooted and it WORKED!

Remark: If your BIOS seems to contain a section 2BB5AFA9-FF33-417B-8497-CB773C2B93BF_1_739, it is probably the first place to look for the instruction to patch. It may even be exactly the same as mine, so you may want to try looking at offset 0x2467 first.

 

Thank you!!!! It worked like a charm on my Asus A53E! The rom and address were the same as yours which made it extremely easy to do the mod. HERE is a link to my modified BIOS. It's version 214 for Asus A53E and K53E laptops.

Proof: http://imgur.com/a/8Uxqy

 

please make bios 208 for N53SN!!!

 

It was easy. Yours has the exact same section, here is the modded version:
N53SNAS_AES.208

I'll also post mine for the N53SV since I have it laying around anyway:
N53SVAS_AES.214

Try doing this yourself first, people.

 

@carlicious

Which version of WinFlash did you use? I assume flashing with EZFlash won't work because of the build date check.

 

I used the latest from the ASUS website, just use cmd.exe and cd to the winflash directory and type winflash /nodate, it should then accept any bios image.

 

Thank you carlicious!
I flashed the modded BIOS you provided for the N53SV and it worked perfectly!

 

Do any of you have confirmation that flipping a bit in the BIOS is actually turning on AES-NI functionality on the Intel CPU? e.g. volume encryption benchmark, etc?

HP is claiming the 2630QM doesn't actually support AES-NI and HP is also claiming the Intel website cpu spec page is wrong.

 

There are 2630QM's out there with AES-NI enabled, google should help you find them.


One of the posters here flashed a modded BIOS with the MSR set to AES-NI enabled and still didn't get AES-NI. My thoughts on this is that it possible Intel initially might have released the 2630QM with AES-NI fused off and later changed the fusing (enabling CPU functions on the die) to enabled. This is something that would have to be chased up on with Intel, perhaps by trying the Intel processor support forum to start with.

Easy enough to check by showing MSR 0x13c enabled for AES-NI (MSR 0x13c bit 1 clear and bit 0 set) but CPUID still showing AES-NI not available. Also check the revision ID of the stepping.

Idk, if this were so then maybe this presents a problem with the manufactures if they enable it in BIOS and some end users have AES-NI and some don't for the same systems with earlier 2630QM and later 2630QM. Of course I'm only speculating here.

 

My ASUS N53SV-XE1 came with AES-NI disabled. After flashing the modded bios image provided by carlicious on this page it is now enabled. I´ll post later a screenshot of my computer running the truecrypt benchmark.

The notebook came with the "new revision" 2630qm (i read this revision fixed some bug). Bought it May/2011.