The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    AES-NI support in TrueCrypt (Sandy Bridge problem)

    Discussion in 'Windows OS and Software' started by Skywise, May 31, 2011.

  1. abujafar

    abujafar Notebook Evangelist

    Reputations:
    56
    Messages:
    362
    Likes Received:
    199
    Trophy Points:
    56
  2. carlicious

    carlicious Notebook Enthusiast

    Reputations:
    22
    Messages:
    24
    Likes Received:
    1
    Trophy Points:
    6
    Please read the entire thread (or at least the summary on page 19). Some models, among them the N53SV, explicitly disable AES in the BIOS (it is said to be due to export regulations). The latest N53SV BIOS already has an AES-capable microcode bundled so you won't get anywhere with this.
     
  3. abujafar

    abujafar Notebook Evangelist

    Reputations:
    56
    Messages:
    362
    Likes Received:
    199
    Trophy Points:
    56
    Ok, now I get it. I am very disappointed in Asus. We should go and ask for a refund. Nobody told me they disabled something. And by the way you can still use TrueCrypt without AES, this is really nonsense.
     
  4. Necroman

    Necroman Notebook Guru

    Reputations:
    0
    Messages:
    52
    Likes Received:
    0
    Trophy Points:
    15
    I've just updated my BIOS in N53SN using the modded file from carlicious and it worked like a charm. Thanks a lot :)
    Proof, before: [3 images]
    After: [3 images]
     
  5. ankhazam

    ankhazam Notebook Consultant

    Reputations:
    15
    Messages:
    111
    Likes Received:
    0
    Trophy Points:
    30
    There are thousands of us, disappointed and deceived customers... Luckily we got Carly, who did the job as it should be done.
     
  6. WWFDoink

    WWFDoink Newbie

    Reputations:
    0
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    5
    I've tried carlicious's modded BIOS and it works fine on my N53SN-SZ013.
    Thanks for your help!

    [image]
     
  7. Dufus

    Dufus .

    Reputations:
    1,194
    Messages:
    1,336
    Likes Received:
    548
    Trophy Points:
    131
    AES-NI helps accelerate the software that does the encryption. AFAIK it is the software itself that does the encryption and would be under export regulations, if any, and not the AES-NI HW instruction.

    Note that where they claim this is a restriction the desktops get to use AES-NI regardless.
     
  8. abujafar

    abujafar Notebook Evangelist

    Reputations:
    56
    Messages:
    362
    Likes Received:
    199
    Trophy Points:
    56
    Is it possible to force WinFlash even if the battery is not plugged in? (I know it is safer) Some switch like /nodate
     
  9. Oliviakrk

    Oliviakrk Notebook Guru

    Reputations:
    0
    Messages:
    62
    Likes Received:
    0
    Trophy Points:
    15
    Meaning? Does it enable AES-ni? Or prevents from doing it?
     
  10. abujafar

    abujafar Notebook Evangelist

    Reputations:
    56
    Messages:
    362
    Likes Received:
    199
    Trophy Points:
    56
    Meaning that the microcode is updated enough to support it but ASUS has manually disabled it.
     
  11. Oliviakrk

    Oliviakrk Notebook Guru

    Reputations:
    0
    Messages:
    62
    Likes Received:
    0
    Trophy Points:
    15
    Thanks. I wrote to Asus support in my country (Central Europe). Will see how they explain why it was disabled in the first place.
     
  12. ankhazam

    ankhazam Notebook Consultant

    Reputations:
    15
    Messages:
    111
    Likes Received:
    0
    Trophy Points:
    30
    Don't worry, they won't :D They will just tell You your case has been escalated by AsusTek Taiwan and afterwards tell You they won't enable it because: No.
     
  13. Oliviakrk

    Oliviakrk Notebook Guru

    Reputations:
    0
    Messages:
    62
    Likes Received:
    0
    Trophy Points:
    15
    Will see. Maybe they will do something.
     
  14. ankhazam

    ankhazam Notebook Consultant

    Reputations:
    15
    Messages:
    111
    Likes Received:
    0
    Trophy Points:
    30
    Tried via asus.com, refused
    Tried at retailer, refused
    Tried to RMA, they did not even make it a RMA case, refused.

    Use what Carlicious prepared.
     
  15. ninaapp

    ninaapp Newbie

    Reputations:
    0
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    5
    I guess we better boycott their products to teach them a lesson?! LOL.. I have more than 40k friends & followers on social networks.. I will do my best, you too guys!.....
     
  16. carlicious

    carlicious Notebook Enthusiast

    Reputations:
    22
    Messages:
    24
    Likes Received:
    1
    Trophy Points:
    6
    I don't see how this would benefit anyone. If you want to boycott anything, boycott the US with their stupid export regulations. Intel states there exists no such thing as licensing fees for AES-NI so there is no financial reason for ASUS not to enable it. Still they don't enable it because of the hypocritical US export regulations, not because they simply want to piss off their customers. They have absolutely no interest in doing that.
     
  17. Teerex

    Teerex Notebook Geek

    Reputations:
    24
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    15
    That's exactly what they ''told'' me, first by not answering, then hooking me up with their local representative, who didn't have a clue, who raised it to Taiwan and relayed to me the word from Taipei that ''specs don't change. period''. Five days later, new BIOS comes up for my model (N73SV). Flash, computer goes off. I fire it up. AES-NI enabled, working.

    The truth of the matter is - they have no effin clue.

    That said, you have carlicious here. He has a clue.

    Btw, I'm in Central Europe too.
     
  18. abujafar

    abujafar Notebook Evangelist

    Reputations:
    56
    Messages:
    362
    Likes Received:
    199
    Trophy Points:
    56
    I am reporting here the answer I just received from Asus.

    That said, I am going to flash carlicious' firmware.
     
  19. Laths

    Laths Notebook Enthusiast

    Reputations:
    7
    Messages:
    26
    Likes Received:
    2
    Trophy Points:
    6
    I've already updated my N53SN BIOS to 208, so Carlicious' modded BIOS is detected as "old" by WinFlash and it does not let me upgrade to the modded one.

    Any solutions?
     
  20. ankhazam

    ankhazam Notebook Consultant

    Reputations:
    15
    Messages:
    111
    Likes Received:
    0
    Trophy Points:
    30
    Go to the WinFlash installation folder from the command line (preferably in administrator mode) and run it using winflash.exe /nodate
     
  21. Laths

    Laths Notebook Enthusiast

    Reputations:
    7
    Messages:
    26
    Likes Received:
    2
    Trophy Points:
    6
    Thanks, it worked! Now it's successfully enabled.
     
  22. ninaapp

    ninaapp Newbie

    Reputations:
    0
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    5
    @carlicious
    thank you so much for the awesome mod.. aes-ni is now enabled on my n53sn. :)
     
  23. Teerex

    Teerex Notebook Geek

    Reputations:
    24
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    15
    That answer is just pure nonsense written in legalese.
     
  24. zooropa

    zooropa Newbie

    Reputations:
    9
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    5
    carlicious: thanks for the G73SW BIOS, I will try it. Any idea how hyperthreading can be disabled on this laptop? I played with the EFI shell but could not find the relevant vars. Also, I couldn't find the AMIBCP that works with this generation of BIOSes.
     
  25. Skywise

    Skywise Notebook Consultant

    Reputations:
    4
    Messages:
    213
    Likes Received:
    3
    Trophy Points:
    31
  26. Teazle

    Teazle Notebook Enthusiast

    Reputations:
    2
    Messages:
    21
    Likes Received:
    0
    Trophy Points:
    5
    Skywise, any chance we could get an update of the first post to reflect recent findings?
     
  27. zooropa

    zooropa Newbie

    Reputations:
    9
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    5
    Thanks Skywise, I know how to set the affinity in Windows and Linux. I'm looking for a way to disable hyperthreading in BIOS.
     
  28. K41H

    K41H Notebook Enthusiast

    Reputations:
    0
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    5
    OK I got it. Thank you everybody! Special thanks to carlicious you are so great and so kind!

    I recently bought this cheap laptop from a small OEM brand, the model is called K41H with SNB CPU 2410M.
    After I heard about the AES-NI "processor configuration" thing I was excited, but it turned out the support doesn't understand what I'm talking about, and they don't even provide BIOS updates to end users! (They did update their BIOS, once, to their "geniuses")

    Then this whole thread gave me new hope. I found I was in a similar situation to JoZy: MSR is not locked but the microcode update is a poor rev 12.

    carlicious's summary is really magic. Every step is clear and right.
    After successfully unlocking AES-NI on Linux (my MSR[0x13C] is 0) I went on to mod my BIOS. Turns out the 2410M shares the same CPUID, hence the same microcode update, with the 26x0QM. And I have an AMI Aptio (EFI) BIOS but the phoenixtool works fine, while amitool failed hard.

    Now TrueCrypt can do AES at 1.3G/s, half the cores half the speed I guess :) I'm so satisfied with this. A neat victory :)

    Thank you everybody! Especially carlicious and Dufus! You two are HEROES!

    P.S. I don't think anybody else here has the same model laptop, so I don't intend to attach the mod here. If anybody needs it feel free to PM me. But flash at your own risk :)

    Edit: if the microcode is updated by the Linux OS, MSR is 0. If updated by the BIOS, MSR is 1.
     
  29. dkinsano

    dkinsano Newbie

    Reputations:
    0
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    5
    Hello, I would like so much to enable AES-NI instructions on that BIOS, but I can't find the microcode section. If anyone can help me I would be pleased.

    -Motherboard Manufacturer and Model : CCE 745B
    -Bios Revision : 1.9A
    -Bios Type : Phoenix Securecore Tiano
    -Bios Link: Download 19_SLIC2.rar from Sendspace.com - send big files the easy way

    Thank you
     
  30. Dufus

    Dufus .

    Reputations:
    1,194
    Messages:
    1,336
    Likes Received:
    548
    Trophy Points:
    131
    Microcode updates can be found at the start of firmware volume 2 (offset 0x1D0000). There are six, families 206A1-206A7.
     
  31. Necroman

    Necroman Notebook Guru

    Reputations:
    0
    Messages:
    52
    Likes Received:
    0
    Trophy Points:
    15
    Now this is really interesting - according to Intel specs Core-i5 2410M does not support AES-NI at all, but you said the BIOS trick worked for you :confused:

    Intel® Core™ i5-2410M Processor (3M Cache, 2.30 GHz)

    My guess is the same situation was with the Core-i7 2630QM: it had the support for AES-NI from the beginning, but they "admitted" it in the specs a few months after the release... Strange indeed.
     
  32. K41H

    K41H Notebook Enthusiast

    Reputations:
    0
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    5
    I think they "admitted" it in another way, at bottom of the spec page they wrote:

    "Some products can support AES New Instructions with a Processor Configuration update, in particular, i7-2630QM/i7-2635QM, i7-2670QM/i7-2675QM, i5-2430M/i5-2435M, i5-2410M/i5-2415M. Please contact OEM for the BIOS that includes the latest Processor configuration update."

    I assume "Processor configuration update" means "microcode update". I guess you are right, the microcode shipped with those SKUs disabled AES-NI, some days later Intel changed their mind and mercifully released a new microcode update to unlock it. But they forgot to change my spec page :p

    It will be more interesting if a certain 2310M unlocked AES-NI though, since nowhere did Intel "admit" it.

    Anyway, it's cool I get bonus feature from Intel, for free, after months of usage. Definitely the first time in my life. Huge satisfaction XD
     
  33. K41H

    K41H Notebook Enthusiast

    Reputations:
    0
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    5
    I wonder how every brand reacts to the BIOS update, so I've done some digging.
    Here's an incomplete and inaccurate summary of the AES-NI support status of various brands:


    Brands (quietly) add support by releasing new BIOS:
    HP (despite support contact denied it)
    TOSHIBA
    FUJITSU
    Apple (by releasing new efi firmware or Lion or both. Anyway it's working)
    DELL (BIOS update to SNB notebooks unlocks AES-NI without notice. However one BIOS upgrade on a certain server disabled AES-NI last year, which leads thome to discover the undocumented MSR for controlling AES-NI.)
    MSI (one tech support kindly pointed out we need microcode rev 1A or higher)
    Acer
    ThinkPad

    No official support case yet:

    Lenovo
    At least one model has the microcode update but deliberately disables the feature, which gives us some initial workaround focusing on MSR 0x13c

    my white brand NB OEM by Wistron
    They do not update microcode in BIOS. They do not release new BIOS to end users. They hardly even make new BIOS. Story end :eek:

    Asus
    Hottest here on this post. Situation is different from model to model. Supports all over the world give different excuses not to enable it. Some models get MSR blocking, some don't get the new microcode update, no NB gets AES-NI enabled, except N73SV for now.
    Once they sent one BIOS to one customer which enabled it. Later they claimed it's beta and the BIOS was sent by mistake. Newly released BIOS of that model still disables it.


    *********************
    I'm sure I've made a lot of mistakes. :eek: Please correct me. I'll edit this post later. Thank you :D
     
  34. Teerex

    Teerex Notebook Geek

    Reputations:
    24
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    15
    Asus N73SV:
    hw64asus.JPG
     
  35. ankhazam

    ankhazam Notebook Consultant

    Reputations:
    15
    Messages:
    111
    Likes Received:
    0
    Trophy Points:
    30
    Yeah Teerex we remember, however passing that as an argument for Asus to enable it on other devices (identical N53, just smaller) had no positive result.
     
  36. Teerex

    Teerex Notebook Geek

    Reputations:
    24
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    15
    Yeah, maybe they even did this one unintentionally.

    My ASUS surprised me just the other day. This is what it says on the specs page:
    So, no 5-in-1 or 7-in-1 option, right? So just for the heck of it, I pushed an xD card inside, and hop.. it works. I mean, even their frontpage published specs are iffy.
     
  37. robwicks

    robwicks Newbie

    Reputations:
    0
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    5
    Could you see if you could work your magic on an Asus U56E?
     
  38. Necroman

    Necroman Notebook Guru

    Reputations:
    0
    Messages:
    52
    Likes Received:
    0
    Trophy Points:
    15
    My sister got Acer Aspire 5750G with Core-i5 2410M - can anybody check the latest BIOS, if it contains similar code for enabling AES-NI? :)
    Acer Support: Downloads & Support Documents - Notebook / Aspire / Aspire 5750G

    Edit: I just updated BIOS on that notebook from 1.11 (AES-NI not enabled) to 1.16 and the new BIOS supports AES-NI by default, without any BIOS editing magic - that's so cool :)
     
  39. Lomax1980

    Lomax1980 Newbie

    Reputations:
    0
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    5
    Hi @ all,

    I own an ASUS G74SX notebook with a 2670QM CPU. The NB is great but I actually found out that there is no AES enabled. Tried the step by step explanation by carlicious, but I'm stuck in the middle. Could sb be so kind and make me an AES-enabled firmware for that notebook? The actual link to firmware 2.03 can be found here: ASUSTeK Computer Inc. - Notebooks- ASUS G74SX

    Because I am encrypting all of my data with TrueCrypt, I would appreciate any help. If you have a PayPal account, I would spend some money for an updated firmware.

    Thanks in advance!

    Lomax
     
  40. K41H

    K41H Notebook Enthusiast

    Reputations:
    0
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    5
    @Lomax1980
    I downloaded BIOS 2.03 from that link, and it fits exactly what carlicious described, even the module names are the same. You need both microcode update and MSR unlock.

    I did my best but I can't guarantee you anything. USE THIS MOD AT YOUR OWN RISK:

    Download G74SxAS.203.xdelta3 from Sendspace.com - send big files the easy way

    Edit: above link deleted. Use the working version below:
    Download G74SxAES.bin.xdelta3 from Sendspace.com - send big files the easy way

    It's xdelta3 patch data that represents only those bits modified, so the file is tiny. You need to download xdelta3 and patch the original 2.03 BIOS directly downloaded from ASUS. xdelta3 will verify the BIOS image. If you can't apply the patch, then you should not use it, because this indicates something went wrong so it's too dangerous to flash.

    Hope it works. Good luck~
     
  41. eskaban

    eskaban Newbie

    Reputations:
    0
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    5
  42. mindtripper

    mindtripper Newbie

    Reputations:
    0
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    5
    Hi!

    I merged the files as Lomax1980 explained with xdelta3 (xdelta3.exe -d -s old_file delta_file decoded_new_file) and did a WinHEX compare of the org and new BIOS file. WinHEX shows that there are 15933 difference(s) found. This seems too much or am I missing something?

    Since there are so many differences in the files, I don't dare to update my G74SX BIOS.

    Has anyone successfully enabled AES-NI on G74SX yet?

    Btw: xdelta3 did not complain when patching and WinFlash says it is a valid BIOS file (the new patched one).



     
  43. K41H

    K41H Notebook Enthusiast

    Reputations:
    0
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    5
    The original BIOS image contains microcode update version 15 which is too old to unlock AES-NI, so I've inserted a new version like what @carlicious had done for G73.
    The microcode update data in question is 9kB in size, and will cause some shifts in that data section. In your case a microcode update data for another CPUID is shifted, while the boundary of that data section remains the same.

    So it's common to see 16kB of differences, or even way bigger. I compared the original to the one I modded here on my machine, those two files are actually different in 15933 bytes. The last four bytes are about setting MSR, rest are all about microcodes.
    I'm just saying that you get the modded bios image right, it should work. But I really CAN NOT guarantee you it will work or it won't brick.

    btw, there is indeed another way to unlock this AES-NI feature, which doesn't require a BIOS mod. If you read the entire thread you know all you need to unlock the feature is to load a new version of microcode to CPU every time you boot (if the BIOS microcode version is too old the corresponding MSR lock bit won't kick in), and Intel has a tool for that. It's called "BIOS Implementation Test Suite". It's basically a special version of GRUB2, so you may upload the new microcode before booting into any OS. It's too complicated to cover here, but it won't change anything permanently, if you do it right this method requires no writes to either HDD or BIOS at all (boot from pendrive or CD). The drawback is, if your NB wakes from standby mode, microcode update is gone with AES-NI feature...
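
An added example, not part of any post in the thread: one way to review a patched firmware image before flashing is to group the differing bytes into contiguous regions and check that every region lies where a change is expected. The image below is constructed (64-byte stand-ins for the microcode blobs and a 4-byte stand-in for the MSR-related change), and the function names are hypothetical. It reproduces the effect described above, where inserting one blob into a fixed-size section also makes the data shifted behind it show up as different.

```python
def diff_runs(orig, patched, gap=16):
    """Group differing offsets into runs; differences closer than `gap` bytes merge.

    Each run is [start, end_exclusive, differing_byte_count].
    """
    if len(orig) != len(patched):
        raise ValueError("images differ in size; compare like with like")
    runs = []
    for off, (a, b) in enumerate(zip(orig, patched)):
        if a == b:
            continue
        if runs and off - runs[-1][1] < gap:
            runs[-1][1] = off + 1       # extend the current run
            runs[-1][2] += 1
        else:
            runs.append([off, off + 1, 1])
    return runs


def outside_allowed(runs, allowed):
    """Return the runs not fully inside any (start, end_exclusive) allowed range."""
    return [r for r in runs
            if not any(s <= r[0] and r[1] <= e for s, e in allowed)]


def build_demo():
    """Constructed images: a 256-byte 'microcode section' at offset 32, then a tail."""
    head = bytes(32)
    stock, other, new = b"\x11" * 64, b"\x22" * 64, b"\x33" * 64
    tail_orig = b"\x90" * 28 + b"\x00\x00\x00\x00"
    tail_mod = b"\x90" * 28 + b"\x01\x01\x01\x01"    # stand-in for the 4-byte change
    # Original section: stock update, update for another CPUID, erased padding.
    orig = head + stock + other + b"\xff" * 128 + tail_orig
    # Patched section: new update inserted after the stock one, so the update
    # for the other CPUID shifts by 64 bytes; the section boundary is unchanged.
    patched = head + stock + new + other + b"\xff" * 64 + tail_mod
    return orig, patched


if __name__ == "__main__":
    orig, patched = build_demo()
    runs = diff_runs(orig, patched)
    for start, end, count in runs:
        print("0x%04x-0x%04x  %d bytes differ" % (start, end - 1, count))
    # Only the microcode section (offsets 32..287) is expected to change here,
    # so the 4-byte tail edit is reported for manual review.
    print("outside microcode section:", outside_allowed(runs, [(32, 288)]))
```

A 64-byte insertion shows up as 128 differing bytes in one region, plus the separate 4-byte change, which is the same shape as a 9 kB insertion producing roughly 16 kB of differences.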
     
  44. Dufus

    Dufus .

    Reputations:
    1,194
    Messages:
    1,336
    Likes Received:
    548
    Trophy Points:
    131
    While you can update the microcode after post, even from windows, you should be aware that the BIOS sets things according to how the CPU reports itself, i.e. CPUID and that may be different with different versions of microcode update. Although it's not always necessary, usually it is IMO best to have the microcode update happen early on during BIOS initialization.
     
  45. K41H

    K41H Notebook Enthusiast

    Reputations:
    0
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    5
    Totally agree with you

    BITS actually has tests about BIOS implementation of CPU settings, and some working machines with stock BIOS may already fail on some of them.

    I think update by BITS is even worse than update by OS. I can't imagine what will happen to full disk encryption like bitlocker when NB wakes up from standby and microcode update doesn't get reloaded. Still, it's the only alternative way that I know of, to unlock AES-NI for Windows.
     
  46. mindtripper

    mindtripper Newbie

    Reputations:
    0
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    5
    @K41H thanks for your response!

    I've applied the patched .203 BIOS to my G74SX and it didn't brick my machine :)
    But it also did not enable AES-NI. At least not according to CPU-Z (Attached picture) and TrueCrypt.

    I did some more reading on this post in this thread and found that I have the same CPU as Dufus has gotten working with AES-NI.

    Any idea what the issue could be?

    @K41H - I can send you a link to my modified BIOS file if you have time to bit-compare it to your file?

    /Mindtripper

     


  47. K41H

    K41H Notebook Enthusiast

    Reputations:
    0
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    5
    Oops :eek:
    I'm pretty sure xdelta3 did some decent checks on input and output files, which is my ultra cautious way to make sure the patch suits the specific original BIOS and the patch itself is not damaged. If md5 hash of my modded bios you've just flashed is d68572f3fe3c8e9550a2e75fc2fb92a5 , then xdelta3 is not the problem.

    I think the problem is that I'm too cautious so I put the new microcode update data AFTER the stock one. Maybe the new version of the microcode does not get uploaded this way. Good news is we can see if this is the case, bad news is: putting the new version BEFORE the stock one will cause more different bytes. (around 24k, which IMO is fine)

    CPU-Z doesn't reveal microcode update revision, you need anything like HWiNFO or Intel PIU. If somewhere on the info page it says (uCU) revision 15, then microcode is the cause, and you may try the new mod below; if it says revision 23, do not flash, we may need to check on MSR. Do not confuse this revision number with the one shown on CPU-Z, which is always D2.

    new xdelta3 patch file is here. md5 checksum in the description:
    Download G74SxAES.bin.xdelta3 from Sendspace.com - send big files the easy way

    Hope it works...this time. :)
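
An added example, not part of any post in the thread: a scanner that locates Intel microcode updates inside a firmware image by their 48-byte header, verifies each update's checksum, and lists them in image order, which is what you need to see which revisions an image carries for a given CPUID (Dufus's post) and in what order they sit (the post above). The sample image, its offsets, dates and processor flags are constructed; the function names are hypothetical, and signature matching here ignores processor flags and the extended signature table.

```python
import struct

# Intel microcode update header: nine little-endian dwords + 12 reserved bytes.
HEADER = struct.Struct("<9I12x")
MAGIC = b"\x01\x00\x00\x00"        # header version 1, first dword of every update


def parse_update(image, off):
    """Return a dict describing the update at `off`, or None if it is not one."""
    if off + HEADER.size > len(image):
        return None
    (hdr_ver, rev, date, sig, _cksum, ldr_rev,
     _flags, data_size, total_size) = HEADER.unpack_from(image, off)
    if hdr_ver != 1 or ldr_rev != 1:
        return None
    data_size = data_size or 2000      # zero means the original fixed sizes
    total_size = total_size or 2048
    if total_size % 1024 or data_size % 4 or HEADER.size + data_size > total_size:
        return None
    if off + total_size > len(image):
        return None
    # The date dword is BCD in mmddyyyy order.
    month, day, year = date >> 24, (date >> 16) & 0xFF, date & 0xFFFF
    if not (1 <= month <= 0x12 and 1 <= day <= 0x31 and 0x1990 <= year <= 0x2099):
        return None
    # Integrity rule: all dwords of the update sum to zero modulo 2**32.
    words = struct.unpack_from("<%dI" % (total_size // 4), image, off)
    return {"offset": off, "signature": sig, "revision": rev,
            "date": "%04x-%02x-%02x" % (year, month, day),
            "total_size": total_size,
            "checksum_ok": (sum(words) & 0xFFFFFFFF) == 0}


def scan_image(image):
    """Find every plausible microcode update in `image`, in image order."""
    found, pos = [], 0
    while True:
        pos = image.find(MAGIC, pos)
        if pos < 0:
            return found
        upd = parse_update(image, pos)
        if upd:
            found.append(upd)
            pos += upd["total_size"]   # skip the body of a recognised update
        else:
            pos += 1


def revisions_for(updates, cpuid):
    """Revisions of the updates whose signature equals `cpuid`, in image order."""
    return [u["revision"] for u in updates if u["signature"] == cpuid]


def make_update(sig, rev, date, payload):
    """Build a constructed update with a valid checksum (sample data only)."""
    total = -(-(HEADER.size + len(payload)) // 1024) * 1024
    data = payload.ljust(total - HEADER.size, b"\0")
    def header(cksum):
        return HEADER.pack(1, rev, date, sig, cksum, 1, 0x10, len(data), total)
    dword_sum = sum(struct.unpack("<%dI" % (total // 4), header(0) + data))
    return header(-dword_sum & 0xFFFFFFFF) + data


def build_sample_image():
    """Constructed image: erased flash, then two updates for CPUID 206A7."""
    stock = make_update(0x206A7, 0x15, 0x01012011, b"stock" * 100)
    newer = make_update(0x206A7, 0x23, 0x06012011, b"newer" * 100)
    return b"\xff" * 0x400 + stock + newer + b"\xff" * 0x400


if __name__ == "__main__":
    for u in scan_image(build_sample_image()):
        print("0x%06x  cpuid %05X  rev %02X  %s  checksum %s" % (
            u["offset"], u["signature"], u["revision"], u["date"],
            "ok" if u["checksum_ok"] else "BAD"))
```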
     
  48. mindtripper

    mindtripper Newbie

    Reputations:
    0
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    5
    You did it!

    CPU Revision went from 15 to 23 and AES-NI is now working perfectly. I'm one extremely happy camper!
    You have my gratitude for doing this and helping me achieve this goal.

    This means that with K41H's xdelta3 file and ASUS .203 BIOS anyone with G74SX can enable AES-NI.

    Any tips on how to do this oneself with future BIOS upgrades from ASUS? Or is carlicious's checklist complete?

    /Mindtripper


     
  49. K41H

    K41H Notebook Enthusiast

    Reputations:
    0
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    5
    I'm so glad it's working :cool:

    If you want to do it yourself, just follow carlicious's posts and you'll be fine. Give it a try :D
     
  50. bsp01

    bsp01 Newbie

    Reputations:
    0
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    5
    Anyone have any info on the HP Elitebook 8560w? Apparently they too didn't enable AES-NI and none of the BIOS updates do it.
     