The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    AES-NI support in TrueCrypt (Sandy Bridge problem)

    Discussion in 'Windows OS and Software' started by Skywise, May 31, 2011.

  1. Dufus

  2. bsp01

    If only it were so simple. I've never had to deal with HP support, but man, what a clueless waste of time they are. Everyone I've talked to tells me that I have to enable it on my router. Then I have to go and send links and whatnot to get them to understand about BIOSes, firmware, processors/chipset... it's insane.
     
  3. Dufus

    Maybe their strategy is to make sure you're routed. lol.

    Have you checked which microcode update you're using and the MSR value? Details of how to are in previous posts.
     
  4. bsp01

    Tried to read it in CrystalCPUID and it seems to be zero.
     
  5. Dufus

    Can you check your microcode version? Looking at your BIOS, it has 3 different versions for the same family 206a7, of 14, 12 & 18.

    What CPU do you have? If it's 2630 then I think the BIOS with pre-1A microcode will skip setting that MSR, and that is maybe why it is reading 0. If you insert a microcode update of 1A or greater, then that MSR will be set to 3, disabling AES-NI, so it looks like both parts need modding.
     
  6. bsp01

    Hmm.. this is all kind of black art to me, but the CrystalCPUID tool says it's an i7-2630QM (original oem), Microcode ID: 18, family 6/6, model a/2a, stepping 7/7. Not sure what much of that means.
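
Added example (not part of the original thread): the "family 206a7" Dufus mentions and the "family 6/6, model a/2a, stepping 7/7" that bsp01 reads from CrystalCPUID are the same CPUID signature, which the decode below shows. Function names and the ECX sample values are constructed, and the MSR bit layout is an assumption taken from Intel's documented AES configuration field (MSR_FEATURE_CONFIG, bits 1:0), presumed to be the MSR the thread means.

```python
"""Decode the CPU identification values discussed in the thread.

Editorial example, not code from the thread. Function names are
illustrative and the sample ECX values are constructed.
"""

AESNI_ECX_BIT = 25  # CPUID leaf 1, ECX bit 25 reports AES-NI


def decode_signature(eax: int) -> dict:
    """Split a CPUID leaf-1 EAX signature into family/model/stepping."""
    stepping = eax & 0xF
    base_model = (eax >> 4) & 0xF
    base_family = (eax >> 8) & 0xF
    ext_model = (eax >> 16) & 0xF
    ext_family = (eax >> 20) & 0xFF

    # Extended family only applies to base family 0xF; extended model
    # applies to base families 0x6 and 0xF.
    family = base_family + ext_family if base_family == 0xF else base_family
    if base_family in (0x6, 0xF):
        model = (ext_model << 4) | base_model
    else:
        model = base_model
    return {
        "base_family": base_family, "family": family,
        "base_model": base_model, "model": model,
        "stepping": stepping,
    }


def cpuid_reports_aesni(ecx: int) -> bool:
    """True when the AES-NI feature bit is set in CPUID.01H:ECX."""
    return bool((ecx >> AESNI_ECX_BIT) & 1)


def aes_config_state(msr_value: int) -> dict:
    """Assumed layout: bit 0 = lock, bits 1:0 == 11b = AES off until reset."""
    low = msr_value & 0b11
    return {"locked": bool(low & 0b01), "aes_disabled": low == 0b11}


def summarize(eax: int, ecx: int, msr_value: int) -> str:
    """One-line report in the base/display style CrystalCPUID uses."""
    sig = decode_signature(eax)
    ident = (f"family {sig['base_family']:x}/{sig['family']:x}, "
             f"model {sig['base_model']:x}/{sig['model']:x}, "
             f"stepping {sig['stepping']:x}")
    if cpuid_reports_aesni(ecx):
        verdict = "AES-NI reported by CPUID"
    elif aes_config_state(msr_value)["aes_disabled"]:
        verdict = "AES-NI hidden: MSR low bits are 11b (disabled until reset)"
    else:
        verdict = "AES-NI not reported, and the MSR shows no firmware disable"
    return f"{ident}: {verdict}"


if __name__ == "__main__":
    # 0x206A7 is the signature from the thread; ECX values are constructed.
    print(summarize(0x206A7, 0x1DBAE3FF, 3))
    print(summarize(0x206A7, 0x1FBAE3FF, 0))
```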
     
  7. K41H

    So HP BIOS does load the newest microcode update instead of the first one it finds...unlike "AES nai(ない which means negative in Japanese)" ASUS
     
  8. dragoworld235

    Yep, it also did it for me.
    My computer is an ASUS G74SX-TZ172V.
    My BIOS was .202 and I flashed it, using the BIOS tool, to the .203 patched with K41H delta.
    CPU-Z and TrueCrypt now say I have AES-NI enabled.
    TrueCrypt benchmark went from 500MB/s to 2.5GB/s.

    Thanks a lot.
     
  9. Dufus

    Maybe, not sure why they would want to include older revisions, seems a bit odd. If you are right then there is space just to tack a newer version such as 0x25 on the end.

    I haven't touched Insyde for over 2 years now so am a little wary of making changes to a newer BIOS. Without something to test it on this could possibly mean a higher risk of bricking.
     
  10. babovand

    Hello Guys.

    I just flashed the modified BIOS for G74SX with AES "patch" and it works. AES is now enabled.

    I just made an account here to post a little guide, and say big thanks to:
    @carlicious
    @K41H
    @Lomax1980
    and @mindtripper & @dragoworld235 for testing, made me believe this works.

    I will be posting my own modified BIOS too, and also a summary of how you can do it yourself the easy way, the work and instructions from people above.

    I AM NOT IN ANY WAY RESPONSIBLE FOR WHAT HAPPENS WITH YOUR COMPUTER. THIS IS VERY RISKY AND IT IS POSSIBLE TO BRICK YOUR COMPUTER, OR IF SUCCESSFUL IT MAY VOID YOUR WARRANTY.

    Before starting, close all your running applications. The more you close the less chance of a brick. We don't want the flash program to hang during flashing, now do we? And disable your anti-virus software, firewall also if you really want to be on the safe side, also UAC is a plus but not necessary.

    1. Download the latest BIOS from the Asus website (at the time of typing it's version 203).
    2. Download xdelta3 (Downloads - xdelta - open-source binary diff, delta/differential compression tools, VCDIFF/RFC 3284 delta compression - Google Project Hosting) and put it in a folder of your choosing.
    3. The original BIOS file should be in the same folder as the xdelta3 exe file.
    4. Open a command line (cmd) and navigate (cd) to the folder where you have the xdelta3 exe file and the original BIOS.
    5. Download this file below and put it in the same folder as the original BIOS. This is the patch file that we will be using with xdelta3.
    Download G74SxAES.bin.xdelta3 from Sendspace.com - send big files the easy way
    6. (For me, the x64 version of xdelta3.) Type in the command line "xdelta3.0z.x86-64.exe -d -s G74SxAS.203 G74SxAES.bin.xdelta3 G74SxAES.203" without the ".

    Now there is a new file in your folder: G74SxAES.203. This is the new AES-modified G74SX BIOS. The MD5 should be 79F2137930031EA25814CBC1E3298738; this is very important to check, or you may flash a faulty BIOS and brick your G74SX.

    How To flash

    Download Winflash from Asus.com
    ASUSTeK Computer Inc. - Notebooks- ASUS G74SX
    Windows BIOS Flash Utility
    365,07 (KBytes) 2011.01.05 update

    In the command line (again) navigate to C:\Program Files (x86)\ASUS\WinFlash or wherever you installed WinFlash.
    Type "winflash /force /nodate" without the ". WinFlash should start now; select your new G74SxAES.203 and you will be able to flash it. Make sure WinFlash can identify the new BIOS file. If WinFlash doesn't start, remove /force and just keep /nodate.

    Here is my BIOS that I flashed to enable AES.
    MEGAUPLOAD - The leading online storage and file delivery service

    Now flash, exit, and start up the computer. And now AES is enabled.

    Good luck, and credits go to the people listed above.
     
    Last edited by a moderator: May 8, 2015
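
Added example (not part of babovand's post): a gate that hashes the patched image and reports a mismatch against the MD5 quoted in the guide above, so a bad xdelta3 output is caught before it reaches the flash tool. Function names are illustrative; an MD5 published next to the download only detects a corrupted or mis-patched file, so the script also prints SHA-256 for comparison against a value obtained independently.

```python
"""Verify a patched BIOS image against a published digest before flashing.

Editorial example; function names are illustrative, not from any tool.
"""
import hashlib
import hmac
import string
import sys

# MD5 quoted in the guide for the patched G74SX 203 image.
EXPECTED_MD5 = "79F2137930031EA25814CBC1E3298738"


def normalize_digest(text: str, hex_len: int = 32) -> str:
    """Strip whitespace, lower-case, and reject anything that is not hex."""
    cleaned = "".join(text.split()).lower()
    if len(cleaned) != hex_len or any(c not in string.hexdigits for c in cleaned):
        raise ValueError(f"expected {hex_len} hex characters, got {text!r}")
    return cleaned


def file_digests(path: str, algorithms=("md5", "sha256")) -> dict:
    """Hash the file once, in 1 MiB chunks, with every requested algorithm."""
    hashers = {name: hashlib.new(name, usedforsecurity=False)
               for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def verify_image(path: str, expected_md5: str = EXPECTED_MD5):
    """Return (matches, digests) for the image at `path`."""
    expected = normalize_digest(expected_md5)
    digests = file_digests(path)
    return hmac.compare_digest(digests["md5"], expected), digests


if __name__ == "__main__":
    image = sys.argv[1] if len(sys.argv) > 1 else "G74SxAES.203"
    ok, digests = verify_image(image)
    print(f"MD5     {digests['md5']}")
    print(f"SHA-256 {digests['sha256']}")
    print("MATCH: image equals the published MD5" if ok
          else "MISMATCH: do not flash this file")
    sys.exit(0 if ok else 1)
```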
  11. robwicks

    Asus updated the BIOS to version 213, which adds AES-NI support. Truecrypt benchmark went up 5x!
     
  12. djjonastybe

    [​IMG]

    Probably it is present in one of these files. I don't know yet which one it is.
     
  13. carlicious

    The section you need to take a look at is definitely 2BB5AFA9-FF33-417B-8497-CB773C2B93BF_1_403.
    If you are unsure about the instruction to patch, just upload 2BB5AFA9-FF33-417B-8497-CB773C2B93BF_1_403.ROM somewhere and I'll take a look at it.
     
  14. rifle2000

    Hi everyone... just to inform...
    I had the same problem with AES despite a newer proc (i7 2670QM). I took carlicious's approach and everything worked fine.
    I got X73SV but I looked at K73SV BIOSes and they are the same, so this should work on K/X73SV.

    I didn't attach the fixed BIOS because of its size, but I'll send it to anyone who wants it. Just send me an email.
     
  15. jnexus77

    Thank you, but Winflash does not let me flash it; it says the BIOS file is older than the one that is used at the moment and won't let me flash it. (In the details it has the same date as the other 205 BIOS I have on there.)

    Is there a workaround?


    (I have a G73SW-TZ264V Notebook.)
     
  16. Teazle

    Use command prompt, winflash.exe /nodate filename
     
  17. jnexus77

    Thank you so much, it works!!
     
  18. Rawi

    Has any of you tried flashing a modded BIOS while having the entire HDD encrypted by TrueCrypt?
    I don't know whether I should decrypt first or whether I can flash the BIOS regardless of HDD encryption.
     
  19. ankhazam

    it won't work, place the bios file on a pendrive.
     
  20. Rawi

    But WinFlash flashes directly from Windows, doesn't it?
     
  21. jnexus77

    For me it worked with winflash, my hdd was encrypted with truecrypt at that point.
     
  22. Rawi

    I flashed modded N53SN v208 bios and it worked! :D
    Thank you very much ! :)
     
  23. carlicious

    I have to inform you all that abujafar has spotted an update for the N53SV bios on the ASUS website (version 215). I just disassembled it and it's different from 214 (it seems to enable AES when a certain variable is set). Also the download page states "new instruction support". So I just went ahead and flashed it without modification and the bios setup now lets me enable AES. In fact, it's enabled by default. Guess they gave up on bothering us :D
     
  24. abujafar

    hell yeah!
     
  25. ankhazam

    waiting for the same for N53SN then ;)
     
  26. Oliviakrk

    That would be great.
     
  27. dragoworld235

    No new bios yet for the g74sx.
     
  28. nebulus

    New BIOS update (2.09 with AES-NI support) for N53SN is out. And just as with SV model AES-NI was enabled by default.
     
  29. Necroman

    Confirmed, AES-NI working as expected on my N53SN with the latest BIOS.
    Btw. what's the current status, which notebooks still don't have AES-NI enabled and should have?
     
  30. rifle2000

    Hi,
    I managed to modify my BIOS and enable AES, but officially there is still only the old BIOS 210 with blocked AES for the K73 and X73.
     
  31. Archdean

    Would someone please explain the real-world effects of having AES-NI enabled? What will I see different in everyday use? I have one of the first N53SV-A1 BIOS 214 and love it, but hesitate to update the BIOS just for this purpose without knowing the benefits.

    Thanks for taking the time to answer my question.

    Dean
     
  32. nebulus

    It's quite useful for AES encryption as you'll get hardware acceleration. 6-7x speedup (2.5 GB/s vs something under 400 MB/s in TrueCrypt), which is obviously a plus if you do a full disk encryption.
     
  33. Archdean

    Ok, thanks. Since I don't encrypt anything with this notebook, are there any other good reasons or any other programs/functions that will benefit?
     
  34. nebulus

    If you don't encrypt then no.
     
  35. carlicious

    Not entirely true. There are benefits when using SSL (https) and some types of VPN. Also some DRM implementations rely on AES. Perhaps the most important benefit is wifi security. In WPA2, AES is used to encrypt traffic.
    These are just some typical examples. There are many, many more.
     
  36. nebulus

    Well, of course, anything that has to do with AES will benefit from AES-NI instructions. But will AES-NI give you noticeable effects in those examples that you just listed? I'm guessing this is the question that he is trying to get an answer to and see if the benefits outweigh the risk of accidentally bricking the BIOS chip. And I don't think web surfing really cuts it here.
     
  37. formerglory

    In my experience, full disk encryption with vs without AES-NI is noticeable. I've used TrueCrypt on various computers for years now, and maybe it's just me, but my T420 (i7-2620M) experiences no slowdown or overhead, since it has AES-NI. Compared with earlier Core 2 Duo models, I do notice the difference (with HDDs, definitely, not as much with SSDs).

    If you plan on encrypting your entire drive, then AES-NI is the way to go. Yes, it has other functions (VPN, WiFi, etc) as listed above, but the big deal is full disk encryption.
     
  38. Teerex

    I doubt AES-NI is useful (and used) for anything other than the applications specifically coded to take advantage of its presence (e.g. TrueCrypt, BitLocker).

    Browsers don't belong to this category. As for WPA2, I think that the adapter itself is tasked with encryption (as, for example, is the wireless router on the other end).
     
  39. rifle2000

    Of course everything that uses AES encryption will be sped up with AES hardware acceleration. Even if you are encrypting the whole disk, present processors will be enough to encrypt/decrypt on the fly (not SSD disks), but with hardware acceleration it takes less processor load, so it doesn't slow down other processes.
     
  40. Teerex

    No it won't. As with other instruction sets (SSE, AVX, MMX) only the applications that actually use AES-NI in code will take advantage of it.
     
  41. carlicious

    Not true. Nearly all applications employing AES don't use their own implementation but instead consult either the MS crypto API, OpenSSL or some other crypto library. Almost all of these will take advantage of AES-NI if available.

    Also not true. In contrast to DES, AES is assumed to be implemented in software and therefore not specifically designed to be implemented in hardware. This makes implementing it in hardware more difficult and thus more expensive. There is no wireless chipset I know of capable of offloading AES encryption.
     
  42. nebulus

    So what exactly do Qualcomm Atheros' specs for AR9285, which is also used in AR9002WB-1NG that some ASUS N53s come with, mean by claiming hardware support for AES?
     
  43. Teerex

    Yes, you're right, I apologize for my haughtiness. Starting with Windows 7, and its Crypto API:Next Generation, AES-NI is in use. Apparently all this time I wasn't aware exactly how much of a daily crypto workout my 2630QM was getting. :D

    OpenSSL supports it too.

    I haven't sourced this part yet, but judging from my experience above, I suspect you're right here too. :notworthy:
     
  44. Archdean

    I'm glad I asked the question, I think :confused:
    Actually I don't even use the WiFi as I have it hardwired on my bedstand. So it appears from your lively discussions I will not see any improvement in updating my BIOS to 215, as one brick with this otherwise great laptop was one too many!!

    Thanks again,
    Dean
     
  45. carlicious

    In fact I was wrong and nebulus was right. Some wifi chipsets do in fact offload encryption. Among them is the Atheros AR9285, which is used in many ASUS laptops. I didn't know this for a fact because I do my routine work on Linux and I haven't spotted support for offloading encryption in almost all of the Linux drivers.

    Anyway, I would recommend anyone eligible for an update which enables AES to update, because it is definitely worthwhile in my opinion. Most BIOS updates don't offer such an improvement in performance, if any at all. The risk of bricking your laptop when flashing a BIOS is grossly exaggerated if you ask me. I've never seen it go wrong when using a BIOS supplied by the manufacturer.
     
  46. nebulus

    Update also fixes the boot issue among the things. And as carlicious has noted several crypto libraries (CNG, OpenSSL, NSS SSL, etc.) already support hardware acceleration. And there're no cons only pros here, as far as I see.

    I feel your pain and hesitation, but let's put it this way: What are the chances you'll brick the chip again? Rather slim, don't you think. Just make sure you flash from BIOS and FAT formatted USB stick (normally they are already FAT32 pre-formatted) and you should be fine.

    EDIT: And also make sure the laptop is plugged in.
     
  47. Rom1_thequich

    I was wondering if AES-NI would be supported by my laptop one day, and finally it is :)

    I have followed the two posts of carlicious (here and here) and I have successfully updated (on DOS with AFLASH2) my Asus G53SW.

    The modified BIOS can be found here: G53WAS_AES.203
    It is based on the only bios for G53SW (203) on Asus website.

    A big thanks to all of you, particularly carlicious :notworthy:

    TrueCrypt AES 473MB/s -> 2,5GB/s
     
  48. kcobra98

    I just received my new Asus U46SM-DS51 and it came with the latest BIOS version 203. AES-NI was already enabled and running great per TrueCrypt and Intel's own identifier software.
     
  49. WWFDoink

    Not so important for me since carlicious's great job, but it looks like Asus heard the noise.

    N53SN:
    BIOS 209
    1.Show system serial number on setup menu
    2.Add CPU AES-NI function support
    3.Update CPU microcode
    4.Fix sometimes system can't boot after press power button.
    5.Update EC firmware
    File Size
    1,06 (MBytes) 2012.02.24 update
     
  50. 6insomnia9

    Could someone reupload the modified BIOS for the G73SW?
     