Precision M6700 GPU upgrade (K5000M to M5000M)

Discussion in 'Dell Latitude, Vostro, and Precision' started by Aaron44126, Jul 18, 2017.

  1. Aaron44126

    Sign your own modified NVIDIA drivers

    I patched together some online instructions, and with a little trial-and-error, learned how to sign my own modified NVIDIA drivers. (Modifications to the INF file are needed in order to install "unsupported" GPUs, for example, the M5000M in my Precision M6700.)

    The motivation for this is, I don't want to have to run with "test mode" on (I prefer to stick with the default Microsoft policy of not allowing unsigned drivers by default), so that means that I have to reboot twice in order to update the NVIDIA drivers. (To get into "allow unsigned drivers" mode and then back out again.) So, I'm just looking to save myself reboots. If you follow this procedure, you can install modified drivers without test mode on and without rebooting to disable driver signing. The first steps to create and install a certificate only have to be completed once, and the last few steps will have to be completed every time you have a new driver to install.


    The tools needed are the Windows 10 SDK, which is available standalone or it can be installed with Visual Studio, and the Windows Driver Kit. I'm going light on the explanation and assuming that you are command-line savvy.

    https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk
    https://docs.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk

    Here are the commands to run to create a certificate. You may need to update the file paths depending on where you want to put stuff (I output everything into a "data\certificate" folder and I extracted the NVIDIA driver to "D:\Temporary\NVIDIA"), and the version of the SDK that is installed (10.0.17134.0 in my case). Also, you should fill in values in [brackets] (and remove the brackets).

    Code:
    "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17134.0\x64\makecert.exe" -r -sv data\certificate\cert.pvk -n CN="[YourCompanyName]" data\certificate\cert.cer -len 4096 -a sha256
    (You will have to enter a password to secure your private key.)

    Code:
    "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17134.0\x64\cert2spc.exe" data\certificate\cert.cer data\certificate\cert.spc
    (Enter your password when prompted.)

    Code:
    "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17134.0\x64\pvk2pfx.exe" -pvk data\certificate\cert.pvk -spc data\certificate\cert.spc -pfx data\certificate\cert.pfx -po [PFXpassword]
    (Enter your password when prompted. The PFX password can optionally be different than the private key password.)

    Now, import your certificate into the Windows certificate store. You can do this just by double-clicking on the PFX file that has been created. You'll have to do it twice, once to get the certificate into the local machine trusted root certificates store, and once to get the certificate into the local machine trusted publishers store. (You need to select the option to manually choose the store to put the certificate into, and you will need to enter the PFX password both times.)

    Once that is done, you can create and sign the NVIDIA driver catalog file. Do this after you have modified the driver INF file.

    Delete the file nv_disp.cat.

    Code:
    "C:\Program Files (x86)\Windows Kits\10\bin\x86\inf2cat.exe" /driver:"D:\Temporary\NVIDIA\Display.Driver" /os:10_RS4_X64 /verbose
    This creates a new nv_disp.cat. (Note the OS version, inf2cat.exe /? will output a list of the choices for OS version.)

    Code:
    "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17134.0\x64\signtool.exe" sign /f data\certificate\cert.pfx /p [PFXpassword] /t http://timestamp.verisign.com/scripts/timstamp.dll /v D:\Temporary\NVIDIA\Display.Driver\nv_disp.cat
    If you did everything right, you should be able to right-click on "nv_disp.cat" and go to the digital signatures tab, and you will see a signature from the company name that you set up. If you click on "Details" then it should say "The digital signature is OK."

    Now, you should be able to install the driver without "test mode" turned on and without booting up in "disable digital signature check" mode. For future updates, all you have to do is...
    * Apply modifications to the INF file
    * Delete and re-create the CAT file (inf2cat)
    * Sign the CAT file (signtool)

    This can be scripted for a one-step modify-and-sign command.



    [Edit]
    Thinking through this, the fact that this is possible seems to totally break the requirement that drivers be signed? There's no reason that a malicious process couldn't automatically and silently execute all of these steps to install a nefarious driver. The only thing really needed is Windows administrator elevated permissions. Oh well...
     
    Last edited: Sep 20, 2018
  2. Aaron44126

    I was messing with an unrelated custom driver thing today... Turns out that Windows will accept modified INF files signed this way, but SYS files must be signed by Microsoft in order to be accepted (without either turning on test signing or using the "disable driver signature enforcement" boot option). So... Seems safe, no way to silently bypass the signature check for modified kernel-mode code.
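
A defender-side check for the trust-store state this thread's procedure creates (one self-signed certificate imported into both the local machine trusted root and trusted publishers stores). This is an added example, not part of any post in the thread; the function names are hypothetical, and the last step scans the driver store folder for catalogs signed by any certificate it finds.

```powershell
# Added example (not from the thread). Function names are hypothetical.
# Finds self-signed certificates trusted both as a root CA and as a publisher
# on this machine, which is the state the double PFX import creates.
function Get-SelfSignedTrustedPublisher {
    param(
        [string]$PublisherStore = 'Cert:\LocalMachine\TrustedPublisher',
        [string]$RootStore      = 'Cert:\LocalMachine\Root'
    )
    # Index root-store thumbprints for fast membership checks.
    $rootIndex = @{}
    foreach ($c in Get-ChildItem -Path $RootStore) { $rootIndex[$c.Thumbprint] = $true }

    foreach ($cert in Get-ChildItem -Path $PublisherStore) {
        if ($cert.Subject -eq $cert.Issuer -and $rootIndex.ContainsKey($cert.Thumbprint)) {
            [pscustomobject]@{
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                # True means the signing key itself is stored on this machine.
                HasPrivateKey = $cert.HasPrivateKey
            }
        }
    }
}

# Lists catalog files under a folder whose signer is one of those certificates.
function Find-CatalogSignedBy {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string[]]$Thumbprint
    )
    Get-ChildItem -Path $Path -Recurse -Filter *.cat -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.SignerCertificate -and $Thumbprint -contains $sig.SignerCertificate.Thumbprint) {
                [pscustomobject]@{
                    Catalog = $_.FullName
                    Status  = $sig.Status
                    Signer  = $sig.SignerCertificate.Subject
                }
            }
        }
}

$suspect = @(Get-SelfSignedTrustedPublisher)
$suspect | Format-List
if ($suspect.Count -gt 0) {
    Find-CatalogSignedBy -Path "$env:SystemRoot\System32\DriverStore\FileRepository" -Thumbprint $suspect.Thumbprint | Format-Table -AutoSize
}
```

Removing a listed certificate from both stores withdraws the trust once the modified driver is no longer needed.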
     
  3. Ionising_Radiation

    Once we have done the initial certificate creation, all we need from the Windows 10 SDK and the WDK are the two 32-bit executables, inf2cat.exe and signtool.exe, correct? Are there any other dependencies, or can we copy out those executables and uninstall the rest?
     
  4. Aaron44126

    I haven't tried just extracting the executables but it might work fine, give it a try and let me know... :p
    Also check the expiration date of your certificate. I made mine really long (80 years) but I think the default is 1 year. If you have a 1-year certificate you will have to recreate it periodically. When I have a chance I'll try to update the directions above to produce a long one.
     
  5. Aaron44126

    Finally got around to following up on this. It looks like, by default, if you follow the commands I gave above you will end up with a certificate that expires on December 31, 2039. You can double-click on the .cer file and it will open up for viewing, and you can see the expiration date. If you would like to change the expiration date, you can pass the parameters "-e <mm/dd/yyyy>" to makecert.exe. After the certificate expires, it can't be used to sign things anymore so you will have to create a new one. But as long as you set the expiration further out than you think you will need it, you can get rid of all of the stuff except for inf2cat.exe and signtool.exe (assuming that they can be run standalone, I haven't tried myself) and be fine.

    One other note. inf2cat.exe asks for the version of Windows when you run it (/os:10_RS4_X64 in my example above). Probably it won't matter too much if you never change this, but Microsoft does dump out semi-annual Windows releases now and there's no telling when they could change... anything, so it would probably be good to pull a new copy of inf2cat.exe from time to time and update the OS version passed to the inf2cat.exe command to whatever the latest is.
     
  6. Ionising_Radiation

    Thanks for the update.

    I also tried extracting out the executables to another folder. signtool.exe works fine, but Inf2Cat.exe doesn’t, and complains about missing dependencies when run from another location.

    Apparently Inf2Cat.exe requires something within the original Windows Kits folder. I’d like to track that down, because it seems a pity to keep a giant several gigabyte-large several-thousand-file library on disk just for a couple of executables.
     