AES-NI support in TrueCrypt (Sandy Bridge problem)

[carlicious]

Hey guys,
I have just successfully enabled AES-NI on my N53SV (with 2630QM)! This should work on most sandy-bridge laptops with AES-NI disabled.
I'll explain to you how I did it but I have to warn you: these steps are a bit involved. Also THIS IS ENTIRELY AT YOUR OWN RISK.
The idea is based on this pastebin entry describing how to do it on certain lenovo laptops: Unlocking AES-NI on certain Lenovo notebooks models with UEFI (Insyde) firmware - Pastebin.com

Ok, first we need phoenixtool, get it here (I used v1.91): Tool to Insert/Replace SLIC in Phoenix / Insyde / Dell / EFI BIOSes
Second, get the latest BIOS from the asus website (I used v214).

Now we open the bios file using phoenixtool, let it think for a while. Now select manufacturer ASUS and click the 'Advanced' button.
Tick these boxes:
- "Ask prior to each modification"
- "Allow user modification of modules"
- "Always allow user modification of modules"
- "Allow user to modify other modules"
- "Extract modules when verifying"
- "No SLIC"
- "Process all compressed modules (EFI)".
Click Done and click Go.
After a while it will prompt "You can now make manual alterations to any module in the DUMP directory", DON'T click OK yet!

I happened to have MinGW (http://www.mingw.org/), together with MSYS installed on my system. If you read the stuff below and have absolutely no idea what I'm doing, it's actually pretty simple. First I disassemble all binaries, then I look for an instruction containing 0x13c.
I used the MinGW shell to navigate to the DUMP directory and executed the following command:

Code:

for i in *; do objdump -D -b binary -mi386 $i > $i.asm; done

But of course you can also use your favorite disassembler
Next command I used is:

Code:

find . -iname '*.asm' | xargs grep -li 0x13c[^0-9a-f] > interesting_files.txt

Which will create a list of files containing 0x13c (the address where the AES-NI configuration bits are stored)
Next command I used:

Code:

for i in `cat interesting_files.txt`; do echo $i; grep -i 0x13c[^0-9a-f] $i; done

This gives me the following output:

Code:

./2BB5AFA9-FF33-417B-8497-CB773C2B93BF_1_739.ROM.asm
    2448:	bb 3c 01 00 00       	mov    $0x13c,%ebx
./A062CF1F-8473-4AA3-8793-600BC4FFE9A8_1_300.ROM.asm
   1dfd3:	67 66 26 8b 87 3c 01 	mov    %es:0x13c(%bx),%ax

The first file seemed very interesting, hence opening it and jumping to the offset yielded:

Code:

    2448:	bb 3c 01 00 00       	mov    $0x13c,%ebx ; sets EBX to 0x13c
    244d:	53                   	push   %ebx
    244e:	e8 bd 00 00 00       	call   0x2510 ; copies the AES-config to EAX
    2453:	59                   	pop    %ecx
    2454:	8b c8                	mov    %eax,%ecx
    2456:	89 55 dc             	mov    %edx,-0x24(%ebp)
    2459:	83 e1 01             	and    $0x1,%ecx
    245c:	33 d2                	xor    %edx,%edx
    245e:	0b ca                	or     %edx,%ecx
    2460:	75 10                	jne    0x2472 ; Jumps if config is already locked
    2462:	ff 75 dc             	pushl  -0x24(%ebp)
    2465:	83 c8 03             	or     $0x3,%eax ; <== Sets the first two bits of EAX to 1, WE NEED TO PATCH THIS
    2468:	50                   	push   %eax
    2469:	53                   	push   %ebx
    246a:	e8 a8 00 00 00       	call   0x2517 ; writes EAX to the AES-config

The first bit of the AES-config means it is locked for writing, the second bit means AES-NI is disabled.
So if we change "or $0x3,%eax" (first two bits) to "or $0x1,%eax" (only first bit), we will enable AES-NI. Hence 83 c8 03 needs to be changed to 83 c8 01.
I used a hex editor to open 2BB5AFA9-FF33-417B-8497-CB773C2B93BF_1_739.ROM, patched offset 0x2467 and set it to 01.

Now I clicked OK in phoenixtool and it created a nice new bios image, which I flashed using winflash (using /nodate as a command line argument since it would not flash otherwise because I'm not upgrading). Rebooted and it WORKED!

Remark: If your BIOS seems to contain a section 2BB5AFA9-FF33-417B-8497-CB773C2B93BF_1_739, it is probably the first place to look for the instruction to patch. It may even be exactly the same as mine, so you may want to try looking at offset 0x2467 first.

[wrathchild_67]

Hey guys,
I have just successfully enabled AES-NI on my N53SV (with 2630QM)! This should work on most sandy-bridge laptops with AES-NI disabled.
I'll explain to you how I did it but I have to warn you: these steps are a bit involved. Also THIS IS ENTIRELY AT YOUR OWN RISK.
The idea is based on this pastebin entry describing how to do it on certain lenovo laptops: Unlocking AES-NI on certain Lenovo notebooks models with UEFI (Insyde) firmware - Pastebin.com

Thank you!!!! It worked like a charm on my Asus A53E! The rom and address were the same as yours which made it extremely easy to do the mod. HERE is a link to my modified BIOS. It's version 214 for Asus A53E and K53E laptops.

Proof: http://imgur.com/a/8Uxqy

[ankhazam]

please make bios 208 for N53SN!!!

[carlicious]

please make bios 208 for N53SN!!!

It was easy. Yours has the exact same section, here is the modded version:
N53SNAS_AES.208

I'll also post mine for the N53SV since I have it laying around anyway:
N53SVAS_AES.214

Try doing this yourself first, people.

[nebulus]

@carlicious

Which version of WinFlash did you use? I assume flashing with EZFlash won't work because of the build date check.

[carlicious]

@carlicious

Which version of WinFlash did you use? I assume flashing with EZFlash won't work because of the build date check.

I used the latest from the ASUS website, just use cmd.exe and cd to the winflash directory and type winflash /nodate, it should then accept any bios image.

[gh0st01]

Thank you carlicious!
I flashed the modded BIOS you provided for the N53SV and it worked perfectly!

[jobriennbr]

Do any of you have confirmation that flipping a bit in the BIOS is actually turning on AES-NI functionality on the Intel CPU? e.g. volume encryption benchmark, etc?

HP is claiming the 2630QM doesn't actually support AES-NI and HP is also claiming the Intel website cpu spec page is wrong.

[Dufus]

HP is claiming the 2630QM doesn't actually support AES-NI and HP is also claiming the Intel website cpu spec page is wrong.

There are 2630QM's out there with AES-NI enabled, google should help you find them.


One of the posters here flashed a modded BIOS with the MSR set to AES-NI enabled and still didn't get AES-NI. My thoughts on this is that it possible Intel initially might have released the 2630QM with AES-NI fused off and later changed the fusing (enabling CPU functions on the die) to enabled. This is something that would have to be chased up on with Intel, perhaps by trying the Intel processor support forum to start with.

Easy enough to check by showing MSR 0x13c enabled for AES-NI (MSR 0x13c bit 1 clear and bit 0 set) but CPUID still showing AES-NI not available. Also check the revision ID of the stepping.

Idk, if this were so then maybe this presents a problem with the manufactures if they enable it in BIOS and some end users have AES-NI and some don't for the same systems with earlier 2630QM and later 2630QM. Of course I'm only speculating here.

[gh0st01]

My ASUS N53SV-XE1 came with AES-NI disabled. After flashing the modded bios image provided by carlicious on this page it is now enabled. I´ll post later a screenshot of my computer running the truecrypt benchmark.

The notebook came with the "new revision" 2630qm (i read this revision fixed some bug). Bought it May/2011.

Do any of you have confirmation that flipping a bit in the BIOS is actually turning on AES-NI functionality on the Intel CPU? e.g. volume encryption benchmark, etc?

HP is claiming the 2630QM doesn't actually support AES-NI and HP is also claiming the Intel website cpu spec page is wrong.