Broadcom Wireless cards and Lenovo E530 Bios UEFI Whitelist

Last Updated on 24 August 2015 | Written by CodeAsm

Wireless card

Its a trouble maker, a soldering iron fire starter. The Lenovo E530 I got two(already!)years ago can sometimes be a pain.
First I destroyed the filesystem, then I borked the Bootsequence and last time I beeped flipped the Bios/Uefi variables completly.

I save those boot errors for another blog, when I try refashing it.
Wich actualy started my research for COreboot or just removing/altering the Whitelist of my beloved Lenovo.

Wait what? if you never heard of Bios whitelists, or whitelists for hardware, go read here:

So yes, My lenovo has a whitelist and I do not agree.

Click the readmore button to view some awesome images of the card without shield cover and my further research:



Posible options I have, together with my currectly expected succes rate and dificulty:


Todo Change of succes Level Description
Buy prehacked wificard 99% Easy Just buy one, could be expensive tho.
Reprogram a card mysefl 75% Medium/Hard Buy a card, reprogram it (asumtion that it is prosible)quite cheap posible
Reflash bios with removed or hacked whitelist 50% Medium Let an "Expert" hack the firmware. free
Reflash bios with removed or hacked whitelist, 50% medium/hard hack the firmware yourself. free
Flash Coreboot 20% God lvl DO all the coreboot stuff required, flash the roms and enjoy, also free

So, do you think you know what a poor student in Technical Engineering will choose?

Thats right, Im lazy, and curious, so I bought a cheap wireless card: BCM43228 wich was supossed to be compatible,
Started reading on Coreboot (still like to do that) and downloading tools for firmware modification, bought a TL866CS (hack it to version A, not required) chinese website for latest drivers and software. supports over 13137 ics already :D
and then... I hit a few walls.

Ill keep the firmware(bios) modifications for another blog post, first i try to collect information about my BCM43228 (wich is a combo card with a BCM20702 ) making it a
abgn WLAN & BT 4.0 Combo

WIch is great, because I wanted blue-tooth and 5 Ghz.. and not using a small usb stick but a proper mini PCIe card :D

Example lenovo Whitelist crap
So after trying Ubuntu and to reprogram the SPROM, I hit my second wall (first being the chinese selling me a foxconn branded card)
Why reprogram the SProm you ask?

Great question, the broadcom cards allow vendors to preprogram their hardware to communicate with certain cards and not others.
Well, thats not realy provided by broadcom, so far what I have found is that like Lenovo, they have code in place that check the subvendor ID and/or subproduct ids of hardware.

Not the famous product and vendor id's cause they stay the same for alott of devices, so most general drivers just work,
its the sub versions... Like the fab that put your card in your laptop or router.

So my card probably came from overstock from foxconn or a chinese fab (re)branded it just like it by just writing the right bits.

Other BCM43xx family chips allow you to program the SPROM wich is a writable part of the card to set things like Regulatory settings for region, power and macadresses.

And while GNU family of awesome Engineers (read, hackers) have programmed great driver support and the reprogram utility,
Its not supporting my particular IC because ... well... its not yet suported.

Over at the IRC ive already spoken with them a bit and basicly, like so many Hacker projects, if there is no support, and you like to have some,
heres a to-do list, on how to do this or try and good luck, also, please report back any questions, answers, ideas and what not.

Nothing against that, actualy... its already done for free, and they enjoy doing what they do.
But dont expect Linux to be free, as like Windows 10... ow wait.. I ...

So first I need to collect information and while I was writing this story I remember what I like to do... Drop the tips and clues and let YOU the reader, figure it out.

Thats means I do my thing, and tell you my findings, and lets hope we can figure out something.

Ill update this if I find out more, and ill post a blog update when I started to make progress on that coreboot thing or just firmware flashing:

Here are some bits from the support manuals for a Lenovo Idea pad... pretty similiar to a Edge I have.
04W3763 Cybertan BCM43228+BCM20702 abgn WLAN & BT 4.0 Combo (ThinkPad a/b/g/n)

04W3764 Liteon BCM43228+BCM20702 abgn WLAN & BT 4.0 Combo (ThinkPad a/b/g/n)

04W3765 Intel 2x2 11bgn + BT4.0 Combo Jackson Peak1 (Centrino 2230)

According to a rusian forum, in someones E530 the BCM4322 he got it was having these Sub codes.
SubVendorID - 0x14e4
SubProductID - 0x0607

Wich stands for Lenovo (please look at my dump, thats Foxconn ;)

I did some digging and the FCC id code QDS-BRCM1058 apears to lead me to some intresting pictures:

Broadcom wireless

Broadcom wirless FCC

There are also some backside images and complete test reports, but you can find them yourself and not so intresting I think.

I did however found a letter that got my attension, because it describes a "2-way Bios Lock Logic-Theory of Operation" but asks for it to remain hidden, because of it being "confidential documents".

Would this be the Vendor whitelist or something else ? Sadly, because of recent discoveries of what vendors actualy put in their hardware, I think its something clever, better than just a locked SProm with a subvendor and subproduct id locked in...

Ill give you the links soon, if you realy cant fnd them yourself.

Letter of confidentiality


Due to a break in my CMS, I wont do pagebreaks till I fixed that, for now, use this crappy facebook plugin to comment on this blogpost :P