GOP Update and Extraction Tool (Turing)

Since the introduction of the Ampere microarchitecture, NVIDIA has implemented additional digital signatures and policies to ensure the integrity of firmware, rendering current tools inapplicable to graphics cards based on Ampere and newer architectures. The presence of these increased digital signatures and policy constraints means that developing universal patches for all firmware versions will be prohibitively costly for NVIDIA. Consequently, I believe that more graphics cards will be unable to receive software patches and updates throughout their lifecycle if these restrictions are not alleviated.

Currently, the new GOP tools for graphics cards based on the Ampere and newer architectures is limited by digital signature restrictions, and only a subset of devices/firmware can be updated to the latest GOP version.

A new version of the GOP tools will be released in the future, so stay tuned.

Does this mean that I can update with GOP tool, but I would not be able to flash it because of the missing signature?

BTW, latest GOP tool has 0x7000b for Ada Lovelace.

Thank you for your attention.

Yes but not entirely, these digital signatures are saved in the firmware and verified on boot, so future versions of the GOP tools will support saving these digital signatures as well as refreshing. This also makes it impossible to change the size of the GOP until there are more options to skip digital signatures, so only firmware of specific GOP versions can be updated.

2 Likes

Thanks for your answer. What happens if I flash a firmware with broken signature now?

At least since the Turing microarchitecture, verifying digital signatures has become a mandatory requirement for device initialization. If the firmware lacks a proper digital signature, the device initialization process cannot be completed.

So, I can flash my card, but the system will not boot, right?

Firmware that does not pass digital signature verification cannot be flashed using NVFLASH, but you can still use a version with the verification removed (if available) or use a programmer to flash it. However, as mentioned before, an incorrect digital signature will prevent the device from completing initialization.

2 Likes

I was wondering if updating the EFIROM alone using the command nvflash -u file.efirom will work on 4090…
What do you think?

As mentioned in the post above, efirom does not contain a digital signature, which prevents NVFLASH from verifying the digital signature. Consequently, this method cannot be used to update the VBIOS. Additionally, the various functional modules of the VBIOS are stored in different blocks. Theoretically, unless the modules in the VBIOS are designed to be interchangeable, the flashing software will not know which block to modify.

2 Likes

new efi.zip (166.3 KB)

nv_gop_GA1xx_0x60018

nv_gop_AD1xx_0x70011

EFI of what? Your washing machine???

NVIDIA Firmware Update Utility (Version 5.821.0)
Copyright (C) 1993-2023, NVIDIA Corporation. All rights reserved.

Sign-On Message :
Build GUID : Blank
Build Number : 0
IFR Subsystem ID : Blank
Subsystem Vendor ID : 0x0000
Subsystem ID : 0x0000
Version : Unavailable (Invalid) (Disabled Image)
Image Hash : N/A
Device Name(s) : Unknown
Board ID : Blank
Vendor ID : 0x0000
Device ID : 0x0000
Hierarchy ID : N/A
Chip SKU : N/A
Project : N/A
Build Date : Blank
Modification Date : Blank
UEFI Version : No Version Found or Out-dated ( )
UEFI Variant ID : No Variant ID Found ( No Variant ID Found )
UEFI Signer(s) : Unknown signer
XUSB-FW Version ID : N/A
XUSB-FW Build Time : N/A
InfoROM Version : No Version Found
InfoROM Backup : Not Present
License Placeholder : Not Present
GPU Mode : N/A
CEC OTA-signed Blob : Not Present

EDIT: Original post edited and added the info provided by Dagal.

Thank you for your attention to this post and for sharing the new version of GOP firmware.
Unfortunately, for Ampere and newer architecture devices, firmware alone is not enough, and corresponding digital signature data is required, so the content you submitted cannot be used.
This is not your fault, I will complete the new version as soon as possible to support these contents, and I will let you know when the new version is completed.
Thank you again for sharing.

1 Like

This is efi (nv_gop_GA1xx_0x60018.efirom and nv_gop_AD1xx_0x70011.efirom without header.

1 Like

Any news for the new version?

1 Like

I support

Dear All,

Thank you for your interest in this project.

The core part of the tool has been largely completed, but there are still some tasks and analyses that need to be carried out.

As mentioned earlier, due to NVIDIA’s addition of validation for the GOP module and partition size in the VBIOS, most graphics cards—particularly those using early firmware or lacking firmware updates, such as low-cost devices—cannot be updated with the new tool. Considering this limitation, I am still exploring possible methods to change the partition size and pass the validation, and I hope to determine whether the partition size validation is related to the contents within the partition.

*Currently, the tool only supports updates to GOP versions with identical sizes, such as from 0x60010 to 0x60012 or from 0x60014 to 0x6001b.

Furthermore, starting with the Ampere architecture, the GOP module requires a corresponding digital signature to function correctly. As a necessary component of the GOP module, the new extraction tool will extract the digital signature along with the GOP module into the EFI file. The tools developed previously for the Turing architecture, as well as the EFI modules extracted using those tools, will no longer be compatible. This marks a significant change.

The digital signature is generated based on the GOP and its header configuration information, meaning that identical GOP versions with different header configurations will produce different digital signatures. Storing all this data would greatly waste storage space. Therefore, the new extraction tool supports a streamlined mode where, if an identical version is found, only the digital signature and header information are saved. This new feature is nearly complete, though some testing remains, and a few special cases still need to be addressed (such as when identical GOP versions with the same header configuration result in different digital signatures).

There have also been some efficiency optimizations for the tool targeting the Turing architecture, with restrictions to ensure it no longer supports non-Turing architecture cards, thereby guaranteeing absolute stability. Should progress be made in changing partition sizes on the Ampere architecture, this will be considered for application to the Turing architecture as well.

Although I have a test version available, I cannot release it at this stage. Releasing these tools before fully completing the specifications would lead to confusion, incompatibility, or unexpected issues. Moreover, these tools need to be released alongside comprehensive guidelines, which will take some time.

I will do my best to provide regular updates on the progress.

If you wish to support this project, please try to help me find two VBIOS versions from Turing, Ampere, or later architecture cards where only the GOP size and GOP version differ, and upload them here to help me gather more useful information.

— 2024.11.14 —
Progress Update:

The specifications for the new EFI format have now been finalized. A new tool tailored for Ampere and updated architectures has been developed and optimized. This tool is maintain the same level of efficiency and stability as the previous version, and is currently undergoing limited-scale testing.

For the Turing architecture, the core code of the extraction and normalization tool is being refactored to enable adaptability to potential future variations, which will require additional time to complete.

Additionally, we are drafting documentation on usage guidelines, important considerations, and a FAQ section for the new tool.

If progress goes smoothly, we anticipate releasing these updates by the end of the year.

5 Likes

hi thanks for your work .

Can you give an example (screenshots etc) from 2 bios that differ in the way that you explain , so that we will upload useful pairs of bios

please try to help me find two VBIOS versions from Turing, Ampere, or later architecture cards where only the GOP size and GOP version differ, and upload them here to help me gather more useful information.

@wudimobile I have downloaded 610 Turing VBIOS from Techpowerup’s GPU database and have yet to find this scenario.

The only outlier was for 50019 which has two sizes in different SKUs:

50019 v1 = 69,632 bytes (compressed)

Palit CMP 30HX 6 GB BIOS
Dell Quadro T600 4 GB BIOS
PNY QUADRO T400 2048 MB BIOS

50019 v2 = 73,216 bytes (compressed)

HP Quadro T400 2048 MB BIOS
HP Quadro 600 4 GB BIOS

Thank you for your prompt response, but unfortunately, this is not the information I need. I apologize if there was a misunderstanding due to my use of a translation tool. I will describe the required information in more detail.

Starting with the Turing architecture, NVIDIA no longer allows changes to the GOP partition size, but the content within the GOP partition is still not verified.

However, on the Ampere architecture, based on the information analyzed so far, the content in the GOP partition is verified by two digital signatures. Therefore, as long as these two digital signatures are written into the VBIOS along with the content, it will pass the verification. However, similar to the Turing architecture, the partition size cannot be modified. If the GOP is replaced with one of a different size, it will still fail verification even if these two digital signatures are used.

Due to the limited publicly available information on NVIDIA VBIOS, it is unclear what constraints are preventing these changes. However, I believe there must be code controlling the partition size or verifying the partition size. (If we cannot overcome these, the scope of modifications we can make in the future will become increasingly limited.) There are at least a dozen or even dozens of digital signatures and checksums in NVIDIA VBIOS. If we were to verify them one by one, the workload would be enormous. Therefore, I am wondering if we could find two VBIOS files from the same model or variant, compiled from the same source code version and configuration, but with different GOP versions and sizes. This way, we could narrow down the scope of analysis as much as possible.

Some additional information that might be necessary to know: In NVIDIA VBIOS version numbers, for example, 94.04.2F.00.BD:

  • 94 → Architecture
  • 04 → Applicable core
  • 2F → Source code version
  • 00 → Revision version (typically stepping from 40→80→C0, corresponding to revision version 1, revision version 2, revision version 3)
  • BD → Release number

Therefore, these two VBIOS files need to have the exact same version number, except for the release number. If they are variant models, the hardware, such as the number of fans, voltage, frequency, interface configuration, etc., should be identical or nearly identical. Additionally, they need to contain different-sized versions of the GOP.

If you are unsure or do not know which VBIOS files meet these criteria, you can use Beyond Compare or another binary comparison tool to compare the two VBIOS files. If you see that they are almost identical except for the GOP module, then that is what I have been looking for.

I am not certain if such VBIOS files exist, but they often lead to significant discoveries. For example, the new version of the tool was made possible thanks to a prototype Ampere architecture VBIOS.

2 Likes

@wudimobile I was just confirming that through examining 610 Turing VBIOS files I have not found:

two VBIOS files from the same model or variant, compiled from the same source code version and configuration, but with different GOP versions and sizes.

I appreciate the explanation and it helps explain to others what you specifically need, so thank you for all of your hard work and the information in your last post.

1 Like