Persistent Installation vector

Purpose

The Persistent Installation vector adds the agent to the target computer's firmware.

This type of infection has two great advantages:

Prepare the vector

To compile the factory with the Persistent Installation vector, load the isflash.bin firmware update file for the computer to be infected.

IMPORTANT: only computers whose isflash.bin file was obtained can be infected.

NOTE: this vector can infect most firmware products produced by Insyde®; only some versions may be able to resist infection.

How to obtain the file:

Step Action
1 Identify the exact notebook model to be infected.
2 Identify and download the correct firmware (BIOS) for that computer model from the manufacturer's website.
3 Unzip and run the .exe file: an error message appears.
  CAUTION: to prevent damage to the computer, run the procedure on a different computer model than the one for which the firmware was downloaded.
4 With the error message window open, run cd %temp% from the Windows command prompt; temporary computer files appear.
5 In the temporary folder created when firmware file.exe was launched, find isflash.bin (usually 5, 9 or 17 MB).
6 Copy and paste the isflash.bin file into another folder.
7 Now you can close the error message window.
8 In RCS Console, compile the factory using the Persistent Installation vector: upload the isflash.bin file obtained in the previous steps.

Installing the agent

Compiling a factory with the Persistent Installation vector creates the FactoryName_windows_persistent.zip file in the RCS Download folder.

CAUTION: to avoid irreparable damage to the computer, only use the firmware specific to the computer to be infected.

NOTE: two people are required to complete the procedure.

How to install the agent:

Step Action
1 Unzip FactoryName_windows_persistent.zip.
2 Copy the entire content of the unzipped .zip file to an empty FAT or FAT32 formatted key.
  IMPORTANT: the key should only contain file FactoryName_windows_persistent.zip
3 Turn off the target computer and remove the battery and power cord.
4 Insert the key in the computer USB port.
5 Simultaneously press Fn + Esc + the on button and wait 5-10 seconds.
6 Holding the keys down, connect the power cord and wait 5-10 seconds.
7 Release only the on button and wait another five seconds.
8 Release the Fn and Esc keys: the computer boots without the monitor turning on. You will hear the fan start when the computer boots. After about 10 minutes, the computer turns off or reboots.
  IMPORTANT: do not interrupt the boot procedure. The length depends on the key speed and size of the firmware to be updated.

NOTE: if the procedure fails, try again inserting the key in another USB port.

Infection activation conditions

If the agent was successfully installed, the infection is only activated the next time the computer reboots, and only if at least one user was set. The infection involves all users set when the infection is activated, and only those users.

If the agent was installed on a computer that was not shut down correctly or was hibernated, the computer must be turned off and rebooted to activate the infection.

Check installation

Since the target computer shows no signs of agent installation, use RCS Console to check the installation before leaving the target's computer.

How to check installation:

If... Then...
The computer is new and no users have been set
  1. reboot the computer
  2. install Windows and set at least one user
  3. reboot the computer
  4. use RCS Console to check that the agent synchronizes and sends evidence
  5. reset the computer
Users are already set on the computer
  1. reboot the computer
  2. check that the agent synchronizes with RCS Console and sends evidence

Parameters

Name Description
Firmware UEFI
  isflash.bin file specific to the notebook to be infected, where the agent is installed.

RCS9.3 | User's and Installation Guide | © COPYRIGHT 2013