January 12, 2015 at 09:48OEM activation of Windows Vista / 7/8 / 8.1 under the QEMU hypervisor
OEM versions of Microsoft's OS, starting with Vista, use authentication based on a comparison of three components:
Upon successful comparison of these three components, the OS is offline activated. In this case, there is a sticker on the PC case containing the license key of a specific OS instance (and not the manufacturer), which can be used to activate the OS online if it is not installed from the image provided by the PC manufacturer, but from a “clean” (MSDN) OEM image from Microsoft.
In addition, the license key of a specific OS instance can be embedded in text form in the BIOS into the ACPI MSDM table. In this case, when installing the OS, the key will be extracted from the BIOS and sewn into a specific OS instance. The OEM sticker on the laptop case in this case may no longer contain a license key. This method is used to activate Windows 8 / 8.1. You can
view the contents of ACPI tables from WIndows using the RWEverything utility, and booting from a Linux Live-CD, for example, SystemRescueCD . The latter method is relevant when it is no longer possible to boot into the installed instance of Windows.
We have two laptops - Samsung NP305 and Acer Aspire V5-551G, the first one is preinstalled with Windows 7 OEM Home Basic x86_64, the second one has Windows 8 OEM Single Language x86_64. We will use SystemRescueCD. After loading, we look at the contents of the / sys / firmware / acpi / tables directory:
We are interested in tables SLIC and MSDM. A description of their structure can be found, for example, in this file. First, let's look at the SLIC table on a laptop with Windows 7 (the real data is “X” closed):
As you can see, licensing information is stored here in binary form.
There is no MSDM table in the BIOS of a laptop with Windows 7.
Now let's look at the SLIC table on a Windows 8 laptop:
The table is empty, so using offline activation on this laptop is not possible.
Now let's look at the MSDM table (the real data is “X” closed).
The 25-digit OS instance key is sewn into the open MSDM table.
From the / sys / firmawe / acpi / tables directory, SLIC and MSDM files can be copied to any other location in the usual way.
Now we have the SLIC and MSDM table images. It turns out that you can simulate the presence of these tables when loading Windows in the QEMU / KVM hypervisor environment using the -acpitable option. For example, we will start the installation of Windows 7 from an OEM drive, and we will not connect a network adapter to make sure that it is offline activated.
After installation, by going to Computer -> Properties, we will see that our system is not activated. This is natural, since we emulate only one of the components of the offline activation system - the SLIC table, however, for successful activation we also need a certificate (XML file with the XRM-MS extension) and an OEM key. The listed components are already embedded in the recovery image available on the laptop disk, and if we mark the recovery partition as bootable, we can activate the installation of the Windows instance, which will be authenticated immediately after installation.
If we somehow get the certificate and the key separately, we can put them in teams
You need to pay attention to that. that the utility SLMGR.VBS has been running for a long time and upon completion of work it displays a message in a separate window.
Upon completion of the SLMGR.VBS utility, a copy of Windows will be successfully activated.
I only encountered three-component offline activation on laptops with preinstalled Windows Vista / 7, for laptops with preinstalled Windows 8 / 8.1, online activation is used using a 25-digit OS instance key sewn into the MSDM table. When installing Windows 8, the key is automatically extracted from the BIOS, and, after checking for compliance with the installed version of Windows, it is written to the registry. Make sure of this:
Install Windows 8 and use the NirSoft Product Key Viewer utility . Indeed, the key of the installed version of Windows 8 and the key from the MSDM table are the same.
Unfortunately, only SeaBIOS, which comes with QEMU by default, can use ACPI user tables, but the -acpitable parameter simply ignores OVMF , which allows loading the OS in the EFI environment.
Naturally, you can use emulation of ACPI tables only by following the letter and the spirit of the license agreement with Microsoft, otherwise karmic forces will punish you.
- OEM certificate embedded in OS distribution
- a binary key embedded in the BIOS, and specifically in the ACPI SLIC table
- licensed 25-digit manufacturer key sewn into the OS distribution
Upon successful comparison of these three components, the OS is offline activated. In this case, there is a sticker on the PC case containing the license key of a specific OS instance (and not the manufacturer), which can be used to activate the OS online if it is not installed from the image provided by the PC manufacturer, but from a “clean” (MSDN) OEM image from Microsoft.
In addition, the license key of a specific OS instance can be embedded in text form in the BIOS into the ACPI MSDM table. In this case, when installing the OS, the key will be extracted from the BIOS and sewn into a specific OS instance. The OEM sticker on the laptop case in this case may no longer contain a license key. This method is used to activate Windows 8 / 8.1. You can
view the contents of ACPI tables from WIndows using the RWEverything utility, and booting from a Linux Live-CD, for example, SystemRescueCD . The latter method is relevant when it is no longer possible to boot into the installed instance of Windows.
We have two laptops - Samsung NP305 and Acer Aspire V5-551G, the first one is preinstalled with Windows 7 OEM Home Basic x86_64, the second one has Windows 8 OEM Single Language x86_64. We will use SystemRescueCD. After loading, we look at the contents of the / sys / firmware / acpi / tables directory:
ls /sys/firmware/acpi/tables/
APIC dynamic DSDT FACP FACS HPET MCFG SLIC SSDT1 SSDT2
We are interested in tables SLIC and MSDM. A description of their structure can be found, for example, in this file. First, let's look at the SLIC table on a laptop with Windows 7 (the real data is “X” closed):
> xxd /sys/firmware/acpi/tables/SLIC
0000000: 534c 4943 7601 0000 01fb 5345 4343 5344 SLICv.....SECCSD
0000010: 4c48 3433 5354 4152 0920 0701 414d 4920 LH43STAR. ..AMI
0000020: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX xxxxxxxxxxxxxxxx
0000030: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX xxxxxxxxxxxxxxxx
0000040: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX xxxxxxxxxxxxxxxx
0000050: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX xxxxxxxxxxxxxxxx
0000060: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX xxxxxxxxxxxxxxxx
0000070: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX xxxxxxxxxxxxxxxx
0000080: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX xxxxxxxxxxxxxxxx
0000090: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX xxxxxxxxxxxxxxxx
00000a0: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX xxxxxxxxxxxxxxxx
00000b0: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX xxxxxxxxxxxxxxxx
00000c0: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX xxxxxxxxxxxxxxxx
00000d0: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX xxxxxxxxxxxxxxxx
00000e0: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX xxxxxxxxxxxxxxxx
00000f0: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX xxxxxxxxxxxxxxxx
0000100: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX xxxxxxxxxxxxxxxx
0000110: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX xxxxxxxxxxxxxxxx
0000120: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX xxxxxxxxxxxxxxxx
0000130: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX xxxxxxxxxxxxxxxx
0000140: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX xxxxxxxxxxxxxxxx
0000150: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX xxxxxxxxxxxxxxxx
0000160: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX xxxxxxxxxxxxxxxx
0000170: XXXX XXXX XXXX xxxxxx
As you can see, licensing information is stored here in binary form.
There is no MSDM table in the BIOS of a laptop with Windows 7.
Now let's look at the SLIC table on a Windows 8 laptop:
> xxd /sys/firmware/acpi/tables/SLIC
0000000: 534c 4943 7601 0000 0168 4143 5253 5953 SLICv....hACRSYS
0000010: 4143 5250 5244 4354 0100 0000 3130 3235 ACRPRDCT....1025
0000020: 0000 0400 0000 0000 0000 0000 0000 0000 ................
0000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000060: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000070: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000080: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000090: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000100: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000110: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000120: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000130: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000140: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000150: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000160: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000170: 0000 0000 0000 ......
The table is empty, so using offline activation on this laptop is not possible.
Now let's look at the MSDM table (the real data is “X” closed).
> xxd /sys/firmware/acpi/tables/MSDM
0000000: 4d53 444d 5500 0000 030b 4143 5253 5953 MSDMU.....ACRSYS
0000010: 4143 5250 5244 4354 0100 0000 3130 3235 ACRPRDCT....1025
0000020: 0000 0400 0100 0000 0000 0000 0100 0000 ................
0000030: 0000 0000 1d00 0000 XXXX XXXX XXXX XXXX ........XXXXX-XX
0000040: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXX-XXXXX-XXXXX-
0000050: XXXX XXXX XX XXXXX
The 25-digit OS instance key is sewn into the open MSDM table.
From the / sys / firmawe / acpi / tables directory, SLIC and MSDM files can be copied to any other location in the usual way.
Now we have the SLIC and MSDM table images. It turns out that you can simulate the presence of these tables when loading Windows in the QEMU / KVM hypervisor environment using the -acpitable option. For example, we will start the installation of Windows 7 from an OEM drive, and we will not connect a network adapter to make sure that it is offline activated.
> qemu-img create -f qcow2 -o lazy_refcounts /media/storage/VMs/win7-slic-test.qcow2 40G
> qemu-system-x86_64 -smp cores=2 -m 1024 -enable-kvm -cdrom /media/storage/iso/Windows_7_SP1_RU/7601.17514.101119-1850_x64fre_client_ru-ru_OEM_HomeBasic-GRMCHBXFREO_RU_DVD.iso -acpitable file=/media/storage/misc/Samsung_NP305V5A/ACPI/tables/SLIC -net none -drive id=disk,file=/media/storage/VMs/win7-slic-test.qcow2,if=none -device ahci,id=ahci -device ide-drive,drive=disk,bus=ahci.0
After installation, by going to Computer -> Properties, we will see that our system is not activated. This is natural, since we emulate only one of the components of the offline activation system - the SLIC table, however, for successful activation we also need a certificate (XML file with the XRM-MS extension) and an OEM key. The listed components are already embedded in the recovery image available on the laptop disk, and if we mark the recovery partition as bootable, we can activate the installation of the Windows instance, which will be authenticated immediately after installation.
If we somehow get the certificate and the key separately, we can put them in teams
SLMGR.VBS -ILC <Файл_сетрификата.XRM-MS>
SLMGR.VBS -IPK <25-значный ключ производителя>
You need to pay attention to that. that the utility SLMGR.VBS has been running for a long time and upon completion of work it displays a message in a separate window.
Upon completion of the SLMGR.VBS utility, a copy of Windows will be successfully activated.
I only encountered three-component offline activation on laptops with preinstalled Windows Vista / 7, for laptops with preinstalled Windows 8 / 8.1, online activation is used using a 25-digit OS instance key sewn into the MSDM table. When installing Windows 8, the key is automatically extracted from the BIOS, and, after checking for compliance with the installed version of Windows, it is written to the registry. Make sure of this:
> qemu-img create -f qcow2 -o lazy_refcounts /media/storage/VMs/win8-msdm-test.qcow2 40G
> qemu-system-x86_64 -smp cores=2 -m 1024 -enable-kvm -cdrom /media/storage/ISO/Win8_OEM/HRM_CSLA_X64FREO_RU-RU_DV5.ISO -acpitable file=/media/storage/misc/Acer_Aspire_V5-551G/ACPI/tables/MSDM -net none -drive id=disk,file=/media/storage/VMs/win8-msdm-test.qcow2,if=none -device ahci,id=ahci -device ide-drive,drive=disk,bus=ahci.0
Install Windows 8 and use the NirSoft Product Key Viewer utility . Indeed, the key of the installed version of Windows 8 and the key from the MSDM table are the same.
Unfortunately, only SeaBIOS, which comes with QEMU by default, can use ACPI user tables, but the -acpitable parameter simply ignores OVMF , which allows loading the OS in the EFI environment.
Naturally, you can use emulation of ACPI tables only by following the letter and the spirit of the license agreement with Microsoft, otherwise karmic forces will punish you.