Windows7 SLICs and activation, latest news!!!

[crypto]

I can see MS requiring OEMs to use new certs & PIDs, but considering the pressure on MS & OEMs to get W7 out the door well before Black Friday (in plenty of time for Xmas shoppers), new SLICs seems a little less likely especially since it means new BIOSs....

....but this is all speculation anyways....just a few more months to see what they will actually do....

New certificates means new SLIC tables, since they are binded together.

See my post about identifying OEM certificates, and matching them with their respective SLIC tables:
http://forums.mydigitallife.info/showthread.php?t=4792

[Yen]

New certificates means new SLIC tables, since they are binded together.

See my post about identifying OEM certificates, and matching them with their respective SLIC tables:
http://forums.mydigitallife.info/showthread.php?t=4792

Yes, and new SLICs doesn't mean new certs. since they are binded to the publicKey only.

I guess there will be new SLICs, but they will be able to activate both, win7 and Vista as well.....

[crypto]

Yes, and new SLICs doesn't mean new certs. since they are binded to the publicKey only.

I guess there will be new SLICs, but they will be able to activate both, win7 and Vista as well.....

No, they are not binded by the public key only.
The Windows Marker is signed by the private key that matches the public key in SLIC.

So, Windows Marker depends of Public Key which needs to match the certificate. They are all interconnected.

Therefore, new SLICs means new certificates.

[Yen]

No, they are not binded by the public key only.
The Windows Marker is signed by the private key that matches the public key in SLIC.

So, Windows Marker depends of Public Key which needs to match the certificate. They are all interconnected.

Therefore, new SLICs means new certificates.

What I wanted to say is that one cert. can match to different SLICs. The SLICs got the same public key data, but got different marker data.
Lenovo SLICs are an accordingly example therefore. If you check the Lenovo SLIC and cert. collection you'll notice that all the certificates are the same. Can you explain that fact?

[crypto]

What I wanted to say is that one cert. can match to different SLICs. The SLICs got the same public key data, but got different marker data.
Lenovo SLICs are an accordingly example therefore. If you check the Lenovo SLIC and cert. collection you'll notice that all the certificates are the same. Can you explain that fact?

They look like different SLICs (different binary data) but they are actually the same license.
Let's see if I can explain myself a little better:

What makes a SLIC unique is the private/public key pair that is first generated by the OEM.

The OEM sends the public key + its own OEMID to Microsoft, in order to be signed. This becomes the OEM certificate, which is basically a way to recognize that the private/public key pair + OEMID is a valid Microsoft license.

The Windows Marker is also a digital certificate that is generated by taking into account the OEMID + OEMTableID. It is signed by the OEM (not Microsoft) by using the private key that matches the public key.

In the Lenovo example, they all have the same OEMID and private/public key pair, but have different OEMTableID.
This explains why the generated Windows Marker is different.

But they are still the same license (SLIC), since they are all using the same private/public key pair + OEMID, that was approved/signed by Microsoft. That's why they have the same certificate.

So, as you can see, new SLIC means new private/public key pair, which means new certificate.

[Yen]

They look like different SLICs (different binary data) but they are actually the same license.
Let's see if I can explain myself a little better:

What makes a SLIC unique is the private/public key pair that is first generated by the OEM.

The OEM sends the public key + its own OEMID to Microsoft, in order to be signed. This becomes the OEM certificate, which is basically a way to recognize that the private/public key pair + OEMID is a valid Microsoft license.

The Windows Marker is also a digital certificate that is generated by taking into account the OEMID + OEMTableID. It is signed by the OEM (not Microsoft) by using the private key that matches the public key.

In the Lenovo example, they all have the same OEMID and private/public key pair, but have different OEMTableID.
This explains why the generated Windows Marker is different.

But they are still the same license (SLIC), since they are all using the same private/public key pair + OEMID, that was approved/signed by Microsoft. That's why they have the same certificate.

So, as you can see, new SLIC means new private/public key pair, which means new certificate.

Thanks very much, that's interesting!
So the OEMtableID and the marker part is up to the OEM itself. They can create different OEMtableIDs what means it results to different maker data (binary), remaining the private/public key pair + OEMID (same public key binary data)

The question I'm still interested in: Could it be possible that the OEM sends the public key + its own OEMID to Microsoft, in order to be signed for both win7 and Vista? If yes that would mean new certs, new SLICs, but a possibility to downgrade using same cert. Also it would mean to 'upgrade' using a new modified bios and the same certificate.
The fact that you have to use a new SLIC at any case makes me believe that it doesn't matter if the new SLICs will activate win7 only or Vista as well.
The effort to 'make win7 activated' would be exactly the same. You'll need a new SLIC and a new cert. The only difference is a bonus to activate Vista as well.....
....we know that if you insert two SLICs into a bios, Vista refuses to activate.....

This question is meant in a technical aspect not in a 'political'.

[WickedNick]

...
The question I'm still interested in: Could it be possible that the OEM sends the public key + its own OEMID to Microsoft, in order to be signed for both win7 and Vista? If yes that would mean new certs, new SLICs, but a possibility to downgrade using same cert. Also it would mean to 'upgrade' using a new modified bios and the same certificate.
...

Hi, Yen!

Yes, it's possible to use new Windows 7 certificate on both Windows Vista and Windows Server 2008.
Only one limitation has place to be: the Vista must have at least SP1 installed.
The marker itself remains the same for all three versions of operating systems, but "old branded" markers can not be used in Windows 7 / Windows Server 2008 R2, you should get the new one.

[Yen]

Yes,

this marker seems to be one of the 'new branded'. It should activate WIN7 as well.....unfortunately no cert, no serial (yet).... marker from 'government tools'???

But what I don't get is that the OEMID is still the same (LENOVO)...what I guessed will come true??? Update the marker at bios ONLY + new cert+ new serial to allow to activate w7 as well????

Code:

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000000   01 00 00 00 B6 00 00 00  00 00 02 00 4C 45 4E 4F   ....¶.......LENO
00000010   56 4F 54 43 2D 35 4D 20  20 20 57 49 4E 44 4F 57   VOTC-5M   WINDOW
00000020   53 20 01 00 02 00 00 00  00 00 00 00 00 00 00 00   S ..............
00000030   00 00 00 00 00 00 C2 88  04 FE 2B 16 3A 4E EA 6E   ......ˆ.þ+.:Nên
00000040   2F F5 A0 F5 D4 22 A3 84  44 62 C1 93 C0 84 76 B9   /õ*õÔ"£„DbÁ“À„v¹
00000050   D7 DE FB A9 21 43 B3 19  AA DC 07 77 C7 85 49 11   ×Þû©!C³.ªÜ.wÇ…I.
00000060   53 53 90 8F D9 94 35 B3  38 E0 14 10 4F 0E A8 14   SS��Ù”5³8à..O.¨.
00000070   14 0A 47 89 01 EE A1 8B  51 09 D6 AF 31 CF 35 83   ..G‰.î¡‹Q.Ö¯1Ï5ƒ
00000080   E0 54 D1 F9 17 E0 A5 3C  F2 5C 90 18 4A 07 61 EE   àTÑù.à¥<ò\�.J.aî
00000090   B4 88 6B 75 71 3F A4 A3  F8 E9 A6 65 8B 68 EB CE   ´ˆkuq?¤£øé¦e‹hëÎ
000000A0   2C 88 31 E2 04 CD 43 92  EE 68 4A 5E EE 78 D8 65   ,ˆ1â.ÍC’îhJ^îxØe
000000B0   53 99 21 6E 4C 7A                                  S™!nLz

The right pubkey found at bios:

Code:

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000000   00 00 00 00 9C 00 00 00  06 02 00 00 00 24 00 00   ....œ........$..
00000010   52 53 41 31 00 04 00 00  01 00 01 00 69 16 4A 9F   RSA1........i.JŸ
00000020   B1 4B 3A FB 80 20 AA AF  C4 F9 3E C1 80 49 EE 6A   ±K:û€ ª¯Äù>Á€Iîj
00000030   65 26 72 1E CD BF 5F 2F  96 D6 C0 0A 92 F5 06 B5   e&r.Í¿_/–ÖÀ.’õ.µ
00000040   00 B2 3B 29 02 E2 4C 8D  C2 F2 BC 41 77 9C 70 F0   .²;).âL�Âò¼Awœpð
00000050   F3 1B 09 D2 63 5A DC A8  83 F8 5E C9 15 95 F9 FA   ó..ÒcZܨƒø^É.•ùú
00000060   FD DC 05 B7 4D 67 7F 2D  B3 84 33 20 E1 D1 79 2A   ýÜ.·Mg-³„3 áÑy*
00000070   A7 6A 77 D1 B6 20 2A 76  42 C5 D5 E9 B6 43 40 55   §jwѶ *vBÅÕé¶C@U
00000080   44 C3 C9 37 99 5F 41 97  70 F3 D1 F6 07 EC 7B 1A   DÃÉ7™_A—póÑö.ì{.
00000090   29 A1 C1 F1 91 FD 48 86  6E 3E CE CB               )¡Áñ‘ýH†n>ÎË

Ref:
http://www.bios.net.cn/bbs/thread-60307-1-1.html

[crypto]

The question I'm still interested in: Could it be possible that the OEM sends the public key + its own OEMID to Microsoft, in order to be signed for both win7 and Vista? If yes that would mean new certs, new SLICs, but a possibility to downgrade using same cert. Also it would mean to 'upgrade' using a new modified bios and the same certificate.

Yes, this is possible. We have the example of the current SLICs & certs, which are able to activate both Windows Vista and Server 2008.

Future SLICs & certs will most likely be able to activate all operating systems: Vista, Server 2008, Win 7 and Server 2008 R2, depending only on the OEM:SLP key used.

Basically, SLICs & certs seem to be backwards compatible: the newest ones will activate previous Windows editions, but the current ones won't activate newer Windows editions.

Hi, Yen!

Yes, it's possible to use new Windows 7 certificate on both Windows Vista and Windows Server 2008.
Only one limitation has place to be: the Vista must have at least SP1 installed.
The marker itself remains the same for all three versions of operating systems, but "old branded" markers can not be used in Windows 7 / Windows Server 2008 R2, you should get the new one.

If by "marker" you mean SLIC, then you are correct.

But how do you know that Vista must have SP1 installed? The only change in activation that I've seen, from SP0 to SP1, is an update to pidgenx.dll and pkeyconfig.xrm-ms, in order to accommodate new key ranges for Server 2008.

Yes,

this marker seems to be one of the 'new branded'. It should activate WIN7 as well.....unfortunately no cert, no serial (yet).... marker from 'government tools'???

But what I don't get is that the OEMID is still the same (LENOVO)...what I guessed will come true??? Update the marker at bios ONLY + new cert+ new serial to allow to activate w7 as well????

Code:

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000000   01 00 00 00 B6 00 00 00  00 00 02 00 4C 45 4E 4F   ....¶.......LENO
00000010   56 4F 54 43 2D 35 4D 20  20 20 57 49 4E 44 4F 57   VOTC-5M   WINDOW
00000020   53 20 01 00 02 00 00 00  00 00 00 00 00 00 00 00   S ..............
00000030   00 00 00 00 00 00 C2 88  04 FE 2B 16 3A 4E EA 6E   ......ˆ.þ+.:Nên
00000040   2F F5 A0 F5 D4 22 A3 84  44 62 C1 93 C0 84 76 B9   /õ*õÔ"£„DbÁ“À„v¹
00000050   D7 DE FB A9 21 43 B3 19  AA DC 07 77 C7 85 49 11   ×Þû©!C³.ªÜ.wÇ…I.
00000060   53 53 90 8F D9 94 35 B3  38 E0 14 10 4F 0E A8 14   SS��Ù”5³8à..O.¨.
00000070   14 0A 47 89 01 EE A1 8B  51 09 D6 AF 31 CF 35 83   ..G‰.î¡‹Q.Ö¯1Ï5ƒ
00000080   E0 54 D1 F9 17 E0 A5 3C  F2 5C 90 18 4A 07 61 EE   àTÑù.à¥<ò\�.J.aî
00000090   B4 88 6B 75 71 3F A4 A3  F8 E9 A6 65 8B 68 EB CE   ´ˆkuq?¤£øé¦e‹hëÎ
000000A0   2C 88 31 E2 04 CD 43 92  EE 68 4A 5E EE 78 D8 65   ,ˆ1â.ÍC’îhJ^îxØe
000000B0   53 99 21 6E 4C 7A                                  S™!nLz

The right pubkey found at bios:

Code:

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000000   00 00 00 00 9C 00 00 00  06 02 00 00 00 24 00 00   ....œ........$..
00000010   52 53 41 31 00 04 00 00  01 00 01 00 69 16 4A 9F   RSA1........i.JŸ
00000020   B1 4B 3A FB 80 20 AA AF  C4 F9 3E C1 80 49 EE 6A   ±K:û€ ª¯Äù>Á€Iîj
00000030   65 26 72 1E CD BF 5F 2F  96 D6 C0 0A 92 F5 06 B5   e&r.Í¿_/–ÖÀ.’õ.µ
00000040   00 B2 3B 29 02 E2 4C 8D  C2 F2 BC 41 77 9C 70 F0   .²;).âL�Âò¼Awœpð
00000050   F3 1B 09 D2 63 5A DC A8  83 F8 5E C9 15 95 F9 FA   ó..ÒcZܨƒø^É.•ùú
00000060   FD DC 05 B7 4D 67 7F 2D  B3 84 33 20 E1 D1 79 2A   ýÜ.·Mg-³„3 áÑy*
00000070   A7 6A 77 D1 B6 20 2A 76  42 C5 D5 E9 B6 43 40 55   §jwѶ *vBÅÕé¶C@U
00000080   44 C3 C9 37 99 5F 41 97  70 F3 D1 F6 07 EC 7B 1A   DÃÉ7™_A—póÑö.ì{.
00000090   29 A1 C1 F1 91 FD 48 86  6E 3E CE CB               )¡Áñ‘ýH†n>ÎË

Ref:
http://www.bios.net.cn/bbs/thread-60307-1-1.html

Yen, that SLIC is still one of the old ones (same private/public key pair as the currently known ones).
Unless someone working for one of the OEMs leaks a new SLIC, then we will only see them when computers are sold with Win 7 or Server 2008 R2 preinstalled.

[WickedNick]

If by "marker" you mean SLIC, then you are correct.

But how do you know that Vista must have SP1 installed? The only change in activation that I've seen, from SP0 to SP1, is an update to pidgenx.dll and pkeyconfig.xrm-ms, in order to accommodate new key ranges for Server 2008.

Hi, Crypto!

The SLIC table itself consists of two parts.
The first one is the Public Key (0x9C bytes). The second one is the Marker (0xB6 bytes).
Windows 7 and Windows Server 2008 R2 require a different Marker binary format (the OA version 2.1). Windows Vista SP1+ and Windows Server 2008 accept both Marker formats (OA version 2.0 and OA version 2.1). As far as I see the difference is only in version footprint (words at offsets 0x22 and 0x24 in the Marker file).
The marker that has been pulished by Yen is OA 2.1 capable. So it could be used in all Windows 7, Windows Vista SP1+ and Windows Server 2008 / 2008R2 operating systems. Only the problem is in the proper certificate file and right serial number for the OS.
As for Vista SP1 limitation for the OA 2.1, I did not tested it by myself and I believe to Microsoft opinion in this question.