EFI boot on my HP
#1
Almost done with enabling EFI on my G62 laptop.

F9 boot menu
[Image: 66lvt0.jpg]

Here is EFI Shell from USB (internal works too)
[Image: fk0gax.jpg]

Just by mistake I discovered this.
(works only this way: boot to shell from USB, maybe works with internal too, type exit, shell quits and gets reloaded, type exit again and here is the menu)

[Image: 2u8fh49.jpg]

[Image: 24ypkt2.jpg]

[Image: qsnpjn.jpg]

But I encountered one problem: if I boot from a USB stick, GPT and with Win7 setup, after loading files (white progress bar) and the "Starting Windows" message the laptop hangs with a black screen.
The same stick loaded manually from the shell launched with F2 (instead of System Diagnostics) passes this step and shows the welcome message with the menu to choose language ...

Could this be a problem of some drivers missing?
I took a look at the drivers loaded by the internal EFI shell and at what is loaded by the shell in F2 mode; in one case one more is loaded, Ps2Mouse, but I don't think that is the problem.
Or something is not quite right

And under the BIOS EFI boot menu nothing is listed in normal mode.
I see in other modules that a list is created, but in this HP one that part of the function doesn't exist. And there is no place to insert it, and to resize the module and redo all the addressing manually is a hard job. Or maybe I can insert it at the end; I remember reading somewhere that you can add sections to PE files.

So what remains to solve is that hang and the devices listed in BIOS.
But it is possible that if the disk is GPT, even if it is not listed in BIOS, and no other bootable device is connected, then it will boot from the internal disk. Need to test that.
#2
Installed Win7 x64 in EFI mode
Power on laptop and get some message
Remove disks or other media
Press any key to restart
No bootable device ...


Reset or power off and on again; pressing F9 shows Windows Boot Manager detected in the Boot Option Menu. Choosing this one starts loading Windows, then it hangs with a black screen.

Even in safe mode, the last thing that I see loading is the disk.sys driver. If I try to log startup, nothing is added to the log file for that session. For normal startup, after disk.sys some ACPI or PnP driver is loaded; at least that is logged to the boot log file.

But if I press F2 during startup then the EFI shell is launched from USB (replaced and renamed shell to CryptRSA); now if I load Windows Boot Manager, Windows starts and works fine.

In BIOS setup, normally nothing is listed under EFI boot, but if I access the boot menu first (F9), then decide not to choose a boot device but to enter setup (F10), then under the EFI boot menu the available EFI devices are listed and can be changed with F5/F6.

Maybe the BIOS is not entirely switched to EFI and still works in legacy mode.
I remember that after that trick with exit and the EFI shell getting reloaded, when I got access to that menu, no legacy device was listed as available for boot; only the long names of the attached USB and the internal EFI shell were listed, and not the hard disk and CD-ROM that are listed in normal mode.

In setup utility
- EFI enable/disable works; if I disable it I get no EFI devices or internal EFI shell as a boot option
- EFI device first (that was added by me) works, as the listing in the F9 boot menu changes according to that setting.

Now I think that the problem could be in DxePlatform or StartupMenu.
If I can change what is executed in normal mode to what is executed when F2 is pressed, except the last part where CryptRSA is loaded, then the laptop will be started in EFI mode.
But I can't figure out where that code is inside StartupMenu.

Here is the StartupMenu disassembly; maybe someone could help to identify which is the normal execution flow and which path is followed when F2 is pressed.
#3
Except the HP mini 311, which is 32-bit and very different, did anyone find any HP that could be EFI enabled after unlocking menus?
#4
Still working on that.
After injecting some code to read some values, I reached the point where I found why EFI boot is bypassed.
At
loc_180002E26:
there is a check of the rsp+70h offset (IDA interprets this as [rsp+D8h+var_68]); if empty, it jumps over looking for BootX64.efi and Windows Boot Manager.
You can see at
loc_180002DB9:
that [rsp+D8h+var_68] = 9B41EFBBh
and becomes 0 after EFI_BOOT_SERVICES.LocateHandleBuffer for EfiSimpleFileSystemProtocol.
At [rsp+D8h+var_68] the number of partitions detected must be found.

How can I query, test or reinitialize EfiSimpleFileSystemProtocol?

[Image: ay8twi.jpg]
#5
(07-13-2014, 08:44 PM)gabiz_ro Wrote: Still working on that.
After injecting some code to read some values, I reached the point where I found why EFI boot is bypassed.
At
loc_180002E26:
there is a check of the rsp+70h offset (IDA interprets this as [rsp+D8h+var_68]); if empty, it jumps over looking for BootX64.efi and Windows Boot Manager.
You can see at
loc_180002DB9:
that [rsp+D8h+var_68] = 9B41EFBBh
and becomes 0 after EFI_BOOT_SERVICES.LocateHandleBuffer for EfiSimpleFileSystemProtocol.
At [rsp+D8h+var_68] the number of partitions detected must be found.

How can I query, test or reinitialize EfiSimpleFileSystemProtocol?

[Image: ay8twi.jpg]

You are doing a good job, friend!!!
Many thanks for your efforts, it will clarify many things!
Continue, please, we are following your discoveries!
Regards

Your Brain . . . . It's the best tool U can use !
Don't FLASH the Bios Mod if You get a Size Alert, You risk a Brick !!!
#6
Which variable offset did you use when adding EFI device first option to your setup utility?
#7
It was a modified Setup Utility; that option doesn't exist in the original.
But it seems to work since it has an effect, at least on F9 with the modified BDS.
I remember I posted some screenshots here; the variable was 0x7A.
That is for a Setup Utility where EFI boot is 0x7E; for others with EFI boot at 0x79 it could be 0x75.

Unlocking the Setup menu and enabling/disabling EFI Boot has no real result on the modules.
Dumping modules from RAM under these two conditions reveals that they are almost identical; sometimes a few differences appear, but they appear under different conditions too.
To be more clear: with EFI disabled in setup, a few consecutive boots and dumps, a few differences.
With EFI enabled in setup, nothing new changes; if something was different, it was already different in other cases when EFI was disabled.

I have experimented with some extreme mods, since I can reprogram the BIOS chip externally.
Many modules have one blank, free area, maybe left over from debug or the initial build; using LordPE, change the properties for this section from what they are to E0000020,
and here you can insert your code. Tested by me for DxeMain and BDS and works fine.
[Image: jgt7q8.jpg]
One note: don't use calls but jumps; calls modify something about the stack and break the chain.
Second note: for the area where you want to save something, fill it with something, FF for example; otherwise you'll see 00 and that may trick you into thinking the saved value was 00 when in fact nothing was done.
That way you can find from where a function was called, save context and registers, count how many times a function was called, etc.
I said something wrong in one of my posts, that one function was called 101 times; it was a mistake, wrote a byte and read a word, but for a beginner it is an excuse.

Now I need to take a look at the dependencies of each module; some were not loaded until replaced with others from Acer, and I replaced only those that were not loaded: DiskIo, Fat ...
@Donovan
Give some more info about the broken motherboard, post a macro photo of the area with the missing pad; maybe we can find the schematic and board layout and the board can be recovered.
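The value E0000020 from post #7 decodes to a section that is code, executable, readable and writable at once. As an added example (not code from the thread), this Python code reads the section table of a PE32/PE32+ image and reports sections that are both writable and executable, one way to spot a module whose section flags were edited; the sample image and the section name `.pad` are constructed, and TE-format images are not handled.

```python
import struct

# Section characteristics bits from the PE/COFF specification.
FLAGS = {0x00000020: "CNT_CODE", 0x20000000: "MEM_EXECUTE",
         0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE"}
WRITE_EXEC = 0x80000000 | 0x20000000

def decode_characteristics(value):
    """Names of the code/permission bits set in a Characteristics field."""
    return [name for bit, name in FLAGS.items() if value & bit]

def sections(image):
    """Return [(name, characteristics)] from a PE32/PE32+ section table."""
    if image[:2] != b"MZ" or len(image) < 0x40:
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]       # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    count = struct.unpack_from("<H", image, pe + 6)[0]  # NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    table = pe + 24 + opt_size   # signature + COFF header + optional header
    if table + 40 * count > len(image):
        raise ValueError("truncated section table")
    out = []
    for off in range(table, table + 40 * count, 40):
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        out.append((name, struct.unpack_from("<I", image, off + 36)[0]))
    return out

def writable_executable(image):
    """Sections mapped both writable and executable."""
    return [(n, c) for n, c in sections(image) if (c & WRITE_EXEC) == WRITE_EXEC]

def build_sample(entries):
    """Constructed header-only image: DOS header, COFF header, section table."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, len(entries), 0, 0, 0, 0, 0)
    table = b"".join(n.ljust(8, b"\0") + struct.pack("<6IHHI", *[0] * 8, c)
                     for n, c in entries)
    return dos + b"PE\0\0" + coff + table

# Constructed sample: ".pad" stands for a spare section set to E0000020.
SAMPLE = build_sample([(b".text", 0x60000020), (b".data", 0xC0000040),
                       (b".pad", 0xE0000020)])
print(writable_executable(SAMPLE))
```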
#8
Removing the dependencies for DiskIo, Fat and Partition, I moved one step forward.
The depex was opcode 02, that is a push of one GUID; searching for this, I only found it in the BDS module, I don't have enough time to dig more.
No module with that GUID, so maybe it is some internal function; BDS has this with Install protocol interface.

At this moment all conditions are met: the number of available partitions is OK; offset 7Eh, where it checks if EFI is enabled, is 0 as it should be; all conditions for the BDS flowchart to check for BootX64.efi and Bootmgfw.efi are OK, but still nothing new is listed as available EFI boot.
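Post #8 describes a dependency expression made of opcode 02 (PUSH) followed by one GUID. As an added example (not code from the thread), this Python code decodes a DXE DEPEX section body using the opcode values from the UEFI Platform Initialization specification and evaluates it against a set of installed protocol GUIDs, which shows why a driver whose pushed GUID is never installed is not dispatched; the GUIDs and DEPEX bytes are constructed, not taken from the HP image.

```python
import uuid

# Opcodes of a DXE dependency expression (UEFI Platform Initialization spec).
OPS = {0x00: "BEFORE", 0x01: "AFTER", 0x02: "PUSH", 0x03: "AND", 0x04: "OR",
       0x05: "NOT", 0x06: "TRUE", 0x07: "FALSE", 0x08: "END", 0x09: "SOR"}

def decode_depex(data):
    """Decode a DEPEX body into [(mnemonic, guid_or_None)], ending at END."""
    ops, pos = [], 0
    while pos < len(data):
        op, pos = data[pos], pos + 1
        if op not in OPS:
            raise ValueError(f"unknown opcode {op:#04x} at offset {pos - 1}")
        guid = None
        if op <= 0x02:                  # BEFORE, AFTER and PUSH carry a GUID
            if pos + 16 > len(data):
                raise ValueError("truncated GUID operand")
            guid, pos = uuid.UUID(bytes_le=data[pos:pos + 16]), pos + 16
        ops.append((OPS[op], guid))
        if op == 0x08:
            return ops
    raise ValueError("missing END opcode")

def evaluate(ops, installed):
    """Evaluate the postfix expression; SOR only affects scheduling, skipped."""
    stack = []
    for name, guid in ops:
        if name in ("BEFORE", "AFTER"):
            raise ValueError("ordering dependency, not a boolean expression")
        if name == "PUSH":
            stack.append(guid in installed)   # true once the protocol exists
        elif name in ("TRUE", "FALSE"):
            stack.append(name == "TRUE")
        elif name == "NOT":
            stack.append(not stack.pop())
        elif name in ("AND", "OR"):
            b, a = stack.pop(), stack.pop()
            stack.append((a and b) if name == "AND" else (a or b))
        elif name == "END":
            return stack.pop()

def missing(ops, installed):  # pushed GUIDs that no driver has installed
    return [g for name, g in ops if name == "PUSH" and g not in installed]

# Constructed GUIDs and DEPEX bodies, not taken from the HP image.
GUID_A, GUID_B = uuid.UUID(int=0xA), uuid.UUID(int=0xB)
SINGLE = b"\x02" + GUID_A.bytes_le + b"\x08"               # PUSH A, END
BOTH = b"\x02" + GUID_A.bytes_le + b"\x02" + GUID_B.bytes_le + b"\x03\x08"
```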
#9
I found one function that, if skipped or if from inside it I jump unconditionally to the end, then EFI devices are listed in BIOS and on F9 press. From BIOS I can change the boot order for EFI and it works; EFI first works too.
But same problem: except the shell nothing works, Windows and Linux hang with a black screen.

Could be a problem with video.
All that seems strange is that at the ver command from the shell, in place of the vendor I have some gray bars.
In the system table the offset for this info is the same as in F2, but in F2 mode at that offset is Insyde Corp., while in normal boot there is some data, and since the string must be 0-terminated the result is some gray bars. Directing the output of the command to a text file, I can see raw data instead of gray bars.
I used the mm command to rewrite the memory locations; the result was only a cosmetic one, the ver command looks fine afterwards but it still hangs.
Anyway, I didn't expect that to work, it was just a try.

Looking at other BDS modules I can't find something similar to that function.
By the flowchart of function calls, some others have something related to console, others to video, UgaDraw if I remember right.

Recommend me something to test what is wrong.
#10
That is part of the function I talked about in the previous message.
[Image: ka0l0k.jpg]
The normal execution path goes to loc_180006245: then to loc_1800062DC:
By replacing the jnz right before loc_180006245: with jmp, or by replacing the call to this function with nop, I get the available EFI devices listed in the BIOS setup menu; disks with a GPT partition are listed as available devices (the original BIOS just ignores any GPT disks).
The order of EFI devices can be changed and as a result I can change what to boot from.
Still a problem: only the EFI shell works fine.

Code:
mov rax, cs:gBootServices
lea r8, [rsp+98h+arg_10] ; void **      ; that is 0
lea rcx, gFileSetuputilityGuid ; EFI_GUID *
xor edx, edx ; void *
call [rax+EFI_BOOT_SERVICES.LocateProtocol]
test rax, rax                           ; that is 0 too
js short loc_1800062DC

I think the problem is here.