EFI boot on my HP

[gabiz_ro]

Almost done with enabling EFI on my G62 laptop.

F9 boot menu


Here is EFI Shell from USB (internal works too)


Just by mistake I discovered this.
(works only this way, boot to shell from USB,maybe works with internal too,type exit, shel quits and get reloaded,type exit again and here is it menu)







But I encountered one problem,if I boot from USB stick,GPT and with win7 setup after loading files (white progree bar) and "starting windows message" laptop hangs with black screen.
Same stick loaded manual from shell launched with F2 (instead of System Diagnostics) pass this step and show welcome message with menu to choose language ...

Could this be a problem of some drivers missing?
I take a look at drivers loaded by internal EFI shell and at what loaded shell in F2 mode, in one case is one more loaded , Ps2Mouse but I don't think that is problem.
Or something is not quite right

And under BIOS EFI boot menu nothing is listed in normal mode.
I see on other modules that a list is created but on this HP one that part of function doesn't exist.And no place to insert it,and to resize module and remake all addressing manual,is a hard job.Or maybe I can insert it at the end,I remember read somewhere that you can add sections to PE files.

So what remain to solve is that hang and devices listed in BIOS.
But is possible that if disk is GPT even is not listed in BIOS,and no other bootable device connected, then will boot from internal disk.Need to test that.

[gabiz_ro]

Installed Win7 x64 in EFI mode
Power on laptop and get some message
Remove disks or other media
Press any key to restart
No bootable device ...


Reset or power off and on again,pressing F9 show detected
Windows Boot Manager in Boot Option Menu choosing this one start loading windows then hangs with black screen.

Even in safe mode,last thing that I see is loading is disk sys driver.If i try to log startup nothing is added to log file for that session.For normal startup after disk.sys is some acpi or pnp driver loaded,at least that is logged to boot log file.

But if I press F2 during startup then EFI shell is launched from USB (replaced and renamed shell to CryptRSA),now if I load windows boot manager windows start and works fine.

In BIOS setup,normal under EFI boot nothing is listed but if I access first boot menu,F9 then decide not to choose boot device but to enter setup F10 then under EFI boot menu are listed available EFI devices and can be changed with F5 F6

Maybe BIOS is not entire switched to EFI and still work in legacy mode.
I remember that after that trick with exit and get reloaded efi shell and get access to that menu no legacy device was listed as available for boot,only that long names of attached USB and internal efi shell was listed and no hard disk and cdrom that are listed in normal mode.

In setup utility
- EFI enable disable works,if I disable I get no EFI devices or internal efi shell as boot option
- EFI device first (that is added by me) works as listing in F9 boot menu are changed according to that setting.

Now I think that problem could be from DxePlatform or StartupMenu.
If I can change what is executed in normal mode with what is executed when F2 is pressed,except last part when CryptRSa is loaded,then laptop will be started in EFI mode.
But I can't figure out where is that code insyde StartupMenu

Here is StartupMenu disassembly,maybe someone could help to identify which is normal execution flow and which path follow when F2 is pressed.

[gabiz_ro]

Except HP mini 311 that is 32bit and very different,did anyone find any HP that could be EFI enabled after unlocking menus?

[gabiz_ro]

Still working on that.
After some code inject to read some values I reach at point where I found why EFI boot is bypassed.
At
loc_180002E26:
is a check for rsp+70h (ida interpret this as [rsp+D8h+var_68]) offset, if empty jump over looking for BootX64.efi and Windows boot manager.
Can see at
loc_180002DB9:
That [rsp+D8h+var_68] = 9B41EFBBh
and become 0 after EFI_BOOT_SERVICES.LocateHandleBuffer for EfiSimpleFileSystemProtocol
At [rsp+D8h+var_68] must be found number of partition detected.

How can I query,test or reinitialize EfiSimpleFileSystemProtocol ?

[BDMaster]

Still working on that.
After some code inject to read some values I reach at point where I found why EFI boot is bypassed.
At
loc_180002E26:
is a check for rsp+70h (ida interpret this as [rsp+D8h+var_68]) offset, if empty jump over looking for BootX64.efi and Windows boot manager.
Can see at
loc_180002DB9:
That [rsp+D8h+var_68] = 9B41EFBBh
and become 0 after EFI_BOOT_SERVICES.LocateHandleBuffer for EfiSimpleFileSystemProtocol
At [rsp+D8h+var_68] must be found number of partition detected.

How can I query,test or reinitialize EfiSimpleFileSystemProtocol ?

You are doing a good job friend !!!
Many Thanks for your efforts, It will be clarify many things !
Continue, please We are following your discoveries !
Regards

[donovan6000]

Which variable offset did you use when adding EFI device first option to your setup utility?

[gabiz_ro]

It was a modified Setup Utility,that option don't exist on original.
But seems to work since have effect, at least on F9 with modified BDS.
I remember I post some screenshot here,variable was 0x7A
That is for Setup Utility where EFI boot is 0x7E for others with EFI boot on 0x79 could be 0x75

Unlocking Setup menu and enabling-disabling EFI Boot have no real result on modules.
Dumping modules from RAM under these two conditions reveal that they are almost identical,sometimes appears few differencies but apperas too on different conditions.
To be more clear,in setup EFI disabled,few consecutive boot and dump,few differences.
EFI enabled in setup,no anything new change,if something was different was already different in other cases when EFI was disabed,

I have experimented with some extreme mod,since I can reprogram BIOS chip external.
Many modules have one blank,free area,maybe left over from debug or initial build, using LordPE change properties for this section from what is to E0000020
and here you can insert your code.Tested by me for DxeMain and BDS and works fine.

One note, don't use calls but jumps,calls modify something about stack and broke chain.
Second note,for area where you want to save something fill it with something FF by example,otherwise you'll see 00 and that may trick you that saved value was 00 but in fact nothing was done.
That you can find from where one function was called,save context,registers,count how many times a function was called etc
I say something wrong in one of my post,that one function was called 101 times,was mistake,write byte and read word,but for beginner is a excuse

Now I need to take a look at dependency for each modules,some was not loaded until replaced with others from Acer and I replaced only that was not loaded.DiskIo,Fat ...
@Donovan
Give some more info about broken motherboard,post a macro photo of area with pad missing,maybe can find schematic and board layout and board can be recovered.

[gabiz_ro]

Removing dependencies for DiskIo,Fat and Partition I moved one step forward.
Depex was opcode 02 that is a push for one GUID,at a search for this,only found in BDS module,don't have enough time to digg more.
No module with that GUID,so maybe is some internal function,BDS have this with Install protocol interface

At this moment,all conditions are meet,number of available partition is OK offset 7Eh where check if EFI enabled,is 0 as it should be,all conditions for BDS flowchart to check for BootX64.efi and Bootmgfw.efi are OK but still no new thing listed as available EFI boot.

[gabiz_ro]

I found one function that if skipped or from inside jump unconditional to end then EFI devices are listed in BIOS and on F9 press.From BIOS I can change order of boot for EFI and works,EFI first works too.
But same problem,except shell nothing works,windows and linux hang with black screen.

Could be a problem with video.
All that seems strange is that at ver command from shell in place of vendor I have same gray bars.
In system table offset for this info is same as in F2 but in F2 mode at that offset is Insyde Corp. but in normal boot have some data and since string must be 0 ended result is some gray bars.Directing output of command to text file I can see raw data instead of gray bars.
I use mm command to rewrite memory locations result was only cosmetic one, ver command looks fine after but still hangs.
Anyway didn't expect to work that,was just a try.

Looking on others BDS I can't find something similar to that function.
By flowchart of functions calls some others have something related to console,others with video,ugadraw if i remember right.

Recommend me something to test what is wrong

[gabiz_ro]

That is part of function I talk in previous message.

Normal execution path go to loc_180006245: then to loc_1800062DC:
Replacing jnz right before loc_180006245: with jmp or by replacing call to this function with nop I get available EFI devices listed in BIOS setup menu,disks with GPT partition are listed as available devices (original BIOS just ignore any GPT disks).
Order of EFI devices can be changed and as result I can change from what to boot.
Still problem,only EFI shell works fine.

Code:

mov rax, cs:gBootServices
lea r8, [rsp+98h+arg_10] ; void **      ; that is 0
lea rcx, gFileSetuputilityGuid ; EFI_GUID *
xor edx, edx ; void *
call [rax+EFI_BOOT_SERVICES.LocateProtocol]
test rax, rax                           ; that is 0 too
js short loc_1800062DC

I think here is problem.