Forum RSS Feed Follow @ Twitter Follow @ Twitter

Thread Rating:
  • 17 Vote(s) - 3.76 Average
  • 1
  • 2
  • 3
  • 4
  • 5
[READ FIRST] Access Advanced settings through EFI shell
#1
THIS TOPIC mostly for newest notebooks (2012-2013 years) ONLY with RSA signed BIOSes, when Phoenix tool can't open your rom file.

3 weeks ago, when I came to this forums I was a newbie for BIOS modding or accessing it's hidden options.

But I searched a lot of information over internet and found some smart hints.

Having a huge programming skills in disassembling and ASN.1 data reading/parsing I realized a good way to change bios settings without modding.

I have HP Pavillion dv7 7171er with Insyde H2O RSA signed bios.

I found the way how to get it decrypted but all attempts to flash modded bios with patched DLL was unsuccessful. Each time I had to recover my Laptop with Win+B restoring.

On 15th time when by laptop was bricked again I decided to disassemble Setup Menu and found where needed options for me are hidden and how to access them for changes.

So here is small part of decompiled Setup Menu.

As you can see, it is realy represent's what we see in reality.

Code:
╔════════════════════════════════════════════════════════════════════════════════════════════════════════════════════╗
║ FormSet: 'Main'                                                         GUID: a04a27f4-df00-4d42-b552-39511302113d ║
╟────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╢
║ VarStore Id: '0x1234', Size: '900', Name: 'SystemConfig'                GUID: a04a27f4-df00-4d42-b552-39511302113d ║
╚════════════════════════════════════════════════════════════════════════════════════════════════════════════════════╝
┌────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ Form Name: 'Main'                                                                                  [ ID: '0x0001' ]│
└────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
┌- Grayout IF:
|    Question [ ID: 0x08 ] == 0x02
|    Question [ ID: 0x07 ] == 0x01
|    AND expression
└- END IF Grayout;
Time: 'System Time' [ QId: '0x01', VarStoreId: '0x00', Help: '<Enter> selects field.' ]
  Default value: '00:00:00', Type: 0x05
Date: 'System Date' [ QId: '0x02', VarStoreId: '0x00', Help: '<Enter> selects field.' ]
  Default value: '2010/05/01', Type: 0x06
┌- Grayout IF:
|    EQ == TRUE
|    Text: 'Notebook Model'                 Default: '[Not Detected]'                 Help: ' '
|    Text: 'Product Number'                 Default: '[Not Detected]'                 Help: ' '
|    Text: 'System Board ID'                Default: '[Not Detected]'                 Help: ' '
|    Text: 'Born On Date'                   Default: '[Not Detected]'                 Help: ' '
|    Text: 'Processor Type'                 Default: '[Not Detected]'                 Help: ' '
|    ┌- Suppress IF:
|    |    Question [ ID: 0x06 ] == 0x00
|    |    Text: 'Processor Speed'                Default: '[Not Detected]'                 Help: ' '
|    └- END IF Suppress;
|    Text: 'Total Memory'                   Default: '[Not Detected]'                 Help: ' '
|    Text: 'BIOS Version'                   Default: 'Fake Data'                      Help: ' '
|    Text: 'BIOS Vendor'                    Default: 'Insyde'                         Help: ' '
|    Text: 'Serial Number'                  Default: '[Not Detected]'                 Help: ' '
|    Text: 'UUID Number'                    Default: '[Not Detected]'                 Help: ' '
|    Text: 'Product configuration ID'       Default: '[Not Detected]'                 Help: ' '
|    Text: 'System Board CT Number'         Default: 'C AAAA RR SS WW X X X'          Help: ' '
|    Text: 'Factory installed OS'           Default: '[Not Detected]'                 Help: ' '
|    ┌- Suppress IF:
|    |    Question [ ID: 0x05 ] == 0x00
|    |    Text: 'Primary Battery SN'             Default: 'N/A'                            Help: ' '
|    └- END IF Suppress;
|    ┌- Suppress IF:
|    |    Question [ ID: 0x04 ] == 0x00
|    |    Text: 'Secondary Battery SN'           Default: ''                               Help: ' '
|    └- END IF Suppress;
└- END IF Grayout;
Reference: 'System Log' [ ID: '0x0540' ]

┌────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ Form Name: 'System Log'                                                                            [ ID: '0x0540' ]│
└────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
Subtitle: 'System Log'
Action:                                 Help: View the system diagnostic failure results.
Text: 'Result:'                        Default: 'Time:'                          Help: 'View the system diagnostic failure results.'
┌- Grayout IF:
|    EQ == TRUE
|    Text: ' '                              Default: '- No Data -'                    Help: 'View the system diagnostic failure results.'
|    Text: ' '                              Default: '- No Data -'                    Help: 'View the system diagnostic failure results.'
|    Text: ' '                              Default: '- No Data -'                    Help: 'View the system diagnostic failure results.'
|    Text: ' '                              Default: '- No Data -'                    Help: 'View the system diagnostic failure results.'
|    Text: ' '                              Default: '- No Data -'                    Help: 'View the system diagnostic failure results.'
|    Text: ' '                              Default: '- No Data -'                    Help: 'View the system diagnostic failure results.'
|    Text: ' '                              Default: '- No Data -'                    Help: 'View the system diagnostic failure results.'
|    Text: ' '                              Default: '- No Data -'                    Help: 'View the system diagnostic failure results.'
|    Text: ' '                              Default: '- No Data -'                    Help: 'View the system diagnostic failure results.'
|    Text: ' '                              Default: '- No Data -'                    Help: 'View the system diagnostic failure results.'
|    Text: ' '                              Default: '- No Data -'                    Help: 'View the system diagnostic failure results.'
|    Text: ' '                              Default: '- No Data -'                    Help: 'View the system diagnostic failure results.'
|    Text: ' '                              Default: '- No Data -'                    Help: 'View the system diagnostic failure results.'
|    Text: ' '                              Default: '- No Data -'                    Help: 'View the system diagnostic failure results.'
|    Text: ' '                              Default: '- No Data -'                    Help: 'View the system diagnostic failure results.'
|    Text: ' '                              Default: '- No Data -'                    Help: 'View the system diagnostic failure results.'
|    Text: ' '                              Default: '- No Data -'                    Help: 'View the system diagnostic failure results.'
|    Text: ' '                              Default: '- No Data -'                    Help: 'View the system diagnostic failure results.'
|    Text: ' '                              Default: '- No Data -'                    Help: 'View the system diagnostic failure results.'
|    Text: ' '                              Default: '- No Data -'                    Help: 'View the system diagnostic failure results.'
└- END IF Grayout;

So now I need 2-3 BIOSes to proof my concept.

If you need to enable AHCI for example of change something else. please post you BIOS links here.

I will test and after 100% success I will write GUIDE and provide source code.

IMPORTANT: This is related only newest BIOSes which are not encrypted.
If it is RSA signed, you will need additional steps. I will inform you in this case.


Moderators, please pin this topic for some time.
You can always unpin in the feature.

If you want thank me - HERE IS BEST WAY TO DO IT
find
quote
#2
(05-10-2013, 01:08 PM)elyavark9 Wrote: HP DV6-7280LA
-Bios Revision : 3.7
-Bios Version: F.24
-Bios Type : Insyde EFI
I need the AHCI option, and if possible, unlock the Advanced tab c:

1. Download latest version of you BIOS which is F.26
2. Flash new BIOS
3. Take USB stick and format to FAT32
4. Create directory structure EFI\Boot
5. Download BOOTX64.EFI
6. Put downloaded file to Boot directory.
7. Restart and enter BIOS setup.
8. Make sure you have following values:
Legacy Support: Disable
Secure Boot: Disable
9. Reboot and press F9 to boot from USB stick
10. Give commands:
setup_var 0x36 0x01
setup_var 0x39 0x01

11. Reboot and you Windows should find Intel AHCI controller.
12. REPORT RESULT HERE
13. Enjoy.

Here is required information from F.26 dump
Code:
┌────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ Form Name: 'InsydeH2O Setup Utility'                                                               [ ID: '0x0023' ]│
└────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
Subtitle: 'IDE Configuration'
┌- Grayout IF:
|    Question [ ID: '0x11' ] == 0x02
|    Question [ ID: '0x10' ] == 0x01
|    AND expression
└- END IF Grayout;
Select option: 'IDE Controller'                 [ VarStore: '0x36', QuestionId: '0x1b',   Help: 'DISABLED: Disables SATA Controller. ENABLED: Enables SATA Controller.']
  Option: 'Disabled'                            [ Value: '0'   Default: 'false'    Type: 'int8'  ]
  Option: 'Enabled'                             [ Value: '1'   Default: 'true'     Type: 'int8'  ]
┌- Grayout IF:
|    Question [ ID: '0x11' ] == 0x02
|    Question [ ID: '0x10' ] == 0x01
|    AND expression
|    Question [ ID: '0x1b' ] == 0x00
|    OR expression
└- END IF Grayout;
Select option: 'HDC Configure As'               [ VarStore: '0x39', QuestionId: '0x1c',   Help: 'Set Harddisk Controller Configure Type']
  Option: 'IDE'                                 [ Value: '0'   Default: 'false'    Type: 'int8'  ]
  Option: 'AHCI'                                [ Value: '1'   Default: 'false'    Type: 'int8'  ]
  Option: 'RAID'                                [ Value: '2'   Default: 'true'     Type: 'int8'  ]

If you want thank me - HERE IS BEST WAY TO DO IT
find
quote
#3
@Falseclock Awesome! Glad you something working with RSA signed bios Smile

I was using a flashing tool a while ago called FPTW. It's an Intel tool used to dump and flash all regions of the bios chip, like ME firmware, flash descriptor, bios region, etc. I was thinking that flashing modded bios with this tool might be able to bypass any kind of RSA protection. Be careful if you use it though, It's difficult to recover if you accidentally overwrite some of the important regions.
find
quote
#4
(05-12-2013, 05:31 AM)Falseclock Wrote:
(05-10-2013, 01:08 PM)elyavark9 Wrote: HP DV6-7280LA
-Bios Revision : 3.7
-Bios Version: F.24
-Bios Type : Insyde EFI
I need the AHCI option, and if possible, unlock the Advanced tab c:

1. Download latest version of you BIOS which is F.26
2. Flash new BIOS
3. Take USB stick and format to FAT32
4. Create directory structure EFI\Boot
5. Download BOOTX64.EFI
6. Put downloaded file to Boot directory.
7. Restart and enter BIOS setup.
8. Make sure you have following values:
Legacy Support: Disable
Secure Boot: Disable
9. Reboot and press F9 to boot from USB stick
10. Give commands:
setup_var 0x36 0x01
setup_var 0x39 0x01

11. Reboot and you Windows should find Intel AHCI controller.
12. REPORT RESULT HERE
13. Enjoy.

Here is required information from F.26 dump
Code:
┌────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ Form Name: 'InsydeH2O Setup Utility'                                                               [ ID: '0x0023' ]│
└────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
Subtitle: 'IDE Configuration'
┌- Grayout IF:
|    Question [ ID: '0x11' ] == 0x02
|    Question [ ID: '0x10' ] == 0x01
|    AND expression
└- END IF Grayout;
Select option: 'IDE Controller'                 [ VarStore: '0x36', QuestionId: '0x1b',   Help: 'DISABLED: Disables SATA Controller. ENABLED: Enables SATA Controller.']
  Option: 'Disabled'                            [ Value: '0'   Default: 'false'    Type: 'int8'  ]
  Option: 'Enabled'                             [ Value: '1'   Default: 'true'     Type: 'int8'  ]
┌- Grayout IF:
|    Question [ ID: '0x11' ] == 0x02
|    Question [ ID: '0x10' ] == 0x01
|    AND expression
|    Question [ ID: '0x1b' ] == 0x00
|    OR expression
└- END IF Grayout;
Select option: 'HDC Configure As'               [ VarStore: '0x39', QuestionId: '0x1c',   Help: 'Set Harddisk Controller Configure Type']
  Option: 'IDE'                                 [ Value: '0'   Default: 'false'    Type: 'int8'  ]
  Option: 'AHCI'                                [ Value: '1'   Default: 'false'    Type: 'int8'  ]
  Option: 'RAID'                                [ Value: '2'   Default: 'true'     Type: 'int8'  ]

Hi, first of all, I want to thank you for your help, you are a genius! Big Grin
This method if it worked, I first scared by that team it takes a few seconds to come on but after all work correctly, an important point is that I had to reinstall Windows to make it recognize the driver already had installed the SATA RAID... thank you very much, here I leave you a screenshot of the new AHCI driver c:

[Image: 968988_10201273718310809_391729879_n.jpg]

Thank you very much, sorry for my English, I'm from chile, I what you say, YOU ARE A GENIUS!!! Big Grin
find
quote
#5
(05-12-2013, 03:46 PM)donovan6000 Wrote: @Falseclock Awesome! Glad you something working with RSA signed bios Smile

I was using a flashing tool a while ago called FPTW.

can you please share detailed experience? How you patched, what you flashed, etc.

(05-12-2013, 08:21 PM)elyavark9 Wrote: Thank you very much, sorry for my English, I'm from chile, I what you say, YOU ARE A GENIUS!!! Big Grin
You are welcome Cool
I'm a little bit newbie and do not understand purpose of AHCI. Angel What is the advantage?
As far as I know people want AHCI because want to install Mac OS. Is it your case?

If you want thank me - HERE IS BEST WAY TO DO IT
find
quote
#6
Found these tool while searching for a way to overclock with software. Here's some good info on it here:

http://forum.techinferno.com/general-not...ptops.html

So get the version that's made for you chipset and read through the documentation so you can better understand the capabilities of these tools. It might be worth a shot to see if they can makde RSA bios work.

So here's how you dump your bios:

fptw64.exe -d bios.bin -bios

Then do something simple like change the splash screen logo, and here's how to flash them.

fptw64.exe -f bios.bin -bios

When I extracted my bios with this tool they were only 1.5 Mb, and the ones extracted from HP's update were 4.5 Mb. After opening them up in phonenix tool, I could see that they all had the same modules at the same sizes. I guess Insyde's flash utility just compresses them before flashing?

I've never actually flashed my bios using this tool, so be careful. You might want to try it on a donor computer first. I think fptw even has a way to verify your flash, so there's extra peace of mind. I don't think the bios region has the code responsible for Win+B, so you should still be able to recover with that method incase anything really bad happens.

Also have you been able to flash modded bios with Insyde's flash utility? What happens when your cmputer starts up after flashing? I don't have any expirence with RSA bios so I'm wondering about where other's have given up. And can you open your unencrypter bios with phoenix tool?
find
quote
#7
(05-13-2013, 01:06 AM)donovan6000 Wrote: Also have you been able to flash modded bios with Insyde's flash utility? What happens when your cmputer starts up after flashing? I don't have any expirence with RSA bios so I'm wondering about where other's have given up. And can you open your unencrypter bios with phoenix tool?

Yes, I patched InsydeFlash utility v4.2.9 which skips signature check.
It flashes successfully, but after boot just black screen and nothing.
I tried to flash stock ROM with patched utility - it always successfull.
But even I change 1 byte - it goes bricked.

So it seems HP implemented some new security checking.

And yes, I can open decrypted bios with phoenix tool.

If you want thank me - HERE IS BEST WAY TO DO IT
find
quote
#8
Inside phoenix tool's directory there is a tool called hewprsa.exe that can sign bios using a specified .sig file. Try applying the .sig file your using to recover to your modded bios. Maybe that'll work?
find
quote
#9
HP g6-2158sr
Insyde H20
Bios version: F.24
Bios type: Insyde EFI

I need to disable a Intel integrated graphics.. I need to ONLY my discrete videocard, it's possible?

Link: http://ftp.hp.com/pub/softpaq/sp60501-61000/sp60587.exe
find
quote
#10
(05-15-2013, 07:11 AM)Slbomber Wrote: HP g6-2158sr
Insyde H20
Bios version: F.24
Bios type: Insyde EFI

I need to disable a Intel integrated graphics.. I need to ONLY my discrete videocard, it's possible?

Link: http://ftp.hp.com/pub/softpaq/sp60501-61000/sp60587.exe

1. Take this BIOS.
2. Unpack with any unzip software
3. Find platform.ini
4. Edit following lines in it
Code:
[BackupROM]
Flag=1
FilePath=c:
FileName=0183AF24.BIN
5. Flash the same BIOS again with modified platform.ini
6. After reboot you will find dumped current BIOS on C drive
7. Upload dump somewhere and give download link

(05-15-2013, 07:11 AM)Slbomber Wrote: I need to disable a Intel integrated graphics.. I need to ONLY my discrete videocard, it's possible?
Theoretically it is possible, but nobody can guaranty notebook will startup without internal VIDEO, even if such option is exist in the BIOS. If black screen is happen, you can take out BIOS battery to erase VSS memory and return default options. Anyway you have to create UEFI bios recovery USB stick and test it before changing any options. This is my advice.

You should understand, possible behavior - is forever brick.
I had such experience when was enabling "disabled by default" such devices like USB, SATA, LAN

But never tested VIDEO

If you want thank me - HERE IS BEST WAY TO DO IT
find
quote


Forum Jump:


Users browsing this thread: 1 Guest(s)
Expand chat
Expand chat
Expand chat

To join us in the community live chat, please register or log-in