[REQUEST] HP Pavilion dv6-3026er (BIOS F.29, InsydeH2O) — Unlock Advanced Menu

[Rompass]

System: HP Pavilion dv6-3026er
BIOS Vendor: InsydeH2O
BIOS Version: F.29 (11/07/2011)
BIOS Dump Size: 0x00280000–0x003FFFFF (1.5MB region)
CPU: Intel® Core™ i7 M 620 @ 2.67GHz
OS Used: Lubuntu 25.04 (x86_64)
Flash Tool Used: flashrom 1.4.0

CMOS access: I/O port dump (range 0x00–0xFF); real size unknown
IFR Extracted: using ifrextractor
I’m requesting help unlocking the Advanced tab in the BIOS setup of my HP Pavilion dv6-3026er laptop. The system uses an InsydeH2O BIOS (version F.29), and I’ve confirmed from the IFR that the Advanced formset exists, but is suppressed under the condition:

Code:

Suppress If:
  Variable 0x85 != 0x2
  AND
  Variable 0x86 != 0x1

This likely checks for "Supervisor-level access" and authentication, but my BIOS UI has no visible Supervisor password option, and attempts using Administrator/User passwords have not enabled the menu.
I would like to unlock this menu with minimal risk, preferably through CMOS or other soft methods. If a patched BIOS is the only option, I’m comfortable flashing only the BIOS region.
System & Flash Details

Code:

❯ sudo flashrom -p internal
Chipset: Intel HM55
Flash Chip: Eon EN25F32 (4MB SPI)
FREG0: Flash Descriptor region — read-only
FREG1: BIOS region (0x00280000-0x003FFFFF) — read-write
FREG2: Intel ME region — locked
❯ sudo flashrom -p internal --ifd -i bios -r bios_dump.bin
BIOS dump (4MB) extracted successfully, but with FF or 00 on the beginning.

Boot Mode: Legacy-only (UEFI present internally but not supported by firmware loader)
No UEFI shell available
Dumped only the first 256 bytes, which may not cover full CMOS. Some values appear duplicated (possibly mirrors or mapped copies), and others change dynamically.

Code:

Example CMOS diff (reboot only):
0x40: 0x0B → 0x0C
0x70: 0x29 → 0x55
0x8C: 0x00 → 0x40
0xF0: 0x29 → 0x55

Despite multiple tests, I couldn’t identify values matching Var 0x85 or 0x86, suggesting those may be stored in NVRAM or protected storage. The CMOS changes appear to reflect dynamic status, boot state, or other feature flags.
Attached Files:
bios_dump.bin in zip:
  bios_dump.zip (Size: 1.18 MB / Downloads: 1)  — BIOS region dump (via flashrom --ifd -i bios)
setup_ifr.txt:
  setup_ifr.txt (Size: 192.45 KB / Downloads: 1)  — IFR extracted from SetupUtility
cmos_boot_second.txt:
  cmos_boot_second.txt (Size: 3.59 KB / Downloads: 1)  — CMOS snapshot (256-byte I/O dump)
If possible, a non-invasive unlock method using CMOS flags, key combos (e.g. F10+A), or known mappings
If not, a patched BIOS image with Suppress If
condition bypassed — only affecting the BIOS region, not Intel ME/GbE/EC
(Hardware SPI flasher is available, ch341a)
I'd really appreciate any help with this. Have a great day, everyone!