Experiment: Modding HP bios to get UEFI boot support

Discussion in 'BIOS Mods' started by Tito, Jul 1, 2014.

  1. Tito

    Tito Super Mod / Adviser
    Staff Member

    Nov 30, 2009
    17,211
    14,768
    340
    #1 Tito, Jul 1, 2014
    Last edited by a moderator: Apr 20, 2017
    First of all, I'm still a novice bios-modder who learns every day. Thanks to all of the bios-modders here, especially donovan6000 & BDMaster. Their tools & guides help me a lot in this case.

    It's a lazy cloudy day & my buddy has discovered his old laptop from the attic. After a little fixing, it is good to go (except the overheating issue of the video card). The model is HP G62-361TX; one of the rarest series whose bioses are RSA signed yet modding is possible. I have brainwashed my buddy & he allowed me to tinker with it.

    My preliminary interest was in SLIC modding but later I was attracted to the unlocking thingy. It comes with Windows 7, so SLIC mod isn't necessary. So what did we achieve at the end of the day??

    1. Inspired by this post, EFI shell is working:

    [​IMG]

    2. I go further & have booted rEFInd:

    [​IMG]

    3. Ubuntu is booted using UEFI mode through rEFInd but stayed at the loading screen when I try to start it as live:

    [​IMG]
    [​IMG]

    4. Windows is booted using UEFI mode through rEFInd with some graphical glitches (there are three loading circles & the Windows logo looks like it exploded ~ lack of GOP driver?):

    [​IMG]

    Latest bios for this model is F.37 (sp52604). System Board ID is 1426 so 1425F37.fd is the bios for it. The modding process is simple:

    1. Unpack the bios using Phoenix Tool & allow user to modify modules in DUMP with NO SLIC method.
    2. Get the SHA-1 of CryptRSA.efi from HP System Diagnostics UEFI which is 6332436A0AD4694DB2D0A5E0C04B2EBE7A235AE2
    3. Search for the string in the DUMP folder using XSearch (thanks conghoaxa1 for the recommendation). C783CC01-82AE-48A2-A5FF-54C5B3A0E04D_1_671.ROM contains it so modify it with your desired *.efi's SHA-1.
    4. Reintegrate the module & flash the bios.
    5. Rename your desired *.efi to CryptRSA.efi & place it in a FAT32 formatted pendrive in the following folder structure:
    Code:
    X:\Hewlett-Packard\SystemDiags
    The label of the pendrive should be "HP_TOOLS" (w/o the quotes).
    6. Plug it in, start the laptop & press F2 ~ voila!!

    My next target is to avoid the pendrive & place CryptRSA.efi in the separate HP_TOOLS partition of the HDD.

    The next goal is much more complicated. I have located the SetupUtility module (GUID: FE3542FE-C1D3-4EF8-657C-8048606FF670) using CodeRush's UEFITool. After parsing it with Universal IFR Extractor, I have got lots of interesting data:
    Code:
    
    
                                       Form Sets
    --------------------------------------------------------------------------------
    Offset:        Title:
    --------------------------------------------------------------------------------
    0x7C4F0        Main (0x1E from string package 0x0)
    0x7C870        Exit (0x2B1 from string package 0x0)
    0x7C920        System Configuration (0x3C8 from string package 0x0)
    0x7CFB0        Diagnostics (0x386 from string package 0x0)
    0x7D020        Security (0x1EE from string package 0x0)
    0x7D120        Power (0x234 from string package 0x0)
    0x7D600        Advanced (0x22 from string package 0x0)
    
    Code:
    0x7C959             Setting: UEFI Boot, Variable: 0x7E[1] {05 09 7E 00 01 09 00 0A 00}
    0x7C962                 Option: Enabled, Value: 0x0 {09 09 BB 03 00 00 01 00 00}
    0x7C96B                 Option: Disabled, Value: 0x1 {09 09 BA 03 01 00 00 00 00}
    0x7C974             End of Options {10 02}
    
    So it contains the code for UEFI Booting, but HP somehow crippled it. Do we need UEFI support modules from other bioses/UEFIs?? Will integrating them enable UEFI booting?? Lots of questions - still unknown to me.

    I know this kind of modding can easily be done by some modders but I like to show some kind of 'discover it yourself' guide.

    BDMaster is working with CodeRush to generalize the process of menu unlocking like we have in case of SLIC modding (SSV2, SSV3, Dynamic etc.). donovan6000 is trying to find a way to tinker with (yet) unmoddable HP RSA signed bioses. BIOS-Mods.com delivers some pretty good modding examples.

    So let's start a community effort to break the wall!!


    P.S - Sorry for the horrible quality of the snapshots. ;)
     
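The `{...}` byte runs in the Universal IFR Extractor dump in the post above are raw form opcodes. The following is an added example, not part of the original post: it decodes those bytes assuming the EFI 1.10 (Framework HII) opcode layout, which the 05/09/10 opcodes and 9-byte lengths in the dump match. The names `walk_opcodes` and `decode_one_of` are hypothetical.

```python
import struct

# Framework (EFI 1.10) IFR opcode numbers; assumed layout, chosen because
# it matches the opcodes and lengths in the dump quoted in the post.
ONE_OF, ONE_OF_OPTION, END_ONE_OF = 0x05, 0x09, 0x10
FLAG_DEFAULT = 0x01  # option flag bit marking the default choice

# The four opcode byte runs quoted in the post, concatenated.
SAMPLE = bytes.fromhex(
    "05 09 7E 00 01 09 00 0A 00"
    "09 09 BB 03 00 00 01 00 00"
    "09 09 BA 03 01 00 00 00 00"
    "10 02"
)


def walk_opcodes(buf):
    """Yield (offset, opcode, body); every opcode starts with opcode + length."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError(f"truncated opcode header at {pos:#x}")
        op, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError(f"bad opcode length {length} at {pos:#x}")
        yield pos, op, buf[pos + 2:pos + length]
        pos += length


def decode_one_of(buf):
    """Return each one-of setting with its variable offset, options and default."""
    settings, cur = [], None
    for off, op, body in walk_opcodes(buf):
        if op in (ONE_OF, ONE_OF_OPTION) and len(body) != 7:
            raise ValueError(f"unexpected body size at {off:#x}")
        if op == ONE_OF:
            var_offset, width, _prompt, _help = struct.unpack("<HBHH", body)
            cur = {"var_offset": var_offset, "width": width, "options": []}
        elif op == ONE_OF_OPTION and cur is not None:
            string_id, value, flags, _key = struct.unpack("<HHBH", body)
            cur["options"].append({"string_id": string_id, "value": value,
                                   "default": bool(flags & FLAG_DEFAULT)})
        elif op == END_ONE_OF and cur is not None:
            settings.append(cur)
            cur = None
    if cur is not None:
        raise ValueError("one-of block has no end opcode")
    return settings


if __name__ == "__main__":
    for s in decode_one_of(SAMPLE):
        print(f"variable offset {s['var_offset']:#x}, width {s['width']}")
        for o in s["options"]:
            print(f"  string {o['string_id']:#x} value {o['value']}"
                  f"{' (default)' if o['default'] else ''}")
```

Under this layout the flags byte marks the option with value 0x0, the one the dump labels Enabled, as the default for the byte at offset 0x7E of the setup variable.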
  2. Tito

    Tito Super Mod / Adviser
    Staff Member

    Nov 30, 2009
    17,211
    14,768
    340
    Reserved for future :D
     
  3. Flipp3r

    Flipp3r MDL Expert

    Feb 11, 2009
    1,473
    626
    60
    I have an MSI CX720 notebook that I used to experiment with installs. Once UEFI became popular I had a look to see if this model could do it.
    There were no options in bios so I loaded it up into AMIBCP. It had reference to UEFI so I enabled it. Flashed ok.
    Turning on that function crippled it. Could not get back into bios. Boot menu F11 key did not work. It would try to boot hdd but blue-screen.
    Eventually I emailed MSI about bios recovery. It ended up getting sent back to them & they replaced the motherboard! It was well out of warranty & totally my fault.
    I was surprised but thankful. I still have this notebook & use it for integrating/updating wims...

    So, just be careful with your mods... & Good luck!
     
  4. Tito

    Tito Super Mod / Adviser
    Staff Member

    Nov 30, 2009
    17,211
    14,768
    340
    Winkey + B is my weapon ;)
     
  5. donovan6000

    donovan6000 MDL Novice

    Dec 29, 2010
    33
    13
    0
    #5 donovan6000, Jul 2, 2014
    Last edited: Jul 2, 2014
    Nice post :D

    Also I'd like to mention that replacing the SHA1 hash can interfere with the crisis recovery since the process uses CryptRSA.efi to verify and launch HpBiosUpdate.efi. So be careful everyone! :p

    And big thanks to zuvieltext! Even though he doesn't know it, he inspired me to try out changing the SHA1 hash to launch different EFI applications.
     
  6. gabiz_ro

    gabiz_ro MDL Member

    Feb 2, 2010
    170
    12
    10
    Same case but different board.
    G62 A70SQ board 1439 Intel cpu
    Since I saw Donovan's post on the blog about the method to substitute CryptRSA and change the SHA1 checksum in the module, I have used it, and maybe I'm lucky, but I never encountered problems in recovery, except when altering the BDS module too much.
    In my case I have some useless BluetoothHID function in the BDS module.
    Just delete the reference to it and insert other code that saves some registers to see why UEFI boot isn't available.
    Since my knowledge of programming is low, it is a hard task for me.
    Using this and dumps from RAM I can say that EFI boot options aren't present because there is a check for rsp+70h, and if it is 0 the entire area of code that searches for bootx64.efi and/or bootmgfw.efi is bypassed.
    [​IMG]

    Also note that in normal mode, at least in my case, GPT disks are ignored by the boot options. Somehow there is a check, to be more clear.

    Attached USB pen drive MBR style press F9 on startup
    device listed
    -Internal HDD
    -Optical unit
    -USB pen drive

    Attached USB pen drive GPT style press F9 on startup
    device listed
    -Internal HDD
    -Optical unit

    Why GPT disk isn't even listed?
     
  7. CodeRush

    CodeRush MDL Member

    Jun 20, 2011
    219
    646
    10
    GPT drives have no MBR code, so they will normally be listed in the Boot Device Selection screen only if they have a FAT32 partition with /EFI/BOOT/bootx64.efi on it. If UEFI boot is implemented and not disabled, the file will be found and shown as "UEFI:DriveName".
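The distinction in the reply above can be checked on a raw image of the pen drive. This is an added example, not code from the thread: it reports whether an image is MBR or GPT partitioned and whether it carries an EFI System Partition entry. Function names are hypothetical, 512-byte sectors are assumed, and it does not open the FAT32 volume or look for /EFI/BOOT/bootx64.efi.

```python
import struct
import uuid

SECTOR = 512  # assumed logical sector size
ESP_TYPE = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")  # EFI System Partition


def classify_disk(img):
    """Return (scheme, has_esp) for a raw disk image given as bytes."""
    if len(img) < SECTOR or img[510:512] != b"\x55\xaa":
        return "unknown", False
    # Type byte of each of the four MBR partition entries (table at offset 446).
    types = [img[446 + 16 * i + 4] for i in range(4)]
    hdr = img[SECTOR:2 * SECTOR]
    if 0xEE not in types or len(hdr) < SECTOR or hdr[:8] != b"EFI PART":
        return "mbr", 0xEF in types  # on MBR disks an ESP has type 0xEF
    # GPT header: entry array LBA at 72, entry count at 80, entry size at 84.
    entries_lba, count, size = struct.unpack_from("<QII", hdr, 72)
    if size < 128:
        return "gpt", False  # malformed header, no usable entries
    for i in range(min(count, 128)):
        off = entries_lba * SECTOR + i * size
        if off + 16 > len(img):
            break
        # Type GUIDs are stored in mixed-endian form, hence bytes_le.
        if uuid.UUID(bytes_le=img[off:off + 16]) == ESP_TYPE:
            return "gpt", True
    return "gpt", False


def build_sample(gpt):
    """Constructed image: MBR only, or protective MBR + GPT header + one ESP entry."""
    mbr = bytearray(SECTOR)
    mbr[446 + 4] = 0xEE if gpt else 0x0C  # 0xEE = protective, 0x0C = FAT32 LBA
    mbr[510:512] = b"\x55\xaa"
    if not gpt:
        return bytes(mbr)
    hdr = bytearray(SECTOR)
    hdr[:8] = b"EFI PART"
    struct.pack_into("<QII", hdr, 72, 2, 1, 128)  # entries at LBA 2, one entry
    entries = bytearray(SECTOR)
    entries[:16] = ESP_TYPE.bytes_le
    return bytes(mbr + hdr + entries)


if __name__ == "__main__":
    print(classify_disk(build_sample(gpt=False)))
    print(classify_disk(build_sample(gpt=True)))
```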
     
  8. Tito

    Tito Super Mod / Adviser
    Staff Member

    Nov 30, 2009
    17,211
    14,768
    340
    @CodeRush

    Is it possible to add Secure Boot feature or BGRT table as modules to an AMI Aptio bios from another one??
     
  9. gabiz_ro

    gabiz_ro MDL Member

    Feb 2, 2010
    170
    12
    10
    #9 gabiz_ro, Jul 7, 2014
    Last edited by a moderator: Apr 20, 2017
    After a few tests and dumps I think [rsp+0D8h+var_68] must hold the number of partitions detected, and must be checked.
    I get these values:
    2 with only the HDD connected (it has 2 partitions, Win7 System Reserved and C)
    3 with HDD and one USB pen drive
    4 with HDD and two USB pen drives.

    This is after a patch that changes jz to jmp.
    That gets the GPT disk and the available EFI boot entries listed under the F9 boot menu.

    But in normal startup, or on the initial run of this sub-function, [rsp+0D8h+var_68] is always 0
    And there is a conditional jump
    Code:
    mov     rax, [rsp+0D8h+var_68]
    xor     esi, esi
    test    rax, rax
    jz      loc_180003084
    rax being 0, it jumps over the check whether EFI is enabled in Setup and the search for \\EFI\\Microsoft\\Boot\\bootmgfw.efi or \\EFI\\BOOT\\BOOTX64.EFI

    Maybe if someone who can switch from legacy to EFI can provide some dumps from a similar HW or SW version, I will have a starting point.
    For now I can see that enabling or disabling UEFI in BIOS Setup has no real effect on the BDS module; the dumps of BDS are identical, even though I found a part of the code that checks if offset 7Eh is 0 in the Setup variable.
    So maybe what triggers BDS to be in EFI mode is in another module.
    I found offsets pointing to HiiDatabase, OemSetupBrowser, OemServicesDriver, MonitorKey and H19DxeServiceBody
     
  10. CodeRush

    CodeRush MDL Member

    Jun 20, 2011
    219
    646
    10
    @Tito, yes, but it will be very hard to implement.
    BGRT is not just an ACPI table; it must be disabled in legacy mode, so the table is generated at runtime from a BMP file. This functionality is not wrapped in a module, but is part of another one - AmiTse. You could try to replace this module with one from a different board but I doubt it will work as expected.
    SecureBoot can be ported too, but it requires changes to the image structure, a copy of the default keys, special nvram variables support, a special nvram driver and an enabled BIOS lock to function normally, so if BGRT integration looks hard but possible, integrating SecureBoot into a compiled image would be an act of heroism.
    There is nothing impossible, but it will be much easier to just buy a new system with these functions enabled by default.
     
  11. zft561068

    zft561068 MDL Novice

    Jul 4, 2014
    1
    0
    0
    #11 zft561068, Jul 7, 2014
    Last edited: Jul 7, 2014
    The good news!
    I have tested it. The computer BIOS is F24 (Sp53872.exe). I patched F24 and modified the XXXXXX........XXXX.rom (the CryptRSA.efi SHA1 is in this rom).
    What I did:
    1. Using PhoenixTool, open 0166cf24.bin
    2. In the dump directory, using HxD, replace the SHA1 of CryptRSA.efi with the SHA1 of refind_x64.efi
    3. Make 0166cf24_SLIC.bin with PhoenixTool
    4. Rename 0166cf24_SLIC.bin to 0166cf24.bin and flash it using insydeFlash.
    5. Copy refind\*.* to USBNAME:\Hewlett-Packard\SystemDiags\
    6. In USBNAME:\Hewlett-Packard\SystemDiags\ rename CryptRSA.efi to CryptRSA.efibak and rename refind_x64.efi to CryptRSA.efi
    7. Now restart the computer and press "F2"; the computer displays the rEFInd boot GUI, the same as in the second picture posted by Tito at the top.
    8. Later, halt the computer.
    9. Press WIN+B and press the power button; the computer reflashes F24 OK.
    The files on my USB SD are:
    \Hewlett-Packard\BIOSUpdate : CryptRSA.efi, HpBiosUpdate.efi, other files
    \Hewlett-Packard\SystemDiags : CryptRSA.efibak, SystemDiags.efi, CryptRSA.efi (renamed refind_x64.efi), other files
    \Hewlett-Packard\BIOS : CURRENT\ 0166C.bin, CURRENT\ 0166C.SIG, made from 0166CF24.bin using PhoenixTool.
    \Hewlett-Packard\*.* made by sp63063.exe;
    10. F2 starts the rEFInd GUI, and WIN+B BIOS recovery also works well! And my HDD has no HP_TOOLS partition.
    11. But not tested on F32, because F32 has a RAS check first at boot; F24 does not have it.
    12. Using F2 to start: bios -> \Hewlett-Packard\SystemDiags\CryptRSA.efi (renamed refind_x64.efi), checking SHA1
    Using WIN+B: bios -> \Hewlett-Packard\BIOSUpdate\CryptRSA.efi is not checked, or who is checking it????????????:confused::confused:

    I know little English, don't laugh at me.
     
  12. HaTToR

    HaTToR MDL Novice

    Jul 11, 2014
    2
    0
    0
    Hello all, any progress?? I was waiting for this :)
     
  13. gabiz_ro

    gabiz_ro MDL Member

    Feb 2, 2010
    170
    12
    10
    Still working on that.
    After some code injection to read some values I reached the point where I found why EFI boot is bypassed.
    At
    loc_180002E26:
    there is a check for the rsp+70h offset (IDA interprets this as [rsp+D8h+var_68]); if it is empty, it jumps over looking for BootX64.efi and Windows boot manager.
    You can see at
    loc_180002DB9:
    that [rsp+D8h+var_68] = 9B41EFBBh
    and it becomes 0 after EFI_BOOT_SERVICES.LocateHandleBuffer for EfiSimpleFileSystemProtocol.
    The number of partitions detected must be found at [rsp+D8h+var_68].

    How can I query, test or reinitialize EfiSimpleFileSystemProtocol?

    [​IMG]
     
  14. itsmemario1

    itsmemario1 MDL Senior Member

    Sep 10, 2012
    257
    23
    10
  15. HaTToR

    HaTToR MDL Novice

    Jul 11, 2014
    2
    0
    0
    Insyde Software's answer for UEFI mod.

    Mailed to Insyde Software customer support and their answer:

    Me:
    "This is what HP says. And I don't have those special skills, so I need help with this. Can anyone help me with this?



    UEFI technology enables a number of improvements in PC security and performance and is implemented in all PCs pre-installed with Windows 8. Some PCs pre-installed with Windows 7 contain UEFI technology and can be modified to deliver these features. However the process requires specialist skills to complete and at this time, HP is not providing instructions to perform this modification."


    Insyde:
    "Developing UEFI BIOS is a large job. UEFI cannot just be added to a BIOS. The BIOS has to be developed using UEFI base code.
    Insyde Software sells BIOS source code to PC manufacturers who modify the source code to meet their specific BIOS needs. Thus, each PC manufacturer has a unique BIOS. Insyde does not track the changes made to the BIOS by the PC manufacturer because the PC manufacturer has full control over the BIOS features.
    The bottom line is that it is basically impossible to add UEFI to an existing BIOS. The BIOS must be developed using UEFI technology and it appears that HP is not supporting UEFI in the notebook you have.
    Regards,
    Ed"

    Me:

    Hello, Edwin
    Thank you for your reply, I sent the same message to HP also. They didn't answer me yet. This shows how firms are looking at their customers.


    But I think you got me wrong. Because as I said in my first message, there is already UEFI implemented in my notebook. As HP says “Some PCs pre-installed with Windows 7 contain UEFI technology and can be modified to deliver these features.” No need to develop UEFI. I just want to activate it. If you want I can attach the bios file, so you can tell me if it's possible to activate it or not? Actually I don't understand why HP doesn't want to support it. My guess is that it is because my notebook is without warranty. I bought it 3 years ago.


    Anyway, can you just tell me what modules I have to activate in my bios file? Any help from you will be very, very appreciated. Because there are so many ppl trying to get help about UEFI support on their notebooks where it is already implemented in the bios. I can point to some forums that show ppl trying to activate UEFI support on Insyde H2O bioses. There is already an option to enable UEFI in my bios setup but some modules are missing. Maybe we can get those modules from a newer bios file but I think asking Insyde Software is an easy way to learn.


    I am waiting to hear from you, again. Thanks anyway. Have a good day.

    Insyde:
    "We unfortunately cannot provide any support on this issue. The manufacturer of your computer will be the best resource for this type of support.


    Thank you for contacting Insyde Software."
     
  16. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    10,938
    10,475
    340
    #16 Yen, Jul 31, 2014
    Last edited: Jul 31, 2014
    "Actually i dont understand why HP doesnt want to support."
    Are you serious? :biggrin:
    HP is known to have whitelists which allow only some devices to run and they ENCRYPT / sign the EFI, why do you think they restrict???

    In fact they don't care about the consumer, they want your money and they want that you only run what they want!!!!
    The last thing they want is that you become able to modify their EFI!!!

    It sounds like they have not understood what you wanted to ask (probably with intent), to add GPT boot to your current BIOS. They wrote "UEFI cannot just be added to a BIOS." This sounds odd. It's like saying Android cannot just be added to Windows. We're talking about the ability to boot GPT ('UEFI') partitions.

    Besides this tech challenge, which rocks, one should ask oneself generally: Why do I need 'UEFI support' myself??? It is actually useless and has no real advantage.
     
  17. Krutonium

    Krutonium MDL Senior Member

    Aug 27, 2013
    406
    281
    10
    Because we can.
     
  18. Mustafa Can

    Mustafa Can MDL Member

    Jul 6, 2011
    125
    56
    10
  19. Tito

    Tito Super Mod / Adviser
    Staff Member

    Nov 30, 2009
    17,211
    14,768
    340