HP Probook 6550b BIOS fullflash exposed and need to be edited

Discussion in 'BIOS Mods' started by flusher, Oct 22, 2011.

  1. flusher

    flusher MDL Novice

    Oct 21, 2011
    3
    7
    0
    Hi. Nice forum and info around here.
    Well i now have a new laptop which is hp 6550b with ati 540v discrete video and i like it but it has a bios locked up. can still boot up to win tho.
    so my thing is eeproms, flashes, microcontrollers and i have succesfully read the bios flash off this laptop. but what is not my thing is that i dont know how to disASM the code etc. i have an information that preflashed chip with plain binary will remove the password but will also erase all the serial numbers etc which i dont want to.
    so the thing is to find out where is the password and remove it. i dont even hope to read it for simple use.
    it is a 4mb fullflash, when bios update binary is only 2650kb.
    what i have found out. binary starts with some garbage. i dont know what is that, maybe a video bios, but i think it is not important. the bios starts at 180000 offset where you can see $LOGO.
    i have removed all the stuff till the 180000 offset and made a separate file and size equals to original bios from hp site. so the hp flasher only flashes this part of the IC. the next is most interesting. the files are almost identical (same versions of the bios) but except the 180010 offset of the bios file (not fullflash) where i think the some kind of memory table taking the place. in original bios file from hp site there are FFs. There you can see the serial numbers, product numbers, labels and other stuff like BIOS USER, BOOT OPTIONS and of course PW_RECDATA. I dont see the data there and i am stuck in here. I need a wise guy to look at this and tell me what i can try to erase here? Also if i am editing something do i need to worry about the checksum of some data? the end of the file looks the same but that hp guys could do anything inside*:)

    i am including 3 files:
    fullflash.bin - read whole chip
    bios.bin - read bios from fullflash
    68cde.bin - original bios from hp site. same F.02 version

    link to download - h**p://zalil.ru/31911932
    if any problem with it - let me know

    thanks
     
  2. flusher

    flusher MDL Novice

    Oct 21, 2011
    3
    7
    0
    #2 flusher, Oct 22, 2011
    Last edited: Oct 22, 2011
    (OP)
    i have done it by myself. put some FFs in that memory table where the users, pws data etc.
    *powered the laptop, it showed me that cmos checksum was bad and it will fix it. restarted and let me in as guest in bios. serial numbers are saved. i could change almost everything except the security settings. then i booted into win and uninstalled the hp protect tools with security manager. then booted into bios and it let me in as admin and set the password. finally full control. already updated my bios to the latest with no problem.

    and now for the guys who is looking on how to remove the bios password off your hp probook 6550b and similar. there is no free&easy solution so you can click a few buttons and password will pop up on your screen. my solution will not suit ussual users. it requires voiding your warranty, good soldering skills, serial flash programmer and good thinking on what you are doing. but if you have all that and you just need my advice - feel free to PM me
     
  3. miksonics

    miksonics MDL Novice

    Aug 11, 2010
    1
    0
    0
    hey thanks for the info,can i know which exact file of the binary u edited to ff's

    can i know details of how you did that,thanks
     
  4. sebus

    sebus MDL Guru

    Jul 23, 2008
    5,933
    1,801
    180
    Interesting to know! Details to follow? Mini-guide?

    sebus
     
  5. TonyHart

    TonyHart MDL Novice

    Jan 5, 2013
    4
    1
    0
    I have a HP Probook 4530s that has a administrator password on BIOS. I have soldered 8 wires to the BIOS chip and read the data off using an "mbed" device through SPI, 1Mb at a time (It only has 2Mb local storage and some of that is for code). If anyone wants my code, just ask. Ive joined the 4 files up to a single 4Mb file. 0x000000 to 0x17FFFF is junk like original poster says, then 0x180000 onwards is the actual BIOS. Right at the start I also have the text $LOGO. I have also seen references to BIOS USER, BOOT OPTIONS and PW_RECDATA.

    Where do I write 0xFF's to?
     
  6. TonyHart

    TonyHart MDL Novice

    Jan 5, 2013
    4
    1
    0
    HP Probook 4330s BIOS Password locations

    I made an educated guess to the locations and it worked. On reboot I was able to get into BIOS. Here are the locations that I wrote 0x00 to:

    0x3113BE to 0x3113D1 inclusive
    0x311434 to 0x311464 inclusive
    0x3114AF to 0x3114C2 inclusive

    Be sure to check what is there in your BIOS before flashing those ranges. Here is the text that is immediately before the areas you should flash:

    HP_TempBIOSAdminScancode
    HP_BiosUser00BIOS Administrator
    HP_BIOSAdminScanCode

    The ranges should start 3 bytes after the last ASCII byte in the above text references. The ranges end on the byte before the following code: "AA 55 7F". This is what worked for me.
     
  7. laptop servis

    laptop servis MDL Novice

    Jan 21, 2013
    5
    0
    0
    Hello my friend , I`ve got question for you , same as you I have a password issue on my hp 6550b only mine is w/o ati graphics , just intel , same thing i can enter windows but no access to bios due to the password , i`ve dumped full flash from the chip and it is also 4 mb and the update file from hp site is 2.6 mb so at what adress did you find pw and filled it with ff`s ? which editor do you use for editing or combining files ?I`ve got programmer for flashing , i just need the info on the adress that i needed to be erased or filled with ff.Thanks in advance
     
  8. LatinMcG

    LatinMcG Bios Borker

    Feb 27, 2011
    5,431
    1,486
    180
    seems its 180010 offset of the bios file