This is no request thread! HP COMPAQ bioses, how to modify the bios?

Yen
10 Aug 2009, 03:26
Pyotr
From where have you got the patched rompaq.exe? It seems quite different to the original provided with the F.16 bios...

mutante
10 Aug 2009, 03:45
The HPQFlash I have posted is patched by me, I mean it's new ...

sebus
10 Aug 2009, 03:51
On my 6715b with 68YTT.BIN with HEX edited dual marker ONLY using

- rompaq.exe 4.69 from Pyotr:
rompaq starts, does NOT complain about "Error in file content read", seems to start flashing, but then exits from it & nothing happens (nothing good or bad)

- HPQFlash v310F1 from Yen:
starts and then gives error: "0xFA (IOCTL_FAILED)"

- HPQFlash v4253 from gregg's HPQFla_8710w.zip complains that can NOT find the version in rom.cab (as I believe it is the WRONG version for my model)

sebus

Yen
10 Aug 2009, 03:53
The HPQFlash I have posted is patched by me, I mean it's new ...

Would you please explain how to patch it? Are you able to patch the rompaq.exe as well?
sebus, what about to provide your modified bios just pack it into the cab archive..

Pyotr
10 Aug 2009, 04:12
Pyotr
From where have you got the patched rompaq.exe? It seems quite different to the original provided with the F.16 bios...

Yes, that's right, it is actually from the nx9420 package's latest bios, but in that thread http://forums.mydigitallife.info/showthread.php?t=7265&page=3 (page 3) you get more info; it's a bit longer story

sebus
10 Aug 2009, 04:39
These are the HEX values for v 3.x.x of the HPQFlash.exe
v4.x.x do NOT have such values

sebus

Yen
10 Aug 2009, 04:41
Unfortunately these mod instructions are almost unusable.....I have tried but there are more occurrences of the byte sequence when cut..mutante knows how to perform....anyway to patch the rompaq.exe would be more interesting.

Yen
10 Aug 2009, 05:02
These are the differences mutante made at 4.2.5.3 to patch:


Search for differences

1. E:\temp6\HPQFlash_patched.exe: 1.193.264 bytes
2. E:\temp6\HPQFlash.exe: 1.193.264 bytes
Offsets: hexadec.

E00EE: B8 6A
E00EF: 01 00
E00F0: 00 6A
E00F2: 00 51
E00F3: 50 8B
E00F4: 90 4C
E00F5: 90 24
E00F6: 90 18
E00F7: 90 52
E00F8: 90 50
E00F9: 90 51
E00FA: 90 FF
E00FB: 90 54
E00FC: 90 24
E00FD: 90 3C
E00FE: 90 50

16 difference(s) found.


Now have to figure how to perform at yours, sebus.

mutante
10 Aug 2009, 05:13
I can try :-)

When you execute HPQFlash.exe it creates and loads (using LoadLibrary) flashdll.dll. I have disassembled it to see that it uses the MS Crypto API. I have seen something like this:

.text:10008042 mov ecx, [esp+44h+var_28]
.text:10008046 mov edx, [esp+44h+var_8]
.text:1000804A mov eax, [esp+44h+Memory]
.text:1000804E push 0
.text:10008050 push 0
.text:10008052 push ecx
.text:10008053 mov ecx, [esp+50h+var_38]
.text:10008057 push edx
.text:10008058 push eax
.text:10008059 push ecx
.text:1000805A call [esp+5Ch+var_20]
.text:1000805E push eax
.text:1000805F push offset aSignedbycompaq ; "SignedByCompaq: Verify signature in ROM"...
.text:10008064 mov [esp+4Ch+var_2C], eax
.text:10008068 call sub_10006120
.text:1000806D add esp, 8

The routine at 1000805A checks the signature; if it is OK, eax will be 1, so I have changed the code to always make eax = 1

I can go deep but I don't want to make people crazy if it's not necessary :-)



Would you please explain how to patch it? Are you able to patch the rompaq.exe as well?
sebus, what about to provide your modified bios just pack it into the cab archive..
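
Seen from the integrity-checking side, the byte listing and the call site discussed above can be triaged automatically. This is an added example, not part of the original thread; the function names and tag strings are hypothetical, and the tags are byte-pattern heuristics rather than a real disassembly.

```python
import re

# Difference rows copied from the listing in this thread:
# "offset: byte in HPQFlash_patched.exe, byte in HPQFlash.exe".
LISTING = """
E00EE: B8 6A
E00EF: 01 00
E00F0: 00 6A
E00F2: 00 51
E00F3: 50 8B
E00F4: 90 4C
E00F5: 90 24
E00F6: 90 18
E00F7: 90 52
E00F8: 90 50
E00F9: 90 51
E00FA: 90 FF
E00FB: 90 54
E00FC: 90 24
E00FD: 90 3C
E00FE: 90 50
"""
ROW = re.compile(r"^([0-9A-F]+):\s+([0-9A-F]{2})\s+([0-9A-F]{2})\s*$", re.M | re.I)

def parse_listing(text):
    """Map file offset -> (byte in suspect file, byte in reference file)."""
    return {int(o, 16): (int(a, 16), int(b, 16)) for o, a, b in ROW.findall(text)}

def coalesce(rows, max_gap=1):
    """Merge differing offsets into (start, end) runs; a byte that happens to be
    equal in both files (here E00F1) must not split one edit into two."""
    runs = []
    for off in sorted(rows):
        if runs and off - runs[-1][1] <= max_gap + 1:
            runs[-1][1] = off
        else:
            runs.append([off, off])
    return [tuple(r) for r in runs]

def triage(rows, run):
    """Heuristic tags for one run (byte patterns only, no real disassembly)."""
    offs = [o for o in range(run[0], run[1] + 1) if o in rows]
    suspect = [rows[o][0] for o in offs]
    tags = []
    if suspect.count(0x90) >= 4 and suspect.count(0x90) * 2 >= len(suspect):
        tags.append("nop-fill")
    for o in offs:  # FF /2 is an indirect CALL; is it NOPs in the suspect file?
        nxt = rows.get(o + 1)
        if rows[o][1] == 0xFF and nxt and (nxt[1] >> 3) & 7 == 2 and rows[o][0] == 0x90:
            tags.append("indirect-call-removed")
    if suspect[0] == 0xB8:  # B8 imm32 encodes mov eax, imm32
        tags.append("eax-set-to-constant")
    return tags

def report(text):
    rows = parse_listing(text)
    return [(hex(s), hex(e), triage(rows, (s, e))) for s, e in coalesce(rows)]

if __name__ == "__main__":
    for start, end, tags in report(LISTING):
        print(start, end, ", ".join(tags) or "unclassified")
```

All three tags on one run mark a utility whose verification call site has been altered; the reference copy has to come from the vendor package, not from the same source as the suspect file.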

Yen
10 Aug 2009, 05:19
I can try :-)

When you execute HPQFlash.exe it creates and loads (using LoadLibrary) flashdll.dll. I have disassembled it to see that it uses the MS Crypto API. I have seen something like this:

.text:10008042 mov ecx, [esp+44h+var_28]
.text:10008046 mov edx, [esp+44h+var_8]
.text:1000804A mov eax, [esp+44h+Memory]
.text:1000804E push 0
.text:10008050 push 0
.text:10008052 push ecx
.text:10008053 mov ecx, [esp+50h+var_38]
.text:10008057 push edx
.text:10008058 push eax
.text:10008059 push ecx
.text:1000805A call [esp+5Ch+var_20]
.text:1000805E push eax
.text:1000805F push offset aSignedbycompaq ; "SignedByCompaq: Verify signature in ROM"...
.text:10008064 mov [esp+4Ch+var_2C], eax
.text:10008068 call sub_10006120
.text:1000806D add esp, 8

The routine at 1000805A checks the signature; if it is OK, eax will be 1, so I have changed the code to always make eax = 1

I can go deep but I don't want to make people crazy if it's not necessary :-)

At this matter I'm a noob ;)

Are you able to patch rompaq as well?

mutante
10 Aug 2009, 05:28
At this matter I'm a noob ;)

Are you able to patch rompaq as well?

I can try it but why don't you like this? Which is the problem?

I'm noob to BIOS :-)

I'm sure both can learn :-)

Yen
10 Aug 2009, 05:38
I can try it but why don't you like this? Which is the problem?

I'm noob to BIOS :-)

I'm sure both can learn :-)

You are right, mutante, and welcome here at MDL. Your disassembly skills are fascinating to me.

No, I like it........sebus sure can try...

rompaq checks for checksums at biosfile, if they are wrong it refuses to flash!
I want to know about the checksums and HPQ flash didn't update the SLIC, you can read before.

I want to know if rompaq.exe would update the SLIC.....it still remained at marker 2.0...at 2 bioses before....

Thank you for trying...;)

Remco Koot
10 Aug 2009, 07:31
Hi,

For info: I also tried the patched HPQFlash from mutante and modded flash for my 8510p, flashed normally. But after reboot no 2.1 slic.

Thanks for the hard work & progress so far...

RK

jiriteach
10 Aug 2009, 07:49
Have been trying many different combinations.

HPQFlash works but doesn't update to SLIC 2.1. This could be the BIOS I had?

I am trying with Yen's BIOS now and the latest HPQFlash I got from mutante.

Fingers crossed! :)

gregg
10 Aug 2009, 08:12
I have same issue with 8710w. Bios seems to be updated but SLIC is version 2.0 after update.

We hope mutante can patch rompaq and we'll try patch Bios from Dos.
We stay tuned

PS: Which disassembler did you use to patch HPQFlash? IDA Pro?

mutante
10 Aug 2009, 15:24
I have same issue with 8710w. Bios seems to be updated but SLIC is version 2.0 after update.

We hope mutante can patch rompaq and we'll try patch Bios from Dos.
We stay tuned

PS: Which disassembler did you use to patch HPQFlash? IDA Pro?

Yes it was IDA

Hummm when you say no SLIC 2.1, what does it mean? that SLIC 2.0 is there? or no SLIC?

Yen do you think that each ACPI table has a checksum and they are not flashed if this checksum fails?

Hotpepper
10 Aug 2009, 15:28
Hi,

ok I updated a HP nx6325 from SLIC 2.0 to SLIC 2.1 with the method of in memory exchange.

Here's how I've done it:

1. Start HPQFlash and follow procedure until it says "Next" will start the update.
2. Starting HxDen with Administration rights (as the HPQFlash).
3. Load HP SLIC 2.1 Bin into HxDen.
4. Open Memory of HPQFlash from HxDen and search for "SLIC".
5. Replace the areas of RSA Key and SLIC Marker in memory and when finished save and close HxDen.
6. Click next in HPQFlash to start BIOS update.

7. Have SLIC 2.1 :-)

jiriteach
10 Aug 2009, 16:09
Yes it was IDA

Hummm when you say no SLIC 2.1, what does it mean? that SLIC 2.0 is there? or no SLIC?

Yen do you think that each ACPI table has a checksum and they are not flashed if this checksum fails?

For me SLIC 2.0 is there. And it's still SLIC 2.0 even after the flash.

It's as if, HPQFlash or the ROM is not being applied even though it looks like its working fine.

gregg
10 Aug 2009, 16:30
Hummm when you say no SLIC 2.1, what does it mean? that SLIC 2.0 is there? or no SLIC?


Yes, SLIC 2.0 is kept after Bios Upgrade. Bios seems to be flashed but after reboot, SLIC is not updated.

@Hotpepper: That sounds good!! I'll try to update my 8710w with HxDen tonight and give you my results

mutante
10 Aug 2009, 18:21
Hi,

ok I updated a HP nx6325 from SLIC 2.0 to SLIC 2.1 with the method of in memory exchange.

Here's how I've done it:

1. Start HPQFlash and follow procedure until it says "Next" will start the update.
2. Starting HxDen with Administration rights (as the HPQFlash).
3. Load HP SLIC 2.1 Bin into HxDen.
4. Open Memory of HPQFlash from HxDen and search for "SLIC".
5. Replace the areas of RSA Key and SLIC Marker in memory and when finished save and close HxDen.
6. Click next in HPQFlash to start BIOS update.

7. Have SLIC 2.1 :-)

Could you post a screenshot please?

Thank you

Yen
10 Aug 2009, 18:43
Yes, SLIC 2.0 is kept after Bios Upgrade. Bios seems to be flashed but after reboot, SLIC is not updated.

@Hotpepper: That sounds good!! I'll try to update my 8710w with HxDen tonight and give you my results

This is exciting....I'm very curious if the direct edit method will work at 'double' SLIC bioses....

Yen
10 Aug 2009, 18:48
Yes it was IDA

Hummm when you say no SLIC 2.1, what does it mean? that SLIC 2.0 is there? or no SLIC?

Yen do you think that each ACPI table has a checksum and they are not flashed if this checksum fails?

No, but the module that contains the SLIC table (pubkey and marker) could have a checksum.....therefore to disassemble rompaq and figure how to calculate valid sums would be great....

andmail
10 Aug 2009, 20:06
You mean SLIC 2.1?

I'm very curious to test your method tonight. It could be Great!!

No, I mean 2.0

dapjukebox
10 Aug 2009, 20:33
Hi,

ok I updated a HP nx6325 from SLIC 2.0 to SLIC 2.1 with the method of in memory exchange.

Here's how I've done it:

1. Start HPQFlash and follow procedure until it says "Next" will start the update.
2. Starting HxDen with Administration rights (as the HPQFlash).
3. Load HP SLIC 2.1 Bin into HxDen.
4. Open Memory of HPQFlash from HxDen and search for "SLIC".
5. Replace the areas of RSA Key and SLIC Marker in memory and when finished save and close HxDen.
6. Click next in HPQFlash to start BIOS update.

7. Have SLIC 2.1 :-)

Tried and tested on a HP530 which did have slic 2.0
The entry in the RSDT is a bit odd, SLIC_Dump tool reports the entry as "HP 30D5" but it activated nonetheless!

Well done Hotpepper - have a virtual beer or 2 on me.

Yen
10 Aug 2009, 21:15
Tried and tested on a HP530 which did have slic 2.0
The entry in the RSDT is a bit odd, SLIC_Dump tool reports the entry as "HP 30D5" but it activated nonetheless!

Well done Hotpepper - have a virtual beer or 2 on me.

Could you please post an rw-everything report?
http://forums.mydigitallife.info/announcement.php?f=4

It should not activate...

Yen
10 Aug 2009, 21:18
No, I mean 2.0

Too bad, I was afraid of. HPQFlash DOES NOT update the SLIC at bioses containing 2 occurrences of marker....last chance is to patch rompaq or to correct the sums...

Hotpepper
10 Aug 2009, 21:33
Hi,

so I think we figured out how to update a HP BIOS with just one SLIC marker in it.

Next level is how to do that with a BIOS that has 2 markers in it.

dapjukebox
10 Aug 2009, 21:35
Could you please post an rw-everything report?
http://forums.mydigitallife.info/announcement.php?f=4

It should not activate...

The machine was supplied with Vista Home and was activated with an OEM key because I upgraded to Ultimate using the HP Ultimate key.
Here's the report together with a screen dump.

I assume you only want the parts of the report concerning the RSDT and SLIC entries.

Root System Description Pointer: 0x000F7830

52 53 44 20 50 54 52 20 1B 48 50 20 20 20 20 02 RSD PTR .HP .
78 57 7E 5F 24 00 00 00 C8 57 7E 5F 00 00 00 00 xW~_$....W~_....
E0 00 00 00 ....

Signature "RSD PTR "
Checksum 0x1B (27)
OEM ID "HP "
Revision 0x02 (2) - ACPI 2.0
RSDT Address 0x5F7E5778
Length 0x00000024
XsdtAddress 0x000000005F7E57C8
Extended Checksum 0xE0 (224)
Reserved 0x00 0x00 0x00

Root System Description Table: 0x5F7E5778

52 53 44 54 50 00 00 00 01 C2 48 50 20 20 20 20 RSDTP.....HP
33 30 44 35 20 20 20 20 20 08 03 18 48 50 20 20 30D5 ...HP
01 00 00 00 00 56 7E 5F 44 58 7E 5F BC 59 7E 5F .....V~_DX~_.Y~_
F4 59 7E 5F 5C 5A 7E 5F 98 5A 7E 5F 40 44 7F 5F .Y~_\Z~_.Z~_@D._
64 44 7F 5F 8A 47 7F 5F 55 4C 7F 5F B4 4E 7F 5F dD._.G._UL._.N._

Signature "RSDT"
Length 0x00000050 (80)
Revision 0x01 (1)
Checksum 0xC2 (194)
OEM ID "HP "
OEM Table ID "30D5 "
OEM Revision 0x18030820 (402851872)
Creator ID "HP "
Creator Revision 0x00000001 (1)
Entry0 0x5F7E5600
Entry1 0x5F7E5844
Entry2 0x5F7E59BC
Entry3 0x5F7E59F4
Entry4 0x5F7E5A5C
Entry5 0x5F7E5A98
Entry6 0x5F7F4440
Entry7 0x5F7F4464
Entry8 0x5F7F478A
Entry9 0x5F7F4C55
Entry10 0x5F7F4EB4

Software Licensing Description Table: 0x5F7E5844

Signature "SLIC"
Length 0x00000176 (374)
Revision 0x01 (1)
Checksum 0xDC (220)
OEM ID "HPQOEM"
OEM Table ID "SLIC-MPC"
OEM Revision 0x00000001 (1)
Creator ID "HP "
Creator Revision 0x00000001 (1)
OEM Public Key Structure
Type 0x00000000 (0)
Length 0x0000009C (156)
Key Type 0x06 (6)
Version 0x02 (2)
Reserved 0x0000 (0)
Algorithm 0x00002400 (9216)
Magic "RSA1"
Bit Length 0x00000400 (1024)
Exponent 0x00010001 (65537)
SLIC Marker Structure
Type 0x00000001 (1)
Length 0x000000B6 (182)
Version 0x00020000 (131072)
OEM ID "HPQOEM"
OEM Table ID "SLIC-MPC"
Windows Flag "WINDOWS "
Reserved 0x01 0x00 0x02 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

Yen
10 Aug 2009, 21:36
Hi,

so I think we figured out how to update a HP BIOS with just one SLIC marker in it.

Next level is how to do that with a BIOS that has 2 markers in it.

Absolutely right, I hope mutante can figure something about the sums, disassembling / patch rompaq...

HPQ-flash doesn't update....hmmm are there some settings to change...or switches--hpq flash don't start at my PC.....

Yen
10 Aug 2009, 21:38
I assume you only want the parts of the report concerning the RSDT and SLIC entries.



Sorry I need the entire reportfile....something is strange to me....it should NOT activate...thanks again...need to know about XSDT table..

dapjukebox
10 Aug 2009, 21:45
Sorry I need the entire reportfile....something is strange to me....it should NOT activate...thanks again...need to know about XSDT table..

No problem, here it is.

Yen
10 Aug 2009, 21:50
No problem, here it is.

Ah yes.....if acpi revision = 2.0 and XSDT OEMIDs are matching to SLIC (I guess so) then RSDT OEMIDs could be different.....OK...rw-everything doesn't dump the XSDT for some reason....back to HP...thanks for the report...
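
The ACPI checksum rule that comes up in this discussion, applied read-only to the RSDP and RSDT bytes from the RW-Everything report earlier in the thread. This is an added example, not code from any poster; the function names are hypothetical. It checks the 20-byte and 36-byte RSDP checksums, parses the RSDT header and entry list, and shows that a single changed byte is detected.

```python
import struct

# Bytes copied from the RW-Everything report posted earlier in this thread.
RSDP = bytes.fromhex(
    "52 53 44 20 50 54 52 20 1B 48 50 20 20 20 20 02 "
    "78 57 7E 5F 24 00 00 00 C8 57 7E 5F 00 00 00 00 "
    "E0 00 00 00")
RSDT = bytes.fromhex(
    "52 53 44 54 50 00 00 00 01 C2 48 50 20 20 20 20 "
    "33 30 44 35 20 20 20 20 20 08 03 18 48 50 20 20 "
    "01 00 00 00 00 56 7E 5F 44 58 7E 5F BC 59 7E 5F "
    "F4 59 7E 5F 5C 5A 7E 5F 98 5A 7E 5F 40 44 7F 5F "
    "64 44 7F 5F 8A 47 7F 5F 55 4C 7F 5F B4 4E 7F 5F")

def checksum_ok(blob):
    """ACPI rule: all covered bytes, checksum byte included, sum to 0 mod 256."""
    return len(blob) > 0 and sum(blob) % 256 == 0

def parse_rsdp(blob):
    if len(blob) < 20:
        raise ValueError("RSDP shorter than 20 bytes")
    sig, _csum, oem_id, rev, rsdt = struct.unpack_from("<8sB6sBI", blob, 0)
    if sig != b"RSD PTR ":
        raise ValueError("bad RSDP signature")
    out = {"oem_id": oem_id.decode("ascii", "replace").rstrip(), "revision": rev,
           "rsdt": rsdt, "checksum_ok": checksum_ok(blob[:20])}
    if rev >= 2:  # ACPI 2.0+: length, XSDT address, checksum over the whole structure
        if len(blob) < 36:
            raise ValueError("revision 2 RSDP shorter than 36 bytes")
        length, xsdt, _ext = struct.unpack_from("<IQB", blob, 20)
        out.update(length=length, xsdt=xsdt,
                   ext_checksum_ok=length <= len(blob) and checksum_ok(blob[:length]))
    return out

def parse_rsdt(blob):
    if len(blob) < 36:
        raise ValueError("table shorter than the 36-byte ACPI header")
    sig, length, rev, _c, oem_id, table_id, oem_rev, creator, creator_rev = \
        struct.unpack_from("<4sIBB6s8sI4sI", blob, 0)
    if sig != b"RSDT" or not 36 <= length <= len(blob) or (length - 36) % 4:
        raise ValueError("not a well-formed RSDT")
    entries = list(struct.unpack_from("<%dI" % ((length - 36) // 4), blob, 36))
    return {"length": length, "oem_id": oem_id.decode("ascii", "replace").rstrip(),
            "oem_table_id": table_id.decode("ascii", "replace").rstrip(),
            "oem_revision": oem_rev, "entries": entries,
            "checksum_ok": checksum_ok(blob[:length])}

def with_byte(blob, offset, value):
    """Copy of blob with one byte changed, to show that validation notices it."""
    out = bytearray(blob)
    out[offset] = value
    return bytes(out)

if __name__ == "__main__":
    print(parse_rsdp(RSDP))
    print(parse_rsdt(RSDT))
    print(parse_rsdt(with_byte(RSDT, 16, 0x34))["checksum_ok"])
```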

dapjukebox
10 Aug 2009, 22:04
Ah yes.....if acpi revision = 2.0 and XSDT OEMIDs are matching to SLIC (I guess so) then RSDT OEMIDs could be different.....OK...rw-everything doesn't dump the XSDT for some reason....back to HP...thanks for the report...

To be perfectly honest I am just happy that the method seems to work, I just hope it leads to an easier method for those not happy with doing this.

Thanks to all you bios experts.

mutante
10 Aug 2009, 22:25
Can anybody tell me which is the message rompaq prints when it fails?

Thanks

TTAV134
10 Aug 2009, 22:31
Can anybody tell me which is the message rompaq prints when it fails?

Thanks

rompaq error message:

Error in file content read from disk
Please try recreating file or disk.