This is no request thread! HP COMPAQ bioses, how to modify the bios?

Yen
10 Sep 2010, 16:44
So would I be correct that this would work on a 6710b and 6715b bios? And if so, would I look for the sequence 07 FC 66 B9 9C F1 DD BE XX 00 63 FF FF 66 BF and change as above..?

It would be better to understand what it does. I'll decompile the modules like sebus did..... it would be cool to get another Chinese mod....
Actually we don't know what the clue about FF --> FE is.
Is it always the same change?

darwusch2
10 Sep 2010, 18:53
Which means:
It adjusts the RPL (requested privilege level - stored in the bottom two bits of the selector) field of the destination (first) operand to ensure that it is no less (i.e. no more privileged than) the RPL field of the source operand.

ARPL appears in operating system software, not in application programs. It is used to guarantee that a selector parameter to a subroutine does not request more privilege than the caller is allowed. The second operand of ARPL is normally a register that contains the CS selector value of the caller.

TTAV134
10 Sep 2010, 18:56
You need to login to view this posts content.

Yen
11 Sep 2010, 01:27
Oh well..:D

I was confused, I thought 66 FF is ARPL di, di.
Thanks for your explanation, guys.

By developing the patch it seems there is somebody who knows much about that kind of bios. / The 'Chinese' programmer of the bios itself? :D
I never would have figured that out myself. It needs to be confirmed on other bioses as well.

Is that the way:
00 63 FF FF
change FF--->FE
Then replace the marker at any instance.

Tried several bioses. Should match. One hit only....untested yet. ;)

Tahunasky
11 Sep 2010, 04:00
I have downloaded the latest 6710b bios:

F.16 (8 Aug 2010)
ftp://ftp.hp.com/pub/softpaq/sp50001-50500/sp50197.exe

When I look for the following sequence from the 6910b modified slic 2.1 bios, the closest I come to it is:


07 FC 66 B9 9C F1 DD BE XX 00 63 FF FF 66 BF - 6910b from forum post
07 FC 66 B9 9C F1 DD BE 7F 00 63 FF FF 66 BF - 6910b Bios with slic 2.0
07 FC 66 B9 9C F1 DD BE 7F 00 63 FE FF 66 BF - 6910b Modified with slic 2.1
07 FC 66 B9 9C 31 D7 BE 00 FF 63 FF FF 66 BF - Latest 6710b Bios with slic 2.0


00 63 FF FF - can't find in 6710b

I am too scared to try this on my own laptop as it's the only PC I have and I need it for work.

sebus
11 Sep 2010, 04:03
6715b latest BIOS 68YTT.BIN F.0E 25 Nov 2008 does NOT have 63 FF FF sequence at all

It has MANY occurrences of 63 FF xx, so probably HPxx15b/p/s uses something different, maybe it will be figured out eventually...

sebus

TTAV134
11 Sep 2010, 04:20
hello,

the right sequence to search is 63 FF FF

A new list of SLIC 2.1 bios mods can be downloaded here (http://forums.mydigitallife.info/threads/7681-This-is-no-request-thread!-HP-COMPAQ-bioses-how-to-modify-the-bios?p=111460#post111460)

HP540
HP541
HP2510p/2710p
HP6520s
HP6510b/6710b/6710s
HP6910p
HP8510p/8510w
HP8710p/8710w

darwusch2
11 Sep 2010, 05:54
The 6910P original bios has two instances of 63 FF FF. Only the first has been changed to 63 FF FE in the modded version.
Not the second one.

Tahunasky
11 Sep 2010, 06:15
hello,
the right sequence to search is 63 FF FF


Just to let you guys know, I modified the bios from the info provided on my 6710b laptop, and it rebooted with slic 2.1 showing up, and the laptop seems to be running ok..

Thanks guys - especially darwusch2, TTAV134 and Yen !!! If you are ever in Buenos Aires I will buy you a beer !!!

pokerface
11 Sep 2010, 18:06
Downloaded the bios mod with slic 2.1, flashed the bios without problems.
Installed Windows 7 with cert. and licence and activated.
And passed Windows validation.

Thanks to TTAV134 for his bios mod, and Darwusch2 who found the bios mod for these problematic HP bioses.

Regards.

zetitres
11 Sep 2010, 19:51
Sorry to hear that there is no known solution for nx8220, my wife will have to stick to XP or use a loader. I have an 8510p running 7 with Daz loader. Have downloaded the mod bios and will flash this laptop, shall revert with result.

ghoffman
11 Sep 2010, 20:40
hello,

the right sequence to search is 63 FF FF

A new list of SLIC 2.1 bios mods can be downloaded here (http://forums.mydigitallife.info/threads/7681-This-is-no-request-thread!-HP-COMPAQ-bioses-how-to-modify-the-bios?p=111460#post111460)

HP540
HP541
HP2510p/2710p
HP6520s
HP6510b/6710b/6710s
HP6910p
HP8510p/8510w
HP8710p/8710w

confirmed for 8510w.
thanks ttav134 and yen!

zetitres
11 Sep 2010, 22:54
it is also confirmed for 8510p. Thanks a lot for this modded bios.:D

Yen
11 Sep 2010, 22:59
The 6910P original bios has two instances of 63 FF FF. Only the first has been changed to 63 FF FE in the modded version.
Not the second one.

That's why I have suggested searching for 00 63 FF FF. Location: below (near to) the RSDT string. If you don't get a hit, search without the 00 byte and have a look at what's nearest to the RSDT string.
Btw: Credits go to the Chinese modder and darwusch2 who have realised / discovered the mod, I only tried to understand what was patched.
Anyway a cold beer in Buenos Aires would be fine. :D

Yen
11 Sep 2010, 23:53
6715b latest BIOS 68YTT.BIN F.0E 25 Nov 2008 does NOT have 63 FF FF sequence at all

It has MANY occurrences of 63 FF xx , so probably HPxx15b/p/s uses something different, maybe it will be figured out eventually...

sebus

When you search for the sequence in front of it, you come to (also near to the RSDT string):


Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F

000130A0 66 B9 9C 71 9A BE 00 13 11 5F AB 84 fœqš..._„
000130B0 43 21 9A A4 60 01 B6 63 01 12 46 71 60 20 44 62 C!š`.c..Fq` Db


Converted to code, there is an ARPL instruction 63 01:


seg000:130A9 mov si, 1300h
seg000:130AC adc [bx-55h], bx
seg000:130AF test [bp+di+21h], al
seg000:130B2 call far ptr 0B601h:60A4h
seg000:130B7 arpl [bx+di], ax
seg000:130B9 adc al, [bp+71h]
seg000:130BC pusha
seg000:130BD and [si+62h], al
seg000:130C0 add [bx+di-6Ah], si
seg000:130C3 test [bp+di], ax
seg000:130C5 pop ds


I'm a noob regarding disassembly.
I wonder if that command needs to be patched....:o

TTAV134
12 Sep 2010, 18:43
Here is a copy of the IDA disassembly after changing FF to FE in a 6910p bios:

mov ax, 1
push 0F389h
call far ptr 0F000h:30E7h
pop es
assume es:nothing
cld
mov ecx, 9Ch ; 156 octets
mov esi, 0FFFE6300h ; table address in NO protected zone
mov edi, 0B874h
rep movs byte ptr es:[edi], byte ptr [esi]
cld
mov ecx, 0B6h ; 182 octets
mov esi, 0FFFE6200h ; marker table address in NO protected zone
mov edi, 0B910h
rep movs byte ptr es:[edi], byte ptr [esi]
mov ax, 0
push 0F389h
call far ptr 0F000h:30E7h

As you can see we are very lucky, because changing one octet in a compressed file can produce strange results.
Here the result is perfect.
This patch doesn't affect the burning algo but only the place where the SLIC table is read from. Consequence: for each future bios update, we must patch it again.

For those interested in IDA, have a look at the attached file.

ghoffman
12 Sep 2010, 19:23
hello,

the right sequence to search is 63 FF FF

A new list of SLIC 2.1 bios mods can be downloaded here (http://forums.mydigitallife.info/threads/7681-This-is-no-request-thread!-HP-COMPAQ-bioses-how-to-modify-the-bios?p=111460#post111460)

HP540
HP541
HP2510p/2710p
HP6520s
HP6510b/6710b/6710s
HP6910p
HP8510p/8510w
HP8710p/8710w

do these have the dualIDA_30pct_5100agn mod?

TTAV134
12 Sep 2010, 19:31
do these have the dualIDA_30pct_5100agn mod?

no, only SLIC2.1 table.

ghoffman
12 Sep 2010, 19:42
no, only SLIC2.1 table.

probably better that way!

I know it's off-topic - but is there a general way to load a DSDT table in Win 7, like there is with the Chameleon bootloader for Mac OS?

TTAV134
12 Sep 2010, 20:00
@SEBUS concerning HP6715/6515 version F.0E.

Once decompressed, the scheme is similar to the other bioses:

push 0F389h
call far ptr 0F000h:0EE63h
pop es
assume es:nothing
cld
mov ecx, 9Ch
mov esi, 0FFFF1300h
mov edi, 4384h
rep movs byte ptr es:[edi], byte ptr [esi]
cld
mov ecx, 0B6h
mov esi, 0FFFF1200h
mov edi, 4420h
rep movs byte ptr es:[edi], byte ptr [esi]
mov ax, 0
push 0F389h
call far ptr 0F000h:0EE63h
pop es

Unfortunately the bios file doesn't contain the expected 13 FF FF sequence at the right place.
The solution should be to decompress with the ADDCC utility, patch the resulting 02_POST_00020100_68YTT.dec file, compress it and re-inject the result into the bios file.
But as far as I know we don't have the compress utility.
SEMI, the creator of the ADDCC utility, can probably help us.

sebus
13 Sep 2010, 05:34
Doing it by trial and error this way seems to throw the compression into pieces ...
02_POST_00020100_68YTT.dec has 13 FF FF only once at 489C

The 13 corresponds to the 13 in 68YTT.bin at 130AB, the next byte is 11 (what would one need to change to get FE, if it is possible at all...)

sebus

nando4
13 Sep 2010, 06:53
HP 6715/6515 version F.07


Unfortunately the bios file doesn't contain the expected 13 FF FF sequence at the right place.


Doing it by trial and error this way seems to throw the compression into pieces ...
02_POST_00020100_68YTT.dec has 13 FF FF only once at 489C

The 13 corresponds to the 13 in 68YTT.bin at 130AB, the next byte is 11 (what would one need to change to get FE, if it is possible at all...)

If you change FF at 13110 in 68YTT.bin to FE, then you'll have your desired "13 FE FF" and "12 FE FF" opcode sequence in the right place as shown by the resultant decompressed 02_POST_00020100_68YTT.dec snippet below:


00004980h: F0 07 FC 66 B9 9C 00 00 00 66 BE 00 13 FE FF 66 ; .fœ...f..f
00004990h: BF 74 44 00 00 F3 67 A4 FC 66 B9 B6 00 00 00 66 ; tD..gf...f
000049a0h: BE 00 12 FE FF 66 BF 10 45 00 00 F3 67 A4 B8 00 ; ..f.E..g.

Please confirm this does enable SLIC 2.1 on your 6715/6515.

sebus
13 Sep 2010, 17:09
Can always use F07 to make a SLIC 2.1 enabled 6715/6515 bios if these other newer bios don't allow for the change.

Or change notebook (which I am about to do), or stay with MAK key (which I do)

But it is always fun to play with BIOS...

sebus

Yen
13 Sep 2010, 17:37
The disassembled code now makes sense (even to me). Trying to convert compressed data into code was not a good idea......:o:o

An expert for compression is apokrif. He developed a compressor / decompressor for Dell bioses. It seems difficult to figure out the decompression and write a compressor. The decompression routine is found in every bios.

pepito2
13 Sep 2010, 23:44
Hi,

Now that there is a mod for slic 2.1 I want to try to flash a "correct" bios for my 6820s. Apart from changing the slic I want to modify the date.

The date of the bios is 11/04/08, so I hex-edited the date to 11/04/10. I have decompressed the resultant bios and the only diff is the date in the 19_FFF65366_ROMBLOCK_ROM.bin file.

So it seems to be doable; what scares me is the name of the file... I'm afraid of modifying the romblock. As I might end up with a non-recoverable laptop, has someone tried it?

thanks

Yen
14 Sep 2010, 02:08
@SEBUS concerning HP6715/6515 version F.0E.

Once decompressed, the scheme is similar to the other bioses:

push 0F389h
call far ptr 0F000h:0EE63h
pop es
assume es:nothing
cld
mov ecx, 9Ch
mov esi, 0FFFF1300h
mov edi, 4384h
rep movs byte ptr es:[edi], byte ptr [esi]
cld
mov ecx, 0B6h
mov esi, 0FFFF1200h
mov edi, 4420h
rep movs byte ptr es:[edi], byte ptr [esi]
mov ax, 0
push 0F389h
call far ptr 0F000h:0EE63h
pop es

Unfortunately the bios file doesn't contain the expected 13 FF FF sequence at the right place.
The solution should be to decompress with the ADDCC utility, patch the resulting 02_POST_00020100_68YTT.dec file, compress it and re-inject the result into the bios file.
But as far as I know we don't have the compress utility.
SEMI, the creator of the ADDCC utility, can probably help us.

The first MOV, which reads 9Ch bytes from 0FFFF1300h, basically doesn't need to be patched. It's the public key data of the SLIC.
It's the same for HPQ-SLIC 2.0 AND 2.1.
Only the B6h bytes need to be read from the non-protected area to update the SLIC.
Don't know if that fact makes it easier to patch....

pepito2
14 Sep 2010, 03:33
For doing that, be sure to have the one I uploaded yesterday, 12 Sept 16h41 (GMT -1); the new HPQFlash allows a difference of version between Vert.txt, ver.sig and the date in rom.bin.
Anyway, if something goes wrong, it is improved.
Note: I've checked in ROM.bin, there are 3 occurrences of the date, 2 of them are partially compressed. I DO NOT recommend this modification.

Thanks for the response, though of the 3 dates I have found only one is the bios date: I have found the video bios date, the bios date and the network bios date. In which modules have you found the compressed dates? The November one (11/04/08) is only there once, or I have searched in the wrong way...

Thank you again

nando4
14 Sep 2010, 04:36
Thanks for the response, though of the 3 dates I have found only one is the bios date: I have found the video bios date, the bios date and the network bios date. In which modules have you found the compressed dates? The November one (11/04/08) is only there once, or I have searched in the wrong way...

You'd use ADDCCV3 to decompress the bios, find the dates, then alter the matching byte in the compressed bios, decompress to ensure you only hit your target date bytes and then do a checksum correction using the "wake on lan" string. A lot of work for a cosmetic change. Not worth it imho.

pepito2
14 Sep 2010, 14:41
You'd use ADDCCV3 to decompress the bios, find the dates, then alter the matching byte in the compressed bios, decompress to ensure you only hit your target date bytes and then do a checksum correction using the "wake on lan" string. A lot of work for a cosmetic change. Not worth it imho.

For the slic change, we don't correct the checksum. Why is it necessary in this one?

Also it is not a cosmetic change, it is safe to say that if some bios has slic 2.1 but is really prior (2 years) to the Windows 7 release, it is a non-genuine bios... I want to be on the safest possible bios mod.

I have edited the compressed bin. The only date which I can't change is the one with the version... (I have found them in 09_F000_000F0000_ROM, don't know why I didn't find them earlier...)

Thanks

sebus
14 Sep 2010, 17:10
Also it is not a cosmetic change, it is safe to say that if some bios has slic 2.1 but is really prior (2 years) to the Windows 7 release, it is a non-genuine bios... I want to be on the safest possible bios mod.


If that is your only reason then DEFINITELY is not worth bothering right now

sebus

pepito2
15 Sep 2010, 16:54
If that is your only reason then DEFINITELY is not worth bothering right now

sebus

Call me paranoid... :rolleyes:

I will have to wait for a compressor...:confused2:

nachin11
15 Sep 2010, 20:21
I would like to mod my nw8240 mobile workstation bios to add a SLIC table.
I have made a Uniflash copy of my bios and an RW report.
Could anyone help to insert the SLIC table? :)

sebus
15 Sep 2010, 21:20
Call me paranoid... :rolleyes:


I would call it something else...

TTAV134
16 Sep 2010, 00:34
@NACHIN11
concerning NW8240
No SLIC table in this BIOS, cannot be mod, sorry.

Yen
16 Sep 2010, 01:12
Doing it by trial and error this way seems to throw the compression into pieces ...
02_POST_00020100_68YTT.dec has 13 FF FF only once at 489C

The 13 corresponds to the 13 in 68YTT.bin at 130AB, the next byte is 11 (what would one need to change to get FE, if it is possible at all...)

sebus

I have fiddled with that..no chance for me as well (so far)..
But you can patch the previous version sp36583 F.07 (16 Jul 2007)

Offset 13111h FFh-->FEh.

sebus
16 Sep 2010, 03:32
Yes and no.

Yes, it can be done, BUT ONLY if one is on same or LOWER BIOS (and it works absolutely fine, 6715b WITH SLIC 2.1)

Once F.0E is installed, HPQFlash (even the "adjusted" one) will not allow a downgrade

09/15/2010 20:30:56.693 CConfirmFlashPage: DllhpqValidateROMCABImage failed
09/15/2010 20:30:56.708 CConfirmFlashPage: dwRetCode == DOWNGRADE_BLOCKED_BY_BIOS

I can cheat by changing ver.txt & it seems to go OK, till the actual flash is supposed to happen, then:

09/15/2010 20:41:16.664 FlashRomImage(): Write Block #1, Attempt #1
09/15/2010 20:41:16.679 Start Write Flash Rom Image Block
09/15/2010 20:41:16.789 End Write Flash Rom Image Block
09/15/2010 20:41:16.789 FlashRomImage(): Write Block #1, Attempt #1 FAILED, error code = 0x15
09/15/2010 20:41:16.804 Cannot flash block #1 because it is blocked by BIOS. dwErrCode = 0x15
09/15/2010 20:41:16.804 FlashRomImage: Failed to write block #1 to Flash ROM. dwErrCode = 0x15
09/15/2010 20:41:16.804 Flash Image failed: lBytesLeft = 1048576, dwOffsetLocation= 0, bStatus = 0
09/15/2010 20:41:16.804 Start Clear Flash-In-Progress
09/15/2010 20:41:16.914 ClearFlashInProgress(): passed. hr = 0x0, dwRetCode = 0x0
09/15/2010 20:41:16.929 End Clear Flash-In-Progress
09/15/2010 20:41:16.929 End Flash Rom Image (Write), bStatus = 0
09/15/2010 20:41:16.929 End flashing (Write) Attempt #1
09/15/2010 20:41:16.929 Flash Rom: Cannot downgrade, BIOS blocks it - Error code = 0x15
09/15/2010 20:41:16.945 ***** END FLASHING PROCESS *****
09/15/2010 20:41:16.945 Exit hpqFlashRom, bStatus = 0, dwErrorCode = 0x0015
09/15/2010 20:41:16.945 FlashRom returns bStatus = 0, dwErrorCode = 0x0015
09/15/2010 20:41:16.945 FlashRom in active mode failed, dwErrorCode = 0x0015

sebus
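For anyone reading these HPQFlash logs after the fact, here is an added example (my own code, not from the thread, from HP or from the tool) that parses log lines in the format sebus posted and reports whether the BIOS anti-rollback check rejected the image; the sample lines are a subset of the ones quoted above, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample: a subset of the hpqFlash log lines quoted in the post above,
# in the tool's "MM/DD/YYYY HH:MM:SS.mmm message" format.
SAMPLE_LOG = """\
09/15/2010 20:30:56.693 CConfirmFlashPage: DllhpqValidateROMCABImage failed
09/15/2010 20:30:56.708 CConfirmFlashPage: dwRetCode == DOWNGRADE_BLOCKED_BY_BIOS
09/15/2010 20:41:16.664 FlashRomImage(): Write Block #1, Attempt #1
09/15/2010 20:41:16.789 FlashRomImage(): Write Block #1, Attempt #1 FAILED, error code = 0x15
09/15/2010 20:41:16.804 Cannot flash block #1 because it is blocked by BIOS. dwErrCode = 0x15
09/15/2010 20:41:16.929 Flash Rom: Cannot downgrade, BIOS blocks it - Error code = 0x15
09/15/2010 20:41:16.945 Exit hpqFlashRom, bStatus = 0, dwErrorCode = 0x0015
"""

LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (.+)$")
# The tool spells the error code three ways; all carry the same hex value.
ERR_RE = re.compile(r"(?:error code|dwErrCode|dwErrorCode)\s*=\s*0x([0-9A-Fa-f]+)", re.I)
STATUS_RE = re.compile(r"bStatus = (\d+)")

def parse_hpqflash_log(text):
    """Split the log into (timestamp, message) pairs; lines without a timestamp are ignored."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append((m.group(1), m.group(2)))
    return events

def summarize_flash_attempt(text):
    """Tell a downgrade blocked by the BIOS apart from a file or hardware error:
    collect the error codes logged, the downgrade-block markers and the final bStatus."""
    error_codes = Counter()
    downgrade_blocked = False
    write_failed = False
    final_status = None
    events = parse_hpqflash_log(text)
    for _ts, msg in events:
        for code in ERR_RE.findall(msg):
            error_codes[int(code, 16)] += 1
        if "DOWNGRADE_BLOCKED_BY_BIOS" in msg or "Cannot downgrade" in msg:
            downgrade_blocked = True
        if "Write Block" in msg and "FAILED" in msg:
            write_failed = True
        s = STATUS_RE.search(msg)
        if s:
            final_status = int(s.group(1))  # the last bStatus seen is the exit status
    return {
        "events": len(events),
        "error_codes": sorted(error_codes),  # 0x15 is the only code in the sample
        "downgrade_blocked": downgrade_blocked,
        "write_failed": write_failed,
        "final_status": final_status,
    }
```

Run `summarize_flash_attempt(SAMPLE_LOG)` to get the summary for the quoted lines; a log from a successful flash would report no downgrade block and an empty error-code list.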

sebus
16 Sep 2010, 04:32
Even floppy recovery does not write older BIOS over the newer one!
Nor does the patched Rompaq...

True, probably not worth it, especially as, i.e., the 6715B has seen better days; the ATI X1200 is not really the most Win 7 friendly

sebus

sebus
16 Sep 2010, 05:05
Nice find, thanks

sebus