This is no request thread! HP COMPAQ bioses, how to modify the bios?



sebus
11 Aug 2009, 16:57
I've made some additional tests

So, I think different checksums are inserted in the Bios and rompaq doesn't flash the SLIC part because the appropriate checksum is wrong.
If Mutante (our asm killer) can investigate the message shown by rompaq (press F10 blabla) and find which parts of the bios file are checked, I think we can find a solution.

Thanks all... and good night

Yes, Rompaq must check either CRC32 of the file or a checksum of a specific bit of it (which one?)
Unless we can bypass this check we will get nowhere

sebus

TTAV134
11 Aug 2009, 17:35
hello,

@YEN, SEBUS, others

As I wrote in a previous post here (http://forums.mydigitallife.info/showpost.php?p=106640&postcount=113) only the first occurrence of the slic marker has been changed in the BIOS.
We can imagine that the SLIC table is in the protected bootblock zone.
I've not yet found a way to force HPQ Flash to update the bootblock.

Any idea?

Yen
11 Aug 2009, 18:58
hello,

@YEN, SEBUS, others

As I wrote in a previous post here (http://forums.mydigitallife.info/showpost.php?p=106640&postcount=113) only the first occurrence of the slic marker has been changed in the BIOS.
We can imagine that the SLIC table is in the protected bootblock zone.
I've not yet found a way to force HPQ Flash to update the bootblock.

Any idea?

That's interesting! Could you please upload the saved bios backup?
I wonder if the 'BBL' area would be updated with right sums...

are there 'hidden' options at flashtool??? Undocumented switches.....special tools here at forums? I'll have a look..

TTAV134
11 Aug 2009, 19:15
That is only ADDCC v2 with 2 BIOS files
That is nothing new.

As we said, identical checksum makes NO DIFFERENCE to the rompaq, so could we just drop this line of enquiry as it makes no sense

The only way to get it going is to STOP rompaq checking whatever it checks

sebus
hello,

First step: how to flash a mod file.

There are 3 approaches: patching the flash tool, trying to find a CRC/checksum, memory patching with HxDEN.

Now the first step was taken by memory patching with HxDEN.

Second step: How to force the protected SLIC table to be updated in case of a Bios with 2 occurrences.

that's the challenge.

TTAV134
11 Aug 2009, 19:21
That's interesting! Could you please upload the saved bios backup?
I wonder if the 'BBL' area would be updated with right sums...

are there 'hidden' options at flashtool??? Undocumented switches.....special tools here at forums? I'll have a look..
hello,

No need to upload the "backed-up file". I've checked with Ultracompare: only the first marker zone is 2.1, the second one is still at 2.0; apart from that, no difference.

regards

mutante
11 Aug 2009, 19:29
I think that in-memory patching, a rompaq patch or an HPflash patch will not work. I think that when the computer resets to copy the new bios over the old bios, it checks the new bios, so we only have one solution: find how it checks it.

Or perhaps I'm missing something?

Hotpepper
11 Aug 2009, 19:35
Let me tell you only as a comment that I checked the BIOS history of my new notebook (8530p). The interesting thing is that the first version of its BIOS (F.02) came with a SLIC 2.0 and it was updated this year to a SLIC 2.1 by HP itself.

It only has one SLIC marker in it but it's an EFI BIOS though.

Nevertheless very interesting thing...

So there is of course a way to update the BIOS to a new SLIC. We just have to find out the way!

Yen
11 Aug 2009, 19:39
Let me tell you only as a comment that I checked the BIOS history of my new notebook (8530p). The interesting thing is that the first version of its BIOS (F.02) came with a SLIC 2.0 and it was updated this year to a SLIC 2.1 by HP itself.

It only has one SLIC marker in it but it's an EFI BIOS though.

Nevertheless very interesting thing...

So there is of course a way to update the BIOS to a new SLIC. We just have to find out the way!

To use an EEPROM programming device!:D:p:)

Yen
11 Aug 2009, 19:48
I think that in-memory patching, a rompaq patch or an HPflash patch will not work. I think that when the computer resets to copy the new bios over the old bios, it checks the new bios, so we only have one solution: find how it checks it.

Or perhaps I'm missing something?

We probably have to force the tool to flash the bootblock. I guess the BBL has an additional checksum like other bioses as well...

ecpeachy
11 Aug 2009, 20:27
From what I see posted here, laptop BIOSes are very difficult to MOD: a special thread for Dell, HP, and the Lenovo ways, not to mention Toshiba's own BIOS.

We are blessed to have this forum and all the experienced modders helping, but one question keeps humming in my head.

Which brand is easier to MOD? Yea, I know phoenix is hard, but is there one that won't make you wanna pull your hair off trying to figure out how to do its BIOS?

Yen
11 Aug 2009, 21:12
The second occurrence of SLIC.....

Well it seems HP has copied a range of B000h bytes just a second time..

First occurrence at offset E5000-EFFFFh
Second occurrence at offset F5000-FFFFFh.

The sums at both blocks according to ADDCC and my mod are the same.

It's NOT a bbl code, but a protected area..... the first seems to be updated the second is protected......what about to make the bios to read the first SLIC? I'll have a look...
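
The comparison described in the post above (two copies of a B000h-byte range, at E5000h and F5000h), as an added example that is not part of the original thread: it reads a firmware dump, hashes both copies and lists the byte runs where they differ, which is how an analyst confirms from a dump that one copy was rewritten and the other was not. The 1 MiB sample image and its 6-byte marker layout are constructed for the demo and do not reproduce a real SLIC table.

```python
import hashlib

# Offsets quoted in the post above; the length follows from them.
FIRST_START = 0xE5000
SECOND_START = 0xF5000
REGION_LEN = 0xB000          # E5000h..EFFFFh inclusive


def find_all(image: bytes, needle: bytes) -> list[int]:
    """Return every offset at which needle occurs in image."""
    hits, pos = [], image.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = image.find(needle, pos + 1)
    return hits


def diff_runs(a: bytes, b: bytes) -> list[tuple[int, int]]:
    """Return (offset, length) runs where two equal-sized buffers differ."""
    if len(a) != len(b):
        raise ValueError("regions must be the same size")
    runs, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(a) - start))
    return runs


def compare_mirrors(image: bytes) -> dict:
    """Compare the two copies and report digests, markers and differences."""
    if len(image) < SECOND_START + REGION_LEN:
        raise ValueError("image too small to hold both regions")
    first = image[FIRST_START:FIRST_START + REGION_LEN]
    second = image[SECOND_START:SECOND_START + REGION_LEN]
    return {
        "first_sha256": hashlib.sha256(first).hexdigest(),
        "second_sha256": hashlib.sha256(second).hexdigest(),
        "markers": find_all(image, b"SLIC"),
        "diff_runs": diff_runs(first, second),   # offsets relative to region
    }


def build_sample(first_ver: bytes, second_ver: bytes) -> bytes:
    """Constructed 1 MiB image: 0xFF fill plus a fake marker in each copy."""
    image = bytearray(b"\xff" * 0x100000)
    for start, ver in ((FIRST_START, first_ver), (SECOND_START, second_ver)):
        image[start + 0x100:start + 0x106] = b"SLIC" + ver
    return bytes(image)


if __name__ == "__main__":
    report = compare_mirrors(build_sample(b"\x02\x01", b"\x02\x00"))
    print([hex(m) for m in report["markers"]], report["diff_runs"])
```

Differing digests with a short list of runs point at the exact bytes that changed in only one copy; identical digests mean the two copies still agree.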

Hotpepper
11 Aug 2009, 21:23
The question is why it's in the BIOS image when it's in a protected area that is not updated?

Has anyone looked at the HP DMI Tools that someone posted? There is a possibility to change the OS SKU from XP to Vista and vice versa. I don't know what notebooks are supported by this tool, but if there is such a tool, there MUST be a way to change the SLIC in the protected area.

mutante
11 Aug 2009, 21:59
I can only update my Bios tonight. But maybe "andmail" is available...
Can you detail your mod please? You patched second SLIC marker and correct checksum? Right?

Thanks mutante

Of course :-)

I have updated both SLICs and then corrected some text (I hope innocuous) bytes to make the additive checksum match.

mutante
11 Aug 2009, 22:01
The second occurrence of SLIC.....

Well it seems HP has copied a range of B000h bytes just a second time..

First occurrence at offset E5000-EFFFFh
Second occurrence at offset F5000-FFFFFh.

The sums at both blocks according to ADDCC and my mod are the same.

It's NOT a bbl code, but a protected area..... the first seems to be updated the second is protected......what about to make the bios to read the first SLIC? I'll have a look...

This is why I have changed rom.bin today. I have seen that only one slic table was changed at the previous one

What do you think?

shift-del
11 Aug 2009, 22:30
First of all, I want to clarify this comment is posted as one of my friends' request. HE (not me) has done the successful update.

HP Compaq nc8430 to F.16 @ SLIC 2.1 has been flashed successfully. The method used nfsuw's idea (http://forums.mydigitallife.info/showpost.php?p=105649&postcount=64) and has been combined with TTAV134's method (http://forums.mydigitallife.info/showpost.php?p=106203&postcount=91). So the success of this method can be confirmed. Be advised this is not valid for every HP notebook and for every BIOS version. Do it at your own risk.

Feedbacks of this method are welcome.

p4spooky
11 Aug 2009, 23:11
That's great news. I have been following this thread and trying to learn. Can you post a link (or upload) to nc8430 modified SLIC 2.1 bios?

Thanks


First of all, I want to clarify this comment is posted as one of my friends' request. HE (not me) has done the successful update.

HP Compaq nc8430 to F.16 @ SLIC 2.1 has been flashed successfully. The method used nfsuw's idea (http://forums.mydigitallife.info/showpost.php?p=105649&postcount=64) and has been combined with TTAV134's method (http://forums.mydigitallife.info/showpost.php?p=106203&postcount=91). So the success of this method can be confirmed. Be advised this is not valid for every HP notebook and for every BIOS version. Do it at your own risk.

Feedbacks of this method are welcome.

Pyotr
11 Aug 2009, 23:18
First of all, I want to clarify this comment is posted as one of my friends' request. HE (not me) has done the successful update.

HP Compaq nc8430 to F.16 @ SLIC 2.1 has been flashed successfully. The method used nfsuw's idea (http://forums.mydigitallife.info/showpost.php?p=105649&postcount=64) and has been combined with TTAV134's method (http://forums.mydigitallife.info/showpost.php?p=106203&postcount=91). So the success of this method can be confirmed. Be advised this is not valid for every HP notebook and for every BIOS version. Do it at your own risk.

Feedbacks of this method are welcome.

Yes, but the nc8430 is a different HW platform: Napa chipset i945pm, easily upgradeable with rompaq from the nx9420 (also Napa platform). Almost all problematic HP laptops are Santa Rosa i965pm chipset and newer. HP did change something in the newer releases and probably prevents easy upgrade of SLIC...etc

sebus
11 Aug 2009, 23:30
Same problem applies to AMD laptops like 6715b, double SLIC

sebus

Pyotr
11 Aug 2009, 23:39
That's great news. I have been following this thread and trying to learn. Can you post a link (or upload) to nc8430 modified SLIC 2.1 bios?

Thanks

http://forums.mydigitallife.info/showthread.php?t=7681&page=3

shift-del
12 Aug 2009, 00:18
That's great news. I have been following this thread and trying to learn. Can you post a link (or upload) to nc8430 modified SLIC 2.1 bios?

Thanks

There is no modified BIOS; the modification has been done in memory while re-flashing the original unmodified F.16 @ SLIC 2.0. After starting the upgrade process, the updater checked the ROM for errors. After the successful check you can modify the ROM to be flashed with a hex editor and save the changes to the memory (IIRC). Following the modification you can continue with the update process with the modified BIOS. So in reality you trick the updater program itself. I think the backed up ROM could not be flashed to another notebook because of CRC check error, but it works on that given computer. I hope I could help to clear up things.

Personally I own a 6510b so I hope someone creates a method/program which works in any circumstance.

pcotter
12 Aug 2009, 00:34
Hi

Reporting successful modding of Bios version F.0E using the following instructions:

http://forums.mydigitallife.info/showpost.php?p=106203&postcount=91

Thanks

Pyotr
12 Aug 2009, 01:01
That's great news. I have been following this thread and trying to learn. Can you post a link (or upload) to nc8430 modified SLIC 2.1 bios?

Thanks


There is no modified BIOS; the modification has been done in memory while re-flashing the original unmodified F.16 @ SLIC 2.0. After starting the upgrade process, the updater checked the ROM for errors. After the successful check you can modify the ROM to be flashed with a hex editor and save the changes to the memory (IIRC). Following the modification you can continue with the update process with the modified BIOS. So in reality you trick the updater program itself. I think the backed up ROM could not be flashed to another notebook because of CRC check error, but it works on that given computer. I hope I could help to clear up things.

Personally I own a 6510b so I hope someone creates a method/program which works in any circumstance.

What are you talking about? p4spooky is asking about the nc8430, which was successfully modified to SLIC 2.1 and confirmed by me and one other mdl user at least. It might not work with HPqflash and memory mod ... but it is working with rompaq from the nx9420 package; you can find everything for the flash there:
http://forums.mydigitallife.info/showpost.php?p=104021&postcount=23

ADMiNZ
12 Aug 2009, 01:55
Status: Error

shift-del
12 Aug 2009, 03:19
What are you talking about? p4spooky is asking about the nc8430, which was successfully modified to SLIC 2.1 and confirmed by me and one other mdl user at least. It might not work with HPqflash and memory mod ... but it is working with rompaq from the nx9420 package; you can find everything for the flash there:
http://forums.mydigitallife.info/showpost.php?p=104021&postcount=23

OK, I correct myself. In MY FRIEND's case no modified BIOS has been used. I know there is a modified BIOS for nc8430 but my friend's goal was to confirm the real-time memory mod worked in his case. It might help other people to modify their BIOSes with the mentioned method. He thought it is not restricted to a given model and BIOS version like your confirmed nc8430 F.16 BIOS, that's why he wanted to share the information. No offense please. :D

It's a pity it is not so general as we thought.

Yen
12 Aug 2009, 03:20
mutante, ADDCC contains a decompressor. If you cut the first FFh byte area from the biosfile it's able to decompress the modules. Do you think there is a way to make the bioscode to read the FIRST occurrence of SLIC which can be modified?
We have to find the call and modify it so that it calls the first occurrence..it's the same code!!! Possible? Too dangerous?

p4spooky
12 Aug 2009, 03:30
OK, I correct myself. In MY FRIEND's case no modified BIOS has been used. I know there is a modified BIOS for nc8430 but my friend's goal was to confirm the real-time memory mod worked in his case. It might help other people to modify their BIOSes with the mentioned method. He thought it is not restricted to a given model and BIOS version like your confirmed nc8430 F.16 BIOS, that's why he wanted to share the information. No offense please. :D

It's a pity it is not so general as we thought.

No problems, I saw the response from Pyotr and will use his modified bios tonight :D

Pyotr
12 Aug 2009, 03:42
OK, I correct myself. In MY FRIEND's case no modified BIOS has been used. I know there is a modified BIOS for nc8430 but my friend's goal was to confirm the real-time memory mod worked in his case. It might help other people to modify their BIOSes with the mentioned method. He thought it is not restricted to a given model and BIOS version like your confirmed nc8430 F.16 BIOS, that's why he wanted to share the information. No offense please. :D

It's a pity it is not so general as we thought.

Ok no problem, just want to help p4spooky:D.
But now I understand thanks!

shift-del
12 Aug 2009, 04:35
Don't mention it. I hope he could manage to update his laptop. Unfortunately I have to wait for mine, because it is a Santa Rosa based one. :cool:

mutante
12 Aug 2009, 05:00
mutante, ADDCC contains a decompressor. If you cut the first FFh byte area from the biosfile it's able to decompress the modules. Do you think there is a way to make the bioscode to read the FIRST occurrence of SLIC which can be modified?
We have to find the call and modify it so that it calls the first occurrence..it's the same code!!! Possible? Too dangerous?

I have decompressed it, but I haven't found where it is verified. I'm afraid that the code to do it is not there, perhaps on some ROM hardcoded in the computer.

So the question right now is that there is another checksum somewhere that has to be corrected, because rompaq tells us so.

mutante
12 Aug 2009, 05:04
Hi again Mutante.

I just flashed my Bios with RomPaq.exe and your modded Bios
With original RomPaq.exe

C:>ROMPAQ /U
Reading file...
(some seconds)
Error in file content read from disk.
Please try recreating file or disk.

With your patched RomPaq.exe


C:>ROMPAQ /U
Reading file...
(some seconds)


The code used to verify the integrity of your BIOS does not
match what is currently on your system. This could cause
parts of the BIOS to be skipped when updating leading to
unpredictable results including failure to boot. It is very
strongly recommended that you not proceed with the update.


Press
F10=Continue, ESC=Cancel
(I press F10)
Updating bank 1 (from 1 to 15)
BIOS image was updated from 68MAD.BIN (11/25/2008)
The new BIOS will be used the next time the machine is powered up


I rebooted my laptop; my Bios is updated but my SLIC is 2.0 (not updated) :(

Mutante, can you find the asm procedure showing the message (press F10 blabla) and find why this message appears?

Thanks

Thank you very much. I think it clearly tells us that after flashing the ROM (although it is incorrect, checksum I mean), when something is going to install it and the checksum fails, it doesn't install it.

Once again a hidden checksum must be there.

Yen one question do you know where the additive checksum is stored? I can't find it.


People what do you think?

mutante
12 Aug 2009, 05:07
mutante, ADDCC contains a decompressor. If you cut the first FFh byte area from the biosfile it's able to decompress the modules. Do you think there is a way to make the bioscode to read the FIRST occurrence of SLIC which can be modified?
We have to find the call and modify it so that it calls the first occurrence..it's the same code!!! Possible? Too dangerous?

Hummm I think it could be dangerous, but we'll try it if everything else fails :-)

I have asked you on another post but I'm going to repeat the question, do you know where is the additive checksum stored? (the addcc checksum) I can't find it.

And one more: is there a compressor? The person who did the decompressor should be able to do a compressor, I think.

gregg
12 Aug 2009, 05:23
Thank you very much. I think it clearly tells us that after flashing the ROM (although it is incorrect, checksum I mean), when something is going to install it and the checksum fails, it doesn't install it.

Once again a hidden checksum must be there.

Yen one question do you know where the additive checksum is stored? I can't find it.

People what do you think?

I agree that hpqflash and rompaq both check a hidden checksum in the bios. That's why rompaq warns me about an integrity error...

I think same checksum is checked in hpqflash and rompaq, so maybe it is easiest for you to disassemble hpqflash to find checksum check routine.

For the additive checksum, the ADDCC tool is made for other bioses, not 68MAD with a double marker. So I'm not sure the current checksum correction is really useful for us.
If I try to patch my Bios with the modded Bios and the modded Bios with checksum corrected, I have exactly the same messages when using your patched RomPaq... and the original RomPaq is unable to read both modded Bioses.

You patched RomPaq to bypass the Bios file check; maybe we can do reverse engineering to find the routine checking Bios file integrity...


Thanks

sebus
12 Aug 2009, 05:33
I was saying all along, the 4 byte additive checksum (that only ADDCC seems to be able to calculate, did not find any other utility to do it) is useless in this case.
As the rompaq is provided PER BIOS file, that means that they can program it to check a very specific part of the file. Would not be surprised if it was checking exactly where the SLIC is.
So unless you guys can bypass this routine I do not think we can get lucky.

Or maybe there is a way to produce rom.sig & ver.sig for the modified rom.bin used with hpqflash?
And use it to flash with original exe, but mod BIOS file?

sebus