Found another utility driver to dump ram

https://github.com/SamuelTulach/EfiDump

This will help to analyze what’s parts of bios is in ram.

https://github.com/SamuelTulach/EfiDump

After short ram dump I was able to identify many pei drivers and programs from bios. Also parts of EC firmware are actually x86 subprograms, so EC firmware becomes more easier to understand.

Still need help with capturing spi bios rom readings from two sequences: ac plug in, poweron with healthy bios and non healthy.

There is 100 MHz analyzer need.

Also need help with reverse engineering of arm programs and possibly soon we will return modding ability to bios

Bless this fucking man for giving HP and DRM crippleware the middle finger! Say no to encrypted/locked down BIOSes!

That good article:

https://habr.com/ru/post/185764/

ProductionSignedBiosSmm / ProductionSignedBiosDxe



ENTIRE BIOS:
The BIOS begin from adress 700000h






RSA SIGN KEYS BASED ON ZBOOK G3 153 BIOS UPDATE
(HP Notebook System BIOS 01.53 Rev.A)

Zitat

---

KEY 01 (BOOTLOADER?)

Offset at update: 47C184
Offset at update (second): 701184

Offset at ENTIRE BIOS: B7C184
Offset at ENTIRE BIOS:(second): E01184

1
 

24A24812CBF4F9A9BF6A8D000C123BB77196BD2660EF1FB875A208690B05C9B75351AA16D92B08C622D35DD63E112DA1DE7F8368A2A240EA9883FADECBE917EE5A4D72F3B5E8EC479D57B3186F9BE6DEBE446F372324F2B9FFDA974F2A1409012D097740C5648D52BF1BC071216069E8A9779C92239176DB9DD60ED15718AA9358003AFD966A1486A54F684D7C28D1300EA2618335956B951BAD5E2C4FC06597FE32DB40201F02BFCE03887ADEE35ADFC8B3EA8757EEF43BA6653C8E60F57F42BFFE5D3C677A0F73E23474D7F052ED15669C4D92C5A09817B7465085D8BE7C7354C29F3EF8BD50B583B3ED801E366E3E10E11B39EAD803F0A3238945C798F01E
 

KEY 02 (EC FIRMWARE)

Offset at update: 43C208
Offset at update (second): 6C1208

Offset at ENTIRE BIOS: B3C208
Offset at ENTIRE BIOS:(second): DC1208

1
 

610AF5E7782CACA10507CB5A83188660D3900089EB1854C8214DB38A28B303649EDC041C2907BCD255A51A242B00285777605243EAD4D594E31209CB4EB0ABE012E5460312C6D1DB1F2A8C27DA7DF21BBA68C7E32F3FDE7FC4DA1AEEE486917D5826DFBFA0719DB4C770F05E2FE5F23B0B41B57CFAC212D74A9BA2B7376BF3D42CE0CC44217E1DBE2B42EADA431D0F984366A2DC48C6B1A824F013FE5F699ADE624F5BCEB7D2B6900783A953875DBF500044752874241C2AEF0B53F5B89015E84ED61F801D91C83225C36E9042EA10EFED16AB7D07199109DAB3A4B45474EF7F3C36EA8DB8A4F407A033797E7BD7C192702E5AB4A0073224759A72970702D04C
 

KEY 03 (Padding1_Volumes)

Offset at update: 48030
Offset at update (second):

Offset at ENTIRE BIOS: 48030 + 700000 = 748030
Offset at ENTIRE BIOS:(second):

1
 

46F89A6E0ACD180527B4F496636C661D5CACA13A9C64D0B07EE0EFE7904ED9EC78529839F4B48E13EF6A11EB652A1816C742462A433096DD58CECE3FE7257C868A16C9086C1E914A2118FF0D10C63B89C5F01E91A1801406D39E89449F38C67F07336F5C87FB3605D50A3CCFE7EA5DED835D1F1C5E347B75C87B2477EF5FCC40A39A0532B30C4BA36C45AB2B28506D10D5F90ADDE2814C25EACF93BCE462982DE91E78CE19DAA0E8E44F137605A0740BF8DF32A026A64589BF43C01418048B6929B537A49D2E006C99C8277357BBAEE8AA947736A2D8D77A58E92B36A174627D6E329EF95C1C415680D307209BB25A8C40F2BABF197F84A52D6E51E339DDFE74
 

KEY 04 (Padding1_Volumes)

Offset at update: 48378
Offset at update (second):

Offset at ENTIRE BIOS: 748378
Offset at ENTIRE BIOS:(second):

1
 

ECD06CFED26C4FD60D01C248E7234AC9569B6B00B24AB209F163DFBDAAB340573FCF9F95E3F6DEBC4A051241D4C1A3947D1DD84DB767E2EFDC92AE141ED1D5D7241E986B0B8364E3C4135FC37C40FEC5E36378229A4352E2EA607FFEA8B26DADE15CBAD26F7164B2CEC717C8D537999A32D773CB5E8F91733D9C1D8ABEBE1E1345037380F766735FC493BFD348D460826668F8ED8F8615B5ED1291D1C7B00476DA0403E2832885497065E9A0E9BD1E2F07F70D24ED4A105F53311584DBD03C8A92CAB9926D9BA1059D58527BC6BE130878A4CF9310C525FD94A569E1541AE607F5B8DE9AF86BB18CC59FA8DFABE996C5B8D34FBCF474CCC9217D94D52F267574
 

KEY 05 (Padding1_Volumes)
(Appears more than one time)

Offset at update: 48478
Offset at update (second):

Offset at ENTIRE BIOS: 748478
Offset at ENTIRE BIOS:(second):

1
 

953691FD3661B5C4BA1CEE79F576E196C7FB703861C50E09999F19CCB27D39335F49E317D9BD9A41935292C9CFD81E42F4067505F2219C7ABD9E27D19A41E38E1006C47DBBAE62CACC4A569CDE7DB21273B46BD684CB80DCA74B72FA1E8440FFD668345C197DD636F18B3C623E7D7FF1916A40BD14627F1831862BDFDC37F1EB50D1151C2E68753BF8B7330148E749506D80610D5F316AFEDB783A8B522A1AEFB90556F3AC367699BD0ADB692303829D6DDBD4735AE4DACB8FDAA60B1044364C07F16EDEE7D670989BADEC08E703ACD17FDAD0494FB3EFAAFCADE9999163FFD397A8E71AF343A2FA063677A3B23F2D8C25E0C0A9A937CB212A9E30DC1D25C426
 

KEY 06 (Padding1_Volumes)

Offset at update: 48578
Offset at update (second):

Offset at ENTIRE BIOS: 748578
Offset at ENTIRE BIOS:(second):

1
 

4038C6D1CFBF588B83B4B29A33DE4EDDA86CC0C366081AF001A3AFF211CADE6874E831D5EB2E387C2453202D06833E9ADF85AEC4231A4A93C01EB88337AEB324900C9FF4D03B25AC7E457E2B33AEE28899EF35621354DC5423AA32318BC7F6587A23572F87505F5C33D4D655BB391A44B6646765F6EFCC48B1FA257C46F2AB6130109EFEB645BEF8F99F6915AD3FAC1A076766E649190CDA8DB8320F457CB08B1776F45F73E924E8B907C81C1A44D117800FEF1918FE761BA15ACE1F2C0CE6BBC00D006EB5DB2DA6D6326184935805F00A01CF881BEF9EB114065773ED9DFDD91D0E86866648C8C0FB472B3751AE713D13A3F8CFCA849981294A479ED63FA2A1
 

KEY 07 (Padding2_Volumes)

Offset at update: 3F4030
Offset at update (second): 679030

Offset at ENTIRE BIOS: AF4030
Offset at ENTIRE BIOS:(second): D79030

1
2
 

5F2121D54EA52FD299565F285DA55E5063543CFB536392BB974D298F180E8115F05EEA0D134446CFAF30E9C493AE6E9EDC4B78617C21E318D06E4566E9D0E58A141B48ACAB3DC9E8EBE7C274AE0888BB7EEEBA7AECCBEA9433B6987FB2ABFB91E0C1A511531C50047F8BF4E7F567776981B469ADBB93BE0A394B576F720947C4E807B3D1ADE1A46771F3B3F1D1AC79542C4921CA438E0D20F5D1360B9044F59FA03502467165718231EB7D92A72EBE1B96E230CD626A6D78962539E9420B56CC94F38AB0E0D5FE1B6D33314AAEF7A75C56A02F8ECECF83A3CA6A04D71D0A4DA42233882D0F3EE6B0C90C52883300340657CC52AAECC4F1C72CF671AFDEB80108
 
 

KEY 08 (Padding2_Volumes)

Offset at update: 3F4130
Offset at update (second): 679130

Offset at ENTIRE BIOS: 3F4130
Offset at ENTIRE BIOS:(second): D79130

1
2
 

D9931A7AB3B09EC1237387740E4CF42448794ACC27AE401955A78FAFE796AA569E167DA027439D23C8B0F62B04A5561E940B5C7CC3C7F52E30B23CF0861D7B93E5E8F9F03038700C0D9084CD955A68DDE8927854DE78D81C3DB47705E6D83C9FF70348B3157B74659265833F67334AEFF5ED464E67265C65439C8A6F5FF9DE496066A7D279416B723F82373A85542F528234AAB88264741E59657F6032B3A1D632911330274DBC2DA7CE9825444B8C747D58709CB1448FA5CEF4E5831957EBF98F541A9B35C1CB457217BC983F24805B52A94EB4D154DA94540C77004731DB3DF279EBD4D48F17ECE6CCEBBF6A700FC3F77DCCF69AE7D80ED42B37C828000A9E
 
 

KEY 09 (Padding2_Volumes)

Offset at update: 3F4378
Offset at update (second): 679378

Offset at ENTIRE BIOS: AF4378
Offset at ENTIRE BIOS:(second): D79378

1
 

00843D038A0EAEC2F0A2AF935CC99C713A6250152640544743B553FD59F36B75346914073EC5881EC4349E59961B3AE6D78CC379E1128E0463602F91ACCE07E2F7D5DCDFDCEE14A7F06749B1A17DC1CE449CFBF13D937D773A6DBD36298ADBC656C5EDA0DCCF21185CEAB465B0C65AADAFCEF7920FB759A8F5D53FDDE10534AF0675A109AE3E3A844CCE3C7897ABA1A7EA4F907819552320999AA90AF74A2B9E1FD0E3ADC0E70525FE36BB1A6624C2FFBEF92811DF0A99FBB9BD4003351784B089E6AD3CAB353622C143B9B53CA9DD23007C2776966A5A78671409667796630A4CB6911710275058672F1618B7C0C4F105CB3C5604A76372A2E8CC164F5E0875
 

KEY 10 (Padding2_Volumes) (Appears second time)

Offset at update (first): 48478
Offset at update (second): 3F4478
Offset at update (third): 679478

Offset at ENTIRE BIOS(first): 748478
Offset at ENTIRE BIOS(second): AF4478
Offset at ENTIRE BIOS(third): D79478

1
2
 

953691FD3661B5C4BA1CEE79F576E196C7FB703861C50E09999F19CCB27D39335F49E317D9BD9A41935292C9CFD81E42F4067505F2219C7ABD9E27D19A41E38E1006C47DBBAE62CACC4A569CDE7DB21273B46BD684CB80DCA74B72FA1E8440FFD668345C197DD636F18B3C623E7D7FF1916A40BD14627F1831862BDFDC37F1EB50D1151C2E68753BF8B7330148E749506D80610D5F316AFEDB783A8B522A1AEFB90556F3AC367699BD0ADB692303829D6DDBD4735AE4DACB8FDAA60B1044364C07F16EDEE7D670989BADEC08E703ACD17FDAD0494FB3EFAAFCADE9999163FFD397A8E71AF343A2FA063677A3B23F2D8C25E0C0A9A937CB212A9E30DC1D25C426
 
 

KEY 11 (Padding2_Volumes)

Offset at update (first): 3F4578
Offset at update (second): 43C008
Offset at update (third): 679578
Offset at update (forth): 6C1008

ALSO AT FILE: Section_PE32_image_492522E7-FE60-4361-A463-A237A5A5F397_0292

Offset at ENTIRE BIOS(first): AF4578
Offset at ENTIRE BIOS(second): B3 C008
Offset at ENTIRE BIOS(third): D79578
Offset at ENTIRE BIOS(forth): DC1008

1
 

0913013D819ACCC69A5E5FA22DB6F05D28CB37505BD8E1C629BBDBDD6DCB271FB4A3CF5147ECA29D08167324EA08DBCDC8BA0A5054DE97A1B4490896778ED095C010F646E933F2C3766A57D6C7A1701890FA6608C4BC442DB59FB4A5C8580B17058F68732AC1ACB08C208C8D1F6F3B7928A365490A05803E76523C58B7D830B5C6E45DB71B57487C155D951E430898CA9122400A40D3568BDF1C20F472FA0E69C6F786BB5526A0C62B59F1A18505228D366B28A5D36F56553AD8DCEF694C2EC700C67BAA0679F5B4E9D04E4B1832FB218ACAE741E71FEE87A7B9AD72668E34FEE14A2A95461BBE2E5D7F18BFB34134ECA062BDDD6D4A28381E1693B01C6819A2
 

---

The other 2-3 keys could be hidden inside of volumes, so I will leave some space to continue

N81_0153.zip (4.95 MB)

just a thought, bigguygeo , have you tried to contact or coordinate with Coreboot community?
IIRC they made some progress about EliteBook/ZBook s’ embedded controller to enable that open sources firmware running on them.
you are doing something meaningful but pretty hard,what a man!

Hi! Sorry for late response. Most of time I’m on techpowerup forum, wx4150 vbios modding.


By the way, I have found some interesting stuff:

I made connection to Embedded controller with proper bios which is original and cut ChipSelect pin at motherboard. The trick is: Embedded controller will check signatures on fake original spi rom, but hacked rom will be connected to pch. And here is results:
- only one oem installed spi rom with wrong signature - results are next: no powering of cpu, pch powering is jumping. Embedded controller is trying to reflash spi, but it is writing same damaged bios and results are loop boot.
- if there is fake rom added, the system will power on properly, all voltages are okay but something is executed and check signatures again. Anyway there is no image or messages on screen to know which bios module to rewrite.

So that’s a method to bypass embedded controller but also need to bypass some pei modules which will hold system execute. Also I have noticed that pcie interface is hold. So system is stopped

After a lot of time spent on this project, still have no positive results. So will close project.

By the way, Binary Ninja can properly disassemble Embedded controller firmware as arm v7 thumb2. Everything is correct. But embedded controller firmware is also protected by rsa. But some code has links to rsa signatures but I have no idea how to work with arm type disassembly