InsydeH2o tests with newer RSA encryption

Hello! I need some help with InsydeH20, about accessing/modifying hidden settings.
I have used Donovan6000’s archived blog’s steps and used Andy’s SLIC tool to extract the uefi “SetupUtility” module and Donovan6000’s IFR extractor to make it readable.

Tried but failed : Using H20EZE tool to get setup menu and modifying values from there, but that errored out and now I’m trying to manually change the settings.

Background : I have extracted the “SetupUtility” Module from the UEFI update, I can see the “hidden settings” and its values, more information in the pastebin can be found.
Problem : How do I try to “Enable all/most settings”?
The statement:
“Suppress If: {0A 82}” and
“Grayout If: {19 82}”
is present throughout the entire “hidden settings” menu.
I don’t have any prior knowledge about insydeh20 modding (or if its doable/passable), would appriciate any help/any tips to know what should I do next.

Please link me to the stock BIOS download page for this system. Do you have flash programmer?
If not, I suggest you order one, and wait until it arrives and you’ve used it to get a backup made and had someone confirm it’s OK, before you attempt to flash any mod BIOS (because it may be internally RSA signed and brick upon edit)

Answering your questions :
1) I do have an external flash programmer, its the most popular one or whatevers.
2) I cant link the F.29 bios version, because the link does not exist (Reason is stated in section 2.1)
2.1) In HP support section, oldest “public” bios update is F.38 REV A (if you search trough the HP public FTP server, and check update notes, the .html thingy at every update, it should usually say - Supersedes : updatepackagenumbers.exe or whatevers )
2.2) Link da links :
ftp://ftp.hp.com/pub/softpaq/sp78501-79000/sp78534.html (for verification, that its somehow earliest version, even tho I have an F.29 version)
ftp://ftp.hp.com/pub/softpaq/sp78501-79000/sp78734.exe (actual “earliest” bios, version F.33 (this is currently disassembled!))
ftp://ftp.hp.com/pub/softpaq/sp79501-80000/sp79827.exe (version I want to flash to/modify)
Everyone hopes for the best and hopes that the bios is NOT RSA signed.
Fun notes/sightings for my bios :
In the IFR extractor/module text file I saw this interesting thing :

0x96357 Setting: H2OUVE Support, Variable: 0x1A7 {05 91 0F 15 10 15 30 00 34 12 A7 01 00 10 00 01 00}
0x96368 Option: Disabled, Value: 0x0 (default) {09 07 0B 03 10 00 00}
0x9636F Option: Enabled, Value: 0x1 {09 07 0C 03 00 00 01}
0x96376 End of Options {29 02}

What could this indicate? I am curious of that setting.

Sidenote : I am currently doing a project on HP Hardware UEFI diagnostics, and possibly modding that to allow flashing of unofficial bios via the uefi diagnostics. [help needed tho, because I do not have any experience, but I am willing to learn!]
(maybe seperate thread needed for this?)
https://www8.hp.com/us/en/campaigns/hpsu…t/pc-diags.html [Get the UEFI thing! and disassembling the SysDiags.efi file]
Super Sidenote : Links for the insyde tools that I am working with : https://gitgud.io/sapp4ire/lnsider_Bl0S_TooIs (Remove if needed!!!)
-Vechs

I would want you to link me to the latest BIOS version anyway. And you’d need to update to that using stock method first, then dump BIOS and send to me, then I edit and send back for you to program back in.
Your links above have one to many FPT’s

I can’t remember what all the H20UVE enable/disable allows, try it and see
Sorry, I can’t help with the HP Hardware UEFI diagnostics, never looked at that so wouldn’t have a clue what to do.
Unless you have already tried somethings, and receive an error. If you have, and know what BIOS module is used when you are using this feature, then maybe I could bypass the error in assembly, maybe.
Or, is what you linked only thing invoked when you run this?

Thanks for link, but I already have all Insyde tools too

Please send me the decrypted file for whichever of those BIOS included in that exe is for your specific model/family ID from the sp79827.exe
It wont run on my end to export the 8192KB sized BIOS files, only the encrypted ones I can extract (8963KB, don’t need those again).
If you can’t dump those to desktop by running the exe, then flash that BIOS as required anyway, then dump with programmer and send me the dump

Small change of plans then!
I would like to flash the version I have decompiled before, no need to work extra, this is more likely to work (single BIN file/S12 file)
Could you enable the hidden settings (most of them or ALL of them?) I do not know how to actually do that part. Do I still need to flash to the F.33 and dump the contents? would like to know!
The end result will mostly look like in the pictures I attached.
Small context for the pictures : HP service media (for independent/repair shops or something?) shut down on November 1st, but I ripped like most content from there. (not all of it.)
Included in the pictures : My possible bios simulation (visual representation of what hp technicians could see) It has lots of options that are not available on even my bios version (Reminder that i have an older version, but those options are still referenced in the IFR SetupUtility module!)
if @Lost_N_BIOS (you) can do that, I would mad appreciate and would gladly help out with existing/upcomming InsydeH20 projects! (the uefi thing mostly at the moment)


Continuing on-the-side with the EFI :
About that uefi thing : I have decompiled the .efi file, it has similar thing as seen with Donovan6000 Getting started page, modding the InsydeH20 utility in-order to get it working. [but the similarities end here.]
The main problem is that I can’t get the crossreferences what calls the actual “bios flash failed/invalid signature” message. However, I have found the actual message pop-up.
(my progress with EFI decompilation) remove if needed!

It includes : sysdiags.efi decompilation and IDAdecomp.txt
IDADecomp.txt where I found the actual message, maybe someone with advanced knowledge knows more about that.

Thanks for BIOS F.33 - Yes, if this is the BIOS you want to be on, flash it and then dump and send to me. This way all edits contain your system info and we don’t have to worry about losing that or trying to get it back in there later
* edit - that is not latest BIOS BIOS Latest BIOS you linked me to is in sp79827.exe, you sent BIOS from 78734 (yes, I see this is F.33 now, sorry I assumed you had latest). That EXE I mentioned, is F.36, I downloaded the day you started post, maybe you didn’t see they put out F.36?
So, unless you want to be on old BIOS, download the sp79827.exe and send me the decrypted bin for your family/system ID * Edit 2 - looking back at your first post, all very confusing!! You mentioend F.36 there too, so I’m lost where/why we started talking about F.33 (lets stop)
Latest BIOS is best, unless you have some known issue or want to stay on old BIOS.

If you have programmer, great, dump with that. If you do not, then dump with FPT, here’s how -

Im ordering a new kit, gonna come in mid-December or earlier, [Missing SOIC8 clip on the current kit :< until then we need to wait…]

I have tried modding bioses, but never had to actually flash anything, read lots about it and I want to start making changes.
In short : no, I haven’t flashed any bioses.

C:\MEITOOLS\IntelCSMESystemToolsv11r28\Flash Programming Tool\WIN32>FPTW.exe -bios -f biosreg.bin

Intel (R) Flash Programming Tool. Version: 11.8.65.3606
Copyright (c) 2007 - 2018, Intel Corporation. All rights reserved.

Reading HSFSTS register… Flash Descriptor: Valid

— Flash Devices Found —
W25Q64FV ID:0xEF4017 Size: 8192KB (65536Kb)


Error 368: Failed to disable write protection for the BIOS space.
FPT Operation Failed.


Both on WIN32/WIN64 FPTW executables, same error occurs.

UEFI THINGS :

http://ftp.hp.com/pub/softpaq/sp100001-100500/sp100178.exe [that’s what i had downloaded and installed]

Adding just in case a fresh&unmodded copy of the EFI hardware thing.
[includes everything that was added from the SP package to an USB drive]

UEFI errors :
When flashing a bios with H20EZE modifications (Both in Rollback BIOS update/Apply BIOS update option):
The System BIOS update failed
Unable to open BIOS signature file (this is the main error that occurs most often)
Main Menu
edit: added picture, for proof

As you can see, I have done 3 passes with reading the bios chip and can verify that backup1.bin is as same as backup3.bin and backup2.bin
Okays, so I have F.29 backup uploaded( As an archive of sorts.), will update to the F33 bios and post results shortly.
[Backup of F29! have fun!]
-Vechs

--------------------------

Sorry for tha nth post in a row!
Update time :

This is the newest HP bios, because I couldn’t flash older bioses than the newest one (i dont know why, uefi flasher told me that the bios image is not for my device/machine and wouldnt let me flash to the one i wanted)

Anyways, this is the NEWEST one, is this : sp96552.exe [from HP site ]
this was ripped straight from the bios chip (assumed to be bios chip)
[newest bios dumped, feel free to enable the h20uve plus other features. If you do somehow modify those, could you inform me, how did you modify those, what values, etc.]
Mad thanks!
-Vechs

@Vechs - Sorry I missed your reply in Dec!! Error 368 at FPT write is easy to get around, sometimes, programmer may not be needed. Use of FPTwx64 not needed or suggested

I see today you posted dump of F29 above, why? I thought you wanted to be on 33 or whatever the latest is now? Then, in last post, which I merged, is that now the latest BIOS flashed in, then you dumped it? If yes, great

Now, what do you want me to do with the BIOS?

If you want, and to preserve your flash clips limited usage times, we can move forward with FPT dump, flash, if you want and if we can disable BIOS lock?
To do that, you will have to dump vars with UVE, let me edit, then you program it back, then BIOS lock will be disabled and you can flash via FPT
^^ Never mind, BIOS lock is not set via BIOS setting or NVRAM Variable I found a few suspect areas we can test edit later, if you want? (May brick, may not, may or may not unlock it also, but we only have to test if you want) - I am not good at finding this, if it’s out of the norm (which in this case, it is )

[strike]Here, try with these two UVE’s, run command once from each folder that directly contains the EXE for each version, leave all vars.txt in place and send back to me (So we know which version created what)
And, you can also try same with command line version of the 200 UVE as well
https://ufile.io/3qcrp1w3

Run this command from folder that contains the EXE (for both versions + 200 version too)
H2OUVE.exe -gv vars.txt-/strike] << Never mind all this, I test edited and opened in UVE and EZE, and I see this BIOS is not relying on vars/NVRAM/Vss for applied settings, but is using setup module only, so any settings change can be done at setup only if we want.

The BIOS dump you posted last is F.52

What is the exact full model here too? Like this
17-w034nf
17-an0xx
17-w226u
17-Y5U16EA
17-W027NF
etc.

Here is modified dump, with H2OUVE setting enabled (both at setup and vars/NVRAM/VSS) + FD Unlocked
https://ufile.io/nampx976

BIOS May be RSA Signed so any edit may = brick, be ready to recover. If we find this is the case, then I will hunt down thread here, someone recently found a way around this, think
If we can’t get around RSA, then any/all settings may still be modified by dumping vars or setup with UVE, edit, flash back.

@Lost_N_BIOS So to clarify, just flash the bin provided in the 2nd link and see the results, right?
Removal of the bios lock would be best. [so I can experiment in my own time]
Also, yeah, I would like to try the dump everything this laptop has, in-terms of info/bios information/ME info etc.

Will provide any knowledge I know to help out to understand Insyde stuff.
Edit:
Okay, flashed the .bin and it failed.

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found Winbond flash chip "W25Q64.V" (8192 kB, SPI) on ch341a_spi.
Reading old flash chip contents... done.
Erasing and writing flash chip... Erase/write done.
Verifying flash... VERIFIED.
 
 

hey guys you have the last version f53 of this mod?
there is anything i can help to have that file for my omen?
thanks in advance