[Problem] Modded BIOS for HP Elitedesk 800 G1 DM mini PC

@gloobox - where do you see the “one protected” PRR, I can bypass if you show me it’s location. I think I tried already on this system, but failed, I’m not great at locating this when it strays from @CodeRush example here sometimes I can find, but not often

I remember I upload it once.When running the PRR2 it show the message below.


@gloobox - Thanks, but not what I thought you meant when you mentioned you found, I thought you meant in assembly That shows only the last volume of BIOS is protected by FPRR, so FD/ME/GbE could be written (at that time, maybe you had jumper on?)
Here, try these three, 1/2 have different modules edited, #3 has combo of 1/2 (All must be tested). This is FD unlocked, NVME mod, from the dump you sent me on 9/18/19 + Today’s unlock attempts
Program in, the test FPT BIOS region (ONLY) write, repeat x3 BIOS.

Sorry I haven’t this machine at hand now,but I will feedback soon!So Did the bios you gave me adapt for all 800 G1 DM mini PC?
BTW,I think if we only flash the address of the modding area(NOT all the bios region), would it passby the FPRR or BIOS protection(in other machine)?

@gloobox - bummer! I used your personal programmer dump you sent me.
If you have someone else test, tell them ONLY do it after they make a full backup of their BIOS with programmer first, so they can put it back once they are done testing, otherwise they’ll have all details from that BIOS instead

BIOS region must be flashed to test this, it’s two modules in main DXE volume which is compressed volume so you can’t write only those exact locations even if you know the offsets

HP Systems usually have a FDO jumper to unlock the BIOS regions, [Guide] Unlock Intel Flash Descriptor Read/Write Access Permissions for SPI Servicing

Yeah,but it still fail for flashing modded bios

Ah, sorry…should have read the whole topic :slight_smile:

Today I had tried the 3 bios you gave me and feedback.
I met ERROR 280 before shorting the FDO jumper.And I met ERROR 28 after shorting the FDO jumper.The 3 files are in same situation.

@gloobox - thanks for testing. Sorry I can’t find it to bypass in this BIOS, I’m not great at finding if/when it doesn’t follow the only example I know of bypassing these locks (CodeRush’s example here - https://www.insanelymac.com/forum/topic/…comment=1944166)
I’ve found many similar, and bypassed them in this BIOS, but we’ve tried 2-3 times, and maybe 6-8 BIOS edits, so obviously I’m not editing the correct one, I’ve bypassed all that look even remotely close to that example.
In your test, you were ONLY attempting to flash the BIOS region, correct? (FPTw.exe -bios -f file.bin)?



Many thanks to you!
Yeah,I just flashed the bios region but all failed.When ME region was protected,there should be error 25 or 26.And Error 28 is for FPRR I think.

I think the progress is interesting to solving the problem,when I have some idea of it,I will share with you at once!

@gloobox - BIOS region flash BY ITSELF is all we should be testing here, FD unlock or jumper overrides the rest and your image of what was locked showed only BIOS region being locked.
So please test ONLY BIOS region flashing >> FPTw.exe -bios -f filename.bin

Does that fail ^^ ? If yes, then all edits to bypass have failed too.
You may want to test previous edit attempts I sent you too, if you were not trying a BIOS region only flash, I may have solved it for you long ago and you didn’t know because you were not trying BIOS region only flash

I had texted “FPTw.exe -bios -f filename.bin”,but failed.

Btw,I recognize something special about FPRR.
I succeed in flashing LENOVO notebook(forget the name) by running the PRR first,so could we run or flash or do something first to destroy the FPRR before flashing the modded bios?

Yes, sometimes on some PRR/PRR2 work if FPRR/PRR is controlled by a BIOS setting, but if it’s in a module then it wont work and module needs edited and programmed in to disable it.

@Niolin @coopernick @EDECAT @gloobox - See here, if any of you still need to do BIOS mods and do not have programmer yet, DeathBringer posted solution so we can flash with FPT

@Lost_N_BIOS I have the same problem on a HP EliteDesk 800 G1 Tower. The original BIOS that I extracted using the FPT from Intel ME System Tools v9.1 is attached with this post.

Writing the same file back to the BIOS using FPT is giving me an error
Error 280: Failed to disable write protection for the BIOS space!

I tried using the UEFITool_v0.28.0 to modify the BIOS and inject the NvmExpressDxe_4.ffs into the BIN but the reload after the injection was complete gave me a checksum error.
parseFile: invalid data checksum 5Ah, should be AAh

The same thing happened when I used the small version of the FFS NvmExpressDxe_Small.ffs as well.

The software pack from HP containing the latest BIOS is present on the HP portal for this device

I have modified the file (rom.bin) present in the link above successfully using both MMTool and UEFITool but the flashing operation using the BIOS option to "Flash ROM" or using DOSFlash have both failed with "verification error". Interestingly this rom.bin is 16384KB in size while the FPT output is only 10752KB

Can you please let me know if there is something that I am doing wrong? Also, it appears that I will have to use the SPI flash programmer + SOIC8 test clip cable to fix this. I will be able to do that part once I have the right BIOS mod available.

Can you suggest if I should try using the MMTool for this? Any other options to modify the BIOS to get it to boot from the M.2 Crucial 250GB NVMe disk?

I am also in fight for nvme working properly.

Found this simple tutorial (for z220):
1. fptw64 -I which should tell you bios address start. for HP z220 it was 0xA90000
2. fptw64 -BIOS -D backup.rom
3. mod and add NvmExpressDxe_4.ffs to backup.rom save it as modded.rom
4. use a hex editor like frhed to delete the end of the file leaving only first 0x55FFFF bytes
5. fptw64 -A 0xA90000 -L 0x55FFFF -F modded.rom

And this infor for unprotected BIOS range info: for the HP EliteDesk 800 G1 mini bios starts at 0x580000 and the length should be 0x980000
to avoid the protected region. 0x580000 + 0x980000 = F0FFFF

so in a nutshell our BIOS starts at 0x580000, length to unprotected 0x980000. I have dumped BIOS, modified it with injection of NVME module, trimmed it to be 0x980000 + 1 EOF length but still when i do flashing:

fpt.exe -A 0x580000 -L 0x980000 -F modded.rom

I get Error 280: Failed to disable write protection for the BIOS space.

Any guess how to overcome this?

I made a mistake in the calculations its supposed to be 98FFFF not 980000. Luckily adding NVME boot didn’t change that far so I was fine when I did it to mine. Have you done the first part and booted up to the UEFI command and disabled write protection? I think this is the part you’re missing. Follow the the instructions in the link bellow. Just that post #6 by Deathbringer

read this post here:

Post #6 is what you’re missing. I did it all of this to my 800 g1 mini and it boots from an inland nvme drive from microcenter now. Let me know if u have any more questions. I’m lucky I checked the forums today
or I would have missed your question. I’ll keep an out in case you need help.

Its been a while so i don’t remember 980000 might have not have been a mistake. I think it was just the length of the file I wanted to upload so my changes take place.

@dman79 many thanks for this reference to the post Deathbringer, will try this as well and report back.