[REQUEST] Unlocking "Advanced Menu" BIOS -Notebook HP model_15-bw032wm(AMD processor)

Hi, I have a PC “Notebook HP - 15-bw032wm” with AMD processor.
BIOS version: InsydeH20 | Rev.5 | F.51
The BIOS link is: http://www.mediafire.com/file/asrys8q9zh…p96845.exe/file
Please help me modding and unlocking the ADVANCED MENU options. Thanks, Sir.

@ZelltronE - Please link me to the BIOS download page at HP for this system.

That will not a problem.

This is the link of HP download center: https://support.hp.com/us-en/drivers/sel…888?sku=2DW04UA

And this is the BIOS direct download link from HP servers: https://ftp.hp.com/pub/softpaq/sp96501-97000/sp96845.exe

Thanks for the interest in helping me, Sir.

Thanks. I’m not great at Insyde BIOS, but I will try to help. Main problem will be finding a way to flash in mod BIOS since this is AMD. Do you have flash programmer like CH341A + SOIC8 test clip cable?
BIOS May be RSA Signed, I see RSA signature files in the crisis recovery folder Not good sign, best you get the flash programmer first and dump BIOS, then we can safely test mod BIOS, if you don’t then any single edit may brick the system and you wouldn’t have backup to recover with.

Also, need to know which of these are your BIOS, this exe has two BIOS images for different systems

This one may be best edited by an Insyde pro BIOS editor, like someone at BIOS-mods forum. I see advanced in Intel tools, but it’s not in the setup module menu list, so someone really good at Insyde edits may have to edit this for you.

@Lost_N_BIOS Sorry for hijacking the thread, but I think it is fine to ask here: Is there any reference for unlocking tabs for Insyde bios?

I know there is the method from donovan6000, but from what I looked it cannot be applied to newer bios versions.
Unfortunately there isn’t enough people with interest in researching those bioses. And for years, at bios-mods, threads asking specifically for hp bios unlock have been ignored (pretty sure RSA signature is the reason).

I also really appreciate your efforts to help people here! Thank you very much!

@Kirfve It’s OK, I don’t think I can take this thread anywhere anyway That (donovan6000’s Guide), and a few random info posts at notebookreview forum about Insyde/Acer is all I know. I can’t do Insyde very well, so not really one that can help with that.
I can usually only get it when -
A - It’s similar to donovan6000’s guide,
B - I can find the correct routine manually in IDA AND can recognize where the bypass happens (not as easy as it sounds)
C - I can find some already unlocked BIOS to use as a reference and unlock it in my own way using those details/mods already done.

Here’s the links I have saved that I use/reference sometimes, sorry it wasn’t the forum I mentioned above . This Python stuff best done in Win7 or maybe XP, it doesn’t work very nicely in Win10

Yes, anything with RSA Signed BIOS MUST be ignored, by everyone, even the owners of such devices who own flash programmers (waste of time, nothing you can do)
I have ran into this before, but seeing as it’s not commonly referenced and comments disabled there, I doubt it works in all instances (Maybe, on that one system, on that one BIOS he did, unsure, but I know it looks odd disabling comments and then no one mentions this all the time at sight of RSA)
See link at post #2 - Insyde H2O bios unlocking/flashing

Thanks, I appreciate the kind words of support!

@Lost_N_BIOS Have you taken a look at this?
EDIT: Second link is rsa check bypass
It is specifically for hp Insyde BIOSes. It is a bit old but the second method code is very similar to my bios (but not equal).
I’m going to try on mine, but i’m not really experienced… If you want to learn/try it, I can be your guinea pig =P (I have a ch341a + clip)

PS: Those links I gave are in russian, even then, It is so well written that I was able to use google translate and comprehend very well.

Those are from member here named CodeRush. Interesting find, thanks! I was not aware that could be done, I wonder why the pro’s over at BIOS-mods don’t use this all the time now? He even mentions them in the article
Yes, I was able to translate and read it fine

See also here (For future reference), post #2 (@ 4 Beeps on Lenovo RSA) Insyde H2O bios unlocking/flashing

Send me your BIOS dump, I will check it out. Have you tried editing anything in general, not related to the above, and programming it back in? If yes, what happens?

That looks hard, Sir. Sorry but I don’t have any tools like that in my bagpack. ¿Do you can tell me where I can learn about “BIOS dump”?, I really don’t know anything about that.

@Lost_N_BIOS I don’t have the dump yet. The bios chip is not easily accessible.
This device is a pain in the *ss to assemble and disassemble. I was waiting until I get something to test so I don’t waste time opening it.
I think we can use the one from the installer, I am positive it can be flashed, I’ll link it here.

InsydeFlash.exe > Next > Copy then Next > Select a folder to deploy, then Next > Finish.
It will open the folder with various BIOSes, the one that corresponds to my device is the 0227D.bin

About the method you posted. I haven’t gone as far as to follow the method step by step using my bios (to see if it is applicable).
As I said, I followed the 2nd method from Coderush, and I was able to get to the end of it, so I’m very optimistic. But there is some differences that I think you will be able to understand better than me and be able to identify exactly what needs to be edited.

I didn’t tried programming anything yet for the same motive above: This device is very hard to assemble and disassemble so I want to get edited BIOSes to test first, then I will disassemble it, get a working dump and then test what I have available.

@ZelltronE If yours is like mine, you won’t be able to read/dump the bios under windows with any software.
You would need to have physical access to the eeprom, some tools and another computer. See these threads:
[GUIDE] The Beginners Guide to Using a CH341A SPI Programmer/Flasher (With Pictures!)
[Guide] Using CH341A-based programmer to flash SPI EEPROM

@ZelltronE - BIOS dump is using hardware flash programmer tools (cost is around $7 shipped, or more depending on where you buy from, how fast it’s shipped etc) Below is links on using, first one images are down
[GUIDE] Flash BIOS with CH341A programmer
[Guide] Using CH341A-based programmer to flash SPI EEPROM
[GUIDE] The Beginners Guide to Using a CH341A SPI Programmer/Flasher (With Pictures!)

Here is general software package - http://s000.tinyupload.com/index.php?fil…695330485827902

@Kirfve - best you dump, then we mess around, that way two things are accomplished and you will be safe. First, you will find BIOS ID and tell me, then I can tell you if certain ID needs used, or certain version software/
And second you will have backup made and I will check it to confirm it’s OK, this way you can always go back without worry and not loose your system details (Serial, UUID< LAN MAC ID etc)

I understand it’s a pain, just leave it open once you are done, well I mean leave bottom not fully screwed on, only put 2-3 screws in place while you wait, that way bottom will be held there but you don’t have to unscrew it all again once you’re ready to redo the BIOS.

Modifying a BIOS per that guide, and it working for your system without bricking are two VERY different things. So backup first, always, then play around once you are sure backup is valid and proper.

You said you edited BIOS already??? So… what do you mean you want to wait and get a BIOS to test first, you have one, the one you made, test that
But, seriously, make a backup and wait, do not test anything until I’ve checked that BIOS or you have in several tools, to confirm it’s a good dumped BIOS.

Before I download that stock BIOS exe you linked, what is the model name, so I can keep it in a proper folder.

@Lost_N_BIOS Oh, don’t worry. My plan was to edit the backup bios, then get a dump from my motherboard, and only after that I would test the edited backup. I know the bios backup may not work because there would be no system specifc IDs like you said.
If you edit the backup bios, send it to me and it happens to not work, I can look at it and see the changes you made and transfer it to a copy of the dump. I would end up learning something too =P

One of the problems is, the motherboard needs to be removed from the side of the keyboard, and unfortunately the eeprom is at the bottom side, so I need to remove the motherboard to program and put it back to test the results each time.

I didn’t edit anything yet…I just followed the 2nd method from Coderush using F.33 (older than the one I gave you) and this is what I got:
Look at the Coderush 2nd method, specifically the last image, the last 2 “blocks” of code. This should be the last step.

Edited out an image to avoid confusion. See the following posts

It is obviously not the same, but they are the most similar. But when I look at the jump lines from ida, they look completely different… That means I don’t have much clue of what to do next lol. I would edit a lot of things and see what works .
Aside from that, I followed the previous steps rigorously.

The model of the notebook is: HP Pavilion 14-v066br

Your first sentence is backward from what you should do. Proper >> Make a dump from the board >> Then edit
Backup BIOS, or dumped via programmer may have all your info in it, certainly the dumped w/ programmer one would but backup may not it depends on what you make the backup with.
Stock BIOS extracted/edited etc, will not have any of your info in it.

I understand what you mean about accessing the chip, so you wont be able to do as I mentioned and this system will have to not be used while we do all this.

In your IDA Image, I see NOTHING that looks anything eve close to being similar to second links images.
Please show me a side by side image where you think this is same thing. Maybe there is some image in that linked guide that isn’t loading on my end?

@Lost_N_BIOS Yeah I know, I wanted to try it anyway… I will see If I can make the dump today!

Definitely. That’s the problem, this is the most similar but regardless still different. I have 0 assembly experience so I got stuck =(

Well, show me side by side with IDA from your BIOS and what you were looking at in the guide that you thought was similar, then I will be able to at least see what you were thinking about (without that I can’t see any resemblance)

@Lost_N_BIOS Is there a way to take a full IDA View-A screenshot??
If not, might as well just give you the pe.bin to take a look.


CORRECTION= I apologize! Just took a look, and found a folder with some other screenshots… I think the one I posted probably was a “random” one.
Last time I was looking at my bios was 2 years ago. I must return to it so I don’t end up embarrassing myself again. Sorry!

Any screenshot program, or windows paint (prt scr, then edit paste into paint)

@Lost_N_BIOS I had no alternative other than take multiple screenshots and place them together… not ideal but works.
This is where the final steps are done, I searched for "53534824h", and found it (at the 12th block). After that, I have no clue what can be done since the example code from Coderush is different.


That’s all fine, but where is side by side with the guide, at location you thought was same/similar?

@Lost_N_BIOS I think at the “53534824h” is where the similarities end. When I said “similar”, I was mainly referring to everything until that point, where I could get through the steps with no problems. I think the first image I posted was just a point of interest, that I would edit in an attempt to get any result. I was certain that I had to just find out what needs to be edited by testing.
Maybe I’m not expressing this very well…

EDIT: Just followed the method that you posted in the first page (from insanelymac). I couldn’t get past step 1 since the bios code is different. There is no “TCPABIOS” in the bios.

And that is why I am optimistic about the Coderush method. The bios is from HP, the code is similar since I got to the last step. I’m just not experienced to determine where I can modify to make the RSA check redundant.
I hope this makes the situation clearer.
In his method, I followed everything until I got to the last step, where he finds the part in the code that need to be edited to get around reboot from failing the rsa check.
At this point any similarities I find are pure stretch/guesses just because I don’t really understand what I see, and I don’t want to give up.
This is where I need help.
Also, I must have misspoken before, sorry.