[REQUEST] Unlocking "Advanced Menu" BIOS -Notebook HP model_15-bw032wm(AMD processor)

I have to see side by side image to have any clue what you are referring to. Yes, might not be exact same of course, but if you want my opinion if it’s similar enough to allow same edit possibly, if you are unsure if it’s same code area, show me side by side.

If you think it’s similar enough for coderush guide to be same thing, show me side by side and I can advise you how to bypass (Show me what you want bypassed, and make note beside it in the flow chart, what it’s hex values are)
I don’t know a lot about coding/assembly, but I do know how to bypass areas, skip something, or change jumps in many different ways

@Lost_N_BIOS Hope this helps a bit.
In regards to hex, what exactly do you want to see?

sidebyside ps.png

For any single line in IDA flow view, if you switch to hex view tab that command is highlighted in hex (This hex, I meant you copy/paste into image at the flow chart location where you for example wanted some jump changed or bypassed)

Thanks, I see now, it’s not same at all, you do not even have any “test” below your searched item, only a few compares, but none similar enough to his example, and none would skip to end by changing instructions either.
He’d have to look at that himself, and maybe advise you, I’m not familiar enough with assembly to know if anything is possible that would fix this for you there like in his article or not.
If he’s not too busy, maybe he will stop in and advise

@CodeRush - If/when you have time, could you check above image and see if/where he can edit to bypass per your guide here - https://habr.com/en/post/249939/
Thanks

@Lost_N_BIOS Got it!
Well, I kept looking to see if there was anything remotely similar (remembering I don’t have much clue of what needs to be done at this point), and there is a block, the 10th from bottom to top, that jumps to a “xor eax, eax” and goes to the 3 blocks that are equivalent to the last one from Coderush. It is also right after the 100h reference just like in Coderush’s example.
Question is: Can a forced jump (jnz -> jmp) do anything in this case?

tentativeps.png



Also, thank you for asking for his help

You need to make sure that EAX has 0 in it, and then perform a proper return from this function. Replacing that JNZ to JMP is a suitable way to do it.
However, in your code there’s no dead-loop that we are trying to not fall into (it’s probably in the function that calls this one now), so the only thing that your patch will be doing is “make any address it gets as a candidate for signature location to say signature is there”, which is probably not what you really want here.

@CodeRush Thank you for the info. Can you point exactly what needs to be changed into what? Or can you take a look at the pe.bin itself? If this is not too much to ask of you.
http://www.mediafire.com/file/2frpvsmnr8ufsw7/pe1.bin/file

This is where the system hangs on invalid signature:

Caller.png



This is where and how to patch it:

Patch2.png

Sorry, one picture got broken, so I removed it.
Basically, we need to return success from the function with the dead loop (not just the one that locates the signature). Previously everything was in a single one, and that’s what got you confused.
The easiest way out from this function is that JNZ, that takes us either to the main body of the function (on TRUE edge) where the signature search and verification eventually happens, or (on FALSE edge) to “return EFI_SUCCESS” (xor eax, eax, …, ret). The patch then is to make sure that TRUE edge can’t ever happen, which is just to skip the whole JNZ and always take “xor eax, eax, …, ret” route instead. Patch is therefore “replace JNZ with NOPs”, 75xx->9090.
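From the integrity-checking side, a change like the 75xx->9090 edit described above is easy to spot when a known-good copy of the module is available. The following is an added example, not part of the original post or the firmware: it diffs two equal-sized modules and labels short conditional jumps that were NOPed out or forced. The function names and the sample bytes are constructed for illustration.

```python
# Added example (not from the thread): compare a known-good firmware module with
# a dumped copy and flag short conditional jumps that were neutralised.
# Byte-level heuristic only: it does not disassemble, so a hit means
# "inspect this offset", not proof of a patch. All sample bytes are constructed.

SHORT_JCC = range(0x70, 0x80)      # Jcc rel8 opcodes; 0x75 is JNZ
NOPS = b"\x90\x90"
JMP_REL8 = 0xEB

def diff_runs(ref: bytes, dump: bytes):
    """Yield (start, end) for each contiguous run of differing bytes."""
    if len(ref) != len(dump):
        raise ValueError("extract the same module from both images first")
    start = None
    for i in range(len(ref) + 1):
        differs = i < len(ref) and ref[i] != dump[i]
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            yield start, i
            start = None

def classify(ref: bytes, dump: bytes, off: int) -> str:
    """Label the change that begins at off."""
    if ref[off] in SHORT_JCC and off + 1 < len(ref):
        if dump[off:off + 2] == NOPS:
            return "jcc-nopped"        # e.g. 75xx -> 9090, branch never taken
        if dump[off] == JMP_REL8 and dump[off + 1] == ref[off + 1]:
            return "jcc-forced"        # e.g. 75xx -> EBxx, branch always taken
    return "other"

def scan(ref: bytes, dump: bytes):
    """Return [(offset, label)] for every differing run."""
    return [(s, classify(ref, dump, s)) for s, _ in diff_runs(ref, dump)]

# Constructed sample: three tiny code fragments, not bytes from any real BIOS.
REF = bytes.fromhex("85c0750c33c0c3" "4885c9740533c0c3" "b801000000c3")
DUMP = bytes.fromhex("85c0909033c0c3" "4885c9eb0533c0c3" "b800000000c3")

if __name__ == "__main__":
    for offset, kind in scan(REF, DUMP):
        print(f"0x{offset:04x}  {kind}")
```

Offsets labelled "other" still represent unexplained changes and need the same manual review in a disassembler.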

@CodeRush Perfect!! I will be able to test it next couple of days.

Thank you very much!!

@CodeRush @Kirfve I’ve been following this thread for some time and I have a question for you. Do you need to access the BIOS currently installed via a CH341A to edit, or can I work on a copy of BIOS downloaded on HP website? From what I’ve read, I understand that you @Kirfve work on the one you get via CH341A, am I correct?

Would I also be able to flash a modded BIOS without CH341A, if I manage to work it all out? I have a HP 15-bw0xx, same BIOS as OP’s.

It’s better to use the current dump, because it ensures that none of the board-specific settings and/or user setups will be lost.
It also won’t enable flashing without the programmer, but will enable modifications of DXE volume.

Oh I see, makes perfect sense. I should first purchase a programmer then, thank you.

Hey. I have exactly the same laptop as you: HP Laptop 15-bw0xx, BIOS InsydeH2O. I also follow this thread, but I understand almost nothing, sorry. I wanted to know, in general, theoretically, is there an opportunity to open the Advanced tab in BIOS InsydeH2O on HP? I just wanted to tighten things up a little bit, add GHz. In HP technical support I was told that this is impossible…

It’s not an unlocked model, therefore there is no way for overclocking. You may check for your cpu here:

https://www.amd.com/en/partner/processor-specifications

@CodeRush - Thank you so much for jumping in to help here

Yes, nothing hidden that’s really interesting here to unlock in the BIOS menu, especially not CPU/Memory OC related

@CodeRush
Unfortunately, the changes didn’t work.
When I flashed the bios with the rsa bypass (with the changes you suggested) and tab unlock (my attempt), the notebook turns on but screen remains off, the capslock key blinks 2x indicating bios failure.
I flashed it many times just to be sure I wasn’t missing anything.

I successfully flashed the bios of this same notebook multiple times (with stock bios), so I don’t think there is any problems with the programmer+clip or the flashing process.

Is it even possible that my attempt to unlock the tabs is the source of the problem?

This is what I changed to unhide the advanced and power tabs:

tabunlocktentative.png


This sequence only has hidden tabs. Seems like this is some sort of blacklist.
I removed the “Advanced” and “Power” references and replaced them with the other ones that I don’t care about.
While of course this is just a guess, this is the only part of the code that made sense to change.
This is the menu module unchanged: http://www.mediafire.com/file/kizvfxk33e…fitool.bin/file
I tried following some other methods but the code is very different.

I will only be able to test anything more next week.
Any help is appreciated!

@Kirfve, can you please send me the original and modified dumps (via PM)? I’ll check that the mod is done correctly, because modifications of PEI volume can be tricky, and sometimes tools fail to perform them properly, making a resulting image unbootable.

Yes, I suspected that menu mod may not be correct. To test your RSA mod bypass attempt, you need to make some other simple known "should be OK" edit, like update a microcode manually

@CodeRush I think we can continue the conversation here since the bios being used to test is a stock one.
I understand this is a difficult one to crack. If you don’t want to, or don’t have time to help furthermore, I completely understand!

This serves as an advice for anyone who has a HP notebook with rsa protected bios: Don’t even bother with modification until you know the protection on your⁠—specific⁠—bios is bypassed.

It’s not really difficult to remove the check, it’s much more likely a structural breakage of the modified image, or maybe some countermeasures by AMD that we aren’t yet aware of. I’ll check it out once again when I can find some spare time.