Hi everyone,
after about 1 month, my request to unlock my HP Insyde BIOS was ignored, so I tried to study independently via this forum or other forums on the web.
I have come to good results to unlock several hidden BIOS features.
I would like to list the various notions learned in order to facilitate the lives of other interested parties.
I am working on an HP 630 with an Insyde BIOS.
The Insyde BIOS seems to be one of the most difficult to unlock, besides the fact that many of these BIOSes have an RSA signature, which makes changes impossible ...
In my case they managed to find in the bios network for my PC RSA and so I have worked on this.
HP 630
HP Compaq 630 - Mini 430 - Compaq Presario CQ43-414TU BDMaster
HP Mini 430 - Compaq 630 - Compaq Presario CQ43-414TU BDMaster
Version Date Size SoftPaq
F.39 12-2013 sp64612.exe RSA
F.38 03-2013 sp60723.exe RSA
F.37 11-2012 sp59757.exe RSA
F.33 01-2012 sp55626.exe RSA
F.32 11-2011 sp55356.exe RSA
F.24 10-2011 sp54776.exe RSA
F.23 09-2011 sp54697.exe RSA
F.22 08-2011 sp54181.exe RSA
F.19 07-2011 sp53673.exe BIOS mod possible
F.18 06-2011 sp53593.exe BIOS mod possible
F.17 06-2011 sp53383.exe BIOS mod possible
F.16 05-2011 sp53108.exe BIOS mod possible
F.02 03-2011 sp52301.exe BIOS mod possible
So I worked on sp53673.exe (no RSA).
This .exe is multi-FD (the .fd file is the BIOS image proper, and in my case the executable contains 3 different models; mine is 03676.fd).
To extract this .exe file, just open it with WinRAR or 7-Zip.
I learned several tricks to unlock hidden functions, but I really had to be a web astronaut.
The "fd" file has to be extracted with what on the net is called "Andy tool": a tool that opens the fd file, dumps it, and can then build the updated fd file with the changes we made.
link image: https://ibb.co/TKsgDg0
Press OK; in the root directory of the FD file there will be new files and folders.
Inside DUMP there will be many files ... to unlock the hidden functions, the one we are interested in is almost always a file ending in FE...670_ (Module) and then numbers (Checksums).
In my case it is called:
FE3542FE-C1D3-4EF8-657C-8048606FF670_649.ROM (SetupUtility)
There may be more than one of these, but we must identify the largest one.
OK, now with a new tool called Universal IFR Extractor.exe, created by Mr. Donovan6k, we read the identified ROM file.
The Universal IFR Extractor converts the code into human-readable data so that we can understand the variables that condition the functions of our BIOS.
Now we will have a .txt file with what we need to understand about our functions:
I have shortened the text file for space reasons; I just want to show an example of the System Configuration field.
Code:
EFI Protocol Detected
--------------------------------------------------------------------------------
String Packages
--------------------------------------------------------------------------------
Offset: Language:
--------------------------------------------------------------------------------
0xF080 eng
0x1BA68 fra
0x2941A chn
0x31DEE jpn
0x3E33C ita
0x4B3B8 spa
0x59222 ger
0x66758 por
Form Sets
--------------------------------------------------------------------------------
Offset: Title:
--------------------------------------------------------------------------------
0x73450 Main (0xE9)
0x735D0 Exit (0x365)
0x73700 System Configuration (0x5B)
0x73DD0 Power (0x2E5)
0x746D0 Security (0x36)
0x747C0 Advanced (0xFB)
0x77B10 Main (0x4)
0x77DD0 Diagnostics (0x42)
Internal Forms Representation
--------------------------------------------------------------------------------
Offset: Instruction:
--------------------------------------------------------------------------------
0x73706 Form Set: System Configuration {0E 24 F4 27 4A A0 00 DF 42 4D B5 52 39 51 13 02 11 3D 5B 00 DA 00 00 00 00 00 00 00 00 00 01 00 00 00 BC 02}
0x7372A Form: System Configuration, Form ID: 0x1 {01 06 01 00 5B 00}
0x73730 Subtitle: {02 04 DA 00}
0x73734 Suppress If: {0A 03 00}
0x73737 true {27 02}
0x73739 Setting: UEFI Boot, Variable: 0x7E[1] {05 09 7E 00 01 D6 00 D7 00}
0x73742 Option: Enabled, Value: 0x0 {09 09 DC 00 00 00 01 00 00}
0x7374B Option: Disabled, Value: 0x1 {09 09 DB 00 01 00 00 00 00}
0x73754 End of Options {10 02}
0x73756 Setting: Quick Boot, Variable: 0x72[1] {05 09 72 00 01 48 03 49 03}
0x7375F Option: Enabled, Value: 0x1 {09 09 DC 00 01 00 01 00 00}
0x73768 Option: Disabled, Value: 0x0 {09 09 DB 00 00 00 00 00 00}
0x73771 End of Options {10 02}
0x73773 Setting: Quiet Boot, Variable: 0x73[1] {05 09 73 00 01 4A 03 4B 03}
0x7377C Option: Enabled, Value: 0x1 {09 09 DC 00 01 00 01 00 00}
0x73785 Option: Disabled, Value: 0x0 {09 09 DB 00 00 00 00 00 00}
0x7378E End of Options {10 02}
0x73790 Setting: PXE Boot to LAN, Variable: 0x74[1] {05 09 74 00 01 4C 03 4D 03}
0x73799 Option: Disabled, Value: 0x0 {09 09 DB 00 00 00 01 00 00}
0x737A2 Option: Enabled, Value: 0x1 {09 09 DC 00 01 00 00 00 00}
0x737AB End of Options {10 02}
0x737AD End If {18 02}
Method 1
If you want to try, you take the risks yourself: I do not feel responsible for the damage you can do to your PC. It would be a good thing to make sure that the BIOS can be reset with a keyboard,
or even to have a terminal with a programmer to repair the BIOS in case something goes wrong.
In my case, for example, in the System Configuration tab, the UEFI Boot function is not visible, and to unlock it and make it appear we have to make the variable false:
0x73706 Form Set: System Configuration {0E 24 F4 27 4A A0 00 DF 42 4D B5 52 39 51 13 02 11 3D 5B 00 DA 00 00 00 00 00 00 00 00 00 01 00 00 00 BC 02}
0x7372A Form: System Configuration, Form ID: 0x1 {01 06 01 00 5B 00}
0x73730 Subtitle: {02 04 DA 00}
0x73734 Suppress If: {0A 03 00}
0x73737 true {27 02} <--------- we must make it false by changing 27 to 28
So now, with a hex editor such as HxD, I have to change this value ...
I open the file identified at the beginning (in my case FE3542FE-C1D3-4EF8-657C-8048606FF670_649.ROM)
in HxD, go to offset 0x73737 (again, in my case), change the value from 27 to 28, and save.
We make a copy of this file on the desktop, then go back to Andy's tool and select these parameters:
link image1: https://ibb.co/V2MWHLX
link image2: https://ibb.co/QNmLX4N
link image3: https://ibb.co/FzcYpQZ
After the informational message appears, do not press OK yet: you have to go to the directory of the "fd" file, into the DUMP folder, replace the "rom" file there, and only then press OK.
Now in the folder we have several files, one of which is named 03676_SLIC.fd; we rename it by deleting _SLIC and put this file in the original folder for the flash.
Now we can flash the new BIOS. I found a patch that allows me to do it ... it would be a change to be made to the iscflash.dll file.
Method 2
There are functions, however, that cannot be unlocked with this method because they have another function that blocks them ...
For example, Virtualization Technology in my case is blocked by this formula:
0x73800 Label: 0x1001 {1D 04 01 10}
0x73804 Suppress If: {0A 03 00}
0x73807 Variable 0x225 [1] equal to 0x0 {12 07 25 02 01 00 00} <--------------------- change this variable
0x7380E Setting: Virtualization Technology, Variable: 0x1B0[1] {05 09 B0 01 01 5C 00 5D 00}
0x73817 Option: Enabled, Value: 0x1 {09 09 83 00 01 00 04 45 00}
0x73820 Option: Disabled, Value: 0x0 {09 09 84 00 00 00 05 45 00}
0x73829 End of Options {10 02}
0x7382B End If {18 02}
In my case the number 45 will have to be changed to FF, so open HxD, change the value at the offset, and repeat the procedure as above with the useful tool.
Method 3
These changes can also be made in other ways, without flashing the BIOS, by modifying the one already present. The shell method exists; in my case it didn't work,
so you can use the H2Ouve.exe software:
image link: https://ibb.co/25tMhrm
We again work on Virtualization Technology, which is disabled by default on my laptop.
We have seen above that the variable is:
0x73807 Variable 0x225
and if deactivated the value is 00, if activated the value is 01.
So, to find where to modify this variable in H2Ouve, we take the variable 0x225, go to the column at 220 and to row number 5, and insert the value 01.
link image: https://ibb.co/Q8TnXnn
In this case you just have to save and the setting will be saved in the BIOS.
It's not permanent: if we want to undo it, we just reset the settings from the BIOS or disconnect the CMOS battery.
Unlock Advanced and Power tabs
The methods described above do not unlock the hidden tabs (Advanced and Power), as often happens; what they unlock are the hidden functions of the active tabs.
To unlock the hidden tabs I was again helped by Mr. Donovan with his guide, even though it is generic and therefore did not work for my laptop, but it comes close (at least I hope).
For this we need another software called ida.exe.
It does nothing but disassemble and show us the various sequences using flowcharts to make us understand how the logic of our BIOS works.
link image: https://ibb.co/ygm5Lgb
In my case 1800747C0 is the offset of the Advanced tab variable.
link image: https://ibb.co/xzbbfp5 in this image the call is shown
In theory, with this method you need the JZ instructions (conditional jumps) and, in a certain sense, to bypass them. I have not found them in mine, and here I ask for the help of someone more experienced.
link image: https://ibb.co/BLY4DXB
I don't know how to proceed, but I feel I am very close to the solution ...
The Solution:
Code:
Bios v.F.16 Model 03672 Menu Tabs Unlock Mod :
Form Sets
--------------------------------------------------------------------------------
Offset: Name:
--------------------------------------------------------------------------------
0x12300 Exit (0x158)
0x12430 System Configuration (0x5B)
0x12B10 Power (0x38E)
0x133D0 Diagnostics (0x42)
0x13440 Security (0x36)
0x13530 Advanced (0x182)
0x17730 Main (0xD0)
0x17890 Main (0x4)
065D : 74 5B to 74 00 jz short loc_1800006BA to jz $+2
0668 : 74 50 to 74 00 jz short loc_1800006BA to jz $+2
0673 : 74 45 to 74 00 jz short loc_1800006BA to jz $+2
Code:
Bios v.F.16 Model 03674 Menu Tabs Unlock Mod :
Form Sets
--------------------------------------------------------------------------------
Offset: Name:
--------------------------------------------------------------------------------
0x80400 Main (0xE8)
0x806C0 Exit (0x384)
0x807D0 System Configuration (0x5B)
0x80E90 Power (0x301)
0x813D0 Security (0x36)
0x814C0 Advanced (0xF5)
0x85350 Diagnostics (0x42)
0651 : 74 50 to 74 00 jz short loc_1800006A3 to jz $+2
065C : 74 45 to 74 00 jz short loc_1800006A3 to jz $+2
Code:
Bios v.F.16 Model 03676 Menu Tabs Unlock Mod :
Form Sets
--------------------------------------------------------------------------------
Offset: Name:
--------------------------------------------------------------------------------
0x73450 Main (0xE9)
0x735D0 Exit (0x365)
0x73700 System Configuration (0x5B)
0x73DD0 Power (0x2E5)
0x746D0 Security (0x36)
0x747C0 Advanced (0xFB)
0x77B10 Main (0x4)
0x77DD0 Diagnostics (0x42)
067B : 74 55 to 74 00 jz short loc_1800006D2 to jz $+2
0685 : 74 4B to 74 00 jz short loc_1800006D2 to jz $+2
068F : 74 41 to 74 00 jz short loc_1800006D2 to jz $+2
It will help many users!
Regards
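
Added example, not part of the original post: a read-only Python check of the IFR listing format quoted above, useful for catching transcription errors before trusting an offset. It verifies that each record's second byte equals its byte count and that offsets chain, then lists every setting that sits inside a Suppress If ... End If block together with its condition record; the function names and the shortened sample are assumptions of this example.

```python
import re

# Constructed sample: two Suppress If blocks copied from the listing in the post.
# "..." marks records left out, so offset chaining is not checked across it.
DUMP = """\
0x73734 Suppress If: {0A 03 00}
0x73737 true {27 02}
0x73739 Setting: UEFI Boot, Variable: 0x7E[1] {05 09 7E 00 01 D6 00 D7 00}
...
0x737AD End If {18 02}
...
0x73804 Suppress If: {0A 03 00}
0x73807 Variable 0x225 [1] equal to 0x0 {12 07 25 02 01 00 00}
0x7380E Setting: Virtualization Technology, Variable: 0x1B0[1] {05 09 B0 01 01 5C 00 5D 00}
0x73817 Option: Enabled, Value: 0x1 {09 09 83 00 01 00 04 45 00}
0x73820 Option: Disabled, Value: 0x0 {09 09 84 00 00 00 05 45 00}
0x73829 End of Options {10 02}
0x7382B End If {18 02}
"""
LINE = re.compile(r"^(0x[0-9A-Fa-f]+)\s+(.*?)\s*\{([0-9A-Fa-f ]+)\}\s*$")

def parse(dump):
    """Return one (offset, text, raw_bytes) per line; unparseable lines become None."""
    hits = (LINE.match(l.strip()) for l in dump.splitlines())
    return [(int(m[1], 16), m[2], bytes.fromhex(m[3])) if m else None for m in hits]

def check(records):
    """Flag records whose length byte or offset chaining is inconsistent."""
    problems = []
    for prev, cur in zip([None] + records, records):
        if cur is None:
            continue
        off, _, raw = cur
        if len(raw) < 2 or raw[1] != len(raw):      # byte 0 = opcode, byte 1 = length
            problems.append((off, "length byte does not match byte count"))
        if prev and prev[0] + len(prev[2]) != off:
            problems.append((off, "offset does not follow previous record"))
    return problems

def suppressed(records):
    """Map each setting inside a Suppress If block to (condition text, condition offset)."""
    found, cond = {}, None
    it = (r for r in records if r)
    for off, text, raw in it:
        if raw[0] == 0x0A:                          # Suppress If: next record is its condition
            c = next(it, None)
            cond = (c[1], c[0]) if c else None
        elif raw[0] == 0x18:                        # End If closes the block
            cond = None
        elif text.startswith("Setting:") and cond:
            found[text.split(",")[0][9:]] = cond
    return found
```

An empty result from `check(parse(DUMP))` means the listing is self-consistent; `suppressed(parse(DUMP))` names the record that governs each hidden setting.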