Login

**donovan6000** · 05-23-2014, 01:58 PM

All I did was unlock what was hidden. If it looks weird, then it's how the manufacturers made it.

**gabiz_ro** · (This post was last modified: 05-23-2014, 02:35 PM by gabiz_ro.)

Quote:Insyde and HP decided to remove a lot of EFI functionality.

Indeed,but.
CryptRSA.efi is running fine as efi.
Open in IDA and I see there is one export, named InitializeDriver
If this can be extracted modded to launch bootloaders instead SystemDiagnostics and have this inserted into BIOS.
There is in BDS code that check 7E offset in NV area.
Add some code (don't know in what module) to check that 7E and if EFI enabled then call or launch this.

As already probably see in one of my message,changing a conditional jump in BDS module I get listed (if EFI enabled in BIOS) Internal EFI shell as boot option,but error on booting.
Since that function check offset 7E I was thinking that is one of that who create boot options.
Can be decoded info from dmpstore Variable Boot000X to see what is linked to EFI shell?

Looking at dumps from ram I see that BDS module call a functions inside MonitorKey module and one in OemOdmDriver or something like that (not on laptop now,and may be wrong name from memory)

Don't remember where and now I can't find it again I read about a something that return code is something LegacyBios and then all go legacy and EFI disabled but don't remember what source code was.

Also what is that VideoMem.udm,I ignored until now but opened in IDA and I see that is not related to Videomem only ,found inside functions that looks like or related to boot options

@ gujiangjiang
Something similar I encountered when I was using another SetupUtility module (FE354 ....) from other BIOS.
Some blocks of squares in some area.
Could be strings missing or in other language or wrong address for string and can't display that characters

gujiangjiang what is set as language in BIOS,switch to english if is something else.
Also that strings doesn't look right,there are strings from help area assigned to parameters name look like.

**gujiangjiang** · 05-24-2014, 01:59 AM

(05-23-2014, 02:24 PM)gabiz_ro Wrote:
Quote:Insyde and HP decided to remove a lot of EFI functionality.

Indeed,but.
CryptRSA.efi is running fine as efi.
Open in IDA and I see there is one export, named InitializeDriver
If this can be extracted modded to launch bootloaders instead SystemDiagnostics and have this inserted into BIOS.
There is in BDS code that check 7E offset in NV area.
Add some code (don't know in what module) to check that 7E and if EFI enabled then call or launch this.

As already probably see in one of my message,changing a conditional jump in BDS module I get listed (if EFI enabled in BIOS) Internal EFI shell as boot option,but error on booting.
Since that function check offset 7E I was thinking that is one of that who create boot options.
Can be decoded info from dmpstore Variable Boot000X to see what is linked to EFI shell?

Looking at dumps from ram I see that BDS module call a functions inside MonitorKey module and one in OemOdmDriver or something like that (not on laptop now,and may be wrong name from memory)

Don't remember where and now I can't find it again I read about a something that return code is something LegacyBios and then all go legacy and EFI disabled but don't remember what source code was.

Also what is that VideoMem.udm,I ignored until now but opened in IDA and I see that is not related to Videomem only ,found inside functions that looks like or related to boot options

@ gujiangjiang
Something similar I encountered when I was using another SetupUtility module (FE354 ....) from other BIOS.
Some blocks of squares in some area.
Could be strings missing or in other language or wrong address for string and can't display that characters

gujiangjiang what is set as language in BIOS,switch to english if is something else.
Also that strings doesn't look right,there are strings from help area assigned to parameters name look like.

Does this means hp laptop have chance to be boot var EFI ?

Sent from my iPhone using Tapatalk

**gabiz_ro** · 05-24-2014, 03:57 AM

Don't know sure.
But looking at Bds module from HP and from others that are EFI boot capable I see they are very similar.

Used some diff tools,zynamic bindiff if I remember right and I see that some functions are identical,some are little different and some are very different or don't exist or missing compared to others.
But changes of BDS module are very risky,I bricked many times my laptop,and when Bds is modified sometimes,very often recovery does not work,needt to program BIOS externally.
I solved problem with efiutils,was incompatible with ida python that came with ida.Updated list of guids,still have many that can't find any info about them,maybe are HP only.But for some reason update structures don't work as expected,need to manually declare structures like [rax+48h] is in fact Boot_services.freepool by example.
Also noticed something last night,I see something about install protocol,that must have some guid and other parameters usual passed in some registers but in few functions registers are xor'ed before,need to check on others laptop if that is right or wrong.
Is something like
xor registers
xor other register
call boot services install protocol

Other thing that I encountered mostly on HP modules efiutils complain about cannot rename x guid because that name is already defined and indeed same sequence of bytes exist twice in module.

**gabiz_ro** · 05-27-2014, 09:47 PM

I get Internal efi shell in F9 menu,is loading now but drivers Ps2Mouse,DiskIo,Fat and Partition doesn't get loaded as result no device are accessible.
Replaced with other drivers,Partition and Fat are loaded but no DiskIo so still no device are accessible.

**gujiangjiang** · 05-27-2014, 09:49 PM

(05-27-2014, 09:47 PM)gabiz_ro Wrote: I get Internal efi shell in F9 menu,is loading now but drivers Ps2Mouse,DiskIo,Fat and Partition doesn't get loaded as result no device are accessible.
Replaced with other drivers,Partition and Fat are loaded but no DiskIo so still no device are accessible.

It's a big step for EFI.
You can try Clover bootloader ,and try to boot from internal efi shell.

Sent from my iPhone using Tapatalk

**donovan6000** · 05-29-2014, 05:23 PM

Hey gujiangjiang,

Can you test out this rom and let me know it if bricks. This is just to test out some RSA stuff, so there's nothing unlocked. Thanks Big Grin

**gujiangjiang** · 05-29-2014, 06:26 PM

(05-29-2014, 05:23 PM)donovan6000 Wrote: Hey gujiangjiang,

Can you test out this rom and let me know it if bricks. This is just to test out some RSA stuff, so there's nothing unlocked. Thanks

Ok ,i will try and give you q feedback.

Sent from my iPhone using Tapatalk

**gujiangjiang** · 05-30-2014, 03:01 AM

(05-29-2014, 05:23 PM)donovan6000 Wrote: Hey gujiangjiang,

Can you test out this rom and let me know it if bricks. This is just to test out some RSA stuff, so there's nothing unlocked. Thanks

Hello,donovan6K,

My friend had just test this BIOS ,But sadly bricked.

Sad

**gujiangjiang** · 06-20-2014, 10:07 AM

(05-29-2014, 05:23 PM)donovan6000 Wrote: Hey gujiangjiang,

Can you test out this rom and let me know it if bricks. This is just to test out some RSA stuff, so there's nothing unlocked. Thanks

Hello ,Any other progress?

Regards

Sent from my iPhone using Tapatalk

Login
Username:
Password:	Lost Password?
	Remember me