A message to donovan6000 regarding RSA Signed bios'

[SEIKT]

In August, I requested the modification of my HP Envy 4 F.25 bios but received no response. So I asked for someone to show me how to mod my bios myself. I received a reply from you Donovan, this is what you said...

Anyone? If you can instruct me how to do it myself, I'll do it myself.

A lot of people start here. However a lot of people also give up there...

So I followed your tutorial and attempted to learn how to modify my bios. I now know how to unlock the advanced/power tabs in my bios. This is what I did.... I located the tab addresses of my bios tabs.

Code:

Viewable tabs:

0x18009813F = Tab address = 180098130 = Main (0x4 from string package 0x0)
0x180097D8F = Tab address = 180097D80 = Security (0x3C from string package 0x0)
0x180089E4F = Tab address = 180089E40 = System Configuration (0x62 from string package 0x0)
0x180097B7F = Tab address = 180097B70 = Exit (0x184 from string package 0x0)

Hidden tabs:

0x18008E78F = Tab address = 18008E780 = Advanced (0x1D7 from string package 0x0)
0x18008BE0F = Tab address = 18008BE00 = Power (0x411 from string package 0x0)
0x180097C4F = Tab address = 180097C40 = Diagnostics (0x48 from string package 0x0)
0x1800978BF = Tab address = 1800978B0 = Main (0xFE from string package 0x0)
0x18008D7CF = Tab address = 18008D7C0 = Security (0x12E from string package 0x0)

I have replaced the tab address of the security tab with the tab address of the advanced tab.

Code:

.text:000000018000153C mov r11, rsp
.text:000000018000153F mov [r11+18h], rbx
.text:0000000180001543 push rbp
.text:0000000180001544 push rsi
.text:0000000180001545 push rdi
.text:0000000180001546 sub rsp, 100h
.text:000000018000154D lea rcx, unk_18001EBC0
.text:0000000180001554 lea rax, aHilShgHnl@hlSx ; "HëL$\bSHâý HìL$@Hï+ÞÕU"
.text:000000018000155B xor esi, esi
.text:000000018000155D mov [rsp+110h+var_F0], rax
.text:0000000180001562 mov [rsp+110h+var_E0], rcx
.text:0000000180001567 mov [rsp+110h+var_C8], rcx
.text:000000018000156C mov [rsp+110h+var_B0], rcx
.text:0000000180001571 mov [rsp+110h+var_98], rcx
.text:0000000180001576 lea rax, unk_180097B70
.text:000000018000157D mov [rsp+110h+var_E8], rax
.text:0000000180001582 lea rax, aHilShgHnl@hlSY ; "HëL$\bSHâý HìL$@Hï+Þ+Y"
.text:0000000180001589 lea rbp, [rsp+28h]
.text:000000018000158E mov [rsp+110h+var_D8], rax
.text:0000000180001593 lea rax, unk_180089E40
.text:000000018000159A mov [rsp+110h+var_D0], rax
.text:000000018000159F lea rax, loc_180006B50
.text:00000001800015A6 mov [rsp+110h+var_C0], rax
.text:00000001800015AB lea rax, unk_18008BE00
.text:00000001800015B2 mov [rsp+110h+var_B8], rax
.text:00000001800015B7 lea rax, loc_18000684C
.text:00000001800015BE mov [rsp+110h+var_A8], rax
.text:00000001800015C3 lea rax, unk_180097C40
.text:00000001800015CA mov [rsp+110h+var_A0], rax
.text:00000001800015CF lea rax, aHilShgHnl@hlSm ; "HëL$\bSHâý HìL$@Hï+Þmè"
.text:00000001800015D6 mov [r11-88h], rcx
.text:00000001800015DD mov [r11-98h], rax
.text:00000001800015E4 lea rax, unk_18008D7C0
.text:00000001800015EB mov [r11-70h], rcx
.text:00000001800015EF mov [r11-90h], rax
.text:00000001800015F6 lea rax, loc_1800047B4
.text:00000001800015FD mov [r11-58h], rcx
.text:0000000180001601 mov [r11-80h], rax
.text:0000000180001605 lea rax, unk_18008E780
.text:000000018000160C mov [r11-40h], rcx
.text:0000000180001610 mov [r11-78h], rax
.text:0000000180001614 lea rax, aHilShgHnl@hlS9 ; "HëL$\bSHâý HìL$@Hï+Þ9×"
.text:000000018000161B mov [r11-28h], rcx
.text:000000018000161F mov [r11-68h], rax
.text:0000000180001623 lea rax, unk_1800978B0
.text:000000018000162A mov [r11-60h], rax
.text:000000018000162E lea rax, aHilShgHgd@ ; "HëL$\bSHâý Hâd$@"
.text:0000000180001635 mov [r11-50h], rax
.text:0000000180001639 lea rax, unk_18008E780
.text:0000000180001640 mov [r11-48h], rax
.text:0000000180001644 lea rax, aHilShgHgd@_0 ; "HëL$\bSHâý Hâd$@"
.text:000000018000164B mov [r11-38h], rax
.text:000000018000164F lea rax, unk_180098130
.text:0000000180001656 mov [r11-30h], rax

This is where I need your assistance again. I've yet to flash my modified bios because it's RSA signed and a modification to the bios will cause a brick. According to the internet, you are the only person who knows how to modify RSA signed bios'. As you can see, I have put in effort to learn how to modify my bios with zero knowledge. If you can advise me how to bypass the start-up check so I can flash my modified bios, I will be extremely grateful.

Once I'm able to flash my modified bios, I'll experiment with strings to see whether or not I can display hidden tabs without having to replace tabs.

[donovan6000]

Unfortunately I don't know how to bypass all the start-up checks yet. Here's what my ressearch has shown. When the bios is flashed via Insyde's flash tool, the PEI is verified and just that part won't be flashed if it has been modified. Everytime the computer starts up, the PEI verifies the DXE and it will halt the boot process if it has been modified. I haven't been able to confirm the existsence of any other start-up checks, however there could be more.

[SEIKT]

Ah, so you still haven't been able to crack the Da Vinci code? Bummer. Wish i could be of assistance, but I know jack Ship. Guess it's only a matter of time before you solve it. Wish you luck.

[anubhav074]

Well i got hp pavilion 1303au.But i want to change the splash screen of my laptop.But got no success til now can you please provide me a modded bios so that i can flash it.

[BDMaster]

Use this tool run It as Admin and upload here the result file :

http://rghost.net/658W4s2SF

http://rghost.net/53128665

Use AIDA64 tool too (cracked version to get FULL REPORT) and upload a Report too

let me know
Regards