In August, I requested the modification of my HP Envy 4 F.25 bios but received no response. So I asked for someone to show me how to mod my bios myself. I received a reply from you Donovan, this is what you said...
So I followed your tutorial and attempted to learn how to modify my bios. I now know how to unlock the advanced/power tabs in my bios. This is what I did.... I located the tab addresses of my bios tabs.
I have replaced the tab address of the security tab with the tab address of the advanced tab.
This is where I need your assistance again. I've yet to flash my modified bios because it's RSA signed and a modification to the bios will cause a brick. According to the internet, you are the only person who knows how to modify RSA signed bios'. As you can see, I have put in effort to learn how to modify my bios with zero knowledge. If you can advise me how to bypass the start-up check so I can flash my modified bios, I will be extremely grateful.
Once I'm able to flash my modified bios, I'll play experiment with strings to see whether or not I can display hidden tabs without having to replace tabs.
(08-28-2014 04:25 AM)donovan6000 Wrote:(08-27-2014 08:02 AM)SEIKT Wrote: Anyone? If you can instruct me how to do it myself, I'll do it myself.
A lot of people start here. However a lot of people also give up there...
So I followed your tutorial and attempted to learn how to modify my bios. I now know how to unlock the advanced/power tabs in my bios. This is what I did.... I located the tab addresses of my bios tabs.
Code:
Viewable tabs:
0x18009813F = Tab address = 180098130 = Main (0x4 from string package 0x0)
0x180097D8F = Tab address = 180097D80 = Security (0x3C from string package 0x0)
0x180089E4F = Tab address = 180089E40 = System Configuration (0x62 from string package 0x0)
0x180097B7F = Tab address = 180097B70 = Exit (0x184 from string package 0x0)
Hidden tabs:
0x18008E78F = Tab address = 18008E780 = Advanced (0x1D7 from string package 0x0)
0x18008BE0F = Tab address = 18008BE00 = Power (0x411 from string package 0x0)
0x180097C4F = Tab address = 180097C40 = Diagnostics (0x48 from string package 0x0)
0x1800978BF = Tab address = 1800978B0 = Main (0xFE from string package 0x0)
0x18008D7CF = Tab address = 18008D7C0 = Security (0x12E from string package 0x0)
I have replaced the tab address of the security tab with the tab address of the advanced tab.
Code:
.text:000000018000153C mov r11, rsp
.text:000000018000153F mov [r11+18h], rbx
.text:0000000180001543 push rbp
.text:0000000180001544 push rsi
.text:0000000180001545 push rdi
.text:0000000180001546 sub rsp, 100h
.text:000000018000154D lea rcx, unk_18001EBC0
.text:0000000180001554 lea rax, aHilShgHnl@hlSx ; "HëL$\bSHâý HìL$@Hï+ÞÕU"
.text:000000018000155B xor esi, esi
.text:000000018000155D mov [rsp+110h+var_F0], rax
.text:0000000180001562 mov [rsp+110h+var_E0], rcx
.text:0000000180001567 mov [rsp+110h+var_C8], rcx
.text:000000018000156C mov [rsp+110h+var_B0], rcx
.text:0000000180001571 mov [rsp+110h+var_98], rcx
.text:0000000180001576 lea rax, unk_180097B70
.text:000000018000157D mov [rsp+110h+var_E8], rax
.text:0000000180001582 lea rax, aHilShgHnl@hlSY ; "HëL$\bSHâý HìL$@Hï+Þ+Y"
.text:0000000180001589 lea rbp, [rsp+28h]
.text:000000018000158E mov [rsp+110h+var_D8], rax
.text:0000000180001593 lea rax, unk_180089E40
.text:000000018000159A mov [rsp+110h+var_D0], rax
.text:000000018000159F lea rax, loc_180006B50
.text:00000001800015A6 mov [rsp+110h+var_C0], rax
.text:00000001800015AB lea rax, unk_18008BE00
.text:00000001800015B2 mov [rsp+110h+var_B8], rax
.text:00000001800015B7 lea rax, loc_18000684C
.text:00000001800015BE mov [rsp+110h+var_A8], rax
.text:00000001800015C3 lea rax, unk_180097C40
.text:00000001800015CA mov [rsp+110h+var_A0], rax
.text:00000001800015CF lea rax, aHilShgHnl@hlSm ; "HëL$\bSHâý HìL$@Hï+Þmè"
.text:00000001800015D6 mov [r11-88h], rcx
.text:00000001800015DD mov [r11-98h], rax
.text:00000001800015E4 lea rax, unk_18008D7C0
.text:00000001800015EB mov [r11-70h], rcx
.text:00000001800015EF mov [r11-90h], rax
.text:00000001800015F6 lea rax, loc_1800047B4
.text:00000001800015FD mov [r11-58h], rcx
.text:0000000180001601 mov [r11-80h], rax
.text:0000000180001605 lea rax, unk_18008E780
.text:000000018000160C mov [r11-40h], rcx
.text:0000000180001610 mov [r11-78h], rax
.text:0000000180001614 lea rax, aHilShgHnl@hlS9 ; "HëL$\bSHâý HìL$@Hï+Þ9×"
.text:000000018000161B mov [r11-28h], rcx
.text:000000018000161F mov [r11-68h], rax
.text:0000000180001623 lea rax, unk_1800978B0
.text:000000018000162A mov [r11-60h], rax
.text:000000018000162E lea rax, aHilShgHgd@ ; "HëL$\bSHâý Hâd$@"
.text:0000000180001635 mov [r11-50h], rax
.text:0000000180001639 lea rax, unk_18008E780
.text:0000000180001640 mov [r11-48h], rax
.text:0000000180001644 lea rax, aHilShgHgd@_0 ; "HëL$\bSHâý Hâd$@"
.text:000000018000164B mov [r11-38h], rax
.text:000000018000164F lea rax, unk_180098130
.text:0000000180001656 mov [r11-30h], rax
This is where I need your assistance again. I've yet to flash my modified bios because it's RSA signed and a modification to the bios will cause a brick. According to the internet, you are the only person who knows how to modify RSA signed bios'. As you can see, I have put in effort to learn how to modify my bios with zero knowledge. If you can advise me how to bypass the start-up check so I can flash my modified bios, I will be extremely grateful.
Once I'm able to flash my modified bios, I'll play experiment with strings to see whether or not I can display hidden tabs without having to replace tabs.