Difference between revisions of "HP BIOS Hacking"

From wiki.N4VX.net
Revision as of 02:12, 10 May 2020

BIOS Hacking

Using the Bus Pirate I have been successful in recovering several HP ProBook laptops that have BIOS Administrator passwords set. Below is a rough outline of the process.

[Image: 25L6406e.jpg]
  • Gain physical access to the BIOS chip and identify the manufacturer and model number of the IC. Mine was a 25L6406E, YMMV.
  • Obtain a datasheet for your particular IC and determine the pinout for all the pins required for flashing.
  • Connections
  • The table below shows how a typical SPI flash chip (sitting in the center of the table) needs to be connected. NB: not all flash chips feature all of the pins below, but in general you should always connect every input pin of an IC to some defined potential (usually GND or VCC), ideally with a pull-up/down resistor in between.

  Description            Bus Pirate   Pin  Flash chip   | Flash chip    Pin  Bus Pirate   Description
  (not) Chip Select      CS           1    /CS          | VCC           8    +3.3v        Supply
  Master In, Slave Out   MISO         2    DO (IO1)     | /HOLD (IO3)   7    +3.3v        (not) hold (see datasheets)
  (not) Write Protect    +3.3v        3    /WP (IO2)    | CLK           6    CLK          The SPI clock
  Ground                 GND          4    GND          | DI (IO0)      5    MOSI         Master Out, Slave In

    • Most SPI flash chips require a 3.3V supply voltage, but some models use e.g. 1.8V. Make sure the device in question is compatible before connecting any wires. NB: some rather rare SPI flash chips (e.g. the Atmel AT45DB series) have a completely different layout, so beware.
    • I have found that you do not need to connect the Vcc lines on any of the pins indicated if you let the laptop's power supply provide the proper regulated voltage. If you use a genuine HP power supply and do not have the battery connected, it may detect the absence of the battery and turn off the power supply after a few seconds. Also, if you use an aftermarket supply with poor voltage regulation or noise, you may get inconsistent reads and SHOULD NOT flash your BIOS over SPI if this is the case.
  • Reading
$ flashrom -p buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M -r flash.bin
    • You will have to specify your Bus Pirate device (/dev/whatEVER). You can probably find it with a quick dmesg.
    • You must also specify your output file (-r flash.bin). This will become important in the next step.
  • Use the above command (modified with your proper device and output filename) and start the first read. You should get moderately verbose output from flashrom indicating that it has begun the read process; it will take quite a while (sometimes over 30 minutes) to extract the binary contents of the flash IC to your specified file.
  • If the read was successful, change the output filename to something like flash.1.bin and do it again.
$ flashrom -p buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M -r flash.1.bin
  • Now you should have two identical binary files if your reads were valid. Let's check.
$ md5sum ./*.bin

If you cannot get consistent reads, DO NOT WRITE!! You have been warned. My suggestion is to make sure you can get, at a minimum, THREE full binary reads that have the same checksum. If you cannot do this, you may have to resort to supplying the proper Vcc to the chip externally with proper regulation. DO SO AT YOUR OWN RISK.
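The read-compare loop above, automated as a POSIX shell script. This is an added example, not part of the wiki page: it assumes flashrom is on PATH, that the Bus Pirate device path is given in the BP_DEV environment variable (defaulting to /dev/ttyUSB0), and the function and file names are my own. It performs COUNT reads and refuses to report success unless every dump is non-empty and has the same md5 checksum.

```shell
#!/bin/sh
# Added example (not the wiki's own script). Repeatedly dump the SPI flash with
# flashrom over the Bus Pirate and require identical checksums before any write
# is even considered. Names (reads_consistent, read_flash_n, BP_DEV) are assumed.

# reads_consistent FILE... -> exit 0 if at least two files exist, are non-empty,
# and all share one md5sum; exit 1 otherwise.
reads_consistent() {
    [ "$#" -ge 2 ] || return 1          # one dump proves nothing; need two or more
    first=""
    for f in "$@"; do
        [ -s "$f" ] || return 1         # missing or empty dump is never consistent
        sum=$(md5sum "$f" | cut -d' ' -f1)
        if [ -z "$first" ]; then
            first=$sum
        elif [ "$sum" != "$first" ]; then
            return 1                    # checksum mismatch: flaky SPI read
        fi
    done
    return 0
}

# read_flash_n COUNT PREFIX -> runs flashrom COUNT times, writing
# PREFIX.0.bin .. PREFIX.(COUNT-1).bin, then checks the dumps against each other.
# Exit 2 if any flashrom invocation fails, 1 if dumps differ, 0 if all match.
read_flash_n() {
    count=$1; prefix=$2; files=""; i=0
    while [ "$i" -lt "$count" ]; do
        out="$prefix.$i.bin"
        flashrom -p "buspirate_spi:dev=${BP_DEV:-/dev/ttyUSB0},spispeed=1M" \
                 -r "$out" || return 2
        files="$files $out"
        i=$((i + 1))
    done
    # shellcheck disable=SC2086  # intentional word splitting of the file list
    reads_consistent $files
}

# Only talk to hardware when explicitly asked (RUN_FLASH_READS=1 ./verify_reads.sh).
if [ "${RUN_FLASH_READS:-0}" = "1" ]; then
    if read_flash_n 3 flash; then
        echo "3 consistent reads of the flash: checksums match"
    else
        echo "reads failed or differ: DO NOT WRITE" >&2
        exit 1
    fi
fi
```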

I hope to start a small library of BIOS binaries for the models I have recovered and the procedure used to recover a locked system.

HP ProBook & EliteBook

EliteBook Revolve 810

ProBook 6470b

ProBook 6560b

Sources