How to > HP BIOS MiniPCI Fix- nc6000/others

Don't ask how to hack password. (BIOS Passwords)
Loekie
New visitors - please read the rules.
Posts: 1
Joined: Mon Nov 02, 2009 4:33 pm

Trying to use N-speeds as well I bought an intel 5300, it doesn't work.
I read comments about taping off pin 20 which might work, in what way is this pin counted? Strating with the small piece on the left and then on to the bigger part? or the other way around?
Is it located on the bigger or the smaller part?
nando4
BIOS Rookie
Posts: 46
Joined: Sat Aug 22, 2009 2:44 pm

Loekie wrote:Trying to use N-speeds as well I bought an intel 5300, it doesn't work.
I read comments about taping off pin 20 which might work, in what way is this pin counted? Strating with the small piece on the left and then on to the bigger part? or the other way around?
Is it located on the bigger or the smaller part?
See the mPCIe pinout, using the mechanical key (cutout) as a point of reference.
TomNX6310
New visitors - please read the rules.
Posts: 1
Joined: Wed Nov 04, 2009 9:15 pm

Hello Whitelist-Friends,

first of all thanks to Semi for his work!!!

I am trying to get a Wifi Link 5300 to run on a nx6310.

My first try was to exchange the PCI ID with the new and to correct the checksum using the wake on lan string. The checksum have been corrected (same sum and written green) and flashing was possible. Unfrotunately the screen was blank after reboot and my pulse some beats higher :-) I got the cheapest floppy from my friend Mr. Ebay for 11.28 Euros including shipment and got the bios recovered (pressing the 4 arrow keys when starting the laptop).

I tried it a second time with changing one ID to the new and to balance the checksum with the second ID present in my bios. Same effect.

The third time I just increase one byte by one within the ID and decreased 4 bytes further the byte by one. The checksum was still the same. Also this did not work and the screen remained blank after reboot.

Does anybody succeeded in patching a nx6310 whitelist ==> means I did still something wrong.

I got the fear that there is a second check to the whitelist maybe in newer BIOS revisions...

Best regards,
TomNX6310
stilia.johny
New visitors - please read the rules.
Posts: 1
Joined: Thu Nov 05, 2009 3:02 pm

i have an hp compaq nc6000 and i try to hack hp white list but i cant///
can somebody help me..
i read the article but i cant do some steps..


help me..
kibkalo
New visitors - please read the rules.
Posts: 1
Joined: Sun Nov 08, 2009 10:35 pm

I need help with modding my Elitebook 8530w BIOS.
I do need WiMAX. And I have tried several modules - laptop doesn't turn on, saying about bad WWAN.
So I have a current original BIOS, I know the VEN/DEV IDs.
Can someone help me with exact steps?
nando4
BIOS Rookie
Posts: 46
Joined: Sat Aug 22, 2009 2:44 pm

@kibkalo - *if* you can bootup the system, suspend, attach wifimax card, resume and Device Manager scan sees it, then consider adding a switch to bypass the bios check as shown here.
MiXAL
New visitors - please read the rules.
Posts: 2
Joined: Wed Oct 28, 2009 11:06 am

nando4 wrote:@kibkalo - *if* you can bootup the system, suspend, attach wifimax card, resume and Device Manager scan sees it, then consider adding a switch to bypass the bios check as shown here.
I would like to get similar switch for my WiFi card that is blocked by NC6400's BIOS. Any tips for that?
nando4
BIOS Rookie
Posts: 46
Joined: Sat Aug 22, 2009 2:44 pm

MiXAL wrote: I would like to get similar switch for my WiFi card that is blocked by NC6400's BIOS. Any tips for that?
Switch workaround for BIOS that blocks bootup when sees incompatible wifi card

It *might* be a bit trickier for pci-e than the USB WWAN, since it requires pci-e resources to be allocated by the bios on bootup.

1/ Firstly mask pin 20 to ensure the radio is on all the time. On my 2510P I found I could get around the whitelisting but my radio would be off unless the pin20 was masked.

2/ The pci-e transmit/receive pins are 23,25,31,33 as shown in the mini pci-e pinout. Mask one of those pins, bootup into Windows, suspend system, remove cellophane tape used for masking, resume system, Device Scan. Does it pick up the wifi card? (might get an error 12: cannot allocate resources - if get that error need 3 below).

3/ If Device manager sees the wifi with error 12, then suggest using grub2 as a pci-e fixup prior to boot. grub2 is a bootloader with a cool memory write ability. So it acts between the bios bootup and OS bootup to basically do the same thing the bios does when it sees a whitelist compatible device. See here for an idea of the PCI Bridge Configuration you'd need to set.

If happy using above as a solution, then add a switch to more user friendly masking/unmasking of the wifi pin. I'd suggest masking the pin, but off the edge (no contact with socket), have wire running to your on/off switch, then from switch have a wire going back to the soldered point off the side of the socket pin. A little bit of work, but can be done.

If you've got more time then money could do this, otherwise suggest grabbing a HP wifi card off ebay. Would be good to have a pioneer try this and report there result. It *should* work so long as it's the bios that blocks the bootup. In saying that, HP have more advanced whitelisting in later models. On the 2510P, the bios is somehow settingup the pci-e configuration space so that the OS doesn't even see the wifi card when do a suspend/resume. See the workaround used for that.
gatsu_1981
New visitors - please read the rules.
Posts: 4
Joined: Fri Nov 20, 2009 8:24 pm

Hello, I tried to read the PDF included, and I watched a video, but I really get lost during "whitelist finetuning".
I get a 65% success, then I can select a chunk, but how? Should I immediately copy, 1 click, 3 clicks on next?
If i select a 12 byte chunk and try to find it inside the hex editor, I can't really find anything! I'm stuck before finding the complete VEN/DEV ID.

I have a NC2400 with 68YOP bios, can you please help me?
Old one is an Intel 3965 ABG, newest one is an Atheros 9281.

OLD: PCI\VEN_8086&DEV_4222&SUBSYS_135C103C
NEW: PCI\VEN_168C&DEV_002A&SUBSYS_03031A32

Link for my bios:
http://dl.dropbox.com/u/2491329/Rom.7z

P.s. I'm not asking to do the job for me, if you don't have enough time I will be more than happy to understand the complete process.
I'm a IT student, so learning something new is good :)
gatsu_1981
New visitors - please read the rules.
Posts: 4
Joined: Fri Nov 20, 2009 8:24 pm

BTW.

Already tried pin 20 masking --> can't boot, error 104.

Tried booting without card, entering windows, suspend, putting card in --> card not seen by OS, like it never was inserted.

Tried swapping card --> card perfectly working, Win 7 find it and configure it.

For OSX it would be good enough to swap with a 4311 card, I already tested it and it's in the whitelist, 15€ well-spended.
But I would really like to use my N card, it's really small and I think it would improve even my battery life.
nando4
BIOS Rookie
Posts: 46
Joined: Sat Aug 22, 2009 2:44 pm

A possible alternative to semi's approach. I'd suggest folks do their own testing with the linked bios save/write on their own box to see if they can save the complete bios, use a hexeditor to edit the whitelist, then write it again.

Linux Flashrom + 2510P bios read/write.
gatsu_1981
New visitors - please read the rules.
Posts: 4
Joined: Fri Nov 20, 2009 8:24 pm

Up? No one can give me directions?
Nando4 I have seen your nickname on pretty much every forum bios-related :D
From notebookreview to digitallife!

Have you used this utility for correcting checksum? I can't really understand how to proceed. Video was pretty much different from PDF and both were pretty much different from my case!
semi
BIOS Rookie
Posts: 35
Joined: Mon Oct 27, 2008 6:17 pm
Contact:

Hello Fellows,

I put myself times and the HP Compaq BIOS unpacking
algorithms "reverse engineered". I documented the whole beautifully
and directly packed into a new ADDCC version 3. The whole now is
many more efficiently there also finally the bitmaps completely correctly representably
unpacked become.

Which is NEW?!

- correct unpacking routines were implemented
- appropriate adjustments without the separate .exe files
- that find the Whitelist somewhat one adapted, is now somewhat simpler like before
- the HPQFLASH Patch function was extended with the Patch strings by TTAV134

What is contained of NEW in the package?

- the SOURCE code and explanation for the exact function of the unpacking routines
- adapted Tutorial
- A small HOW to, like one the BIOS Recovery method for its notebook to determine and test can
- some BIOS versions are additional completely unpacked ready for to download also posed

What comes next?

- Perhaps a compression
- Analysis of SLIC tables (only if I get enough assistance and support)
- Reverse engineering of the POST's and determination of the Whitelist function
- Reverse engineering of the rompaq.exe and the determination of the check sums function and the check sums position

Feedback, suggestions, referring to errors or improvements is very desired.

Greetz & Beatz
Semi

Image
tweakertje
New visitors - please read the rules.
Posts: 2
Joined: Sun Dec 06, 2009 11:01 pm

HP 2510P

I'm stuck on finetuning my bios notation.
The notation is 8680294286800111
addcc finds it with a 100% match
after clicking ok the sting is not filled in, original BIOS ID byte String field is blank
whitelist detection is set to decompressed whitelist on patched bios
copy paste dosn't work
I used addcc v 3

anny idea's
semi
BIOS Rookie
Posts: 35
Joined: Mon Oct 27, 2008 6:17 pm
Contact:

Hey tweakertje,

thats normal. If you checked "search in ... decompressed whitelist" its only
for the detection of the whitelist to watch and know there. If you take 12 Bytes from
the decompressed whitelist for changing it in your compressed bios file, it would
make no sense. Cause you cant find and change them in the compressed file.
Therefore I have removed this feature for this situation.

Take the first entrie from the decompressed whitelist, insert into BIOS notation
and check "search in ... compressed Whitelist". You have to found an ID which is
not compressed to change all your new eight bytes.
->E41411433C106313 -> FEC100E41411433C10635513

Code: Select all

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00002510  C3 E4 14 11 43 3C 10 63 13 E4 14 11 43 3C 10 65  Ãä..C<.c.ä..C<.e
00002520  13 E4 14 11 43 3C 10 64 13 E4 14 12 43 3C 10 60  .ä..C<.d.ä..C<.`
00002530  13 E4 14 12 43 3C 10 62 13 E4 14 12 43 3C 10 61  .ä..C<.b.ä..C<.a
00002540  13 86 80 22 42 3C 10 5B 13 86 80 22 42 3C 10 5C  .†€"B<.[.†€"B<.\
00002550  13 86 80 22 42 3C 10 5E 13 86 80 22 42 3C 10 5D  .†€"B<.^.†€"B<.]
00002560  13 86 80 22 42 3C 10 5F 13 86 80 22 42 86 80 05  .†€"B<._.†€"B†€.
00002570  10 86 80 22 42 86 80 34 10 86 80 22 42 86 80 00  .†€"B†€4.†€"B†€.
00002580  10 86 80 22 42 86 80 01 10 86 80 22 42 86 80 02  .†€"B†€..†€"B†€.
00002590  10 86 80 22 42 86 80 03 10 86 80 22 42 86 80 04  .†€"B†€..†€"B†€.
000025A0  10 E4 14 28 43 3C 10 66 13 E4 14 28 43 3C 10 67  .ä.(C<.f.ä.(C<.g
000025B0  13 E4 14 28 43 3C 10 68 13 E4 14 12 43 3C 10 70  .ä.(C<.h.ä..C<.p
000025C0  13 E4 14 12 43 3C 10 71 13 E4 14 12 43 3C 10 72  .ä..C<.q.ä..C<.r
000025D0  13 E4 14 11 43 3C 10 74 13 E4 14 11 43 3C 10 75  .ä..C<.t.ä..C<.u
000025E0  13 E4 14 11 43 3C 10 76 13 86 80 29 42 86 80 00  .ä..C<.v.†€)B†€.
000025F0  10 86 80 29 42 86 80 01 10 86 80 29 42 86 80 02  .†€)B†€..†€)B†€.
00002600  10 86 80 29 42 86 80 03 10 86 80 29 42 86 80 00  .†€)B†€..†€)B†€.
00002610  11 86 80 29 42 86 80 01 11 86 80 29 42 86 80 02  .†€)B†€..†€)B†€.
00002620  11 86 80 29 42 86 80 03 11 86 80 29 42 86 80 04  .†€)B†€..†€)B†€.
00002630  11 66 50 53 51 52 56 57 33 F6 B8 79 EA B3 00 68  .fPSQRVW3ö¸yê³.h
But why you searching for the decompressed whitelist with an ID? The ADDCC v3 found exactly
the position. In 68MSP_FOE_2510P.BIN the whitelist end is at 0x2632

Cheers Semi
Post Reply