#16 RE: HP RSA signature protection theory of Zbooks by sagael 21.08.2021 06:07

@Sweet Kitten didn't know, do you have a link for more information? I am interested in limiting the vram of the igpu

#17 RE: HP RSA signature protection theory of Zbooks by bigguygeo 21.08.2021 23:10

Okay, I got partial success: we have 10 RSA 256-byte keys.

The theory:
1 key protects the EC firmware and is checked by the bootloader subprogram: if this one is fine, then the firmware will be loaded.
5-6 keys protect volumes and the checking is done by the firmware; if they are okay, then the EC will start the system.
The next keys are validated by the CPU, and the concept is as follows: all previous keys are protected by the other keys. If the whole sequence is okay, then the system will POST and continue to boot.


What I have done?


The theory is based on this: I took a volume from the update and copied the RSA and the volume to the BIOS dump. The result was better than the previous one: the CPU voltages rise and the USB voltages too.


In a few days I will receive a logic analyzer and will capture the SPI read sequence to the EC, then capture the chipset read sequence from the EC.

I want to confirm that the BIOS chip transfers data to the chipset through the EC (Embedded Controller).


Almost forgot to add: the firmware RSA is not protected by other keys: I have replaced the firmware from different updates.

And the firmware doesn't read the SPI labeled EC on the logic board; the firmware only checks if this one is present there.
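
The staged verification theorized in post #17, modeled as an added example (not part of the original post and not HP's implementation). The toy RSA key, the single shared key, the stage names and version "01.50" are constructed assumptions; the model shows where a chain halts when a payload is edited and why a stage copied together with its signature from another official update still verifies.

```python
import hashlib

# Constructed toy RSA key built from two Mersenne primes; illustration only,
# far too small for real use and not any key from the thread.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

# Hypothetical stage order, following the theory in the post.
STAGES = ["ec_firmware", "volume_a", "volume_b"]

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(data: bytes) -> int:
    """Vendor side: textbook RSA over a SHA-256 digest (no padding)."""
    return pow(digest(data), D, N)

def verify(data: bytes, sig: int) -> bool:
    return pow(sig, E, N) == digest(data)

def build_image(version: str) -> dict:
    """Constructed 'official update': every stage carries its own signature."""
    image = {}
    for name in STAGES:
        payload = f"{name} {version}".encode()
        image[name] = (payload, sign(payload))
    return image

def boot(image: dict) -> str:
    """Verify stages in order; report the first failure, else 'POST'."""
    for name in STAGES:
        payload, sig = image[name]
        if not verify(payload, sig):
            return f"halt at {name}"
    return "POST"

def patched(image: dict, name: str) -> dict:
    """Copy of image with one stage's payload edited, signature unchanged."""
    out = dict(image)
    payload, sig = image[name]
    out[name] = (payload + b" modified", sig)
    return out

def transplanted(image: dict, donor: dict, name: str) -> dict:
    """Copy of image with one stage and its signature taken from donor."""
    out = dict(image)
    out[name] = donor[name]
    return out
```
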

#18 RE: HP RSA signature protection theory of Zbooks by bigguygeo 22.08.2021 01:44

Early mapping of spi signals. (incorrect)

Will look for boardview of hp SureStart logic boards. Interesting how spi is connected to other ICs.


adding board view of laptop with similar EC controller

#19 RE: HP RSA signature protection theory of Zbooks by bigguygeo 22.08.2021 20:17

Today I received an SPI logic analyzer and am planning to do the capture sequence next week.

Example tutorial:
https://youtu.be/EXcSlo9EDTU

#20 RE: HP RSA signature protection theory of Zbooks by bigguygeo 22.08.2021 21:19

Also, the BIOS ROM contains TPM firmware and is connected to that IC.



https://arstechnica.com/gadgets/2021/08/...-in-30-minutes/


https://www.youtube.com/watch?v=NFQ22SBlejk

#21 RE: HP Sure Start RSA signature protection theory of Zbooks by bigguygeo 24.08.2021 22:16

Found another utility driver to dump ram

https://github.com/SamuelTulach/EfiDump

This will help to analyze which parts of the BIOS are in RAM.


#22 RE: HP Sure Start RSA signature protection theory of Zbooks by bigguygeo 25.08.2021 10:12

After a short RAM dump I was able to identify many PEI drivers and programs from the BIOS. Also, parts of the EC firmware are actually x86 subprograms, so the EC firmware becomes easier to understand.

Still need help with capturing SPI BIOS ROM reads from two sequences: AC plug-in, power-on with healthy BIOS and non-healthy.

A 100 MHz analyzer is needed.

Also need help with reverse engineering of ARM programs, and possibly soon we will return modding ability to the BIOS :)

#23 RE: HP Sure Start RSA signature protection theory of Zbooks by User32 26.08.2021 02:26

Bless this fucking man for giving HP and DRM crippleware the middle finger! Say no to encrypted/locked down BIOSes!

#24 RE: HP Sure Start RSA signature protection theory of Zbooks by bigguygeo 07.09.2021 14:16

A good article:

https://habr.com/ru/post/185764/

#25 RE: HP Sure Start RSA signature protection theory of Zbooks by bigguygeo 07.09.2021 15:42

ProductionSignedBiosSmm / ProductionSignedBiosDxe



ENTIRE BIOS:
The BIOS begins at address 700000h






RSA SIGN KEYS BASED ON ZBOOK G3 153 BIOS UPDATE
(HP Notebook System BIOS 01.53 Rev.A)


KEY 01 (BOOTLOADER?)

Offset at update: 47C184
Offset at update (second): 701184

Offset at ENTIRE BIOS: B7C184
Offset at ENTIRE BIOS:(second): E01184

 




KEY 02 (EC FIRMWARE)

Offset at update: 43C208
Offset at update (second): 6C1208

Offset at ENTIRE BIOS: B3C208
Offset at ENTIRE BIOS:(second): DC1208

 







KEY 03 (Padding1_Volumes)

Offset at update: 48030
Offset at update (second):

Offset at ENTIRE BIOS: 48030 + 700000 = 748030
Offset at ENTIRE BIOS:(second):

 





KEY 04 (Padding1_Volumes)

Offset at update: 48378
Offset at update (second):

Offset at ENTIRE BIOS: 748378
Offset at ENTIRE BIOS:(second):


 





KEY 05 (Padding1_Volumes)
(Appears more than one time)

Offset at update: 48478
Offset at update (second):

Offset at ENTIRE BIOS: 748478
Offset at ENTIRE BIOS:(second):


 




KEY 06 (Padding1_Volumes)

Offset at update: 48578
Offset at update (second):

Offset at ENTIRE BIOS: 748578
Offset at ENTIRE BIOS:(second):


 





KEY 07 (Padding2_Volumes)

Offset at update: 3F4030
Offset at update (second): 679030

Offset at ENTIRE BIOS: AF4030
Offset at ENTIRE BIOS:(second): D79030

 
 




KEY 08 (Padding2_Volumes)

Offset at update: 3F4130
Offset at update (second): 679130

Offset at ENTIRE BIOS: 3F4130
Offset at ENTIRE BIOS:(second): D79130


 
 



KEY 09 (Padding2_Volumes)

Offset at update: 3F4378
Offset at update (second): 679378

Offset at ENTIRE BIOS: AF4378
Offset at ENTIRE BIOS:(second): D79378


 




KEY 10 (Padding2_Volumes) (Appears second time)

Offset at update (first): 48478
Offset at update (second): 3F4478
Offset at update (third): 679478

Offset at ENTIRE BIOS(first): 748478
Offset at ENTIRE BIOS(second): AF4478
Offset at ENTIRE BIOS(third): D79478


 
 



KEY 11 (Padding2_Volumes)

Offset at update (first): 3F4578
Offset at update (second): 43C008
Offset at update (third): 679578
Offset at update (fourth): 6C1008

ALSO AT FILE: Section_PE32_image_492522E7-FE60-4361-A463-A237A5A5F397_0292

Offset at ENTIRE BIOS(first): AF4578
Offset at ENTIRE BIOS(second): B3C008
Offset at ENTIRE BIOS(third): D79578
Offset at ENTIRE BIOS(fourth): DC1008

 









The other 2-3 keys could be hidden inside of volumes, so I will leave some space to continue

#26 RE: HP Sure Start RSA signature protection theory of Zbooks by Blossomcrown 08.11.2021 01:40


Just a thought, bigguygeo, have you tried to contact or coordinate with the Coreboot community?
IIRC they made some progress on the EliteBook/ZBook embedded controller to enable that open source firmware to run on them.
You are doing something meaningful but pretty hard, what a man!
