research_log_02 // HP Pavilion BIOS Unlock
FK'ed up Security. Use RunTime Patch S.R.E.P.
01 TARGET_SYSTEM
| Model | HP Pavilion 16 (Not Omen) |
| Platform | Intel Comet Lake (LPC: 68D) |
| Flash Chip | GigaDevice GD25B128C (16MB) |
| Chip ID | 0xC84018 |
| BIOS Type | AMI Aptio V UEFI (HP Custom) |
| ME Version | 14.1, Build 2287, Hot Fix 72 |
| BIOS Revision | F.31 |
| Boot Guard | Enabled (per HWiNFO) |
| HP Sure Start | Not Present |
02 PRIMARY_OBJECTIVE
Unhide Advanced and Chipset tabs to access critical tuning parameters.
Modification Log v.1.0
| Setting | VarStore | Offset | Outcome |
|---|---|---|---|
| CFG Lock | CpuSetup (0x11) | 0x3E | ✓ Disabled (Persists) |
| Overclocking Lock | CpuSetup (0x11) | 0xDA | ✓ Disabled (Persists) |
| OC Performance Menu | CpuSetup (0x11) | 0x1B7 | ✓ Enabled (Persists) |
| RTC Memory Lock | PchSetup (0x17) | 0x16 | ✓ Disabled (Persists) |
| BIOS Guard | CpuSetup (0x11) | 0xDB | Off by Default |
| BIOS Lock | PchSetup (0x17) | 0x17 | Persists (Ignored by HW) |
| FPRR Protection | PchSetup (0x17) | 0x6DD | Persists (Ignored by HW) |
| SPD Write Disable | PchSetup (0x17) | 0x6DB | ✓ Enabled |
| ME State | MeSetupStorage (0x19) | 0x2 | Set to Disabled |
| ME FW Image Reflash | MeSetup (0x18) | 0x5 | ✗ Reverts on Reboot |
| SystemAccess | SystemAccess (0x4) | 0x0 | ✗ Reverts on Reboot |
| Advanced Settings | Setup (0x1) | 0x443 | ✓ Persists |
| SPI Controller (PRR) | PCI 00:1F:05 | 0xDC | Write Protected (0x88) |
VarStore Reference
Primary VarStores
| ID | Name | Size |
|---|---|---|
| 0x1 | Setup | 0x179C |
| 0x4 | SystemAccess | 0x1 |
| 0x11 | CpuSetup | 0x2B0 |
| 0x14 | CpuSmm | 0x7 |
| 0x16 | SaSetup | 0x21C |
| 0x17 | PchSetup | 0x6EC |
| 0x18 | MeSetup | 0x2E |
| 0x19 | MeSetupStorage | - |
HP OEM Variables
GUID: 0EE72C08-8185-427A-A58A-855B78B7BA0B
Phantom Variables (Never Initialized)
Deep Dive Analysis
Analysis of IFR reveales why edits failed. HP suckers uses hardcoded suppression opcodes rather than variable checks for top-level menus.
VIEW FULL IFR DUMP0x2AD0B: Form FormId: 0x2710, Title: "Setup" 0x2AD11: Ref Prompt: "Main", FormId: 0x2711 // VISIBLE ; The Advanced Tab Logic 0x2AD20: SuppressIf {0A 82} 0x2AD22: True {46 02} <-- HARDCODED TRUE 0x2AD24: Ref Prompt: "Advanced", FormId: 0x2712 0x2AD33: End {29 02} ; The Chipset Tab Logic 0x2AD35: SuppressIf {0A 82} 0x2AD37: True {46 02} <-- HARDCODED TRUE 0x2AD39: Ref Prompt: "Chipset", FormId: 0x2713 0x2AD48: End {29 02} ; The Security Tab Logic 0x2AD4A: SuppressIf {0A 82} 0x2AD4C: True {46 02} <-- HARDCODED TRUE 0x2AD4E: Ref Prompt: "Security", FormId: 0x2714 0x2AD5D: End {29 02} 0x2AD5F: Ref Prompt: "Boot", FormId: 0x2715 // VISIBLE 0x2AD6E: Ref Prompt: "Save & Exit", FormId: 0x2716 // VISIBLE
The "Hardcoded" Issue
The suppression opcode 0A 82 is immediately followed by 46 02 (True).
This means the condition to hide the menu is always returns true. It doesn't check NVRAM variables like SystemAccess or DynamicPageCount — it's a constant boolean.
Requires Binary Patch
The Catch
This patch requires modifying the BIOS image. But FPT flash is blocked by hardware PRR. So its Useless
The END: FPT Flash Error 167
FPT_DUMP
SUCCESS
--- Flash Devices Found ---
GD25B128C ID:0xC84018 Size: 16384KB (131072Kb)
Using hardware sequencing.
Reading region information from flash descriptor.
Base: 0x00000000, Limit: 0x00000FFF
Base: 0x00380000, Limit: 0x00FFFFFF
Base: 0x00001000, Limit: 0x0037FFFF
DumpFlashToFile (biosreg7_garbage.bin, 0x380000, 0xc80000)...
- Reading Flash [0x1000000] 12800KB of 12800KB
- 100 percent complete.
Writing flash contents to file "biosreg7_garbage.bin"...
Memory Dump Complete
FPT Operation Successful.
FPT Operation Successful.
FPT_WRITE_ATTEMPT
FAILED> fptw64.exe -bios -f bios_efi1.bin -verbose LPC Device Id: 68D Platform: Cometlake Platform FW Status Register1: 0x90000245 FPRval 0xE2AFF8A8 BIOS space write protection is Enabled [quite idiotic] BIOS space write protection is Disabled Flash protection range is Enabled Error 167: Protected Range Registers are currently set by BIOS, preventing flash access. Please contact the target system BIOS vendor for an option to disable Protected Range Registers. > FPT Operation Failed.
Research: The BBUpdate Vector
The HP_BBUpdate Anomaly
Forum findings (WinRaid/Level1Techs) pointed to hp_bbupdate as a potential exploit vector. Analysis of the firmware dump confirmed duplicate GUIDs — a quirk shared with vulnerable HP Omen series laptops.
GUID: 5C0203AC-5118-4952-9AAE-614AAE683FD4
→ hp_bbupdate_loader (PEI Module)
GUID: 94F994D5-4F3D-4FA6-BDA1-D398C3B0BB8F
→ hp_bbupdate (PEI Module)
GUID: 5AF2FFE6-82F4-4CD4-AAA8-7BE868691FC1
→ hpcrisisrecovery (PEI Module)
Note: Same GUIDs appear twice in firmware dump
The HP_BBUpdate module runs early in PEI phase and validates BIOS integrity. Patching it requires disabling signature verification — but Boot Guard prevents even that. Fk Boot Gaurd Honestly.
The FIX: Runtime Patching
// Thx @sweet_kittenSmokeless Runtime EFI Patcher
Since R/W to the flash chip was physically blocked by hardware PRR, the solution was an Runtime Patch. S.R.E.P patches the BIOS code as it loads into RAM during boot — completely bypassing the flash chip.
- >>> Bypasses Flash Protection (PRR) entirely Good Enough
- >>> Patches Amitse Dxe Driver
- >>> Loads via USB stick in UEFI Shell - As it Pushes a Driver Entry
- >>> Non-persistent (reverts on cold boot)
Specific patch for HP 68D F.31 BIOS required.
Advanced Menu
UNLOCKED
Evidence Log
TL;DR & Conclusion
1. Extracted complete IFR dump — Checked Advanced/Chipset/Security menus exist but are hidden via hardcoded TRUE suppression.
2. DynamicPageCount variables are phantom — defined in IFR but never initialized in NVRAM.
3. Mapped all VarStores. Successfully disabled CFG Lock, Overclock Lock, and RTC Memory Lock via offsets.
4. FPT write blocked by Error 167 — PRR set by initialization code.
5. HP_BBUpdate research: Duplicate GUIDs found, but Boot Guard prevents module patching.
Solution: Smokeless Runtime EFI Patcher (SREP) patches IFR in RAM — Advanced menu unlocked!