
4530S BIOS Backup and Repair [Hardware Mod]

With the new BIOS release I wanted to point out how relatively easy it is to repair the chip on our Probook motherboards in case you are the unlucky one and spilled the drink on it.

IC used:

4330S - MX25L3206E (confirmed)
4530S - MX25L3206E (confirmed)
4570S - MX25L3206E (not-confirmed)
4430S - MX25L3205D (not-confirmed)
4540S - Winbond W25Q64FVSIG (confirmed)


MX25L3206E

size= 4MiB (4mebiBytes)
package= 8-pin SOP 200(208)mil


Programmer:
Any programmer that supports SPI Flash MX25L3205D/MX25L3206E with 200(208)mil SOIC8 adapter.


Memory Map:

000000h-17FFFFh Random Data
180000h-3FFFFFh 68SRR.BIN


Programming:

Please take a picture of the personal data displayed by pressing the F1 key during bootup. Using the raw update image (68SRR.bin) will result in loss of personalized laptop data and may require some tools from another site. It's better to take snapshots of different versions with the original chip while moving from older revisions F.0A->F.20->F.29

Pre-programmed chips: ebay.
 

Attachments: 4530S.jpg, 4530S1.jpg, 4530S2.jpg

First of all, THANK YOU big donkey for the information you put in this thread. You have provided me with some of the puzzle pieces to overcome a recent laptop problem. I just want to add some information that might help other hackintoshers.

I recently bought a used Probook 4330s with most parts missing and a broken screen. When I got it up and running, I found a password on BIOS. I tried all obvious password guesses but no luck. Technically, HP could generate a file from my UUID which when dropped into a USB key root, will break the password protection. However, I contacted them and they said I needed a new motherboard as this computer is out of warranty and they will not help me. So ...... I know chips can be flashed, but I have only ever flashed old 27C256 eeproms that my motorcycle ECU uses. After some, well lots of googling, I found this thread that fixed me onto the path of attempting to kill the password by flashing the BIOS chip.

I dismantled the computer to try and find the BIOS chip. Luckily I found exactly what big donkey has already described, a Macronix MX25L3206E 32 megabit SPI flash device in a SOP8 package. So now I started researching methods of communicating directly with the chip. You can buy commercial off the shelf solutions for flashing SPI, but I was doing this on a budget.

I started work using an Arduino Duemilanove programmable device. There were a few problems with this such as it runs on 5V signals and the BIOS chip uses 3.3v. I'm sure I could have succeeded with the Arduino, but I know somebody with a mbed NXP LPC1768, and best of all they were not using it. This device is very fast, runs on 3.3v, is programmed using C++ and has local 2Mb storage which gets seen as a USB key by other computers. Just the job.

I set about soldering 8 kynar wires to the chip's legs and these went to a header that can be plugged into breadboard. It is quite simple to wire up this header to the mbed NXP. All the information is in the Datasheet for the BIOS chip and the NXP.

So having never programmed any C++ before (or any language since ZX Spectrum BASIC 20 years ago), I had a steep learning curve. I didn't need to do anything too complicated as the mbed NXP already has an SPI library. I wrote a small program that sends the correct command for reading out the chip memory to the mbed and the received data is then sent back to the PC using serial to be displayed as ASCII in a terminal window. Once this was working consistently, I wrote a program to dump the entire 4Mb BIOS. This turned out to be 4 programs because the mbed only has 2Mb of local storage and some of that is taken up by programs. I ended up with 4x1Mb files that were joined together using "sudo cat B1.bin B2.bin B3.bin B4.bin > BIOS.bin".

...... continued
 
I searched through the entire BIOS file and found a few areas of text such as "HP Bios User 00 BIOS Administrator" in what appeared to be a table. Between these references are strings of data which always end with "AA 55 7F". I made an educated guess that the strings of data contained the encrypted password. There was no obvious ASCII password in memory. So I chose to write 0x00 to three of these strings. Well I expected a bricked laptop and to have to reflash the entire BIOS from my captured BIOS.BIN. But …… it worked! First time! :)

If you need to do this yourself, the ranges are:

0x3113BE to 0x3113D1 inclusive
0x311434 to 0x311464 inclusive
0x3114AF to 0x3114C2 inclusive

This did take me a long time, but I was looking for a project that stretched me and re-introduced me to programming and electronics. I hope this is of use to somebody here.
 
Very interesting. I didn't have luck with direct reading and writing to the chip and opted out for removing/outside programming. As you see on the picture that can be done on 4530S without laptop disassembly.
How long were your wires? Do you have any pictures to post? Any additional info will be useful.

Users on mydigitallife working with hpset14b.exe program were able to restore most information seen during F1 key press. It is stored in unencrypted area of the BIOS chip. It is quite possible that the password is stored there as well. Maybe someone in spare time will dump the chip before and after to do diff on it.
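
The before/after comparison suggested in the post above, as an added example that is not part of the original thread: it reports which byte ranges differ between two full dumps and labels each range with the region from the memory map in the first post. It assumes both dumps are complete 4 MiB reads of the MX25L3206E; the function names, the `merge_gap` parameter and the sample dumps are constructed for illustration.

```python
"""Added example: list the byte ranges that differ between two flash dumps."""
FLASH_SIZE = 4 * 1024 * 1024            # MX25L3206E is 4 MiB (first post)
REGIONS = [                             # memory map from the first post
    (0x000000, 0x17FFFF, "random data"),
    (0x180000, 0x3FFFFF, "68SRR.BIN"),
]
BLOCK = 4096                            # compare block-wise, scan only changed blocks

def region_of(offset):
    for start, end, name in REGIONS:
        if start <= offset <= end:
            return name
    return "outside map"

def diff_dumps(before, after, merge_gap=0):
    """Return inclusive (first, last, region) ranges where the dumps differ."""
    # Changes up to merge_gap unchanged bytes apart merge; never across regions.
    for label, blob in (("before", before), ("after", after)):
        if len(blob) != FLASH_SIZE:     # a short or padded read is not a usable dump
            raise ValueError(f"{label} dump is {len(blob)} bytes, expected {FLASH_SIZE}")
    ranges = []
    for base in range(0, FLASH_SIZE, BLOCK):
        a, b = before[base:base + BLOCK], after[base:base + BLOCK]
        if a == b:
            continue
        for i in range(BLOCK):
            if a[i] == b[i]:
                continue
            off, region = base + i, region_of(base + i)
            last = ranges[-1] if ranges else None
            if last and off - last[1] <= merge_gap + 1 and last[2] == region:
                last[1] = off
            else:
                ranges.append([off, off, region])
    return [tuple(r) for r in ranges]

def demo():
    before = bytearray(b"\xff" * FLASH_SIZE)    # constructed stand-in for a real dump
    after = bytearray(before)
    after[0x17FFFE:0x180002] = bytes(4)         # constructed change across the boundary
    after[0x200010:0x200020] = bytes(16)        # constructed change inside 68SRR.BIN
    return diff_dumps(bytes(before), bytes(after))

if __name__ == "__main__":
    for first, last, region in demo():
        print(f"0x{first:06X}-0x{last:06X}  {last - first + 1:6d} bytes  {region}")
```

With real dumps, read each file with `open(path, "rb").read()` and pass the two byte strings to `diff_dumps`; taking two reads of the same chip state first shows whether the reads themselves are stable.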
 
Often after chip repair or replacement laptop starts with the message:

Manufacturing Program Mode set: 1 of 10.


The message can be rectified by following the advisory from the HP Support site:

RESOLUTION

This issue occurs when a notebook is incorrectly left in Manufacturing Program Mode prior to shipment. Manufacturing Program Mode allows up to 10 attempts at use before the notebook resets itself and resumes its expected behavior.
To resolve this issue, manually reset the notebook by performing the following actions:

  1. Power on the notebook and wait for the Manufacturing Program Mode message to display.
  2. Make sure the AC adapter is connected to the notebook, then power off the notebook.
  3. Disconnect the AC adapter, then reconnect it.
  4. Power on the notebook. The Manufacturing Program Mode screen displays again and the counter increases by 1. For example, if the original message was "Manufacturing Program Mode set: 1 of 10", it then becomes "Manufacturing Program Mode set: 2 of 10" upon restart.
  5. Power off the notebook.
  6. Repeat steps 3~5 to increase the counter toward 10.

When the notebook restarts on the 10th attempt, Manufacturing Program Mode is automatically and permanently disabled and the notebook enters its correct boot sequence.
 
Reading from the chip was reliable but writing was inconsistent. I test wrote 1 byte to a large area of 0xFF's around 0x150000 (way before the 68SRR.BIN start). I only managed to write once to that area and I was not able to work out why I couldn't repeat it. When I wrote to the 3 address ranges referenced above, it worked first time. However I couldn't write to the UUID location which is just before those 3 ranges. There seems to be some mechanism of protection to certain locations. This could be done by circuitry around the BIOS or by extra features of the BIOS chip that HP have implemented. There is a way of protecting certain pages (256 bytes) of memory in the chip by writing to the BP bits in the status register. It did seem to me that to have access to the whole BIOS chip, it needs to be removed from the motherboard, but seeing as I achieved what I set out to do, I didn't need to investigate/research further.

I used HPSET152.EXE to reset my UUID. I found a 2.8MB download called "NbDmiFit-1.19.rar" that contained very recent tools that HP use on this generation of laptops.

To get access to the BIOS chip on the 4330s, you need to remove the motherboard. I didn't take any photos at the time, but the attached photo shows the equipment I used and references the position of the BIOS chip on the 4330s.
 

Attachments: DSC06015.jpg

Please,

Do you provide your BIOS.BIN for download? I need it so much.

Thanks.
 
I'm wondering what programmer we should use for the Winbond 25Q64FVSIG.
 