Unlock Request: HP Elite Mini 8 G1a (Product B02PXAV) - BIOS Password Removal / Clean ME

  • rbdealmeida
    • Mar 2026
    • 9
    • Portugal

    #1

    Unlock Request: HP Elite Mini 8 G1a (Product B02PXAV) - BIOS Password Removal / Clean ME

    Hi everyone,

    My name is Ricky and I'm a repair technician/enthusiast. I've been learning a lot from this community and have successfully done some basic BIOS unlocks in the past, but this particular modern HP model is giving me a really hard time!

    I need some help manually removing the BIOS administrator password from this machine.

    I have already tried using the "HP G9 Unlocker V3.0" on my 32MB dump. I successfully bypassed the U68 Sure Start chip (SPI NAND) by isolating Pin 8, preventing the auto-recovery. The machine boots and bypasses Sure Start, but when I press F10, it still asks for the password. It seems the automated tool failed to locate and patch the password hash for this specific Mini Desktop model.

    Could someone please help me manually clear the password and clean the ME region on my original dump?

    Here are the exact details of the machine:
    Model: Desktop HP EliteDesk 8 Mini G1a IDS
    Serial Number (SN): 1HF5420L66
    Product Number (PN): B02PXAV
    Main BIOS Chip (U19): Macronix MX25U25672GZ4I40 (32MB / 256Mbit, 1.8V NOR)
    Sure Start Chip (U68): Macronix MX35UF1GE4AD (128MB, 1.8V NAND) - Currently bypassed (shunt between pin 2 and 4).

    I have attached my ORIGINAL locked 32MB U19 dump read with NeoProgrammer.

    Thank you very much in advance for your time and help!

  • shiyab
    Badcaps Legend
    • Sep 2023
    • 3094
    • india

    #2
    Originally posted by rbdealmeida
    Hi everyone,

    My name is Ricky and I'm a repair technician/enthusiast. I've been learning a lot from this community and have successfully done some basic BIOS unlocks in the past, but this particular modern HP model is giving me a really hard time!

    I need some help manually removing the BIOS administrator password from this machine.
    POST og backup bios both need


    • rbdealmeida
      • Mar 2026
      • 9
      • Portugal

      #3
      Hi shiyab, thanks for replying!

      By "both", do you mean the U19 dump and the U68 dump? Or do you mean the Original U19 dump and the G9 Unlocker modified dump?

      ​If you mean the U68 chip, unfortunately, I cannot read it right now because it is an SPI NAND (MX35UF1GE4AD) and my basic CH341A programmer (with NeoProgrammer) doesn't seem to support it. That is why I am currently bypassing the U68 using the hardware shunt method.

      However, if the U68 dump is absolutely necessary to clear the password, do you know of any alternative software or trick that allows the CH341A to read this specific NAND chip?

      The ZIP file attached to my first post contains the ORIGINAL U19 (32MB) dump.

      Do you think you can clear the password using only this U19 file (since U68 is currently bypassed)? Let me know how I should proceed!

      Thanks a lot.


      • shiyab
        Badcaps Legend
        • Sep 2023
        • 3094
        • india

        #4
        need 16mb og backup


        • rbdealmeida
          • Mar 2026
          • 9
          • Portugal

          #5
          Hi shiyab,

          Thank you for your patience while I performed the hardware analysis and data extraction.

          I have completed the dumping process for both the U19 (32MB Macronix) and the U68 (128MB Macronix NAND). To ensure 100% data integrity, I performed three separate read passes for each chip. I am pleased to confirm that all three hashes (MD5) match perfectly for both chips, so the attached dumps are verified and reliable.

          Regarding your request for a 16MB chip: I have meticulously inspected both the front and back of the motherboard and there is no 16MB SPI chip on this board. The only relevant firmware chips present are the U19 and U68.

          As this is a very recent model (HP EliteDesk Mini G1a, 2025 architecture), it seems HP has updated the layout, moving away from the older 32MB+16MB configuration. I am attaching high-resolution photos of both sides of the motherboard to confirm this for your reference.

          Attached files:
          U19_32MB_Original_Verified.zip (Main BIOS)
          U68_128MB_NAND_Original_Verified.zip (Sure Start / Security)
          Motherboard_Photos_Front_Back.zip
          Original Specifications.zip

          With these full sets of verified data, could you please check if you can patch the firmware to clear the administrator password?

          Thank you very much for your time and expertise.
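The three-pass read check described in post #5, as an added example that is not part of the original thread: matching hashes only show that the reads are repeatable, so this sketch also checks the image size, rejects blank images (a poor clip contact can return all 0xFF on every pass), and locates the blocks where passes disagree. The function name `verify_passes`, the 4 KiB comparison block and the command-line usage are assumptions made for illustration; SHA-256 is used here in place of the MD5 mentioned in the post.

```python
"""Cross-check repeated reads of one SPI flash chip (added example)."""
import hashlib
import sys
from collections import Counter

U19_SIZE = 32 * 1024 * 1024  # 33,554,432 bytes, the U19 dump size quoted in the thread
BLOCK = 4096                 # comparison granularity; an assumption, not a chip parameter


def verify_passes(passes, expected_size=U19_SIZE, block=BLOCK):
    """Compare read passes (a list of bytes objects) of the same chip.

    Returns a dict with:
      ok         - True only if every pass is plausible and all passes agree
      sha256     - one digest per pass
      problems   - size / blank-image findings that make comparison pointless
      bad_blocks - (offset, [indexes of passes that deviate from the majority])
    """
    report = {"ok": False, "sha256": [], "problems": [], "bad_blocks": []}
    if len(passes) < 2:
        report["problems"].append("need at least two passes to compare")
    for i, data in enumerate(passes):
        report["sha256"].append(hashlib.sha256(data).hexdigest())
        if len(data) != expected_size:
            report["problems"].append(
                f"pass {i}: {len(data)} bytes, expected {expected_size}")
        elif data.count(0xFF) == len(data) or data.count(0x00) == len(data):
            # Identical hashes of an empty read still "match"; flag it explicitly.
            report["problems"].append(f"pass {i}: blank image (all 0xFF or all 0x00)")
    if report["problems"]:
        return report

    if len(set(report["sha256"])) > 1:
        # Hashes differ: walk the images block by block to find where.
        for off in range(0, expected_size, block):
            chunks = [p[off:off + block] for p in passes]
            if len(set(chunks)) == 1:
                continue
            value, votes = Counter(chunks).most_common(1)[0]
            if votes * 2 > len(chunks):
                outliers = [i for i, c in enumerate(chunks) if c != value]
            else:
                outliers = list(range(len(chunks)))  # no majority: trust none
            report["bad_blocks"].append((off, outliers))

    report["ok"] = not report["bad_blocks"]
    return report


if __name__ == "__main__":
    # Usage (hypothetical file names): python verify_passes.py read1.bin read2.bin read3.bin
    images = []
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            images.append(fh.read())
    result = verify_passes(images)
    for i, digest in enumerate(result["sha256"]):
        print(f"pass {i}: sha256 {digest}")
    for line in result["problems"]:
        print("PROBLEM:", line)
    for off, outliers in result["bad_blocks"]:
        print(f"MISMATCH at 0x{off:08X}, deviating passes: {outliers}")
    print("verified" if result["ok"] else "NOT verified")
    sys.exit(0 if result["ok"] else 1)
```

A block where no majority exists lists every pass as deviating, which means the chip should be re-read rather than any one pass being trusted.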

          • shiyab
            Badcaps Legend
            • Sep 2023
            • 3094
            • india

            #6
            Originally posted by rbdealmeida
            Hi shiyab,

            Thank you for your patience while I performed the hardware analysis and data extraction.

            I have completed the dumping process for both the U19 (32MB Macronix) and the U68 (128MB Macronix NAND). To ensure 100% data integrity, I performed three separate read passes for each chip. I am pleased to confirm that all three hashes (MD5) match perfectly for both chips, so the attached dumps are verified and reliable.

            Regarding your request for a 16MB chip: I have meticulously inspected both the front and back of the motherboard and there is no 16MB SPI chip on this board. The only relevant firmware chips present are the U19 and U68.

            As this is a very recent model (HP EliteDesk Mini G1a, 2025 architecture), it seems HP has updated the layout, moving away from the older 32MB+16MB configuration. I am attaching high-resolution photos of both sides of the motherboard to confirm this for your reference.

            Attached files:
            U19_32MB_Original_Verified.zip (Main BIOS)
            U68_128MB_NAND_Original_Verified.zip (Sure Start / Security)
            Motherboard_Photos_Front_Back.zip
            Original Specifications.zip

            With these full sets of verified data, could you please check if you can patch the firmware to clear the administrator password?

            Thank you very much for your time and expertise.
            try 32 mb

            • rbdealmeida
              • Mar 2026
              • 9
              • Portugal

              #7
              Hi shiyab,

              Thank you so much for the modified file! I really appreciate the time and effort you put into patching this for me.

              I will flash this file to the U19 chip and test the machine today.

              Just one quick question before I proceed: since this is an "unss" patched file, can I just boot the PC normally to the BIOS after flashing the U19? Or do I still need to perform the physical shunt/short on pins 2 and 4 of the U68 NAND chip during the first boot to bypass the Sure Start check?

              I will let you know the results as soon as I test it.

              Thanks again!


              • rbdealmeida
                • Mar 2026
                • 9
                • Portugal

                #8
                Hi shiyab,

                Thank you for your help and for providing the file. I have just finished testing it, but unfortunately, the password remains active.

                I performed the tests in two ways:
                With the U68 shunt (bypass): The password was still there.
                Without the shunt: The result was exactly the same.

                In both scenarios, the machine triggers the following warning during boot: "BIOS Identity Data Recovered: The BIOS has recovered its identity data from the Embedded Controller due to data mismatch."

                It seems the EC is detecting the modification in the U19 dump and performing an automatic recovery of the identity data, effectively overriding the patch.

                Do you have any suggestions on how to bypass this specific EC recovery on the G9 models, or perhaps a different approach to the patch?

                Thanks again for your time!


                • rbdealmeida
                  • Mar 2026
                  • 9
                  • Portugal

                  #9
                  Hi everyone,

                  Just a quick follow-up to reinforce this request. All technical details, serial numbers, and the original dumps are already provided in the previous posts of this thread.

                  shiyab
                  Vesko356
                  peste
                  hoaca388
                  SMDFlea
                  rethink

                  If any of you could spare a moment to help me with this HP G9 BIOS, I would be extremely grateful.

                  Thank you for your time and assistance!


                  • marian4474
                    New Member
                    • Dec 2014
                    • 2
                    • romania

                    #10
                    Try this one, before flashing make sure the CMOS battery has power and do not remove it, power up the computer and let it POST. After that flash the file on the U19 chip, the computer should only reboot once not more. If it doesn't boot in manufacturing mode you might have to reprogram the Embedded Controller.

                    • rbdealmeida
                      • Mar 2026
                      • 9
                      • Portugal

                      #11
                      Hi marian4474 (and everyone else following),

                      Thank you for the file and the instructions. I followed your steps exactly (kept the CMOS battery connected, let the original BIOS POST, and then flashed your modified file to the U19 chip).

                      As you predicted, the machine only rebooted once. However, the password is still there.

                      This time, the previous "EC Identity Data" error is gone. Instead, the machine throws a new, specific HP Sure Start error screen. Here is the exact message:

                      "HP Sure Start Recovery: HP Sure Start detected an unauthorized change to the Secure Boot Keys. The keys were restored automatically and there is no further action required. The repeated occurrence of this problem indicates a security problem that should not be ignored."

                      (Note: I got this behavior despite doing multiple attempts, including with the hardware bypass/shunt applied to pins 2 and 4 on the U68 NAND).

                      Here is the complete system info for context, in case it helps with rebuilding the AMD PSP/BIOS structure:
                      Product Name: HP EliteDesk 8 Mini G1a Desktop PC
                      Processor: AMD Ryzen 3 210 w/ Radeon 740M Graphics
                      Memory Size: 16384 MB
                      System BIOS: X27 Ver. 02.02.02 (Date: 07/17/2025)
                      Born on Date: 11/03/2025
                      Serial Number: 1HF5420L66
                      SKU Number: B02PXAV
                      UUID: 5875E396-E8DF-44D3-8C46-0E3E0467114E
                      Feature Byte: 3E476J6S6b7B7H7M7Q7T7W7maBapaqaubhcAfPguhKhZjhk8mEn7nWngpDpnpqprrNsZ.3R
                      System Board ID: 8DAB
                      System Board CT Number: PUSKE0C87LK083

                      Since this is an AMD G1a architecture and the Sure Start auto-recovery triggers even with the U68 NAND bypassed physically, does anyone know if the security backup is being pushed directly by the Embedded Controller? How should we approach the AMD structure for this unlock?

                      Thank you again for all your time and help!



                      • marian4474
                        marian4474 commented
                        The U68 chip is a security feature, even if it is blank (all FF) the EC will write its firmware back. The EC handles security / platform recovery / BIOS code execution so that is what we need to modify, unfortunately I have no experience regarding ECs at all. All I can say is the newest HP desktops or laptops have the most strict security features making them useless if passwords are set.
                    • rbdealmeida
                      • Mar 2026
                      • 9
                      • Portugal

                      #12
                      Hi everyone,

                      I want to provide a technical summary of everything I’ve tried so far on this HP Elite Mini 8 G1a (AMD Ryzen 3 210) to see if any expert can point me in the right direction. It seems the standard patching methods are being defeated by the new EC/PSP security synchronization.

                      Current Status & Failed Attempts
                      1. Automated Patching: Tried HP G9 Unlocker V3.0 on the 32MB U19 dump.
                      • Result: Password still active. The tool likely doesn't support this 2025/26 offset yet.

                      2. Manual Patch (attempt 1): Flashed a modified U19.
                      • Result: Triggered EC Recovery: "BIOS Identity Data Recovered". The EC detected the hash mismatch and restored the original locked data.

                      3. Manual Patch (attempt 2 - marian4474's method): Flashed while keeping CMOS battery power.
                      • Result: Triggered Sure Start Error: "Unauthorized change to Secure Boot Keys". The AMD PSP rejected the signature of the modified BIOS.

                      4. Hardware Bypass (U68 Shunt/Erase): Attempted to short pins 2-4 on the U68 NAND and even tried a full erase of the chip.
                      • Result: Ineffective. The EC automatically re-writes the U68 firmware or forces a recovery from its internal ROM.

                      The Challenge
                      On this G1a (AMD) architecture, the Root of Trust is extremely aggressive. Even with the U68 completely erased, the EC/PSP validates the U19 integrity before allowing access to F10.

                      What I’m looking for:
                      • Does anyone have experience putting these G1a boards into Manufacturing Mode (Commit State 0) via hex editing the VSS/NVAR stores?
                      • Is there a known way to disable the EC's "Auto-Healing" feature on these newer models?
                      • Would a clean/virgin BIOS dump (with clear ME/PSP) combined with an EC reprogram be the only way?

                      If anyone can help me "break" this EC-to-BIOS link, I’d be very grateful! Sparo


                      • rex98
                        Badcaps Legend
                        • Feb 2023
                        • 1348
                        • Mandaue CEBU, Philippines
                        • Computer hardware repair

                        #13
                        i also tried all these methods it didn't work.
                        • HP MPM Tool v20 — Donor L1 Swap + Safe Patch

                          Proven method: 630 G11 donor L1 swap + signature-based VSS2.
                          Donor has H_MpmTest (no nonce enforcement) + FF-wiped SMM handlers.

                          Pipeline:
                          1. L1 SWAP → Replace 0x1B4D000-0x1D60000 with 630 G11 donor
                          → Eliminates: nonces, SMM handlers, VerifyGate
                          2. VSS2 → Signature-based: HP_MUD, BuildId, FactoryConfig,
                          → TheftRecoveryFlags, HpMpm, UserCred (35 bytes)
                          3. DXE → TpmOptions -8, VariableAuth -8, Tcg2 flip, POSTCODE01
                          4. VERIFY → VerifyGate JNE→JMP (if pattern found post-swap)

                          ✓ Donor L1 embedded (630 G11, GZip compressed, ~765 KB)
                          ✓ No nonce patching needed (donor has none)

                          Loaded: elitebook 8 g1 fresh bios reg.BIN (33,554,432 bytes)

                          ═══ v20 DONOR L1 SWAP + SAFE PATCH ═══

                          [1] L1 DONOR SWAP (630 G11)

                          Loading embedded 630 G11 donor L1...
                          Loaded donor from embedded resource
                          __KEYM__ signing key: MATCH ✓
                          L1 region: 1,263,938 / 2,174,976 bytes will change (58.1%)
                          L1 donor swap complete: 1,263,938 bytes replaced ✓
                          Nonces after swap: 0 (ELIMINATED) ✓
                          H_MpmTest: found @ 0x01B7BDC0 ✓
                          SMM handlers: FF-wiped ✓ | GetMfgStatus: FF-wiped ✓ | LockCmd: FF-wiped ✓

                          [2] VSS2 SIGNATURE PATCH (absolute.exe method)

                          Mode: Signature-based pattern scan (like IDA/absolute.exe)

                          TheftRecoveryFlags @ 0x019DA3AC: state 0x3F→0x3C (invalidated) ✓
                          HP_MUD @ 0x019E241C: state 0x3F→0x3C (invalidated) ✓
                          BuildId @ 0x019E39FC: state 0x3F→0x3C (invalidated) ✓
                          FactoryConfig @ 0x019E3664: state 0x3F→0x3C (invalidated) ✓
                          HpMpm @ 0x019E47F0: data patched (proven values) ✓
                          data[1]: 0x00→0x23 data[2]: 0x00→0x01 data[4]: 0x00→0x02
                          UserCred @ 0x019E50B8: surgical patch (4 blocks, 21 bytes) ✓
                          Block 1: data[0x08] credential count → FF FF FF FF
                          Block 2: data[0x10] AdminPW name → zeroed (14 bytes)
                          Block 3: data[0x3C,0x728] flags → 0x00
                          Block 4: data[0x730,0x738] hash blocks → FF FF FF FF
                          VSS2 total: 6 patches

                          [3] DXE LZMA PATCHES

                          LZMA FV @ 0x00F00000 (11,038,720 bytes)
                          Decompressed: 45,699,088 bytes
                          TpmOptions: 9 struct, 3 alloc patches
                          VariableAuthSmm: 2 patches
                          Tcg2Smm: JZ→JNZ @ +0xA2B
                          Tcg2Smm: 1 total patches
                          POSTCODE01: state 0xF8→0x00 (REMOVED) ✓
                          Recompressing LZMA (~20-40 sec)...
                          DXE recompressed: 8,550,341 bytes ✓

                          [4] VERIFY GATE (post-swap)

                          VerifyGate: donor has different code (0x%02X), no action needed

                          ═══ v20 COMPLETE ═══

                          1. L1: Donor swap complete (630 G11, no nonces, FF-wiped handlers)
                          2. VSS2: HP_MUD + BuildId + FactoryConfig + TheftRecovery + HpMpm + UserCred
                          3. DXE: TpmOptions + VariableAuth + Tcg2 + POSTCODE01 patched
                          4. Gate: VerifyGate checked/applied

                          v19 ( this is my revision of patch)
                          1 SMM Security Handler 0x1D028EF push ebp; mov ebp,esp; sub esp,10h xor eax,eax; ret (31 C0 C3)
                          2 GetMfgStatus 0x1D03631 push ebp; mov ebp,esp; sub esp,10h mov eax,0x11; ret (B8 11 00 00 00 C3)
                          3 LockCommand 0x1D0443A push ebp; mov ebp,esp; sub esp,0Ch xor eax,eax; ret (31 C0 C3)
                          4 VerifyGate 0x1D30A93 jne +0x47 (75 47) jmp +0x47 (EB 47)
                          v19 DXE Driver Patches (LZMA compressed)
                          TpmOptions Bypass TPM check Skip TPM policy enforcement
                          VariableAuthSmm Bypass auth check Allow variable writes
                          Tcg2Smm Bypass TCG2 Skip measurement log
                          POSTCODE01 Status override Force success POST code
                          v19. L1/EpSC Region Swap
                          Region 0x1B4D000 - 0x1D60000
                          Size 2,124 KB
                          Bytes changed 1,263,938 (58.1%)
                          Source EliteBook 630 G11 (bak patched.bin)

                          v19. What the Donor Provides
                          __KEYM__ key 0x1B4D400 0x1B4D400 ✅ same
                          __KEYM__ offset Identical Identical ✅
                          Signing key Match Match ✅
                          SMM Security Handler Active enforcement 0xFF erased
                          GetMfgStatus Active check 0xFF erased
                          LockCommand Active lock 0xFF erased
                          VerifyGate Active verification 0xFF erased
                          H_MpmNoncIntnl 4 instances (nonce timer) Absent
                          H_MpmTest Absent Present (test mode)
                          Nonce enforcement Active None

                          Side-by-Side Security Handler Comparison elitebook 8 g1 vs 630 g11 patched
                          v19 Surgical 630 G11 Donor Swap
                          ──────────── ──────────────────
                          SMM Handler: 31 C0 C3 FF FF FF FF FF ...
                          (xor eax,eax; ret) (erased, no code)
                          → returns 0 → CPU fault, no exec
                          GetMfgStatus: B8 11 00 00 00 C3 FF FF FF FF FF ...
                          (mov eax,0x11; ret) (erased, no code)
                          → returns "locked" → CPU fault, no exec
                          LockCommand: 31 C0 C3 FF FF FF FF FF ...
                          (xor eax,eax; ret) (erased, no code)
                          → returns success → CPU fault, no exec
                          VerifyGate: EB 47 (jmp, skip check) FF FF FF ... (erased)
                          ARM Nonces: PRESERVED (in signed zone) ELIMINATED (H_MpmTest)


                          this is what i did now i copied their entire L1 no nonce. its identical analyzed from ida pro. i hope someone would help. and i hope hp would not see this
                          i think there's something that verifies in ec because all g9 g10 doesn't have nonce check and all my post about g9 and g10 requires old version of the ec.

                        • volinakis
                          Badcaps Legend
                          • Jan 2021
                          • 3231
                          • N/A

                          #14
                          rbdealmeida
                          try this one. Remove RTC battery and power adapter, press power button for 10s, write&solder bios chipset (U19) and start unit without RTC battery.