HP EliteBook 840 G8 NFC activation

    Hey guys,

    Recently I've been working on a laptop I've bought for myself, repaired the water-damaged board, and wanted to add a few nice things. The fingerprint sensor worked just fine after installation, however the NFC chip is a stubborn one.

    (I also happen to have an old 850 G3, where the NFC activation happened in the ME branding stage with nbdmifit tools) but the tools do not even recognize the status of "NFC", as it's probably outdated for this platform.

    I have some previous experience with modding allowlists on lenovos' bioses, so I thought to try doing it by myself.

    What I discovered so far:
    Pulled the bios from my board (just got a new xgecu programmer, that is fast),
    Loaded that into UEFITool, searched for text "NFC".
    That got me a few results, from HPSetup (which would be the main bios program, I guess), two other images (one for electronic label rendering, and some other I didn't really go into), and one configuration image in VSS2 store named "NfcConfigBuiltinOptions" (which is 1 byte setting that keeps the 'enabled' value when device is visible in the bios).

    I used Ghidra and loaded both PE32 programs I've found in the bios image. I am not that good in RE but have deduced these programs reference "NfcConfigBuiltinOptions", "NfcOptionImplemented", and "FactoryConfigFlags". I hadn't known yet what to do with them, but decided to take another approach.

    I used IFRExtractor to retrieve all the entries and their conditions from the extracted HPSetup image.

    From what I deduced from the conditions in the text output, the NFC option is visible in "Built-in devices configuration" only when the NfcOptionImplemented container exists with content set to '0x01'.
    So I proceeded to create the additional entry based on what I have found in the bios image.

    After programming and starting the laptop I was happy: I saw the option in BIOS to enable the NFC. The happiness was cut short though, as it booted into the os. The device was still not visible in the device manager, just as it had been before.

    My next guess would be "FactoryConfigFlags" have something to do with this, and when properly set - will enable communication with the chip - but I am afraid of not being qualified enough to properly reverse these programs.

    Do you have any ideas how to solve this further? Maybe some good soul would offer me their bios if they have it working? (so I could compare)
    Last edited by markownik; 11-16-2023, 12:57 PM.

    #2
    Re: HP EliteBook 840 G8 NFC activation

    Small update on progress: I wanted to see a clearer picture, so I looked for any kind of efi extension for ghidra, and I have found it. It's called efiSeek. After re-analyzing the two efi programs I have found, one of them is indeed electronic label renderer, but the other one happens to set the NfcOptionImplemented container and locate/load some protocol, based on what it finds in FactoryConfigFlags container. The algorithm is a bit obfuscated, and uses RAM addresses to load a few values, so I guess the only option left for now (without a copy of a bios from a machine with working NFC) is to try to modify bytecode (assembly) to proceed without these conditions. (unless there is a way to actually live-debug efi programs) I will report later if I have succeeded or not.

    Below is the decompiled code of the function mentioned, and in the attachments you can find the extracted efi program (I guess to maybe try and analyze it yourself, if you wish)

    Code:
    void UndefinedFunction_8000137c(EFI_EVENT param_1)
    
    {
     void *Buffer;
     uint uVar1;
     longlong lVar2;
     EFI_STATUS EVar3;
     uint uVar4;
     void **ppvVar5;
     char acStackX_18 [8];
     undefined *puStackX_20;
     void *pvStack_28;
     void *pvStack_20;
     
     pvStack_20 = (void *)0x0;
     pvStack_28 = (void *)0x0;
     acStackX_18[0] = '\0';
     FUN_80001658(param_1,0xf0f08511);
     ppvVar5 = &pvStack_20;
     lVar2 = FUN_80001538(u_FactoryConfigFlags_80003500,&DAT_80003020,(longlong *)ppvVar5);
     uVar4 = (uint)ppvVar5;
     if (-1 < lVar2) {
      acStackX_18[0] = '\0';
      uVar1 = FUN_80001cec(0,0x15);
      FUN_800019a0(uVar1,0,uVar4);
      uVar1 = FUN_80001cec(0xe,0x11);
      FUN_80001a00(uVar1,(uint *)&puStackX_20);
      uVar1 = FUN_80001cec(0,0x15);
      FUN_800019a0(uVar1,1,uVar4);
      Buffer = pvStack_20;
      if (((char)puStackX_20 == '\0') && (*(char *)((longlong)pvStack_20 + 0xd) == '\0')) {
       acStackX_18[0] = '\x01';
      }
      if (acStackX_18[0] == '\0') {
       FUN_800012a4();
      }
      (*gRS_39->SetVariable)
           ((CHAR16 *)u_NfcOptionImplemented_80003528,(EFI_GUID *)&DAT_80003010,2,1,acStackX_18);
      puStackX_20 = (undefined *)0x0;
      lVar2 = FUN_80001538(u_NfcConfigBuiltinOptions_80003558,&DAT_80003010,(longlong *)&puStackX_20);
      if ((lVar2 == 0) && (puStackX_20 != (undefined *)0x0)) {
       (*gBS_42->FreePool)(puStackX_20);
      }
      EVar3 = (*gBS_42->LocateProtocol)((EFI_GUID *)&DAT_80003060,(void *)0x0,&pvStack_28);
      if (-1 < (longlong)EVar3) {
       *(undefined *)((longlong)pvStack_28 + 1) = 0;
       lVar2 = FUN_80001538(u_NfcConfigBuiltinOptions_80003558,&DAT_80003010,(longlong *)&puStackX_20
                 );
       if ((-1 < lVar2) && (acStackX_18[0] == '\x01')) {
        *(undefined *)((longlong)pvStack_28 + 1) = *puStackX_20;
        (*gBS_42->FreePool)(puStackX_20);
       }
      }
      if (Buffer != (void *)0x0) {
       (*gBS_42->FreePool)(Buffer);
      }
      (*gBS_42->CloseEvent)(param_1);
      FUN_80001658(param_1,0xf0f09511);
     }
     return;
    }

      #3
      Hey, last update.

      I figured it out. Sorry it took this long, but I had to purchase another laptop preconfigured with NFC, and shipping it across the ocean with special help of customs office in my country extended it to only two months.
      As I debated before, FactoryConfigFlags had one byte set differently. The first byte should be '0x00' instead of '0x01' (see attached screenshot). Afterwards the NFC module is detected correctly and works as intended (in UEFI and Device Manager).

      Hope that helps anyone who stomps into this problem in the future.


      • SMDFlea commented:
        An interesting thread, your determination paid off in the end. Well done
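
The comparison described in post #3 (finding which stored variable differs between two firmware dumps), as an added example that is not part of the original thread. It assumes the variable region uses the EDK2 authenticated variable header layout and starts at the first entry; `make_var` and both sample dumps are constructed, and a vendor store may be laid out differently.

```python
import struct
from itertools import zip_longest

# Assumed entry layout: EDK2 AUTHENTICATED_VARIABLE_HEADER (a vendor store may differ).
# StartId, State, Reserved, Attributes, MonotonicCount, TimeStamp, PubKeyIndex,
# NameSize, DataSize, VendorGuid; the UTF-16LE name and the data follow the header.
HDR = struct.Struct("<HBBIQ16sIII16s")
START_ID, VAR_ADDED = 0x55AA, 0x3F  # entry marker; state of a live variable

def parse_vars(region: bytes) -> dict:
    """Walk the entries of a variable region; return {(guid, name): data} for live ones."""
    found, off = {}, 0
    while off + HDR.size <= len(region):
        start, state, _, _, _, _, _, nsz, dsz, guid = HDR.unpack_from(region, off)
        if start != START_ID:
            break  # erased flash (0xFF) marks the end of the used area
        body = off + HDR.size
        if nsz % 2 or body + nsz + dsz > len(region):
            raise ValueError(f"corrupt entry at 0x{off:x}")
        name = region[body:body + nsz].decode("utf-16-le").rstrip("\0")
        if state == VAR_ADDED:  # skip deleted or half-written entries
            found[(guid, name)] = region[body + nsz:body + nsz + dsz]
        off = (body + nsz + dsz + 3) & ~3  # next header is 4-byte aligned
    return found

def diff_vars(a: dict, b: dict) -> dict:
    """Map each differing variable to [(offset, byte_a, byte_b)]; a missing byte is None."""
    report = {}
    for key in sorted(a.keys() | b.keys()):
        da, db = a.get(key, b""), b.get(key, b"")
        if da != db:
            report[key] = [(i, x, y) for i, (x, y) in enumerate(zip_longest(da, db)) if x != y]
    return report

def make_var(name, data, state=VAR_ADDED, guid=bytes(16)):
    """Build one constructed entry (sample data only), padded to 4 bytes."""
    n = (name + "\0").encode("utf-16-le")
    raw = HDR.pack(START_ID, state, 0, 7, 0, bytes(16), 0, len(n), len(data), guid) + n + data
    return raw + b"\xff" * (-len(raw) % 4)

# Constructed dumps: GUIDs, sizes and every byte except FactoryConfigFlags[0] are invented.
OLD = make_var("NfcConfigBuiltinOptions", b"\x00", state=0x3D)  # deleted earlier copy
TAIL = make_var("NfcConfigBuiltinOptions", b"\x01") + b"\xff" * 32
DUMP_A = OLD + make_var("FactoryConfigFlags", b"\x01" + bytes(15)) + TAIL
DUMP_B = make_var("FactoryConfigFlags", bytes(16)) + TAIL

if __name__ == "__main__":
    for (_, name), delta in diff_vars(parse_vars(DUMP_A), parse_vars(DUMP_B)).items():
        print(name, delta)
```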

      #4
      Hi there,

      I'm trying to enable NFC on my HP EB 840 G7, I think this task is equal) but I want to understand if it's possible not to use programmer to get BIOS image.

      I have a firmware backup created using HP BIOS Recovery Program and I'll be glad if you can give me some advice on that)

      Thank you for your thread BTW, it's useful!


        #5
        To be fair I think it would be possible to write an EFI program to make the modification from booted external pendrive, but currently I'm overloaded with my real job, but I'm still planning to do it one day!
        As with every bios mod I've ever done I would strongly recommend to

        1) Gain experience with soldering, especially hotair for this case
        2) Be confident when soldering on working device
        3) Get eeprom/flash programmer (I'm using some Chinese device, xgecu) but you can always find a cheaper one compatible with the chip you're working on
        4) Make a working backup of current bios state, ensure it works and save it in safe place for eventual reuse
        5) Don't rely on system/software made backup, the one directly read from chip is the best

        As to soldering topic, Louis Rossmann gave me courage through countless hours of watching how he does it (the bigger the gob, the better the job, hehe).
        What to solder? You should be looking at this chip surrounded by white soldermask.
        [Attached image: Screenshot 2024-04-23 221950.png]
        Good luck!

        P.S. REMEMBER: ALWAYS DISCONNECT ALL BATTERIES BEFORE TOUCHING ANYTHING WITH SOLDERING IRON!