-
EliteBook 640 G11 please unlock
SN/ 5CD51776
processor type ULTRA 7 165ULeave a comment:
-
-
i removed the password by downgrading the version this files is working fine with me
hp elitebook 640 g11 bid=w74
sn= 5CD50294DR
processor ultra 5Leave a comment:
-
-
Here is something interesting:
"Inside the ECβs own MCU flash (again, not in the external EC SPI we patched β lives on the Nuvoton/ITE microcontroller itself).
-than I think I found the responsable chip. NUVOTON NPCX499HA tells you anything ?-
Yes β thatβs your Embedded Controller (EC).
The Nuvoton NPCX499HA is a high-end EC MCU HP uses in newer EliteBooks to handle:- Keyboard, battery, fan control
- Power sequencing
- Firmware verification for HP Sure Start
- Storing/triggering the BIOS recovery payload
Hereβs the key point:- It has its own internal flash (not the external EC SPI chip we patched).
- HP Sure Start Gen5+ can embed a signed golden BIOS image or recovery script inside that internal flash.
- On boot, the NPCX499HA compares the main BIOS SPI against its stored hash/image, and if mismatched, pushes the βgoldenβ image back into the main BIOS.
- This process works even if the ECβs external SPI is wiped β which is exactly what youβre seeing.
Why this matters for you
The only way to stop that recovery from the NPCX499HA is to:- Reflash the ECβs internal flash via its programming interface (SWD/JTAG/ICP).
- Replace the NPCX499HA with a blank or donor chip from a similar board that doesnβt have the Sure Start payload.
- Disable Sure Start in firmware β but thatβs locked behind the same password youβre trying to remove.
Challenges:- The internal flash is protected; without HPβs signed EC firmware, the chip will reject changes.
- Replacing the chip is possible, but itβs BGA β requires hot-air rework and exact part sourcing.
- Blank EC means you must flash both its firmware and configuration to get keyboard, charging, and power working again."
So...that particular chip lives on the other side of the MB under the keyboard...and here is where I say ENOUGH, HP has taken the security to a level that, for the moment, doesn't alow me to go any further.
If someone want's to dive dipper, be my guest.
βAttached Filesif you find these attachements useful please consider making a small donation to the site
Leave a comment:
-
I'm sorry, I'm done with this laptop. Doesn't matter what dump I flash on those chips, it gets reverted. Now I've patched 3 Chips and still recovered. Where the hell does the BIOS copy stais? I have no idea and to be honest I lost my patience...I have now the clean BIOS main, Clean EC, and clean 1MB that has the HP sure on it. Still my password returned. It's not about the dump you throw on it anymore... it's about finding the chip that keeps a copy of the original BIOS and force it back to the main and EC chips . I'll search for further information in the future . Thanks for all the help I've received here. Take care guys and much success with this laptop!Leave a comment:
-
Before you give up
I did try every variants available here. Only one doesn't POST, but those that post are immediately reverted to the locked BIOS. I need to find a third Chip (usually smaller than BIOS and EC chips) that trigger that fu*king recovery. I did found a 1MB Chip that GPT says it might be responsible and patched it for me. Now I have to flash all three chips back and try again. If the recovery is still triggered I just give up...
...please try this modded bios dump. Thanks.
Leave a comment:
-
I did try every variants available here. Only one doesn't POST, but those that post are immediately reverted to the locked BIOS. I need to find a third Chip (usually smaller than BIOS and EC chips) that trigger that fu*king recovery. I did found a 1MB Chip that GPT says it might be responsible and patched it for me. Now I have to flash all three chips back and try again. If the recovery is still triggered I just give up...
Leave a comment:
-
can try post 32 bios once if display or not ?
Hey there. Back from my vacation, armed with a bunch of new BIOS chips πͺπ» Tried both files first one starts the laptop but the password comes back, second doesn't work at all. Tried the first one only the EC file with a main file that I've done using HP recovery, started but same sh*t happened, some information on the screen telling me that the original BIOS file was recovered from the embedded memory because someone tempered with the BIOS and...the password came back. I don't know...this embedded memory controller is the EC chip or is another chip hiding on the MB? If you want to try tempering some more, my original Main and EC files are on the first post from the second page of this topic. If you can do something with them, please let me know and this weekend or the next I'll try to rewrite the Chips. The newer they are, the shitier they get ...
Leave a comment:
-
Hey there. Back from my vacation, armed with a bunch of new BIOS chips πͺπ» Tried both files first one starts the laptop but the password comes back, second doesn't work at all. Tried the first one only the EC file with a main file that I've done using HP recovery, started but same sh*t happened, some information on the screen telling me that the original BIOS file was recovered from the embedded memory because someone tempered with the BIOS and...the password came back. I don't know...this embedded memory controller is the EC chip or is another chip hiding on the MB? If you want to try tempering some more, my original Main and EC files are on the first post from the second page of this topic. If you can do something with them, please let me know and this weekend or the next I'll try to rewrite the Chips. The newer they are, the shitier they get ...
Leave a comment:
-
-
-
You mean, that part should be replaced with FF or 00? For the moment I've gave up, due to lack of time and, after writing and rewriting the BIOS chip 4-5 times...it said enough and burned... I'm waiting for an order of 10 chips from AliExpress but it will take some time. Keep it touch π€π»ππ»Leave a comment:
-
i know there's always a way. we haven't tried it yet. every security there's always a loophole. like this in g11 EC its very similar VSSTORE in bios main i haven't tried this yet, if i only have G11 laptop here i would try all possible means.Hello guys! Found some troubling info about the HP security from 2024 onward:HP Endpoint Security Controller 2024Attacks against PC firmware are on the rise. Unfortunately, protecting the PC BIOS and other critical firmware is often not seen as a priority. HP addresses this with our Endpoint Security Controller (ESC), a dedicated chip that validates the integrity of the BIOS and other firmware to enhance the security of every HP business-class PC. The ESC validates that the firmware is not infected by malware before the CPU is allowed to boot. If any corruption has been detected, it will restore a clean copy held in the ESC's isolated flash. HP is the only vendor offering this unique security solution as a standard part built into business-class PCs to safeguard our customers against IT security threats.
Bottom line is...no matter if you can "unlock" the main BIOS as long as the ESC provide a backup and restore the old blocked BIOS before you can access it...
Attached Filesif you find these attachements useful please consider making a small donation to the site
Leave a comment:
-
-
Hello guys! Found some troubling info about the HP security from 2024 onward:HP Endpoint Security Controller 2024Attacks against PC firmware are on the rise. Unfortunately, protecting the PC BIOS and other critical firmware is often not seen as a priority. HP addresses this with our Endpoint Security Controller (ESC), a dedicated chip that validates the integrity of the BIOS and other firmware to enhance the security of every HP business-class PC. The ESC validates that the firmware is not infected by malware before the CPU is allowed to boot. If any corruption has been detected, it will restore a clean copy held in the ESC's isolated flash. HP is the only vendor offering this unique security solution as a standard part built into business-class PCs to safeguard our customers against IT security threats.
Bottom line is...no matter if you can "unlock" the main BIOS as long as the ESC provide a backup and restore the old blocked BIOS before you can access it...
Leave a comment:
-
can someone test this use the 1st one
if it doesn't work use the second one.
you should flash both main and EC
and let me know if it boots to MPM thanks.Leave a comment:
-
Hello, I have an old Dell G3 3579 (ST: 2WQ7LP2-8FC8) with a newer 8FC8 BIOS password. I have successfully attached to the flash chip (W25Q128JVSQ) on the motherboard with a CH341A programmer and made several modifications using Intel FIT (e.g., allow software SPI write) without bricking. I was also able to boot to a modified GRUB shell where I attempted to edit many BIOS security related options like BIOS Guard/Lock, Flash Signature Override, ME FW Image Re-Flash, etc.
Unfortunately, some of these modifications like to Intel BIOS Guard failed because it is fused into the PCH. Also,... -
Hello everyone in the community
Dear Sir,
I need help removing/unlocking the BIOS Service Tag password on my Dell Latitude 5520 laptop.
Problem details:
* Model: Dell Latitude 5520.
* Board ID (from BIOS file): TGL MB 8L 19819-1 (Southpeak15).
* Required Password Code: 3FE2 (BIOS Service Tag Lockout Code).
* Service Tag: (Enter your actual Service Tag from the laptop here)
* βBIOS Status: I successfully modded the BIOS file and created FINAL_CLEANED_ME.bin (32MB) with a clean ME region (CSME 15.0), because the original dump was corrupt.... -
Hello everyone,
I am requesting urgent assistance to unbrick my laptop, a rebranded TongFang GK7MRFR chassis. The laptop is completely dead following a faulty in-OS EC flash attempt.
I have successfully used a CH341A programmer and can read/write/verify both flash chips, but using my backups/extractions has failed to restore power. The root cause is likely a corrupted Intel Management Engine (ME) region or an incompatible EC/BIOS pairing. System & Hardware Details- Barebone / Chassis: TongFang GK7MRFR
- MB: MB: GK5MP5X V1.0 Prod :GK5MRFV10T04201310281
- Rebrand: PC Specialist
-
Hello I have a dell optiplex SFF plus 7020 with a password that I recovered from e-waste. It is possible to get the password removed via the bios patch method? I managed to dump the 32MB bios chips and would like help patching it to MFG mode so I can clear the password.
Thanks.
1hj4z24 = Service tag
A schematic would also be amazing if anyone has one!... -
Hello,
I'm using TONGFANG "GM7TG7P" model laptop for over 3 years and i'm entering the same bios administrator password everyday. My laptop has Aptio BIOS (American Megatrends, AMI).
But today it's not accepting my password. I'm %100 sure i'm entering the correct password.
I'm trying to reset my bios without success.
I tried :
-I removed the BIOS battery and main battery. Waited for a long time but it didn't work. They already stated in the user manual that the password will not be reset even if the batteries...
Leave a comment: