Recovery of my laptop

By Puck Meerburg

Some time ago, my setup menu disappeared from my laptop. I don’t know why, but F2 didn’t work, and it didn’t show up under the F10 app menu. During the Google Code-In 2014 winner trip I tried to fix this, with worse results: the boot menu disappeared!

So now my computer can just boot. (Note: I can use a UEFI feature to actually boot into the setup menu, so hope was not all lost, I just had to be very careful not to enable SecureBoot or legacy mode!) So, I dumped the BIOS flash (which was not complete, 3 MB vs 8 MB, iirc) and looked through the files. After a while, I found a set of FvFile strings in the code, which (after looking on the internet) seemed to be correct (the GUID I found was the same as the one Lenovo uses, since they use the same base!). I then decided to craft my own boot entries from scratch. What’s the worst that could happen?

Answer: Everything broke! I set the boot entries, and rebooted. Black screen. This was the most I could do at the moment, so I gave up. At home, I decided to dump the hard drive, and decompile the BIOS some more. The laptop model I have doesn’t actually have any available recovery modes, and the BIOS isn’t broken, the NVRAM broke! So yeah, I was out of options. I decided to go for the last option, and that is opening the laptop and fixing the NVRAM that way. So, I bought a SOIC clip.

Some time later, when the SOIC clip arrived, I put everything together: a Raspberry Pi with flashrom, with a GPIO thing going to the breadboard, where the SOIC clip is connected. So, with everything set up, I connected the SOIC clip to my flash ROM, and connected both. The Raspberry Pi turned off. I went over all the connections and everything seemed fine. So, I tried it again. Same result. So, I went over the connections on the flash chip (maybe I put the clip on improperly?). And here we go: the write protect pin was grounded to the ground pin, probably to avoid the boot block being overwritten, so everything can be recovered even if you tried to erase the entire flash. So I decided to disconnect the write protect pin from the Raspberry Pi. And here we go, it just reads 0xFF. So I went over the datasheet again, and it turns out I had switched the input and output pins, due to a stupid mistake I made.

At this point I just hoped the chip still worked, and it did! I dumped the ROM twice, and compared the two files. (They were the same, luckily!) I then decided to save the ROM to multiple places, to make sure I don’t lose it. I then searched (using a hex editor) for my broken device path, and found it exactly (luckily!). I then decided to fix the device path, so it had an end (7F FF 04 00). After this, I even replaced Boot0000 with Bont0000, to disable it fully. I then reflashed the ROM, and connected the laptop to the charger. It worked!

After reassembling the laptop, I decided to fix the boot entries fully again, but this time I first tested it in a VM. The resulting boot entries are:

  • Boot0000: 01010000 1800530065007400750070000000 04061400 668b1c726c42864e8e993457c46ab0b9 7FFF0400 (Setup: FvFile(721C8B66-426C-4E86-8E99-3457C46AB0B9))

  • Boot0001: 01010000 180042006f006f00740020004d0065006e0075000000 04061400 40844886bb41c74293ac450fbf7766bf 7FFF0400 (Boot Menu: FvFile(86488440-41BB-42C7-93AC-450FBF7766BF))

Confusingly, if you search for the boot menu GUID, it actually finds some results that mention that the GUID for them is used as the setup item. (So not really globally unique :P) However, I can confirm these variables are correct for my laptop.
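The two entries above follow the UEFI `EFI_LOAD_OPTION` layout (attributes, file path list length, UTF-16 description, device path), and the failure described earlier was a device path without its `7F FF 04 00` end node. The following Python is an added example, not code from the original post: it decodes both entries and rejects a load option whose device path never terminates, which is the check to run before writing a hand-built `Boot####` variable. The function names `parse_load_option` and `strip_end_node` are hypothetical.

```python
import struct
import uuid

# Boot0000 and Boot0001 exactly as listed in the post (spaces removed).
BOOT0000 = bytes.fromhex("010100001800530065007400750070000000"
                         "04061400668b1c726c42864e8e993457c46ab0b97FFF0400")
BOOT0001 = bytes.fromhex("01010000180042006f006f00740020004d0065006e0075000000"
                         "0406140040844886bb41c74293ac450fbf7766bf7FFF0400")

def parse_load_option(blob: bytes) -> dict:
    """Decode an EFI_LOAD_OPTION; raise ValueError if its device path never ends."""
    if len(blob) < 6:
        raise ValueError("too short for Attributes + FilePathListLength")
    attributes, path_len = struct.unpack_from("<IH", blob, 0)
    pos = 6  # Description: NUL-terminated UTF-16LE string
    while blob[pos:pos + 2] != b"\x00\x00":
        if pos + 2 > len(blob):
            raise ValueError("description is not NUL-terminated")
        pos += 2
    description = blob[6:pos].decode("utf-16-le")
    pos += 2
    path = blob[pos:pos + path_len]
    if len(path) != path_len:
        raise ValueError("FilePathListLength runs past the end of the variable")
    nodes, off = [], 0
    while True:
        if off + 4 > len(path):
            raise ValueError("device path has no end node")
        ntype, subtype, nlen = struct.unpack_from("<BBH", path, off)
        if nlen < 4 or off + nlen > len(path):
            raise ValueError("device path node length is invalid")
        if (ntype, subtype) == (0x7F, 0xFF):  # 7F FF 04 00: end of entire path
            break
        if (ntype, subtype, nlen) == (0x04, 0x06, 20):  # media / firmware file
            guid = uuid.UUID(bytes_le=path[off + 4:off + 20])
            nodes.append("FvFile(%s)" % str(guid).upper())
        else:
            nodes.append("Node(0x%02x,0x%02x)" % (ntype, subtype))
        off += nlen
    return {"attributes": attributes, "description": description, "path": "/".join(nodes)}

def strip_end_node(blob: bytes) -> bytes:
    """Constructed bad input: drop the 4-byte end node and shrink the length field."""
    path_len = struct.unpack_from("<H", blob, 4)[0]
    return blob[:4] + struct.pack("<H", path_len - 4) + blob[6:-4]

if __name__ == "__main__":
    for blob in (BOOT0000, BOOT0001):
        print(parse_load_option(blob))
```

Passing `strip_end_node(BOOT0000)` to `parse_load_option` raises `ValueError`, so an unterminated entry like the one that caused the black screen is caught before it reaches NVRAM.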