Login

u/CareerAdditional489

▲ 1 r/Hewlett_Packard

Hey everyone,

I recently went down the deepest of rabbit holes trying to reclaim some thermal headroom on my HP EliteBook 840 G7 (Intel 10th Gen Comet Lake, S70 platform). My goal was simple: disable CFG Lock (MSR 0xE2) and unlock the Overclocking/FIVR Lock so I could undervolt in Arch Linux (and maybe tinker with Native Hackintosh).

I spent weeks hitting a massive brick wall. If you are getting the infamous 0x8 Write Protect / Access Denied error in RU.efi or modGRUBShell, this post is for you. Here is the technical reality of HP’s enterprise security, why your software tweaks are failing, and the only way to actually fix it.

** The Problem: The "Titanium Vault"

Normally, on consumer laptops (like ASUS or MSI), you can boot into an EFI shell, use (setup_var) to change the hidden NVRAM offset for CFG Lock from 0x01 to 0x00, and you’re done.

If you try this on a modern HP EliteBook running a recent BIOS (like v01.23.00), you will fail. Why?

  1. Intel Chipset Guards: Early in the boot phase (PEI/DXE), the Intel PCH flips the BIOS Lock Enable (BLE) switch and locks the memory addresses using PRR (Protected Range Registers). Silicon physically drops your write requests.
  2. SMM (Ring -2): If you try to force the write, it triggers a System Management Interrupt (SMI). The CPU pauses your EFI shell, runs a hidden HP security script, and spits out the 0x8 Access Denied error.
  3. HP Sure Start: Even if you bypassed the Intel blocks, HP has a dedicated physical chip (Embedded Controller) constantly auditing the BIOS chip. If it sees you changed a hidden variable, it instantly cuts power and overwrites your changes with a clean backup.

** Why you can't just downgrade the BIOS via USB

Okay, so you realize the new BIOS is locked down because of Intel's Plundervolt mitigations. The solution is to flash the pre-Plundervolt "Golden Version" from mid-2020 (BIOS v01.01.05 - SP104203), right?

Wrong. You put it on a USB, go to the F10 menu, hit update, and get an "Excluded" or "Signature Failure" error—even with Unrestricted Rollback enabled, I have tried this using 2023 BIOS just to figure if HP allows downgrade,

The reason: Hardware eFuses. HP burns a Security Version Number (SVN) into the motherboard. Your current BIOS has a higher SVN than the 2020 BIOS. The hardware physically refuses to let you install an older SVN Even if you set BIOS to Unrestricted Bios Rollback.

Help Needed: I dug into but couldn't find S70 Plateform late 2021 Bios It would be appreciated if you have an archive for HP Elitebook G7 late 2021 Bios before the Plundervolt patch :) ?

** The Microcode Trap

"Fine," you think. "What if I just extract my current v01.23.00 BIOS, find the new offsets, and hardware flash the unlocked NVRAM?"
Even if you do that, your undervolt still won't work. The new BIOS contains updated Intel Microcode. The CPU has essentially been given permanent "earmuffs" to ignore any voltage offset requests from the OS to prevent Plundervolt attacks.

** The Ultimate Solution: The Hardware Heist

To get undervolting to work, you have to bypass the software guards, bypass the SVN downgrade block, and downgrade the Intel Microcode.

The only way to do this is with a CH341A SPI Hardware Programmer.

  1. Buy a $15 CH341A kit with a SOIC8 test clip from Amazon/AliExpress.
  2. Unplug your laptop battery (this is crucial—it puts HP Sure Start, the CPU, and the Chipset to sleep).
  3. Clip directly onto the Winbond SPI Flash Chip on your motherboard.
  4. Using a second PC, completely erase the chip and physically flash the extracted .bin of the 2020 v01.01.05 BIOS.

Because the laptop is dead/asleep while you do this, HP Sure Start can't stop you. The SVN eFuse can't block the downgrade. When you plug the battery back in and turn it on, HP Sure Start just assumes it has always been on the 2020 version. You are now free from the microcode earmuffs and the PRR locks, and you can finally undervolt!

:) Hopefully, this saves someone the weeks of headaches I went through trying to do this purely through software! Let me know if you have the Internet Archive links for the older HP SoftPaqs?, as HP has deleted them from their main servers.

reddit.com
u/CareerAdditional489 — 13 days ago
▲ 1 r/24hoursupport

I am working to reclaim thermal headroom and performance on an HP EliteBook 840 G7 (Comet Lake). The end goal is to enable undervolting (FIVR control) and unlock MSR 0xE2 (CFG Lock) for native power management. However, I’ve hit the notorious HP "Security Wall."

Hardware/Software Environment

The Current Block (Technical Analysis)

I have attempted to modify the UEFI variables via EFI Shell/Scripting, but the system is hardware-locked.

  1. CFG Lock Target: IntelTechnologiesOptions @ Offset 0x0F.
  2. Failure: (modGRUBShell:) setup_var_cv returns Error: 0x000000000000f. (RU.efi:) Attempts to write to 0x0F result in a Write Protect / Access Denied (0x8) error.
  3. The Problem: It appears the Protected Range Registers (PRR) are initialized early in the boot sequence (PEI/DXE phase), rendering the variable store read-only for any software-level tools.

Missing Offsets for v01.23.00

While the CFG Lock offset is known, I have not yet successfully mapped the Overclocking/FIVR variables for this specific firmware version. I am looking for the IFR-confirmed Variable Store (likely CpuSetup) and Offsets for:

  1. Overclocking Lock (To permit voltage modification).
  2. FIVR Control / XTU Interface (To expose voltage sliders).
  3. BIOS Lock (To potentially allow FPT writing).

If anyone has a PE32/IFR dump for S70 v01.23.00, your confirmation on these offsets would be invaluable to prevent a blind-write brick.

The "Golden Version" Request and My Last Option

I am seeking a specific SoftPaq (older BIOS)—ideally from late 2020 or early 2021—that was released prior to the aggressive SVN (Security Version Number) jumps and Plundervolt mitigations.

Does anyone have the SoftPaq ID or a verified .bin for a version that:

  • Accepts setup_var / RU.efi writes without PRR interference.
  • Does not have a locked SVN that triggers a signature failure during rollback.
  • Is verified to bypass the "excluded" status even with "Unrestricted Rollback" enabled in the BIOS menu.

I have a 16MB SPI dump of my current region for recovery purposes, but I am looking for the last version that treats the owner as the administrator and if you are willing to help i hv put the s70 bios in this github repo https://github.com/Silent-dude247/HP-Elitebook-840-G7-S70-Plateform-01.23.00-Bios-/blob/main/S70.zip.

Has anyone successfully rolled back an S70-platform EliteBook to a version where undervolting is functional? Any leads on specific SoftPaq numbers for older would be greatly appreciated.

u/CareerAdditional489 — 15 days ago
▲ 1 r/overclocking

[Ihelp needed here ] HP EliteBook 840 G7 (S70) – Seeking Pre-Plundervolt BIOS for MSR 0xE2 & FIVR Unlock

[Inquiry] HP EliteBook 840 G7 (S70) – Seeking Pre-Plundervolt BIOS for MSR 0xE2 & FIVR Unlock

The Objective

I am working to reclaim thermal headroom and performance on an HP EliteBook 840 G7 (Comet Lake). The end goal is to enable undervolting (FIVR control) and unlock MSR 0xE2 (CFG Lock) for native power management. However, I’ve hit the notorious HP "Security Wall."

Hardware/Software Environment

The Current Block (Technical Analysis)

I have attempted to modify the UEFI variables via EFI Shell/Scripting, but the system is hardware-locked.

  1. CFG Lock Target: IntelTechnologiesOptions @ Offset 0x0F.
  2. Failure: (modGRUBShell:) setup_var_cv returns Error: 0x000000000000f. (RU.efi:) Attempts to write to 0x0F result in a Write Protect / Access Denied (0x8) error.
  3. The Problem: It appears the Protected Range Registers (PRR) are initialized early in the boot sequence (PEI/DXE phase), rendering the variable store read-only for any software-level tools.

Missing Offsets for v01.23.00

While the CFG Lock offset is known, I have not yet successfully mapped the Overclocking/FIVR variables for this specific firmware version. I am looking for the IFR-confirmed Variable Store (likely CpuSetup) and Offsets for:

  1. Overclocking Lock (To permit voltage modification).
  2. FIVR Control / XTU Interface (To expose voltage sliders).
  3. BIOS Lock (To potentially allow FPT writing).

If anyone has a PE32/IFR dump for S70 v01.23.00, your confirmation on these offsets would be invaluable to prevent a blind-write brick.

The "Golden Version" Request and My Last Option

I am seeking a specific SoftPaq (older BIOS)—ideally from late 2020 or early 2021—that was released prior to the aggressive SVN (Security Version Number) jumps and Plundervolt mitigations.

Does anyone have the SoftPaq ID or a verified .bin for a version that:

  • Accepts setup_var / RU.efi writes without PRR interference.
  • Does not have a locked SVN that triggers a signature failure during rollback.
  • Is verified to bypass the "excluded" status even with "Unrestricted Rollback" enabled in the BIOS menu.

I have a 16MB SPI dump of my current region for recovery purposes, but I am looking for the last version that treats the owner as the administrator and if you are willing to help i hv put the s70 bios in this github repo https://github.com/Silent-dude247/HP-Elitebook-840-G7-S70-Plateform-01.23.00-Bios-/blob/main/S70.zip.

Has anyone successfully rolled back an S70-platform EliteBook to a version where undervolting is functional? Any leads on specific SoftPaq numbers for older would be greatly appreciated.

u/CareerAdditional489 — 16 days ago
▲ 2 r/Hewlett_Packard

[Inquiry] HP EliteBook 840 G7 (S70) – Seeking Pre-Plundervolt BIOS for MSR 0xE2 & FIVR Unlock

The Objective

I am working to reclaim thermal headroom and performance on an HP EliteBook 840 G7 (Comet Lake). The end goal is to enable undervolting (FIVR control) and unlock MSR 0xE2 (CFG Lock) for native power management. However, I’ve hit the notorious HP "Security Wall."

Hardware/Software Environment

The Current Block (Technical Analysis)

I have attempted to modify the UEFI variables via EFI Shell/Scripting, but the system is hardware-locked.

  1. CFG Lock Target: IntelTechnologiesOptions @ Offset 0x0F.
  2. Failure: (modGRUBShell:) setup_var_cv returns Error: 0x000000000000f. (RU.efi:) Attempts to write to 0x0F result in a Write Protect / Access Denied (0x8) error.
  3. The Problem: It appears the Protected Range Registers (PRR) are initialized early in the boot sequence (PEI/DXE phase), rendering the variable store read-only for any software-level tools.

Missing Offsets for v01.23.00

While the CFG Lock offset is known, I have not yet successfully mapped the Overclocking/FIVR variables for this specific firmware version. I am looking for the IFR-confirmed Variable Store (likely CpuSetup) and Offsets for:

  1. Overclocking Lock (To permit voltage modification).
  2. FIVR Control / XTU Interface (To expose voltage sliders).
  3. BIOS Lock (To potentially allow FPT writing).

If anyone has a PE32/IFR dump for S70 v01.23.00, your confirmation on these offsets would be invaluable to prevent a blind-write brick.

The "Golden Version" Request and My Last Option

I am seeking a specific SoftPaq (older BIOS)—ideally from late 2020 or early 2021—that was released prior to the aggressive SVN (Security Version Number) jumps and Plundervolt mitigations.

Does anyone have the SoftPaq ID or a verified .bin for a version that:

  • Accepts setup_var / RU.efi writes without PRR interference.
  • Does not have a locked SVN that triggers a signature failure during rollback.
  • Is verified to bypass the "excluded" status even with "Unrestricted Rollback" enabled in the BIOS menu.

I have a 16MB SPI dump of my current region for recovery purposes, but I am looking for the last version that treats the owner as the administrator and if you are willing to help i hv put the s70 bios in this github repo https://github.com/Silent-dude247/HP-Elitebook-840-G7-S70-Plateform-01.23.00-Bios-/blob/main/S70.zip.

Has anyone successfully rolled back an S70-platform EliteBook to a version where undervolting is functional? Any leads on specific SoftPaq numbers for older would be greatly appreciated.

u/CareerAdditional489 — 16 days ago
▲ 2 r/linuxhardware+1 crossposts

Hi everyone,

I am trying to unlock undervolting on my HP EliteBook 840 G7 (10th Gen Intel, S70 platform) running BIOS version 01.23.00 (dated 2024/2025). My goal is a silent setup on my Arch Linux (Niri compositor), but the FIVR controls are currently locked due to Plundervolt patches.

The Problem:
I have already extracted the BIOS using UEFITool and IFRExtractor, but the strings "Overclocking Lock" and "CFG Lock" are missing from the Setup IFR. HP has likely renamed or obscured these variables in this firmware version.

Additionally, my modGRUBShell USB is being ignored by the F9 Boot Menu despite disabling Secure Boot, TPM, and Sure Start. The system simply loops back to the boot menu without executing the shell.

Request for Assistance:

  1. Does anyone have the exact VarOffsets for the Overclocking Lock and CFG Lock for S70 BIOS v01.23.00?
  2. Are the standard 10th Gen offsets (0xDA for OC Lock and 0x3E for CFG Lock) still correct for this specific HP update?
  3. If the names are hidden, what technical aliases should I search for in the IFR (e.g., FIVR Lock, MSR 0xE2, or Bit 20)?
  4. How can I force the EliteBook 840 G7 to boot an unsigned .efi shell? Is there a "custom boot path" trick for G7 models?

Any help from the BIOS modding or Linux community would be greatly appreciated!

reddit.com
u/CareerAdditional489 — 17 days ago
▲ 2 r/overclocking

Hi everyone,

I am trying to unlock undervolting on my HP EliteBook 840 G7 (10th Gen Intel, S70 platform) running BIOS version 01.23.00 (dated 2024/2025). My goal is to decrease the heat and throttling, but the FIVR controls are currently locked due to Plundervolt patches.

The Problem:
I have already extracted the BIOS using UEFITool and IFRExtractor, but the strings "Overclocking Lock" and "CFG Lock" are missing from the Setup IFR. HP has likely renamed or obscured these variables in this firmware version.

Additionally, my modGRUBShell USB is being ignored by the F9 Boot Menu despite disabling Secure Boot, TPM, and Sure Start. The system simply loops back to the boot menu without executing the shell.

Request for Assistance:

  1. Does anyone have the exact VarOffsets for the Overclocking Lock and CFG Lock for S70 BIOS v01.23.00?
  2. Are the standard 10th Gen offsets (0xDA for OC Lock and 0x3E for CFG Lock) still correct for this specific HP update?
  3. If the names are hidden, what technical aliases should I search for in the IFR (e.g., FIVR Lock, MSR 0xE2, or Bit 20)?
  4. How can I force the EliteBook 840 G7 to boot an unsigned .efi shell? Is there a "custom boot path" trick for G7 models?

Any help from the BIOS modding community would be greatly appreciated.

reddit.com
u/CareerAdditional489 — 17 days ago
▲ 1 r/Hewlett_Packard

Hi everyone,

I am trying to unlock undervolting on my HP EliteBook 840 G7 (10th Gen Intel, S70 platform) running BIOS version 01.23.00 (dated 2024/2025). My goal is to decrease the heat throttling, but the FIVR controls are currently locked due to Plundervolt patches.

The Problem:
I have already extracted the BIOS using UEFITool and IFRExtractor, but the strings "Overclocking Lock" and "CFG Lock" are missing from the Setup IFR. HP has likely renamed or obscured these variables in this firmware version.

Additionally, my modGRUBShell USB is being ignored by the F9 Boot Menu despite disabling Secure Boot, TPM, and Sure Start. The system simply loops back to the boot menu without executing the shell.

Request for Assistance:

  1. Does anyone have the exact VarOffsets for the Overclocking Lock and CFG Lock for S70 BIOS v01.23.00?
  2. Are the standard 10th Gen offsets (0xDA for OC Lock and 0x3E for CFG Lock) still correct for this specific HP update?
  3. If the names are hidden, what technical aliases should I search for in the IFR (e.g., FIVR Lock, MSR 0xE2, or Bit 20)?
  4. How can I force the EliteBook 840 G7 to boot an unsigned .efi shell? Is there a "custom boot path" trick for G7 models?

Any help from the BIOS modding community would be greatly appreciated.

reddit.com
u/CareerAdditional489 — 17 days ago