RunForrest Posted October 27, 2014 Share Posted October 27, 2014 First of all. Thank you very much CodeRush! No only for making this but also for being so helpful, as I can see in this thread. Working confirmation: MSI Z87M-G43 Bios version 2.6. Patched in Windows tools. Updated with MFlash Link to comment Share on other sites More sharing options...
CodeRush Posted October 27, 2014 Author Share Posted October 27, 2014 @taetae, this warning means that the RSA signature embedded in file's header became invalid after modifications done by UEFIPatch. Some flashers are OK with it, but mostly they aren't, so the modified BIOS must be flashed some non-standard way. Nothing to worry about. @RunForrest, thanks you for testing and reporting. Link to comment Share on other sites More sharing options...
taetae Posted October 28, 2014 Share Posted October 28, 2014 so I can flash the bios without incurring any problem ?? c:\winflash /nodate file bios not valid program in the bios, weak flash, I say "old bios date" afudos: write protection Link to comment Share on other sites More sharing options...
Ousret Posted October 30, 2014 Share Posted October 30, 2014 It's won't be so easy, as I thought but there is a way to unlock BIOS from this kind of lock. It is described here and can be dangerous, but I tried it like 10 times and it worked. You need to disable Intel AntiTheft before trying it. After unlocking access to all regions, you can make a dump of Descriptor region by executing fpt -desc -d desc.bin, and edit it with Hex-editor to remove locks completely. This values are to be set: Then you can flash modified Descriptor region by executing fpt -desc -f desc.bin and modified BIOS region by fpt -bios -f mod.bin. If all things goes without error, then modified BIOS is finally flashed. This way it dangerous and can lead to BIOS loss, so I don't recommend to try it unless you have to. I do have tried this method on my laptop ASUS F750J with HM86 express chipsets. Thank to you i do have unlocked my Desc region and i've unlocked all regions.. like you explained. Reboot succesfully with desc region modded. But I can't flash the bios region anyways.. I'm out of luck. Here is a screenshot And i'm currently on ME debug mode. With or without ME debug, i've the same output when i try to write on bios region. I think that this case could interest you If anyone has any idea, i'm ready to try it if it not too much suicide ^^. Thank Do i need to modify ME region ? if yes own can i do it ? By the way i'm french, sorry for my english ^^ Edit: flashrom. Calibrating delay loop... OS timer resolution is 1 usecs, 3170M loops per second, 10 myus = 9 us, 100 myus = 97 us, 1000 myus = 963 us, 10000 myus = 9769 us, 4 myus = 3 us, OK. Initializing internal programmer No coreboot table found. Using Internal DMI decoder. No DMI table found. Found chipset "Intel HM86" with PCI ID 8086:8c49. This chipset is marked as untested. If you are using an up-to-date version of flashrom *and* were (not) able to successfully update your firmware with it, then please email a report to flashrom@flashrom.org including a verbose (-V) log. Thank you! Enabling flash write... Root Complex Register Block address = 0xfed1c000 GCS = 0xc61: BIOS Interface Lock-Down: enabled, Boot BIOS Straps: 0x3 (SPI) Top Swap : not enabled 0xfff80000/0xffb80000 FWH IDSEL: 0x0 0xfff00000/0xffb00000 FWH IDSEL: 0x0 0xffe80000/0xffa80000 FWH IDSEL: 0x1 0xffe00000/0xffa00000 FWH IDSEL: 0x1 0xffd80000/0xff980000 FWH IDSEL: 0x2 0xffd00000/0xff900000 FWH IDSEL: 0x2 0xffc80000/0xff880000 FWH IDSEL: 0x3 0xffc00000/0xff800000 FWH IDSEL: 0x3 0xff700000/0xff300000 FWH IDSEL: 0x4 0xff600000/0xff200000 FWH IDSEL: 0x5 0xff500000/0xff100000 FWH IDSEL: 0x6 0xff400000/0xff000000 FWH IDSEL: 0x7 0xfff80000/0xffb80000 FWH decode enabled 0xfff00000/0xffb00000 FWH decode enabled 0xffe80000/0xffa80000 FWH decode enabled 0xffe00000/0xffa00000 FWH decode enabled 0xffd80000/0xff980000 FWH decode enabled 0xffd00000/0xff900000 FWH decode enabled 0xffc80000/0xff880000 FWH decode enabled 0xffc00000/0xff800000 FWH decode enabled 0xff700000/0xff300000 FWH decode disabled 0xff600000/0xff200000 FWH decode disabled 0xff500000/0xff100000 FWH decode disabled 0xff400000/0xff000000 FWH decode disabled Maximum FWH chip size: 0x100000 bytesSPI Read Configuration: prefetching enabled, caching enabled, BIOS_CNTL = 0x0a: BIOS Lock Enable: enabled, BIOS Write Enable: disabled Warning: Setting Bios Control at 0xdc from 0x0a to 0x09 failed. New value is 0x0a. SPIBAR = 0x00000001000ca000 + 0x3800 0x04: 0xf008 (HSFS) HSFS: FDONE=0, FCERR=0, AEL=0, BERASE=1, SCIP=0, FDOPSS=1, FDV=1, FLOCKDN=1 Warning: SPI Configuration Lockdown activated. Reading OPCODES... done OP Type Pre-OP op[0]: 0x02, write w/ addr, none op[1]: 0x03, read w/ addr, none op[2]: 0x20, write w/ addr, none op[3]: 0x05, read w/o addr, none op[4]: 0x9f, read w/o addr, none op[5]: 0x01, write w/o addr, none op[6]: 0x00, read w/o addr, none op[7]: 0x00, read w/o addr, none Pre-OP 0: 0x06, Pre-OP 1: 0x00 0x06: 0x0000 (HSFC) HSFC: FGO=0, FCYCLE=0, FDBC=0, SME=0 0x08: 0x00000000 (FADDR) 0x50: 0x0000ffff (FRAP) BMWAG 0x00, BMRAG 0x00, BRWA 0xff, BRRA 0xff 0x54: 0x00000000 FREG0: Flash Descriptor region (0x00000000-0x00000fff) is read-write. 0x58: 0x07ff0400 FREG1: BIOS region (0x00400000-0x007fffff) is read-write. 0x5C: 0x03ff0001 FREG2: Management Engine region (0x00001000-0x003fffff) is read-write. 0x60: 0x00007fff FREG3: Gigabit Ethernet region is unused. 0x64: 0x00007fff FREG4: Platform Data region is unused. 0x74: 0x00000000 (PR0 is unused) 0x78: 0x00000000 (PR1 is unused) 0x7C: 0x00000000 (PR2 is unused) 0x80: 0x00000000 (PR3 is unused) 0x84: 0x00000000 (PR4 is unused) 0x90: 0xc4 (SSFS) SSFS: SCIP=0, FDONE=1, FCERR=0, AEL=0 0x91: 0xfc4130 (SSFC) SSFC: SCGO=0, ACS=0, SPOP=0, COP=3, DBC=1, SME=0, SCF=4 0x94: 0x0006 (PREOP) 0x96: 0x043b (OPTYPE) 0x98: 0x05200302 (OPMENU) 0x9C: 0x0000019f (OPMENU+4) 0xA0: 0x00000000 (BBAR) 0xC4: 0x80802045 (LVSCC) LVSCC: BES=0x1, WG=1, WSR=0, WEWS=0, EO=0x20, VCL=1 0xC8: 0x00002045 (UVSCC) UVSCC: BES=0x1, WG=1, WSR=0, WEWS=0, EO=0x20, VCL=0 0xD0: 0x50444653 (FPB) Reading flash descriptors mapped by the chipset via FDOC/FDOD... done. === Content Section === FLVALSIG 0x0ff0a55a FLMAP0 0x02040003 FLMAP1 0x15100206 FLMAP2 0x00210120 --- Details --- NR (Number of Regions): 3 FRBA (Flash Region Base Address): 0x040 NC (Number of Components): 1 FCBA (Flash Component Base Address): 0x030 ISL (ICH/PCH Strap Length): 21 FISBA/FPSBA (Flash ICH/PCH Strap Base Address): 0x100 NM (Number of Masters): 3 FMBA (Flash Master Base Address): 0x060 MSL/PSL (MCH/PROC Strap Length): 1 FMSBA (Flash MCH/PROC Strap Base Address): 0x200 === Component Section === FLCOMP 0x64900044 FLILL 0x00000000 --- Details --- Component 1 density: 8 MB Component 2 is not used. Read Clock Frequency: 20 MHz Read ID and Status Clock Freq.: 50 MHz Write and Erase Clock Freq.: 50 MHz Fast Read is supported. Fast Read Clock Frequency: 50 MHz No forbidden opcodes. === Region Section === FLREG0 0x00000000 FLREG1 0x07ff0400 FLREG2 0x03ff0001 FLREG3 0x00007fff FLREG4 0x00007fff --- Details --- Region 0 (Descr.) 0x00000000 - 0x00000fff Region 1 (BIOS ) 0x00400000 - 0x007fffff Region 2 (ME ) 0x00001000 - 0x003fffff Region 3 (GbE ) is unused. Region 4 (Platf.) is unused. === Master Section === FLMSTR1 0xffff0000 FLMSTR2 0xffff0000 FLMSTR3 0xffff0118 --- Details --- Descr. BIOS ME GbE Platf. BIOS rw rw rw rw rw ME rw rw rw rw rw GbE rw rw rw rw rw PROBLEMS, continuing anyway The following protocols are supported: FWH, SPI. Probing for Macronix MX25L6405(D), 8192 kB: probe_spi_rdid_generic: id1 0xc2, id2 0x2017 Found Macronix flash chip "MX25L6405(D)" (8192 kB, SPI) at physical address 0xff800000. Chip status register is 0x40. Chip status register: Status Register Write Disable (SRWD, SRP, ...) is not set Chip status register: Bit 6 is set Chip status register: Block Protect 3 (BP3) is not set Chip status register: Block Protect 2 (BP2) is not set Chip status register: Block Protect 1 (BP1) is not set Chip status register: Block Protect 0 (BP0) is not set Chip status register: Write Enable Latch (WEL) is not set Chip status register: Write In Progress (WIP/BUSY) is not set This chip may contain one-time programmable memory. flashrom cannot read and may never be able to write it, hence it may not be able to completely clone the contents of this chip (see man page for details). Block protection is disabled. Reading flash... done. Restoring MMIO space at 0x1000cd8a0 Restoring PCI config space for 00:1f:0 reg 0xdc Calibrating delay loop... OK. No DMI table found. Found chipset "Intel HM86". This chipset is marked as untested. If you are using an up-to-date version of flashrom *and* were (not) able to successfully update your firmware with it, then please email a report to flashrom@flashrom.org including a verbose (-V) log. Thank you! Enabling flash write... Warning: Setting Bios Control at 0xdc from 0x0a to 0x09 failed. New value is 0x0a. Warning: SPI Configuration Lockdown activated. PROBLEMS, continuing anyway Found Macronix flash chip "MX25L6405(D)" (8192 kB, SPI) at physical address 0xff800000. Reading old flash chip contents... done. Erasing and writing flash chip... Transaction error! spi_block_erase_20 failed during command execution at address 0x430000 Reading current flash chip contents... done. spi_block_erase_d8 failed during command execution at address 0x430000 Reading current flash chip contents... done. spi_chip_erase_60 failed during command execution Reading current flash chip contents... done. spi_chip_erase_c7 failed during command execution FAILED! Uh oh. Erase/write failed. Checking if anything changed. Good. It seems nothing was changed. Writing to the flash chip apparently didn't do anything. This means we have to add special support for your board, programmer or flash chip. Please report this on IRC at chat.freenode.net (channel #flashrom) or mail flashrom@flashrom.org, thanks! Link to comment Share on other sites More sharing options...
medallo Posted October 30, 2014 Share Posted October 30, 2014 I just have a question about this Tool. I've got an MSI Z97 Gaming 7 motherboard and i downloaded the bios from MSI website as a zip-file. I unzipped the file and found a file ending with .150 Should I just use uefipatch on this .150 file and then flash that generated file? Just want to make sure I do it right. I tried booting the installer but it keeps restarting into Windows so maybe flashing this will help! Many thanks for any help! same question .. better explanation. thanks .. any help .. Link to comment Share on other sites More sharing options...
CodeRush Posted October 30, 2014 Author Share Posted October 30, 2014 @Ousret BIOS_CNTL = 0x0a: BIOS Lock Enable: enabled You have BIOS Lock enabled in Setup. Try this method. If it fails, check SMI_LOCK bit to be 0: And if it's really 0, set GBL_SMI_EN bit of SMI_EN register to 0: Then try flashing again. If all above fails, you can either try AFU /GAN method (linked in old FAQ in the first post), but it's extremely dangerous on laptops, or use hardware SPI flashed to dump/patch/flash your image without any software. @medallo, sorry, but I know nothing about MSI boards. Try MFlash utility maybe? Link to comment Share on other sites More sharing options...
Ousret Posted October 30, 2014 Share Posted October 30, 2014 Thank you for your answer. BIOS Lock is set to 1. Unable to change it. SCEWIN_64 does not work. The program report ERROR4: Error [.....] HII db. > SCEWIN_64 /o /s nvram.txt /h Hii.db /v /q > ERROR:4 - Retrieving HII Database > ERROR:4 - Dumping HII Database to File Even with SCEDOS NVRAM locked I guess. No luck for me at all ^^ Every AFU tools say: Write protected.. And nothing goes on. I will look at SPI Flasher.. but damn! I was so close..! x) Link to comment Share on other sites More sharing options...
medallo Posted October 30, 2014 Share Posted October 30, 2014 hi .. CodeRush. MSI do not need .. ASUS only PB875-M LX Plus and P8Z77-M. The bios .cab of PMPatch When updating the bios ... ASUS EZ Flash 2 utility. Security verification failed. How to patch 2 bios.? Thank you. Link to comment Share on other sites More sharing options...
StoneTemplePilots Posted October 30, 2014 Share Posted October 30, 2014 Thank you for your answer. BIOS Lock is set to 1. Unable to change it. SCEWIN_64 does not work. The program report ERROR4: Error [.....] HII db. Even with SCEDOS NVRAM locked I guess. No luck for me at all ^^ Every AFU tools say: Write protected.. And nothing goes on. I will look at SPI Flasher.. but damn! I was so close..! x) please try Save current CMOS: SCEDOS /O myCMOS.txt edit, then restore using Update CMOS: SCEDOS /I myCMOS.txt Link to comment Share on other sites More sharing options...
Ousret Posted October 30, 2014 Share Posted October 30, 2014 > SCEDOS /O MyCMOS.txt > SCEDOS /I MyCMOS.txt I tried to dump the CMOS with your command. It does not work because it won't accept /o alone, he want /o /s SCEDOS /O MyCMOS.txt does nothing SCEDOS /O /S MyCMOS.txt display the same ERROR4: Thank you anyway Here is another tool to dump / write NVRAM for Aptio EFI ? Link to comment Share on other sites More sharing options...
StoneTemplePilots Posted October 30, 2014 Share Posted October 30, 2014 > SCEDOS /O MyCMOS.txt > SCEDOS /I MyCMOS.txt I tried to dump the CMOS with your command. It does not work because it won't accept /o alone, he want /o /s SCEDOS /O MyCMOS.txt does nothing SCEDOS /O /S MyCMOS.txt display the same ERROR4: Thank you anyway Here is another tool to dump / write NVRAM for Aptio EFI ? from linux maybe, tuxuser wrote a piece of code but I don't know if it's applicable for your needs. Ask him. Also read this interesting piece of text. Link to comment Share on other sites More sharing options...
Ousret Posted October 30, 2014 Share Posted October 30, 2014 Ah. I just need to remove SMI Lock in NVRAM. But not very easy anyway. Any repo where I can find nvram.c for Linux ? Thank you. Link to comment Share on other sites More sharing options...
StoneTemplePilots Posted October 30, 2014 Share Posted October 30, 2014 Ah. I just need to remove SMI Lock in NVRAM. But not very easy anyway. Any repo where I can find nvram.c for Linux ? Thank you. sorry it's efirw.c ^^ Link to comment Share on other sites More sharing options...
Ousret Posted October 30, 2014 Share Posted October 30, 2014 Thank^^ https://www.bios-mods.com/forum/Thread-READ-FIRST-Access-Advanced-settings-through-EFI-shell Seem to be very interesting ^^ According to him, we can modify BIOS option through EFI app. I will test this and report here when it's done ^^ Some hope for me ^^ Link to comment Share on other sites More sharing options...
taetae Posted October 31, 2014 Share Posted October 31, 2014 ok:-), backup and flash with AfuWin64 .... left patched up it all went well ... I fix something else in the bios to make it compatible with 10:10 ??? Link to comment Share on other sites More sharing options...
adoNai Posted October 31, 2014 Share Posted October 31, 2014 Hey there CodeRush and fellow "Hackintosh'ers"! First of all, thanks for the amazing help you guys provide for this community, it's really wonderful. So, it´s my first time trying to install OS X on my PC, but I consider my self "tech-savvy" and know my way around some stuff, but I'm having a hard time. I can't reach the installer after I boot up my USB Stick. It loads, flashes the gray screen with the Apple logo and reboots. I tried every parameter I know (-v -f -x -s...). I also deactivated the necessary settings in the BIOS (only VT-d, couldn't find CFG Lock, Secure Boot Mode). Someone said that my problem might be something related to Kernel and Intel CPU Power Management, and in order to solve this, I would need to use PMPatch (which is no longer available). With some further investigation I end up here. I read somewhere that UEFIPatch might be the solution for me. I downloaded my BIOS from the MSI website (link) and patched it, but I'm not sure if everything is good to go and I can go ahead and flash it and nor I'm sure if this tool is the solution for me. So I'm here to ask if this tool will indeed solve my problem and if yes, here is what the tool give me after I used it: patch: replaced 10 bytes at offset 0x00001366 75080fbae80f89442430 -> eb080fbae8 0f89442430 Image patched Is this ok? I can go ahead and flash it? Thank you already. P.S.: My motherboard is a MSI H87-G43 Gaming, with a Intel i5 4690, 8GBs of HYPER X RAM, and a GIGABYTE GTX 770 OC. Link to comment Share on other sites More sharing options...
Ousret Posted October 31, 2014 Share Posted October 31, 2014 from linux maybe, tuxuser wrote a piece of code but I don't know if it's applicable for your needs. Ask him. Also read this interesting piece of text. Thank to you, BlackSheep VS RustyNail, I do have found another way to dump my NVRAM without any problems. But now, I don't know what to change in there ^^ I do have attached my NVRAM, open it with Hex Editor. I can replace NVRAM, ^^ Hope we can found something related to SMI Lock in there But I can't see anything related to it for now ASUS did not do the job half the way nvram.zip Link to comment Share on other sites More sharing options...
Ousret Posted October 31, 2014 Share Posted October 31, 2014 Laptop now bricked because of NVRAM -_-" Fu$$$$ ASUS! I never thought it could have an impact like this one .. So! User with 2012 - Today, laptop mobo ASUS ! Don't try to touch NVRAM. Link to comment Share on other sites More sharing options...
ikkoku Posted November 4, 2014 Share Posted November 4, 2014 @CodeRush Great job with the tool. I have an Asus Q301LA laptop which is the same as the S301LA with H87 chipset. I downloaded the latest bios from the ASUS website and followed the instructions you gave in http://www.insanelymac.com/forum/topic/285444-uefipatch-uefi-patching-utility/page-57?do=findComment&comment=1984362 and have created a new rom file. Is there any way to check if it was done correctly? Attached is the patched rom S301LAAS.zip Link to comment Share on other sites More sharing options...
Net-burst Posted November 7, 2014 Share Posted November 7, 2014 Hello. I'm trying to disable BIOS and NVRAM lock on my Z77 motherboard. I used AMIBCP to disable SMI and BIOS lock in image file, but program produced CAP file with different firs bits, than original. UEFITool shows that I'm opening not capsule file, but rather BIOS file. I'm attaching both files here. Can someone please look at them? PS. I have Asus Maximus V Extreme motherboard with 1903 BIOS. I can only flash with Flashback because of lock. MAXIMUS-V-EXTREME-ASUS-1903.rar MAXIMUS-V-EXTREME-ASUS-1903-SMI-unlock.rar Link to comment Share on other sites More sharing options...
CodeRush Posted November 7, 2014 Author Share Posted November 7, 2014 @ikkoku, there is no way to check it without trying and I don't know any reliable method to flash modified BIOS on notebooks, so please just use Clover's patching engine, if you don't have a SPI flasher to use dump/patch/reflash approach. @Net-burst, why do you need to disable lock on your platform? NVRAM works fine with recent Clover versions, and removing those locks just make your PC more vulnerable. Newer versions of AMIBCP remove a signature from CAP file, but you can add just replace this modified header with the original one to make the modified image compatible with USB BIOS Flashback. Link to comment Share on other sites More sharing options...
Net-burst Posted November 7, 2014 Share Posted November 7, 2014 @CodeRush, I'm losing sleep and half of USB ports with it, unfortunately. One USB2 hub, to be more precise. It somehow messes up my IRQ allocation. At least I think so. Furthermore, I'm still getting rollback to old NVRAM mode in bootlog. Looks like ROG series have something different about them. How much bytes is header do I need to replace? 11? As I understand, I need to copy set number of bytes starting from first one into modified file. Am I correct? Nothing else? PS. Looking at file differences, it looks like several different modules were either replaced or moved. For example, after PMPatch, I get few different bits. However, after AMIBCP I'm getting a lot of chunks. Link to comment Share on other sites More sharing options...
CodeRush Posted November 7, 2014 Author Share Posted November 7, 2014 Capsule header is 2kb of size for your BIOS, you need to replace it as a whole. I don't know if that NVRAM patch could still work on newer platforms, but you can try anyway. P.S. make a BIOS dump with FPT -bios -d backup.bin in case of losing individual board data during your testing, you can always restore it from that file later, if anything goes wrong. 1 Link to comment Share on other sites More sharing options...
Net-burst Posted November 7, 2014 Share Posted November 7, 2014 @CodeRush, thanks. Will check it later tonight. Replaced 2kb, checked file in UEFITool. Looks like all is OK. Fortunately, I have dual bios, so I think I can revert even if something will go FUBAR PS. Z77 is old platform, so I think all will work. At least I hope so. Link to comment Share on other sites More sharing options...
ikkoku Posted November 7, 2014 Share Posted November 7, 2014 @ikkoku, there is no way to check it without trying and I don't know any reliable method to flash modified BIOS on notebooks, so please just use Clover's patching engine, if you don't have a SPI flasher to use dump/patch/reflash approach. @Net-burst, why do you need to disable lock on your platform? NVRAM works fine with recent Clover versions, and removing those locks just make your PC more vulnerable. Newer versions of AMIBCP remove a signature from CAP file, but you can add just replace this modified header with the original one to make the modified image compatible with USB BIOS Flashback. I tried to run fpt from your ftk for win, but it says it's not compatible. For some reason I can't boot usb to dos either. Link to comment Share on other sites More sharing options...
Recommended Posts