Jump to content

[UEFIPatch] UEFI patching utility


CodeRush
1,981 posts in this topic

Recommended Posts

@taetae, this warning means that the RSA signature embedded in file's header became invalid after modifications done by UEFIPatch. Some flashers are OK with it, but mostly they aren't, so the modified BIOS must be flashed some non-standard way. Nothing to worry about.

 

@RunForrest, thanks you for testing and reporting.

Link to comment
Share on other sites

It's won't be so easy, as I thought but there is a way to unlock BIOS from this kind of lock. It is described here and can be dangerous, but I tried it like 10 times and it worked.

You need to disable Intel AntiTheft before trying it.

After unlocking access to all regions, you can make a dump of Descriptor region by executing fpt -desc -d desc.bin, and edit it with Hex-editor to remove locks completely.

This values are to be set:

locki.png

Then you can flash modified Descriptor region by executing fpt -desc -f desc.bin and modified BIOS region by fpt -bios -f mod.bin. If all things goes without error, then modified BIOS is finally flashed.

This way it dangerous and can lead to BIOS loss, so I don't recommend to try it unless you have to.

 

I do have tried this method on my laptop ASUS F750J with HM86 express chipsets.

Thank to you i do have unlocked my Desc region and i've unlocked all regions.. like you explained.

Reboot succesfully with desc region modded.

 

But I can't flash the bios region anyways.. I'm out of luck.

Here is a screenshot

 

215992CaptureInsanlyMac.png

 

And i'm currently on ME debug mode.

With or without ME debug, i've the same output when i try to write on bios region.

 

I think that this case could interest you :P

If anyone has any idea, i'm ready to try it if it not too much suicide ^^.

Thank ;)

 

Do i need to modify ME region ? if yes own can i do it ?

 

By the way i'm french, sorry for my english ^^

 

Edit: flashrom.

Calibrating delay loop... OS timer resolution is 1 usecs, 3170M loops per second, 10 myus = 9 us, 100 myus = 97 us, 1000 myus = 963 us, 10000 myus = 9769 us, 4 myus = 3 us, OK.
Initializing internal programmer
No coreboot table found.
Using Internal DMI decoder.
No DMI table found.
Found chipset "Intel HM86" with PCI ID 8086:8c49. 
This chipset is marked as untested. If you are using an up-to-date version
of flashrom *and* were (not) able to successfully update your firmware with it,
then please email a report to flashrom@flashrom.org including a verbose (-V) log.
Thank you!
Enabling flash write... Root Complex Register Block address = 0xfed1c000
GCS = 0xc61: BIOS Interface Lock-Down: enabled, Boot BIOS Straps: 0x3 (SPI)
Top Swap : not enabled

0xfff80000/0xffb80000 FWH IDSEL: 0x0
0xfff00000/0xffb00000 FWH IDSEL: 0x0
0xffe80000/0xffa80000 FWH IDSEL: 0x1
0xffe00000/0xffa00000 FWH IDSEL: 0x1
0xffd80000/0xff980000 FWH IDSEL: 0x2
0xffd00000/0xff900000 FWH IDSEL: 0x2
0xffc80000/0xff880000 FWH IDSEL: 0x3
0xffc00000/0xff800000 FWH IDSEL: 0x3
0xff700000/0xff300000 FWH IDSEL: 0x4
0xff600000/0xff200000 FWH IDSEL: 0x5
0xff500000/0xff100000 FWH IDSEL: 0x6
0xff400000/0xff000000 FWH IDSEL: 0x7
0xfff80000/0xffb80000 FWH decode enabled
0xfff00000/0xffb00000 FWH decode enabled
0xffe80000/0xffa80000 FWH decode enabled
0xffe00000/0xffa00000 FWH decode enabled
0xffd80000/0xff980000 FWH decode enabled
0xffd00000/0xff900000 FWH decode enabled
0xffc80000/0xff880000 FWH decode enabled
0xffc00000/0xff800000 FWH decode enabled
0xff700000/0xff300000 FWH decode disabled
0xff600000/0xff200000 FWH decode disabled
0xff500000/0xff100000 FWH decode disabled
0xff400000/0xff000000 FWH decode disabled
Maximum FWH chip size: 0x100000 bytesSPI Read Configuration: prefetching enabled, caching enabled, 
BIOS_CNTL = 0x0a: BIOS Lock Enable: enabled, BIOS Write Enable: disabled
Warning: Setting Bios Control at 0xdc from 0x0a to 0x09 failed.
New value is 0x0a.
SPIBAR = 0x00000001000ca000 + 0x3800
0x04: 0xf008 (HSFS)
HSFS: FDONE=0, FCERR=0, AEL=0, BERASE=1, SCIP=0, FDOPSS=1, FDV=1, FLOCKDN=1
Warning: SPI Configuration Lockdown activated.
Reading OPCODES... done
        OP        Type      Pre-OP
op[0]: 0x02, write w/  addr, none
op[1]: 0x03, read  w/  addr, none
op[2]: 0x20, write w/  addr, none
op[3]: 0x05, read  w/o addr, none
op[4]: 0x9f, read  w/o addr, none
op[5]: 0x01, write w/o addr, none
op[6]: 0x00, read  w/o addr, none
op[7]: 0x00, read  w/o addr, none
Pre-OP 0: 0x06, Pre-OP 1: 0x00
0x06: 0x0000 (HSFC)
HSFC: FGO=0, FCYCLE=0, FDBC=0, SME=0
0x08: 0x00000000 (FADDR)
0x50: 0x0000ffff (FRAP)
BMWAG 0x00, BMRAG 0x00, BRWA 0xff, BRRA 0xff
0x54: 0x00000000 FREG0: Flash Descriptor region (0x00000000-0x00000fff) is read-write.
0x58: 0x07ff0400 FREG1: BIOS region (0x00400000-0x007fffff) is read-write.
0x5C: 0x03ff0001 FREG2: Management Engine region (0x00001000-0x003fffff) is read-write.
0x60: 0x00007fff FREG3: Gigabit Ethernet region is unused.
0x64: 0x00007fff FREG4: Platform Data region is unused.
0x74: 0x00000000 (PR0 is unused)
0x78: 0x00000000 (PR1 is unused)
0x7C: 0x00000000 (PR2 is unused)
0x80: 0x00000000 (PR3 is unused)
0x84: 0x00000000 (PR4 is unused)
0x90: 0xc4 (SSFS)
SSFS: SCIP=0, FDONE=1, FCERR=0, AEL=0
0x91: 0xfc4130 (SSFC)
SSFC: SCGO=0, ACS=0, SPOP=0, COP=3, DBC=1, SME=0, SCF=4
0x94: 0x0006     (PREOP)
0x96: 0x043b     (OPTYPE)
0x98: 0x05200302 (OPMENU)
0x9C: 0x0000019f (OPMENU+4)
0xA0: 0x00000000 (BBAR)
0xC4: 0x80802045 (LVSCC)
LVSCC: BES=0x1, WG=1, WSR=0, WEWS=0, EO=0x20, VCL=1
0xC8: 0x00002045 (UVSCC)
UVSCC: BES=0x1, WG=1, WSR=0, WEWS=0, EO=0x20, VCL=0
0xD0: 0x50444653 (FPB)

Reading flash descriptors mapped by the chipset via FDOC/FDOD... done.
=== Content Section ===
FLVALSIG 0x0ff0a55a
FLMAP0   0x02040003
FLMAP1   0x15100206
FLMAP2   0x00210120

--- Details ---
NR          (Number of Regions):                     3
FRBA        (Flash Region Base Address):         0x040
NC          (Number of Components):                  1
FCBA        (Flash Component Base Address):      0x030
ISL         (ICH/PCH Strap Length):                 21
FISBA/FPSBA (Flash ICH/PCH Strap Base Address):  0x100
NM          (Number of Masters):                     3
FMBA        (Flash Master Base Address):         0x060
MSL/PSL     (MCH/PROC Strap Length):                 1
FMSBA       (Flash MCH/PROC Strap Base Address): 0x200

=== Component Section ===
FLCOMP   0x64900044
FLILL    0x00000000

--- Details ---
Component 1 density:             8 MB
Component 2 is not used.
Read Clock Frequency:           20 MHz
Read ID and Status Clock Freq.: 50 MHz
Write and Erase Clock Freq.:    50 MHz
Fast Read is supported.
Fast Read Clock Frequency:      50 MHz
No forbidden opcodes.

=== Region Section ===
FLREG0   0x00000000
FLREG1   0x07ff0400
FLREG2   0x03ff0001
FLREG3   0x00007fff
FLREG4   0x00007fff

--- Details ---
Region 0 (Descr.) 0x00000000 - 0x00000fff
Region 1 (BIOS  ) 0x00400000 - 0x007fffff
Region 2 (ME    ) 0x00001000 - 0x003fffff
Region 3 (GbE   ) is unused.
Region 4 (Platf.) is unused.

=== Master Section ===
FLMSTR1  0xffff0000
FLMSTR2  0xffff0000
FLMSTR3  0xffff0118

--- Details ---
      Descr. BIOS ME GbE Platf.
BIOS    rw    rw  rw  rw   rw
ME      rw    rw  rw  rw   rw
GbE     rw    rw  rw  rw   rw

PROBLEMS, continuing anyway
The following protocols are supported: FWH, SPI.
Probing for Macronix MX25L6405(D), 8192 kB: probe_spi_rdid_generic: id1 0xc2, id2 0x2017
Found Macronix flash chip "MX25L6405(D)" (8192 kB, SPI) at physical address 0xff800000.
Chip status register is 0x40.
Chip status register: Status Register Write Disable (SRWD, SRP, ...) is not set
Chip status register: Bit 6 is set
Chip status register: Block Protect 3 (BP3) is not set
Chip status register: Block Protect 2 (BP2) is not set
Chip status register: Block Protect 1 (BP1) is not set
Chip status register: Block Protect 0 (BP0) is not set
Chip status register: Write Enable Latch (WEL) is not set
Chip status register: Write In Progress (WIP/BUSY) is not set
This chip may contain one-time programmable memory. flashrom cannot read
and may never be able to write it, hence it may not be able to completely
clone the contents of this chip (see man page for details).
Block protection is disabled.
Reading flash... done.
Restoring MMIO space at 0x1000cd8a0
Restoring PCI config space for 00:1f:0 reg 0xdc 
Calibrating delay loop... OK.
No DMI table found.
Found chipset "Intel HM86". 
This chipset is marked as untested. If you are using an up-to-date version
of flashrom *and* were (not) able to successfully update your firmware with it,
then please email a report to flashrom@flashrom.org including a verbose (-V) log.
Thank you!
Enabling flash write... Warning: Setting Bios Control at 0xdc from 0x0a to 0x09 failed.
New value is 0x0a.
Warning: SPI Configuration Lockdown activated.
PROBLEMS, continuing anyway
Found Macronix flash chip "MX25L6405(D)" (8192 kB, SPI) at physical address 0xff800000.
Reading old flash chip contents... done.
Erasing and writing flash chip... Transaction error!
spi_block_erase_20 failed during command execution at address 0x430000
Reading current flash chip contents... done. spi_block_erase_d8 failed during command execution at address 0x430000
Reading current flash chip contents... done. spi_chip_erase_60 failed during command execution
Reading current flash chip contents... done. spi_chip_erase_c7 failed during command execution
FAILED!
Uh oh. Erase/write failed. Checking if anything changed.
Good. It seems nothing was changed.
Writing to the flash chip apparently didn't do anything.
This means we have to add special support for your board, programmer or flash
chip. Please report this on IRC at chat.freenode.net (channel #flashrom) or
mail flashrom@flashrom.org, thanks! 
Link to comment
Share on other sites

I just have a question about this Tool.

I've got an MSI Z97 Gaming 7 motherboard and i downloaded the bios from MSI website as a zip-file.

I unzipped the file and found a file ending with .150

Should I just use uefipatch on this .150 file and then flash that generated file?

Just want to make sure I do it right.

I tried booting the installer but it keeps restarting into Windows so maybe flashing this will help!

Many thanks for any help!

same question .. 
better explanation. 

 

thanks .. any help ..
Link to comment
Share on other sites

@Ousret

 

BIOS_CNTL = 0x0a: BIOS Lock Enable: enabled

 

You have BIOS Lock enabled in Setup. Try this method.

 

If it fails, check SMI_LOCK bit to be 0:

post-1111314-0-57618500-1414694934_thumb.png

And if it's really 0, set GBL_SMI_EN bit of SMI_EN register to 0:

post-1111314-0-39787300-1414695332_thumb.png

Then try flashing again.

 

If all above fails, you can either try AFU /GAN method (linked in old FAQ in the first post), but it's extremely dangerous on laptops, or use hardware SPI flashed to dump/patch/flash your image without any software.

 

@medallo, sorry, but I know nothing about MSI boards. Try MFlash utility maybe?

Link to comment
Share on other sites

Thank you for your answer.

 

BIOS Lock is set to 1. Unable to change it.

 

SCEWIN_64 does not work.

The program report ERROR4: Error [.....] HII db.

 

 

 

 

> SCEWIN_64 /o /s nvram.txt /h Hii.db /v /q

> ERROR:4 - Retrieving HII Database

> ERROR:4 - Dumping HII Database to File

 

 

Even with SCEDOS

 

NVRAM locked I guess.

No luck for me at all ^^

 

Every AFU tools say: Write protected.. And nothing goes on.

 

I will look at SPI Flasher.. but damn! I was so close..! x) 

Link to comment
Share on other sites

Thank you for your answer.

 

BIOS Lock is set to 1. Unable to change it.

 

SCEWIN_64 does not work.

The program report ERROR4: Error [.....] HII db.

 

 

 

 

 

Even with SCEDOS

 

NVRAM locked I guess.

No luck for me at all ^^

 

Every AFU tools say: Write protected.. And nothing goes on.

 

I will look at SPI Flasher.. but damn! I was so close..! x) 

 

please try

Save current CMOS: SCEDOS /O myCMOS.txt

edit, then restore using

Update CMOS: SCEDOS /I myCMOS.txt
Link to comment
Share on other sites

> SCEDOS /O MyCMOS.txt
> SCEDOS /I MyCMOS.txt

I tried to dump the CMOS with your command.

It does not work because it won't accept /o alone, he want /o /s

 

SCEDOS /O MyCMOS.txt does nothing

SCEDOS /O /S MyCMOS.txt display the same ERROR4:

 

Thank you anyway

 

Here is another tool to dump / write NVRAM for Aptio EFI ?

 

 

 

Link to comment
Share on other sites

> SCEDOS /O MyCMOS.txt
> SCEDOS /I MyCMOS.txt

I tried to dump the CMOS with your command.

It does not work because it won't accept /o alone, he want /o /s

 

SCEDOS /O MyCMOS.txt does nothing

SCEDOS /O /S MyCMOS.txt display the same ERROR4:

 

Thank you anyway

 

Here is another tool to dump / write NVRAM for Aptio EFI ?

 

 

from linux maybe, tuxuser wrote a piece of code but I don't know if it's applicable for your needs. Ask him.

Also read this interesting piece of text.

Link to comment
Share on other sites

Hey there CodeRush and fellow "Hackintosh'ers"!

First of all, thanks for the amazing help you guys provide for this community, it's really wonderful.

 

So, it´s my first time trying to install OS X on my PC, but I consider my self "tech-savvy" and know my way around some stuff, but I'm having a hard time.

I can't reach the installer after I boot up my USB Stick. It loads, flashes the gray screen with the Apple logo and reboots.

I tried every parameter I know (-v -f -x -s...). I also deactivated the necessary settings in the BIOS (only VT-d, couldn't find CFG Lock, Secure Boot Mode).

 

Someone said that my problem might be something related to Kernel and Intel CPU Power Management, and in order to solve this, I would need to use PMPatch (which is no longer available).

With some further investigation I end up here. I read somewhere that UEFIPatch might be the solution for me.

 

I downloaded my BIOS from the MSI website (link) and patched it, but I'm not sure if everything is good to go and I can go ahead and flash it and nor I'm sure if this tool is the solution for me.

 

So I'm here to ask if this tool will indeed solve my problem and if yes, here is what the tool give me after I used it:

patch: replaced 10 bytes at offset 0x00001366 75080fbae80f89442430 -> eb080fbae8 0f89442430
Image patched

Is this ok? I can go ahead and flash it?

 

Thank you already.

 

P.S.: My motherboard is a MSI H87-G43 Gaming, with a Intel i5 4690, 8GBs of HYPER X RAM, and a GIGABYTE GTX 770 OC.

Link to comment
Share on other sites

from linux maybe, tuxuser wrote a piece of code but I don't know if it's applicable for your needs. Ask him.

Also read this interesting piece of text.

 

Thank to you, BlackSheep VS RustyNail, I do have found another way to dump my NVRAM without any problems.

But now, I don't know what to change in there ^^

 

I do have attached my NVRAM, open it with Hex Editor.

I can replace NVRAM, ^^

Hope we can found something related to SMI Lock in there :)

 

But I can't see anything related to it for now :(

ASUS did not do the job half the way :(

nvram.zip

Link to comment
Share on other sites

@CodeRush

 

Great job with the tool.

 

I have an Asus Q301LA laptop which is the same as the S301LA with H87 chipset.  I downloaded the latest bios from the ASUS website and followed the instructions you gave in http://www.insanelymac.com/forum/topic/285444-uefipatch-uefi-patching-utility/page-57?do=findComment&comment=1984362

 

and have created a new rom file.

Is there any way to check if it was done correctly?  Attached is the patched rom

S301LAAS.zip

Link to comment
Share on other sites

Hello. I'm trying to disable BIOS and NVRAM lock on my Z77 motherboard. I used AMIBCP to disable SMI and BIOS lock in image file, but program produced CAP file with different firs bits, than original. UEFITool shows that I'm opening not capsule file, but rather BIOS file. I'm attaching both files here. Can someone please look at them?

 

PS. I have Asus Maximus V Extreme motherboard with 1903 BIOS. I can only flash with Flashback because of lock.

MAXIMUS-V-EXTREME-ASUS-1903.rar

MAXIMUS-V-EXTREME-ASUS-1903-SMI-unlock.rar

Link to comment
Share on other sites

@ikkoku, there is no way to check it without trying and I don't know any reliable method to flash modified BIOS on notebooks, so please just use Clover's patching engine, if you don't have a SPI flasher to use dump/patch/reflash approach.

 

@Net-burst, why do you need to disable lock on your platform? NVRAM works fine with recent Clover versions, and removing those locks just make your PC more vulnerable. Newer versions of AMIBCP remove a signature from CAP file, but you can add just replace this modified header with the original one to make the modified image compatible with USB BIOS Flashback.

Link to comment
Share on other sites

@CodeRush, I'm losing sleep and half of USB ports with it, unfortunately. One USB2 hub, to be more precise. It somehow messes up my IRQ allocation. At least I think so. Furthermore, I'm still getting rollback to old NVRAM mode in bootlog. Looks like ROG series have something different about them. How much bytes is header do I need to replace? 11? As I understand, I need to copy set number of bytes starting from first one into modified file. Am I correct? Nothing else?

 

PS. Looking at file differences, it looks like several different modules were either replaced or moved. For example, after PMPatch, I get few different bits. However, after AMIBCP I'm getting a lot of chunks.

Link to comment
Share on other sites

Capsule header is 2kb of size for your BIOS, you need to replace it as a whole. I don't know if that NVRAM patch could still work on newer platforms, but you can try anyway.

P.S. make a BIOS dump with FPT -bios -d backup.bin in case of losing individual board data during your testing, you can always restore it from that file later, if anything goes wrong.

  • Like 1
Link to comment
Share on other sites

@CodeRush, thanks. Will check it later tonight. Replaced 2kb, checked file in UEFITool. Looks like all is OK. Fortunately, I have dual bios, so I think I can revert even if something will go FUBAR :)

 

PS. Z77 is old platform, so I think all will work. At least I hope so.

Link to comment
Share on other sites

@ikkoku, there is no way to check it without trying and I don't know any reliable method to flash modified BIOS on notebooks, so please just use Clover's patching engine, if you don't have a SPI flasher to use dump/patch/reflash approach.

 

@Net-burst, why do you need to disable lock on your platform? NVRAM works fine with recent Clover versions, and removing those locks just make your PC more vulnerable. Newer versions of AMIBCP remove a signature from CAP file, but you can add just replace this modified header with the original one to make the modified image compatible with USB BIOS Flashback.

 

I tried to run fpt from your ftk for win, but it says it's not compatible.  

For some reason I can't boot usb to dos either.

Link to comment
Share on other sites

×
×
  • Create New...