Jump to content

[UEFIPatch] UEFI patching utility


CodeRush
1,981 posts in this topic

Recommended Posts

Confirmed working on Asus p8p67 Rev.3 B3. Kills onboard audio (

Realtek ALC892)

in OS X But that was expected (sound works fine in linux and windows). No power management kexts needed and speedstepping (overclocking) now works on my 2600k.

  • Like 1
Link to comment
Share on other sites

I got two mobs here:

 

nVidia 790i Ultra

Intel DX48BT2

 

Are these worth trying considering the security stuff associated with the Intel and that the nVidia board isn't exactly common/popular?

Link to comment
Share on other sites

Hi CodeRush!

Just wanted to ask you what exact command do I need to use from the FTK to flash the patched BIOS to my MoBo?

In your post on Hardforum you describe the list of commands that FTK has, but I am confused between biosrefl and reflash.

Also, to k3nny, I noticed that you have the same motherboard as me (asus p8z77-v lk), so I ask if you can describe your flashing process step by step, if you can, please?

biosrefl is enough.

 

OK, thanks.

 

What does this mean?

 

CpuPei module at 003DC1C0 not patched: Patch pattern not found.

There are two separate places for 0xE2 register lock. Onl old ME7 BIOSes is was in CpuPei module, in new ME8 BIOSes it is in PowerManagement module. So, if PM module is patched, there is a little chance that CpuPei has a lock string to patch. But in case that a lock is present in both modules, I must check both of them. In your case PM is patched, in CP there is no pattern to patch. It's OK.

 

I got two mobs here:

 

nVidia 790i Ultra

Intel DX48BT2

 

Are these worth trying considering the security stuff associated with the Intel and that the nVidia board isn't exactly common/popular?

Not an UEFI BIOS in both cases, AFAIK. Nothing to do here. :(

  • Like 1
Link to comment
Share on other sites

Hi code Rush,

Your patcher worked well, and also, what mean the Phoenix patch after the powermanagement patch ?

But then, the flashing failed :( .. it seems I've got an RSA signed bios as I get on reboot "InsydeH2o secure flash - invalid firmware image " ( VAIO SVE1712C5E )

With FTK, it tells me that the regions are locked, here's the output with "fpt -i" command

 

Intel (R) Flash Programming Tool. Version: 8.1.10.1286
Copyright (c) 2007 - 2012, Intel Corporation. All rights reserved.

Platform: Intel(R) HM76 Express Chipset
Reading HSFSTS register... Flash Descriptor: Valid

--- Flash Devices Found ---
W25Q64BV ID:0xEF4017 Size: 8192KB (65536Kb)

--- Flash Image Information --
Signature: VALID
Number of Flash Components: 1
    Component 1 - 8192KB (65536Kb)
Regions:
    Descriptor - Base: 0x000000, Limit: 0x000FFF
    BIOS     - Base: 0x180000, Limit: 0x7FFFFF
    ME         - Base: 0x001000, Limit: 0x17FFFF
    GbE     - Not present
    PDR     - Not present
Master Region Access:
    CPU/BIOS - ID: 0x0000, Read: 0x0B, Write: 0x0A
    ME     - ID: 0x0000, Read: 0x0D, Write: 0x0C
    GbE     - ID: 0x0118, Read: 0x08, Write: 0x08

Total Accessable SPI Memory: 8192KB, Total Installed SPI Memory : 8192KB

FPT Operation Passed

 

After allowing writing region with pinmod, will the same code aply to unlock by a patch as you said here ?

After unlocking access to all regions, you can make a dump of Descriptor region by executing fpt -desc -d desc.bin, and edit it with Hex-editor to remove locks completely.

This values are to be set:

locki.png

 

 

Regards

Link to comment
Share on other sites

1. What mean the Phoenix patch after the powermanagement patch?

2. After allowing writing region with pinmod, will the same code aply to unlock by a patch as you said here ?

1. Your PowerManagement module is located inside another big module, I call it "nest". There are 2 kinds of nest modules with different UUIDs, one I have found on AMI BIOSes and another on Phoenix. The nest module must be unpacked, PM module inside of it must be patched and nest module must be repacked and reinserted. So says the output.

2. Yes.

 

Successfully flashed my MB with a PMPatched .cap file and FTK. You rule!

Asus p8z77-v lk motherboard, flashed in ms-dos mode as advised.

I have retained the patched bios file and backup.bin file created by FTK. Do you need them for further research?

No, I have about 10 backups of this board and need no more. :)

Glad to help.

Link to comment
Share on other sites

@CodeRush,

Sorry for going a bit off-topic but would it be possible to create a utility that patches nVida or ATi vbios to add native resolution to the cards' VESA modes? I'm basically talking about a GUI utility to automate the process described here: http://www.insanelymac.com/forum/topic/211294-information-on-vesa-modes-in-atinvidia-bios/page__hl__%20vesa%20%20mode

 

I think this'll help a lot of people and thought that you're probably the only one who could create such a utility.

  • Like 1
Link to comment
Share on other sites

Doesn't work with my bios. Is this only for sandy bridge cpus? Or has it worked on any Nehalem ones? I've looked through my bios and I think it might be locking bit 15 in the smmplatform module instead of the usual places because of this function that's in smmplatform. I'd prefer to have someone with more expirence look it over before I change anything. Thanks. I've attached my bios, the powermanagement2 module, and the smmplatform module. v4npyw.png

bios.zip

  • Like 1
Link to comment
Share on other sites

Sorry but, ¿works at asus A55VD laptop?. Like this: http://my.asus.com/N...formance/A55VD/

The patcher itself works on this BIOS, but patched BIOS must be tested.

rush@rush-netbook:~/Downloads/PMPatch/build$ ./PMPatch ~/Downloads/K55VDAS.407 ~/out.bin
PMPatch 0.5.10
PowerManagement module at 001A4F00 patched.
AMI nest modules not found.
Phoenix nest modules not found.
CpuPei module at 005A18D8 not patched: Patch pattern not found.
Output file generated.

 

@donovan6000, thank you, will look at SMM module after 5. Mar.

Link to comment
Share on other sites

Hi CodeRush,

Thanks for your hard work!

 

I am based on a B75 ASUS motherboard, the model is P8B75-M LX with CPU Intel i5-3550, running fine on Lion 10.7.5 but without any PowerManagement feature (am using NullCPU...).

 

I've just tried PMPatch on Windows and got this:

 

C:\BIOSWORK>PMPatch.exe P8B75-M-LX-ASUS-0803.CAP patched.bios

PMPatch 0.5.10

PowerManagement module at 00296508 patched.

AMI nest modules not found.

Phoenix nest modules not found.

CpuPei module at 00790D88 not patched: Patch pattern not found.

CpuPei module at 007D0D88 not patched: Patch pattern not found.

Output file generated.

-----------------------------------

 

Now, which is the next step to flash this? I suppose the Asus utilities will not allow to patch the modified one for B75 right?

 

Another thing: yesterday I tried the other method, by manually patching using Phoenixtools: have found the famous pattern (change from 75 to eb...) and then successfully flashed the new bios. But I still need the NullCPU kext, without it I have KP on the ApplePowerManagement kext. Do you think your patched bios will differ?

 

Thanks.

S.

Link to comment
Share on other sites

I stumbled here and I say congratulations for the work!

 

By cons I have a dual bios Insyde to dump it takes only the first but luckily I had an original bios downloaded from Toshiba :

 

 

Platform: Intel® HM70 Express Chipset

Reading HSFSTS register... Flash Descriptor: Valid

 

--- Flash Devices Found ---

W25Q16BV ID:0xEF4015 Size: 2048KB (16384Kb)

W25Q32BV ID:0xEF4016 Size: 4096KB (32768Kb)

 

--- Flash Image Information --

Signature: VALID

Number of Flash Components: 2

Component 1 - 2048KB (16384Kb)

Component 2 - 4096KB (32768Kb)

Regions:

Descriptor - Base: 0x000000, Limit: 0x000FFF

BIOS - Base: 0x200000, Limit: 0x5FFFFF

ME - Base: 0x001000, Limit: 0x1FFFFF

GbE - Not present

PDR - Not present

Master Region Access:

CPU/BIOS - ID: 0x0000, Read: 0x0B, Write: 0x0A

ME - ID: 0x0000, Read: 0x0D, Write: 0x0C

GbE - ID: 0x0118, Read: 0x08, Write: 0x08

 

Total Accessable SPI Memory: 6144KB, Total Installed SPI Memory : 6144KB

 

FPT Operation Passed

 

 

 

fpt.exe -bios -d PLCSF8dump.fd

 

Intel ® Flash Programming Tool. Version: 8.1.10.1286

Copyright © 2007 - 2012, Intel Corporation. All rights reserved.

 

Platform: Intel® HM70 Express Chipset

Reading HSFSTS register... Flash Descriptor: Valid

 

--- Flash Devices Found ---

W25Q16BV ID:0xEF4015 Size: 2048KB (16384Kb)

W25Q32BV ID:0xEF4016 Size: 4096KB (32768Kb)

 

 

- Reading Flash [0x600000] 4096KB of 4096KB - 100% complete.

Writing flash contents to file "PLCSF8dump.fd"...

 

Memory Dump Complete

FPT Operation Passed

 

 

This one from original Toshiba Bios patched and flashed all right :

 

PMPatch.exe PLCSF8_SLIC.fd PLCSF8_PATCH.fd

PMPatch 0.5.10

PowerManagement modules not found.

AMI nest modules not found.

Trying to apply patch #1

Nested PowerManagement2.efi module at 010368DA not patched: Unknown module state

.

Nested PowerManagement2.efi module at 01238738 patched.

Phoenix nest module at 00222048 patched.

CpuPei modules not found.

Output file generated.

 

How i can dump bios & me region on one file like original Toshiba bios ?

 

Because impossible to flash with just bios (4096KB) with insydeflashutile.

 

 

fpt.exe -me -d PLCSF8MEdump.fd

 

Intel ® Flash Programming Tool. Version: 8.1.10.1286

Copyright © 2007 - 2012, Intel Corporation. All rights reserved.

 

Platform: Intel® HM70 Express Chipset

Reading HSFSTS register... Flash Descriptor: Valid

 

--- Flash Devices Found ---

W25Q16BV ID:0xEF4015 Size: 2048KB (16384Kb)

W25Q32BV ID:0xEF4016 Size: 4096KB (32768Kb)

 

 

 

Error 26: The host CPU does not have read access to the target flash area. To en

able read access for this operation you must modify the descriptor settings to g

ive host access to this region.

Link to comment
Share on other sites

Hi CodeRush,

 

Thanks for sharing your awesome job!

 

I have a dell xps 17 702x (with i5 2410M)

I use the 0.5.10 version on bios A19, here's the result :

 

PowerManagement modules not found.

AMI nest modules not found.

Nested PlatformSetupAdvancedDxe.efi at 00717238 patched.

Trying to apply patch #1

Nested PowerManagement2.efi module at 00CC3F90 patched.

Phoenix nest module at 00622690 patched.

Dell RAW file checksums corrected.

CpuPei modules not found.

Output file generated.

 

It's seems to work. I didn't try to install osx eversince. I'm new and next time I'm gonna try to understand better what I'm doing...

 

Tschüs!

Link to comment
Share on other sites

@rocket12, have you tried to flash patched BIOS file with native tools? Can you flash the image dumped with fpt.exe -bios -d image.bin to SPI chip using fpt -bios -f image.bin? If so, patch that image.bin with PMPatch and flash it back.

 

@tibou, all things look good, you can flash this modified BIOS and use native CPUPM in OS X. But if you don't have one and don't plan to install it - no patching is required. BTW, thanks for testing.

 

@all, I have found some interesting info on unlocking access to all regions on HP Elitebook 8560p. Thanks to Thomas S. from [H].

I have an HP Elitebook (Probook) 8560p (i5 and QM67).

On this NB is an descriptor lock and so you can't access the whole BIOS chip.

But there is an "hotkey" to remove the lock:

 

1. Set boot device to USB (and have an USB-Stick with the tools plugged in)

2. Shut down NB. For save work use both line power and battery

3. press the WIN | left arrow | right arrow button (all three together and hold them)

4. power on the NB

5. on the first message on the display release the buttons.

 

You see then an new message on the first line:

HDA_SDO. To lock SPI' date=' do global reset or remove AC & DC then boot after updating SPI.

 

Well, thats it: full dump of BIOS chip is possible, FPT reported no error..

I have not tested full access to flash it [img']http://hardforum.com/images/smilies/wink_anim.gif[/img] (don't want to brick my NB)

Link to comment
Share on other sites

Coderush - thanks for all your hard work here. I will be testing this on the MSI Z77MA-G45 and the MSI B75MA-P45 over the next few days, and will post back here just to confirm those specific models.

 

Just to be clear, this patch eliminates the need for one of http://biosrepo.wordpress.com/ solutions, correct? Rather than repackaging a specific BIOS (say, 1.4) it actually modifies the latest BIOS (say, 1.7)?

Link to comment
Share on other sites

Hey Coderush!

 

I have an ASUS p8z77-v LX2.

 

I have patched the bios but i think that my board don't have the USB FLASHBACK

 

 

PMPatch 0.5.10

PowerManagement module at 003FC7C0 patched.

AMI nest modules not found.

Phoenix nest modules not found.

CpuPei module at 007910E8 not patched: Patch pattern not found.

CpuPei module at 007D10E8 not patched: Patch pattern not found.

Output file generated.

 

I have tried with DCPimanager but it return and error.

 

Can u help me?

 

Thank you in advance!!!

 

from DOS with FLASHROM.exe works.

 

with this commands in P8Z77-v LX

i made a backup first (bkup.bat) with:

flashrom -p internal:laptop=this_is_not_a_laptop -r backup.rom

 

flash with Mod.bat contents:

flashrom -p internal:laptop=this_is_not_a_laptop -w mod.rom

 

i have SPI USB programmer if anyone needs to recover and bootblock recovery is not working.. u can send chip to me and i send chip back flashed in Tampa, FL USA

Link to comment
Share on other sites

@CodeRush is it possible to put inside UEFI BIOS HFSPlus.efi driver ? Can you made option like that for PMPatch ?

It is possible but it's harder then a simple patch. If I will work on it, it will be another project. I'm not a fan of do-all-you-can-imagine kind of utilities, because they are hard to code and debug.

 

Just to be clear, this patch eliminates the need for one of http://biosrepo.wordpress.com/ solutions, correct? Rather than repackaging a specific BIOS (say, 1.4) it actually modifies the latest BIOS (say, 1.7)?

The patch tries to unpack, patch and repack an input file and write a result to output file. It can be 1.4, 1.7, X.Y or even BIOS dump made by FPT or flashrom. Yes, it eliminates a need of BIOSes provided by BiosRepo.

  • Like 2
Link to comment
Share on other sites

The patch tries to unpack, patch and repack an input file and write a result to output file. It can be 1.4, 1.7, X.Y or even BIOS dump made by FPT or flashrom. Yes, it eliminates a need of BIOSes provided by BiosRepo.

 

Excellent! Only the latest BIOS from MSI supports my RAM, but BiosRepo has one from a couple versions ago. I'll test and post results, vielen dank für deine arbeit!

Link to comment
Share on other sites

from DOS with FLASHROM.exe works

This method isn't good enough on ASUS P8xxx boards because of individual data loss. FTK is mush better. Please read the guide linked in my signature to know more the whole situation with BIOS recovery and data recovery on ASUS P8xxx boards.

  • Like 1
Link to comment
Share on other sites

×
×
  • Create New...