I was contacted by Jose Philips today via Skype; he has found a BIOS file that can't be patched by PMPatch. It's normal to find one, but this file is definitely special and worth telling its story.
Behold, a new version 2209 of Intel UEFI BIOS for the old Intel DP67BG board. It looks like a normal UEFI BIOS, behaves like a normal UEFI BIOS, so what's special about it?
First, it can't be patched by any current patch included in PMPatch, I'm OK with that, next.
Second, it can be opened by PhoenixTool 2.14, big thanks go to AndyP, it's cool, next.
Third and finally, this file is Intel's tribute to the movie Inception, because it has modules with 12 (twelve!) levels of inclusion (EFI Capsule->Firmware Volume->File->File->...->File).
The module with locking code has only 9 levels of inclusion, which is a kid level for this UEFI BIOS.
Intel has also removed all UI sections from their modules, so we can name one a "PowerManagement module" or something. There are only GUIDs, they are for real men.
The module with the 0xE2 locking code has the GUID 62D171CB-78CD-4480-8678-C6A2A797A8DE, and there are 2 copies of this module in that BIOS.
The locking code itself is nothing special:
0000000000005E4E: B9 E2 00 00 00 mov ecx,0E2h ; copy 0xE2 MSR number to ECX
0000000000005E53: E8 EA AE 00 00 call 0000000000010D42 ; rdmsr inside
0000000000005E58: 48 89 44 24 28 mov qword ptr [rsp+28h],rax ; copy read value of 0xE2 from RAX to some memory address
0000000000005E5D: 48 8B 44 24 28 mov rax,qword ptr [rsp+28h] ; copy the same value back to RAX (not sure if too smart or just stupid)
0000000000005E62: 48 25 00 80 00 00 and rax,8000h ; set all bits of RAX except 15 (LOCK) to 0
0000000000005E68: 48 85 C0 test rax,rax ; test if lock bit is already set
0000000000005E6B: 75 31 jne 0000000000005E9E ; if so, jump over the next 10 lines
0000000000005E6D: B9 E2 00 00 00 mov ecx,0E2h ; if not, copy 0xE2 MSR number to ECX again
0000000000005E72: E8 CB AE 00 00 call 0000000000010D42 ; rdmsr inside
0000000000005E77: 48 89 44 24 28 mov qword ptr [rsp+28h],rax ; RAX to memory
0000000000005E7C: 48 8B 44 24 28 mov rax,qword ptr [rsp+28h] ; memory to RAX (I like to move it, move it ...)
0000000000005E81: 48 0D 00 80 00 00 or rax,8000h ; set bit 15 (LOCK) of RAX to 1
0000000000005E87: 48 89 44 24 28 mov qword ptr [rsp+28h],rax ; RAX to memory
0000000000005E8C: 48 8B 44 24 28 mov rax,qword ptr [rsp+28h] ; memory to RAX (You like to move it, move it ...)
0000000000005E91: 48 8B D0 mov rdx,rax ; copy RAX to RDX
0000000000005E94: B9 E2 00 00 00 mov ecx,0E2h ; copy 0xE2 MSR number to ECX
0000000000005E99: E8 62 4D 00 00 call 000000000000AC00 ; wrmsr inside
0000000000005E9E: E8 79 AB 00 00 call 0000000000010A1C ; execution continues here
The patch itself is 75 31 to EB 31 (the jne at 5E6B becomes an unconditional jmp), which disables the WRMSR part of this code. It can be done with PhoenixTool now.
I have no plans for integrating this patch into PMPatch, because it will be really a challenge to implement 9 levels of inclusion traversal without any traversal code. It will be done some day, I hope.
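To check whether a given copy of the module still carries the stock lock code or has had the jump rewritten, the following added example (not part of PMPatch or PhoenixTool) scans an already-unpacked module body for the sequence from the listing. The function and variable names are hypothetical, and the sample bytes are transcribed from the listing above; the capsule and volume traversal is assumed to have been done by another tool.

```python
import re

# Sequence from the listing: and rax,8000h / test rax,rax / Jcc rel8 / mov ecx,0E2h
LOCK_CHECK = re.compile(
    rb"\x48\x25\x00\x80\x00\x00"  # and rax,8000h  (isolate bit 15, LOCK)
    rb"\x48\x85\xC0"              # test rax,rax
    rb"([\x75\xEB])(.)"           # 75 = jne rel8 (stock), EB = jmp rel8 (patched)
    rb"\xB9\xE2\x00\x00\x00",     # mov ecx,0E2h   (start of the skipped branch)
    re.DOTALL,
)
OR_LOCK = bytes.fromhex("480D00800000")  # or rax,8000h

def scan_lock_code(body: bytes):
    """Return one dict per 0xE2 lock check found in an unpacked module body."""
    findings = []
    for m in LOCK_CHECK.finditer(body):
        jump_off = m.start(1)
        rel8 = m.group(2)[0]
        if rel8 >= 0x80:            # rel8 is signed; a backward jump skips nothing
            continue
        target = jump_off + 2 + rel8
        skipped = body[jump_off + 2:target]
        if OR_LOCK not in skipped:  # the skipped branch must be the one setting LOCK
            continue
        findings.append({
            "jump_offset": jump_off,
            "target": target,
            "state": "stock" if m.group(1) == b"\x75" else "patched",
        })
    return findings

# Bytes transcribed from the listing (5E4E..5EA2); offsets are relative to 5E4E.
STOCK = bytes.fromhex(
    "B9E2000000" "E8EAAE0000" "4889442428" "488B442428"
    "482500800000" "4885C0" "7531"
    "B9E2000000" "E8CBAE0000" "4889442428" "488B442428"
    "480D00800000" "4889442428" "488B442428" "488BD0"
    "B9E2000000" "E8624D0000" "E879AB0000"
)
PATCHED = STOCK[:29] + b"\xEB" + STOCK[30:]  # constructed: jne replaced by jmp

if __name__ == "__main__":
    for name, blob in (("stock", STOCK), ("patched", PATCHED)):
        for f in scan_lock_code(blob):
            print(f"{name}: jump at +{f['jump_offset']:#x} -> "
                  f"+{f['target']:#x}, {f['state']}")
```

Since this BIOS holds 2 copies of the module, each copy has to be scanned separately; a mismatch between the two results means only one copy was modified.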
Modified BIOS file is attached.