Jump to content

[UEFIPatch] UEFI patching utility

BIOS patch power management UEFI

  • Please log in to reply
1710 replies to this topic

#621
badaxe2

badaxe2

    InsanelyMac Geek

  • Members
  • PipPipPip
  • 148 posts
  • Gender:Male

It's ready to flash. Nothing else done.

Cheers mate, I just tried to flash and I get this error - 0x18 Error: Unable to start a Secure Flash session.

 

Any ideas ?



#622
BlackSheep VS RustyNail

BlackSheep VS RustyNail

    InsanelyMac Sage

  • Members
  • PipPipPipPipPip
  • 363 posts
  • Gender:Male
  • Location:Mödling, Austria

Cheers mate, I just tried to flash and I get this error - 0x18 Error: Unable to start a Secure Flash session.

 

Any ideas ?

 

signed UEFI, try using use intel ftk or DOS flashtool of OEM vendor and flash from DOS!

for intel ftk: you have to use the version that matches your chipset.



#623
CodeRush

CodeRush

    InsanelyMac Sage

  • Developers
  • 412 posts
  • Gender:Male
  • Location:Deggendorf, Germany

BonBon6, this problem has notnig to do with checksums, but with LZMA compression parameters. Andy has implemented a nice routine, that tries to fit a recompressed module by tweaking LZMA algorithm parameters, so PhoenixTool can fit a modified module (almost) always. I have no time for PMPatch about 3 months in a row, so I didn't implement such routine, that is why there are some BIOSes with that problem.

As for segfault in OS X - I have no idea what is going on with CLang Release configuration on my code. Debug works OK, so next version will be compiled as debug. I don't have OS X installed, so I can't replace it for now.

Thank you for patching that BIOS with PT, BTW. Less work for me. :)

 

badaxe2, try using Intel FPT to flash it. What is your motherboard name?



#624
CodeRush

CodeRush

    InsanelyMac Sage

  • Developers
  • 412 posts
  • Gender:Male
  • Location:Deggendorf, Germany

kenny, I have found the code that actially sets a locking bits, but there are no place to mod it, and it uses NVRAM to store default values anyway.

Thank you very much. :beer:

BIOS and SPI lock setup butes are definitely in NVRAM, storage "StdDefaults", variable name "Setup", offset 0xB0 (SMI) and 0xB1 (BIOS) from the beginning of storage.

That offsets are constant, because there is simply a storage of SB_SETUP_DATA structure.

If someone with ASUS Z87 board with UBF support willing to test the unlock - post here, I will make it.



#625
k3nny

k3nny

    InsanelyMac Legend

  • Members
  • PipPipPipPipPipPipPip
  • 560 posts
  • Gender:Male

kenny, I have found the code that actially sets a locking bits, but there are no place to mod it, and it uses NVRAM to store default values anyway.

Thank you very much. :beer:

BIOS and SPI lock setup butes are definitely in NVRAM, storage "StdDefaults", variable name "Setup", offset 0xB00 (SMI) and 0xB01 (BIOS) from the beginning of storage.

That offsets are constant, because there is simply a storage of SB_SETUP_DATA structure.

If someone with ASUS Z87 board with UBF support willing to test the unlock - post here, I will make it.

Very nice. Can you please point me to the place where the locking bits are set? I just would like to know where it is.

What about the changes in module "AMITSE", besides NVRAM? Did you take them into account or do you know what they represent?

 

So after all, the write protection was there all the time - it just wasn't enabled.



#626
BlackSheep VS RustyNail

BlackSheep VS RustyNail

    InsanelyMac Sage

  • Members
  • PipPipPipPipPip
  • 363 posts
  • Gender:Male
  • Location:Mödling, Austria

kenny, I have found the code that actially sets a locking bits, but there are no place to mod it, and it uses NVRAM to store default values anyway.

Thank you very much. :beer:

BIOS and SPI lock setup butes are definitely in NVRAM, storage "StdDefaults", variable name "Setup", offset 0xB0 (SMI) and 0xB1 (BIOS) from the beginning of storage.

That offsets are constant, because there is simply a storage of SB_SETUP_DATA structure.

If someone with ASUS Z87 board with UBF support willing to test the unlock - post here, I will make it.

 

Bon jour CodeRush,

 

do you think you can implement the unlock in your next pmpatch release?

 

Btw, as you know I own a Z77 board from ASUS, and I'm young willing and able to test it (SPI flasher).

Uploaded my ROM << here.

 

Friday my TUMPA arrived :D from canada.

 

Au jaaa!

 

best regards



#627
CodeRush

CodeRush

    InsanelyMac Sage

  • Developers
  • 412 posts
  • Gender:Male
  • Location:Deggendorf, Germany

No problem. It's in SbDxe module, InstallDxePchPlatformPolicy function, that calls GetSbSetupData function, which has built-in defaults (locks are disabled there), and tries to load defaults from Setup NVAR, where the settings are located.

mPchPolicyData.LockDownConfig->GlobalSmi    = gSbSetupData->SmiLock;
mPchPolicyData.LockDownConfig->GpioLockDown = gSbSetupData->GpioLock;

SB_SETUP_DATA stucture is big, but stable, and that settings are in the very beginning, so they are hardly be moved somewhere. On locked boards of Z87 and X79 platforms there are 0x01 on this bytes, on unlocked old BIOS versions - 0x00, so I think this is it, but it need further testing.

AMITSE is user interface module, so if there are no interface to that bytes, so it's useless to modify something there.

And yes, this protection was here from the very beginning, and it's not ASUS-specific at all.

 

UPD: corrected the code path.

---

BonBon6, change it manually, it's very simple. Offset 0x00180110, first 2 bytes, change from 0x01 0x01 to 0x00 0x00. Flash it and try using FPT 8.xx for writing.

Attached File  Change.png   35.05KB   3 downloads



#628
BlackSheep VS RustyNail

BlackSheep VS RustyNail

    InsanelyMac Sage

  • Members
  • PipPipPipPipPip
  • 363 posts
  • Gender:Male
  • Location:Mödling, Austria

No problem. It's in SbDxe module, InstallDxePchPlatformPolicy function, that calls GetSbSetupData function, which has built-in defaults (locks are disabled there), and tries to load defaults from Setup NVAR, where the settings are located.

mPchPolicyData.LockDownConfig->GlobalSmi    = gSbSetupData->SmiLock;
mPchPolicyData.LockDownConfig->GpioLockDown = gSbSetupData->GpioLock;

SB_SETUP_DATA stucture is big, but stable, and that settings are in the very beginning, so they are hardly be moved somewhere. On locked boards of Z87 and X79 platforms there are 0x01 on this bytes, on unlocked old BIOS versions - 0x00, so I think this is it, but it need further testing.

AMITSE is user interface module, so if there are no interface to that bytes, so it's useless to modify something there.

And yes, this protection was here from the very beginning, and it's not ASUS-specific at all.

 

UPD: corrected the code path.

---

BonBon6, change it manually, it's very simple. Offset 0x00180110, first 2 bytes, change from 0x01 0x01 to 0x00 0x00. Flash it and try using FPT 8.xx for writing.

attachicon.gifChange.png

flashrom shows still the same:

flashrom -p internal
flashrom v0.9.7-r1711 on Darwin 13.0.0 (x86_64)
flashrom is free software, get the source code at http://www.flashrom.org

Calibrating delay loop... OK.
Mapping low megabyte at 0x0000000000000400, unaligned size 0xffc00.
Mapping low megabyte, 0xffc00 bytes at unaligned 0x0000000000000400.
Found chipset "Intel Z77". Enabling flash write... Warning: BIOS region SMM protection is enabled!
Warning: Setting Bios Control at 0xdc from 0x2a to 0x0b on Z77 failed.
New value is 0x2a.
Warning: SPI Configuration Lockdown activated.
PROBLEMS, continuing anyway
Found Winbond flash chip "W25Q64.V" (8192 kB, SPI) at physical address 0xff800000.
No operations were specified.

I'll try fpt now ;)



#629
CodeRush

CodeRush

    InsanelyMac Sage

  • Developers
  • 412 posts
  • Gender:Male
  • Location:Deggendorf, Germany

Nope, not working. :(

Will dig further.


Make sure it was changed and not somehow regenerated from another source.



#630
BlackSheep VS RustyNail

BlackSheep VS RustyNail

    InsanelyMac Sage

  • Members
  • PipPipPipPipPip
  • 363 posts
  • Gender:Male
  • Location:Mödling, Austria

Nope, not working. :(

Will dig further.


Make sure it was changed and not somehow regenerated from another source.

2znspzc.jpg

 

dumped the rom and found the fix is stored in eeprom as patched.



#631
CodeRush

CodeRush

    InsanelyMac Sage

  • Developers
  • 412 posts
  • Gender:Male
  • Location:Deggendorf, Germany

Cool, thanks for testing. It appears that some code is setting locks regardless of the NVRAM config. The setting code is located in somewhere in PchInitDxe or PchInitPeim, I will look for it now.



#632
k3nny

k3nny

    InsanelyMac Legend

  • Members
  • PipPipPipPipPipPipPip
  • 560 posts
  • Gender:Male

@BonBon6: Just a thought. Could it be possible that afuwin uses different flashing routines as Asus' tools, for example EzFlash, and does not perform a platform reset?

I used the built-in EzFlash when doing the tests, maybe it is worth giving it a try.

EDIT: Nevermind.


Edited by k3nny, 08 September 2013 - 11:50 AM.


#633
BlackSheep VS RustyNail

BlackSheep VS RustyNail

    InsanelyMac Sage

  • Members
  • PipPipPipPipPip
  • 363 posts
  • Gender:Male
  • Location:Mödling, Austria

@BonBon6: Just a thought. Could it be possible that afuwin uses different flashing routines as Asus' tools, for example EzFlash, and does not perform a platform reset?

I used the built-in EzFlash when doing the tests, maybe it is worth giving it a try.

K3nny, the afudos for aptio does a platform reset for sure, everytime when I downgrade to 0401 which has writing option enabled the ME is downgraded an reset too.

EZflash does not accept bin files, only signed CAP files and I don't have a tool to sign the ROMs, so I flash from Intel FTK.

But I can definetely try to flash it again and do a global platform reset with fpt -greset.

I'll try it now.



#634
CodeRush

CodeRush

    InsanelyMac Sage

  • Developers
  • 412 posts
  • Gender:Male
  • Location:Deggendorf, Germany

At first, we have the code that sets lock on SPI HSFS register, here in PchInitDxe

mov     edx, 8000h        ; Loading value with only bit 15 (B_PCH_SPI_HSFS_FLOCKDN) set
lea     ecx, [r14+3804h]  ; Loading address off r14 (RCBR)+ 0x3804 (R_PCH_SPI_HSFS)
call    sub_180009E48     ; Performing Or16 between parameters


#635
BlackSheep VS RustyNail

BlackSheep VS RustyNail

    InsanelyMac Sage

  • Members
  • PipPipPipPipPip
  • 363 posts
  • Gender:Male
  • Location:Mödling, Austria

 

At first, we have the code that sets lock on SPI HSFS register, here in PchInitDxe

mov     edx, 8000h        ; Loading value with only bit 15 (B_PCH_SPI_HSFS_FLOCKDN) set
lea     ecx, [r14+3804h]  ; Loading address off r14 (RCBR)+ 0x3804 (R_PCH_SPI_HSFS)
call    sub_180009E48     ; Performing Or16 between parameters

looks promising:

flashrom -p internal -V |grep HSFS
Mapping low megabyte at 0x0000000000000400, unaligned size 0xffc00.
Mapping low megabyte, 0xffc00 bytes at unaligned 0x0000000000000400.
Warning: BIOS region SMM protection is enabled!
Warning: Setting Bios Control at 0xdc from 0x2a to 0x0b on Z77 failed.
New value is 0x2a.
Warning: SPI Configuration Lockdown activated.
0x04: 0xe008 (HSFS)
HSFS: FDONE=0, FCERR=0, AEL=0, BERASE=1, SCIP=0, FDOPSS=1, FDV=1, FLOCKDN=1

FLOCKDN=1 is flashlockdown : ) you're on the right track



#636
CodeRush

CodeRush

    InsanelyMac Sage

  • Developers
  • 412 posts
  • Gender:Male
  • Location:Deggendorf, Germany

Found the code that sets SMI lock. That is in PchInitDxe, here:

lea     rbx, [rdi+rsi+0F80A0h]   ; Loading address of rdi+rsi+0F80A0h (PciD31F0RegBase + R_PCH_LPC_ACPI_BASE)
mov     dl, 10h                  ; Loading value 0x10 (B_PCH_LPC_GEN_PMCON_SMI_LOCK) to DL
mov     rcx, rbx                 ; Copying loaded address from RBX to RCX
call    sub_180009DB4            ; Performing Or8 between parameters

But all this code can be suppressed by changing JZ to JMP, making the check if (PchPlatformPolicy->LockDownConfig->GlobalSmi == PCH_DEVICE_ENABLE) always false and the SMI lock effectively disabled no mater where it becomes enabled earlier.
The code that sets BiosInterfaceLock and BiosLock are right next to SmiLock, so I can patch it out by altering only one module - PchInitDxe.

BonBox6, here is the file to test:Attached File  ASUSTeK P8Z77-V LX 2204_unlock.zip   4.33MB   7 downloads

Patched to remove SMILock, BIOSLock and BiosInterfaceLock. FLOCKDN register remains untoched.



#637
BlackSheep VS RustyNail

BlackSheep VS RustyNail

    InsanelyMac Sage

  • Members
  • PipPipPipPipPip
  • 363 posts
  • Gender:Male
  • Location:Mödling, Austria

Found the code that sets SMI lock. That is in PchInitDxe, here:

lea     rbx, [rdi+rsi+0F80A0h]   ; Loading address of rdi+rsi+0F80A0h (PciD31F0RegBase + R_PCH_LPC_ACPI_BASE)
mov     dl, 10h                  ; Loading value 0x10 (B_PCH_LPC_GEN_PMCON_SMI_LOCK) to DL
mov     rcx, rbx                 ; Copying loaded address from RBX to RCX
call    sub_180009DB4            ; Performing Or8 between parameters

But all this code can be suppressed by changing JZ to JMP, making the check if (PchPlatformPolicy->LockDownConfig->GlobalSmi == PCH_DEVICE_ENABLE) always false and the SMI lock effectively disabled no mater where it becomes enabled earlier.
The code that sets BiosInterfaceLock and BiosLock are right next to SmiLock, so I can patch it out by altering only one module - PchInitDxe.

BonBox6, here is the file to test:attachicon.gifASUSTeK P8Z77-V LX 2204_unlock.zip

Patched to remove SMILock, BIOSLock and BiosInterfaceLock. FLOCKDN register remains untoched.

flashrom shows:

flashrom -p internal -V |grep HSFS
Mapping low megabyte at 0x0000000000000400, unaligned size 0xffc00.
Mapping low megabyte, 0xffc00 bytes at unaligned 0x0000000000000400.
Warning: SPI Configuration Lockdown activated.
0x04: 0xe008 (HSFS)
HSFS: FDONE=0, FCERR=0, AEL=0, BERASE=1, SCIP=0, FDOPSS=1, FDV=1, FLOCKDN=1

from windows:

$>fpt -rewrite -f bios-unlocked.bin

Intel (R) Flash Programming Tool. Version:  8.1.10.1286
Copyright (c) 2007 - 2012, Intel Corporation. All rights reserved.

Platform: Intel(R) Z77 Express Chipset
Reading HSFSTS register... Flash Descriptor: Valid

    --- Flash Devices Found ---
    W25Q64BV    ID:0xEF4017    Size: 8192KB (65536Kb)

PDR Region does not exist.
GBE Region does not exist.

- Erasing Flash Block [0x800000] - 100% complete.
- Programming Flash [0x800000] 8192KB of 8192KB - 100% complete.
- Verifying Flash [0x800000] 8192KB of 8192KB - 100% complete.
RESULT: The data is identical.

FPT Operation Passed


#638
CodeRush

CodeRush

    InsanelyMac Sage

  • Developers
  • 412 posts
  • Gender:Male
  • Location:Deggendorf, Germany

Show me the full log, please.



#639
BlackSheep VS RustyNail

BlackSheep VS RustyNail

    InsanelyMac Sage

  • Members
  • PipPipPipPipPip
  • 363 posts
  • Gender:Male
  • Location:Mödling, Austria

Show me the full log, please.

 

BIOS_CNTL = 0x09: BIOS Lock Enable: disabled, BIOS Write Enable: enabled ??

GCS = 0xc64: BIOS Interface Lock-Down: disabled, Boot BIOS Straps: 0x3 (SPI)
Top Swap : not enabled
SPIBAR = 0xfed1c000 + 0x3800
0x04: 0xe008 (HSFS)
HSFS: FDONE=0, FCERR=0, AEL=0, BERASE=1, SCIP=0, FDOPSS=1, FDV=1, FLOCKDN=1


#640
CodeRush

CodeRush

    InsanelyMac Sage

  • Developers
  • 412 posts
  • Gender:Male
  • Location:Deggendorf, Germany

I will test it on my Zotac Z77ITX a bit later and try to figure out, where the aditional locking code is and why setting NVRAM to zeroes is not working.

Perhaps there are some additional ASUS routines besides standart AMI ones.

 

BobBon6, appears to be working. :)

Try read the whole chip with flashrom -p internal -r dump.bin and then write it back with flashrom -p internal -w dump.bin.







Also tagged with one or more of these keywords: BIOS, patch, power management, UEFI


5 user(s) are reading this topic

0 members, 4 guests, 1 anonymous users

© 2014 InsanelyMac  |   News  |   Forum  |   Downloads  |   OSx86 Wiki  |   Mac Netbook  |   PHP hosting by CatN  |   Designed by Ed Gain  |   Logo by irfan  |   Privacy Policy