CodeRush

[UEFIPatch] UEFI patching utility


Nothing to do here with software methods now, if your ASUS x8x board doesn't support USB BIOS Flashback.

There is no way to flash modified BIOS on such boards, except external SPI programmer.

I heard some rumors about AMI Flash Utility able to flash BIOS on this platform, but I have no chance to test, that is why I don't recommend to try, unless you have SPI programmer to correct possible failure. But if you ask me about that, it appears that you don't have one.

 

I am having this same problem. I was told that this board (H87i-plus) most likely had the MSR unlocked. Is this true?

If not, am I able to flash the board using FTK?


I am having this same problem. I was told that this board (H87i-plus) most likely had the MSR unlocked. Is this true?

If not, am I able to flash the board using FTK?

just try it, nothing bad happens than an error message [280?] if flashlocked. Before you'll have to cut the capsule header, bios starts at 800h in your case.

Or the better way:

 

dump with:

fpt -d bios.bin

rewrite with:

fpt -rewrite -f bios.bin
fpt -greset

for sure it's locked ;)


just try it, nothing bad happens than an error message [280?] if flashlocked. Before you'll have to cut the capsule header, bios starts at 800h in your case.

I apologize, I'm not terribly familiar with all of this. Could you go into a little more detail?

 

I thought I read something about the first part of the bios file being for security -- so I assume you're telling me I have to cut this out?

I've only tried to update it through the EZ flash 2 updater in the UEFI, and it failed the security verification.

How would I go about cutting this out? What tools do I need?


I apologize, I'm not terribly familiar with all of this. Could you go into a little more detail?

 

I thought I read something about the first part of the bios file being for security -- so I assume you're telling me I have to cut this out?

I've only tried to update it through the EZ flash 2 updater in the UEFI, and it failed the security verification.

How would I go about cutting this out? What tools do I need?

That's long ago, you mean

descriptor region hack,

it doesn't work anymore for latest intel hardware and especially ASUS is sealing their ROMs against modifications.

 

You won't be able to flash any kind of modified ROM without special hardware, as CodeRush mentioned an SPI programmer.

But you can even try it with intel ftk version for Intel series 8 ;) and see what happens.

 

For sure EZflash won't accept a modified bios as it's from ASUS.

 

From a technical point of view the #WP (write-protect) pin of the bios chip is

undervolted or unpowered but needs a #WP-high signal to get flashed. The power is triggered via GPIO and it's off by default.

Only unlock with SPI programmer help in this case.

 

Or recalculation of the capsule header checksum which is impossible - it's RSA signed and the key has not been leaked for now.

 

But I've been thinking about something else: reverse engineering afuwinx64.exe ; ) so it could accept any firmware.

We've been discussing it here earlier.


That's long ago, you mean descriptor region, it doesn't work anymore for latest intel hardware and especially asus is sealing their ROMs against modifications.

So you won't be able to flash any kind of modified bios without special hardware, as CodeRush mentioned an SPI programmer.

But you can even try it with intel ftk version for Intel series 8 ;) and see what happens.

I'm in a little over my head. If I get a board with bios flashback, will that work for sure? If so, why will that work, but the method through the UEFI won't work?

Also, can anyone tell me how to tell if these boards even need flashed to load OS X? I was under the impression that some of the newer asus boards didn't need patching.


I'm in a little over my head. If I get a board with bios flashback, will that work for sure? If so, why will that work, but the method through the UEFI won't work?

Also, can anyone tell me how to tell if these boards even need flashed to load OS X? I was under the impression that some of the newer asus boards didn't need patching.

but as I read here it HAS bios flashback!

 

"Just plug in a USB flash drive containing the BIOS file and press the RESET button for 3 seconds with the power supply connected. Hassle-free updating for ultimate convenience!"

 

sounds just good, wait I'll create an unlocked pmpatched ROM and you can flashback as described.

 

Put it on a FAT32 formatted USB stick as is, don't rename the extracted file H87IP.CAP < that's the recovery filename

and start the recovery process. Would be nice - for the community - to report if it worked for you!

 

This procedure won't work when the recovery checks for a functional capsule header too, don't know.


but as I read here it HAS bios flashback!

 

"Just plug in a USB flash drive containing the BIOS file and press the RESET button for 3 seconds with the power supply connected. Hassle-free updating for ultimate convenience!"

 

sounds just good, wait I'll create an unlocked pmpatched ROM and you can flashback as described.

 

Put it on a FAT32 formatted USB stick as is, don't rename the extracted file H87IP.CAP < that's the recovery filename

and start the recovery process. Would be nice - for the community - to report if it worked for you!

 

This procedure won't work when the recovery checks for a functional capsule header too, don't know.

That might be an earlier revision or something.

http://www.tonymacx86.com/mavericks/103788-just-warning-asus-mobos.html

 

I don't see a flashback button on my board.

 

Also, how do I know if my board needs flashing in the first place?


That might be an earlier revision or something.

http://www.tonymacx86.com/mavericks/103788-just-warning-asus-mobos.html

 

I don't see a flashback button on my board.

 

Also, how do I know if my board needs flashing in the first place?

you can try to force recovery mode on AMI boards powering off the machine,

keep pressing <ctrl>+<home> while powering on & keep holding this shortcut until you hear two beeps and 

the USB port gets accessed to reflash the ROM.


you can try to force recovery mode on AMI boards powering off the machine,

keep pressing <ctrl>+<home> while powering on & keep holding this shortcut until you hear two beeps and 

the USB port gets accessed to reflash the ROM.

Which USB port would I use? And do you know how to tell if I need to flash the BIOS in the first place?


Which USB port would I use? And do you know how to tell if I need to flash the BIOS in the first place?

 

I'd recommend using USB2.0 port, not the blue USB3.0 ones.

Also you can cut the first 800h byte and save the cut copy as amiboot.rom - more info here.

 

I figured it out, there's a secret switch : )

skip the damn capsule header check and flash! no more lock.

 

Just created a description @ MDL.
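
The posts above say the ROM image starts at 800h inside the .CAP file and that the first 800h bytes are cut before flashing outside the vendor updater. The following is an added example, not part of any post and not code from UEFIPatch or PMPatch: it locates where the raw image starts instead of hard-coding 800h, by looking for the Intel flash descriptor signature (0x0FF0A55A at image offset 0x10). It assumes the capsule payload is a full SPI image with a descriptor; the function names, the 64 KiB scan limit and the sample data are constructed for illustration.

```python
import struct

# Intel flash descriptor signature 0x0FF0A55A, stored little-endian at
# offset 0x10 of a full SPI flash image.
DESCRIPTOR_SIG = struct.pack("<I", 0x0FF0A55A)
# EFI_CAPSULE_HEADER (UEFI spec): CapsuleGuid, HeaderSize, Flags, CapsuleImageSize.
CAPSULE_HEADER = struct.Struct("<16sIII")
SCAN_LIMIT = 0x10000  # assumption: the capsule wrapper is smaller than 64 KiB


def has_descriptor(data: bytes, base: int) -> bool:
    """True if a flash descriptor signature sits at base + 0x10."""
    return data[base + 0x10:base + 0x14] == DESCRIPTOR_SIG


def find_image_offset(data: bytes):
    """Return the offset of the raw SPI image inside data, or None."""
    candidates = [0]  # file may already be a raw image
    if len(data) >= CAPSULE_HEADER.size:
        _guid, header_size, _flags, _size = CAPSULE_HEADER.unpack_from(data)
        candidates.append(header_size)  # trust the header field first
    # Fall back to a bounded scan in case the header field is not the offset.
    candidates.extend(range(0x10, SCAN_LIMIT, 0x10))
    for off in candidates:
        if off + 0x14 <= len(data) and has_descriptor(data, off):
            return off
    return None


def strip_capsule(data: bytes) -> bytes:
    """Return the image without its capsule wrapper (the 'cut 800h' step)."""
    off = find_image_offset(data)
    if off is None:
        raise ValueError("no flash descriptor found; not a full SPI image")
    return data[off:]


def make_sample(header_len: int = 0x800) -> bytes:
    """Constructed sample: fake capsule header plus a 4 KiB fake image."""
    header = CAPSULE_HEADER.pack(b"\x00" * 16, header_len, 0, header_len + 0x1000)
    image = b"\xff" * 0x10 + DESCRIPTOR_SIG + b"\x00" * (0x1000 - 0x14)
    return header.ljust(header_len, b"\x00") + image


if __name__ == "__main__":
    cap = make_sample()
    print(hex(find_image_offset(cap)), len(strip_capsule(cap)))
```

Running the check on a vendor file before cutting anything confirms whether the 800h figure quoted for one board also holds for another.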


This is great. Can't say it makes SPI programmer unneeded, but it really makes things easier for desktop users.

Yeah, all this RSA-signed capsule code is unimportant and no more tinkering cause of that.

It would be really interesting to get out the piece of code that triggers the GPIO on, with something

like a visual debugger. It could help on other bios types either.


I think it's not about GPIO toggle, but about right way to call built-in SMI handler, that disables all protection routines.

We need to study afuwin code now to know more, but I have no time for anything except work now.

---

Development of PMPatch successor is not stalled, BTW, and the FFS traversal code now works as supposed for PI 2.0 UEFIs, support for PI 1.x is about to be added in 1-2 weeks.

I will not release it until all things will work as supposed, but if someone (;)) with SPI programmer willing to test the alpha versions - you are welcome.

There is much work to do in that project, and now one can only extract all regions, volumes, files and sections from BIOS image (repacking code is in active development and comes later), but it is written in pure C, so it can be compiled for everything, OSX included.


I think it's not about GPIO toggle, but about right way to call built-in SMI handler, that disables all protection routines.

We need to study afuwin code now to know more, but I have no time for anything except work now.

---

Development of PMPatch successor is not stalled, BTW, and the FFS traversal code now works as supposed for PI 2.0 UEFIs, support for PI 1.x is about to be added in 1-2 weeks.

I will not release it until all things will work as supposed, but if someone ( ;)) with SPI programmer willing to test the alpha versions - you are welcome.

There is much work to do in that project, and now one can only extract all regions, volumes, files and sections from BIOS image (repacking code is in active development and comes later), but it is written in pure C, so it can be compiled for everything, OSX included.

there's also a switch called /OEMSMI: but I don't know any arguments ;)


can somebody please help me?

 

i got the bios rom and pmpatched it, but my BIOS says it cannot be flashed (i think for CRC-signed code reason)

the mainboard is the asrock z87extreme3 and this is the bios

 

ftp://europe.asrock.com/bios/1150/Z87%20Extreme3(2.10)ROM.zip

 

this is the dos flash program

 

ftp://europe.asrock.com/bios/1150/Z87%20Extreme3(2.10)DOS.zip

 

thank you guys. ^_^


can somebody please help me?

 

i got the bios rom and pmpatched it, but my BIOS says it cannot be flashed (i think for CRC-signed code reason)

the mainboard is the asrock z87extreme3 and this is the bios

 

ftp://europe.asrock.com/bios/1150/Z87%20Extreme3(2.10)ROM.zip

 

this is the dos flash program

 

ftp://europe.asrock.com/bios/1150/Z87%20Extreme3(2.10)DOS.zip

 

thank you guys. ^_^

 

http://rghost.net/49098964

 

upgrade method for DOS, Win x86, Win x64 included.

Just execute upgrade.bat. Check your inbox for pass.

 

best regardz


It worked, thank you very much. I definitely got a boot and install, on actual system boot I get a not so random (boots fine 1 in 30 tries) "PCI Configuration begin" hang but I think it can be resolved by a working DSDT.

I tried the various -x -f npci pcirootuid dart darkwake options with no luck

any advice?


It worked, thank you very much. I definitely got a boot and install, on actual system boot I get a not so random (boots fine 1 in 30 tries) "PCI Configuration begin" hang but I think it can be resolved by a working DSDT.

I tried the various -x -f npci pcirootuid dart darkwake options with no luck

any advice?

use

 

dart=0 -v npci=0x2000

 

alternative

 

dart=0 -v npci=0x3000

 

A fixed DSDT can be burnt in also in your ROM ;)

Btw. download counter shows 0. If you used the ROM I patched, you can flash now with fpt (dos, win) and flashrom (linux,mac,win), it's flashunlocked.


Hi CodeRush,

 

So sorry if I'm being stupid here. I've read through the instructions so many times. The attached screenshot shows what I'm trying to do with my Z87 Deluxe Dual Asus board. I open the patch in terminal, drag in the BIOS file twice, write PATCHED at the end of the second file and it says it's output the file. But I can't see it?

 

Apologies if I'm wasting your time, but wanted to check I've got this right.  Thanks in advance!

 

Nick

post-1218968-0-26377100-1380734944.png


Successfully patched and flashed BIOS 2104 for ASUS P8Z77-V Pro. Thanks again CodeRush!

 

Note that the only way to flash a modified BIOS on these boards is with "USB BIOS Flashback" - see your motherboard manual for more info.


hi

 

any chance someone send me a patched bios for an AsRock H87M pro4...

I can't install mavericks...it reboots just after loading drivers ..extra/extensions.mkext, ganged video card,subs,hds.and so on

used several boot loaders..just after choose the HD ..it reboots

 

'cause I have no idea or expertise to patch one...

thank you for any information about...

c.frio


hi

 

any chance someone send me a patched bios for an AsRock H87M pro4...

I can't install mavericks...it reboots just after loading drivers ..extra/extensions.mkext, ganged video card,subs,hds.and so on

used several boot loaders..just after choose the HD ..it reboots

 

'cause I have no idea or expertise to patch one...

thank you for any information about...

c.frio

patched ROM


Successfully patched and flashed BIOS 2104 for ASUS P8Z77-V Pro. Thanks again CodeRush!

 

Note that the only way to flash a modified BIOS on these boards is with "USB BIOS Flashback" - see your motherboard manual for more info.

Can you upload your patched bios 2104 ple
