Jump to content
CodeRush

[UEFIPatch] UEFI patching utility

1,990 posts in this topic

Recommended Posts

Advertisement

For Dell machines with Phoenix Secure Core Tiano UEFI 2.0, such as Vostro 3750, L502x etc you can apply the patch straight to the .exe you have got from Dell.

Then flash it as if it was a stock updater thereafter. As said in the original post it will unlock all the advanced menus available for a particular machine you are patching for. The patch sequence used in this utility has originated from bios-mods, you can read this article for in-depth details on the advanced menus.

Share this post


Link to post
Share on other sites

k3nny, FTK for Windows is easier to use and don't have any CAP verification at all, but I still don't recommend to flash BIOS under Windows - it's way too risky.

Any other system program or driver can interfere with flashing process and make unpredictable results. With strong antivirus or virtual machine enabled this chance is rather high.

It's less dangerous to use flashrom under Linux or OS X, but DOS or is still better, because nothing can interfere with flashing process in single task system (if a bunch of drivers and/or TSR's don't loaded, of course).

More to say, flashing with non-Asus tools leads to individual data loss, so now you have to restore your SMBIOS UUID, LAN MAC and Motherboard S/N using FD44Editor and then reflash BIOS to write the restored data.

Read my post on [H] linked above.

Share this post


Link to post
Share on other sites

buoo, yes and no.

The pattern to find is also 75080fbae80f89442430, but there are 6 different patch variants that the program is trying to perform.

I have made an analysis of that assembly (warning, crappy Google-translate from Russian) and now is a bit more complex then just patching 0x75 to 0xeb.

Different patch variants are needed because after 0x75 to 0xeb patch the compressed module is often 1 byte bigger than original and there are BIOS versions that don't have even 1 byte of free space to insert it.

Share this post


Link to post
Share on other sites

Lenovo ThinkPad R61i 8932-FDG (Phoenix)

Not an UEFI, can't be patched with this program.

Intel SC5520SC

Has different module organisation and doesn't have PowerManagement or CpuPei modules to patch.

Is a patch required for this board to work with native AppleICPM.kext? Is there any patched BIOS for this board anywhere?

Share this post


Link to post
Share on other sites

Lenovo ThinkPad R61i and Intel SC5520SC require patching AICPUPM.kext. I haven't seen anyone who patched Intel EFI BIOSes.

 

EDIT: about Lenovo:

 

UEFI BIOS Version 8JET42WW (1.36) 
UEFI BIOS Date 2012-05-15

Share this post


Link to post
Share on other sites

oswaldini, 8JET42WW can be patched by version 0.5.9 after unpacking, BIOS file to patch is $0A8J000.FL1

There is no problem to patch Intel EFI file, the main problem is to flash patched file to BIOS chip on Intel boards.

I don't know any method to flash modified Intel BIOSes with standard Intel tools, but I do know two methods to unlock access to whole BIOS and flash it with Intel Flash Programming Tool.

Another possible way to flash modified BIOS is described by phpdev32 in his mail:

I can report that the Intel DQ77KB thin mITX build I made this weekend worked just fine. Naturally I tested the newest ROM with PMPatch before I even bought the parts (just to be safe)' date=' but the F7 BIOS flasher worked just fine. I'm pretty sure the recovery flash didn't work, restarted several times without flashing, but that isn't critical. I imagine anyone wanting to repair the BIOS could flash the stock first using recovery, then flash the patched using F7 after rebooting.[/quote']

Share this post


Link to post
Share on other sites

The utility is BSD-licensed and available on GitHub.

Compiled versions for Windows and OS X are here.

Latest version is 0.5.9

 

Much better and easier than doing it under windows with Phoenix tools and an hex editor. :)

Thumb up.

 

I need testers with different boards from different vendors to make the utility better, so if you have enough courage or a spare BIOS chip - please try it and report in this topic.

Thank you in advance.

 

Tested on my Asus P8B-WS, bios 2106 (previously patched) with a Xeon E3-1230v2.

Works without any problem, a binary file compare show differences with my "hand-patched" bios but I can't see any differences under UEFI bios screens nor working under ML 10.8.2

Sleeps and wakes as usual, speedstep is the same using the same SSDT with modified iMac12_2.plist :

 

MSRDumper PStatesReached: 16 20 27 33 35 36 37.

 

Nice work !

Share this post


Link to post
Share on other sites

I can't see any differences under UEFI bios screens nor working under ML 10.8.2

It's normal, for AMI UEFI it only patches PowerManagement module and nothing more. Thank you for report.

Share this post


Link to post
Share on other sites

Did not work for me on Intel DZ77GA70K. I press F7 and then select .bio file and PC reboots and tries to flash but then reboots again and boots into Windows.

 

C:\>pmpatch GA0061.bio GA0061A.bio
PMPatch 0.5.9
PowerManagement module at 0045CC8C patched.
AMI nest modules not found.
Phoenix nest modules not found.
CpuPei module at 001FE83C not patched: Patch pattern not found.
Output file generated.

Share this post


Link to post
Share on other sites

Intel is famous for difficulties on flashing modified BIOSes...

I know a way to overcome it, but it isn't simple.

Please download FTK for Windows from the link in third post, then open Administrator console, cd to FTK/Win32 and execute fpt -i command.

I need the output to guide you further.

Share this post


Link to post
Share on other sites

Intel is famous for difficulties on flashing modified BIOSes...

I know a way to overcome it, but it isn't simple.

Please download FTK for Windows from the link in third post, then open Administrator console, cd to FTK/Win32 and execute fpt -i command.

I need the output to guide you further.

 

C:\FTK_0.9.4_win\Win32>fpt -i

Intel (R) Flash Programming Tool. Version:  8.1.10.1286
Copyright (c) 2007 - 2012, Intel Corporation. All rights reserved.

Platform: Intel(R) Z77 Express Chipset
Reading HSFSTS register... Flash Descriptor: Valid

   --- Flash Devices Found ---
   W25Q64BV    ID:0xEF4017    Size: 8192KB (65536Kb)

   --- Flash Image Information --
   Signature: VALID
   Number of Flash Components: 1
    Component 1 - 8192KB (65536Kb)
   Regions:
    Descriptor - Base: 0x000000, Limit: 0x000FFF
    BIOS	   - Base: 0x1C0000, Limit: 0x7FFFFF
    ME		 - Base: 0x003000, Limit: 0x1BFFFF
    GbE	    - Base: 0x001000, Limit: 0x002FFF
    PDR	    - Not present
   Master Region Access:
    CPU/BIOS - ID: 0x0000, Read: 0x0B, Write: 0x0A
    ME	   - ID: 0x0000, Read: 0x0D, Write: 0x0C
    GbE	  - ID: 0x0118, Read: 0x08, Write: 0x08

Total Accessable SPI Memory: 8192KB, Total Installed SPI Memory : 8192KB

FPT Operation Passed

Share this post


Link to post
Share on other sites

OK, as we can see, ME and GbE regions are locked, BIOS region is not.

Execute fpt -bios -d dump.bin command, if it works, patch this dump.bin file with PMPatch (pmpatch dump.bin mod.bin) and flash patched file with FPT by executing fpt -bios -f mod.bin command. If it works, reboot your computer.

Share this post


Link to post
Share on other sites
C:\FTK_0.9.4_win\Win64>fpt -bios -f mod.bin

Intel (R) Flash Programming Tool. Version:  8.1.10.1286
Copyright (c) 2007 - 2012, Intel Corporation. All rights reserved.

Platform: Intel(R) Z77 Express Chipset
Reading HSFSTS register... Flash Descriptor: Valid

   --- Flash Devices Found ---
   W25Q64BV    ID:0xEF4017    Size: 8192KB (65536Kb)


Error 280: Failed to disable write protection for the BIOS space!

Share this post


Link to post
Share on other sites

It's won't be so easy, as I thought but there is a way to unlock BIOS from this kind of lock. It is described here and can be dangerous, but I tried it like 10 times and it worked.

You need to disable Intel AntiTheft before trying it.

After unlocking access to all regions, you can make a dump of Descriptor region by executing fpt -desc -d desc.bin, and edit it with Hex-editor to remove locks completely.

This values are to be set:

locki.png

Then you can flash modified Descriptor region by executing fpt -desc -f desc.bin and modified BIOS region by fpt -bios -f mod.bin. If all things goes without error, then modified BIOS is finally flashed.

This way it dangerous and can lead to BIOS loss, so I don't recommend to try it unless you have to.

Share this post


Link to post
Share on other sites

No thanks. I don't want to risk to break anything, i can't afford to buy another board if this breaks. I rathed use NullCPU or patch DSDT. There is no AntiTheft on this motherboard.

 

I don't understand why it works to flash with F7 on Intel DQ77KB http://www.insanelym...y/#entry1878932 but not on my board, they have similar BIOS.

 

My motherboard has Intel® BIOS Vault Technology but so does DQ77KB.

 

Virtually incorruptible BIOS that provides fault-tolerant and secure firmware operating and upgrade environments.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Similar Content

    • By Slice
      Since rev 4844 Vector Themes are supported and there are ready-to-use Clovy by Clovy, cesium by Slice and BGM_SVG by Blackosx.
      You may see it's structure to create own theme
      -------------------------------------------------------------------------------------------------------------------------------------------------------
       
       
      Now I want to add vector graphics support in Clover. See rev 4560 and later.
      It is not working yet but designers may begin to create Vector Themes.
      It supposed to consist of SVG elements and has design size. It will be rendered to any screen size scaled from design size.
       
      What application in macOS can create SVG graphics?
      Inkscape is not working in macOS 10.11+. Pity.
      LibreOffice Draw works with SVG but buggy.
      Boxy SVG cost 10$ but looks good enough. It creates the best in simplicity files and have more then enough features.
      Illustrator is good but expensive.
       
      How to improve SVG file?
      Clover has restricted support for SVG. It is your job to make compatible file and as small as possible to speedup rendering.
      Some helps:
      Help:Inkscape – From invalid to valid SVG Inkscape files
      From invalid to valid SVG Adobe Illustrator files
      From invalid to valid SVG files of other editors: BKchem, ChemDraw and CorelDRAW
      Help:Illustrator – Assistance with creating and saving SVG images in Adobe Illustrator that will pass W3C validation
      User:Quibik/Cleaning up SVG files manually
      Later I will write own instructions specific to Clover abilities.
       
      How to create SVG fonts?
      You can google to find ready-to-use SVG fonts.  I found some problems with too beaty fonts: slow rendering and overflow crash. Be careful.
      You can get ttf or otf fonts and convert them into svg by using online WEB services. Not a problem to google.
      But then I want to find a way to simplify the font to reduce a size and speedup rendering.
      You can create own font by FontForge It is opensource and available for Windows, Mac and GNU+Linux. It creates otf font which you can convert to svg font.
       
      Pictures from Badruzeus
      https://www.insanelymac.com/forum/applications/core/interface/file/attachment.php?id=301597
    • By grisno
      Hi people,
       
      Installer to activate the sound card REALTEK ALC282-v2 (10ec:0282) with LayoutID 1 or 3 in MacOS. This installer does not contain AppleHDA patched Kext. To work properly, it must be installed over vanilla AppleHDA.kext.
       
      I want to thank the whole community for their efforts and content provided, because without these it would not be possible to create this installer.
       
      I would appreciate comments and suggestions!!
       
      Status:
      Speakers : OK Headphones : OK HDMI Audio : OK (Intel HD4K Tested) LineIn : N/A (Model Without LineIn) MicInt : OK MicIntNoiseReduction : OK MicExt : N/A (Model Without MicExt) AutoDetectLineIn : N/A (Model Without LineIn) Sleep : OK WakeUp : OK AutoSleep : OK Hibernate : OK Siri : OK   Tested Laptops:
       
      - HP Pavillion 15-D002SS
       
      Coming Soon:
       
      - Unified installer for the different supported operating systems.
      - Support model with LineIn jack.
       
      Modified Verbs:
      01271C20 01271D00 01271EA0 01271F90 01471C10 01471D00 01471E17 01471F90 01871CF0 01871D00 01871E00 01871F40 01E71CF0 01E71D00 01E71E00 01E71F40 02171C30 02171D10 02171E21 02171F00 01470C02   DSDT:
       
      Patch to apply with MaciASL in your DSDT
      ######################################### HDEF v1.00######################################## into method label _DSM parent_label HDEF remove_entry;into device label HDEF insertbeginMethod (_DSM, 4, NotSerialized)\n{\n If (LEqual (Arg2, Zero)) { Return (Buffer() { 0x03 } ) }\n Return (Package()\n {\n "layout-id", Buffer() { 0x01, 0x00, 0x00, 0x00 },\n //"layout-id", Buffer() { 0x03, 0x00, 0x00, 0x00 },\n "hda-gfx", Buffer() { "onboard-1" },\n "PinConfigurations", Buffer() { },\n })\n}\nend;  
    • By ludufre
      [GUIA] Correção de assinatura BIOS Insyde H2O
       
      Recentemente comprei um notebook Lenovo L440 pra instalar o macOS Mojave e fui substituir a placa wireless pela DW1560 porque a atual não é compatível. Descobri que existia uma whitelist de placas permitidas que as fabricantes estão adotando recentemente (no meu caso utiliza uma bios Phoenix Insyde BIOS H2O).
       
      Procurei em fórums de BIOS MODDING e encontrei pessoas que fizeram o patch pra mim. Só que após substituir a BIOS notei que o computador ficava apitando 5 vezes todas vez que ligava e fui me aprofundar no caso. E foi aí que descobri como resolver isso e por isso criei esse guia baseado nas informações que achei em alguns fóruns russos.
       
       
      Prefácio
       
      Quando a BIOS falha no teste te integridade, algumas funcionalidades Intel AMT param de funcionar e é emitido uma sequência de 5 apitos duas vezes no boot.
      Após modificar para remover whitelist (habilitar placas WI-FI não autorizadas), destravar MSR 0xe2 (hackintosh), habilitar menu avançado, etc. a BIOS não vai passar no teste de integridade causando esse problema.
      Essa verificação de integridade é feita através da assinatura RSA do bloco da BIOS chamado TCPABIOS (mais informações abaixo) com a chave pública no formato modulus 3 também armazenada na BIOS.
      Esse bloco TCPABIOS armazena os checksums de cada volume da BIOS.
       
      O que faremos é gerar novos checkums para esses volumes que foram modificados, gerar um para de chaves RSA (privada e pública), assinar esse bloco com a chave privada e substituir a chave pública.
       
       
      Ferramentas necessárias
       
      - EFITool NE alpha 54: https://github.com/LongSoft/UEFITool/releases
      - HxD 2.1.0: https://mh-nexus.de/en/hxd/
      - OpenSSL: http://gnuwin32.sourceforge.net/packages/openssl.htm (Download -> Binaries)
      - Microsoft File Checksum Integrity Verifier (FCIV.exe): https://www.microsoft.com/en-us/download/details.aspx?id=11533
       
      Passo a passo
       
      Vamos abrir a BIOS modificada, localizar o bloco TCPABIOS e entender sua anatomia.
       
      1. Abra a BIOS no HxD
       

      (Vamos utilizar nesse guia a BIOS modificada no fórum MyDigitalLife.com pelo usuário Serg008 para o notebook Lenovo B590)
       
      2. Busque a palavra TCPABIOS:
       


       
      3. O bloco começa com TCPABIOS e termina com antes de TCPACPUH
       

       
      4. Anatomia:
       
      54 43 50 41 42 49 4F 53 48 31 38 34 61 31 31 2F
      32 36 2F 31 33 49 42 4D 53 45 43 55 52 00 FD 27
      34 2A 35 AB 41 26 39 E3 32 E5 B6 8A D6 49 5B 0B
      77 F9 82 58 48 00 00 00 CE 18 1F 00 00 00 03 00
      00 00 00 00 00 00 27 00 00 00 00 00 00 00 00 00
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      00 00 00 00 00 00 00 00 00 00 00 FF FF 83 04 D4
      52 52 95 C5 D7 21 55 78 0E 5C AD 47 EE C4 3D 1D
      C1 EC 69 03 2B 51 A5 42 61 96 22 F9 7B 88 57 B7
      A8 9D D0 20 DB 5B 11 10 55 07 84 6C 62 DF FA 2F
      6A A8 43 0C 8A 40 AF 79 0D 31 DB 5A 5D C8 2F EB
      F8 7C 87 B0 A6 3D 2A 88 AE 91 9D 88 E3 AA 85 E3
      5A B3 91 7F 28 68 1F BA 92 C4 7E 10 F5 1A 7E 75
      A9 6F CE C0 4F BA FA 79 A5 98 2B 50 60 BA 09 73
      7B 03 D1 0C 3E A2 9C 44 DF E9 F2 92 34 7B
       
      Cinza: Nome e informações do bloco
      Vermelho: Informações dos volumes (Checksum e Cabeçalho)
      Azul: Separação da lista de volumes para a assinatura do bloco
      Verde: Assinatura do bloco TCPABIOS são os últimos 128 bytes
       
      Lista de Volumes:
       
      Cada volume tem o formato: 00 FD 27 34 2A 35 AB 41 26 39 E3 32 E5 B6 8A D6 49 5B 0B 77 F9 82 58 48 00 00 00 CE 18 1F 00 00 00 03 00 00 00 00 00
                                                      (prefixo 3 bytes + checksum 20 bytes + offset 4 bytes + tamanho do volume 6 bytes + separador do fim 6 bytes)
       
      Os volumes são enumerados e utilizam o primeiro byte no prefixo para isso (00 FD 27), começando do 0.
      A BIOS utilizada nesse exemplo possui somente um volume, mas no caso de mais de um volume, seria: 00 FD 27 .., 01 FD 27 ..., 02 FD 27 ...
      - Checksum é o cálculo SHA1 do volume.
      - Offset é a posição do volume dentro da BIOS. Os bytes ficam invertidos, nesse caso seria 00 00 00 48 ou seja: 48h
      - Tamanho do volume também está com os bytes invertidos, então: 1F18CEh
       
      Então é isso. Precisamos corrigir essas informações (checksum, offset e tamanho)
       
      5. Para extrair os volumes abra a BIOS com o UEFITool e veja como identificar os volumes (nosso exemplo há somente um volume, se houvessem outros estariam também dentro de EfiFirmwareFileSystemGuid):
       

       
      Na BIOS original, circulado em vermelho podemos ver o nosso volume.
      Observe que em azul temos Offset e verde o tamanho. Exatamente como verificamos acima no HxD. Já na BIOS modificada vemos que está diferente o tamanho:
      Oridinal: 1F18CEh
      Modificada: 1F12D5h (vamos precisar disso mais tarde)
       
      6. Vamos extrair esse volume escolhendo a opção “Extract as is...”
       
       
       
      7. Utilize esse comando para obter o checkum desse volume: fciv.exe -sha1 File_Volume_image_FvMainCompact.ffs
       

       
      Agora temos o checksum que é 396e0dc987219b4369b1b9e010166302ce635202
       
      8. Substitua as informações no bloco TCPABIOS:
       

       
      Observe que o tamanho do volume precisa ter os bytes invertidos, então se o total são 6 bytes e é 1F12D5h, fica D5 12 1F 00 00 00 no lugar de CE 18 1F 00 00 00.
      Se o offset for diferente, também realizar o mesmo procedimento invertendo os bytes.
      Checksum alterar de 34 2A 35 AB 41 26 39 E3 32 E5 B6 8A D6 49 5B 0B 77 F9 82 58 para 39 6E 0D C9 87 21 9B 43 69 B1 B9 E0 10 16 63 02 CE 63 52 02
       
      Faça esse procedimento para cada volume na BIOS.
       
      9. Agora precisamos gerar o checksum de todo o bloco TCPABIOS mas sem considerar os últimos 131 bytes, ou seja desconsiderar de FF FF 83 + 80 bytes da assinatura anterior.
       
      Copie para um novo arquivo no HxD e salve como tcpabios
       

       
      Utilize o comando para gerar o checksum desse bloco: fciv.exe -sha1 tcpabios
       

       
      Checksum do bloco TCPABIOS: 0da6715509839a376b0a52e81fdf9683a8e70e52
       
      Crie um novo arquivo no HxD e adicione 108 bytes com 00 e cole o checksum no final e salve como tcpabios_sha, ficando assim:
       

       
      10. Agora vamos gerar a chave privada RSA com modulus 3: openssl genrsa -3 -out my_key.pem 1024
       

       
      Assinar o arquivo tcpabios_sha: openssl rsautl -inkey my_key.pem -sign -in tcpabios_hash -raw > tcpabios_sign
       

       
      Agora aproveite para gerar a chave publica: openssl rsa -in my_key.pem -outform der -pubout -out my_key_pub.der
       

       
      E gerar modulus 3 da chave pública: openssl rsa -pubin -inform der -in my_key_pub.der -text -noout
       

       
      Copie e cole a chave em um arquivo de texto para utilizar daqui a pouco. Remova todos os “:” e coloque tudo em uma única linha, ficando assim:
       

       
      11.   Abra o arquivo tcpabios_sign no HxD, copie o conteúdo e substitua a assinatura no final do bloco TCPABIOS:
       
       
       
      12. Agora vamos localizar na BIOS o local da chave pública e substituir. Essa chave começa com 12 04 e termina com 01 03 FF e fica após o bloco TCPABBLK.
       
      A chave fica assim: 12 04 + 81 bytes + 01 03 FF. Faça uma busca por 01 03 FF para localizar mais facilmente. Verifique se antes dos 81 bytes tem os bytes 12 04 para ter certeza que achou.
       

       

       
      Agora substitua pela chave pública que ficou anotado no arquivo de texto anteriormente, ficando assim:
       

       
       
      Salve e está pronto. Sua BIOS está assinada e pronta.
       
×