[UEFIPatch] UEFI patching utility

[Riley Freeman]

Excited to try this out! I think there should be a DOS version as well. My X79 only has OS X installed so I can't use the windows one.

 

I found a copy of scedos but got a "Memory Allocation Error" when I tried to run it. Maybe it's not the Aptio version.

 

Will that SMI lock open up NVRAM writing for BIOS versions like mine where it's read-only?

[StoneTemplePilots]

Excited to try this out! I think there should be a DOS version as well. My X79 only has OS X installed so I can't use the windows one.

 

I found a copy of scedos but got a "Memory Allocation Error" when I tried to run it. Maybe it's not the Aptio version.

 

Will that SMI lock open up NVRAM writing for BIOS versions like mine where it's read-only?

 

yes, there's a dos version too, but to edit the dump from dos is pain

even I don't suggest to unlock SMM, as it's a security feature

[Riley Freeman]

Have you a link for the DOS version? I'm still looking here.

 

I can edit the dump on another PC so that's OK.

[StoneTemplePilots]

Have you a link for the DOS version? I'm still looking here.

 

I can edit the dump on another PC so that's OK.

 

Riley, click on the link I posted above, they linked even the efi version of this tool.

[Riley Freeman]

Thanks! I dug through that thread and found one that worked. But I don't have any of those locks in my output. Guess it's not for X79.

[StoneTemplePilots]

Thanks! I dug through that thread and found one that worked. But I don't have any of those locks in my output. Guess it's not for X79.

can you attach the file for review?

[Riley Freeman]

Sure. Here it is.

 

 

NVRAM.TXT

[StoneTemplePilots]

Sure. Here it is.

It's fully compatible, the dump is okay, but the values for

Setup Question    =

vary from Z77. So it will be a search for the right position to switch the value.

 

Are you even sure your board has a bios-flashlock?

[Riley Freeman]

Yep. I can only write modified BIOS files via USB Flashback. FPT can't do anything.

 

The NVRAM lock is as big an issue as it prevents us from fully using the Ozmosis bootloader (can't set SMBIOS variables in NVRAM).

[StoneTemplePilots]

Yep. I can only write modified BIOS files via USB Flashback. FPT can't do anything.

 

The NVRAM lock is as big an issue as it prevents us from fully using the Ozmosis bootloader (can't set SMBIOS variables in NVRAM).

if you want you can upload your rom and I'll remove the lock manually

[Riley Freeman]

I was planning to follow your tutorial for unlocking at some stage, but if you could do it for me that would be great. I can always go back and use it as a reference later.

 

I'm running the latest bios from Asus. Here's the download link for it.

[CodeRush]

The method worked on ASUS Z87 Plus. 

[StoneTemplePilots]

The method worked on ASUS Z87 Plus. 

thanks for feedback, exactly what I thought never doubt your own comment!

 

@ Riley, this X79 looks very special, I can't find the required pattern in any of the modules nor a PchInit.Dxe for patching.

I'm sorry.

This needs reverse engineering due to totally different presuppositions compared to Intel Series 7 / Series 8, and I suggest

no one will do it, X79 is rarely sold.

[Riley Freeman]

Thanks for looking. I probably would have spent ages trying to find something that wasn't there.

[shiecldk]

@CodeRush

I encountered some errors with my Gigabyte's P67A-UD3R-B3 UEFI Bios using UEFITool:

 

And could you tell me how to compress modules with UEFITool?

 

@Mr. Light Server System

Could you unlock P67A-UD3R-B3's nvram for me?

Thanks for your help.

[CodeRush]

It's a bug in LZMA SDK compiled by clang, will be solved in next build. Try version for Windows.

You can't compress a file with UEFITool now, this feature will be added in a pair weeks.

[Tebogo]

Hello Code Rush,

I'm stuck in the FTK flash process. I use the UEFI BIOS for ASUS X550CA, found here: http://dlcdnet.asus.com/pub/ASUS/nb/X550CA/X550CAAS212.zip

I use PMpatch to patch the BIOS. Used all native Bios -Flash options (WinFlash etc.) but all fialed.

 

Then I used FTK for Dos, and get the following error.

Any suggestions?

Thanks, Tebogo

[CodeRush]

FTK is not meant for notebooks. Are you sure that AFU /GAN method doesn't work for you?

[yangshun1029]

MacPro:new SHUN$ ./PMPatch X79E4_3.40 X79E4_3.40-P

PMPatch 0.5.14

PowerManagement module at 00591B38 not patched: Patch pattern not found.

PowerMgmtDxe/PowerManagement2.efi modules not found.

AMI nest modules not found.

Phoenix nest modules not found.

CpuPei module at 0079CA10 not patched: Patch pattern not found.

 

I have uploaded my bios,plase help me!

X79E4_3.40.zip

[StoneTemplePilots]

MacPro:new SHUN$ ./PMPatch X79E4_3.40 X79E4_3.40-P

PMPatch 0.5.14

PowerManagement module at 00591B38 not patched: Patch pattern not found.

PowerMgmtDxe/PowerManagement2.efi modules not found.

AMI nest modules not found.

Phoenix nest modules not found.

CpuPei module at 0079CA10 not patched: Patch pattern not found.

 

I have uploaded my bios,plase help me!

Yangshun,

simply no need for a patch?

You are able to boot os x as I see on your cmd powermanagement isn't locked, test with msrdump.

As an alternative you can use AICPMPatch.

[Tebogo]

FTK is not meant for notebooks. Are you sure that AFU /GAN method doesn't work for you?

 

Sorry, I didn't realize is was not meant for laptops. I'll try later this day the AFU /GAN method.

 

I found your article about that: http://www.win-raid.com/t286f16-Guide-Flashing-modified-AMI-Aptio-UEFI-using-AFU.html#msg3571

 

Or should I follow: http://www.insanelymac.com/forum/topic/285444-pmpatch-uefi-patching-utility/page-39?do=findComment&comment=1951029

 

Thank you!

[CodeRush]

Nope, it's a new variant of lock in PowerManagement module, here is the disassembly:

mov ecx, 0E2h                      ; 0xE2 MSR to ECX
mov [rsp+28h+arg_8], rax           ; Old register value stored in RAX to structure in memory
bts dword ptr [rsp+28h+arg_8], 0Fh ; Test and set bit 15 (LOCK)
mov rdx, [rsp+28h+arg_8]           ; Locked value to RDX
call sub_180004CCC                 ; WRMSR inside

It can't be patched with PMPatch right now, but will be patched by hand.

[StoneTemplePilots]

Nope, it's a new variant of lock in PowerManagement module, here is the disassembly:

mov ecx, 0E2h                      ; 0xE2 MSR to ECX
mov [rsp+28h+arg_8], rax           ; Old register value stored in RAX to structure in memory
bts dword ptr [rsp+28h+arg_8], 0Fh ; Test and set bit 15 (LOCK)
mov rdx, [rsp+28h+arg_8]           ; Locked value to EDX
call sub_180004CCC                 ; WRMSR inside

It can't be patched with PMPatch right now, but will be patched by hand. I will do the mod in 20 min. 

Where did you gather this awesome assembler knowledge? I'm stunning!

[yangshun1029]

Nope, it's a new variant of lock in PowerManagement module, here is the disassembly:

mov ecx, 0E2h                      ; 0xE2 MSR to ECX
mov [rsp+28h+arg_8], rax           ; Old register value stored in RAX to structure in memory
bts dword ptr [rsp+28h+arg_8], 0Fh ; Test and set bit 15 (LOCK)
mov rdx, [rsp+28h+arg_8]           ; Locked value to EDX
call sub_180004CCC                 ; WRMSR inside

It can't be patched with PMPatch right now, but will be patched by hand. I will do the mod in 20 min. 

thanks

[CodeRush]

I just know what to search for.

The patch is "0F BA 6C 24 38 0F" -> "0F BA 74 24 38 0F" (Bit Test and Set command -> Bit Test and Reset command with the same argument).

X79E4_3.40_PM.zip