[UEFIPatch] UEFI patching utility

[Regi Yassin]

confirmed, works with asrock z777 extreme 4 bios 2.80

[CodeRush]

Zotac Z77-ITX BIOS

I have tested a patched BIOS on this board myself, but there was on version 0.5.8, and now PMPatch produces slightly different file, so it needs to be tested again. Please report after flashing this modified BIOS.

 

My HP Elitebook 8460p won't let me load the bios because it needs a signature match. Any ideas?

RSA signed BIOSes are tough to patch. Will try to find a solution, but can't promise anything.

UPD: try patched EROMPAQ utility for DOS to flash your modified BIOS. And read about BIOS recovery procedure linked there.

[eurisko]

eurisko$ ./PMPatch H61MS1.80 MODH61MS1.80

PMPatch 0.5.10

PowerManagement modules not found.

Trying to apply patch #1

Nested PowerManagement module at 00AD74D4 patched.

AMI nest module at 001C0900 patched.

Phoenix nest modules not found.

CpuPei module at 003BDBE0 not patched: Patch pattern not found.

Output file generated.

eurisko$

 

Thank you CodeRush!

 

Edit:

Jus rebooted!

Oh yeah it's working!!!!

[giacomoleopardo]

MacintoshHealer, on 04 February 2013 - 02:27 AM, said:

 

Zotac Z77-ITX BIOS

I have tested a patched BIOS on this board myself, but there was on version 0.5.8, and now PMPatch produces slightly different file, so it needs to be tested again. Please report after flashing this modified BIOS.

 

CodeRush, I've patched successfully the latest bios for Zotac Z77 ITX WiFi, but flashing it with Windows tool (successfully done) caused boot loop, no more bios screen. Now, you don't have to tell me how dumb I am (I know myself) but my questions are:

- do you think it could be related to a bad flashing operation, or maybe that patched bios was corrupted?

- what options do I have, at this point, to restore the system, besides replacing chip (that I already ordered, by the way)?

[CodeRush]

We can't figure out the true reason now, only after your BIOS chip comes and we can test that BIOS after correct flashing.

If you have another board based on Z68 or Z77 chipset (any vendor), you can use BIOS hotswap to restore your BIOS.

After receiving your new BIOS chip you can flash anything to old chip using same technique.

And that is what we will do to test if there is a bug in PMPatch or in the flasher.

BTW, I don't recommend any Windows flashers on any board, too many things may go wrong in multiuser multitasking system.

More to say, Zotac uses AFUWIN to update BIOS, and AFU is well known for it's ability to corrupt even working BIOS.

Use hotwap or wait for your BIOS chip and after your board boots we will make some tests.

[giacomoleopardo]

Unfortunately I don't have any other motherboard at the moment...Asus p8z77i deluxe will be on its way soon, but until then I just have to wait for new chip, I guess.

In the meantime, could you link me to some hotswap guide? I'm totally noob to this kind of jobs.

[lignicolos]

Confirmed working on ASUS P8Z77-V LK v0908 CAP (capsule) file.

 

What did you use to flash the modified BIOS? I have an ASUS P8Z77-V LX and i used PMPatch to modify the bios, but when I went to flash it in the EZ Flash utility it failed a security check and wouldn't flash.

[CodeRush]

lignicolos, use FTK to flash modified BIOS on ASUS P8xxx boards. Link is in my signature.

 

giacomoleopardo, I will write a simple guide here, if you need it, but only tomorrow, no time for forums today.

[LoBlanc]

Hi CodeRush. Tvm for your work.

I own an Asus Notebook n76vz-v2g-t1031h (Core i7-3610QM, Geforce GT 650M), AMI (EFI). Need any tests on this? How safe/succesful do you estimate the chances here?

[CodeRush]

LoBlank, BIOS structure is the same with ASUS desktop boards, so I'm 99,9% sure that patched BIOS will work.

You can try to flash it with EZ Flash or BUpdater, but if they refuse to flash and you don't know BIOS recovery procedure for your laptop, it's better not to try another ways.

One thing you can try without much risk: download FTK for Windows, unpack it, go to FTK/Win32 or FTK/Win64 and run spiinfo.bat and biosbck.bat as Administrator. Send me screenshots of both command windows and resulting biosbck.bin file via PM.

[LoBlanc]

Hi Thanks. Cannot find spiinfo.bat anyway neither in FTK/Win32 nor in FTK/Win64. Am I missing anything?

[CodeRush]

No, it's my fault. Will update FTK archives a bit later.

 

[taney]

No, it's my fault. Will update FTK archives a bit later.

 

 

Keep us posted. I'm interested to know the result of this.

 

 

Thank you again!

[giacomoleopardo]

giacomoleopardo, I will write a simple guide here, if you need it, but only tomorrow, no time for forums today.

 

I'm googleing a bit, of course, but assuming you're like a "bios guru" that would be really appreciated!

[newlife229]

Hey Coderush!

 

I have an ASUS p8z77-v LX2.

 

I have patched the bios but i think that my board don't have the USB FLASHBACK

 

 

PMPatch 0.5.10

PowerManagement module at 003FC7C0 patched.

AMI nest modules not found.

Phoenix nest modules not found.

CpuPei module at 007910E8 not patched: Patch pattern not found.

CpuPei module at 007D10E8 not patched: Patch pattern not found.

Output file generated.

 

I have tried with DCPimanager but it return and error.

 

Can u help me?

 

Thank you in advance!!!

[CodeRush]

My English isn't good enough for writing comprehensive guides, but I'll try my best.

Power users only. Don't blame me, if anything goes wrong.

---

BIOS Hotswap

 

Requirements

BIOS hotswap is a recovery method that can recover BIOS from unbootable state, but only if this requirements are met:

1. BIOS chip from faulty board is not damaged physically.

I will call it "bad chip" in guide's text.

2. You have another working board with same sort of BIOS chip (pin- and protocol-compatible).

Best board for hotwap is a board of the same vendor from the same product line, but it's not strictly required.

I will call this board "flasher" and BIOS chip from this board "original chip".

3. Flasher has BIOS chip is socket, so it can be replaced fast and without soldering.

4. You are able to replace BIOS chip on the fly without dropping it to the board surface, shorting chip legs or doing any other damage to the chip or the board.

There are special extractor tools for doing that, but in many cases just a pair of paper clips or a tweezers is enough.

 

DOS-bootable USB-drive with Flashing Tools

If you are sure that all requirements above are met, you must now prepare a DOS-bootable USB-drive with flashing tools. That can be tools from your vendor (i.e. BUpdater for ASUS boards, AFUDOS for Zotac, phlash16 for Phoenix-based boards, etc.), but I recommend flashrom for AMD boards and FPT for Intel ones. This two flashers are generic and don't have problems with incompatible board ids and stuff like that. Bootable USB Drive Creator and flashing tools are attached to this post.

Now I must separate this guide to Intel-specific and AMD-specific parts. I will describe Intel-specific part now, because like 95% of OS X users are using Intel-based boards, but I will describe AMD-specific part later, if anyone wishes.

 

BIOS Structure of Modern Intel Board

BIOS chip of every modern Intel board can consist of the following parts (called regions):

1. Descriptor region. Always present. Has BIOS region map, lock settings for all BIOS regions and PCI straps. Normally it's not affected by vendor's flashing tools, so if your bad chip became corrupted after flashing with normal tools, then you don't need to reflash this region. Presence and correctness of this region is viable for boot process.

Opened for reading and locked for writing by default.

2. GbE region. Present only on boards with Intel 82579 LAN chip (most of desktop boards with Intel LAN have it, exceptions like ASUS Z77 WS are rare). Has MAC of Intel card and some settings, that are viable for card to start. Motherboard will boot up with incorrect GbE region, but Intel LAN will not work (code 10 in Windows device manager). Not affected by vendor's flashing tools.

Opened for reading and locked for writing by default.

3. ME region. Always present. Has Management Engine code and data, Intel WLAN firmware, clock settings, DRAM settings and many more. Presence of this region is viable for board to boot up, correctness is viable for normal operation of DRAM, Turbo-multipliers, integrated GPU and many other things. Normally it's not affected by vendor's flashing tools, except special cases of "ME Update" in BIOS changelog. There are several methods of updating ME that a vendor can use, but there are very rare situations of ME region destruction by vendor's tools, that leads to unbootable system.

Locked for reading and writing by default.

4. PDR region. Extremely rare, must have specific vendor data, but I haven't seen any BIOS dump with this region present. Default lock settings (if any) are unknown to me.

5. BIOS region. Always present. Has actual bootloader and BIOS code, VideoBIOS, OptionROMs and all other stuff that people call BIOS. Presence is viable for board to boot, correctness is viable for board to work properly. The only region affected by vendor's tools, so if your BIOS is bricked by vendor's tool, it's 95% chance that only this region is affected. Most vendors are storing individual board data like SLIC tables, SMBIOS UUID, motherboard S/N, keys for technologies like Nvidia SLI or DTS UltraPC and so on in this region, so it must not be reflashed without extracting this data.

Most vendors (especially laptop vendors) supply updates only for BIOS region in downloadable BIOS images, and this images are often compressed, packed to capsule file or even encrypted, so they must be specially prepared and modified before flashing to BIOS chip can be possible.

Because of that, the best BIOS file you can use a source for BIOS recovery is a full BIOS dump of the same board. Dumps like that can be found by asking on laptop-repairmen's forums or downloaded from special dump archives, that can be googled. I personally don't have a collection of laptops dumps, so please don't ask me about them.

BIOS images for desktop boards are mostly complete and can therefore be used as BIOS dump after some modifications, like removing 2kb capsule file header on ASUS Z77 boards.

 

Choosing a Right Flasher Board

There are two issues on Intel-based boards, that prevent successful hotswap flashing between any two of them:

1. BIOS region lock are read and set during boot, so if the particular BIOS region is locked on the flasher board, it can't be flashed after swapping BIOS chips.

To be able to flash all regions you must either unlock all regions on your flasher board (will be described later, if anyone wishes) or use a board with all regions unlocked by vendor, like Asus Z77 boards, Asus Z68 boards with 3xxx BIOS verision and Gigabyte Z77 boards.

2. BIOS chip capacity are read and set during boot, so if the flasher has 4MB BIOS chip, it can't flash 8MB BIOS chips correctly, because only 4MB of this chip will be accessible.

That prevents using P68 boards to restore Z77 ones and so on. There is a method to get rid of that, but it's complex and I don't want describe it here (it involves flashing 4MB BIOS dump to 8MB BIOS chip, then booting from 8MB chip, then performing a BIOS modification to add this 8MB chip to the list of supported chips, so it's definitely not for this guide).

Long story short: the best flasher for SPI-chips in DIP8 case (like one on the picture below) is ASUS Z77 board.

 

Preparing to Hotswap

Prepare you flasher board and your bad chip.

If you have problems with easy access to BIOS socket on the flasher, take it out from the case and build your flasher system as an open stand.

Power the system off and try replacing original chip with bad chip using any tool you want. I'm using tweezers, but DIP-extractor is recommended.

Try not to short chip legs and not to drop the chip on the board surface.

If you can do the replacement without any difficulties and broken legs, you are now ready.

Plug original chip to flasher, power it on, boot DOS from prepared USB-drive with FPT and a prepared BIOS file to flash on bad chip, then execute

fpt -d -bios bios.org

This command will create an image of BIOS region from original chip. If it doesn't fails for some reason, execute

fpt -d fulldump.org

This command will create a full dump of original chip, but only if your flasher board has no locked regions, or it will fail with Error 26.

If the file is created, it's time to do and actual hotswap.

Replace your original chip with bad chip using a tool you like and a method you developed after several tries.

Now you have your bad chip inside the flasher.

Execute fpt -d -bios bios.bad if your flasher has locked regions or fpt -d fulldump.bad if not.

If it doesn't fail, you now have a dump from bad chip, that you can use later as a source of individual board data described above.

You can flash your prepared BIOS now.

Execute fpt -f -bios newbios.bin to flash only BIOS region (it's a single option on locked flasher) or fpt -f newdump.bin to flash a complete BIOS to the bad chip.

If flashing doesn't fail, power the flasher off and replace bad chip with original.

You bad chip is now reflashed, try booting with it on you previously faulty system. If it boots - congratulations, if not - it's probably because your newbios.bin or newdymp.bin have different format, then needed for your board. Compare it with bios.bad dump, see the difference, prepare and flash a new dump. If still don't work - buy a new preprogrammed BIOS chip for your board.

Now you must restore your board data, but this topic is too complex to describe here and specific for every board vendor, so please find the way to do it yourself.

Data restoration on ASUS P8xxx, M5xxxx and similar ROG boards are possible with FD44Editor.

 

Conclusion

This method is rather complex and it's definitely better to buy (or build) yourself a cheap SPI-prorammer and flash what you want where you want when you want without using another board, but if you already have one - then why not.

Intel_FPT_v8.zip

Intel_FPT_v7.zip

[giacomoleopardo]

Wow, amazing! As soon as my new chip will arrive I'm going to try your FTP method and post results. Should I use FTP 8 or FTP 7?

Thanks in advance, man, for your outstanding work!

[CodeRush]

Use FPT 8, it has better support of Z77 boards.

[CodeRush]

I must fly to Russia from 9. Feb. to 5. Mar., so I will monitor this thread less frequently and could not produce new versions. Please be patient.

[giacomoleopardo]

Good news for Intel DH77DF! Take a look here

You're the man!

[MacDELLintosh]

{censored} you rule dood, dont stop, keep it coming for forever mang

[beta992]

Is everything OK?

Last line looks weird. (Patch pattern not found)

 

C:\xx>PMPatch.exe original.bios patched.bios
PMPatch 0.5.10
PowerManagement module at 0031FBC8 patched.
AMI nest modules not found.
Phoenix nest modules not found.
CpuPei module at 003DC1C0 not patched: Patch pattern not found.
Output file generated.

[k3nny]

Yes, it is. "PowerManagement module at 0031FBC8 patched.".

[PandaMadness]

Hi CodeRush!

Just wanted to ask you what exact command do I need to use from the FTK to flash the patched BIOS to my MoBo?

In your post on Hardforum you describe the list of commands that FTK has, but I am confused between biosrefl and reflash.

Also, to k3nny, I noticed that you have the same motherboard as me (asus p8z77-v lk), so I ask if you can describe your flashing process step by step, if you can, please?

[beta992]

Yes, it is. "PowerManagement module at 0031FBC8 patched.".

OK, thanks.

 

What does this mean?

 

CpuPei module at 003DC1C0 not patched: Patch pattern not found.