@boombastik
See the mCodeFIT version, it should be 0.2.5, аlso use the UBU version 1.69.15. These versions show the actual position of the microcodes.
Use UEFITool NE for additional verification FIT
Hello
To update the microcode (UBU 1.70)
What is the difference between option C and M ?
What is the best ?
Thanks
C - automatic selection of all available microcodes in the BIOS file
M - manual select only one microcode
@SoniX Thank you for your excellent work on this tool. May I request that you include updates for the SATA / RAIDDRIVERS to the ones that Fernando found to be the best? For example:
Recommended for Intel X99 systems, usable with all Windows Operating Systems from Win7 (32/64bit) up.
Best matching Intel RAID ROM resp. EFI “RaidDriver” BIOS modules: v14.8.2.2397
According to my benchmark tests (look >here<) these drivers are the best choice for Intel 100-/200-Series Chipset systems running Win10 on a RAID0 array. They are usable with all Windows Operating Systems from Win7 (32/64bit) up.
Best matching Intel RAID ROM/EFI “RaidDriver”: v15.5.1.3017
These RaidDrivers aren’t options in your tool currently.
If I want to recover the microcode 2B, I used the bios 1004 (Rampage VI Extreme) which contains it, extract the microcode, to integrate it in UBU 1.70
The CPUID is the same, but not the "plateform", is it good ?
cpu50654_plat97_ver0200002B_2017-08-09_PRD_5FFAAE55
cpu50654_platB7_ver02000043_2018-01-26_PRD_4840163E
Thanks
You are right.
With previous UBU versions it was possible to copy the desired “pure” Intel RaidDriver (as *.efi file without header) into the UBU subfolder Modules\IRST<b>User and to choose the option “U”, when it comes to the update of the IRST modules, but this option is not available anymore.
Hi, I have already used UBU, back in the 1.49 version and it worked just fine.
Today I decided to try and run it on my MSI GT72 BIOS, and I ended with a 6MB file when I started with a 3MB one.
Downloaded the latest UBU and crutch from the .ru site, extract it, Windows complains about it having this trojans and virustotal also reports 6 hits…
I know that given that its oROM’s and what not maybe its false positives, but the old 1.49 didn’t had this…
So, now using the 1.69 version I get this when I try to update any oROM:
The MMTool window shows this:
Saving secure rom as unsigned
And then the UBU:
* Generate FFS Intel RAID Driver GUID 91B4D9C1-141C-4824-8D02-3C298E36EB3F …Ok!
* Update EFI Intel RAID Driver GUID 91B4D9C1-141C-4824-8D02-3C298E36EB3F …Error!
* Update OROM Intel RST Device ID 282a …Error!
But if I run the scan again it reports that it updated the oROM, given that this all smells fishy I wont try to flash this resulting bios file.
Any ideas what can be causing this?
Latest microcode revision guidance February 26 2018 released!
https://newsroom.intel.com/wp-content/up…te-guidance.pdf
To follow up on this, I went ahead and did some additional scans again on the three UBU zips from MEGA, as well as an individual scan of MCE.exe to Virus Total. Regardless of your stance on “taking it up with the antivirus vendors”, clearly there are multiple vendors that are flagging this, probably for good reason. For something as low level in terms of security with a BIOS, you’re going to want to be absolutely certain that what you’re dealing with is a validated and secured set of tools before you go modifying your setup, otherwise you’re going to be compromising and further levels of security. For many of the people mentioning this on the forum or taking interest in the tool recently, I’m sure they are here because of the recent Meltdown/Spectre fiasco, and are having to take things into their own hands for securing their platform. It doesn’t build much confidence when as soon as you go to work on doing this and un-rar the files, Windows Defender by default will flag the file as a Trojan and remove it from your system, and to expect the user to just accept that it’s a false positive and to carry on with creating their modified BIOS. I’m not really pointing fingers or passing blame to the creator of MCE.exe, I think a better approach would be to find out why this is getting flagged and to take action upon that instead of telling users to ignore the warning. You will also see in the Virus Total link I posted below, someone has posted a comment analyzing why exactly it is getting detected it seems. If anyone absolutely does need to use this tool to modify a BIOS still I would advise caution and to use a Virtual Machine (Virtualbox/etc) to run the tool and not to execute this on their main system, as you may potentially be compromising that systems security / integrity.
UBU_v1.69.14-fixed_without-MMTool.rar
https://www.virustotal.com/#/file/d25b72…703e3/detection
UBU_v1.69.15.1_without-MMTool.rar
https://www.virustotal.com/#/file/550e6d…38615/detection
UBU_v1.70.a12-DEV_without-MMTool.rar
https://www.virustotal.com/#/file/0402c9…9efab/detection
MCE.exe (from the .rar files)
https://www.virustotal.com/#/file/6999c2…1e6fd/detection
EDIT: I’ve also submitted this to Microsoft for re-analysis and Hybrid Analysis as well which is a site similar to Virus Total. Both links below.
https://www.hybrid-analysis.com/sample/6…vironmentId=100
https://www.microsoft.com/en-us/wdsi/sub…8b-3bf8293c16e8
@boktai1000 :
Welcome to the Win-RAID Forum and thanks for your report!
This didn’t happen to me while extracting the same tools. The Windows Defender of my Z170 system running Win10 v1803 didn’t show a warning.
Did you already get a reply?
Regards
Dieter (alias Fernando)
@Fernando :
As of right now - per the Microsoft re-submission this is the status
mce.exe
Submission ID: 77196593-f714-461d-918b-3bf8293c16e8
Status: In progress
Submitted by: Anonymous
Submitted: Feb 28, 2018 12:00:07 PM
Thank you! For the Microsoft re-analysis it’s currently in progress, and status can be checked at the submission link in my post above. I don’t know how long it takes them to evaluate or re-test though, or what the process looks and consists of on their end.
Regarding not happening to you though with Defender, I can confirm that it did indeed happen to me again as of the writing of my post a couple hours ago on Win10 v1709 with latest Defender Definitions.
EDIT by Fernando: Unneeded fully quoted post replaced by directly addressing to the author (to save space within this already very voluminous thread)
Latest version of 1.69.15 checks out clean with Eset Antivirus on my end.
I downloaded from the supposed dev link that ends in .ru and it gets more hits than the ones form Mega.
Besides this, it might be false positives, I’m not pointing fingers, at all!
Any ideas why its dying trying to patch an Aptio 4 BIOS?
Today I extracted “UBU_v1.69.15.1_without-MMTool.rar” and the Windows Defender doesn’t detect anymore the “Trojan:Win32/Tiggre!plock”.
“UBU_v1.69.14-fixed_without-MMTool.rar” is also not detected anymore.
I have virus definition v1.261.1717.0 updated 19h09 pm (europe time) on a Windows 7 x64 bit, which was not the case yesterday and before yesterday and was still detecting the trojan in MCE.exe at extraction with 7-Zip.
Not sure if it’s still safe to use for flashing bios, i suggest to wait some more feedbacks if you’re not in a hurry.
The status and final determination on the Microsoft Analysis is still “Pending / In progress” at least as far as their link goes, so any results you see right now from it I would say are inconclusive until this finishes. Resubmitting for analysis may do something to the definition, I have no clue - but I do know that it’s being re-evaluated, and still is. Hybrid Analysis flags it as “Malware” as well, which my expectations of a false positive would be “Suspicious” since some of the behavior may be interpreted as such with modifying and inject microcode into a BIOS file. The Hybrid Analysis website also gives some details on how the executable works with python files, sqlite databases, etc and how it executable itself runs and processes these changes, the behavior and coding of such is heuristically similar to that of malware. Anyways as I mentioned, I would wait to see what Microsoft comes back with in regards to their re-evaluation at least. In addition to this, I am trying to familiarize myself a bit with what has been going on with the UBU tool and it sounds like part of it or maybe the entire thing was due for a rewrite because of the MMTool module, I am wondering if this portion (MCE) is another thing that would be modified as well. I don’t know if this is a reasonable ask, but I can see the benefits of open source code review being beneficial for a project like this, but with dealing with proprietary tools and what not currently I’m sure that makes it difficult.
What lets you think, that the project to patch AMI Aptio 4 BIOSes is dying? If the users adds the MMTool v5.0.0.7, everything works as before.
@SoniX
I am trying to update the Gigabyte x299 Gaming 7 Pro Bios (Aptio 5) with the new microcode. Used UBU 1.70 with patched mmtool and original F2 which was the latest final version without any protections and all seemed ok except for having after one microcode when the orginal bios showed several. Used the microcode contained in folder 2066 from latest UBU. Don’t know if I must update with other microcodes along with the Skylake-X one.
The thing is that process went ok and flashed the bios with the modded efifllash from this forum, however I found after rebooting that firmware was working very slowly and the reason was the cpu was fixed at 700Mhz, even after doing a manual overclock.
Am I missing something or maybe I must use the latest beta which contained microcode 3C???
Thanks.
EDIT: Updated the F3b and this is the result:
https://mega.nz/#!Rix2QCIQ!Ar1Uet27suPuf…w58E03er-EYdRXk
Haven`t flashed it yet, waiting for your reply.
I think the false positive in some/serveral viruscanners is simply caused by the wrapper that converts *.py into *.exe…the heuristics of such file possible match harmful (.py) files that are converted to exe
Here is the original python (.py) file, https://github.com/platomav/MCExtractor
But than again…if you don’t trust it…don’t use it
@boktai1000
MCE stands for MC Extractor and it is a free open source (GPL 3) python project which is developed by me. The official github page can be found here. Anyone who believes it is malicious is more than free to thoroughly review its code. Anyone who doesn’t trust the frozen script (executable) is more than free to freeze it themselves. I use PyInstaller which is another free open source project, of much acclaim & popularity, which freezes python scripts into Windows/Linux/MacOS executables. Everything is explained in MCE’s Readme, including how to freeze it yourself. For the record, any decent anti-virus (Windows Defender is not, as proven by independent researches, I use Avira) should not detect PyInstaller executables as viruses. So yes, what @SoniX said is right. It is the developers of such “anti-virus” who must be informed of false positives in order to fix their products (Microsoft’s Windows Defender included).
Using the UBU tool vUBU v1.69.15.1- with UEFITool v22.3 I also upgraded the following not 4 days ago:
EFI IRST RAID for SATA 12.7.0.1936 ----> 14.8.2.2398
EFI GOP Driver Haswell 5.0.1036 ----> 5.5.1034
EFI Intel Pro/1000 UNDI 5.4.19 ----> 6.6.04
EFI Realtek UNDI 2.020 ----> 2.043
CPU microcode 19 ----> 24
Parenthetically, the above UBU works with MMTool v4.50.0.23 or v5.0.0.7.
Result: Very stable and reliable NVMe boot drive and system for my “ancient” Asus Z87-Deluxe mobo with i7-4770K cpu sporting an Aptio 4 BIOS/UEFI;
which now runs like a top on the latest Windows 10 Preview Build 17110 RS4.
The proposition that the Aptio 4 bios updates are dying is vastly overstated; as this one is working splendidly.
Cheers 