BIOS downgrade without TPM key reset

Hi,

I am trying to solve a problem with a Lenovo Yoga 700 14isk BIOS update. It was accidentally flashed to the newest firmware without suspending BitLocker. After that, the OS detected the BIOS version change and wants recovery keys instead of taking them from the TPM module. Unfortunately, the pendrive with the restore keys was lost, so the only chance is to downgrade the BIOS. It’s based on Phoenix.
I ran the OS from an external HDD and tried to downgrade it, but it shows a warning that the downgrade will cause a TPM module clear. This notebook has Intel PTT enabled, so the decryption keys are written somewhere in Intel’s chip.

[Attached image: bios-down.jpg]

I created a bootable DOS USB, but I didn’t try to flash it with the DOS tool, because I am not sure which options should be marked.
I am attaching the unpacked BIOS images (newest and previous) in CAP containers with the dedicated flash tools.

https://1drv.ms/f/s!AhSrYdRl4bnajUJl1KsXDmq_goKS

I spent a few days trying to find a solution, but I got nothing. So maybe someone from this forum could help me?
Any ideas how to flash it without TPM clear?

Thanks for the help!

@D3F :
TPM keys are expected to be lost on BIOS change. I am unaware of a way around it.

Assuming that you can boot into Windows, you should be able to export the BitLocker recovery key again:
https://www.tenforums.com/tutorials/3973…ndows-10-a.html

Do you use TPM for anything else?



The TPM keys aren’t lost yet. The status of the TPM module shows that it’s owned by another system, so it definitely wasn’t cleared.




As I wrote, I booted the other OS from a different HDD, so I cannot export the key or suspend BitLocker.

I think that the notebook doesn’t have an external TPM chip at all. It has only Intel’s Platform Trust Technology (PTT), which is compatible with the TPM standard.
The key is stored inside some memory in the chipset or the flash chip (shared with the BIOS).
So I need to know how to safely flash the BIOS without erasing the TPM (or Intel PTT).

BitLocker checks for hardware changes during the boot process. If I could recover the previous state, it should let me in.

I think that Windows, when booting with BitLocker, checks only the BIOS version or maybe a checksum.

Below I attach the list of commands embedded in the flasher.




bak [filename] Backup BIOS ROM before flash.
bbl Flash boot block.
bcp [EVSA binary] Overwrite BCP data.
bcplogo [BCP name] [file name] [Image ID] Replace logo image stored in BCP.
cac Check AC power is on.
cbp threshold Check battery power in percentage.
cvar Clear variables.
dat string Specify the asset tag DMI string.
dmc string Specify the chassis manufacturer DMI string.
dmm string Specify the motherboard manufacturer DMI string.
dks string Specify the SKU number DMI string.
dms string Specify the system manufacturer DMI string.
dos [string;string2;...]|[index1 string1 ...] Specify the OEM DMI strings.
dpc string Specify the chassis asset tag number DMI string.
dpm string Specify the motherboard product ID DMI string.
dps string Specify the system product ID DMI string.
dsc string Specify the chassis serial number DMI string.
dsm string Specify the motherboard serial number DMI string.
dss string Specify the system serial number DMI string.
dus [uuid] [overwrite] Specify the UUID DMI string.
dvc string Specify the chassis version DMI string.
dvm string Specify the motherboard version DMI string.
dvs string Specify the system version DMI string.
endkey Required key press after flashing.
errorkey Required key press after flashing error.
ese Enable security examiner.
exit Exit program after flash completed.
file filename Indicate BIOS image file for flash.
help Show command list.
ipf [region name]|all Flash specific region
logo filename [ImageId] [filename] [ImageId] ... Replace logo.
ls [ImageId] ... Reserve logo in BIOS ROM.
mod filename Replace a FFS module.
nodelay No delay after flash.
nodrom No decomposing ROM when crisis recovery.
noerror Do not display error messages.
nowarn Do not display warning messages.
oc string Specify the OEM command line.
p Production mode. Disable simple text output.
prog start size Flash specific area. Both parameters in hexadecimal.
patch Patch mode. To patch particular data to current BIOS.
raw GUID filename [Index] Replace raw section of FFS module.
rsbr GUID1 GUID2 ... Reserve sub-regions with specified GUIDs.
sd Skip BIOS build date time checking.
silent Silent operation (no beeps).
slp filename Replace SLP marker or MSDM key.
spu filename 20|21 Replace SLP public key.
ss Skip all SLP sub-regions.
sn Skip part number checking.
shutdown Shutdown after flash completed instead of reboot.
v Enable flash verification.
vbl Enable Microsoft Bit-locker check.
vcpu [filename] Update variable size CPU microcode.
wb Flash without skipping same content blocks.
write filename start [fdla] Write a binary file to specific physical address or FDLA.
wsbr GUID filename Write a binary file to specific sub-region.
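
A simplified model of the TPM behaviour discussed in this thread, added as an example and not posted by any participant: a key sealed to a firmware measurement is released only when the measurement matches, and a TPM clear makes the sealed blob unusable even when it does. `ToyTPM`, `boot_pcr`, `scenario` and the firmware strings are constructed for illustration; this is not BitLocker's or Intel PTT's actual implementation.

```python
import hashlib
import hmac
import os

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: new = SHA-256(old || SHA-256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def boot_pcr(firmware: bytes) -> bytes:
    """PCR after reset (all zeros) plus one firmware measurement."""
    return extend(bytes(32), firmware)

class ToyTPM:
    """Toy model (assumption): a chip-internal seed that gates seal/unseal."""
    def __init__(self):
        self.seed = os.urandom(32)

    def clear(self):
        # A TPM clear replaces the storage seed, orphaning every sealed blob.
        self.seed = os.urandom(32)

    def _mac(self, data: bytes) -> bytes:
        return hmac.new(self.seed, data, hashlib.sha256).digest()

    def seal(self, secret: bytes, policy_pcr: bytes) -> dict:
        # Toy cipher: XOR with a seed-derived pad; secret must be <= 32 bytes.
        ct = bytes(a ^ b for a, b in zip(secret, self._mac(b"pad" + policy_pcr)))
        return {"pcr": policy_pcr, "ct": ct, "tag": self._mac(policy_pcr + ct)}

    def unseal(self, blob: dict, current_pcr: bytes):
        if not hmac.compare_digest(self._mac(blob["pcr"] + blob["ct"]), blob["tag"]):
            return None  # sealed under a seed that no longer exists
        if not hmac.compare_digest(current_pcr, blob["pcr"]):
            return None  # measured firmware differs from the sealed state
        pad = self._mac(b"pad" + blob["pcr"])
        return bytes(a ^ b for a, b in zip(blob["ct"], pad))

def scenario():
    old_fw, new_fw = b"constructed firmware v1", b"constructed firmware v2"
    tpm, volume_key = ToyTPM(), os.urandom(32)
    blob = tpm.seal(volume_key, boot_pcr(old_fw))
    after_update = tpm.unseal(blob, boot_pcr(new_fw))    # firmware changed
    after_restore = tpm.unseal(blob, boot_pcr(old_fw))   # old firmware, TPM intact
    tpm.clear()
    after_clear = tpm.unseal(blob, boot_pcr(old_fw))     # old firmware, TPM cleared
    return after_update is None, after_restore == volume_key, after_clear is None

if __name__ == "__main__":
    print(scenario())
```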