I think i will just use an external programmer to overwrite the descriptor area, however the protected area still persists.
Edit: The registers are different for Skylake/Kabylake:
1 2 3 4 5
Flash Protected Range 0 (BIOS_FPR0) = Offset 0x84 This register cannot be written when the FLOCKDN bit is set to 1.
Flash Protected Range 1 (BIOS_FPR1) = Offset 0x88 This register cannot be written when the FLOCKDN bit is set to 1.
1 2 3 4 5 6
Hardware Sequencing Flash Status and Control (BIOS_HSFSTS_CTL) = Offset 0x4
Flash Configuration Lock-Down (FLOCKDN): When set to 1, those Flash Program Registers that are locked down by this FLOCKDN bit cannot be written. Once set to 1, this bit can only be cleared by a hardware reset.
Can you explain how correctly make changes and to flash them to bios? It is clear to me how to change variables. But this is not a variable, meaning that after changes are made they must be flashed via fptw, but if bios is locked, how to flash it? Also using UEFITool to extract BiosRegionLockDxe.efi , afterwards changing from 0x80 to 0x00 then inserting changed BiosRegionLockDxe.efi - UEFITool rebuilds bios backup completely. Is this is a good way to change?
@Wootever - if you’re around chime in if you can, thanks!
@ziga34 - if you cannot write BIOS with FPT or other tools, due to lock you can try to unlock the variables in grub shell boot, did you try that already? If yes, and no luck, you may need flash programmer to get the initial flash w/ unlock in there, then next BIOS flash do the edit in BIOS modules first then they should remain post flash.
Shortly what I have and what I did: I own 2018 model mi notebook 13 air 8550u mx150 which has Insyde UEFI there are totally 3 partitions: Descriptor, ME and BIOS After inspecting descriptor there are r/w access to ME and BIOS Using UEFITool I’ve extracted SetupUtility and then used IFR Extractor to convert it to readable txt file Inside txt I found these variables which responsible for securing bios and some extra vars which I’m not sure if has any effect on bios: RTC Lock BIOS Lock Flash Protection Range Registers SPD Write Disable BIOS Guard Flash Wear Out Protection CFG Lock Me FW Image Re-Flash MC Lock Local FW Update
Then I’ve extracted list with all vars using H2OUVE tool (so this is probably the same thing as doing it through grub shell boot)
Looking at the SetupUtility I’ve found each variable in variable list and disabled every possible protection - basically changing 01’s to 00’s Again using same H2OUVE I’ve pushed changes back to bios - successfully, no errors. Again extracted list to make sure that all vars was changed - yes it was.
Then removed secured boot and forced secure boot, removed all keys and etc. Booted to system - success launch CMD elevated FPTW64.exe -d bios.bin -bios - success FPTW64.exe -f bios.bin -bios - fail (Error 316: Protected Range Registers are currently set by BIOS, preventing flash access. Please contact the target system BIOS vendor for an option to disable Protected Range Registers. FPT Operation Failed.)
Then I’ve discovered this post by Wootever that there is FLOCKDN inside BiosRegionLockDxe, and I have the same structure inside - meaning that it is active. And from this point I’m not sure how to proceed, because BiosRegionLockDxe doesn’t rely on any vars - there are just functions/routines and making changes inside this file and then inserting back to my bios backup via UEFITool it rebuilds bios completely - it’s not the same as changing vars.
Hope this explains
So I’m curious how Wootever did that. If there is a method without SPI programmer…
I assume the PRR/FLOCKDN removal only applies to editing and then flashing the BIOS moving forward on next BIOS releases, once lock is removed in current onboard BIOS via flash programmer, but yes @Wootever will need to confirm if this is possible without a programmer
Ok, so I bought SPI programmer and I removed FLOCKDN the same way Wootever did - it worked no more FLOCKDN after flashing modified BIOS. But now I’m not sure how to remove PRR0 and PRR1 protection. Using RWEverything I’ve tried to search memory address SPIBAR + 0x84 (3800 + 84) and SPIBAR + 0x88 (3800 + 84), but everything was filled only with ‘AF’ values… Anyone knows how to do it correctly?
@johnnync21 - If you have programmer you do not need to unlock anything, only write in the BIOS you want already modified. I don’t know where the chip is, show me some images of your board and I can help you ID it