Using pinmod I was able to perform a complete dump of the SPI flash with the command: fpt.efi -D FULL_BIOS.bin
I then dumped the individual regions with the commands:
fpt.efi -DESC -D DESC.bin
fpt.efi -BIOS -D BIOS.bin
fpt.efi -ME -D ME.bin
fpt.efi -GBE -D GBE.bin
I opened the DESC.bin file with HxD and changed the bits at offset 0x60 for reading and writing the ME, BIOS and GBE regions.
DESC.bin:
0x60: 00 00 0B 0A 00 00 0D 0C 18 01 08 08 FF FF FF FF
DESC_MOD.bin:
0x60: 00 00 FF FF 00 00 FF FF 18 01 FF FF FF FF FF FF
I then flashed with the command: fpt.efi -DESC -F DESC_MOD.bin
At this point I am able to write to the DESC, ME and GBE regions but not the BIOS.
When I try to flash with the command:
fpt.efi -BIOS -F BIOS.bin
I get the error: Error 7: Hardware sequencing failed. Make sure that you have access to target flash area!
This happens even if I try to flash the BIOS region without changes, with the commands:
fpt.efi -BIOS -D BIOS.bin
fpt.efi -BIOS -F BIOS.bin ← This tells me there are no changes.
fpt.efi -BIOS -F BIOS.bin -REWRITE ← This gives me error 7
What am I doing wrong!?
Currently my base OS is linux, I can dump the flash with the command: flashrom -p internal -V -o backuplog.txt -r BACKUP.bin but I haven’t tried writing with flashrom.
For the BIOS mod I’m using a Windows VM with UEFITool and AMI APTIO4 Tools.
Intel(R) MEInfo Version: 8.1.56.1541
Copyright(C) 2005 - 2014, Intel Corporation. All rights reserved.
FW Status Register1: 0x1E000255
FW Status Register2: 0x69000106
CurrentState: Normal
ManufacturingMode: Enabled
FlashPartition: Valid
OperationalState: M0 with UMA
InitComplete: Complete
BUPLoadState: Success
ErrorCode: No Error
ModeOfOperation: Normal
ICC: Valid OEM data, ICC programmed
Get ME FWU info command...done
Get ME FWU version command...done
Get ME FWU feature state command...done
Get ME FWU platform type command...done
Get ME FWU feature capability command...done
Get ME FWU OEM Id command...done
FW Capabilities value is 0x9301C6C
Feature enablement is 0x9301C6C
Platform type is 0x11415422
Intel(R) Manageability and Security Application code versions:
BIOS Version: ENB7510H.86A.0046.2013.0704.1354
MEBx Version: 8.0.0.0066
Gbe Version: 1.3
VendorID: 8086
PCH Version: 4
FW Version: 8.1.20.1336
FW Capabilities: 0x09301C6C
Intel(R) Small Business Technology - PRESENT/ENABLED
Intel(R) Anti-Theft Technology - PRESENT/ENABLED
Intel(R) Capability Licensing Service - PRESENT/ENABLED
Protect Audio Video Path - PRESENT/ENABLED
Intel(R) Dynamic Application Loader - PRESENT/ENABLED
Get iCLS PCH allowed feature information command...done
Get iCLS PCH allowed feature information command...done
Level III Manageability Upgrade State: Upgrade Capable
Get iCLS permit information command...done
Command response status indicates permit not found
Get iCLS CPU allowed feature information command...done
CPU Upgrade State: Upgrade Capable
Cryptography Support: Enabled
Last ME reset reason: Global system reset
Local FWUpdate: Enabled
Get BIOS flash lockdown status...done
BIOS Config Lock: Enabled
Get GbE flash lockdown status...done
GbE Config Lock: Enabled
Get flash master region access status...done
Host Read Access to ME: Enabled
Host Write Access to ME: Enabled
SPI Flash ID #1: EF4017
SPI Flash ID VSCC #1: 20052005
SPI Flash ID #2: EF4016
SPI Flash ID VSCC #2: 20052005
SPI Flash BIOS VSCC: 20052005
Protected Range Register Base #0 0x0
Protected Range Register Limit #0 0x0
Protected Range Register Base #1 0x0
Protected Range Register Limit #1 0x0
Protected Range Register Base #2 0x0
Protected Range Register Limit #2 0x0
Protected Range Register Base #3 0x0
Protected Range Register Limit #3 0x0
Protected Range Register Base #4 0x0
Protected Range Register Limit #4 0x0
BIOS boot State: Post Boot
OEM Id: 00000000-0000-0000-0000-000000000000
Capability Licensing Service: Enabled
Get iCLS permit information command...done
Command response status indicates permit not found
Get iCLS permit information command...done
Command response status indicates permit not found
Get iCLS CPU allowed feature information command...done
Get iCLS PCH allowed feature information command...done
Get iCLS PCH allowed feature information command...done
Capability Licensing Service Status: Permit info not available
Get ME FWU OEM Tag command...done
OEM Tag: 0x00000000
Get System Integrator ID command...This slot is unused.
Slot 1 Board Manufacturer: Unused
Get System Integrator ID command...This slot is unused.
Slot 2 System Assembler: Unused
Get System Integrator ID command...This slot is unused.
Slot 3 Reserved: Unused
Get M3 Autotest command...done
M3 Autotest: Disabled
Get ME FWU Platform Attribute (WLAN ucode) command...done
Localized Language: English
Get ME FWU Info command...done
Independent Firmware Recovery: Enabled
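The 16 bytes at offset 0x60 quoted in the first post are the descriptor's Flash Master section: FLMSTR1 (host CPU/BIOS), FLMSTR2 (ME) and FLMSTR3 (GbE), each a little-endian dword whose bits 16-20 grant read access and bits 24-28 grant write access to the five regions (descriptor, BIOS, ME, GbE, platform data). The script below is an added example and not code from the thread or from Intel's tools: it decodes both byte sequences using the 6/7-series PCH descriptor layout. The surrounding 4 KiB image, its signature and its FLMAP1 value are constructed so the master section lands at 0x60, which is where the post found it; on a real dump the offset is read from FLMAP1 rather than assumed. This is the same decoding a firmware-integrity audit runs, and a descriptor that gives the host write access to the ME region (as DESC_MOD.bin does) is exactly what such an audit flags.

```python
import struct

# Constructed inputs: the two 16-byte dumps from the post, wrapped in a minimal
# 4 KiB descriptor image whose signature and FLMAP1 are constructed for the example.
DESC_SIGNATURE = 0x0FF0A55A  # bytes "5A A5 F0 0F" at offset 0x10 of a real descriptor
MASTER_BYTES_ORIG = bytes.fromhex("0000 0B0A 0000 0D0C 1801 0808 FFFF FFFF")  # DESC.bin @0x60
MASTER_BYTES_MOD = bytes.fromhex("0000 FFFF 0000 FFFF 1801 FFFF FFFF FFFF")   # DESC_MOD.bin @0x60

REGIONS = ["Descriptor", "BIOS", "ME", "GbE", "Platform Data"]
MASTERS = ["Host CPU/BIOS", "ME", "GbE"]  # FLMSTR1, FLMSTR2, FLMSTR3


def build_descriptor(master_bytes):
    """Build a 4 KiB descriptor image (constructed) with a valid signature and FMBA = 0x60."""
    desc = bytearray(b"\xff" * 0x1000)
    struct.pack_into("<I", desc, 0x10, DESC_SIGNATURE)
    # FLMAP1 (offset 0x18): bits 0-7 hold FMBA / 0x10, so 0x06 places the masters at 0x60.
    # The remaining FLMAP1 fields are not needed here and are left zero (constructed value).
    struct.pack_into("<I", desc, 0x18, 0x00000006)
    desc[0x60:0x60 + len(master_bytes)] = master_bytes
    return bytes(desc)


def find_master_section(desc):
    """Locate the Flash Master section from the descriptor header instead of assuming 0x60."""
    (sig,) = struct.unpack_from("<I", desc, 0x10)
    if sig != DESC_SIGNATURE:
        raise ValueError("not a flash descriptor: bad signature at offset 0x10")
    (flmap1,) = struct.unpack_from("<I", desc, 0x18)
    return (flmap1 & 0xFF) << 4


def decode_flmstr(dword):
    """6/7-series FLMSTRn: bits 0-15 requester ID, 16-20 read mask, 24-28 write mask."""
    req_id = dword & 0xFFFF
    read = [r for i, r in enumerate(REGIONS) if (dword >> (16 + i)) & 1]
    write = [r for i, r in enumerate(REGIONS) if (dword >> (24 + i)) & 1]
    return req_id, read, write


def decode_masters(desc):
    """Return {master: (requester_id, readable_regions, writable_regions)}."""
    fmba = find_master_section(desc)
    out = {}
    for i, master in enumerate(MASTERS):
        (dword,) = struct.unpack_from("<I", desc, fmba + 4 * i)
        out[master] = decode_flmstr(dword)
    return out


def access_changes(orig_desc, mod_desc):
    """List (master, region, 'read'|'write') permissions present in mod_desc but not in orig_desc."""
    before, after = decode_masters(orig_desc), decode_masters(mod_desc)
    added = []
    for master in MASTERS:
        for kind, idx in (("read", 1), ("write", 2)):
            for region in after[master][idx]:
                if region not in before[master][idx]:
                    added.append((master, region, kind))
    return added


if __name__ == "__main__":
    orig = build_descriptor(MASTER_BYTES_ORIG)
    mod = build_descriptor(MASTER_BYTES_MOD)
    for label, image in (("DESC.bin", orig), ("DESC_MOD.bin", mod)):
        print(label)
        for master, (req, rd, wr) in decode_masters(image).items():
            print(f"  {master:14s} reqID=0x{req:04x} read={rd} write={wr}")
    print("permissions added by the mod:", access_changes(orig, mod))
```

For DESC.bin the decoder reports the usual factory policy (host may read descriptor/BIOS/GbE and write BIOS/GbE; ME may write ME/GbE; GbE only itself), and for DESC_MOD.bin every master gets read and write on every region, which matches the MEInfo lines "Host Read/Write Access to ME: Enabled" above. Note that this descriptor permission is only the first gate for BIOS region writes; the BIOS_CNTL and protected-range registers in the chipset are checked separately.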
Given that I’m starting to study this topic, I think you are referring to this:
SPI Read Configuration: prefetching enabled, caching enabled,
BIOS_CNTL = 0x2a: BIOS Lock Enable: enabled, BIOS Write Enable: disabled
Warning: BIOS region SMM protection is enabled!
Warning: Setting BIOS Control at 0xdc from 0x2a to 0x09 failed.
I should change this BIOS_CNTL, right?
inteltool -s
CPU: ID 0x206a7, Processor Type 0x0, Family 0x6, Model 0x2a, Stepping 0x7
Northbridge: 8086:0100 (2nd generation (Sandy Bridge family) Core Processor (Desktop))
Southbridge: 8086:1e49 (B75)
IGD: 8086:0102 (Intel(R) HD 2000 Graphics)
============= SPI / BIOS CNTL =============
BIOS_CNTL = 0x002a (IO)
0x0000 = BIOSWE - write enable
0x0001 = BLE - lock enable
0x0002 = SPI Read configuration
0x0000 = TopSwapStatus
0x0001 = SMM BIOS Write Protect Disable
0x0000 = reserved
============= SPI Bar ==============
0x0bff0580 = BFPR - BIOS Flash primary region
0x0000e008 = HSFSTS - Hardware Sequencing Flash Status
0x00003f00 = HSFCTL - Hardware Sequencing Flash Control
0x00bfffc0 = FADDR - Flash Address
0x00000000 = Reserved
0xffffffff = FDATA0
0x0000ffff = FRACC - Flash Region Access Permissions
0x00000000 = Flash Region 0
0x0bff0580 = Flash Region 1
0x057f0003 = Flash Region 2
0x00020001 = Flash Region 3
0x00001fff = Flash Region 4
0x00000000 = FPR0 Flash Protected Range 0
0x00000000 = FPR0 Flash Protected Range 1
0x00000000 = FPR0 Flash Protected Range 2
0x00000000 = FPR0 Flash Protected Range 3
0x00000000 = FPR0 Flash Protected Range 4
0x00000080 = SSFSTS - Software Sequencing Flash Status
0x00000006 = PREOP - Prefix opcode Configuration
0x0000043b = OPTYPE - Opcode Type Configuration
0x0000019f05200302 = OPMENU - Opcode Menu Configuration
0x00000000 = BBAR - BIOS Base Address Configuration
0x00003008 = FDOC - Flash Descriptor Observability Control
0x00000000 = Reserved
0x00000007 = AFC - Additional Flash Control
0x00802005 = LVSCC - Host Lower Vendor Specific Component Capabilities
0x00002005 = UVSCC - Host Upper Vendor Specific Component Capabilities
0x00000000 = FPB - Flash Partition Boundary
I did some research and I seem to have understood that I cannot modify the BIOS LOCK register because it is written in the bios region on which I cannot write. Correct?
I have read that in some cases there are some exploits that allow modification of the registers but I don’t think I really understood how they work.
So my question is: can I change the BIOS via an external programmer?
I did a search on the CH341 but I don’t understand the difference between version A and B, does anyone know the differences?
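Reading the inteltool values above by hand is error prone, so here is an added example (my own code, not from the thread, inteltool or flashrom) that decodes BIOS_CNTL, FRAP, the FREGn region map and the FPRn protected ranges from that dump, using the bit layouts of the Intel 6/7-series PCH datasheets, and then states which lock stops a host write to the BIOS region. The register values and the two SPI flash IDs are copied from the output in this thread; the JEDEC capacity rule (last ID byte is log2 of the size in bytes) is the only outside fact used.

```python
# Register values copied from the inteltool -s output in this thread.
BIOS_CNTL = 0x002A
FRAP = 0x0000FFFF
FREG = [0x00000000, 0x0BFF0580, 0x057F0003, 0x00020001, 0x00001FFF]
FPR = [0x00000000] * 5
SPI_FLASH_IDS = [0xEF4017, 0xEF4016]  # SPI Flash ID #1 / #2 from the MEInfo output

REGION_NAMES = ["Descriptor", "BIOS", "ME", "GbE", "Platform Data"]
BIOS_REGION = 1


def decode_bios_cntl(v):
    """BIOS_CNTL (LPC config offset 0xDC): bit0 BIOSWE, bit1 BLE, bits2-3 SRC, bit4 TSS, bit5 SMM_BWP."""
    return {
        "BIOSWE": bool(v & 1),
        "BLE": bool((v >> 1) & 1),
        "SRC": (v >> 2) & 3,
        "TSS": bool((v >> 4) & 1),
        "SMM_BWP": bool((v >> 5) & 1),
    }


def decode_freg(v):
    """FREGn: bits 0-12 base, bits 16-28 limit, both in 4 KiB units. None when the region is unused."""
    base = (v & 0x1FFF) << 12
    limit = (((v >> 16) & 0x1FFF) << 12) | 0xFFF
    return None if base > limit else (base, limit)


def region_map(freg=FREG):
    """Map region names to (base, limit) byte ranges, omitting unused regions."""
    out = {}
    for name, raw in zip(REGION_NAMES, freg):
        span = decode_freg(raw)
        if span is not None:
            out[name] = span
    return out


def decode_fpr(v):
    """FPRn: bit31 WPE (write protect), bit15 RPE (read protect), bits 0-12 base, bits 16-28 limit."""
    return {
        "write_protect": bool((v >> 31) & 1),
        "read_protect": bool((v >> 15) & 1),
        "base": (v & 0x1FFF) << 12,
        "limit": (((v >> 16) & 0x1FFF) << 12) | 0xFFF,
    }


def decode_frap(v):
    """FRAP: bits 0-7 BRRA (host read access), bits 8-15 BRWA (host write access), one bit per region."""
    return {"read": v & 0xFF, "write": (v >> 8) & 0xFF}


def jedec_capacity(flash_id):
    """Capacity in bytes from a 3-byte JEDEC ID whose last byte is log2(size)."""
    return 1 << (flash_id & 0xFF)


def overlaps(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


def host_bios_write_diagnosis(bios_cntl=BIOS_CNTL, frap=FRAP, freg=FREG, fpr=FPR):
    """Return (allowed, reasons): can a host hardware-sequencing write to the BIOS region
    succeed outside SMM, and if not, which lock is responsible."""
    reasons = []
    bios_span = decode_freg(freg[BIOS_REGION])
    if not (decode_frap(frap)["write"] >> BIOS_REGION) & 1:
        reasons.append("descriptor (FRAP.BRWA) denies host write access to the BIOS region")
    for i, raw in enumerate(fpr):
        p = decode_fpr(raw)
        if p["write_protect"] and bios_span and overlaps((p["base"], p["limit"]), bios_span):
            reasons.append(f"FPR{i} write-protects {p['base']:#x}-{p['limit']:#x}")
    c = decode_bios_cntl(bios_cntl)
    if not c["BIOSWE"]:
        msg = "BIOSWE=0: BIOS region is read-only"
        if c["BLE"]:
            msg += " and BLE=1 keeps it that way (a write-enable attempt raises an SMI)"
        reasons.append(msg)
    if c["SMM_BWP"]:
        reasons.append("SMM_BWP=1: BIOS region writes are accepted only while all cores are in SMM")
    return (not reasons, reasons)


if __name__ == "__main__":
    print("BIOS_CNTL:", decode_bios_cntl(BIOS_CNTL))
    for name, (base, limit) in region_map().items():
        print(f"{name:14s} {base:#09x}-{limit:#09x}")
    print("flash size from JEDEC IDs:", hex(sum(jedec_capacity(i) for i in SPI_FLASH_IDS)))
    allowed, reasons = host_bios_write_diagnosis()
    print("host BIOS write allowed:", allowed)
    for r in reasons:
        print("  -", r)
```

For the values in this thread the diagnosis is: the modified descriptor (FRAP.BRWA = 0xFF) and the all-zero protected ranges allow the write, but BIOSWE=0 with BLE=1 and SMM_BWP=1 block it, which is consistent with fpt's Error 7 on the BIOS region while ME and GbE remain writable. The region map also shows BIOS ending at 0xBFFFFF, i.e. a 12 MiB flash, which matches the two Winbond IDs (8 MiB + 4 MiB). From a defender's point of view this BIOS_CNTL state is the one a platform-security audit expects on a production machine: the descriptor alone is not the BIOS region's write lock.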
Version A and B of what… what are you referring to?
All mods on Intel motherboards usually can only be flashed with a CH341A; just search for other Intel board users’ experiences on the forum.
EDIT: Oh, that… I never researched it for that info; I only had a CH341A (Black edition).
You’ll have to search yourself for that, sorry.
Thanks for the reply.
I searched Amazon and found this: CH341A and this: CH341B
I searched for the CH341B datasheets but found them only in Chinese.
I could use ESP32 or RPI as an external programmer but I don’t have the clip to flash without soldering.
So the most practical solution is to buy the complete kit; would the one I linked be suitable?
Any of those should do the job, but keep in mind that these cheap programmers are not for medium/long-term use or as a professional tool.
Besides a more expensive/professional programmer, there are a lot of accessories like clips, interface cables and IC adapters to buy with more quality than these cheap kits.
I know they are not tools for professional use.
I’m learning and I don’t think my use of it will ever be professional (never say never!)
What do you mean by “these cheap programmers are not for medium/long time use”?
Means they don’t last… obviously, what else could these words mean?
Usually the clip contacts and wires get broken; it depends also on the handling… but it’s all cheap stuff, period.
EDIT: Better… a bit, regarding the programmer itself; the rest of the accessories are as ordinary as in the CH341A kits. Still a lousy clip…
The main issue here is a good clip with a firm connection to the ICs; the connection is very sensitive and requires training and a steady hand/grip.
That’s it, the rest is getting experience, training and your money pocket.
Good luck.
Thank you very much for the explanation, I owe you a beer!
I understand your advice but at the moment it is an excessive expense, I want to practice and learn first.
I decided to go with an EZP2023+
Just one last doubt: can I use the EZP2023+ on Linux?
Thanks!
I have been looking into the EZP2019 - EZP2023 issue in Linux. I contacted the manufacturer of the programmer (http://www.yaojiedianzi.com/) asking for the source code. The manufacturer said he would think about it and did not reply again.
@MeatWar I own a TL866II plus, but I almost never use it. It’s a fine device but the software is very restrictive when using it on a chip not desoldered. It’s either a short or a bad contact.
I like the ‘stupidity’ of a CH341, but one should know how to check the results.
Thanks to all for the help. I ordered this EZP2023+ but from what I read I’m already thinking of canceling the order…
I tried to write to the seller if there are software or sources available for Linux, I hope (but not too much) for a positive response.
Now there are 3 options:
Purchase a CH341A instead of the EZP2023+ (what would be the limitations?)
Use the Windows VM with the supplied software (probably the best thing to do)
Purchase the clip and use an ESP32/RPI as a programmer (why complicate your life, Jimmy?! It already is!)
Waiting for your opinion, show me the ways of the force!