Dell Precision M4600 - trying to unlock ME SPI via UEFI / BIOS hidden setting

Hi guys,

I am trying to unlock ME region for SPI dumping via FPT on Dell Precision M4600

I’ve read the Guide on Unlocking Intel Flash Descriptor Read/Write Access Permissions for SPI Servicing, used UEFITool+IRFExtractor to find and extract the “SetupPrep” section and found that my BIOS image (A01) has the hidden menu called “Debug” with the following options:



Apparently, there is an option to remove write protection from re-flash via SPI "Intel AMT SPI Protected" at 0x1E9 which I would like to try.

However, when I load into the EFI Shell provided in the attachment of the "Guide on Unlocking Intel Flash Descriptor" thread (Setup_EFI_Shell.rar), I receive the warning/error when I try to use setup_var:



Booting into Windows 7 (UEFI) and the ME region is still locked for read and write.

As I noticed, the EFI Shell is configured for some different GUID and string called ‘Setup’, while in my case it’s ‘SetupPrep’ with a GUID 899407D7-99FE-43D8-9A21-79EC328CAC21

I also noticed that despite of the error, the 0x1E9 var was set to 0x01 initially, which may mean it’s a correct variable.

Any suggestions on how to get or make a correct EFI shell for this case, or maybe a method to access the hidden “Debug” menu directly?


I am attaching the BIOS dump made with FPT that contains that menu. Also its extracted IRF version. Also attaching the dumped FD just in case.

EFI_Shell_warnings.jpg

M4600_BIOS_A01_SetupPrep_extracted.txt (342 KB)

M4600_BIOS_A01_FPTdumps.zip (1.81 MB)

Your errors/image above is normal/expected, and you did change 0x1E9 to 0x0 instead of 0x1. You can confirm that by running setup_var 0x1E9 again without any setting at end, and it will show you current value.
What you are changing above is related to AMT/ME FW Protection, during AMT usage, I believe.

Unsure what your goal is here, but these would be what you should change if you want to dump or change ME FW, but this could only be done with Intel FW Update tool and only if ME FW is not currently corrupted.
Me FW Downgrade, Variable: 0x1F0[1] {05 09 F0 01 01 45 04 46 04}
0x3FBD5 Option: Disabled, Value: 0x0 {09 09 04 00 00 00 13 00 00}
0x3FBDE Option: Enabled, Value: 0x1 {09 09 03 00 01 00 10 00 00}

Setting: Local FW Update, Variable: 0x1F1[1] {05 09 F1 01 01 47 04 48 04}
0x3FBF2 Option: Disabled, Value: 0x0 {09 09 04 00 00 00 10 00 00}
0x3FBFB Option: Enabled, Value: 0x1 {09 09 03 00 01 00 13 00 00}

To dump with FPT, you need to unlock the FD, this can only be done with flash programmer or pinmod (via E.1 here - [Guide] Unlock Intel Flash Descriptor Read/Write Access Permissions for SPI Servicing)
OR, you may have 2 pin service jumper on your motherboard, look all around, and don’t forget to look next to the memory thumb-tabs. If there is one it would be labelled Service, FD, FDO etc.

Thanks for replying!



Actually, 0x0 is the value I wanted to have because it’s a value of the ‘Disabled’ state of that var called ‘AMT SPI Protection’, logically, so I believe there was no mistake. Also, it was set to 0x1 before I discovered it. Anyway I have tested it having both the values of 0x01 and 0x00 and they don’t affect anything.

The Local FWUpdate (FWUpdLcl.exe) is working (both -SAVE and -F) independently of this variable’s value , but it’s not the format I would like to have. I need exactly a full ME dump from FPT.



I am aware of that, but I’ve seen a lot of posts on various forums where people unlock ME SPI region by modifying an NVRAM var, for example there is a guy that does it on Dell Precision M4800 and M6800, in his case the NVRAM var unlocks the FLASH region for FPT via an EFI shell, that’s why I wanted to try it first before trying pinmod.

I am also curious about the 0x1E1 var, which is just “Intel AMT” being “Disabled/Enabled”, what would be its supposed purpose? I tried both values 0x01/0x00 and they don’t affect anything obvious.

That’s what I meant, that you did change it to 0x0, sorry for any confusion.

If you need FPT dump only, then my comments above apply in regard to FPT. People do not usually unlock ME Region in a manner that you think, they change variable sometimes to allow ME FW update that is all.
Even in the guide you linked, he’s only changing a setting similar to the ones I gave you above (ME Re-Flash in that link = Local FW Update in your BIOS) to allow ME FW Update via ME FW Update tool (not FPT)
BIOS/SMI lock they change allows BIOS region to be flashed by FPT, but this does not affect ME Region, rest of variables discussed there are not relevant to our discussion.

Google Intel AMT, I do not use this so am not familiar, but I know it’s a management feature to be used remotely. Not really related to anything you want either.
You need to either do pinmod, or get a flash programmer, if you cannot find a two pin jumper header like I mentioned above (it would not be in manual, so look on board yourself)



There must be some confusion, because in his post he is showing a screenshot from FPT that says ‘ME’ region has READ and WRITE access (says “YES”). And it’s not a FWUpdate access, it’s a full access to ME region (either 1.5MB or 5MB). Also, his .bat tools use ‘fptw’, not ‘fwupdlcl’.
FPT has zero relation to FWUpdate feature and format.
I did already reflash full ME region (not FWUpdate) on another laptop using pinmod via FPT and it’s the exact behavior as on the screenshot when you have the FD unlocked via pinmod, except he doesn’t have FD unlocked in that case, which I don’t need to have. I only need ME region read/write as he has on the screenshot.

Anyway, I have also just performed a little test here some minutes ago: I’ve changed a Local FW Update (0x1F1) var to Disabled / 0x00 just to check if it would affect FWUpdate access, and I continue having access to FWUpdates…
MEInfo reports Local FWUpdate: Enabled and I am still able to use -SAVE and -F using FWUpdLcl.exe
This would mean I am doing something wrong in regard to using EFI shell correctly in order to modify NVRAM. Changing NVRAM vars do not reflect on my system as supposed. Any suggestions?

@xroxto - That’s not due to anything he did in that guide itself, when you see that it means FD (Flash Descriptor) is unlocked to read/write ME Region. That can only be done as I described above, OR if you have the jumper on your board.
He shows you this on first few lines of that guide, a link to another thread/post >> “Descriptor - contains basic info about flash and permissions. Full access after doing permanent unlock mod. Otherwise, only Read access.<< = Pinmod
Yes, I know FPT and FW Update tool are not same, I edit BIOS all day long for 15 years

Yes, so you are familiar with pinmod and unlocked FD etc, that is what you need here, and what’s been done in his FPT screenshot

Your grub does not look like any I’ve ever used to do this kind of edit using setup_var, so it could be that, in regards to what you asked about last.
The one I’ve always seen used has black background, you can get copy here in this guide - [GUIDE] Grub Fix Intel FPT Error 280 or 368 - BIOS Lock Asus/Other Mod BIOS Flash
But, I doubt this will make any differences to what you are testing.

Stop wasting your time on this, you need jumper on the board, pinmod, or flash programmer, otherwise you will never be able to unlock FD to allow FPT read/write to ME Region.
That is how this works, by design, for security reasons, there is only these ways around it.



Yes, I understand and respect that and honestly your posts helped a lot in the past to me. But you also should understand that if someone registered on WIN-RAID yesterday it not always means it’s his first day using a computer :wink:

I perfectly understand a difference between unlocked and locked FD and what here we are talking about. I think you are generalizing your overall experience and applying it for this specific case, which may be slightly different.
Actually I came here with a specific issue and if I wanted to use pinmod I would have it done already without bringing this topic. I KNOW it would have resolved the problem faster :slight_smile: But! I would still like to understand and try the method “E6. OEM/ODM Hidden BIOS-UEFI Options” described in the Unlocking guide topic, which logically means ‘Unlocking’ something, so if it’s there, I believe it is somehow a valid method, because it was written by a reputable user in a same way such as you.




No, his screenshot doesn’t show unlocked FD. His screenshot shows unlocked ME without unlocked FD. Please observe it again with more attention.




In that specific context - YES - he is talking about FD write/read access while mentioning pinmod! BUT, right after this he provides a guide to unlock only ME region, which you are ignoring. I don’t need FD read/write access. I only need ME region access and would like to try to unlock it without pinmod, such he does in his first post. I believe not all computers are same and from case to case it’s possible to unlock specific regions without unlocking the FD itself, such as the guy with M4800 has done and there is a proof of that in his post and users who confirmed his method is working in his thread. Given the parameters from the hidden BIOS menu, I am sure there is a possibility of modular unlocking, unless it was completely locked up by Dell after a production phase.

The screenshot of his FPT with unlocked ME region means exactly what it shows - it means he has read/write access to a ME region, not a FD region. I will repeat once again: I don’t need write access to the FD region right now, otherwise I wouldn’t create this topic! It’s OK if it will fail and you are right, but I still would like to try, since my BIOS and machine is not mentioned anywhere around on the Internet on modding forums, including win-raid.

------------------------------



1
2
3
4
5
6
 
E:\EFI\Boot>C:\fciv.exe -sha1 bootx64.efi
393dd9d789471879338847c6878ad5225145ad04 bootx64.efi
 
E:\EFI\Boot>C:\fciv.exe -sha1 "C:\Users\POLI\Downloads\f16t3908p57740n9_tUYizTrR\EFI-Setup-FPT-Universal-IFR-Extractor\efi Setup\boot\bootx64.efi"
393dd9d789471879338847c6878ad5225145ad04 c:\users\poli\downloads\f16t3908p57740n9_tuyiztrr\efi-setup-fpt-universal-ifr-extractor\efi setup\boot\bootx64.efi
 
 


The EFI shells I used and what you provided in this topic are same.

The EFI shell I have on E:\EFI\Boot\bootx64.efi is from this topic.

I didn’t even check your registration date, or look at how many posts you have etc. I’m only replying to posts here

No, I am looking at, and talking about this specific case only. Your BIOS does not have such options, other than possibly having a jumper on your board you do not have OEM options the guide discusses, it does not apply to all cases.

You are correct, I did not look at the FD read/write status, since it’s not relevant to your concern here, I only looked at ME Read/Write AND what he wrote at the start of the guide (Ie he did pinmod, then made that image)
Obviously he didn’t unlock FD, which is irelevant, he dumped his FD via pinmod and unlocked whatever he wanted (in this case, ME/BIOS region etc) and then programmed it back. FD edit is the only way you get FPT to show you FD read/write values Yes per xx region
So, all I mentioned above applies, he specifically tells you that as I outlined, at the very beginning of the guide you linked.

No, you cannot unlock ME in the way you want (For FPT) via anything other than FD edit, the rest ONLY applies to ME Re-Flash or local ME FW update etc, with ME FW Update tool.
I am not ignoring anything in his guide, only trying to explain to you that you are combing two different things into one (FPT ME Write and BIOS ME access options which apply ONLY to ME FW Update tool), and that his guide starts with pinmod otherwise FPT cannot write me region via FTK batch file which uses FPT

Yes, some BIOS have OEM options that may unlock ME Region for use with FPT, yours does not. So the guide applying to your case ends there, until and unless you unlock ME region via FD edit, or have jumper on the board to put in service mode.

You are correct, he edited FD and unlocked ME Region, that is the ONLY way you see read/write yes in FPT, this is the only thing FPT is looked at (FD region)
FD region controls read/write access to all the BIOS regions (FD, ME, GbE etc) When you run FPTw.exe -i command you are checking this set of read/write registers in Flash Descriptor (FD)

The ONLY way you are going to see Read/Write Yes in FPT for ME region is if you edit FD to allow ME Region access, otherwise it will ALWAYS say what it says by default set in the FD region per manufacturer.
You MUST edit FD, if you want to do as you asked in the reason for your creation of this topic >> FPT access to ME Region << This controlled ONLY by FD region, or a jumper on your board if you have one.

You are correct about the grub, sorry i didn’t see same version and thought that had blue background in your image.
Anyway, not relevant here as your BIOS does not have any settings that can change the controls/locks that are contained in the FD region of the BIOS


The way you describe it is not present in his topic at all, thus it’s only your assumption. He mentions the pinmod only for a ‘Permanent unlock’, while he still says that the UEFI method is a ‘Temporary’ firmware unlock solution:

> After doing this mod you’ll unlock ALL flash regions permanently (read/write) and there would no need unlocking ME region every time when you need to flash modified fw.

There is no mention that he modified his FD via pinmod before, because the first post suggests completely the opposite to what you’re saying.

Also:

> Full access after doing permanent unlock mod. Otherwise, only Read access. <<<< this is related only to FD.

Also, to prove my point there is also this guy who unlocked ME without using pinmod. However it’s all different hardware.



Well I didn’t even mention FWUpdate in my first post and the name of this topic suggests ‘SPI’, because I knew the difference already, so I didn’t even want to bring FWUpdate here. We both have used FWUpdate in some subsequent contexts which affect the main question in order to perform some analysis, but it’s not because I don’t understand the difference.


I just hope you are 100% sure regarding M4600 not having such an option.

I would still like to know why they mention ‘SPI’ in "Intel AMT SPI Protected"

You’ve already explained it as “related to AMT/ME FW Protection, during AMT usage, I believe.” but I would like to obtain some proof or confirmation of that still, because the name suggests SPI. Also, since I have tried changing some related values and they have not affected the way AMT/ME software reacts, I continue thinking there are some unanswered questions remaining.

I’ve googled “Intel AMT SPI Protected” and found the datasheets from various vendors that have exactly the same list as we have here. And look what we got there:

From https://www.manualsdir.com/manuals/73418…67.html?page=52 which is a manual for EPIC QM67 which directly relate to my chipset QM67 Sandy Bridge:

1
 
[0x1E9 in my case] Intel AMT SPI Protected  => Enable/Disable Intel AMT SPI write protect.
 


I think they are not relevant to FWUpdate as you say, because the options that affect writing/reading from FWUpdate are Me FW Downgrade (0x1F0) and Local FW Update (0x1F1) and they are in the group of so-called 'ME Features', such as KVM. SPI-related things belong to a different group of options, worth noticing.

I believe this issue is still subject for further investigation. Sorry that I oppose to your opinion, which for sure has a reason to be, but I didn't find any mentions of this specific subject on the whole forum, thus I have a reason to assume that this concrete option was not well researched here.

p.s. this machine has Intel BootGuard disabled.


---------------------- UPDATE --------------------------------

1. It seems the grub errors/warnings are really unrelated. I've been able to modify various BIOS options from the EFI shell. Though, not sure why AMT-related options do not reflect, none of them.

2. After trying countless combinations of AMT/ME-related options, I think you're absolutely right about there is no way of unlocking ME separately in this specific case. I didn't try newer BIOSes to confirm 100% but I think the result will be the same.

3. Still curious about "Intel AMT SPI Protected" purpose

So, since you have the answers, why are you asking questions??

I explained how this all works above, several times, you do not agree, thus here we are.
Sorry to sound abrasive, but you seemed to deny my answers continuously, even though I am the only one replying to you.

I assumed nothing above, only you keep assuming (That I’m assuming something?) I only explain to you how all this works. Pinmod is NOT permanent, at all… I thought you’ve done pinmod before?
Pinmod is temporary, for one boot only, then you can edit the FD to make whatever changes you want to allow or block, then you can put back to original with another pinmod on next reboot if you wanted to set things back to original once you were done doing whatever

I can read, he did pinmod and says such in the first line of the guide, which would be where he unlocked ME region that you see read/write yes in FPT, that is the ONLY way it shows ME Region unlocked in FPT because that is the ONLY thing FPT is reading (FD) for those results
The 7xxx link you gave are not related here, different BIOS, with actual options that would work for what you want here (to dump entire BIOS or ME FW only with FPT) Your BIOS does not have such options, so you are limited to what I mentioned above.

Yes, you can read/write ME region without doing an FD edit, many ways, sometimes ME Region is already unlocked in FD for read or write, or both, or sometimes IF YOUR BIOS has options, you can make certain changes to allow certain methods of updating ME
However, if you want to see ME read/write YES in FPT, and or read/write ME region with FPT, FD is the area of the BIOS that controls that and this is what allows FPT to write to ME Region, when you do not have access in other ways.

I mentioned ME FW Update because you are talking BIOS options, which only concern ME FW Update tool methods 99% of the time. BIOS Options generally have nothing to do with FPT and ME FW, so that is why I mentioned ME FW update tool.

Yes, before I replied at all, I downloaded the BIOS and looked through it for such options because I intended to give you the correct variables to edit, if there were there was any relevant options.
I wasn’t replying to you about your BIOS without looking at the BIOS

Yes, as I mentioned, those errors are normal and expected with grub/setup_var, it always looks that way when it’s working, when it’s not you will see much different error.

If you want to read or write to ME Region with FPT, and you currently cannot read or write with FPT to ME region, then your only option is to edit the FD to unlock ME Region read/write access via pinmod, service jumper on the board, or flash programmer

For your AMT / SPI setting question, I cannot answer, sorry, I’m not familiar with AMT and am not a ME FW expert. I never said this had anything to do with ME FW Update tool, only those other two I gave you in my initial reply were in regards to that, apologies if there was any confusion there
plutomaniac Would be the person that would be able to answer this for you, which I’m sure he will once he’s around and sees this thread. I’m sure he’ll also confirm the above for you about FD and ME read/write access for FPT



It’s called an open discussion. I thought your forum welcomes new information on the hardware that is lacking information on forums, sorry if I was wrong.



Actually you did assume something about the article that wasn’t there, so it’s ok to be called an “assumption”. I even quoted what exactly you have assumed.
Now, let me bring some clarity to what I meant by putting the “permanent” word near the “pinmod”, because sometimes you seem to read fast skipping the principal context:

1. I have never called pinmod “permanent” at all. I was quoting the article and did mark the quotes in the [ i ] > … [ /i ] tags purposely. I thought you would understand that, but I was wrong. I should have used [ QUOTE ] tags instead to make it more clear.

2. the article about M4800 calls “temporary” unlock via NVAR

3. the article about M4800 calls “permanent” unlock via pinmod because the author also unlocks the FD and flashes it, thus it is called “permanent” in the article. Once again: I am not the author of that article.

And yea I did pinmod in the past and it’s not something extraordinary to do, to assume that someone couldn’t have done it (“I thought you’ve done pinmod before?” - yea it’s also an assumption by question. So please next time choose words more carefully if you don’t want someone to tell that you assumed something without a reason).



Sincerely upon creation of this topic I was in hope of hearing plutomaniac’s opinion in the first place, however, thank you for all the help.

It’s seems we’re going in the wrong direction already and the topic is a complete offtopic now… Sorry about my intervention in your space there :slight_smile:

I will just leave the IDT 92HD90B2X5 chip location for performing pinmod on it so anyone who is seeking information on this laptop could find it.

Dell_M4600_HDA_Chip_location.jpg

Dell_M4600_IDT_92HD90B2X5.jpg

I guess since I know how this works with FPT, I read his article as it’s written, and since you aren’t sure on how some things unlock you may see or understand it differently.
I can’t explain it any differently, answers are above for FPT ME Read/Write = Yes

You are correct, he did say for a permanent unlock to do pinmod, and then edit FD (This also not permanent, you can edit and change anytime) Semantics, who cares
He did edit his FD, otherwise he would not be able to show ME Read/Write = Yes in FPT

I did not assume anything above, I saw what you quoted and it’s not an assumption, he describes what and how he did that (pinmod and unlock FD, again what you see in FPT access info relies ONLY on what is set in the FD region).
Without that, you would see ME Read/Write NO/NO or Yes/NO, in 90% of motherboards (Gigabyte aside, and some cheap Chinese brands also leave all unlocked in FD)

And yes, I do apologize, I also thought you said permanent unlock via pinmod. And I meant “Come on man, you’ve done this before, you said” Not “Surely, you can’t do a pinmod, it’s too hard”
I guess we’re both pulling each others chain too hard

You are fine, I wasn’t offended too much , only a little unsure why you were against my answers once you didn’t agree (#5 onward), and started semantics over words
Unlocked FD to me, in this discussion - what you were after (ME), only meant I looked at the FPT image and ME was unlocked = unlocked FD in the general sense you were after (ie ME unlocked). That is all I meant about that image and unlocked FD

For your board, this is the answer >> That article does not apply, other than settings unrelated to what we’re discussing, or the link to do pinmod.
FD edit, however you want to do it, or jumper, is the only way you will see ME Read/Write access Yes in FPT

plutomaniac will surely stop in when he’s around and has time, right now he’s a little busy and doesn’t have a lot of free time like he used to, but he will be back in full force soon

I can’t really read all this wall of text but yes, pinmod is temporary until the next reboot. In general, to unlock the FD for read/write access to the Engine region, you need to follow the relevant guide.

Thank you!

Please note: the topic name is “trying to unlock ME SPI via UEFI / BIOS hidden setting” and the overall goal of this topic was researching a possibility of performing the unlock of ME region using the UEFI NVARs, not performing pinmod, because pinmod is obvious&easy and wouldn’t need a separate discussion topic. It became a pinmod discussion just because Lost n bios insisted :slight_smile:

> I can’t really read all this wall of text but yes, pinmod is temporary until the next reboot. […]

And yes, I have never said pinmod is permanent. The fact of someone misread what I said before doesn’t make me the originator of this statement. I was just quoting the text, which also have no mention of it’s being permanent. I have no idea why someone assumed it is permanent.


Then [Guide] Unlock Intel Flash Descriptor Read/Write Access Permissions for SPI Servicing > E6

I only intended to answer your exact question, and follow-up info/question.

1. Your BIOS does not offer such security options, thus…
2. FPT’s info output of the Flash Descriptors status for ME Region read/write status can only be changed via service jumper, FD edit to unlock ME region, or flash programmer.

plutomaniac
Care to confirm the above for him so he doesn’t think I’m crazy
AND - what all does AMT SPI Write Protect setting do? I know AMT would need enabled, but if this will change his FD’s ME read/write status then we will do

You can change the FD once it is unlocked. If you change it to be unlocked then you won’t need to unlock it next time a repair is needed or similar. I don’t know what that option does, each OEM can give whatever name they want at NVARs. The interesting option is usually called “Me FW Re-Flash” or similar, as explained at the guide.