It’s good that you were able to get a complete dump of your firmware with fptw. You have now a valid backup!
Don’t work on the dump, always use a copy so that your dump is still available!
Read the guide to the letter otherwise you’ll brick your machine!
The only mentioning of SMIP signing key is in paragraph 7 and 13 which have the words
“If you are working on a CSTXE 3-4 SPI/BIOS image” in the beginning.
The ME from the repository is an unconfigured ME, not a region ready to flash. It always has to be configured with FIT. Using it by just cutting it in size for example would brick your machine!
Right, so this threw me off as the steps down to 14 seemed only to relate to SMIP signing.
So I can try the guide for unlocking flash descriptor, however,
if I redo the guide only skipping 7 and 13, for cleaning ME region, using the ME region only dump I have, then I should end up with a configured but cleaned ME dump I can reflash by itself?
In that way, I won’t have to worry about the locked regions, right?
Right, so theoretically padding out the cleaned ME only bin would give me a file that could be applied to the ME region (Mostly asking this theoretically, to get some understanding of how this all works).
What my options then are right now, is try the guide for unlocking write access then write the cleaned version of the whole memory dump.
Or
Get a programmer, desolder the NVRAM IC and read that (with a big catch being that the Surface Pro seems to come with 2 of such ICs.???)
I think I’ll try the no-soldering-method first. For actually using an SPI programmer, what do I do about the 2 ICs situation?
It’s normally different- unlock FD and try to flash ME region separately (fptw64 -ME -f me-region.bin)
Or use a programmer and program the complete chip.
Desoldering isn’t always neccessary, a soic clamp will do for may cases, there are special adaptors for WSON packages, don’t forget to check the voltage of the SPI chip, there’s 3V and 1.8V, for the latter you meed an adapter.
A CH341 programmer is a cheap and useful tool, ‘nice to have’ in any case.
Ah okay, I was just looking at the ICs found in the machine and there was both a Macronix MX25U1635F and Winbond 25Q128JVPQ and it appears from a youtube video I came across that the latter is what I am after. Indeed this is a WSON package with a supply voltage of 3.3v.
You say flash just ME region and not full region, but you recommended a full flash. Regardless, I’ll try just padded ME to fit ME-only-dump size and see how it goes.
Worst case I can resort to the SPI programmer I got in the mail now.
Be careful, both chips have the same (correct) size of 128MBit
So I recommend to make two dumps of the chip which have to be a 100% identical and have a structure in UEFIToolNE! Just in case it’s not the correct chip overwriting without backing up its content would be very unwise.
I said I prefer working on a full dump- it’s easier. One might as well extract the ME region from this complete image when one has access to flash it with fpt (service jumper / unlocked FD / …) afterwards.
I decided that given the chance of breaking my bios, I might as well go the whole way and desolder the chip.
I have desoldered it and read it. Fit with software dumped.
Now I just need to figure out how to unlock the regions in BD so I’m able to re-flash without desoldering one more time, in case that turns out to be needed.
Issue is just that I can’t seem to find where in the bin those are, no matter how much I re-read the guide and try.
FIT made a new dump that had quite a lot different, so just built 2 bins from FIT with and without changed permissions, then used the diff to find and change the hex values in my cleaned dump. I’ve written it back to the IC and will try to solder that back on the board.
