[GUIDE] Grub Fix Intel FPT Error 280 or 368 - BIOS Lock Asus/Other Mod BIOS Flash

@Lost_N_BIOS
Humm… I’ll have to think about it
Just to know, in order to be able to flash from a native DOS environment, what I will have to do is:
1- Boot from EFI shell (grub) to disable bios lock (because the bios re-locks at each power down)
2- Reboot from a DOS environment boot media (with the FPT tools and bios files located somewhere on it)
3- Execute the relevant FPTw command line for flashing

Is that right?

@Neutral67fr - BIOS lock stays disabled once you set it from grub using setup_var, it’s only re-enabled if you reflash a stock BIOS region.
Yes, you are correct though, if you currently are using stock BIOS region, unlock BIOS lock again, boot to DOS and flash using DOS FPT and see if you get same error. DOS FPT is in package with the windows one, just in DOS folder.
Put all those files on USB along with stock and mod BIOS regions, and then try the FPT flash there instead (No w after FPT in DOS)

@Lost_N_BIOS
OK, one step ahead but still not arrived… I could flash the modded bios file successfully from DOS. So the issue from Windows could be a driver matter.
I then flashed the modded bios (the latest one you have revised built with the small NVMe module inserted as compressed) but the bios doesn’t seem to handle the NVMe driver. I have tried to install Windows from my USB install media, but the system can’t reboot on the SSD, there is no UEFI boot found.

@Neutral67fr - good you were able to finally flash mod BIOS from DOS! So yes, must be a driver or windows version issue.

For NVME system install, you must follow all steps exactly as written in step #4 of this guide, many people suffer issues trying to install and think the mod failed if they do not follow the guide
[Guide] How to get full NVMe support for all Systems with an AMI UEFI BIOS

Do not skip any step, or it will fail. You now have NVME Mod BIOS flashed in successfully, leave it there and ask for help on the thread above, users there will be able to best advise you based on the errors you get or where it stops/fails during installation so be sure to describe exactly what’s happening.

@Lost_N_BIOS
I followed the steps of the guide for the install (no other drive connected, boot from an UEFI windows install stick, disabled CSM and secure boot, deleted keys… and so on…) so it must be written somewhere that I don’t have to use a NVMe SSD in my laptop
The SSD has returned into its packaging and my older 2.5" Sata SSD retrieved his place ^^
I don’t want to have to tinker with the system each time I will have to reinstall the system (it surely will happen) or to let all this stuff to the next owner in case I resell the laptop (which may happen as I’m surely going to buy a ne one)…

Thank you one more time for all your precious time and efforts , but NOW I definitely give up.

@Neutral67fr - Once you get it installed you can then image that install and have a clean image NVME ready that you can restore with anytime, so much less hassle then doing a clean install any time in the future.

You’re welcome, but sorry you was not able to get this going! I’m sure if you ask in the NVME thread they’ll have the answer for you right away.
I’ve never used NVME, so I’m not a person who can help you with that, which is why I said you needed to ask in that thread for a proper answer now that your BIOS is flashed and NVME ready.

Hi everyone! New user here, so, sorry if I ask something that’s really obvious, but I’ve been scouring this forum, MDL, bios-mods, and the wayback version of donovan6000’s site for almost a week now and I’m still not 100% sure.

First of all, my end goal is to mod my vBios to undervolt my GPU or and/change its clocks. My GPU starts thermally throttling at 70c, and reduces itself to 1/4 normal performance when that happens.

HP Zbook Studio G3 laptop. I’ve been able to dump, extract, and modify my vBIOS, and pack it back into a system ROM, but I can’t flash using HP’s tools, FPTw, or AMIAFU.

I keep reading about RSA signatures, but I’m not 100% sure my BIOS is signed, or if it is, by what mechanism. Andy’s Phoenix tool doesn’t say anything in SLIC.log about decrypting anything. My ROM I extracted from a BIOS update is a .BIN file, not .FD. I read @CodeRush 's russian blog posts on removing RSA checks, but I couldn’t find anything that definitely looked like a RSA-1024 key in any of the padding sections, even after a couple hours of staring at the hex.

I think I also read somewhere @Lost_N_BIOS was saying with RSA-verified HP BIOSes, often the Option ROM sections aren’t verified, and I’ve seen people able to make small changes to things like this, so I got sorta encouraged that this might work.

Flashing using HP’s tool looks like it works fine in windows, but what it looks like it’s doing is copying the ROM file to the EFI partition under \EFI\HP\BIOS\New then rebooting into a EFI program that gives me “Signature Verification Failed” when it tries to actually flash the modified ROM.

FPTw dumps the BIOS fine, but when I try to flash back the unmodified BIOS I just dumped, it gives Error 368. I’ve checked with MEInfo that there’s no Measured Boot, Verified Boot, or Boot Guard. I’ve checked for such settings in my BIOS using HP BIOS Configuration Utility. I was able to find a few settings there, BIOS Rollback Policy, Lock BIOS Version, BIOS Data Recovery Policy, and SureStart Production Mode. I’ve set all of these to disabled, but I still get Error 368 from FPTw. I found the Setup DXE and used Universal IFR Extractor on it, but I couldn’t find any additional “Lock BIOS” type settings that are hidden in the menus.

Sooo, that’s where I’m at. I’m at the point where the only other thing I can think to try is to use a SPI programmer and flash the chip manually. I don’t have a CH341A programmer, but I have a raspberry pi and some arduinos, and I’m sure I could solder 8 wires to the winbond w25q128 chip I’ve identified as probably being my BIOS.

I’d rather not resort to that if I can help it though. Is there anything I’ve missed in the software world?

And then, if I do flash it with a programmer, what do you suppose the odds are it’ll work?

Thanks in advance if anyone can help me!

@pseudolobster - undervolting for GPU cannot be done in BIOS usually, change clocks can sometimes if it’s the onboard GPU inside the CPU. Otherwise all that is done inside vBIOS for the card, if dedicated (not onboard, inside CPU)
Sounds like you sorted all that out though, sorry was replying while I read your comments

Please link me to your BIOS, preferably your FPT dump of BIOS region (FPTw.exe -bios -d biosreg.bin) That’s what you modified correct? If not, modify that now instead, and send me that.
Error 368 in FPT is BIOS lock, so seems like it’s set we just need to find

Your mention of HP Sure Start is not a good sign! Often, once you do flash in a mod BIOS on a system that has Sure Start, after reboot Sure Start kicks in and auto recovers stock BIOS back to the chip.
There is a few versions of this though, so not sure how they all act with mod BIOS, but you’ll find out soon enough This also applies the same when using a programmer, unfortunately, that’s how I first ran into Sure Start, helping someone here on a few HP’s with a programmer.

I checked stock BIOS N82, and I can’t find your setuputility module, what is it’s GUID

Sure! See attached. Edit: Hosted here: https://u.teknik.io/aa05o.zip. I’ve been working with version 1.18 because it’s what I’ve got flashed right now. It’s one of the oldest versions I can revert to (in 1.15 there was a change that prevents previous versions) but there’s not much change in the layout of future versions. I can flash and redump and remodify a 1.37 copy if needed.

If I’m not mistaken it’s A0A3FEC9-FE9D-4CE7-8DB4-9C54F3F19E5A_0117.

@pseudolobster - Thanks for the GUID, that only looks like half the BIOS, correct?. What all menu sections do you see in the BIOS? Can you zip me up and image of each one, just a single shot of each main section, maybe with that I can find the rest.
How did you find this GUID anyway? I looked for a while and no luck, but of course I didn’t know any exact BIOS settings to use as search terms either, but none of the usual brought up anything good.

Idk if it’s the total, complete, full bios as stored on the chip, I’ve never dumped it directly with a programmer. However, all the HP updates are 9MB, as are what I’ve dumped from FPTw, so I assume it’s complete. The chip holds 16MB, but the images only seem to be 9216KB.

Here’s a dump of the EFI DXE module I think is the setup, as well as the extracted IFR from it, as well as a listing of all the BIOS settings for this laptop, and what their current settings are. https://u.teknik.io/NwKaZ.zip

I forget what I searched for but it was something like "Boot Order" or some other setting I found in the BIOS.

Edit: I just remembered it was "Backlit keyboard timeout" I searched for, in unicode. The other match for it, module 3CC7F52A-C18F-4EF4-BEF9-C36C69A0F1F2 didn’t parse with IFR extractor.

Oh yeah, so about surestart. It looks like with my BIOS version, SureStart has a few options that can be changed. "BIOS Data Recovery Policy" can be set to manual or automatic. If it’s automatic, it reflashes without user intervention. If it’s set to manual, the system boots up and starts flashing numlock/capslock lights, and you must enter a keyboard shortcut to reflash (ESC + Up + Down, I think)

The following settings are related to Sure Start:

Verify Boot Block on Every Boot
BIOS Data Recovery Policy
Prompt on Network Controller Configuration Change
Restore Network Controller Configuration to the factory defaults
Lock BIOS Version

Most of these are missing in the config dump I posted, since they all seem to be controlled by one setting, "SureStart Production Mode". This setting is greyed out in the BIOS, but using the HP BIOS Config utility I was able to change the setting. And it seemed like it worked, too. Next time I rebooted I got a prompt like "Are you sure you want to disable Sure Start".

So, I’m cautiously optimistic, but I think that might have disabled Sure Start.

More info about surestart here: http://h10032.www1.hp.com/ctg/Manual/c05163901

@pseudolobster - I meant that module and it’s IFR output, that’s not the complete BIOS setup that you see when in BIOS correct? Looked like a few sections missing, but maybe not, I only looked at the included title sections at the top when I mentioned that.
I don’t need dumps or IFR from you, I get that myself once you showed me the GUID. I’ll check out your BIOS settings list though, thanks!

Yes, that sounds like the updated version of Sure Start that I researched previously, so no you cannot modify this BIOS or it will auto recover.
Some things can be updated without this happening, such as ME and microcodes, possibly a few other items, but nothing in setup module can be modified (already tested this at length on a few different HP Models with Sure Start, tested with FPT flash and via programmer same outcome)
Disabling Sure Start only means disabling your availability of changing the settings, I know that doesn’t make sense but it’s explained in several Sure Start PDF’s I read back when I first ran into this terrible HP creation!
I know all about Sure Start, have read several in depth articles not by HP, and several generations of HP PDF’s too.

We can test a change if you want, but I already know the outcome here, instant auto-recovery on reboot (So it’s safe to test, but bad for the goal here)
Can’t find BIOS Lock to disable anyway, but even if we did it would auto recover, and even if you had a flash programmer you’re changed vBIOS module will invoke Sure Start Disabled or not, and it will be replaced.
Unless it’s one of the non-protected modules, we didn’t test this previously, so you may get lucky, but I doubt it since we tested many things within main volume and all failed miserably

So where we’re at now is you need CH341A and SOIC8 test clip, both are around $2.50 on ebay, but take 3-5 weeks for delivery, you can pay more on ebay or amazon or other places and get them shipped faster if you don’t want to wait.
And once that arrives, Sure Start will be invoked upon programming in modified BIOS, so up to you if you want to put in the few $$ and time waiting to confirm that for yourself (I already know )

I’m not sure. I mean it looks complete, and it even has some disabled advanced chipset settings that’d be fun to unlock if possible. But it’s 250kb and it’s hard to read, so I can’t really tell if anything’s missing.

Ugh. That’s really unfortunate to hear. I don’t really need to change anything in setup though. Maybe there’s a chance the option roms, specifically the vbioses are in unprotected space?

If there’s nothing else anyone can think of software-wise to flash this, no way to get around Error 368, I think I’ll have to go this route. I’m foolish and impatient though, so instead of waiting 3-5 weeks I think I’m going to desolder the chip and see if I can flash it with an arduino or raspberry pi.

The dump I got from FPT should be suitable to flash as-is? I’m not going to lose my serial number or SLIC or break my ME or anything weird by using that dump? Or should I try and dump the eeprom contents via SPI then do mods on that?

Thanks so much for your help!

So that is the only main sections in your BIOS, these four below?
Main (0x225 from string package 0x0)
Security (0x31C from string package 0x0)
Advanced (0x18B from string package 0x0)
UEFI Drivers (0x350 from string package 0x0

Yes, you are correct and we never tested if vBIOS was in protected area or not, but we did change out a few different things in volume that contained setup and all failed and invoked Sure Start recovery. But yes, vBIOS was not tested, so you could get lucky,

No, you cannot program FPT dump, that’s only partial BIOS (BIOS region only, there is FD, ME, GbE and possibly other regions too aside from BIOS region). Dump with your programmer setup once you get it off the board, then re-apply your vBIOS change to that file, then program back in.
FPT dump contains everything in your BIOS region on the board, such as serial, UUID etc anything like that, but you can’t use it for this. Dump with programmer will also contain everything on chip, then edit it, then put back, all will remain same as it is now.
No, SLIC, ME etc all will be fine as long as you program them back in as complete BIOS. Dump entire BIOS, modify, reprogram entire BIOS, done and then we see if Sure Start auto recovers the board or not.

Before you do any of that make sure your vBIOS modification was done correctly, if you extracted body make sure you insert body, if you extracted as-is make sure you replace as-is, and if you extract/replace as-is, make sure UEFITool corrects the header upon rebuild.
Also, if there is a checksum on the vBIOS make sure you correct it after your mod changes are done.

Yep, those are the four tabs at the top of the screen. No lock that you can see, eh? Nuts. I thought it might be:

0x46A65 		Checkbox: Lock BIOS Version, VarStoreInfo (VarOffset/VarName): 0x2, VarStore: 0x1C, QuestionId: 0x11 {06 8E 01 03 02 03 11 00 1C 00 02 00 00 00}
 

I can’t find BIOS lock, but it’s normally in setup, let me look through it in assembly and see if I can find it there. The setting you mentioned above looks to be a lockout from flashing, to lock in current BIOS version only.

Yes, you’re correct, when it fails to accept a mod BIOS Sure Start auto recovers from another chip (Which we also modified, and it still recovered from some third source which we could not find on the board)

Greetings, I have been trying to modify one DAMNING parameter, Which is HT for a laptop of ASUS TP501UQK.

I have tried to use fptw64, saying bios is locked and follow the guide, Still can’t find a thing to pass through.

@1337umbra - if you really only need to change one setting, you can use grub w/ setup_var to change that setting (instead of BIOS lock, change HT Setting value), instead of modifying a BIOS image and then flashing mod BIOS.
I see what your issue is though, both IFR extractors I have can’t get valid IFR output from the setup module - please dump your BIOS via FPT and send me a copy to see if that works better or not, sometimes this does >> FPTw.exe -bios -d biosreg.bin (Don’t use FPTw64, and you must be using Admin command prompt too)
Never mind, I figured it out! You have to use MMTool (5.02) to extract setup (As-is), then IFR output can be generated properly. I’m not sure why this works, since I tried extracting the entire setup module as-is with UEFITool too and it failed (These outputs both are hex identical match) - got that to work to finally, but selecting the file, wait a bit, hit extract, wait a bit, then save

Your BIOS lock Variable >>
One Of: BIOS Lock, VarStoreInfo (VarOffset/VarName): 0x89E, VarStore: 0x1, QuestionId: 0x95B, Size: 1, Min: 0x0, Max 0x1, Step: 0x0 {05 91 06 08 07 08 5B 09 01 00 9E 08 10 10 00 01 00}
Default: DefaultId: 0x0, Value (8 bit): 0x1 {5B 06 00 00 00 01}
One Of Option: Disabled, Value (8 bit): 0x0 (default MFG) {09 07 04 00 20 00 00}
One Of Option: Enabled, Value (8 bit): 0x1 {09 07 03 00 00 00 01}

Your HT Variable >>
One Of: Hyper-Threading, VarStoreInfo (VarOffset/VarName): 0x4AD, VarStore: 0x1, QuestionId: 0x60, Size: 1, Min: 0x0, Max 0x1, Step: 0x0 {05 91 8E 01 8F 01 60 00 01 00 AD 04 10 10 00 01 00}
One Of Option: Disabled, Value (8 bit): 0x0 {09 07 04 00 00 00 00}
One Of Option: Enabled, Value (8 bit): 0x1 (default) {09 07 03 00 30 00 01}

Here is your setup module extracted As-is (Entire module, not PE32) with UEFITool and it’s IFR output
http://s000.tinyupload.com/index.php?fil…311422513059684

If you want to change the HT setting instead of flashing in a mod BIOS, at grub prompt >> setup_var 0x4AD 0x0
That will disable it, default is enabled. (0x1)

Hmmmmmm. I have read the setup (which is 899407D7 somehow) via a being you implied, have read the note
Although the version is 301, I might flash 306 later to follow up.

It is revealed the hyper threading is enabled by default and there was no way to modify, I also act foolish to ask the seller if there is a way to tune. Of course they knew, they do too evil compared with some brand-aware competions. If these sellers only let users use actual cores or giving a choice to use actual cores or fake cores, then the issue would be minimized. I have been following a major client for days, has discovered only using actual cores after checking CPU models, there is six actual cores so user is safe in mose cases.

May I ask , where I can find suitable Grub to set up? I only have found efi shell for the time being.





I used to follow a client who purchases an enginnering sample system with four CPUs ( each contains ten actual cores) , if HT enabled, a prefered program, which is a rendering software, acts as junk