HP Compaq Elite 8300 SFF, Intel Q77 Express, BIOS K01 v03.08
I’ll just leave it here in case something will be looking for the same.
I was trying first to integrate a NVMe module, then since I’ve already dig down, I’ve decided to upgrade the ME as well.
7 tools were used for that: UEFITool 0.28.0, UEFITool NE A59, Flash Image Tool v22.214.171.1246 (FIT) and Flash Programming Tool (FPT) (DOS variant under FreeDOS 1.3 Live CD) from ME System Tools v8 r3, WinMerge for ME DATA comparison, Hex Editor Neo Professional for hex comparison and corrections.
MMTool Aptio 4.50.0023 was corrupting a pad file thus was thrown away.
UEFITool was corrupting both a ZeroVector and a Checksum of this BIOS region root filesystem.
Flash Image Tool was reordering a ME/BIOS/(empty)PDR regions while building an image.
Problems & Solutions
Original BIOS file is signed by HP, so HP user tools won’t flash a modified BIOS it because of the signature mismatch unless you’ll find out how to generate the proper signature: you may need a quantum computer for that in case HP uses a strong signature.
BIOS update file provided by HP contains ME region as well as expected BIOS region but while flashing it using a HP UEFI flash menu invoked by pressing Esc - ME region stays intact in spite of an unlocked write-unprotected ME region, I don’t know why. Maybe ME region could be updated only by HP DOS update tool provided with the BIOS file or even only under Windows using their Windows tool from the same package. I’ve lost so much time playing around, that at the end of the day it was easier to build a complete flash image for me from several pieces.
Since both MMTool and UEFITool were generating image files with some discrepancies and senior members of the forum were telling me that they don’t see any problems - I’ve decided that I need to dump the whole SPI flash image for a backup purpose in a worst case scenario, not only some specific regions of a flash memory.
Flash Programming Tool was used for that but it won’t succeed to read a ME region unless you unlock it.
Later, after making a full dump, I’ve discovered, that BIOS region is locked for writing: I was trying to flash my full original dump.
Flash Descriptors region with unlocked variables flashing, HDA_SDO/GPIO33 (a.k.a. “Pinmod”) shorting, pressing Win+[left arrow]+[right arrow] or Win+B while powering up, setting a variables from a DXE “Setup” driver using a EFI shell - none of these attempts were succeeded. (link for the reference)
There were two pairs of (un?)documented pinheads and one (un?)documented pair of pin pads on a board.
Pin pad BBR - according an internet search results this is a boot block recovery for a crisis situation. I didn’t try this, but I assume it will load a BIOS file from the root of FAT32 storage device or optical disk drive attached by USB/SATA. I’m not sure if it validates the signature and if it unlocks all regions. This was not my first goal to dump the flash image.
FDO pin heads - appears to be a Flash Descriptor Override.
After booting with a shorted FDO I could dump the whole flash image by Flash Programming Tool.
But I wasn’t able to flash it back: BIOS region was write-restricted. (Error 28: Protected Range Registers are currently set by BIOS, preventing flash access.)
BB pin heads - I’m not sure if it stands for a BIOS Block or Boot Block, but booting with a shorted BB and FDO pins I could dump the whole flash image and write it as well.
8-pin test clip connection for flashing with a hardware SPI programmer either desoldering / programming / soldering back looks hardly possible on this board because the chip is located very close to a RAM slot. Pins are right under the RAM slot lock, so I couldn’t get there neither with soldering iron I have nor with a clip. Soldering without destroying a RAM slot is possible, but I don’t have enough skills and a proper soldering iron for the task. Test clip - maybe this is possible after cutting things off from a test clip.
Since I’ve found out a way to dump the whole flash image (fpt -d spi.bin), I’ve prepared and flashed the whole image (not by regions) as well (fpt -f spi.bin, fpt -greset). I’ve updated the BIOS to the latest version from HP prior to dumping it.
5.1. For NVMe module - UEFITool 0.28.0 was used (thanks for a manual). Original ZeroVector and a Checksum of a BIOS region root filesystem was reverted manually using a hex editor - due to some unexpected behaviour of UEFITool creating a discrepancy while rebuilding images.
At this step I got a proper flash image with a NVMe module.
ME region from my dump was very old, older than the update from HP, I don’t know why it was not updating even with FDO pins shorted.
In case I could update ME region using HP tools - maybe I would skip the next part. Anyway, I was going to use AMT but latest BIOS update from HP had it older than here.
5.2. I’ve extracted the whole ME region as is from HP BIOS update file using UEFITool NE A59 and have replaced the same whole region in my full flash image using UEFITool 0.28.0.
At this step I got a proper flash image with a NVMe module and with a latest available HP ME update.
5.3. I’ve decompressed my image using Flash Image Tool, because I need to preserve a DATA part from HP BIOS update file ME region upgrading only a CODE part to ME 8 5MB v126.96.36.19902. I’ve replaced the ME Region.bin (thanks for a manual) and built the image. However, Flash Image Tool has reordered the regions, also there were some discrepancies between the master header / Flash Descriptors of the image. So I’ve extracted the whole ME region as is from this corrupted image using UEFITool NE A59 and simply replaced the same whole region in my full flash image using UEFITool 0.28.0.
At this step I got a proper flash image with a NVMe module, with a ME DATA from the latest available HP ME update, with a ME CODE upgraded to the latest available from the firmware repository on this forum.
I’m unable to share my image file since it does have my unique GBE MAC address / maybe some other serial numbers. I think it is pretty easy to prepare update files that could be flashed by fpt -bios -f bios.bin and fpt -me -f me.bin.
Other variants of this laptop hp-dk-xxxx seem to have a native functioning m.2 nvme slot and they have the same bios as per the hp support website
After soldering in the m.2 drive, the nvme ssd I had did not get detected in bios and didn’t work (though it would get warm)…which meant it was either a hardware issue (missing components) or it was blocked in BIOS.
To maximize my chances of getting a working drive, I ordered an m.2 nvme to m.2 a/e adapter (x1 lane limitation on adapter) and plugged it into my wifi module slot (after removing the wifi card). This worked and I was able to clone my emmc drive into this nvme and make it bootable. I expected at least 500-600 MB/s speeds for the x1 lane, however I am getting read speeds around 200 MB/s (the drive is rated at 2400MB/s for x4 lanes). On checking the CPUz utility, I saw that link width for the NVME was at 2.5 GT/s (and showed PCI 2.0 even though my laptop mainboard is a PCI 3.0). It also showed the native emmc was operating at SATA II even though SATA III was available.
Seeing the above scenarios, 2 thoughts came to mind:
The m.2 nvme slot (whose socket was factory unsoldered), may actually be disabled in BIOS
There is probably an m.2 speed bottleneck and m.2 pcie version setting (and also perhaps sata speed settings) within the BIOS
I went ahead and opened up my backed up BIOS (using the universal bios backup tool) and opened it within the AMIBCP aptio tool as per advise from youtube user Barricuda (Bios menu unlock via IFR edit - YouTube). Thats where I found the the Advanced features in the bios. I used Barricuda’s technique to unlock the Advanced settings and create a .rom BIOS file (Points 2,3 and 4 of the pdf document)
I basically had the following queries:
i) Am I on the right track to unlock the Advanced settings and what is the risk of bricking the Bios ?
Would I likely get any “checksum” errors as I have heard newer bioses (2015 onwards) have some sort of security protection that will either cause a flash failure or cause a bricked and unusable bios [incidentally the size of the bios rom file remains the same after making the changes using your method- since I think I am just moving the code out of the if-endif loop and not adding or subtracting information ?..does this mean there is no chance of a checksum error or a very low chance?..
If there is a risk of a checksum error in making the hidden Advanced option visible using this method, would it be safer for me to just try and toggle and change the pcie speed from x1 to x4 in the AMI BCP tool menu, and not unhiding the whole Advanced options, as I have that option as well ]
ii) Flashing procedure:
which flash tools would you recommend ? I am planning on using the AMI Aptio 5 flash tool but would it be better to use the Flashrom utility ?
if the bios is corrupted on flashing, whats the best bios recovery method…would it be by using a usb bootable disk with the old stock Bios .rom file and reflashing using tools like “flashrom” or “Flash programming tool” or is there a chance that the usb drive won’t boot since the usb boot drive might need the bios to be able to “find it”.
My hp laptop also has a usb bios recovery drive method where you can boot the computer and press “windows key + B + power on” but sometimes this doesn’t work.
Is using the ru.efi tool a better option than flashing ?
iii) Do you think the m.2 nvme drive is disabled or somehow enabled as a SATA port ? It is a key m port so I would assume it was an nvme (like the laptops other variants)…would switching off the sata ports (also in the advanced menus)
Thanks so much for bearing with the long post.
Welcome to the Win-RAID Forum!
Since I never tried to flash a modded BIOS into a HP mainboard, I cannot really help you.
Many of your questions are off-topic and should be asked within a better matching Sub-Forum. Regarding the M.2 slots you should check their functionality (WiFi/Storage) and data transfer protocol (NVMe/AHCI), before you start with the BIOS modding.
Dieter (alias Fernando)
Thanks for the super prompt reply. Just had one lingering doubt that was more of a “general” BIOS modding related question for which you may have experience- during the flashing procedure itself, will the flashing program let me know for sure whether the procedure (just the flashing part itself) was a) a success; or b) a failure (perhaps causing an immediately bricked BIOS) ?
The reason I ask this is lets say the flashing was a failure, but did not immediately “brick” the laptop, I could then immediately reflash the original BIOS back…but if the “bricking” is only evident on restarting the computer, then perhaps there is more risk I can’t boot into a USB recovery, etc. to reflash the BIOS with the original rom file.
Lastly, I am getting an option to flash the main BIOS region or all regions and there are some other minor options too (AFUWIN_flashing_options.jpg - Google Drive) …which is better ? Also, are there some options seen here that I should be careful to enable/unable before starting the flashing ?
Read the links to understand the procedures and perform as admin CMD: FPT.exe -d SPI.bin (a full backup to store safelly)
and FPT.exe -bios -d biosreg.bin, if successful reading, in this one only a bios region only backup will be created.
Then this file if FPT.exe -bios -f biosreg.bin can be flashed, it means that its unlocked and you may use it to flash a mod bios region.
If you had read the links Fernando provided, then you already have know that AMI tools will not work as the ASUS bios security prevents modified files from being flashed, if it was possible all this guides and the alternatives i posted weren’t needed right…
Same situation prevents it in bios with EZ Flash… welcome to the mod world…
Hello! It seems that the /GAN command is missing…even though i’ve downloaded the 64bit version of the afuwin. Is there another version that the GAN command will work? When I try, it feels like nothing work. The only message there was, “Press any key bla bla bla” The description on the text was “AMI Firmware Update utility(APTIO) for pure 64bits WINDOWS.”
Did I use the wrong version?
Yes, you obviously used a not working AFUWIN version, because you haven’t read the related part of the start post.
Bad consequence for MeatWar and me: We both wasted our free time unnecessarily for you.
Don’t expect any further support from my side.