[Guide] Manual AMI UEFI BIOS Modding

Hi!
I checked both dumps, - also without changes. I tried to change the BIOS Security Configuration (BIOS interface lock) in two places: in menu Chipset & PCH-IO Configuration, and Main & DIR(no name). Also tried this combination with all dumps (BIOS interface lock>disabled and RTC Ram Lock>disabled).
This bios is probably bewitched ?!..

BIOS interface lock doesn’t have anything to do with this, so no need to waste time there. Give me some more time and I will try other methods instead.

Sorry @alex0506 - I can’t figure this one out - If I learn method for similar BIOS like this one I will remember and come back to let you know

Thank you for taking the time for me.

Hi everyone,

I have an Intel S1200BTS (Server) Board. It has AMI Aptio 4 firmware.
It has Winbond W25Q64BVSIG SOIC16 (16pin-EEPROM-flash-Chip) with size of 8192 KibiBytes

UEFI-BIOS Files:
https://downloadcenter.intel.com/de/down…_02.00.0044.zip

I was and am unsure which file to mod for new CPU-microcodes:
there are three 8192 KiByte Files in it:
BTP_044_LC.ROM : 8192 KiBytes =8,388,608 Bytes
BTP_044_RM.ROM : 8192 KiBytes =8,388,608 Bytes
BTP_044_SE.ROM : 8192 KiBytes =8,388,608 Bytes

BML.rom : 3,407,872 Bytes
iFlash32.efi : 8,517,120 Bytes

ME_02_02_00_049_LC.cap : 1,903,632 Bytes
ME_02_02_00_049_SE.cap : 1,903,632 Bytes

R0044.cap : 4,916,208 Bytes <==BIOS-Update-file <=see ReleaseNotes_BIOS_02.00.0044.txt
R0044Rec.cap : 5,571,568 Bytes <=(Bootable-recovery-image?) <=see ReleaseNotes_BIOS_02.00.0044.txt

That R0044.cap, and those three (8192-Bytes-BTP*.ROM) all include CPU-microcodes:

First I had updated BIOS to 02.00.0044 and ME firmware the regular way via EFI shell see (ReleaseNotes_BIOS_02.00.0044.txt =>INSTALLATION NOTES). Worked fine: "Copy IFlash32.efi and BIOS .CAP file to an HD or USB Flash Drive
(Do not use the Rec.CAP file as it will clear NVRAM and should
only be used for Recovery - See Recovery Instructions below {…} )"


Then for modding, I was unsure which file to take for the CPU microcode update mod for flashing being suitable for proper board function after flashing.
I didn’t want to bother forum, so I modded the “R0044.cap” BIOS-update-file with UEFI-BIOS-updater (older version 1.70, from ca. Nov 2018)
And replaced the original R0044.cap with modded R0044.cap and used that in the regular EFI-environment-flash-update-procedure, microcodes successfully updated.

After flashing the mainboard booted fine, also OS: Xeon E3-1260L V1 (Sandy Bridge) Microcode-CPUID 206a7
Then I ran memtest with Multithreading, after few minutes the mainboard suddenly turned off.
It seems to not turn on completely/correctly now, not sure, not booting (but status LED shining).
CMOS reset didn’t help. The built-in-recovery-mode via Jumper also didn’t help.
I fear modding R0044.cap was not correct file.
Updated was to cpu-microcode “cpu206A7_plat12_ver0000002E_2018-04-10_PRD_576F65DE.bin”.
This microcode works fine, tested with memtest in Multithreading e.g. tested on another board (Gigabyte Z77X-UD5H),
so I can exclude microcode issue.

I now got my TL866II Plus Programmer by ICSP-port via-In-Circuit and a 16Pin SOIC-test clip and a 4µF Capacitor between Vcc and GND, and MISO and MOSI with 30pF capacitor to ground, (using a small breadboard).
PSU attached and board turned on via PSU-ATX-green-wire connected with black wire and played a bit with edge-triggered-reset or power-button
RST-BUTTON-Pin, and board beeping, but not booting.

The Chip-ID from W25Q64BVSIG EEPROM from S1200BTS server board is now detected correctly and I’ve backed up EEPROM content successfully, and reread EEPROM contents a few times, checksum identical.
Also erased EEPROM and rewrote EEPROM backup content a few times, checksum identical. :slight_smile:

Now I’d like to try to recover the original mainboard’s firmware
but I’m not sure which of those to take for the programmer (see on the top and attached download link)

I’m not sure which of those files is suitable for recovering the mainboard with the programmer.
I’d need a tip? Or do I need a tool to extract a suitable 8192 Byte firmware image, or just grab one of those three BTP_044
.ROM-8192-KiByte-files? (matching to EEPROM size)

Intel BIOS can usually only be modified by dump with programmer, then mod, then program back. However, the main reason for that is normally it’s impossible to flash mod Intel BIOS, seems you were able to do that on this system
Please dump your current BIOS and upload a copy. I am unsure about your final question, only thing suitable for recovery back to stock is a copy of your dumped BIOS before you flashed in the edited BIOS.

BTP_044_LC.ROM
BTP_044_RM.ROM
BTP_044_SE.ROM

To know which of those is used in your system, run the stock flasher, doesn’t it show you system ID or platform SKU etc?

I checked, and startup.nsh and updBIOS.nsh both flash BIOS via this command >> iflash32 /u /ni R0044.cap

This is all I see related/similar to the ROM’s in the release notes
- R0038 supports the BTP RM SKU. BTP_038_RM.ROM is used to update BIOS ROM on BTP RM SKU. The ME capsule is the same one as LC SKU.
- R0038 and above cannot be downgraded to R0037 or earlier version On BTP RM SKU. On LC/SE SKU, it has not the limitation.

So that file used to update BIOS normally, none of the above .ROM files used for any stock updating (Since partial BIOS update is used to update the BIOS)
I’d need to see your original dumped BIOS before you did anything to tell you which of those ROMs is most similar to your stock BIOS, if you can’t find proper SKU/ID info.
Maybe with current dumped BIOS I can figure this out and fix it for you.

When you “Updated normal way” what BIOS did you use? You said “BIOS.CAP” which is not part of the BIOS download package, this is why I asked to clarify.
Modifying R0044.CAP would possibly work, and as you saw it updated the microcodes, but that’s not how I would do this and I’m unsure how you can correct it unless you have a pre-all this backup made.

Hi all, I’m new to the forum and have been spending the last couple of days reading all the wonderful AMI UEFI modding guides from Fernando, Lost_N_Bios and Sonix.
I hope some of you guys can help me out with something:

I own an MSI notebook with an AMI Aptio V BIOS (Intel 6700HQ, HD520, Intel 100 series chipset) and I’m trying to update the microcode since MSI isn’t going to release a new BIOS for my system anymore.

The easiest way would be to use UBUtool but since MSI has an OEM BIOS Flash protection and Bios Lock I cannot flash the modded bios using the built-in UEFI Bios flash utility. Got ‘invalid format’ error like some Gigabyte boards here.

So I’m stuck extracting and flashing the BIOS using the appropriate Intel FPT utility for my ME version or the public AMI AFUWIN tool. Problem is that UEFITool NE crashes when I try to open these extracted ROMs.
Opening them in MMTool or standard UEFITool works Ok, but UEFITool displays the message “parseVolume: volume has FFS file with invalid size” and “parseBios: volume parsing failed with error Invalid file”.

Is it safe for me to mod the extracted rom using the default UEFITool and afterwards flashing using FPT (after removing the write protection by changing the Setup Variable) or do you guys advise me to back off what I’m doing before I brick my lovely laptop? :slight_smile:

Hey @snixel - Great you have been reading around, hope you have absorbed some good knowledge!!
I hate MSI… At least for BIOS Menu editing, but I’m learning to kick its butt more and more each time I do one, so win/win for me!

Since you only need microcodes for now, let’s discuss how you tried to flash mod BIOS first. Did you edit stock BIOS, then rename your mod BIOS to stock bios name and extension and then try to flash from within BIOS, this often works for MSI?

BIOS Lock only needs disabled if you dump your BIOS region with FPT, modify that, and then reflash it. And if you do that, you shouldn’t try to be flashing that within BIOS built in flash utility anyway, only flash FPT dump with FPT and never flash stock BIOS anything with FPT
Also, best to not use anything AFU dumped with FPT, and since you can use FPT on your board you should, never use AFU. If you have ever used AFU, please reflash stock BIOS using stock method (M-Flash) from within the BIOS, before you give me the FPT dump requested below.

I cannot tell what’s going on here, so best for me to look at your BIOS before I give you any specific answers. Please link me to your stock BIOS package from MSI, and also upload a copy of your dumped BIOS region from FPT (FPTw.exe -bios -d biosreg.bin)

Your last question there is not defined enough for me to answer you. I’m not sure what “extracted rom” is or how you got it, and “Default UEFITool” is confusing as well unsure what you mean by that, but I can tell you no, do not flash with FPT (See above)



Yeah, seems I picked the wrong brand for BIOS modding :slight_smile: But I’ll post a guide here for MSI boards if I’m successful!



Yes that’s the only thing I tried so far. Modded the original BIOS with UBUTool, renamed it to the original file and tried the built-in BIOS flash, but then I get ‘Invalid BIOS image’.



I’m aware to only flash modded FPT dumps with FPT or only AFU dumps with AFU, but I haven’t tried this yet since this is my first attempt at BIOS modding and my notebook only has one BIOS chip so I’m not so confident on trying for now :slight_smile: As for the BIOS Lock, I read here it was necessary to be able to flash with FPT, so I first tried to see if I was able to disable it before proceeding to the actual flashing.



With extracted rom I meant the BIOS dump from FPT. If I dump the BIOS using FPT (or AFU for that matter) the size is 6MB vs 8MB on the original BIOS file (I guess because it only contains the bios region) and when I try to open the dump with UEFITool NE it crashes, thus I cannot use UBUTool on the dump either because it uses UEFITool NE to do the mods.

With "Default UEFITool" I mean the older 0.26.0 version, that one doesn’t crash when opening the FPT dump but it displays the above errors giving me the bad feeling that isn’t right either.

Only thing that works with the FPT dump is MMTool. I added the new microcode patch with MMTool (removing all the older microcode patches) and then saved it again, that works, but since you guys talk about the FIT table that has to stay intact and since I can’t check the FIT table because UEFITool NE crashes, I haven’t tried flashing that either (too scared to brick :p)

Strange thing is that UEFITool NE doesn’t crash when I use the original stock BIOS. So I had this crazy idea to do the mods using UBUTool on the original stock BIOS, then opening it in MMTool and extracting the newly added CPU patch and updated ROM modules, then afterwards open the FPT dump in MMTool and replace the cpu patch and rom modules with the extracted ones. I figured this way I have a modded FPT dump that I can use to flash with FPT, but I think I’m the first one to try it that way, so again I didn’t try because I’m afraid to brick my notebook :slight_smile:

Anyway I should first learn how to walk before running, so attached you can find an FPT dump from my stock bios (bios.bin) together with a modded version where I only added the latest CPU microcode patch with MMtool (bios_mod.bin). Nothing else was modified.
Does the BIOS need to be reset to defaults before dumping with FPT? Because I did not do that atm.

You can download the official MSI bios for my system here: http://download.msi.com/bos_exe/nb/E14A1IMS.113.zip

Thanks for taking the time to help a newbie out

bios.zip (5.89 MB)

@snixel - It’s OK, MSI BIOS mod for just CPU microcodes is no issue. It’s the unlocking of BIOS menus that’s often a pain, for me anyway, but I’m starting to be able to mess with them more now.
Other mainstream brands same chipset or BIOS type/series etc = no problem, MSI just does things different than most, I assume to try and stop people from easily doing modifications.

UBU does not always make a good BIOS, so this could be why you are getting the error. I’ll have to check and see.

FPT Dumped BIOS should open fine in UEFITool, however since I don’t know the model of this board it could be crashing or not loading due to not being a UEFI BIOS.
Again, I’ll have to check the BIOS out and your dump and then I can tell you more.

Thanks for explaining what you meant about default UEFITool. To me, that is regular UEFITool, and then NE is more advanced but only for inspection or information etc, that the regular one can’t offer.
Both are new, just different usages. And both should be able to open your BIOS, if it’s UEFI BIOS type. Since you can open stock, but not your FPT dump, maybe something is wrong with the dump. Did you use FPT from V11 ME System tools? If not, maybe that is why.

BIOS does not need reset before dumping with FPT.

What is your full model name? I find a few when googling that model, so want to be sure, so I can keep it in a proper folder. Is it MSI GS40 6QE Phantom?

* I checked your BIOS files now, your FPT dump and modified FPT dump open fine for me with UEFITool NE (51-55) and regular (I use 25, but did also check 26). So something wrong on your end, redownload those tools maybe?
FIT in your mod is OK, as is microcode edit in general, as long as your intention was to only have a single microcode in there (506E3). FIT is not 100% properly edited, should have entry count fixed and last 3 entries removed, but is OK to use that way

Your BIOS mod in general, aside from the FIT thing, it should be bootable and OK. So, this simply means you cannot flash mod BIOS using the built in M-Flash app, not all MSI BIOS allow this.
Plus, you cannot flash that without rebuilding it back into a proper full BIOS anyway, so this could also be the reason why it’s telling you no. So you can either still rebuild this into a full 8MB BIOS and again try M-Flash, or just reflash the BIOS region via FPT.
To create full 8MB BIOS, open stock BIOS with UEFITool (25 or 26, in this instance 26 IS OK) and replace BIOS region as-is with your mod FPT BIOS region. Then rename that to stock name and extension and try again. If you still get error, then you will have to flash via FPT



Yes that’s correct, it’s an MSI GS40 6QE Phantom



Do you use the Windows build of UEFITool? I re-downloaded and tried on two different computers, seems only version A54 and A55 crash on the FPT dump. Earlier versions like A53 work fine.
Is there any particular reason why you still use an older version?



Thanks for checking the dump for me :slight_smile: I’ll fix the FIT table with the older A53 version of UEFITool and try to flash with FPT tomorrow.

Yes, I use Windows 7 x64. Your files open fine for me in UEFITool regular version 25/26 and NE 51. You are correct, 54-55 crash, sorry I didn’t notice before and thought I checked them all (I keep NE 51 open and use it all day long for all mods, only open 55 when I correct FIT)
No, no reason I only use 51, just like it I guess. For the regular version yes, there is a reason I only use 25 for modifications, this is due to 26 can break many more BIOS than 25, so I never use 26 unless someone asks me to check something.

For FIT correction, you need to change the entry count from 08 to 05 and that is all. I checked, and the additional entries have all been FF’d already, it just looks off due to the count being incorrect so additional blank entries are shown at FIT in UEFITool NE
Change >> 5F4649545F20202008 >> To >> 5F4649545F20202005
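
The entry-count mismatch described in the post above can be checked on a copy of the dump before anything is flashed. This is an added example, not part of the original thread: the function names and the sample image are constructed, the FIT is located by searching for the `_FIT_` signature rather than by following the FIT pointer, and it goes slightly beyond the post by refusing to patch when the header's checksum-valid (C_V) bit is set.

```python
import struct

FIT_SIGNATURE = b"_FIT_   "      # 5F 46 49 54 5F 20 20 20, the bytes quoted in the post
ENTRY_SIZE = 16                  # every FIT entry, header included, is 16 bytes
BLANK = b"\xFF" * ENTRY_SIZE     # an entry that has been FF'd out


def build_sample(declared=8, types=(0x01, 0x07, 0x07, 0x07), blanks=3):
    """Constructed test image: header, len(types) live entries, `blanks` FF'd entries."""
    header = FIT_SIGNATURE + declared.to_bytes(3, "little") + b"\x00"
    header += struct.pack("<HBB", 0x0100, 0x00, 0x00)   # version, type 0 (C_V clear), checksum
    body = b""
    for i, entry_type in enumerate(types):
        body += struct.pack("<Q", 0xFFE00000 + i * 0x10000)   # made-up component address
        body += b"\x00" * 4 + struct.pack("<HBB", 0x0100, entry_type, 0x00)
    return b"\x00" * 64 + header + body + BLANK * blanks + b"\x00" * 64


def inspect_fit(image):
    """Compare the declared entry count with the entries that are actually populated."""
    off = image.find(FIT_SIGNATURE)          # assumption: signature search, no FIT pointer lookup
    if off < 0:
        raise ValueError("no _FIT_ signature in image")
    declared = int.from_bytes(image[off + 8:off + 11], "little")
    populated, blank, gap = 1, 0, False      # the header itself counts as entry 1
    for i in range(1, declared):
        entry = image[off + i * ENTRY_SIZE:off + (i + 1) * ENTRY_SIZE]
        if len(entry) < ENTRY_SIZE:
            raise ValueError("declared count runs past the end of the image")
        if entry == BLANK:
            blank += 1
        else:
            gap = gap or blank > 0           # live entry after a blank one: do not auto-fix
            populated += 1
    return {"offset": off, "declared": declared, "populated": populated,
            "blank": blank, "gap": gap,
            "checksum_valid": bool(image[off + 14] & 0x80)}


def with_corrected_count(image):
    """Return a copy whose header count equals the populated entries; never edits in place."""
    info = inspect_fit(image)
    if info["gap"]:
        raise ValueError("blank entries are not all at the end of the table")
    if info["checksum_valid"]:
        raise ValueError("C_V is set: the table checksum must be recomputed as well")
    patched = bytearray(image)
    off = info["offset"]
    patched[off + 8:off + 11] = info["populated"].to_bytes(3, "little")
    return bytes(patched)


if __name__ == "__main__":
    sample = build_sample()
    print(inspect_fit(sample))
    print(inspect_fit(with_corrected_count(sample)))
```

On the constructed sample the declared count is 8 with 5 populated entries and 3 blank ones, and the corrected copy carries the `5F4649545F20202005` header bytes given in the post.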

@Lost_N_BIOS you are amazing!!!

I fixed the FIT table like you advised, disabled bios write protection and flashed with FPT. To my amazement it actually worked! System info now shows Microcode patch ‘CC’

On to the next step, update the RST RaidOrom and EFI RaidDriver :slight_smile:
Is there a guide somewhere on how to replace Orom modules with UEFITool? I only found the guide written by Fernando on how to replace EFI modules.

Also is it safe to update the GOP driver for a mobile system? I mean is there a difference between mobile and desktop for the GOP driver? Because the ones included with UBUTool looks like they are for desktop chipsets.

@snixel - Great, and you’re welcome!

RST (oRom) can be updated using MMTool or UEFITool, you just have to make sure you replace w/ header or w/out header depending on what the file you have in hand to replace with starts as.
Here is general orom guide I think, MMTool suggested in this probably, but I prefer UEFITool on this too.
AHCI & RAID ROM Modules
Intel EFI “RaidDriver” and “GopDriver” BIOS Modules

GOP driver fine to update on mobile, however I am not sure if you need some specific GOP files (never seen this discussed, best to ask in the GOP thread) And if I was you, while doing that I would also update the vBIOS
Sorry, I have no clue what’s in UBU, I don’t use that as a source to get files for modifications, however it is useful in this manner to get GUID of the modules. (See spoiler below) GOP driver/modules are located in one of the above RAID threads (oddly)
Here is vBIOS/BMP thread, but sadly the vBIOS BSF/Dat package downloads are scattered throughout (look through last ten pages or so and hopefully you can find latest) - [Guide] Transfer of specific Intel VBIOS settings by using Intels BMP tool

Intel GOP SubGUID 380B6B4F-1454-41F2-A6D3-61D1333E8CB4
Intel RST GUID 91B4D9C1-141C-4824-8D02-3C298E36EB3F
AMI NVMe GUID 634E8DB5-C432-43BE-A653-9CA2922CC458
Intel 1Gb GUID 4953F720-006D-41F5-990D-0AC7742ABB60
Lx Killer GUID B1D4863C-71FC-4BB9-9D9A-A5DE27F8F6B7
Lx Killer GUID ED530593-91F4-4494-AE58-767054D213AE

[OROM - Find and Extract]
VBIOS in GUID A0327FE0-1FDA-4E5B-905D-B510C45A61D0
OROM in GUID 365C62BA-05EF-4B2E-A7F7-92C1781AF4F9
OROM in GUID A0327FE0-1FDA-4E5B-905D-B510C45A61D0 >>
@ Submodule >> 380B6B4F-1454-41F2-A6D3-61D1333E8CB4 = GOP
@ Submodule >> D46346CA-82A1-4CDE-9546-77C86F893888 = Intel RAID - If file you want to replace here has header, replace as-is, if it’s just body then replace body (if file starts with 55 AA in hex then it’s body, if it does not, you can remove everything before 55 AA and then use that as body/replace-body)
@ Submodule >> C5A4306E-E247-4ECD-A9D8-5B1985D3DCDA = vBIOS

Main Menu
[Current version in BIOS file]
1 - Disk Controller
EFI IRST RAID for SATA - 14.6.0.2285
OROM IRST RAID for SATA - 14.6.0.2285
EFI AMI NVMe Driver present
2 - Video OnBoard
EFI GOP Driver SkyLake - 9.0.1035
OROM VBIOS SkyLake - 1028
3 - Network
EFI Intel Gigabit UNDI - 0.0.07
OROM Intel Boot Agent CL - 0.1.04
EFI Lx Killer Network UNDI - 1.1.0.3
EFI Lx Killer Network UNDI - 1.1.0.4



For some intel boards, there is a jumper to put the bios in recovery mode. Most intel boards have a recovery bios within the download you can mod this (R0044Rec.cap) just make two USB (One original recovery usb and one recovery usb with mod), when system flashed original and reboots just go to EFI shell and do manual flash of the modded one.
Seems like recovery mode disables some firmware checks.


Works for me on 2600CP Intel.

Hi all,

So I’ve added NVME to my Intel S2600cp server board and now looking into unlocking some more options:

Original firmware:

https://drive.google.com/drive/folders/1…8VN?usp=sharing

As many of you know Xeon V2 (2680V2) are having locked multipliers so no overclocking using multiplier, however perhaps it’s possible to make the boost frequencies last longer if thermal allows it. This bios has lots of options to change boost pattern, look into the cpu advanced power management tabs (Uploaded some screens to Gdrive), however all of those are hidden.

Does someone know if it’s possible to unhide them, all info would be nice :slight_smile:

Update:

Added setup_extr:

https://drive.google.com/file/d/1Hvhe5Qb…iew?usp=sharing

Best Regards,

Toetje583

@Toetje583 - yes, the hidden settings in CPU power management (And elsewhere) can be made visible.
This is done by un-suppressing, here is a general example of how to do that, which I posted yesterday (See spoiler) Gigabyte Aero 15 OLED BIOS Unlocking and Modding Issue



Many thanks will look into it :slight_smile:

Is it enough to do this just on the menu entry or all items below it as well?

I managed to unlock the menu and can now access it using the bios, many thanks :slight_smile:

@Toetje583 - This only needs done on suppressed items, each “suppress if” will be followed by an “End If” either directly after the setting it’s blocking, or after 2-3-5 etc whatever amount of settings it’s blocking right there until the next one that isn’t blocked.
Then next setting you see suppress if on again will need similar edit. Sounds like you got it all sorted out yourself now, good job

Hello
Fernando, Lost_N_BIOS and SoniX, you seem to be very knowledgeable.
Don’t know if this is the right forum.

Trying to teach me how to modify UEFI.
The software I am trying to modify my UEFI with is
"AMIBCP 5.02"
"MOB: GA AX370 K7"
"UEFI mod: F23D"
Want to update my UEFI to F25.
But see that all the values in ▼ CAD Bus Drive Strength are set to 120 Ohm, which I think is far too high or?
Just change to “Auto” and then overwrite the original UEFI file?
Thanks in advance :slight_smile: