[Guide] Unlock Intel Flash Descriptor Read/Write Access Permissions for SPI Servicing

Hi. I have the same problem with my Lenovo Y70-70 Touch. I following your instructions, but in my case only E6 give some positive results. I can change option Me FW Image Re-Flash (in my bios code 0x1EE) to enable, but when i boot my system (Win 10) i still have write acces disabled. But after second try to change this option in EFI Shell i noticed that this option is still enable. What should I do now?

LENOVO-9ECN30WW(V1.13).rom.zip (2.3 MB)

I’m also interested.


What does it mean if you set "Me FW Image Re-Flash" to Enabled then the machine reboots instantly and changes it back?

Hey, I’m also wondering this, because this is exactly what my machine does.

I have an LG Gram 17 laptop (model 17z990-R.AAS7U1). It ships with the Intel Advanced Menu options enabled in the bios if you press ctrl+alt+f7 to reveal it. I’m trying to flash the manufacturer’s BIOS update package (W1ZD1250.zip), inside which they included:
1) the shell flash (entire bios flash package I guess), with a W1ZD1250.cap file (the bios itself), W1ZD1250_WUFU.cab which I guess is the signed Windows drivers?, ShellFlash64.efi, and “s.nsh” script plus the Winflash64.exe program and corresponding w.bat script.
2) the flash-flash (lol) - fpt.efi (and FPTW64.exe); W1ZD1250.rom file; fparts.txt, and f.nsh (+f.bat for windows) which simply runs

fpt.efi -f W1ZD1250.rom

LG was extremely unclear on how to use this bios update package, and in their support forum, multiple people were asking about it, until a rep finally confirmed you’re supposed to run w.bat as admin.
I did this a while ago but since then I suspect I may have gotten some kind of malware/rootkit? possibly in my firmware, after noticing a lot of strange behaviors and network rerouting (like mDNS [multicast] enabling by itself), in both windows and Ubuntu linux. Which is why I’ve been trying to figure out how to use the flash programming tool to reset my BIOS flash to whatever LG included in that update package.

But yeah, so since I have the Intel ME submenu available in the advanced bios, I set the “Me FW Image Re-Flash” option to Enabled as well, but upon rebooting, before it boots into my USB stick with EFI shell on it, it displays the splash screen for a split second before turning itself off again and THEN powering on once more into the shell. And if I interrupt it to check the bios settings, yep, sure enough that option has reset itself to Disabled, and I get Error 238 when trying to run f.nsh.

However after reading some of these forums, now I’m not so sure I even want to do this. If I flash the .rom file from my manufacturer directly, will that overwrite some of the unique identifiers in the ME, BIOS, PDT... regions specific to my PC that I need? If so, what will happen as a result? Would that brick the computer/stop it from booting or something?

If that’s not a good idea, then is there any way I can at least verify the contents of my flash/bios to make sure there’s nothing malicious that might be different from the manufacturer defaults? LG’s update package did also come with a BIOS_checksum.txt file, with an 8-digit hex value in it (0xCBXXXXXX something I can’t remember), but I don’t know how to find the checksum of my currently installed bios to compare.

I’m seeing the same odd behaviour as a.mihail91 and jdally987. I’ve got an InsydeH2O bios where it was possible to use h2ouve text edit to show hidden options - one of which is me fw reflash enable/disable. But it won’t let me enable this setting (it will set it back to disable). Reason for wanting to allow reflash is to apply modified ME / full dump with extra ICC profile for some minor bclk adjustment. The unhidden bios options also don’t allow me to do any RAM overclocking, guess the h2ouve method only shows all settings but doesn’t truly unlock them?

Hi guys, it looks like i have SPI blocked.

More in the thread:

Dell Precision M4600 Bios update failed bug A08 Signature Firmware

I have a hardware programmer CH341A, can anyone help clean / disable Intel ME - in the attached bios file?


download_BIOS.zip (5.23 MB)

I have a rampage IV black edition board with bricked ME. I was able to unlock the engine region with E6. OEM/ODM Hidden BIOS-UEFI Options. It took my little brain about 3 days to figure out what is what, assemble all the files and eventually find my way into efi shell. I consider myself a slightly advanced user but not advanced enough to consider using option E7. Hardware SPI Programmer. I had tried pulling out one of 2 bios chips from the board just to see if it would come out before ordering the hardware programmer. Unfortunately it didn’t move at all, so I gave up on the idea.

I used UEFITool on the bios verion 801 from the asus website, which happened to be the bios I have on this board. When searching for the “setup” string, I did exactly what the guide said “select one-by-one only those that are located in “UI” (User Interface) sections until you find the DXE driver” with name “Setup.” But in my case, “setup” was not in the name category but text. Then I had to right click and "Extract [the] body from “subtype GUID” not the PE32 image. Only then I was able to extract the information using universal IFR Extractor. I used a simple notepad program to search for all the interesting keywords listed on the page but was unable to find anything that would grant me ME subsystem access. I was about to give up when I entered the keyword “update”, which led me to ME update section of the bios. Here it talked about how to enable or disable ME subsystem. The variable I found for this bios is 0x15D and 0x1 for Enabled and 0x0 for Disabled.

I was really happy about it, until I found out I wasn’t able to enter the command since I used an incorrect efi shell file. It took me another day to find the correct setup EFI shell file which happened to be at the bottom of the first comment. After I put the file in the usb and disabled secure boot, only then the setup_var 0x15d 0x01 command went through. My CPU was able to gain access to ME subsystem. Anyway I just want to share the info for people with the similar board and assure you guys that it can be done. I also like to say to the person who wrote the guide that whoever you are, you have my eternal gratitude.

Unlocking via pinmode methode can do same benefits as editing descriptor bits or pinmode give more ??

How to use software to flash the Phoenix BIOS that the programmer backup
The BIOS URL is :https://share.weiyun.com/FtbVw108

What software?

FPT and phoenix-uefi-winflash-1.5.66

The Phoenix is backuped by programming device,how can I flash it use FPT or phoenix-uefi-winflash? My laptop is made by the elitegroup computer system.

BenQG41SUS45INE1MB8L.rar (3.26 MB)


I changed the hidden bios setting named Me FW Reflash(…)
And it worked. (only for ME region)
But how does it give the permission needed for flashing?
It’s locked by intel descriptor too, isn’t it?
Can bios override descriptor’s read/write permissions?

The pinmode method worked for me. Thanks!!!

Please, i need help. I have Dell Latitude E6410 laptop and i need unlock bios write access permission.
I backuped bios (i’m new user and can’t attach, but will add link), i can open it in UEFITool 0.28 or UEFITool_NE_A59, it’s Ok. I found GUID - 899407D7-99FE-43D8-9A21-79EC328CAC21 (Setup), exported it as is and as body.
But then with Universal IFR Extractor v0.5 i can’t extract it, in one case Extractor tell: “Protocol: Unknown”, in another case it extract blank txt without significant data, only headers…
Maybe i need another IFR Extractor or what?
link to bios: Dell Latitude E6410 Compal NCL01 LA-5472P nvidia Bios + EC.rar - Google Drive

Hello, I’ve tried to unlock my DELL Precision M4800 to flash a modded BIOS (enabled SPD write, tried to also unlock hidden settings), I have unlocked ME Reflash (setup_var 0x2BC 0x1, HWINFO64 shows that ME section is completely missing after that though), but FPTW64.exe outputs Error 25.

No miracles here and what you want is a very risky operation on this OEM machines, even worst on a laptop workstation, they do usually contain various security, TPM/EC spare chips etc…
The error is due to bios region is locked and all the info regarding this operations on certain motherboards/systems is in the forum. Also HWinfo not showing ME information is not sign of a good “unlocked ME” work…

Radical users, that can spare a machine, have SPI programmer and has advance user skills, have been seen to do manual edits to the FW with the Intel FIT tool/HEX edit to the SPI/FW FD…but very few and very few cases of success.

And nothing more i can add, wait for another user opinion, good luck.

I feel like previous owners were doing something with it, before I received it. I have original BIOS dumps though, and I also have a CH341A (3.3V mod). Why I am trying to do it in a “software” way? Because this machine is tough to disassemble completely (Well, it is not, actually, it is all because of a place where I live, but that’s for another conversation). So that’s the reason why I am doing it this way. It also has a little “ME DISABLED” sticker under a battery.