[Guide] Unlock Intel Flash Descriptor Read/Write Access Permissions for SPI Servicing

https://idream.ink/Images/8M.fd   //same as the attach file

Thank you , here is the original FLASH file backed up by CH341A.
I tried use IFR and InsydeUVE to fix the variable from "PchSetup 0x17" to 0x01, but it seems doesn't work.

8M.zip (5.35 MB)

@Lost_N_BIOS How about my Error 238?

@wilson98 - plutomaniac replied to you about this, you have to see options page one, your only options for locked FD are pinmod or flash programmer like CH341A usually (You also need SOIC8 test clip with cable if BIOS is soldered to board)

@andy7y - Unlocked FD, Fixed FIT Checksum, Disabled BIOS Lock (error 368), which you would get if you only disabled FPRR & Disabled FPRR (error 238) in Setup module + VSS/NVRAM (this = x4 individual byte change edits) - http://www.filedropper.com/xiaomi-notebo…andy7y-unlocked
Edited modules and original included for everything but FIT Checksum edit, so you can see how/what/where was edited.

I dumped the vars with UVE and see PCH var 0x17 is 01 by default (enabled) 01 = enabled - so you are enabling instead of disabling This should already be set to 01/enabled by default, so if you did try to set it to 01 there would be nothing for you to change in vars with UVE.
For your info on future edits, for this one setting (BIOS Lock) you are looking for anything in vars from “Varstore 5” Which = 4570B7F1-ADE8-4943-8DC3-406472842384, so this included [17} Custom and [03E] PCHSetup in this example.
UVE edit may not always edit/apply the change to the correct VSS/NVRAM store either, some BIOS there is shadow copy outside of normal VSS/NVRAM volumes, so you’ve got to edit both (In this case, does not apply, only letting you know for future reference)

there is something not okay, so I make a theard there, please help me.
[Request] Unlock BIOS Xiaomi Notebook PRO GTX @8th CPU

Who can tell me which FD v I have 1,2, or 3 ???


@Lost_N_BIOS @plutomaniac , Hi i accidentally flashed my old motherboard SPI Dump file to my new motherboard (FX505GE) , so now i already flash back the NEW motherboard SPI DUMP file but the Intel ME not working properly it not showing in HWinfo and fptw64 not able to locate ME Device. Both bios file is working fine without problem.
Error 20: Cannot locate ME device.
FPT Operation Failed.

@klaxklax3 - That is FD v2-3, you can tell by line 80, and or line 60 not looking like FD v1

@wilson98 - Do you have unlocked FD? If you are not sure, please dump and send me the file >> FPTw.exe -desc -d fd.bin

Hi @all
i try to make the Unlock Methods for SPI Servicing in section E for my Asus Z270-A mainboard. Where can i find the two pins to short them?

Best regards

Hello everybody!

First of all: @plutomaniac - what an amazing inventory of guides concerning Intel Management Engine you have created here! Thanks for all of your hard work!

### EDIT: oh dear, I’m so stupid. Please disregard the rest of this post, because now I actually found other posts of yours (1,2,3) in this forum describing system behaviour that is similar to mine. I really should have googled more than I did. Sorry!!

EDIT2: I tried the two other methods for HP laptops:

1) holding the key combination “WIN + LeftArrow + RightArrow” while pushing the power button → same behaviour as with "pinmod"
2) holding only “LeftArrow + RightArrow” (without “WIN”) while pushing the power button → laptop boots normally and flash descriptor is still locked

So I’m experiencing the same behaviour as others did with HP laptops. Unfortunately, I can’t get into chip programming and stuff so that’s it for me.


Original post:

I have an HP ProBook 430 G4 laptop and I ran into that common problem with a “corrupted” Intel ME, e.g.:

- in BIOS it says that ME Firmware Version =
- “Hibernate”, “Sleep” and “Restart” all don’t work → instead the system always shuts down
- Shutting down takes a very long time (much, much longer than it should do with an SSD and a 7th Gen i5)
- and so on…

So I read through your guides and I am currently stuck at the “pinmod”. I have attached:

- a picture of the audio chip on the motherboard
- the schematic of that audio chip
- the pin configuration or pinout (the pin numbers) of a similar chip from the same manufacturer (Conexant) that has the same amount and distribution of pins (I hope this is applicable to the chip on my board?)

On all three of these pictures I marked the two pins: HDA_SDO as well as the DVDD (or in this case, the “DVDD_IO”).

So here is what happened as well as my actual problem: I kept shorting the pins and started up the system via the power button. The fan immediately starts to spin and, shortly after that, stops to spin. Up to this point, this is usual behaviour. But then, instead of booting, the system completely shuts down after two seconds or so. If I do not (!) short the pins and start up the system, it succesfully boots as usual.

Long story short: if I short the two pins, the laptop refuses to start up.

So my question is: have you guys ever experienced something similar or heard of someone who reported similar behaviour? Or am I shorting the wrong pins?

Any help would be greatly appreciated! :slight_smile:




You’ve already found my prior discussions regarding HP and their unique ways of unlocking the FD. Since I don’t know much else about HP laptops, I suggest you try whatever possible, otherwise use a programmer.

Hi. I have the same problem with my Lenovo Y70-70 Touch. I following your instructions, but in my case only E6 give some positive results. I can change option Me FW Image Re-Flash (in my bios code 0x1EE) to enable, but when i boot my system (Win 10) i still have write acces disabled. But after second try to change this option in EFI Shell i noticed that this option is still enable. What should I do now?

LENOVO-9ECN30WW(V1.13).rom.zip (2.3 MB)

I’m also interested.


What does it mean if you set "Me FW Image Re-Flash" to Enabled then the machine reboots instantly and changes it back?

Hey, I’m also wondering this, because this is exactly what my machine does.

I have an LG Gram 17 laptop (model 17z990-R.AAS7U1). It ships with the Intel Advanced Menu options enabled in the bios if you press ctrl+alt+f7 to reveal it. I’m trying to flash the manufacturer’s BIOS update package (W1ZD1250.zip), inside which they included:
1) the shell flash (entire bios flash package I guess), with a W1ZD1250.cap file (the bios itself), W1ZD1250_WUFU.cab which I guess is the signed Windows drivers?, ShellFlash64.efi, and “s.nsh” script plus the Winflash64.exe program and corresponding w.bat script.
2) the flash-flash (lol) - fpt.efi (and FPTW64.exe); W1ZD1250.rom file; fparts.txt, and f.nsh (+f.bat for windows) which simply runs

fpt.efi -f W1ZD1250.rom

LG was extremely unclear on how to use this bios update package, and in their support forum, multiple people were asking about it, until a rep finally confirmed you’re supposed to run w.bat as admin.
I did this a while ago but since then I suspect I may have gotten some kind of malware/rootkit? possibly in my firmware, after noticing a lot of strange behaviors and network rerouting (like mDNS [multicast] enabling by itself), in both windows and Ubuntu linux. Which is why I’ve been trying to figure out how to use the flash programming tool to reset my BIOS flash to whatever LG included in that update package.

But yeah, so since I have the Intel ME submenu available in the advanced bios, I set the “Me FW Image Re-Flash” option to Enabled as well, but upon rebooting, before it boots into my USB stick with EFI shell on it, it displays the splash screen for a split second before turning itself off again and THEN powering on once more into the shell. And if I interrupt it to check the bios settings, yep, sure enough that option has reset itself to Disabled, and I get Error 238 when trying to run f.nsh.

However after reading some of these forums, now I’m not so sure I even want to do this. If I flash the .rom file from my manufacturer directly, will that overwrite some of the unique identifiers in the ME, BIOS, PDT... regions specific to my PC that I need? If so, what will happen as a result? Would that brick the computer/stop it from booting or something?

If that’s not a good idea, then is there any way I can at least verify the contents of my flash/bios to make sure there’s nothing malicious that might be different from the manufacturer defaults? LG’s update package did also come with a BIOS_checksum.txt file, with an 8-digit hex value in it (0xCBXXXXXX something I can’t remember), but I don’t know how to find the checksum of my currently installed bios to compare.

I’m seeing the same odd behaviour as a.mihail91 and jdally987. I’ve got an InsydeH2O bios where it was possible to use h2ouve text edit to show hidden options - one of which is me fw reflash enable/disable. But it won’t let me enable this setting (it will set it back to disable). Reason for wanting to allow reflash is to apply modified ME / full dump with extra ICC profile for some minor bclk adjustment. The unhidden bios options also don’t allow me to do any RAM overclocking, guess the h2ouve method only shows all settings but doesn’t truly unlock them?

Hi guys, it looks like i have SPI blocked.

More in the thread:

Dell Precision M4600 Bios update failed bug A08 Signature Firmware

I have a hardware programmer CH341A, can anyone help clean / disable Intel ME - in the attached bios file?


download_BIOS.zip (5.23 MB)

I have a rampage IV black edition board with bricked ME. I was able to unlock the engine region with E6. OEM/ODM Hidden BIOS-UEFI Options. It took my little brain about 3 days to figure out what is what, assemble all the files and eventually find my way into efi shell. I consider myself a slightly advanced user but not advanced enough to consider using option E7. Hardware SPI Programmer. I had tried pulling out one of 2 bios chips from the board just to see if it would come out before ordering the hardware programmer. Unfortunately it didn’t move at all, so I gave up on the idea.

I used UEFITool on the bios verion 801 from the asus website, which happened to be the bios I have on this board. When searching for the “setup” string, I did exactly what the guide said “select one-by-one only those that are located in “UI” (User Interface) sections until you find the DXE driver” with name “Setup.” But in my case, “setup” was not in the name category but text. Then I had to right click and "Extract [the] body from “subtype GUID” not the PE32 image. Only then I was able to extract the information using universal IFR Extractor. I used a simple notepad program to search for all the interesting keywords listed on the page but was unable to find anything that would grant me ME subsystem access. I was about to give up when I entered the keyword “update”, which led me to ME update section of the bios. Here it talked about how to enable or disable ME subsystem. The variable I found for this bios is 0x15D and 0x1 for Enabled and 0x0 for Disabled.

I was really happy about it, until I found out I wasn’t able to enter the command since I used an incorrect efi shell file. It took me another day to find the correct setup EFI shell file which happened to be at the bottom of the first comment. After I put the file in the usb and disabled secure boot, only then the setup_var 0x15d 0x01 command went through. My CPU was able to gain access to ME subsystem. Anyway I just want to share the info for people with the similar board and assure you guys that it can be done. I also like to say to the person who wrote the guide that whoever you are, you have my eternal gratitude.

Unlocking via pinmode methode can do same benefits as editing descriptor bits or pinmode give more ??

How to use software to flash the Phoenix BIOS that the programmer backup
The BIOS URL is :https://share.weiyun.com/FtbVw108

What software?