HPE ProLiant DL60 Gen9 Server BIOS unlock

Here are the files: http://s000.tinyupload.com/?file_id=57792850678742017659

@carson512 - Yes, this is FD + ME FW region >> ME-25Q64FVSIG-8M
SYSTEM-25Q128FVSG.bin << This is BIOS region as you mentioned. It’s also a dual image BIOS region, either for two systems, or for single model but configured differently for some variants etc.
Have you edited this at all? FIT table is broken. Lots of errors too, but those could be normal, I’d have to see stock BIOS to be sure. How did you dump that? Some of the errors could also be corruption from the dump, if via programmer and incompatible software used.
For W25Q128FV, CH341A software 1.18 can read properly but not write, aside from that I think only Colibri or ASProgrammer can read/write properly (at least from what I see confirmed here).
Do you have a copy of stock BIOS? If yes, please upload for me to check, thanks. Also, please zip up for me an image of the BIOS so I can see all visible to you sections across top of however it’s shown to you (so I can see main, advanced, boot, exit etc, which are visible.)

This is “Insyde” BIOS, that is why AMIBCP can’t open it

TDP is only mentioned once in BIOS settings >>
Config TDP Level, VarStoreInfo (VarOffset/VarName): 0x12F3, VarStore: 0x1, QuestionId: 0xBBF, Size: 1, Min: 0x0, Max 0x2, Step: 0x0 {05 91 B4 15 B5 15 BF 0B 01 00 F3 12 10 10 00 02 00}
One Of Option: Nominal, Value (8 bit): 0x0 (default) {09 07 B6 15 30 00 00}
One Of Option: Level 1, Value (8 bit): 0x1 {09 07 B7 15 00 00 01}
One Of Option: Level 2, Value (8 bit): 0x2 {09 07 B8 15 00 00 02}

If you can see this submenu inside Advanced >> Advanced Power Management Configuration << Then I can make above TDP setting visible to you in BIOS without issue
I can also make this submenu visible in there too, if you can’t see it now >> OverClocking Feature

Have you generated an IFR readout from the two platform modules? If yes, after looking around in there, what do you need visible in there that you can’t see now?
If you’ve not done this, let me know, I will send you the IFR’s and you can look and see all the possible settings, then let me know what you need visible.
I think you did this already, since you mentioned changing variables via RU. So yeah, let me know what you need visible

All the ROMs were backed up from the original state without edits, and double-checked with the programmer readout files; they are the same.
I split the BIOS region into two BIOS files. UEFITool (May 8 2020) doesn’t show the FIT error. Maybe HP does that, or I checked it the wrong way.
With a CH341A I can read and write the SPI… And double-checked with FPT or the exploits way; the files are all the same…
Here are the images of the menu below. So is there a guide for how to make an Insyde BIOS menu visible… I’m not sure which menu to make visible. For now TDP, OverClocking, PCIE (Form: IIO 0, IIO 1, IIO 2, IIO 3).

I already generated an IFR readout from module ‘Platform’. Is the other one ‘RbsuSetupDxe’?

And maybe help me with the microcode: removing the code ‘306F2’, to make sure I do it the right way.

Thanks.

img.zip (773 KB)

@carson512 - Show me what you mean about UEFITool not showing you FIT error if BIOS split. I didn’t split, but know how if necessary to check. My main concern there was invalid load of microcode due to microcode entry in FIT table broken
FIT is blank in version 51 and only half populated in version 57, but that is with BIOS region as a whole. It may be that way from HP, some stock BIOS are just not built properly
Thanks for BIOS images, I will look and see if I can translate those into the actual BIOS sections in the BIOS itself, since they do not use the actual section names (Main, Advanced, boot, Security)
There are two platform modules, this is a dual BIOS image, one half on top and one half on bottom. Search BIOS Lock Unicode with UEFITool NE and you will find both platform modules, or here is the GUID for both: ABBCE13D-E25A-4D9F-A1F9-2F7710786892

There is no guide for this. On microcode, some systems simply cannot run without one. How did you remove it, FF the module out, or FF the body out only? Try the latter, leaving header in place.

PCIE and TDP are not menu/submenu sections, so you need to be more specific there. I get what you mean about the IIO’s, I will see what submenu they are in and try to make visible for you.
For now, please test this BIOS below and tell me if you can see OverClocking Feature now, look in Performance Options and Advanced Options, not sure where it will go (if anywhere).
Also, please show me what you can see inside both of those before you flash this, from top to bottom of each at root level inside. While you are doing that, please also show me inside root level of PCI Device enable/disable.

I’ll have to dig around, it may be they are not using platform at all for the displayed menu, since nothing matches name-wise I think this is the case and we’ll have to find what is being used and hopefully same options are there and hidden too (or no luck making visible)
http://s000.tinyupload.com/index.php?fil…808057347274898

* Edit - Yes, it looks like RBUSetup is what is actually being shown/used; same as Platform, there are two as well. If the settings you wanted are not in here, then you may not be able to make them visible (but we can directly change via BIOS edit, dumping vars possibly, or RU etc)
And on that front, please also test this BIOS, and show me what all you see now at root of BIOS/Platform config page, can you now see >> Service Options, Special Settings, Debug Options?
http://s000.tinyupload.com/index.php?fil…604454629292267

Here is the v2.72 and v2.30 BIOS part FIT info.




The SYSTEM-25Q128FVSGMOCFeatTest.7z BIOS can’t boot, with the error






The SYSTEM-25Q128FVSGMRBSUTest.7z BIOS can boot and I can see more info




@carson512 - Yes, that is broken FIT table in both, incorrect microcode offset in the FIT table causes that blank entry (We can fix).

Thanks for test result, the code/info does not help me, and I did not use invalid opcode, so not sure what it’s referring to? I could however do the same edit a few alternate ways, but kinda waste of time due to >>
But, that is platform edit anyway, so not visible to you now that I’ve seen BIOS images now, so we don’t need to worry about this one further.

So, now we know edits to RBSU can be made and function properly, please look over IFR output from those setups and let me know if anything is missing that you need to be visible, or if any of that can help with what you originally wanted etc?
I cannot make items in platform visible, only what’s in RBSU can be made visible (if hidden)

The RBSU menu is enough. Maybe in the BIOS menu a special key is needed to open the Platform menu. I can use IFR and the RU tool to do the same. Really appreciate that.

Now for the microcode removal, which is what I originally wanted.
1. I tried to change the CPUID of the microcode in hex. Then UEFITool 57 shows:


Is there a way to calculate the checksum…
2. I tried to use UEFITool 0.28 to extract 197DB236-F856-4924-90F8-CDF12FB875F3, which has the microcode, to a raw file, removed the whole 306F2 part from the raw file, then replaced the body. A new ROM is here.
Then I used UEFITool 57 to open the new ROM, in which the FIT and Security info are all gone… Is it a UEFITool error? Or a FIT table error?
Which way is easier, or do I need a specific UEFITool version to do the replace?

Is there a possibility to replace the BIOS region with one from another C612 board?
I found that Supermicro has a two-CPU board… But its BIOS region is 12M, larger than 8M.
Zip it to 8M, or change the descriptor to use the entire 16M chip:
which is easier?

There are several ways to remove microcode generally, for that kind of mod. Remove only microcode itself, or remove the entire microcode module, or remove only the microcode entries and leave the header of the module, which are you doing?
And, what tool are you using to do the actual edit? To fix checksum you mentioned is easy, but if you remove microcode there would not be any checksum shown by UEFITool 57, since that long microcode checksum like you showed above is part of the actual microcode.
In this BIOS, microcodes (x2) are located in 8C8CE578-8A3D-4F1C-9935-896185C32DD3 >> 197DB236-F856-4924-90F8-CDF12FB875F3 as you mentioned, there are two of these volumes in the BIOS so you need to edit both same/same

And yes, FIT always needs corrected after you edit microcodes for sure, and often any other BIOS edit too. FIT was broken by default in this BIOS, and incorrectly setup too if the offsets were even correct to begin with (which they are not)
FIT needs entry count increased to 2 microcodes by default not one, and then correct microcode offsets added. If you are removing microcodes, then you need to decrease total entry count by one (so remove original single microcode entry value)
And then fix offsets of all other items in the FIT table via straight hex edit on entire BIOS as a whole.

So you want BIOS with 306F2 removed and FIT fixed? If yes, I can make for you from the dump you sent me. Don’t use UEFITool 28, it breaks this BIOS, and removes padding at PEI volumes on rebuild

Sorry, didn’t see your other reply until I posted the above. No, you can’t replace BIOS region from one board to another, too many things differ between boards for stuff like that usually (rare occasions maybe)

* Edit @carson512 - here is BIOS including mods I already did for you + 306F2 removed and FIT table fixed for microcode entry (so you will see fixed entry for microcode now, but only 406F1 is there)
Additionally included is BIOS with fixed FIT table on BIOS that includes both original microcodes, so you can see how FIT Table should have been initially from HP
http://s000.tinyupload.com/index.php?fil…215321482320073
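
The FIT and microcode-checksum checks discussed in the posts above, as an added example that is not part of the original thread and not code from any poster or tool mentioned. It assumes the bytes passed in end at the top of the 4 GiB address space; the function names and the 64 KiB sample image are constructed for illustration.

```python
import struct

TOP = 1 << 32  # assumption: the last byte of the image maps to 0xFFFFFFFF

def ucode_info(img, off):
    """Parse an Intel microcode update at file offset off; intact when its dwords sum to 0."""
    if not 0 <= off <= len(img) - 48:
        return None
    hver, rev, _date, sig, _ck, lver, _fl, dsize, tsize = struct.unpack_from("<9I", img, off)
    total = tsize if dsize else 2048      # data_size 0 means the 2048-byte default
    if hver != 1 or lver != 1 or total % 4 or off + total > len(img):
        return None
    words = struct.unpack_from("<%dI" % (total // 4), img, off)
    return {"cpuid": sig, "rev": rev, "sum_ok": sum(words) % TOP == 0}

def check_fit(img):
    """Return (problems, microcode CPUIDs) for the FIT found via the pointer at 4 GiB - 0x40."""
    to_off = lambda addr: len(img) - (TOP - addr)
    fit = to_off(struct.unpack_from("<Q", img, len(img) - 0x40)[0])
    if not 0 <= fit <= len(img) - 16 or img[fit:fit + 8] != b"_FIT_   ":
        return ["FIT pointer does not lead to a _FIT_ header"], []
    count = int.from_bytes(img[fit + 8:fit + 11], "little")   # includes the header entry
    table = img[fit:fit + 16 * count]
    problems, found = [], []
    if img[fit + 14] & 0x80 and sum(table) % 256:              # C_V bit: checksum in use
        problems.append("FIT table checksum invalid")
    for i in range(1, len(table) // 16):
        entry = table[16 * i:16 * i + 16]
        if entry[14] & 0x7F != 0x01:                           # type 0x01 = microcode update
            continue
        addr = int.from_bytes(entry[:8], "little")
        info = ucode_info(img, to_off(addr))
        if info is None:
            problems.append("entry %d: no microcode header at %#x" % (i, addr))
        elif not info["sum_ok"]:
            problems.append("entry %d: microcode %X checksum invalid" % (i, info["cpuid"]))
        else:
            found.append(info["cpuid"])
    return problems, found

def build_sample(fit_target=0x1000, cpuid=0x406F1):
    """Constructed 64 KiB image: one microcode at 0x1000, FIT at 0x8000."""
    uc = bytearray(struct.pack("<9I", 1, 1, 0x01012020, cpuid, 0, 1, 0, 2000, 2048))
    uc += bytes(12) + bytes(range(200)) * 10
    struct.pack_into("<I", uc, 16, -sum(struct.unpack("<512I", uc)) % TOP)
    img = bytearray(b"\xff" * 0x10000)
    img[0x1000:0x1800] = uc
    base = TOP - len(img)
    fit = bytearray(b"_FIT_   " + struct.pack("<IHBB", 2, 0x100, 0x80, 0))
    fit += struct.pack("<QIHBB", base + fit_target, 0, 0x100, 0x01, 0)
    fit[15] = -sum(fit) % 256
    img[0x8000:0x8020] = fit
    struct.pack_into("<Q", img, len(img) - 0x40, base + 0x8000)
    return img
```

A FIT microcode entry whose address lands in padding, or a microcode whose CPUID field was changed in a hex editor without recomputing its checksum, each shows up as one line in `problems`.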

Here is the test result:
MRBSUTestUEFI25306F2REMFITFix.bin can’t boot, with the same error as when I removed the microcode…
SYSTEM-25Q128FVSGMRBSUTest-FITFixed.bin can boot normally. I checked the debug log against the backup BIOS. They look the same.


Here is the end part of the debug log with the first one, MRBSUTestUEFI25306F2REMFITFix.bin



Here is the nearby part of the normal boot log



The key may be ‘Loading PEIM at 0x000FFFBDC40 EntryPoint=0x000FFFBF870 HpSecPhaseErrorReportingPei.efi’
and I tried using IDA on this efi file


I changed that ‘jz’ to ‘jnz’,
then it gives another error.
Maybe HpSecPhaseErrorReportingPei is just an error handler module? Was the code 275 passed to HpSecPhaseErrorReportingPei?

@carson512 - SYSTEM-25Q128FVSGMRBSUTest-FITFixed.bin is same BIOS I sent you already at post #12, but with FIT Fixed for both microcodes, so you can see how it should look in UEFITool NE
Other BIOS = fail, this means your system cannot boot without microcode for the CPU, not all can and this must be one of those. Does the board have a service or management jumper? If yes, try that BIOS again with jumper in place and see if that matters or not.

Not sure on the assembly, if that would help or not I mean, if you want to bypass all that, I’d change that JZ to JMP >> hex >> 74 37 >> EB 37, so flow then becomes as you see below


There are two modules “HpSecPhaseErrorReportingPei”. Edit both and make the edit via direct hex editing on entire BIOS as a whole, that way PEI volume does not get rebased.
Check post-edit file in UEFITool NE and make sure you don’t then need to correct checksum for those two modules, if so re-edit via direct hex on BIOS as a whole.

There is a System Maintenance Switch on the board. I tried MRBSUTestUEFI25306F2REMFITFix.bin with the Reserved SW (S3, S4, S8, S9, S10, S11, S12) changed to ON. Nothing changed… it still shows the ‘unsupported’ error.
In the debug log:
S3, S4, S12 add one log line ‘Maintenance Switch** is set.’
S4 may change the debug log level; it adds something like ‘Loading PEIM at 0x000FFF97FC0 EntryPoint=0x000FFF98B78 HpStatusCodeHandlerPei.efi’ in the log.
At this phase I can’t find anything different.


There are 4 jumpers with pins. Two of them are the COM pins (RX TX GND VCD). One is the NMI functionality jumper (An NMI crash dump creates a crash dump log before resetting a system which is not responding.). One is just 3 pins near the ME ROM, one GND and two 3.3V, and is not mentioned in the guide.

In the debug log, 13 modules are loaded before the unsupported error


The microcode check must be in this module.
Is it possible to use IDA to check which module calls HpSecPhaseErrorReportingPei.efi to show the unsupported error, or whether it is just HpSecPhaseErrorReportingPei.efi itself?


I used WinHex to edit the BIOS file directly, 74 >> EB.
The system boots without the ‘unsupported’ error and continues the process,
until a red screen shows the ‘PiSmmCore+00BA8Eh RIP address out of range’ error, same as with jnz or with the HpSecPhaseErrorReportingPei module removed.
But I realize that jmp is much better than jnz when the CPU changes…
Is PiSmmCore the module that loads all SMM modules?
And searching the ROM, only the PiSmmCpuDxeSmm module, an SMM module, has the ‘RIP address out of range’ string.

Here is part of the debug log with the ‘EB’ BIOS



Here is part of the debug log with the normal BIOS


Before the line ‘SMM IPL closed SMRAM window’ the logs seem the same.
In a normal boot the next step is to load EF827D89-960E-485B-9D0F-2850E6CB2BB0, which is HpstatusCodeHandlerSmm.
Is it possible that HpStatusCodeHandlerPei calls HpSecPhaseErrorReportingPei, and then HpstatusCodeHandlerSmm causes the RIP address out of range error?
All logs are in the zip file below.


By the way, I just think the two BIOS regions are standalone, because changing just the first 8M BIOS part takes effect, unless the backup ROM is selected in the BIOS menu… Maybe the FIT will look good after the cut.

debuglog.zip (322 KB)

Maybe test that jumper and see on/off what happens, or is it maybe ME FW disable etc?

Sorry, I can’t help with the logs or assembly, I know very little in this area. Maybe @Mov_AX_0xDEAD or @CodeRush could advise here, I think maybe they are the only ones I know that know this much about assembly/BIOS
Yes, sorry, I forgot only one part of the BIOS applies to your system, so only one needs edited
No, I checked, remember, you sent me partial/split BIOS, FIT is broken still there too.

I tested all three pins. With a jumper on 2 of the pins the system boots as if the power button was pressed…

I will try to update the BIOS from the HPE website and compare the BIOS later, to make sure whether the FIT is broken or it is HP’s doing…

I just found File GUID: AAE07B90-4CF8-5986-AD2A-48B72CAB98A8 in UEFITool.
There is a pad-file. What is this file used for? I saw “Header checksum: E8h, valid Data checksum: AAh, valid”. When I change the ‘jz’ to ‘jmp’ this checksum doesn’t change. Is it possible the error is caused by the checksum?

AAE07B90-4CF8-5986-AD2A-48B72CAB98A8 should not be edited using tools, due to being in PEI Volume, only direct hex edited changes on the entire BIOS as a whole.
I did the edit with tools, and SH + Rebuild those modules, to check about the checksum for you, and that does not change on rebuilds, so that is normal/expected and would not be the cause of any error here.

About the jumper, I don’t understand what you mean? position 1-2, what happens, position 2-3, same? Boot to windows or BIOS with either, and see if ME FW disabled, and test if you can dump FD with FPT and write it back or not (FPTw.exe -desc -d fd.bin >> FPTw.exe -desc -f fd.bin)
Also, I meant to test these with the mod BIOS I sent you (With microcode removed), once you find which one boots OK, or both etc.

About the jumper: position 1-2 is just like the power-on pin function, the system boots up. In position 2-3, pressing the power button changes nothing, the CPU fan doesn’t even run. Nothing about the ME.
Then I used this tool https://github.com/corna/me_cleaner to close the ME. Then with MRBSUTestUEFI25306F2REMFITFix.bin and the jmp one it still can’t boot, with the unsupported error or the RIP error.
How can I check whether the ME function has been closed or not?

I tried clearing the CMOS and NVRAM, then reflashing the web-downloaded BIOS. It is the same as the backup one "SYSTEM-25Q128FVSG.bin". So the FIT error may be HP’s problem.


Then I found that S3 and S4 are the debug log function switches.
With S12 it shows

on screen and in the debug log.
But with SW12 ON, the microcode-removed BIOS MRBSUTestUEFI25306F2REMFITFix.bin can’t boot either; still the unsupported error.

-----------------------------

Is this BIOS an EDK2-based UEFI ROM?

@carson512 - ME Cleaner should not be used here, please PROGRAM back some non ME Cleaner edited BIOS.
Yes, FIT error can be HP issue, some manufacturers do not care/pay attention etc.

S12 - “Certain Security Protections” that is what we want to override to use FPT I bet. But you have a programmer, so none of that matters really.

EDK2, I have no idea what that is or if this is that, sorry.

Best to maybe just use a known supported CPU, at stock unedited specs? Unless DeathBringer has time and can help on this one

@DeathBringer - Can you help here, BIOS need to modify is SYSTEM-25Q128FVSG.bin in post #4, or last link on post #12 for menu edited BIOS we’ve been using
Need to make Max Turbo edit, and or make BIOS bootable for 306F2 microcode removed (or is this system not one that can boot with no microcode?)

Unlocking mods aren’t interesting to me.

OK, I will program back the ME BIOS.
There is a GUID: 1BA0062E-C779-4582-8566-336AE8F78F09 whose subtype is ‘SEC core’ in UEFITool.
Given the error module’s name, HpSecPhaseErrorReportingPei, maybe the SEC part finds an error and it is shown by the module.
So I used IDA to check the SEC core PE32 image.

ida01.png

ida02.png


There is a CPUID check.
I changed the jnz 75 to jz 74,
but it can’t boot, with a black screen…
Any idea…
--------------------

Still, thanks for your help.

@carson512 - Are you wanting to -
1. Make it avoid >> manufacture’s diagnostic checkpoint (POST code) and end up at >> movd esi, mm3
OR
2. Make it definitely go to >> manufacture’s diagnostic checkpoint (POST code)

If #1 is goal >>
At loc_FFFFEBDC >> Change JNZ >> 75 15 >> Change to >> 75 00
At loc_FFFFEBE8 >> Change JNZ >> 75 0D >> Change to >> 75 00
At loc_FFFFEBF0 >> Change JNZ >> 75 05 >> Change to >> 75 00

IF #2 is goal >>
At loc_FFFFEBDC >> Change JNZ to JMP >> 75 15 >> Change to EB 15