[Guide] Howto Unlock/Flash an Insyde H2O UEFI BIOS

@DvL thx, i saw this topic already

Unfortunately recovery flash via FN + ESC didnt work for me

if certificate is missing there is nothing you can do, the process will end up with similar result

0IMG_20190423_162312.jpg


0IMG_20190422_220558.jpg


0IMG_20190424_193511.jpg

Did you try using Flash Tool: InsydeH2OFFT from https://www.insyde.com/downloadcenter already?

Because it’s not easy to pass that “wall” and get the download, I uploaded InsydeH2O_Dibbler_05.22.04.0011 at https://www.dropbox.com/s/brzls1iztezzlw…08.18.zip?dl=1 (only the Insyde flash tool, not the standard BIOS for OEMs)

Or else, just try find a download for an universal Windows GUI “Insyde h20fft” flash tool (not DOS like above) that looks like this:

@DvL

i have this tool already!

all my attempts end up with "InsydeH20 - Secure Flash Error : Invalid firmware image!!!" or "it only supports to flash secure BIOS on current platform. the image to be updated is not secure BIOS"

no matter what values i put into platform.ini

H2OFFT-Wx64.exe is included with your stock BIOS as you mentioned @klaxklax3 - you need to edit iscflash.dll to bypass that error (Or simply dump with your programmer, edit, and then reprogram as I mentioned on the other thread)
platform.ini will be ignored if you put BIOS image back into the stock.FD file because there is a platform.ini in that FD that’s used instead. If you feed the H2OFFT-Wx64.exe an extracted actual BIOS image without the embedded platform.ini then it will use the one in the folder
The embedded ini can also be extracted and edited, then replaced if you wanted to do that instead too - 0x800CDC is it’s starting location at the stock FD file, and it’s 10000h

I’ll check your iscflash.dll now, since I see your exact error mentioned above, but read my huge reply on the other thread just now, your mod BIOS is broken
CHECKING BIOS CHECKSUM, CALCULATION AND REPLACEMENT

@Lost_N_BIOS huge thanks for important information, it helps to understand the structure but how i can edit DLL?

P.S
I hold my programmer as a last resort, still hoping to flash the bios using software =D

You’re welcome, please wait, I will tell you how to edit the .dll - in general, this is done in assembly/hex, in assembly you find the coding that checks and invokes this error and bypass it by either jumping past it, or making it not happen (NOP it out >> No Operation Possible >> 9090)

Thank you for the interesting post you linked at post #2 above, although he disabled replies, so you can’t see the amount of success vs failure with that method, it does look valid and proves a long drawn out edit can be done to fix the issue as well.
That is a lot of edits though, so on a non-personal level (ie someone making a mod BIOS for someone else) it’s easier to just bypass the secure BIOS check by editing the iscflash.dll
However, that does not work on some more recent BIOS, it only causes another error instead, then you can’t get around that one either unless you do the edit via programmer to the onboard BIOS first.

I wonder if that method, gets you around RSA Internally Signed BIOS or not, or only the RSA check at the flashing level. It’s too bad he’s disabled comments on that, I’m sure that would have been discussed and tested at length.
Why create such a guide, and then not allow discussion!?!?

Please be patient, I will let you know once I’ve found the edits on your iscflash.dll (I’m using slow computer right now, so the search within the file is very slow)

* Edit - I see your edit and raise you >> Last resort is fine, but since you have it and you are trying to flash in mod BIOS, I suggest you use your programmer now to get a valid and verified backup made, that way you know you can recover and you know what version software works for your setup.
If you don’t do that, and have to recover later with stock BIOS only, you can never get NVRAM/VSS back, and it will be a huge pain to find and put back in your system details

@Lost_N_BIOS thank you for advice, i will keep that in mind …

Hard to say … FPT doesnt recognize my system nor in GPT/UEFI nor in Legacy/MBR nor in DOS nor in WINDOWS …

H2OFFT end up as

error.jpg

@klaxklax3 - You have TXE MW FW, you can see that in UEFITool or with ME Analyzer, you need to use TXE V2 FPT, from this thread in section “C2” - Intel Trusted Execution Engine: Drivers, Firmware & System Tools

Please show me image of this error you get >> Invalid firmware image << With stock included H2OFFT-Wx64, I do not see this exact message in iscflash.dll, similar but not exact and there is a few, so I need to see the exact error or you need to confirm which it is
"The BIOS image to be updated is invalid for Secure Flash or current BIOS does not support Secure Flash" << This one, or this one >> Signature Invalid

Dismantle laptop now and get backup made is much better than dismantle laptop later to try and recover with partial BIOS download from the web.
You can’t get full backup with FPT unless you unlock FD First via pinmod, but you might be able to with Universal BIOS Backup Toolkit, try and see (window cannot move, press read, then once it’s done press backup). This may setoff virus warnings for you, ignore or disable before you download and use
https://www.majorgeeks.com/files/details…up_toolkit.html

In my comments, for backing up via programmer and FPT etc, programmer will give you complete BIOS dump, FPT will get you a “BIOS Region” dump.
Region dump is all you absolutely need to recover from failed flash/bad flash ect with your programmer, but you would need to build a complete BIOS file with a stock BIOS Image (FD/ME and then add your BIOS region backup instead of the stock, then program)

You’re “Saving” comments, that’s a function of your hex tool, or whatever you are using to edit the BIOS, completely normal if you’ve set it up that way or that’s it’s default preference/setting
Please edit your posts to add in a new comment, no need for a new post every time you need to add something new, thanks!

For your H20FFT image above, that’s probably/maybe because you’re trying to flash that broken BIOS? Or, you already have V2.x BIOS flashed in the board now? That is V1.19 BIOS you are editing, in case you were not sure.

@Lost_N_BIOS

looks like I finally have all necessary software on my PC …

I believe version 2.x belong to ME Firmware bcz i never had bios other than 1.18 or 1.19

Let me do couple more attempts and will report depending on a result

@Lost_N_BIOS

OK, I have intalled packages

have no idea what to do next but meanwhile I passed couple tests

error2.jpg

@klaxklax3 - From Flash Programming Tool folder, inside that find the Windows or Win/Win32 folder. Select that Win folder, hold shift and press right click, choose open command window here (Not power shell).
At the command prompt type the following command and send me the created file to modify/check etc, and this is the file you should use from now on (redo your edits on this, flash via FPT etc) >> FPTw.exe -bios -d biosreg.bin
Once you dump this file, immediately try to reflash the dumped biosreg.bin back, so we can see what error you get and I can tell you how to get around that so you can flash mod BIOS >> FPTw.exe -bios -f biosreg.bin
Show me image of error if any, if red/size error stop and DO NOT proceed, show me command/error image

V2 on FFT error, must be due to the broken BIOS, that has nothing to do with ME (And if it did that would be wrong too, because you already have V2 ME and are trying to flash BIOS with V2 ME in it too, so unrelated things here)

If you’ll answer my question from post #11 I can tell you how/where to edit iscflash.dll - or is that what you are showing above? If yes, that’s not the original “invalid error” you mentioned earlier/always until now… So as you can see, I still need to know which error you need to bypass.
But, I still say that is broken BIOS too and I would not flash it, but if you want to try I need to know exact error it gives you when you try, then we can bypass.



If someone here is planning to (or has successfully) edited the DLL, maybe sharing it here will benefit others that are blocked by the same issue.
Preferably, modify the latest known version of H20FFT Flash tool (ver 5.74 from 2017). Attaching the file: H20FFT_x86_WIN_5.74.zip to this post, so others can try at the same time I will try to hack the checks out.
if I succeed myself, I will also post it here.

Instead of having to reverse/debug it, do you already know the address of that check?

H20FFT_x86_WIN_5.74.zip (1.56 MB)

@DvL - This needs to be done on a case by case basis, at least for most BIOS packages since the files all differ. But yes, it could be done for that “Standard/stock” Flash package too, but I’m not sure what all BIOS are compatible with that tool anyway, have you flashed anything non-modified with it successfully?
For the version and files you linked, I need to know the exact error you want to bypass, so I can search for it via search instead of manually digging through 100’s of coding blocks (Which I’m not going to do, it’s too tedious)

@Lost_N_BIOS

as expected I get mystic "Error: Signature not found ($IHISI)"

hey, did you succeed in modding the dll?

i could need it :wink:

Where can I find the QA.pfx?

Hi Lost_N_BIOS

First of all, thank you for explaining such useful information which I’ve been searching for months. As you mentioned, no matter what parameter we change in platform.ini. InsydeFlash would ignore them because those parameters embedded inside BIOS.fd so I’ve tried to hex edit fd file to change parameters inside the file but I get error message after computer reboot into BIOS.
----------------------------------------------
InsydeH20 - Secure Flash
Error : Invalid firmware image!!!
Please press any key to reset system…
------------------------------------------------
Then I know for sure, it does checksum before flashing. You also mentioned that modifying iscflash.dll could bypass this error. I use debuging program to search for string “Invalid firmware image!!!” but I can’t find it. Now I come to the dead end.

I hope to hear from you soon.

@Rexkh - Stock BIOS package and model name would help a lot here. If we cannot bypass by editing iscflash.dll, or FPT/H2OUVE flash/bypass then you will need flash programmer.

Here is the BIOS file. If somehow we can force flasher to use parameters from platform.ini instead of from fd file, I would be able to remove the password. Please take a look.

ZQS_218.zip (3.04 MB)

Does anyone have an Alienware M17x R4 A15 unlocked BIOS please?

Thanks.