Lenovo Ideapad 720s-13IKB Me Firmware Re-Flash Bios Option

Hello! I bought a Lenovo Ideapad 720s-13IKB, BIOS version 5SCN38WW a month ago and it’s been a pretty great machine. However, I installed an Intel Management Engine Firmware update from the official website and it somehow crashed right at the end of the procedure. Now, my laptop takes 30 seconds to POST and get to the Lenovo splash screen, and I can’t install the MEI software, but anything else seems to be fine. I created a thread on the Management Engine topic, and @plutomaniac suggested that I need to enable an option in my BIOS called “Me FW Re-Flash”. I followed this tutorial and I was able to get a PE32 image text file using Universal IFR Extractor, and I also found inside the text file, on line 16684 something called “Me FW Re-Flash”, but the value after VarStoreInfo is 0x3, and I can’t use it for unlocking the option using a GRUB flash drive. Is there a way to unlock this specific option or, even better, unlock all BIOS settings? These are the two files I have:
1. 5SCN38WW.bin file, which I have from @plutomaniac ;
2. the PE32 text file from my BIOS dump (I used FPTW and applied the “fptw.exe -d bios.bin” command to get a Bios dump).
Thank you very much for any help!

bios.rar (5.08 MB)

pe32.txt (1.59 MB)

@marianFCBT - The first problem here will be writing back mod BIOS, if you can’t use grub/setup_var (May be able to use H2OUVE instead though)
Can you do this, dump BIOS region with FPT, and tell me what error you get >> FPTw.exe -bios -d biosreg.bin

Right after you do that, try to write back the BIOS Region dump and see if you get any error, if you do show me image of the command entered and the error given >>
FPTw.exe -bios -f biosreg.bin

So, at grub prompt, what happens when you type >> setup_var 0x3 0x0

Ohh, never mind, I see this same VarOffset/VarName is used for several items. This will have to be done either by mod BIOS reflash, or by using H2OUVE and dumping the vars, editing, then programming back
Do the above with FPT and let me know, later tonight when I get back I will let you know if we should try FPT flash first and how to make it possible, or I’ll give you info on how to dump the vars with H2OUVE

Unlocking BIOS, we can figure out after you get the ME stuff sorted out.

Hi, and thanks for the input! When executing the " FPTw.exe -bios -d biosreg.bin" command I get the "Memory dump complete. FPT Operation Succesful" message, so no problems here.


Indeed, there are more 0x3 values and, as a consequence, the "setup_var 0x3 0x0" command doesn’t work. I tried the "setup_var2 0x3 0x0" command, and it reported "Operation successful", but the new option didn’t show in my BIOS. I’ve read several posts online where people such as @BartoszB had much worse problems, like not being able to even boot from other devices or the laptop hanging at the boot screen and so, I really hope that my problem isn’t that severe and that we can fix it through software. Thank you very much for help, and I’ll wait for your response, @Lost_N_BIOS !

Still waiting on you to try writing back BIOS region using FPT >> FPTw.exe -bios -f biosreg.bin

What error do you get? Set BIOS sleep mode to S3, go into windows, put system to sleep (S3, not hybrid), wait one minute, wake up system and try FPT flash of BIOS region again, now what error do you get?

Please download this package, keep everything in original folders, and for the text outputs when you send those back to me, rename each one to the version folder that created it (so we use same version to write back, that originally created the dump)
http://s000.tinyupload.com/index.php?fil…391605444324174

Run the following commands from each of the versions folders and see if we can get any output files. Rename all vars.txt to each version name that made it, or shortened name (like 9.2.txt 16.8.txt etc)
H2OUVE.exe -gv vars.txt
H2OUVE.exe -gs -all Setup.txt

If you don’t know how to run command prompt from an exact folder location easily >> Select the version folder you want to run, with the exe immediately inside the folder, with the folder selected hold shift and press right click, choose open command window here (Not power shell).

If you are stuck on Win10 and cannot easily get command prompt, and method I mentioned above does not work for you, here are some links that should help
Or, copy all contents from the Flash Programming Tool \ DOS folder to the root of a USB Bootable disk and do the dump from DOS (FPT.exe -bios -d biosreg.bin)
https://www.windowscentral.com/how-add-c…creators-update
https://www.windowscentral.com/add-open-…menu-windows-10
https://www.laptopmag.com/articles/open-…ator-privileges

Hello! Sorry for responding so late, I was really busy yesterday.


After I write this command, I get this message :"Error 368: Failed to disable write protection for the BIOS space.
FPT Operation Failed."


Sadly, my BIOS does not have this option, so I don’t know if my sleep mode is already set to S3 or not. I will try to run the H2OUVE commands you sent me though. Thank you for help, and sorry I made you wait so much!

EDIT: I found this "powercfg -a" command online, ran it in a Command Prompt and it reports the following:
"The following sleep states are available on this system:
Standby (S3)
Hibernate
Hybrid Sleep
Fast Startup"
I checked my power options and it seems the "Allow hybrid sleep" is set to off, so I will try to run the FPTw.exe -bios -f biosreg.bin command again.

EDIT 2: After resuming my laptop from sleep, I get the same error when running the fptw command.

-------------------

Hello again! I’ve run the H2OUVE commands on each version you sent me, and these are the results:
On version 100.00.9.2:
1. Running the first command doesn’t give any errors (I attached the text file)
2. Running the second command gives me this error:

C:\Users\Marian\Desktop\H20UVE\H20UVE_100.00.9.2\H2OUVE_100.0.9.2\H2OUVE>H2OUVE.exe -gs -all Setup.txt
Insyde H2OUVE (UEFI Variable Editor) Version 100, 0, 9, 2
Copyright (c) 2012- 2013, Insyde Software Corp. All Rights Reserved.
 
Can't open data file ""
Failed!!
Error: invalid parameter
 


On version 100.00.16.08
No command works on this version. When I try to run either of them, I get a popup saying: "This app can't run on your PC" and, in Command Prompt I get a message saying: "Access denied". (even though I ran the command prompt as administrator)

On version 1.0.0.11 - beta 4:


Running the first command gives me a text file which only contains the date and hour I've executed it, and running the second command doesn't output any text file or even a message in the command prompt.

I hope this information is going to help you!

9.2-cmd1.txt (140 KB)

No worries about being late, no one is in a hurry here and I’m only around certain times too.
Please edit your posts if you want to add more info, especially if it’s been a short while and no one has replied - thanks

Error 368 is easily overcome, so if needed we can do that and FPT flash in a mod BIOS.

Yes, S3 mode is enabled, but I can’t tell if when AC Power connected if S4/S5 also enabled, same for battery only mode. You may need to test with and without AC connected, and without AC and only battery. Just don’t choose Hibernate or Hybrid in windows option, choose Sleep/Standby (S3)

Please put that txt file in a zip so I can download it, and yes, this is what we’re looking for. I will edit it, send it back to you, and tell you how to write it back to the system, how to confirm that, and then you reboot and test.
For this edit, I will disable BIOS Lock (giving you the 368 error) and I will enable ME Re-Flash too. So, once you reboot after that, you’ll be able to FPT flash BIOS region, and do your ME Re-Flash via FPT.
Don’t reflash BIOS region first though, or you’ll have to redo the vars write again to unlock it again.

* Edit - Please also, do the grub / setup_var (original) for me, and show me image, and then do setup_var2 and var3 and show me image there too.
Please only enter the command to make the edit once per each setup_var version run, that way I can read all the info on-screen, so I can find the right GUID or Custom value etc.
Put these three images in a zip, thanks

Hello back! Sorry for the quality of the photos. I hope they are readable enough, my phone’s camera has seen better days!

important stuff.rar (3.97 MB)

Looks good, just the info I needed, thanks. Except looks like you didn’t use the correct grub for setup_var3 - https://github.com/datasone/grub-mod-setup_var/releases
Try again with that one, and send me image too

Hi! I’ve run the setup_var_3 command, and this is the result (I split the result in two photos, to increase the overall quality of the text).

setup_var_3.rar (3.35 MB)

@marianFCBT - Thanks, almost got it on Var3 I think. But, I guess all those are showing already set to 0x0 anyway, so it would fail even if it could write to EFI.
We’ll get it with H2OUVE!

Wait!! We are wanting to set 0x1 to enable this setting, not 0x0. Try var2 and var3 again with 0x1 to enable ME FW RE-Flash. I assume this will fail too, but maybe it’s only failing due to already set to 0x0
Sorry about this, it’s my fault I gave you wrong instruction above, I’m used to disabling a setting usually. I doubt it will matter though, I expect same error, but do go ahead and try this before using below


Here, write this back using the command below, then immediately dump the vars again using command below with new name, so we can double-check it wrote in the changes correctly.
After you write vars back, and get this new dumped vars send it to me and wait, DO NOT reboot the system until I give you the go-ahead.
http://s000.tinyupload.com/index.php?fil…729227144815467

Be sure to use exact version that was used to create this vars.txt
Program back in >> H2OUVE.exe -sv 9.2varsM.txt

Once done, dump again via >> H2OUVE.exe -gv 9.2redumpvars.txt

Then, do not reboot until I checked this file and gave go ahead

Once you get here, and I tell you to reboot, then ME FW will be disabled, so fan may spin at 100%, memory or CPU may run at wrong speed etc. This is all normal/expected, so don’t freak out.
Once we are at this stage, and you’ve rebooted and all OK, then you can shut down anytime you want. I will create you new BIOS if you want, with BIOS Lock disabled and FPRR disabled by default (Forgot to disable this in above vars edit)
Anyway, first you will need to reflash the ME with your prepared ME FW file (I assume plutomaniac made for you, correct?) This is done via >> FPTw.exe -me -f MEfilename.bin
Follow that command once it’s done with this one >> FPTw.exe -greset

Then system should reboot, if not you can reboot it and then shut down. If it didn’t reboot by itself with greset command, then shut down, remove main battery and power cable, then press and hold the power on button for 10-15 seconds, then let system sit for one minute without power.
Then you can put battery back, plug in PSU and boot system. At this point ME FW will still be disabled, due to ME FW reflash setting enabled.
To fix this, you can either program back in original vars.txt, or let me make you a new one with FPRR disabled too, then I can disable BIOS Lock/FPRR in a mod BIOS, you can FPT flash that mod BIOS in, and then these will always be disabled (Until you ever reflash a stock BIOS again)

@Lost_N_BIOS Here are the photos I took by using the “0x3 0x1” parameters. In the case of setup_var2 and setup_var_3, now the end result is “Operation successful”, but the GUID values seem to match with the ones I’ve already sent you, so I will go ahead with using H2OUVE.

0x1.rar (3.29 MB)

GUID values will always remain the same, this tells you what entry it’s editing (like what vars - variable store)
For instance, in the vars I edited, there are two setups, one setup and one “custom” so I edited both as needed there (For BIOS Lock), and for the ME re-Flash this is stored in other GUID/Var called MESetup and another similar custom.
So I edited 4 var entries for the same changes it’s trying to make with setup_var2/3, only for that one setting only (ME FW RE-Flash) it only needs to edit the two GUID’s shown immediately below (No edits for this in setup or its custom, but it’s OK that it makes a change there)
ME example below, since it’s much smaller than the setup ones

[02B] MeSetup
GUID: 5432122D-D034-49D2-A6DE-65A829EB4C74
Attributes: 0x7
DataSize: 0x2D
Data:
00000000: 02 06 00 00 00 00 00 01 00 00 01 00 00 00 00 01 << target we change for ME FW Re-Flash (variable 0x3)
00000010: 01 00 00 00 01 02 00 00 00 00 00 00 00 00 00 00
00000020: 00 01 01 00 00 00 00 00 00 00 00 01 01

Also >> [01D] Custom
GUID: 5432122D-D034-49D2-A6DE-65A829EB4C74
Attributes: 0x7
DataSize: 0x2D
Data:
00000000: 02 00 00 00 00 00 00 01 00 00 01 00 00 00 00 01 << target we change for ME FW Re-Flash (variable 0x3)
00000010: 01 00 00 00 01 02 00 00 00 00 00 00 00 00 00 00
00000020: 00 01 01 00 00 00 00 00 00 00 00 01 01

The “Setup” GUID’s are below, you’ll see these and the one above in your setup_var images
GUID: 4570B7F1-ADE8-4943-8DC3-406472842384 = Custom
GUID: A04A27F4-DF00-4D42-B552-39511302113D = Setup


Var2 and Var3 are not helpful images, I need to see full output on each. I don’t see success on either var2 or var3 images

However, if you did not get any errors, and it reports back value is now 0x1 then it’s changed.
You can do setup_var2 variableonly (no setting value after variable) or var3 variableonly and it will give you current values (Example >> setup_var 0x3)
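An offline check for the "write the vars, dump again, compare before rebooting" step and for the dump layout quoted in the post above, as an added example that is not part of the thread or of any tool mentioned in it: it parses two dumps and lists every byte that differs, so an unintended change is visible before a reboot. The text layout is assumed from the excerpt in the post, and the "after" dump is constructed for illustration.

```python
import re

ENTRY_RE = re.compile(r"^\[[0-9A-Fa-f]+\]\s+(\S+)")   # e.g. "[02B] MeSetup"
HEX_RE = re.compile(r"^([0-9A-Fa-f]{8}):((?:\s+[0-9A-Fa-f]{2})+)$")

def parse_vars(text):
    """Return {(name, guid): bytes} for each entry of a vars dump."""
    entries, name, guid, size, data = {}, None, None, None, bytearray()

    def flush():
        if name is None:
            return
        if size is not None and size != len(data):
            raise ValueError(f"{name}: DataSize {size:#x}, parsed {len(data):#x} bytes")
        entries[(name, guid)] = bytes(data)

    for raw in text.splitlines():
        line = raw.split("<<")[0].strip()   # drop hand-written "<< note" annotations
        if m := ENTRY_RE.match(line):
            flush()
            name, guid, size, data = m.group(1), None, None, bytearray()
        elif line.startswith("GUID:"):
            guid = line.split(":", 1)[1].strip().upper()
        elif line.startswith("DataSize:"):
            size = int(line.split(":", 1)[1], 16)
        elif h := HEX_RE.match(line):
            if int(h.group(1), 16) != len(data):
                raise ValueError(f"{name}: gap before offset {h.group(1)}")
            data += bytes.fromhex(h.group(2))
    flush()
    return entries

def diff_vars(before, after):
    """List (name, guid, offset, old, new) for each byte that changed."""
    changes = []
    for key in sorted(before.keys() | after.keys(), key=str):
        old, new = before.get(key), after.get(key)
        if old is None or new is None or len(old) != len(new):
            changes.append((*key, None, old, new))   # entry added, removed or resized
            continue
        changes += [(*key, i, a, b) for i, (a, b) in enumerate(zip(old, new)) if a != b]
    return changes

def unexpected(changes, intended):
    """Changes that are not in the intended set of (name, offset, new_value)."""
    return [c for c in changes if (c[0], c[2], c[4]) not in intended]

# "Before" is the MeSetup entry as quoted in the post; "after" is constructed
# for this example by setting the byte at offset 0x3 to 01.
BEFORE = """[02B] MeSetup
GUID: 5432122D-D034-49D2-A6DE-65A829EB4C74
Attributes: 0x7
DataSize: 0x2D
Data:
00000000: 02 06 00 00 00 00 00 01 00 00 01 00 00 00 00 01 << target (variable 0x3)
00000010: 01 00 00 00 01 02 00 00 00 00 00 00 00 00 00 00
00000020: 00 01 01 00 00 00 00 00 00 00 00 01 01
"""
AFTER = BEFORE.replace("02 06 00 00", "02 06 00 01", 1)

if __name__ == "__main__":
    for name, guid, off, old, new in diff_vars(parse_vars(BEFORE), parse_vars(AFTER)):
        print(f"{name} {guid} offset {off:#x}: {old:#04x} -> {new:#04x}")
```
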

So, I ran the two commands, and here are the results!
Running the first command was successful, I got the following message: “Flash complete. Successful save variable from “9.2varsM.txt” to rom”.
Running the second command gave me the file I uploaded.
Hopefully everything worked just fine! I’ll wait for your input to know if I can reboot or not!

9.2redumpvars.rar (23.2 KB)

Please do not reboot. You have not sent me the new vars dump to check! >> Once done, dump again via >> H2OUVE.exe -gv 9.2redumpvars.txt
* Edit - I see it now, please wait, I didn’t see anything attached at first

* Edit - please wait, I see error, new vars coming for you to flash and then redump again, then it should be OK
* edit - @marianFCBT - sorry about that, I missed one! Here, redo same as before, flash vars, then dump with new dump name so you know it’s new one.
If BIOS lock is still enabled it’s OK, I left it in one entry for now because I was not 100% sure, if it’s still enabled then we can unlock it later with FPRR one too (if needed)
http://s000.tinyupload.com/index.php?fil…575704727225636

Once done, send me new re-dump and I’ll check.

Here is the new var dump I made:

9.2redumpvarsNew.rar (23.2 KB)

Looks good, you can reboot now and test if you can flash ME via FPT >> FPTw.exe -me -f mefilename.bin

Sorry, but I have to run for now, will be back tomorrow night. Hope all goes smoothly!!

Do not try to press forward with FPT if you are unsure about anything, or get any red or size errors, just stop there and wait for help or you can brick the board.

* Edit @marianFCBT - Hey, you know what! Sorry, I don’t think I ever asked you at the beginning what error you were getting with FPT when trying to write ME Region.
ME Re-Flash setting is not for allowing ME reflash via FPT, this is to allow it via ME FW Update tool, and that only works if your ME FW is not corrupted, so changing this setting has nothing to do with you being able to (or not) write ME FW region via FPT.
The only thing stopping you from that is possibly FPRR, which I didn’t change.

Please show me what error you get with FPT when trying to flash ME Region, then we’ll go from there. Very sorry I didn’t think of this until now!

Hey, @Lost_N_BIOS ! I was getting, and I still get the "Error 451: The host CPU does not have write access to the target flash area. To enable write access for this operation you must modify the descriptor settings to give host access to this region. FPT Operation Failed. " Sadly, I still get this error, even though I didn’t get any error when flashing the vars.


You don’t need to be sorry! I didn’t know that FPT requires a healthy ME Firmware, and I’m not in a hurry anyway, so thanks for your response and, if you will have the time, maybe we will fix this problem!

@marianFCBT - Thanks, I just tried to find your original post, where you and plutomaniac had discussions and I can’t find it. He’s great at ME, so he would have known this ME Re-Flash would not help in this situation, unless he just forgot accidentally which he usually never does with ME stuff.
FPT doesn’t require a healthy ME FW, but ME FW Update tool does (which is what you enable ME FW Re-Flash to use). Since your ME FW is corrupt, you can’t write to ME FW w/ ME FW Update tool, thus ME FW Re-Flash option will be of no use here to fix this.

What you need is FPRR disabled, and this may or may not easily be done via the settings only. There is a setting for this, but there is also sometimes BIOS modules that this lock needs edited out of, so you may not have anything you can do except purchase flash programmer and SOIC8 test clip with cable.
vars writing has nothing to do with Flash Protected areas covered by Flash Protection Range Registers (FPRR). Sorry again I didn’t notice and ask about this error at beginning, I assumed you spoke with Plutomaniac as mentioned, and he correctly told you what was needed here, I didn’t realize until later this was wrong.

Please first try changing this variable via grub w/ setup_var (normal) >> setup_var 0x612 0x0
Only use regular setup_var grub, don’t use the var2/var3 one. Then if same error (Can’t write to efi), just do below. If you do not get this error, then go ahead and reboot and try to FPT flash ME region only.

If you do get same error above, please program in this vars and dump back for me, then once I check reboot and try FPT flash of ME region only again and show me error (if still same, one more I can change I think)
This is to disable BIOS Lock and FPRR only (variables 0x17 and 0x612)
http://s000.tinyupload.com/index.php?fil…417965659964659

@Lost_N_BIOS Hi, I’ve tried running the setup_var 0x612 0x0 command from GRUB, but I got the same “Can’t write to efi” error. I flashed the variables you sent me, and I dumped the file I attached. I will wait for your response to know if I can restart or not!

BL-FPRR_dump.rar (23.3 KB)

Lost,

The original thread is found at Corrupted Management Engine Firmware on Lenovo Ideapad 720s-13IKB. You’ll see there that the laptop is brand new so a programmer might not be a good idea while warranty exists.

Also, ME Re-Flash BIOS option is exactly what is needed here as it temporarily unlocks FD access for servicing. But as I’ve explained at the FD unlock guide, it may not work in some cases because the BIOS option was never tested or intended to be used by the OEM or it gets reset to default at every boot etc. Just wanted to clarify that.