Lenovo M93p Fan white List Removal.

Hi,

the Lenovo M93p detects, if you switch the CPU fan with another Fan. Maybe through different RPM of the fans or Amps usage.

It beeps twice and displays a error message :https://forumscdn.lenovo.com/old_attach/…469A7621BA9.jpg

YOu can skip it with F2 and use the PC as normal, and also the new Fans will work.

I want to disable this error message.

There is no setting in the BIOS where I can change that.

How can I mod that into the BIOS to ignore this error message and allow any CPU Fans.
I’d be interested in learning how to do that myself and not only get a ready made Bios to flash.

Is there any guide on how to do such changes?

@Spam00r - Dump BIOS chip or both chips if two with flash programmer, then send me the dumps and I will bypass this error for you
I will show you how to do as well

BTW, this is not a fan whitelist, but most likely your new fan RPM starts too low so it sets of warning about fan is dead/dying

We may be able to do via FPT, not sure, you can try below, let me know what you get at step #2 and then we’ll try to bypass

If you have already modified the BIOS in ANY way, you will need to re-flash it back to factory defaults using factory method (NOT FPT)!!!
Additionally, please remove all BIOS passwords, disable secure boot, and disable TPM or Encryption if you have enabled. Do this before moving on to below


If you do not have Intel ME drivers installed, install them now from your system driver download page, then start over here after reboot.
Check your BIOS’ main page and see if ME FW version is shown. If not then > DOWNLOAD HWINFO64 HERE <

Once HWINFO is open, look at the large window on the left side, expand motherboard, and find the ME area.
Inside that section is the ME Firmware version. Take note of the version. (ie. write it down or get a screenshot)

Once you have that, go to the thread linked below, and in the section “C.2” find and download the matching ME System Tools Package for your system.
(ie if ME FW version = 10.x get V10 package, if 9.0-9.1 get V9.1 package, if 9.5 or above get V9.5 package etc)
> DOWNLOAD " ME System Tools " packages HERE <

Once downloaded, inside you will find Flash Programming Tool folder, and then inside that a Windows or Win/Win32 folder (NOT x64).
Highlight that Win/Win32 folder, then hold shift and press right click. Choose “open command window here” (Not power shell! >> * See Registry file below *).

If you get an error, reply to this post with a screenshot of it, OR write down the EXACT command entered and the EXACT error given.

((If “open command window here” does not appear, look for the “Simple Registry Edit” below…))

Step #1

Now you should be at the command prompt.
You are going to BACKUP the factory un-modified firmware, so type the following command:
Command: " FPTw.exe -bios -d biosreg.bin "

>> Attach the saved "biosreg.bin ", placed into a compressed ZIP/RAR file, to your next post!!! <<

Step #2

Right after you do that, try to write back the BIOS Region dump and see if you get any error(s).
Command: " FPTw.exe -bios -f biosreg.bin "
^^ This step is important! Don’t forget! ^^

If you get an error, reply to this post with a screenshot of it, OR write down the EXACT command entered and the EXACT error given.

Here is a SIMPLE REGISTRY EDIT that adds “Open command window here as Administrator” to the right click menu, instead of Power Shell
Double-click downloaded file to install. Reboot after install may be required
> CLICK HERE TO DOWNLOAD CMD PROMPT REGISTRY ENTRY <

If the windows method above does NOT work for you…
Then you may have to copy all contents from the Flash Programming Tool \ DOS folder to the root of a Bootable USB disk and do the dump from DOS
( DOS command: " FPT.exe -bios -d biosreg.bin " )

At step 2 I get Error:

Error 280: Failed to disable write protection for the BIOS space!

But Step 1 worked fine.

Bios Dump attached.

I hope we can do it via software. Using the Bios Dumper is a pain in the ass and I wanna avoid that.

I tried following that guide: [GUIDE] Grub Fix Intel FPT Error 280 or 368 - BIOS Lock Asus/Other Mod BIOS Flash

But there is no “BIOS Lock” variable inside the Setup module.

biosreg.rar (4.17 MB)

@Spam00r - From this thread - Lenovo M92p Q77 Tower BIOS Bricked - Recovery with CH341A Programmer SUCCESS.
You have FD/FDO/ME/Service/management 2-3 pin jumper on this model correct? Or is that only on the M92? If there is jumper on here, put it on, reboot to windows 2-3 times as you mentioned in 2019, then try #1-2 again and see if pass or not.
Also, before you do that, you can also test if your current BIOS has S3 sleep bug. Put system to sleep (S3, not hibernate) for 1+ minute, then wake it up and try #1-2 again and if #2 passes we can use this method to flash in mod BIOS, if not, see about jumper

Yes the Board has the ME Jumper. And the S3 Bug does work but with older BIOS only.

I read somewhere that BIOS older than 2014 don’t even have BIOS Lock. So theoretically I would be able to just Downgrade to an older BIOS from 2013 and then be able to flash from within Windows.

For Thinkpad Laptops, there is a project that exploits this: https://github.com/n4ru/1vyrain

Which BIOS fixes this vulnerability can be found here: https://support.lenovo.com/in/de/product…%3Fp&source=psa

For Thinkcentre M93p its BIOS Version: FBKTA5A

So older BIOS Versions have the S3 Bug.

But the script does not support Thinkcentre Boards.

Without an automation script like 1vyrain, I don’t feel comfortable to exploit the S3 Bug right now, as this is my production system right now and I need it daily and cant risk it getting it bricked. I’ll have more PC’s available in a few weeks time and then might try tinkering with it. But I first need some useful usecase to start tinkering with the BIOS.

Remember when you fixed the BIOS for me and after that I was able to flash from within Windows?

Can you remember which BIOS version you used that you linked in this Post of yours: Lenovo M92p Q77 Tower BIOS Bricked - Recovery with CH341A Programmer SUCCESS.

I can’t figure out, why I was able to flash with FPTW after using that BIOS.

I remember that after I flashed that BIOS with the hardware programmer, I could write bios with FPTW. But after that I used FTPW to flash the latest Stock BIOS and then I think I forgot that flashing the Stock BIOS would also LOCK the FD again and after that I could not flash with FTPW anymore due to BIOS LOCK.

But you also wrote that you didn’t unlock the FD in that file. But I think I unlocked the FD myself. I remember setting the FD Unlock Bits in hex editor myself using the tutorial you linked.

Is it correct that with even the ME Jumper set, the BIOS Lock will be inplace and we would need to set the FD Bits first to be able to unlock the BIOS and write it.

I remember that after flashing the Stock BIOS again, I was not able to flash any Modded BIOS wether the ME Jumper was set or not.

The ME Jumper is not the Problem but what scares me is to have to use the hardware flasher, because the BIOS chips are so thin and it is so difficult to get a grip on them with the SOP CLip.

I’m 100% sure that I was able to Flash BIOS with FPTW , but I’m unsure why. Was it because you or I unlocked the FD, or because you used an older BIOS version that had no BIOS Lock? Or Was it because The BIOS that you used had the S3 Bug?

Having a script like 1virain also for Thinkcentres will make thinks much easier.

WHat do you make about what I wrote about not having “BIOS Lock” variable inside the Setup module? How can we disable BIOS Lock in this BIOS then? Is the method described for Asus not possible with this BIOS?



EDIT: I also noticed that the Setup IFR has:

0x3D74E Suppress If {0A 82}
0x3D750 QuestionId: 0x102 equals value 0x1 {12 06 02 01 01 00}
0x3D756 One Of: ME Flash Descriptor Override, VarStoreInfo (VarOffset/VarName): 0x90, VarStore: 0x1, QuestionId: 0x43E, Size: 1, Min: 0x0, Max 0x0, Step: 0x0 {05 A6 FD 02 FE 02 3E 04 01 00 90 00 14 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00}
0x3D77C Default: DefaultId: 0x0, Value (8 bit): 0x0 {5B 0D 00 00 00 00 00 00 00 00 00 00 00}
0x3D789 One Of Option: Disable, Value (8 bit): 0x0 {09 0E FF 02 00 00 00 00 00 00 00 00 00 00}
0x3D797 One Of Option: Enable, Value (8 bit): 0x1 {09 0E 00 03 00 00 01 00 00 00 00 00 00 00}
0x3D7A5 End One Of {29 02}


So we might be able to change FD via EFI Shell.

@Spam00r - Well since Jumper and S3 bug here, mod BIOS can be flashed back in either of those ways. If you are on newer BIOS that does not have the S3 sleep bug, then we just use ME Jumper
For the S3 sleep bug thing, there is no script or exploit we’d need to run/use, simply sleep for 1 minute, wake and then do our FPT thing and that is all.

I have a folder for you in M93p folder, but I don’t have any older folder named for you, but I do have a CH341A dump folder from 3/19/19, maybe that was you/us?
In there I also have a compiled, FD unlocked 12MB file (also 4/8 split), but unsure what/who’s this is (MAC ID 44:8A:5B:A7:13:71, you can check if this is you that way)
I can’t tell from that folder what was being done though, except unless BIOS recover/NVRAM replacement etc (looks like that was main goal of this folder), so not sure if it was us working on what you mention above or not.
If this was you, and that was the unlocked BIOS etc, just program that back in, or let me know and I can edit this first, then you program it back in again.

Yes, if we unlocked it, and then you could use FPT without sleep bug or jumper, then you’ll have to find that BIOS. And yes, if you flashed stock BIOS after that, and FD was written over or BIOS lock enabled again then all would be locked once more.
Can you link me to that thread where this happened, maybe it will help my locate exact files on my end?

BIOS region can be locked by FD, or BIOS Lock settings, or BIOS lock in an actual module, so various ways. Generally FD does not lock out BIOS region, so it was likely all in a BIOS setting
I just checked, not a BIOS setting, so we must have edited out actual BIOS Lockout in a module, or simply overridden it with ME Jumper (it’s rare I can find and remove lock when in a module, sometimes I can but I don’t see any evidence of doing that in this folder)

ME ME Flash Descriptor Override = same as using jumper, and that (jumper) is ideal method to flash mod BIOS here if you are on BIOS that is not affected by the S3 sleep bug
This is temporary if/when set in BIOS, although it could be hard set, but that’s not ideal especially when you can just use jumper.

The only stock BIOS I have in this folder is fbjyd4usa

Don’t let flash programmer scare you, yes, sometimes it’s a pain to use, but it shouldn’t be scary

Also, looking at the error module, and due to the way this is split between assembly file and unicode text module, I cannot tell for sure which error is which to bypass, so we’d need to test one by one or bypass them all at once.
So that itself may be an issue for you too due to your concerns and BIOS flashing etc, especially if you can’t get into easily flashable FPT state via Jumper or S3, or programming back in unlocked BIOS.
It may be best for you to order a fan with the original fan’s same RPM’s, or an exact/similar model replacement so the error does not happen

The post you sent me the files in was: Lenovo M92p Q77 Tower BIOS Bricked - Recovery with CH341A Programmer SUCCESS.

That was an M92p.

I have not sent you any dumps from a M93p system except in this post above.

I see several ways to disable the FD on this system. I think the EFI Shell is the easiest way for me. I might try it.

How would you disable or skip a error message in the BIOS? Can you explain it. I’d like to know how you can do it.

I thought you also discussed and we edited M93p in that thread too, no? And I thought you also confirmed this in post #5 here too, you said we edited/unlocked and you FPT flashed etc?
For the errors, generally speaking I find the error in BIOS module, extract that, then in assembly make it so it bypasses the error no matter what. Do you have any experience with assembly?

I was referring to M92p when I talked about flashing via FPT. I never edited the M93p BIOS as my M93p systems all run smoothly.

Yes I have experience in Assembler and do work with IDA occassionally.

I know what and how I would have to change the assembler code in an hex editor.

But I wonder how you would find the correct jump instruction to change?

That’s the key question here.

I checked the code in IDA but couldn’t find a useful way to find the correct address.

I’m continuing a bit from where OP left of. I am yet to be able to actually flash a bios but before I go further with that, I was wondering if there’s anyone here who could actually help remove fan detection from the M93p (Tiny) BIOS?