Lenovo P50 Bricked by BIOS update

@Lost_N_BIOS Would you please give me a hint which areas you mean? I identified the first volume with the 2 VSS2 stores, the FTW store and the EVSA store as NVRAM. Where can I find other parts of NVRAM?

bios.jpg



Otherwise you have possibly read this document, nice explanation of P50 EC firmware update process: https://i.blackhat.com/USA-19/Thursday/u…-Controller.pdf

@IanP50 Chip for ME would possibly be MEC1653 (BGA chip?)

@lfb6 - I’m talking about the VSS2 expandable stores, above what you are showing expanded in that image (And then non-expandable VSS2 only in bricked, other users known good dumps, or stock BIOS etc)
I have not seen/looked at the BIOS you are showing there, in the two VSS2 at top, is there PCHSetup entries?

Thanks for link at blackhat, I will check. That’s usually about hacking, and hopefully his EC FW is on SOIC chip, if his EC FW is messed up

ME FW is in the main BIOS chip only, so no other chip. Not sure what you meant about MEC1653, but if there is a chip there it’s not ME FW

@IanP50 - Did you test this graphics/monitor thing, before you updated to 1.62 BIOS?
If not, go back to older BIOS, and check, maybe it’s a BIOS bug, or some changed hidden or visible setting in BIOS is different than in the older BIOS you were originally using

@Lost_N_BIOS MEC1653 is mentioned as chip for EC in the blackhat pdf- MEC1653 picture

The complete NVRAM stores were different with a masses of ‘invalid’ VSS entries after using stock bios without using the bytes following “LNVBBSEC” and “INVALIDINVALID” Those bytes were restored before updating to 1.62. NVRAM has still a lot more ‘invalid’ VSS entries than bricked and found good bios.

(Successfull) Steps were:

1.) Stock bios 1.59 with empty NVRAM (FD, ME, GbE from bricked bios) NO bytes following “LNVBBSEC” and “INVALIDINVALID” changed, all FF

1111.jpg



masses of ‘invalid’ VSS entries

2.) Dumped bios 1.59 with freshly populated NVRAM VSS2 stores. EVSA store from bricked inserted. NO bytes following “LNVBBSEC” and “INVALIDINVALID” changed, all FF

3.) Newly dumped bios 1.59, now “FB” after “LNVBBSEC” and “15 DF 01 49 81 B0 29 8D 69 F5” after “INVALIDINVALID” put in place.

4.) Update to 1.62 after all seemed to work. BUT still large differences in NVRAM structure.

That’s the reason why I proposed to try with the ‘Good bios’ region with transfered personal EVSA store and original sequences LNVBBSEC"FB" and "INVALIDINVALID “15 DF 01 49 81 B0 29 8D 69 F5”. That’d be anyway version 1.59, would have a working NVRAM and all individual information from IanP50s laptop.

That’d be “Good_BIOS_region_own_EVSA_PAD.zip” from #78 and “p50_desc_gbe_me.zip” from #11

Wow, you guys have been busy. Sorry it’s taken a while to respond, but I had to strip it down to the bare motherboard to go hunting for eeproms. I think I may have found it though. See attached file for the dump. It was a SOIC package, slightly smaller, but my programming clip fitted fine.

@Lost_N_BIOS - Followed your procedure for removing the Nvidia driver/device, but the result was the same. Still get error code 43. Same error in Event Viewer also.

No, I didn’t think to test the external monitors before updating to 1.62. I’ve just flashed the bios back to 1.59 as requested by lfb6, but no change.

@lfb6 - I combined ‘Good_BIOS_region_own_EVSA_PAD.zip’ from #78 and ‘p50_desc_gbe_me.zip’, flashed to the chip, but still no change. All boots up fine, but same error (Code 43) with the Nvidia GPU in Device Manager.

Thanks,
Ian.

W25Q80BLNIG_dump.rar (161 KB)

@lfb6 - OK, yes, that may be EC FW in that chip, but not ME FW. If it is as they say, then CH341A can’t be used, unless method is outlined there to use it via ribbon cable or otherwise

Stock BIOS that has not been powered up is not ideal to look at for what we’re discussing, since it’s empty and unpopulated, please look at BIOS post-power on, or other users dumps etc.
Then you will see what I mean about NVRAM stores usually in there, inside the expandable VSS2 volumes.
Invalid entries are not of concern, those will be replaced/removed as NVRAM is populated, entries are rebuilt, BIOS is used etc.
However, since you mentioned this at #1 above, with that image, I don’t see any (invalid entries) there, so not sure why you mention this?

#4 - NVRAM will always look different, as you use the system it’s rebuilt, stuff swaps around, stuff deleted/replaced/tossed out/marked invalid etc.
So this is nothing to worry about.

See ME FW question below

Here, in last post, confirmed working BIOS dump, with clean ME FW, but costs $3 to download (I don’t have membership)
https://vinafix.com/threads/thinkpad-p50…51.26576/page-2

Schematic and other paid downloads here
https://bios-fix.com/index.php?threads/l…bios-bin.37480/
Unsure of prices to join, how long etc, because you can’t see any of that until you join and login, then you upgrade account via below to download stuff
https://bios-fix.com/index.php?threads/h…-account.26821/

@IanP50 - Thanks for confirmation on all that, bummer to hear going back to 1.59 didn’t help. That may mean it’s an EC FW issue, hopefully the chip you found is EC FW and it’s not the chip lfb6 found at the blackhat guide
Bummer! That is KBC FW, not EC FW. It looks OK. So, that guide lfb6 found is probably correct, and you can’t flash this chip easily. If it’s even part of the issue?
All I know for sure is sometimes EC FW is updating during BIOS flash, and your system bricked during BIOS flash, so it could have been during, or before that and EC FW is messed up.
Likely not before, otherwise if it was that, and OK, and this was the issue, then flashing back in 1.59 would solve it

All below, from the PDF lfb6 linked above (Matthew Chapman link on page 21)
It says here, that EC FW is updated after BIOS, so if/when brick, that may not have happened, or may have been cut off mid-way etc, no way to know without looking at contents
http://zmatt.net/unlocking-my-lenovo-laptop-part-2/

Discussion of how to dump/flash the EC FW via JTAG is there at same area (near bottom)
https://ascnb1.ru/forma1/viewtopic.php?f=70&t=109179

From here, we now see method to update EC FW via windows!
This is done with Lenovo stock tools and stock EC FW .FL2, so we can reflash this just to be sure all is OK, without even having to check it’s current contents.
Do this while on 1.62 BIOS, with .FL2 from 1.62 package
http://zmatt.net/unlocking-my-lenovo-laptop-part-3/

Do you notice any other issues? Such as fan speeds high always, Memory speed or timings off?
Maybe ME FW is messed up. Did you guys clean ME FW, if yes, what ME FW was used as base? << lfb6?w

Speaking of ME FW, Did you update the ME FW yourself in “BrickedP50” BIOS?
If yes, how did you do that, what method, and was it OK/bootable after that, before the BIOS bricked?
Generally stock BIOS/ME does not contain “Latest” ME FW, and your stock package does not even contain ME FW at all,
But this bricked BIOS has latest ME FW, so I assumed you updated it, in some manner, at some point.

@Lost_N_BIOS Didn’t mention ME in the last posts?

ME Fw isn’t cleaned, results of MeInfo -fwsts, MeInfo -verbose, MEMAnuf -verbose are in #49.

ME update is offered bey Lenovo, link, using FWUpdLcl



@IanP50 Very sorry to hear that, I hoped it could have somthing to do with improper hardware initialisation…

I don’t think that either EC firmware update or cleanimg ME will resolve this issue , but it’s certainly worth a try.

@lfb6 & @Lost_N_BIOS - It’s staring to look like this is a hardware problem. I guess there’s nothing to lose by flashing the EC firmware.

Even if we can’t get the discrete GPU and/or external video ports working, we should be proud that we managed to bring it back to life as far as we have.

Thanks,
Ian.

@IanP50 Thank you.

Seems that Lenovo changed their flash environment to efi. I can’t make the tools in the Windows package working, they claim they need a (newer) Phoenix bios and refuse to give even the help text. Syntax seems familiar from older Phoenix tools though…

What I could extract from iso attached, maybe Lost_N_BIOS has another good idea!

cd1 - Copy (2).zip (1.19 MB)

@lfb6 - I was just asking if you did ME FW ever, cleaned it, and if so what did you use as base etc.
MEinfo reports don’t always show issues, so I just wondered if you guys had tested cleaned updated ME, from either main BIOS sources you’d been using

For the EC FW Flash, did you try with the 4x winflash tools that are NOT from the ISO, but from the exe instead? Extract n1euj42w.exe with Inno, then you have your toolset for windows, and the EC FW file .FL2
I ran two (32/64) last night while I mentioned all that, on Win10, and it ran fine, looked like it didn’t like my system not being for the package but it showed runtime feedback and said I needed to use Phoenix BIOS and gave a TDK error etc

@IanP50 - I can’t believe it would be hardware issue, unless something shorted out or was dropped/damaged somehow during your working.
Surely it’s BIOS or other FW related. Yes, can’t hurt to try EC FW Flash, if it was me I’d do it on 1.62, then if no change, go back to 1.52 and test the one from that package then too.

Are you sure all ribbon cables inside are installed perfectly? Go ahead and install the ME FW update linked at #101

Here is BIOS extracted package - https://ufile.io/y5v24bo0

Open CMD Prompt at this folder and run the command below. May need to be admin CMD prompt, if so, here is reg key, install, reboot and right click, open Admin CMD here anywhere in the folder

winflash32.exe /sd /ipf ec /file N1EET86W$0AN1E00.FL2

If it gives error, show me. We may have to run from USB (Mkusbkey.bat file is there). Command to use it, first format USB To FAT32, then from Admin CMD Prompt >> mkusbkey.bat X: << Change X to letter of target USB
Then remove .FL1 from the USB, so it can’t flash BIOS again, boot to Shell and run this command >> SHELLFLASH.EFI /sd /ipf ec /file N1EET86W$0AN1E00.FL2

@Lost_N_BIOS I made a cleaned ME in the beginning, I followed the guide, transfered all settings according to the book. Cleaned ME 8.1, v9.0/0.1 before, but not 11.x. We discussed that in the beginning- there was a warning regarding AMT being configured. Cleaned ME was in #41. Anyway- the machine powered off at once when IanP50 used this ME. Maybe that’s related to BootGuard?

Yep, these Windows tools for Phoenix did say same thing on my system.

(The Lenovo bios updates do have an extract option when starting the Windows exe)

@lfb6 - Thanks for info. Sorry, I don’t remember discussion about ME FW before, this is long thread and I help in too many threads to remember all each day V11 is same as V9, just follow guide and then all will be done correctly.
Sounds like maybe something was not done correctly if instant power off, no it would not be related to boot guard (it’s not covered). And even if ME FW corrupted or missing, usually still bootable just with failed ME FW, but, sometime can brick, so hard to know, maybe he inserted wrong?
For testing, if you want to test I will make cleaned/UPD ME FW, but I would like answers to my questions about ME FW first from IanP50 first (Asked at end of post #100), so I know if I should use someone else’s BIOS for ME FW base or his.

@Lost_N_BIOS You mean the questions about updated ME? At least bricked bios came with updated ME. And it’s not very likely that he inserted it wronlgy since it was the complete first 7 MB: FD, GbE, FD as one block.

Yes, those questions at end of post #100 - And yes, I know “Bricked” BIOS has updated ME FW, that’s the reason I started asking my questions
Users not familiar with BIOS editing can insert things wrong in many ways (hex, or body instead of as-is, as-is instead of body etc) If you feel he did the insert correctly, or have checked that file etc, then the ME FW was not updated properly is the only thing left to make that brick.

@Lost_N_BIOS - I believe the ME FW has been updated in the past, although It’s not something I ever went looking for. Lenovo periodically push bios/ME updates to the machine and ask if you want to install them. I generally say yes. This is what happened when I got bricked. I’m afraid I don’t recall if the ME FW was in the list of updates when this happened, but I’m pretty sure it’s been updated this way before.

I think lfb6 has covered your questions about the cleaning of the ME FW. I don’t think I’ve done anything wrong when I’ve combined GbE, ME, FD with bios region. I just open both in HxD, copy bios region, and paste insert the bios region at the end of the GbE, ME, FD. This gives a full 16MB file that I then flash to the eeprom.

I don’t see how the hardware could have got damaged either. I’ve never worked on anything while power was attached, so unlikely to be a short. Nothing was dropped, and I don’t think I damaged anything physically. Everything on the motherboard is fairly self contained, and there’s not really much to leave disconnected. There’s several ribbon cables, but only for things like keyboard, touchpad, fingerprint scanner & screen colour calibrator. There’s connectors for screen, camera, WiFi antennas, speakers and power button, but nothing else. All of the good stuff is part of the motherboard.

I’ve tried the ME FW update linked in #101. It all installed fine, but no change to the Nvidia GPU error.

Thanks,
Ian.

@IanP50 I’d propose tah you try to update the EC firmware like @Lost_N_BIOS said: Use the bios update 1.59, download the tool from Lenovos website, exceute it, but don’t choose ‘install’ but ‘expland’. please open an administrator command prompt in this directory. Execute all 4 Winflash??? commands with ‘-help’, should give you an output with the options. Might also be -? or /help or /?

When you found the correct command for the syntax- run all 4 commands again and redirect the output to a textfile, this way it’s easiest to attach. For example “Winflash64 -help > Winflash64.txt”, “Winflash64s -help > Winflash64s.txt”,…
Please attach these four files so that we can be sure about the syntax of these tools!

@Lost_N_Bios I tried to clean a ME yesterday, but there’s something that I didn’t understand. In IanP50s bricked bios there are some uncorrect settings in the FD:
Region access settings:
BIOS: 00Bh 00Ah ME: 00Dh 00Ch
GbE: 008h 008h EC: 020h 020h

FIT will not allow 020h for EC (read and write) and 008h isn’t a correct value for GbE Read Access. Do you think these values matter in this situation? Is the EC the FD refers to really the EC IanP50 is going to reflash?

The older ‘good’ bios had BIOS: 00Bh 00Ah ME: 00Dh 00Ch GbE: FFFh 008h EC: FFFh FFFh


I compared the ME settings (xml file) for the foreign ‘Good’ and the ‘bricked’ ME, there’s no difference.

I can attach a cleaned ME, but would really like you to check it.

ME_NEWERFIT.zip (3.5 MB)

@IanP50 - Thanks for the answer. Seems unusual that ANY OEM or Brand company would put out, or push update to, latest ME FW, that’s usually only something us end users do, so that’s why I asked.
99.9% of the time, most manufacturers are many versions behind on everything, so while they may push or include an updated ME FW in BIOS or update package, it’s very rare that it would actually be the "very latest"
So that’s what caught my eye and made me ask you (because if done wrong, this would be something we need to fix with someone else’s ME FW as base

Yes, if you just pasted in correctly, then that just means that was a bad ME FW UPD in that FD/ME/GbE partial you compiled.

See post #104, do that, and see if it helps or not.

@lfb6 - For the FD stuff you mentioned while working with FITc, let it set whatever it wants, then just unlock the FD once you are done, problem solved
EC read/write access in the FD only pertains to whatever the descriptor locks/allows to write to the EC. You can put it all back to OG once you are done, or do as suggested above, unlock it all.
Either way, the EC FW update tool/method will be allowed to write to EC FW

ME FW XML only shows settings for comparison, many things in the ME FW can be messed up other than settings, sometimes you can see those errors if BIOS dropped on ME Analyzer, sometimes you can notice a pause (often this can mean some issue too, while no error show)
You can also add these flags after you drop the file on there before you hit enter, to check for more errors >> -unp86 -bug86 << Then scroll up and look through all the output after it’s done with the scan.

Sometimes ME FW can be messed up, but no errors found in any checking methods too.
I’d say in this case, if/when he tested/used that other known good BIOS, and the same issue with graphics still happens, this probably has nothing to do with ME FW because I doubt that ME FW would also messed up in a similar way, if at all.
Probably EC FW issue here

He should update the EC FW, using the matching EC FW from whatever BIOS he is on. If on 1.59, use the tool and EC FW in that package, if on 1.62, use that package tools and EC FW etc.
I linked extracted package and outlined command to use on post #104

Sorry, I can’t really check ME FW, other than how I mentioned above, I am not a ME FW pro, that would be plutomaniac’s arena. Only thing I know about ME FW is how to update and clean ME following the guides, and check the files how I mentioned etc.
In cases where ME FW base source is questionable, I will often grab other known good dump from google, if I do not already have in model folder from some other user who I helped to mod or fix BIOS.

@lfb6 & @Lost_N_BIOS - Tried updating the EC FW, but get the following error:

SCT Flash Utility for Lenovo
for Windows V1.0.3.9
Copyright (c) 2011-2017 Phoenix Technologies Ltd.
Copyright (c) 2011-2017 Lenovo Group Limited.

SecureFlash BIOS detected.
Read BIOS image from file.

ERROR 081 - Failed to load BIOS image file!

Not sure where to go from here.

Thanks,
Ian.

@IanP50 Not sure what you did. Which commandline did you use? The set and commandline from #104?

As proposed, execute all the 4 winflash programs and try to let them release their commandline options, possibly switch ‘-help’. Found one manual which stated other switches/ no longer had the /ipf ec switch.

@lfb6 - I used this:

winflash64.exe /sd /ipf ec /file N1EET89W$0AN1E00.FL2

I’m currently running 1.62 bios, so used the later update files, so N1EET89W instead of N1EET86W.

I’ve attached the help outputs from all 4 winflash programs.

Thanks,
Ian.

Winflash32.txt (3.78 KB)

Winflash32s.txt (3.78 KB)

Winflash64.txt (3.78 KB)

Winflash64s.txt (3.78 KB)

@IanP50 Thanks a lot, all the same, and old-style, switches corresponding to the article. Anyway “ERROR 081 - Failed to load BIOS image file!” Seems that the program didn’t find the file? Or there is a configuration file somwhere that tells the programm to search for the main bios file?

Try all the programmers with the syntax. One might work. (It’s not understandable, but of 4 programs in a Samsung flash only one 32-bit version worked (in 64 bit Windows).

If that doesn’t help: Try to copy the file to the same directory, possibly the error will change to missing manifest or something like that?

Try to find the syntax/ switches of Winuptp, found one reference that stated it was only program which worked for EC?

And try to find the backup switch in addition, it might give as somthing to compare with the original file, maybe… (bak [filename] Backup BIOS ROM before flash)