Lenovo t460p BIOS downgrade r07uj12ww

I want to downgrade bios.

However, I can not get down to the desired version r07uj12ww because of security version restriction.

Target is lenovo t460p.

So I want to change to SPI Programmer, but I can not get SPI Full image of r07uj12ww.

Ho can i create an SPI image from an FL1 file or tell me how to extract uncapulated bios?


Using SPI to downgrade bios, but i don’t have target version spi image…

help me plz!!!

here is linke to download https://download.lenovo.com/pccbbs/mobiles/r07uj12ww.exe

@jhong - Give me link to the exe of the version you want to use. Be sure you make a backup image using your programmer first, make sure it verifies after reading, and then make sure it opens in BIOS tools so you know it’s a valid dump, and check via hex to be sure it’s not all FF or 00

oh Thank you!!!

here is linke to download https://download.lenovo.com/pccbbs/mobiles/r07uj12ww.exe

"make sure it verifies after reading, and then make sure it opens in BIOS tools so you know it’s a valid dump, and check via hex to be sure it’s not all FF or 00"

I verify SPI Dump image.

I have been little analysis Dumped Image Using UEFITool.

It is recognize Intel Image of Descriptor, ME, BIOS etc region

And, I have a question.

From Target FL1, I extracted BIOS Image that not decompressed (I guess)

Maybe I replace the extracted BIOS Image on the Dumped Image, Will it work right?

@jhong - What is the problem here, and what is your goal, then I can best advise you on how to move forward? If you are only wanting to downgrade BIOS itself, then BIOS region is all you need to replace.
You can do that by extract BIOS region in UEFITool in one BIOS, then replace in the other, then program with programmer. But you may loose system specific details that way, serial, UUID, possibly LAN MAC ID depending on where it’s stored.

FL1 is an encapsulated file, and this is unusual BIOS structure so I can’t advise you until I see your BIOS dump made with programmer, please upload your dump then I can give you best advice (or make file for you etc)

First, My goal is DCI(Direct Connect Interface) enable,

To get the goal, Maybe I think exist many mehtods…

Here’s what I’ve done:

Referring to the https://gist.github.com/eiselekd/d235b52…c6b3912731ab9b2, LF1 from r07uj17ww.exe have not “DCI enable (HDCIEN)” value if exist in 2.13 version (https://download.lenovo.com/pccbbs/mobiles/r07uj12ww.exe)

Now, State, I try to change bios for downgrade.

Sorry, you lost me there . What is your BIOS version now? Which BIOS has what you want in it?
In the exe you sent me on post #3, FL1 BIOS I find the following, disabled by default, we can enable that to default if you cannot see this option in BIOS.

One Of: DCI enable (HDCIEN), VarStoreInfo (VarOffset/VarName): 0x8, VarStore: 0x5, QuestionId: 0x2D8, Size: 1, Min: 0x0, Max 0x1, Step: 0x0 {05 91 8C 04 8D 04 D8 02 05 00 08 00 10 10 00 01 00}
One Of Option: Disabled, Value (8 bit): 0x0 (default) {09 07 04 00 30 00 00}
One Of Option: Enabled, Value (8 bit): 0x1 {09 07 03 00 00 00 01}

Now my bios version is 2.20 (https://download.lenovo.com/pccbbs/mobiles/r07uj17ww.exe)

r07uj12ww is my goal of downgrade!!!

(Now)------------>(I want)
(Not exist DCI) ---->(Exist DCI)
r07uj17ww --------> r07uj12ww (downgrade)

But, do you need downgrade BIOS, or only need DCI Enabled? If you only need that enabled, and it’s hidden form you in BIOS (Not visible), I can enable it for you if it’s there, even if still hidden I can change default value to enabled.
Never mind, I checked 2.20, setting is removed! Please send me dump from programmer of current BIOS, I will make you new BIOS with 2.13 and keep your system details in place, then you reprogram.

Please first, run MEInfoWin and show me bottom of report. Check BIOS on main page for ME FW Version, if you do not find download HWINFO64 and in large window on left in motherboard section find ME firmware version
then download from this thread in section C, ME System Tools Package of matching FW version. Inside you will find MEInfo folder, run from command prompt at that folder location (hold shift, press right click, choose open command window here)
MEInfoWin.exe and show me bottom of report (We’re looking to see if Measured and Verified Boot are enabled on the left FPF side)
Intel Management Engine: Drivers, Firmware & System Tools

if i can enable dci, i dont need downgrade

The current spi is separate.

It is possible that there is a person who is attached to work.

Maybe I can confirm the above contents tomorrow.

here is download link


Sorry if I was not clear, in BIOS 2.20 there is no DCI enable (HDCIEN) setting So we can’t change to enable anyway, setting is removed.

You need to confirm ME stuff I asked about before I send you mod BIOS, otherwise it can brick your machine if Boot Guard is enabled, this is what we’re checking for. If this is enabled, we can’t modify BIOS to change setting.
I know you have programmer so it’s OK, but still want to check before changing anything

Before, when you used BIOS 2.13 did you have this setting visible? Or it’s always hidden and now you need downgrade to 2.13 again + hidden setting changed from disabled to enabled?

Maybe i remember Bootguard is disable

Emm… i guess this image

it have DCI enable menu

??? 2.jpg

Disable may be what you set/see in the BIOS, but we need to see what’s burned into the chipset, if enabled there then it’s enabled no matter what.
Thanks for image, looks like you did have it visible. So you need swap BIOS regions and keep system specific details, I will do for you if I can (I did quick check, and system details are not easily found or legible like other BIOS, so may not be able to save those). LAN MAC ID I can save, it’s outside BIOS region in GbE

Why can’t you backflash instead? I see this method, use 2.13 BIOS and this method

Or better, use this method with WinPhlash - trying to help you keep system details is my main goal with all these other solutions

These are the methods that have already been tried. However, rollback is not supported under the secure version. : ( thank you

You tried Raymond.cc blog? Why did that not work? It’s never “Supported”, you have to make it happen

The final result of the software approach was the following image.

And if there is a lot of difference in the version, I could not try it.


@jhong - What is that image of, using Raymond.cc method? If you do not care about serial, UUID etc I can swap BIOS regions for you.

Or give me your serial off bottom of case, and then also the output of these two commands in command prompt, maybe then I can find in BIOS and edit into the swapped BIOS region.
wmic csproduct get uuid
wmic baseboard get serialnumber

Really Thanks

Imag file following Blog is LF1 of bios version 2.13

I just put a SPI to target haha;;

then, Command result is here

wmic csproduct get uuid

wmic baseboard get serialnumber

And I have a Question…

How you make a custom bios…?

I am really wonder method

Do you recommend reference or blog?

@jhong - thanks for board detail info, will work on this for you shortly. Do you get error using 2.20 and Raymond.cc method?
Method is very involved, I do not know of any guides or blogs. I use hex editor and UEFITool. I found your serial in ME region, and within second VSS2 region (NVRAM)
Volumes must be cut/removed from the stock image, then any edits made like below, then cut/edit region replaced into dump to swap region (or individual volumes will need swapped out after).
So even without putting back in board details etc, it’s not a direct swap from FL1 file to dumped BIOS region.

This info along with serial @ ME region


3230465743544F315757 = 20FWCTO1WW Also @ 239000 block

53444B304A34303730392057494E = SDK0J40709 WIN

4C31484636385930304430 = L1HF68Y00D0

UUID, scrambled @ 239000 block
4C748EE33A20B211A85CE7074E26809C / 4C748EE33A20-B211-A85C-E7074E26809C

Also @2387D0 - 4C748EE33A20B211A85CE7074E26809C

For your LAN MAC ID, this will be safe always with BIOS region swap, it’s outside BIOS region, but copy is stored in VSS2/NVRAM, however this probably gets written in after startup even from stock blank VSS2/NVRAM module
From GbE in main dump LAN MAC ID

^^ Also found at VSS2 inside BIOS region @3738h - unicode
Additionally UUID inside VSS2 @37C5h - 4C748EE33A20B211A85CE7074E26809C

Will work on swap tonight for you

* Edit - @jhong - Here is mod BIOS, hopefully should be working! It took MANY Edits to get that swapped around proper, and even a single edit gives error in UEFITool NE parser “BG Protected Ranges Hash mistmatch - image may refuse to boot”
I see that often in edited BIOS, usually OK, but like I mentioned if Boot Guard is active and burned in on the FPF side to chipset then this or any edit will fail due to active bootguard. Remember I asked you to check, but you never provided MEInfoWin image output.

Now!! I am searching MEInfoWin.exe File

but I can’d find it and download ㅠㅠ