"ME FW Image Re-Flash" and "Disable ME" bios options

I found two hidden options "ME FW Image Re-Flash" and "Disable ME" in my Dell Venue 7130 bios. If I enable "ME FW Image Re-Flash" in linux via the efivars sysfs, does this overrule the flash descriptor access control and can I read/write the ME region with fpt? Would you recommend to disable the ME as well?

As the option says, “Re-Flash” allows you to rewrite the ME region of the SPI chip by unlocking the FD. The latter might make the platform unstable so I advise against using it. Both are used for firmware servicing.

Thanks for your advise. I found similar options in the bios of my Lenovo ThinkPad 8 tablet. This is a BayTrail device with a TXE instead of a ME. My tablet has a 32-bit bios and I want to flash a 64-bit bios. Is the TXE region of a 32-bit bios identical to that of a 64-bit bios?


Yes, should be.

Nice find! If that works, there is no need for disassembly to unlock the FD anymore.

How did you manage to edit those from Linux? The Setup var is hidden in Linux for me on kernel 4.13, so I still sticking to the patched grub for now.


Actually, I have tried it only with my Lenovo Thinkpad 8 tablet and Ubuntu 15.04 (which I modified so that I can boot it on any device no matter whether it has a IA32 or X64 bios). The Setup var isn’t hidden in the Lenovo. I didn’t try it yet with my Dell tablet, but indeed with my Dell E7440 laptop the Setup var is hidden. Luckily the patched grub works on the Dell and I will try later on to unlock the FD this way.

Here is some pretty cool news for DELL Venue 7130 and Dell E7440 laptop users and very likely it will work with many other Dell models. It is possible to unlock the Flash Descriptor by disabling the ME and setting ME firmware reflash. Both are hidden bios options at offset 0x2d4 and 0x2bc respectively of the Setup EFI NVAR.
Just set both of them to 0x01 using the attached bootx64.efi and reboot into windows. You can then dump and flash the entire SPI. There is also a BIOS overwrite protection EFI NVAR at offset 0x75 which should be set to 0x00.

Detailed instructions:
- format a USB pen drive with FAT32 and create the subfolders \EFI\BOOT, copy bootx64.efi to \EFI\BOOT
- connect a usb hub to your tablet (no need for that with Dell laptops) and plug the pen drive and a keyboard to the hub
- reboot and press F12 to enter the extended Dell boot menu
- select the pen drive uefi device
- at the grub> prompt enter these four commands:
setup_var 0x2bc 0x01
setup_var 0x2d4 0x01
setup_var 0x75 0x00
reboot

- boot into windows and do your thing with ftpw :slight_smile:

Note: after fixing any bios issues, it makes sense to boot again into grub and switch on the ME again and disable the ME firmware reflash:
setup_var 0x2d4 0x00
setup_var 0x2bc 0x00

bootx64.rar (654 KB)

That’s great! So I guess it works like a pinstrap override - FD is still locked but you have full access. Good to know for the future :slight_smile:


Nearly full access, the only part that cannot be overwritten is the flash descriptor :slight_smile: The full spi can be dumped, but to flash you must flash the individual regions (bios, me, gbe). That sounds like a limitation but actually it isn’t.

I had to update my instructions in the post above. Actually, two hidden options, “ME FW Image Re-Flash” and “Disable ME”, must be set to 0x01 at the same time. I did only notice that after retesting the method on my laptop. During first tests I found the “ME FW Image Re-Flash” NVAR wasn’t sticky as it always changed back to 0x00 after reboot. I then thought that option can be ignored. Later I noticed it is sticky if “Disable ME” is set to 0x01 in the same grub session and that both must be enabled to unlock the ME region.

A typical fpt dump session in Windows then looks like this:
fptw64 -d spi.bin
fptw64 -d fd.bin -desc
fptw64 -d bios.bin -bios
fptw64 -d me.bin -me
fptw64 -d gbe.bin -gbe

And a typical flash session of all 3 main regions:
fptw64 -f bios.bin -bios
fptw64 -f me.bin -me
fptw64 -f gbe.bin -gbe

The entire spi and all parts can be dumped and all parts can be flashed except the flash descriptor (fd)

@jockyw2001

Will this method work on other motherboards besides Dell or is this a Dell specific hack?

I found the same thing in other firmwares

I am also same situation, Acer vn7-592g laptop.
Bios Fd unlocked, but Me region can’t do anything.
Difficult to dis-assemble. For pin-mod.
I already see in my bios ME FW image re-flash, and Me status (enable , disable) options ,
Can i do this method for FD region unlock ?
I try to clean Me region. so, I need Me-region.bin.
Pls help
@Lost_N_BIOS
@plutomaniac

@sahafdeen - if your FD is unlocked, then dump it and send to me, I will edit it to actually unlock it so you can read/write ME region with FPT
FPTw.exe -desc -d fd.bin

^^ That will dump your FD so we can edit, if you cannot write back via following command, then FD is not unlocked >> FPTw.exe -desc -f fd.bin
If you can’t write FD using above command, then it’s not unlocked and you’d have to use pinmod or programmer to unlock FD so you can edit it to actually have fully unlocked FD

If your ME FW is currently corrupted (see 0.0.0.0 or N/A for ME version, or it doesn’t show up), then your only option to fix is via FPT, which requires the above (pinmod, or programmer, or already unlocked FD)

I upload Dumb FPTw.exe -desc -d fd.bin FD.bin + Bios Reg.bin
I get FPT operation successful.But 4 KB only.
After edit send back, i write and check FD unlocked status.

******
Pls Edit, My bios Reg file Too, and send back. I write…


bios reg_Edit.jpg




My ME FW already updated latest version, My FItc version very old. so, you Recommend clean Me Region.
I worry about Fit version(old)

ME info.jpg



Thank you!

@sahafdeen - “FITc” version is simply the software version used to build that BIOS image or ME FW image, this has nothing to do with your actual ME FW
If you’ve already updated to latest ME FW, nothing to do here, all is done, your ME is clean (you have no ME FW related issues, correct?)
How did you update ME FW?

YOu can check FD unlocked status right now, at least for the FD region >> FPTw.exe -desc -f fd.bin << Using the fd.bin file you created, if error FD is locked, at least for write to FD region

Yes, FD.bin should be 4KB only. This is your region’s status per FD current permissions, so you can ONLY read/Write with FPT to BIOS region and GbE region, you cannot write FD or ME with FPT (So above FD write will fail with error)
BIOS access table:
-------Read Write
Desc —Yes No
BIOS —Yes Yes
ME -----No No
GbE —Yes Yes
PDR —No No
EC ----No No

FPTw.exe -desc -f fd.bin : FD write will fail with error 411 , Host can’t access Region.

I have no ME Related issues now, before have auto shut down_sleep. after i update ME to latest No issues.
Acer given ME only updates for many models. so, I download from official website,Extract and check with ME Analyzer, and re-pack latest ME Firmware image. Finally flash with official method.I get success !
Every firmware update, I follow this method.

I already post our Forum : ME update post

Can you Explain. official update>>>>Unlock FD and update firmware >>> lock again . its correct ?

@sahafdeen - Odd error #, but yes, I expected error since FD is locked from write.

Re-pack latest ME FW? Were stock and what you put in the RGN (region stock) and the package updates ME FW with ME FW update tool (FWUpdLcl.exe/FWUpdLcl64.exe)? If yes, OK
*Edit - I checked your post you linked, good, this is what you did

No, FD permissions in regards to ME region only apply to using Intel FPT program to flash ME region, so when using ME FW update tool instead of FPT, this does not matter
ME FW update tool does not matter what FD permission/restrictions are, you can use ME FW Update tool anytime as long as your ME FW is not corrupted (shows as 0.0.0.0 or N/A)