[REQUEST] Enable undervolting on Comet Lake's ThinkPad X13 Yoga with Boot Guard / i7-10510U

Dear Community,

I’ve got a brand new Lenovo ThinkPad X13 Yoga / i7-10510U. After a number of stress/performance tests with my other laptops, I’ve found it running on par with HP EliteBook x360 830 G6 / i5-8365U and a half of performance of Apple MacBook Pro 13 2020 / i5-1038NG7 – this is a weird result and potentially i7-10510U seemed to be a superior choice but practically I’m observing a severe thermal throttling. Was wondering to undervolt but this functionality was blocked by manufacturer because of plundervolt threats. So, my motivation is to enable undervolting on X13 Yoga to tweak processor settings.

MEInfo reports that my system is Boot Guard enabled. UEFITool reports that CFG Lock sits in the yellow segment (Boot Guard protected?). Attempts to setup_var in GRUB Shell fail with “unable to write data” error.

I’m looking for an advice whether any further steps can be taken to enable undervolting.

Thanks

meinfo.png

uefitool.png

bios_dump.png

bios_cpusettings.png

grub_shell.jpg

@Bloody_Nokia_Adept - Yes, due to Boot Guard you cannot edit BIOS menu, but you can change any setting hidden or visible via NVRAM Edit (with grub/setup_var or RU method)
The setup_var may be failing for you due to “Secure Boot” enabled in the BIOS, or UEFI mode etc. Disable Secure boot, and change to legacy mode if you can, then also remove any BIOS password, and disable TPM/Encryption

You cannot disable Boot Guard, and CFG lock only helps if you want to boot to MAC OSX (just in case you was not sure). The only way to disable Boot Guard is to replace the PCH with a clean one without key burned into fuse.

Here, if setup_var keeps failing you, try RU method (Adjust as needed, since what you change may not be in “Setup” varstore, which this guide is directed towards)
Go to section 2.2 and make bootable USB with RU program, then read 2.3-2.5
http://forum.notebookreview.com/threads/…-issues.812372/

From there, you can change any BIOS setting from the setup IFR


@Lost_N_BIOS thanks for the advice – looks like I’ve disabled 'em all, see attached screenshots of BIOS screens.


Yes, I’ve followed this procedure. Please see RU.efi screenshots attached. Nothing changed – upon Ctrl+W it silently do nothing, after reboot values stay unchanged.
I’ve even found a BIOS Lock var in the PchSetup store but doesn’t help either – I cannot reset it.

I was trying to find some RU guides and found quite interesting thing there https://docs.google.com/document/d/1gIs0…D-_Xe3dd8M/edit
It says:


Do you know whether this is valid for Comet Lake (since it is still kind of one from Sky Lake architecture)? Is there any further reading on it?

Looking forward for advices! So far, no progress and BIOS is still locked.

Thanks

bios_security_boot.jpg

bios_restart.jpg

ru.jpg

ru_cpusetup_cfg_lock.jpg

ru_cpusetup_overclocking_lock.jpg

bios_lock.png

ru_pchsetup_bios_lock.jpg

bios_security_chip.jpg

bios_security_device_guard.jpg

bios_security_intel_sgx.jpg

bios_security_memory_protection.jpg

bios_security_password.jpg

bios_security_uefi_bios_update.jpg

bios_security_virtualization.jpg

bios_startup_boot.jpg

@Bloody_Nokia_Adept - That comment about line 80-90 does not apply to all BIOS, see this thread, section B, spoiler two, image one or two.
Some BIOS it’s line 60 and either way not all needs FF’d for FD type #1 (line 60) or FD type #2 (line 80/90)
[Guide] Unlock Intel Flash Descriptor Read/Write Access Permissions for SPI Servicing

If you are not sure what type you have, dump FD with FPT (FPTw.exe -desc -d fd.bin) and compare to those images above, then edit as shown in those images with RU

BIOS will always remain locked here, not sure what you think you are going to accomplish by changing the BIOS lock setting, or anything in Flash descriptor either?
As I mentioned, due to boot guard, the only thing you can change in NVRAM variables, so ignore all the stuff you are looking at now, and change the settings you want to change instead

BIOS Lock you need to change may be the one in PCHSetup, it wont help you do anything here though, but for this model I’m not sure, you didn’t link me to your BIOS yet?
So I don’t know what varstore #5 is (please link me to BIOS download page), and the one I see on their site does not match the version info in your images at post #1
But BIOS Lock will not help you do anything, so as mentioned, ignore/forget about this and get going on your actual desired BIOS setting changes.
Sorry, I cannot view all those images like that, I am on limited internet. If there is something there you want me to see or check, put in a zip.

You may end up having to get a flash programmer (CH341A) + SOIC8 test clip.
But, even then, you will not be able to edit anything in BIOS main DXE region (ie menu changes), due to Boot Guard, but you will then not have ANY issues editing NVRAM variables directly.

If this BIOS needs PowerManagement module modified, which most systems do to run MAC OSX, along with CFG Lock settings change, then you will not be able to use this system for MAC due to boot guard stopping you from modifying modules in the main DXE Volume.
The only way you’d be able to do that would be to replace the PCH with a clean one. I will check this for you, once you link me to the BIOS.

@Lost_N_BIOS appreciate your patience and the level of support you are providing! I will need some time to digest your response. Meanwhile, here is a link to BIOS download, take to Linux version as more straightforward to unpack https://pcsupport.lenovo.com/us/en/produ…nloads/DS544145

@Bloody_Nokia_Adept - Thanks, I will grab windows exe and unpack, not a problem
Now that I checked BIOS, yes, BIOS Lock setting (0x17) is in PCHSetup section of NVRAM (GUID - 4570B7F1-ADE8-4943-8DC3-406472842384)

This is a multi-model/system BIOS Image, and one one of the BIOS images main DXE section is not covered by boot guard. Lets confirm which applies to your system and if menu editing is covered by boot guard or not
Please dump BIOS region via FPT using info below, just do step #1 and send me this file >>

If you have already modified the BIOS in ANY way, you will need to re-flash it back to factory defaults using factory method (NOT FPT)!!!
Additionally, please remove all BIOS passwords, disable secure boot, and disable TPM or Encryption if you have enabled. Do this before moving on to below


If you do not have Intel ME drivers installed, install them now from your system driver download page, then start over here after reboot.
Check your BIOS’ main page and see if ME FW version is shown. If not then > DOWNLOAD HWINFO64 HERE <

Once HWINFO is open, look at the large window on the left side, expand motherboard, and find the ME area.
Inside that section is the ME Firmware version. Take note of the version. (ie. write it down or get a screenshot)

Once you have that, go to the thread linked below, and in the section “C.2” find and download the matching ME System Tools Package for your system.
(ie if ME FW version = 10.x get V10 package, if 9.0-9.1 get V9.1 package, if 9.5 or above get V9.5 package etc)
> DOWNLOAD " ME System Tools " packages HERE <

Once downloaded, inside you will find Flash Programming Tool folder, and then inside that a Windows or Win/Win32 folder (NOT x64).
Highlight that Win/Win32 folder, then hold shift and press right click. Choose “open command window here” (Not power shell! >> * See Registry file below *).

If you get an error, reply to this post with a screenshot of it, OR write down the EXACT command entered and the EXACT error given.

((If “open command window here” does not appear, look for the “Simple Registry Edit” below…))

Step #1

Now you should be at the command prompt.
You are going to BACKUP the factory un-modified firmware, so type the following command:
Command: " FPTw.exe -bios -d biosreg.bin "

>> Attach the saved "biosreg.bin ", placed into a compressed ZIP/RAR file, to your next post!!! <<

Step #2

Right after you do that, try to write back the BIOS Region dump and see if you get any error(s).
Command: " FPTw.exe -bios -f biosreg.bin "
^^ This step is important! Don’t forget! ^^

If you get an error, reply to this post with a screenshot of it, OR write down the EXACT command entered and the EXACT error given.

Here is a SIMPLE REGISTRY EDIT that adds “Open command window here as Administrator” to the right click menu, instead of Power Shell
Double-click downloaded file to install. Reboot after install may be required
> CLICK HERE TO DOWNLOAD CMD PROMPT REGISTRY ENTRY <

If the windows method above does NOT work for you…
Then you may have to copy all contents from the Flash Programming Tool \ DOS folder to the root of a Bootable USB disk and do the dump from DOS
( DOS command: " FPT.exe -bios -d biosreg.bin " )

@Lost_N_BIOS , please see a multi-part RAR archive attached. In there you’ll find: BIOS dump, console output from the BIOS dump and an Intel ME report by HWInfo64.

Thanks!

X13Yoga-biosreg.part1.rar (5.37 MB)

X13Yoga-biosreg.part2.rar (5.32 MB)

@Bloody_Nokia_Adept - Thanks, just needed the BIOS region only No help there, bummer! What a messy BIOS, WOW!
Both images are flashed into your system too, so that’s either how Lenovo does it, or someone programmed it in there wrong etc (either way, very odd!)
So, we can’t tell from that, only a brick test (edit menu on purpose, to see if boot guard bricks or not) would let you know for sure, but you need flash programmer for that.


As you may see in the attached TXT file, this is exactly the BIOS region as per command line parameters used and system prompts…


Yes, exactly.


Well, I’m not long for a brick test as of now :slight_smile:


This becomes way too hardcore… I was only about to play with UEFI settings and modify hidden ones – if this turns to be another “let’s play with copper and wires” I’d rather pass here…

@Bloody_Nokia_Adept - Yes, I know this is the BIOS region My comment stands as I wrote it, that was towards Lenovo making a mess there, not you doing anything wrong

You can change BIOS settings using RU, if you can disable Secure boot and boot legacy mode, which I assume you can already do since you’ve been using RU
Get in there and change BIOS settings, not the ones you tried above as those are not really BIOS settings anyone would need to change except for other then when trying to flash in a mod BIOS
CFG lock you should be able to change the setting for, this is a good example of something I know you wanted to change for MAC and should be able to change easily with RU
CFG Lock, VarStoreInfo (VarOffset/VarName): 0x3E, VarStore: 0x3 >> (VarStoreId: 0x3 [B08F97FF-E6E8-4193-A997-5E9E9B0ADB32])

Flash programmer is not playing with copper and wires, it’s a clip on thing with USB Dongle, don’t let it scare you, people use all the time to recover from bricked BIOS
But yes, that’s only something we could do, if and when you wanted, to confirm if Boot Guard would cause a brick on menu edit here or not (assume so, that is why programmer required if you wanted
But, this also applies to if you have to do CPU Power Management edit for MAC/OSX too, since one of those is in Boot Guard Covered PEI volume (and other is not)
I checked, this edit is needed for this system to run MAC OSX (MSR 0xE2 edit), x2 locations (due to dual BIOS images in there), but it’s located in SiInitFsp PEI (299D6F8B-2EC9-4E40-9EC6-DDAA7EBF5FD9) in this BIOS
81E10080000033C1 Needs changed to → 9090909090909090

So you can’t run attempt to run MAC here without flash programmer, and even then it may not be possible if the one module that requires the 0xE2 edit is the boot guard covered one

Hello Lost_N_BIOS.

Since my model is quite simmilar to this model, I made an attemp to check my BIOS too.

CFG lock offset was same, ME info was same too. I came here while searching how to run mac os on my thinkpad.

I don’t know I’ve understood right : I can’t disable CFG lock without SPI-programmer, right? I could only make a dump of my bios using intel flash programmer on windows cause I found out that my chip is winbond w25q256fv which is WSON package type - can’t connect to clip.

Hi @bomdurup , yes, I’ve got the same perception that the clip-on flasher needed. My further experiments went nowhere and I stopped this for a while bit… Going to write a petition on Lenovo forum to enable this feature for advanced users much like Dell did on their Precision workstations with an advanced option to disable Intel ME in the configurator – it was there on the 9th gen processor based systems but seems to gone away with latest 10th gen processors… bummer! https://www.dell.com/en-us/work/shop/wor…=configurations

@Lost_N_BIOS could you please kindly confirm?