Thinkpad T14 Gen 4: attempting to disable ME 16.1.27.2192 CONS LP

The parts different from what you intend to flash are
0x5000 ME Boot1 BPDT partition table header = 0x2C6000
0x21A000 ME Data FPT partition table header
0x21B000 ME Data Padding 3
0x299000 ME Data FITC
0x2A1000 ME Data CDMD
0x2C6000 ME Boot2 BPDT partition table header = 0x5000
0x4DB000 ME Boot3 BPDT partition table header
0x3EEFF00 to 0x3EEFFFF bios region cryptic

The pad between ME region and bios region is
EC x 2
Stock bios region

The 16MB file
0xF00 last 0x100 sig of FD
0x1000 to 385D5F ME FWUpdate 0x1000 to 385D5F
E00000 TPMD…NTC 2 lines
E01000 - E3B88D compressed/encrypted fw backup possibly
F00000 TPMD…IFX 2 lines
F01000 - FE0CE7 compressed/encrypted fw backup possibly

The parts of the 64MB chip that are re-written are stuff that’s neither in your original dump nor in the modified file, nor uncompressed/unencrypted in the 16 MB file; most probably it is encrypted and/or compressed in the 16 MB file.

It’s unclear to me why the mentioned address ranges in the 64MByte chip can’t be rewritten now. Later chips have the ability to protect certain address ranges; I never investigated that any further, and it will be difficult from a distance.

The compressed/encrypted ranges in the 16 MB file each have a header where the first letters are TPM*; one could take that as a hint. They’re also referenced in the (at least for UEFIToolNE) unstructured padding of the second VSS2 store.

I can’t help you any further here (and I don’t think there’s a way out of this for now).
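
The kind of comparison behind the list of differing offsets above, as an added example that is not part of the original post: it diffs two equally sized flash images block by block and scans for block-aligned headers starting with `TPM`. The function names, the 4 KiB granularity and the 64 KiB sample images are assumptions constructed for illustration.

```python
"""Added example: block-level diff of two flash images plus a magic scan."""

BLOCK = 0x1000  # assumed granularity: the offsets in the post are 4 KiB aligned


def diff_ranges(a: bytes, b: bytes, block: int = BLOCK):
    """Return [(start, end_exclusive)] of block-aligned ranges where a and b differ."""
    if len(a) != len(b):
        raise ValueError("images must have the same size")
    ranges = []
    for off in range(0, len(a), block):
        if a[off:off + block] == b[off:off + block]:
            continue
        end = min(off + block, len(a))
        if ranges and ranges[-1][1] == off:
            ranges[-1] = (ranges[-1][0], end)  # extend the previous run
        else:
            ranges.append((off, end))
    return ranges


def find_magic(data: bytes, magic: bytes = b"TPM", block: int = BLOCK):
    """Return offsets of block-aligned headers that start with `magic`."""
    return [off for off in range(0, len(data), block)
            if data[off:off + len(magic)] == magic]


def build_sample():
    """Constructed 64 KiB stand-ins for a chip dump and the file to be flashed."""
    want = bytearray(b"\xff" * 0x10000)
    want[0xE000:0xE004] = b"TPMD"           # constructed header, mimics the TPM* blocks
    have = bytearray(want)
    have[0x5000:0x5010] = b"\x00" * 16      # one differing block
    have[0x9000:0xB000] = b"\xaa" * 0x2000  # two adjacent differing blocks
    return bytes(have), bytes(want)


if __name__ == "__main__":
    have, want = build_sample()
    for start, end in diff_ranges(have, want):
        print(f"differs: 0x{start:X} to 0x{end - 1:X}")
    for off in find_magic(want):
        print(f"TPM* header at 0x{off:X}")
```

Run against a read-back of the chip and the file that was meant to be written, the first function shows which ranges did not take the write; the second lists candidate `TPM*` blocks to compare against those ranges.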