Read the datasheets; these chips also come in an SOP16 package, so it's naive to link this to the package form.
Otherwise read the datasheet regarding ‘Software Protection Mode’:
- The Block Protect (BP4, BP3, BP2, BP1, and BP0) bits define the section of the memory array that can be read but cannot be changed.
- Individual Block Protection bit provides the protection selection of each individual block.
- Hardware Protection Mode: WP# goes low to protect the BP0~BP4 bits and SRP0 bit.
- Deep Power-Down Mode:
In Deep Power-Down Mode, all commands are ignored except the Release from Deep Power-Down Mode command and reset command (66H+99H).
=> You have the chips, try to find out if you can read these registers and if they were used to protect the mentioned areas.
You still think that a modded firmware would work if just properly flashed. But this is still a firmware that has been messed with, and the anti-tampering measures would step in. In addition, you wouldn’t be allowed to flash anything by proper means if you don’t happen to have Lenovo’s / Intel’s private keys for signing and the knowledge to prepare your update properly. This is, afaik, not possible to circumvent.
The only possibility I could think of for changing the HAP bit would be to directly change this single bit in the FD, if Flash Descriptor Verification is set to disabled. But the vendor might have enabled additional checks that I’m not aware of to ensure an untampered FD, or the ME firmware parts needed for the next verification steps get disabled by HAP and the machine won’t boot because of a stop in the verification / measurement process. You’ll need some more T14s to find out.
=> Read about measured boot / measured boot to TPM / verified boot / Bootguard.
=> Every time before modding a newer machine, run a MEInfo / MEInfo -verbose and check what it says about “CSME Measured Boot to TPM”, “Verified Boot”, “Measured Boot” and Flash Descriptor Verification.
The only possibility to revive this board would be to desolder the 64MB chip, examine if it really has protected blocks and either reprogram it with the first dump or replace it with a properly programmed new chip. But even then there’s the possibility that a kind of “unrecoverable firmware” switch is already set in the TPM / security chip / EC controller.
But I’m out of this at this point. Good luck.
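
Added example, not part of the original post: a small Python helper for the check suggested above, decoding a status register byte and listing the blocks where a write was silently ignored by comparing the first dump, the image that was written, and the read-back. The bit positions (WIP, WEL, BP0..BP4 in bits 2..6, SRP0 in bit 7), the 64 KiB block size and the rule that the register is locked when SRP0 is set and WP# is low are assumptions to confirm in the chip's datasheet; all function names and sample bytes are constructed.

```python
# Assumed status register layout (confirm in the datasheet of your chip):
# bit0 WIP, bit1 WEL, bits 2..6 BP0..BP4, bit7 SRP0.
BLOCK = 64 * 1024  # assumed protection granularity


def decode_sr1(sr):
    """Split a status register byte into the fields named in the post."""
    return {
        "WIP": bool(sr & 0x01),
        "WEL": bool(sr & 0x02),
        "BP": (sr >> 2) & 0x1F,  # BP4..BP0 as a 5-bit value
        "SRP0": bool(sr & 0x80),
    }


def sr_hw_locked(sr, wp_low):
    """Assumed rule: BP bits and SRP0 are frozen when SRP0=1 and WP# is low."""
    return bool(sr & 0x80) and wp_low


def ignored_blocks(before, wanted, readback, block=BLOCK):
    """Blocks where the write asked for a change but the old content survived."""
    if not (len(before) == len(wanted) == len(readback)):
        raise ValueError("all three images must have the same size")
    hits = []
    for off in range(0, len(before), block):
        b, w, r = (img[off:off + block] for img in (before, wanted, readback))
        if w != b and r == b:
            hits.append(off // block)
    return hits


def report(sr, wp_low, before, wanted, readback, block=BLOCK):
    """Combine both checks; which range a BP value covers is chip specific."""
    f = decode_sr1(sr)
    blocks = ignored_blocks(before, wanted, readback, block)
    return {"BP": f["BP"], "SRP0": f["SRP0"],
            "sr_locked": sr_hw_locked(sr, wp_low),
            "ignored_blocks": blocks,
            "protection_likely": f["BP"] != 0 and bool(blocks)}


if __name__ == "__main__":
    # Constructed sample: four 16-byte "blocks", the last two refuse the write.
    old = b"\xAA" * 64
    new = b"\x55" * 64
    got = b"\x55" * 32 + b"\xAA" * 32
    print(report(0x8C, True, old, new, got, block=16))
```

A non-zero BP value together with ignored blocks points at software protection; blocks that changed but match neither image indicate a failed write rather than protection and are not listed here.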