Un-hiding PCI Subsystem Menu in ASRock J3355M BIOS

Hello -

I have an ASRock J3355M board which has Aptio V BIOS. My objective is to enable "Above 4G Decoding" under the "PCI Subsystem" menu in BIOS.

Problem: PCI Subsystem menu is not visible, so I cannot access this feature.

I am a complete novice at BIOS modding, but here is what I have done so far.

In AMIBCP 5.02, I have found the "PCI Subsystem" menu exists, but is not referenced from the "Setup" menu (so is not accessible in Setup).

I was able to use MMTool to dump out the "Setup" and "PciDynamicSetup" UEFI files, and use IFR Extractor Tool on them.

- By reading IFR Extractor output for PciDynamicSetup, I can see desired "Above 4G Decoding" menu option.
- By reading IFR Extractor output for Setup, I can see that it corresponds to what I can see in Setup menu (and as expected no link to PCI Subsystem menu).

Somehow I need to link the PciDynamicSetup form into the Setup menu form… but I am not quite sure how to do it. I think it would naturally go in "Advanced" section, but am not particular about where it shows up as long as I can access it.

One guide I read suggested hex editing AMITSE UEFI file to add it in place of a null entry for the top-level menu. But I cannot locate AMITSE in my BIOS. So that will not work. Additionally my setup uses some GUI so not sure how it would render (perhaps this is why I cannot locate AMITSE?).

I am wondering if there is another place to create the link (or perhaps I could modify Setup menu somehow to point to this hidden PCI subsystem menu).

Attaching some screenshots of AMIBCP, IFR text dumps, and original unmodded BIOS in hopes that someone can help.

AMIBCP1.PNG

AMIBCP-Advanced.PNG

AMIBCP-setup.PNG

pciDynamicSetup IFR.txt (5.28 KB)

setup IFR.txt (18.2 KB)

J3355M(1.90)ROM.zip (4.78 MB)

An update, I managed to locate AMITSE after all - it did not show a filename, but was able to locate it by GUID B1DA0ADF-…

So now I have made following edits via hex editor:

- Edited AMITSE to point to more complete "Advanced" menu
- Edited Setup to replace NVMe Configuration with a pointer to hidden PCI Subsystem menu I wanted to expose.
- Re-imported the modified PE32 images into my BIOS w/ MMTool

So I put resulting mod bios image onto a flash drive and tried doing the update w/ ASRock Instant Flash tool in the UEFI menu. Unfortunately, I got the "Secure Flash Check Failed" message.

I read in one of the other guides that there is an additional mod required to bypass this check, and that perhaps the UBU tool would take care of it by loading the modded image and writing it back out again. But for me that does not seem to make the required modification. If there is any further detail on how to bypass the security check I would be grateful!

Thanks,
Ben

Some updates:

Tried this sequence:
- Dump BIOS w/ flashrom
- Open with MMTool and replace Setup and AMITSE binaries w/ my hex-edited versions
- Write BIOS w/ flashrom

I had to add argument --ifd -i bios --noverify-all for both read and write (per instruction on flashrom.org/ME) to dump and flash only the BIOS region, as some portion of the flash was read protected. Perhaps something about that modification made it not work.

This bricked my mobo (no boot).

I was able to restore the bios region from my BACKUP.ROM using a bus blaster and programming externally (boots again). Also dumped the entire flash while I was at it via the cable.

Will keep twiddling on this time permitting. Not sure why modifications to setup/AMITSE caused system to not boot.

After more study, decided there were many potential flaws in my approach.

I had been using MMTool due to some problem with UEFITool not being able to parse the image. But realized I was not being careful ensuring that MMTool updates any necessary FFS checksums, etc, and also not even 100% certain image replacement (from edited, uncompressed efi file) was occurring correctly. Decided I really would have a better shot w/ UEFI tool as this seems to be very tried and true and there is a good ability to check that the final modded rom is sane (parses correctly, checksums check, etc).

Discovered this discussion between CodeRush and plutomaniac regarding parsing problems on Apollo Lake BIOSes and discovered I had exactly the same problem described (post #191 onward, here: ME Analyzer: Intel Engine Firmware Analysis Tool Discussion (13)).

Edited my full dump of the BIOS (that I had made w/ external programmer) as follows in HxD:

- Updated FvLength and Block Count for the volume located at 0x384000 to be size 0x37A000 instead of 0x417000.
- Updated length of OBB partition (0x384000) in partition table located at 0x381000 from 0x417000 → 0x37A000. <— not sure this step was strictly necessary to get UEFI parsing, did not seem to be needed in the linked thread.

At this point, UEFI tool was able to parse.

- Finally, fixed the checksum of the volume using the expected value supplied by UEFITool.

Now UEFI tool can parse, and shows checksum is correct.

Now I was able to dump out the Body of AMITSE and Setup files, hex edit them as follows:
- Update AMITSE to use full-capability Advanced menu instead of limited one (change form ID from 0x271E → 0x2712)
- Update Advanced menu (form 0x2712) in Setup to replace NVMe Configuration menu entry with a new “PCI Express” (found string at 0x0852) menu entry pointing to Form ID 0x06 in pciDynamicSetup file (changed GUID to point to pciDynamicSetup instead of nvmeDynamicSetup)

Now used UEFI tool to replace body of AMITSE and Setup w/ my edited efi files and save out the new resulting ROM image.

Also used UEFI Bios Editor (link: http://iorlvskyo.blogspot.com/2016/06/uefi-bios-editor.html) to parse the updated menu IFR to make sure my hex edit was done correctly (nice tool).

Also was able to get UBU toolkit to parse the image and remove “Instant Flash” protection (and confirmed file was actually modified).

Have not tried flashing yet, but will make an attempt this evening (either with flashrom or Instant Flash method). Methodology feels much better this time around so I am hopeful this will work better than last time.

Will try
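
As an added example (not part of the original posts or of any tool named in the thread): a check of the firmware volume header fields edited above, namely FvLength, the block map and the 16-bit header checksum, using the standard EFI_FIRMWARE_VOLUME_HEADER layout from the UEFI PI specification. The sample volume, its 0x1000 block size and all function names are constructed for illustration.

```python
import struct

# EFI_FIRMWARE_VOLUME_HEADER fixed part (UEFI PI spec): ZeroVector, FileSystemGuid,
# FvLength, Signature, Attributes, HeaderLength, Checksum, ExtHeaderOffset, Reserved, Revision
FVH = struct.Struct("<16s16sQ4sIHHHBB")
CHECKSUM_OFF = 50  # byte offset of the Checksum field inside the header

def sum16(data):
    """Wrapping 16-bit sum of little-endian words (zero for a valid header)."""
    return sum(struct.unpack("<%dH" % (len(data) // 2), data)) & 0xFFFF

def expected_checksum(header):
    """Checksum value that makes the header's 16-bit word sum come out to zero."""
    hdr = bytearray(header)
    hdr[CHECKSUM_OFF:CHECKSUM_OFF + 2] = b"\0\0"
    return -sum16(hdr) & 0xFFFF

def check_fv(image, offset):
    """Return a list of problems with the volume header at offset (empty = sane)."""
    if offset + FVH.size + 8 > len(image):
        return ["header does not fit in image"]
    _, _, fv_len, sig, _, hdr_len, cksum, _, _, _ = FVH.unpack_from(image, offset)
    if sig != b"_FVH":
        return ["no _FVH signature"]
    if hdr_len < FVH.size + 8 or hdr_len % 8 or offset + hdr_len > len(image):
        return ["implausible HeaderLength 0x%X" % hdr_len]
    problems, total = [], 0
    for pos in range(offset + FVH.size, offset + hdr_len, 8):
        num, size = struct.unpack_from("<II", image, pos)
        if (num, size) == (0, 0):      # block map terminator
            break
        total += num * size
    else:
        problems.append("block map has no {0,0} terminator")
    if total != fv_len:
        problems.append("FvLength 0x%X != block map total 0x%X" % (fv_len, total))
    if offset + fv_len > len(image):
        problems.append("volume runs past end of image")
    header = image[offset:offset + hdr_len]
    if sum16(header) != 0:
        problems.append("checksum 0x%04X, expected 0x%04X" % (cksum, expected_checksum(header)))
    return problems

def build_sample(fv_len, num_blocks, block_size=0x1000):
    """Constructed test volume: 0x48-byte header, one block-map entry, zeroed body."""
    hdr = bytearray(FVH.pack(bytes(16), bytes(16), fv_len, b"_FVH", 0, 0x48, 0, 0, 0, 2))
    hdr += struct.pack("<IIII", num_blocks, block_size, 0, 0)
    struct.pack_into("<H", hdr, CHECKSUM_OFF, expected_checksum(hdr))
    return hdr + bytearray(fv_len - len(hdr))
```

Running `check_fv` at the volume offset (0x384000 in this thread) on both the edited file and the dump read back from the chip shows whether the length, block count and checksum edits agree with each other and survived the write.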

No joy this evening.

After flashing BIOS region with flashrom, no boot (just a blank screen).

Instant Update rejected the BIOS (security check failed).

At least I am getting very proficient at restoring the busted BIOS via flashrom + bus blaster.

Could definitely use some suggestions on why the above mods are causing system to not boot… wondering if some checksum or security measure getting triggered somehow that I am not aware of.

Tried flashing the image with no changes except fixing the volume sizes and updating checksum. Also doesn’t boot. :-/

Confirmed the working and non-working images only differ by the few changed bytes and doing all flashing externally at this point…

Any suggestions for validating my images or how I am causing non-boot would be most welcome…



and if you check that setting in AMIBCP you’ll see it has no enable/disable option. I have that same PCI Subsystem in a Dell laptop menu, but it is not showing anything. I also have another USB-related setting that has no enable/disable option in AMIBCP, and that feature seems broken, as changing it in BIOS does not change any bit in NVRAM.
Flash your mod via external programmer and dump back to compare checksums, so you can be sure everything is written in place.

I am thinking this may be the issue (very similar board to mine): new ASRock Aptio 5 bios on J4205-ITX

Will try to verify using some of the tools mentioned.

also looking to enable “Above 4G Decoding” on a lenovo 1151 board, my menu looks identical as op in AMIBCP but this system doesn’t use a GUI bios setup… is it easier to enable?