Why is this BIOS update ROM larger than the flash chip?

A friend cut power to their Lenovo laptop in the middle of a BIOS update, thinking it was a “hacker” installing a virus Needless to say, the laptop is now bricked.

I’ve disassembled it and extracted the remnant BIOS with a buspirate, and I’ve also downloaded the latest BIOS update from Lenovo. After unpacking the update, however, the .ROM file is bigger than the laptop’s flash chip: the .ROM is 8,979KB while the flash chip is only 8,192KB (8MB). So the update ROM is 787KB larger…

I’ve thought maybe the Insyde flasher (H2OFFT-Wx64.exe) has to “interactively” extract pieces from the .ROM file and then flash those piece by piece, condensing or ignoring some parts of the ROM or padding, rather than just a simple straight flashing of an entire 8192 KB ROM file all at once. But just a guess.

Anyone have any ideas on what I should do here?

I’ve attached the laptop’s extracted damaged BIOS + the extracted Lenovo update BIOS. For reference, the laptop is Lenovo 520S-14IKB (Type 81BL). Thanks!

Lenovo (Laptop Damaged SPI Extracted BIOS).zip (5.26 MB)

CIUSA213 (Official Lenovo Update BIOS).zip (5.22 MB)

@Coldblackice - Rom from exe package will have 4-5 other images in it plus the BIOS, you need to cut out 8MB (800000 bytes) BIOS via hex. You will need to copy in his board specific details from the dump, if they are still intact after this issue. I mean serial, UUID, LAN MAC ID etc.
For me to try and find those board specific details for you, you’ll have to send me images of all stickers on the motherboard, and inside the back casing, and outside the back casing, also look between and underneath the memory sticks for stickers as well.
All those will likely contain serial, UUID and possibly MAC, if MAC ID cannot be found on stickers you may need to try and find in his router logs. While you have the back off, look at the metal casing around the LAN port too, sometimes sticker on the port itself.
I think I’ve found some of this data, but I need to see stickers to confirm what’s what and if it’s valid and not corrupted, and then copy into stock BIOS image at correct location.
BIOS region itself, well main “BIOS” volume of the BIOS region is corrupted in that dump, so hopefully none of the info we can’t find otherwise is stored there

Here is stock BIOS extracted from the rom you provided. This should get the system running for now, but will be missing all system specific details such as serial, UUID, any “ID” type version/number etc, and may also not be able to keep windows activated due to the serial/UUID Missing, Ethernet port may not work either.
If you want to do yourself, so you can learn, Open that rom in hex and search for “$_IFLASH” without the quotes. Each result is an “image” BIOS is the second one and the size with and without header will be following "$_IFLASH_BIOSIMG"
BIOS image starts at 0x97310h and ends at 0x89730Fh, select this or start at 0x97310h and select a block/range of 800000 bytes then copy paste into new image, done
http://s000.tinyupload.com/index.php?fil…278909645146457

You are the man! Thanks for the help!

And just like you predicted, I’d like to learn to do myself to learn, so thanks for that. So do you not use a tool like UEFI Tool for this then? When I opened the Roms in UEFI Tool, I couldn’t find any “BIOS” section. Instead, there were many many smaller sections, smaller sections that looked like individual drivers/modules/OROMs.

So in the future, should I not use an “automated” tool for extracting like UEFI Tool? Is it better to manually extract parts/areas via hex?



Also, is there a specific number of ID’s I should be looking for? How do you know the number of ID’s that should be present in a BIOS? I did a comparison between the stock ROM you posted vs. the extracted damaged ROM, and I can see where one of the serials is placed in both ROMs. It doesn’t appear to have any sort of distinguished placement… I wouldn’t have known where to look for it had I not already had the ID and searched for it in the damaged ROM (and then looked at that same offset in the stock ROM).

I’m surprised there are so many ID’s stored not only in just one location, but also stored in something as volatile and at risk for loss as a flash/BIOS chip. How come the ID’s aren’t just puilled electronically from the hardware components themselves?

No, UEFITool not used for what I did, only hex editor. After that you can use UEFITool for certain things though if you want.

On your last post, I am not sure what ID’s exactly you mean? As for serial # in one vs the other, it’s the same file, I only cut out the actual BIOS bin file, so anything within that space will be same as the original file.
Any serial number in there would not be a serial # anyway, rather some other ID or a general placeholder for your actual #, due to that stock BIOS file is made to be used by everyone.
Unless you meant your damaged BIOS vs the stock one, I see some board specific details in second padding file using UEFITool, this is where they would be placed back into the stock rom before you reprogram too. Extract that padding file, edit via hex, then place back via replace
This info is usually stored in the BIOS in 2 locations, sometimes 3 (sometimes copied into NVRAM areas too), it’s just how they do it, it would cost more to add some chip to board to store such details vs no additional cost to stick in BIOS instead.



Thanks for the info. I apologize I wasn’t more clear (though your answer still helped nonetheless), what I meant to ask is:

Now that I have a stock BIOS, I first must inject all the various personalized ID’s, serials, MACs, etc. necessary into the ROM before flashing, however:

  • How does one know what ID’s need to be found + inserted?
  • How does one know how many ID’s in total need to be copied/inserted?
  • How does one know the precise offsets in the BIOS each one must be inserted?

If I had a working backup of the laptop’s BIOS (before it was borked), I would do a byte-compare between it and the stock BIOS, locating all the offsets that differ, and then determining which of those were ID’s vs. BIOS settings. But with only a damaged BIOS, how do I know all of the ID’s that I need to insert and where to insert them?

I’m assuming there isn’t a specific centralized section in the ROM where all of the personalized ID’s/MACs go (which would make it easy to determine what ID’s need to be copied from the motherboard/case/etc).

Thanks again!

You’re welcome, and I gotcha now!

It depends on how you flash this stock extracted BIOS, if you have to put in the personal details or not, I will answer in general for anyone reading later and then specific for this case last.
If you flash using stock flash update method and that’s not using FPT, such as AFU or InsydeFlash/Flashit, Winphlash, then no you do not need to as they’d already be in the onboard BIOS and skipped during update.
If you are using FPT or flash programmer such as CH341A or other, then yes as this will not skip anything and will program in exactly what you give it.

For your specific recovery case, yes, you need to put these details in since the onboard BIOS contents are corrupted and you wont be reflashing via stock methods.

To your Q’s points.
1. Usually this varies, serial, UUID, model ID, asset tags, etc + you usually need to put back the LAN MAC ID as well
2. This depends on the dumped BIOS contents, if corrupted you must find another to use as source to find details and location of this info (Which is often tough to do since you don’t know the randomly found dumps details to be able to easily search for them within the BIOS)
3. See #2 & differs for all BIOS/brands/series etc.

It’s a tough one, this instance, since main BIOS volume is corrupted. We need to get a dump from working board and then try to locate the info, and then dig through the corrupted volume and possibly/hopefully find some of your details.
Or, you can get some of the details usually off stickers on your board, if laptop usually inside the casing, on the board itself, under/between memory slots and on desktops sides of 24 pin, top/bottom sides of PCI/PCIE slots, around/on the metal LAN Block (For LAN ID) sometimes, front and back of board (all stickers)

Sometimes yes, there is a standard location used, for some things, and for some BIOS, other times it’s a few well known locations for possibly finding.
If you want me to try and help you find all this in the corrupted BIOS, see what I mentioned at post #2 and if you can find another users dump send me a link (if not, let me know and I’ll try to locate one)
If you want, I can build you a BIOS with what I’ve found (x2, one with NVRAM copied in too), then you can test and see if it all works OK or not?



Thanks VERY much, super helpful reply! All of that made a lot of sense.

I haven’t been able to find another user’s dump of this BIOS yet, unfortunately. I did flash the stock BIOS image you uploaded, and it works! Well, it turns on again, but it boots realllly slow, and even once it reaches the login screen, it’s still slow/sluggish (unfortunately I don’t have the person’s PIN/password, so I’m unable to log in to see if errors start popping up).

Would you be able to send that BIOS you mentioned with what you found? That would be awesome. I can flash that right now and hopefully it works even better. Unfortunately, my "tinkering" time with this has run out as the person suddenly needs their laptop, so I only have a few hours till they need it :confused:

Thanks again!

EDIT: I hope I didn’t bork things further by turning it on without the ID’s reinserted? I’m suddenly concerned wondering what if a new UUID/SLIC was generated, suddenly throwing a chain-reaction of issues toward the install Windows 10 OS, perhaps now having an "IDentity crisis"!

You’re welcome! You need to ask this person, do they want it fixed, or worse than before but able to be powered on??? pgrin] Tell them wait, and you’ll get it sorted out BIOS work is not something you can rush through, as you’ve found out already
It’s their fault due to how they caused this, tell them you’re still working on it and will return once it’s in working order. They probably heard you say “It’s running again” and though “great, give it back” you should have held off on discussing anything with them until it’s fixed.
And really, how did that happen anyway? BIOS Updates are user invoked, and you have to go specifically planning to update the BIOS, knowing you are downloading and about to update the BIOS, so how could they even think that???

Nothing new will be generated in the BIOS, it will all just be blank/incorrect info parsed to windows when collected by certain apps, windows activations etc. So yes, SLIC/Windows activation may be affected, until we fix, yet another reason to tell them to just wait longer or be in worse situation.

If I were to make you BIOS to test, it would involve 2-3 BIOS and only one may even be bootable, so it’s not something you could rush through testing.
This is due to one or more of the issues could also be in the NVRAM volumes, so I’d make 1 BIOS with 1, second BIOS with both NVRAM volumes, and then third BIOS with the additional details volume added back in too.
So, even if I sent you files now, which I can’t, you need more time to test and see if any worked, and if not then you’d send me another dump from current running setup and I’d put I details module only without NVRAM.
In the end, it may never run correctly without getting another dump from working system, and then copying over their board specific details. For this I will have to hunt down a BIOS dump, but then once I find that it will be easy to fix it all, for now I cannot find and I’ve been looking too
All this takes time, so back to first line above

* Edit - @Coldblackide - Here, try these, program in the NVRAMVSSFDC-Padx2-FIT-CHKSum first, if it fails then try the NVRAMVSSFDC-Padx2
If both fail, it’s due to some of the corruption occured in teh NVRAM/VSS/FDC area too (or the padding files), and more tests would be needed to narrow down and try to go around the problem while still getting user details all back in there.
This is “cram it all in at once”, rather than one module/area at a time, which is the more ideal route when time permits, if these fail as mentioned above, then more time is needed.
http://s000.tinyupload.com/index.php?fil…473615074920378

Hello!
Im having the same issue with Asus P8z68 Deluxe. The BIOS FLASH has only 4mb and the ROM (oficial rom from website) has 8mb.
How can I fix it?
I alterady open in the HEX editor but I not found the text "$_IFLASH"!
I see a lot of "blank space" (FF) inside, but how can I fix it?

The board has information about the error, got code 78 → "ACPI INITIALIZATION ERROR". My technical say to me that bios is all empty, so I thing trying to flash the BIOS can fix the problem…

thanks a lot.

@dcbasso - sounds like you have the wrong model, or maybe you have dumped BIOS incorrectly to get 4MB file. This doesn’t happen like that with Asus boards and nothing here applies to Asus BIOS types

Please confirm which the motherboard has printed on it P8z68 Deluxe, or P8z68 Deluxe/GEN3
https://www.asus.com/Motherboards/P8Z68_…/HelpDesk_BIOS/
https://www.asus.com/us/Motherboards/P8Z…/HelpDesk_BIOS/

If you are programming with programmer, please send me a copy of your dumped BIOS contents so I can check it for you.
Also, tell me the BIOS chip ID, so I can tell you if you maybe need to use another software version or pick different ID when dumping BIOS contents.

Hello!
I don’t have the right tools to flash the bios but I got a friend that could help me with bios flashing and dumping…
I buy a used board, works for a few hours and got error 78 (acpi initialization error). I think this board is not the gen3, is the Asus p8z68 deluxe.

The BIOS is: winbond 25q64bvalg1123 (not sure because it’s too small)

[Guide] Using CH341A-based programmer to flash SPI EEPROM (7)

Say something about: Been experimenting flashing onto a 25q64bvaig Winbond a P8Z68 Deluxe bios for testing purposes and after the 1.18 ver of software completes its flash the verification fails and says in disagreement…

@dcbasso - Don’t guess, be sure, look at the board itself, if it does not have /GEN3 at the end of the model name printed on the board then it’s not /GEN3 model.

Use software 1.30, or 1.34, for W25Q64BV << This is 8MB chip
http://s000.tinyupload.com/index.php?fil…257455007472602

Did you dump the chip before you started writing? If yes, or if not even since writing is still failed, please be sure to dump and have someone check it for you before you erase or write to the chip, so you can try to keep your UUID, serial, DTS key and LAN MAC ID easily
If not, you’ll have to send images of all stickers on the board and I can insert all again for you except original UUID/DTS key.

Error 78 - ACPI?? This sounds like some windows error, correct? Can you boot to BIOS now? If yes, then you simply need to reflash using EZ Flash

Post error 78, There is a display at bottom of the board. The board even start the boot process or show anything on screen. Could be a hardware problem, not only bios.

I Will ask to make a copy of rom before doing some process over.

The board does not have gen3 printed…
I don’t know nothing about the flashing problem, only some stuff about the technical person: t"he dump image is empty", “the bios only have 4mb space and the ROM image has 8mb”.
I think it’s not good enough to make this process and now I found a old friend, who works with as a technician of notebooks. (Sorry my English)

OK, I gotcha now! Yes, dumped image may be empty due to incorrect software version used, that is why I linked you to package with 1.30 and 1.34 to try instead, I’ve tested these same BIOS chips with those versions and all OK
For W26W64FV I have to choose BV, so it may be possible with BV you need to choose FV, but do try correct ID first with 1.30 software.

The BIOS only have 4MB vs 8MB actual is due to not choosing correct BIOS size or ID, depending on software you are using. If general CH341A Software 1.18 I think you meant, then probably wrong ID used or software is too old. Use 1.30 and try again.
This can be done with tools you have, it’s common issue to have incorrect dump size, empty dump, etc, until you use the correct version of software for certain BIOS chips.

Please try again with 1.30 in above linked package, and choose W25Q64BV, then if still empty try W25Q64FV instead. Power may need to be applied to board too (not powered on, just Battery and main power cable connected)

Do you think that the error (ACPI Initilialization error) could be a BIOS problem?
I will talk with my friend tomorrow and I explain to him what we are arguing here.

really thanks for your attention!

I don’t know, sometimes yes it can be, but maybe not always. I looked around, and do see reports of people fixing it by reflashing and reprogramming BIOS.

No one is arguing I’m trying to help, show you best ways to do this, ways that will work etc.




Hello!
Good news, my motherboard is saved! The first technician was using the wrong software, doing the wrong process or anything like that…
So I bring to my friend, a better technician and him fix it for me, very very easy he say so.

Thanks a Lot man!