[Sony VAIO] BIOS modding/hacking/unlocking - Some Questions

Hi there, I have a Sony VAIO Pro 13 (Lynx Point-LP) with an AMI APTIO 4 UEFI.

I want to update all available ROMs inside the BIOS and unlock most if not all locked options in the BIOS. It is possible to open the BIOS with AMIBCP 4.55 and change some settings. What I think is interesting:
If you open the BIOS with AMIBCP there seem to be two sections with 13 entries each (take a look at the attached screenshot). It seems that the second section is just a copy of the first one that just got renamed and made accessible for the user. Also some handles were changed. The funny thing is that this second user-exposed section won’t show you every option. The second section will only have a few entries in it whereas the first section is the full-blown version with everything in it. What I don’t understand is the fact that there are two different handles used for the same entry. XD-Bit has the handle 0211 in the first section and 0C54 in the second section. Is it not possible to use the same handle twice or why is another handle used?
I could change every setting to USER but I think there is a better way to do so. I think there is one simple condition inside the UEFI which triggers which section to show. The questions are:
How do I find it?
Is my assumption right?
Where do I find it or where is the best place to look?

When I change all settings to USER then I will have everything twice. Maybe there is a key combination to unlock all those settings?

I downloaded the latest BIOS from Sony (http://download.sony-europe.com/PUB/VAIO…P0000321606.exe) and extracted it. What I don’t understand is why there are two flash tools inside it (WBFLASH and AFUWINx64). WBFLASH comes with a file named WBFLASH.SCR which seems to hold the information about the BIOS file to flash (e.g. version, etc.) and compares it with the actual BIOS. There is also a file named UPDTW64.BAT which calls AFUWINx64: Afuwinx64 V710440B.CAP /Capsule /P /B /N /ECX /S. So it seems that those two programs do the same but I really don’t know why. This question is essential for me when I want to flash my modded BIOS and don’t want to fuck up my BIOS. On the “old” (pre 8-Series) laptops one would normally use WBFLASH for flashing but it seems Sony switched to AFUWIN. Could this be possible and which option is safer?
I updated my ME firmware to the latest version. When I flash my modded BIOS do I have to reflash the ME firmware again? If I have to, isn’t it better to change the ME firmware inside the BIOS and flash this one?

— EDIT —
I think I know now why these two sections have different handles for the same functions. There are two modules (Setup and SonySetupCallback) which handle the different sections but only the SonySetupCallback seems to get called/loaded. The SonySetupCallback module is smaller and I think it is based on the Setup module. The funny thing is that when I extract the SonySetupCallback with IFR I get the following:

0x2D7F1 Main (0x6)
0x3C660 Advanced (0x20)
0x4464C Chipset (0x22)
0x4CBD8 Boot (0x24)
0x4D621 Security (0x3F)
0x4DEBF Save & Exit (0x53)
0x4E1B1 Main (0x7E9)
0x4E3F4 Advanced (0x803)
0x4E840 Boot (0x811)
0x4EDC5 Security (0x3F)
0x4F528 Exit (0x82A)

I would have suspected that there is something like “suppress Main (0x6) if foobar” but there isn’t anything like it and I really can’t understand what the fuck Sony did there ^^
Also the order isn’t right: In the actual BIOS it reads Main | Advanced | Security | Boot | Exit but referring to IFR it should read Main | Advanced | Boot | Security | Exit. So Security and Boot are switched. Any suggestion on why this is happening?

If I do the same with the Setup module I get the following:
0x37A51 Main (0x6)
0x468C0 Advanced (0x20)
0x4E8AC Chipset (0x22)
0x56E38 Boot (0x24)
0x57881 Security (0x3F)
0x5811F Save & Exit (0x53)

And now comes the strange/funny part: The first section (or the first entries) in the SonySetupCallback are exactly the same as in the Setup module. So I think what Sony did was just lazy: They copied the original Setup, hid everything and just added their stuff. But the facts say something different since the SetupCallBack module is 318kB in size while the Setup module is 354kB in size (extracted). Does that make sense to anyone?

And then the strange things go on: the latest option that AMIBCP shows me is Recovery (attached screenshot) but it isn’t listed anywhere in the IFR. These options are in another module called ReFlash (030B). If I change anything with AMIBCP (like Show or USER) then the changes take place in the AMITSE module. So I think that this module triggers everything. Does anyone know what this module does? I really dunno how to go on now. Should I change AMITSE? Or should I change SonySetupCallback?

Is it OK if I change the modules and replace them with MMtool or will I get a corrupted UEFI afterwards? I’ve read about this RSA signing stuff and the checksums but nothing that really clarified the situation.

I really hope that you can help me with this since it is a bit of a mess I think :wink:

Unbenannt.png
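The two IFR form lists quoted in the post above can be compared mechanically. The following is an added example, not code from the thread or from any tool it mentions; the function names (`parse_forms`, `compare`, `reused_ids`) are illustrative. It pairs forms by title and form ID, reports the offset difference between the two modules for each pair, and flags form IDs used twice inside one module.

```python
import re

# Form lists exactly as posted in the thread: offset, title, (form ID).
SONY = """0x2D7F1 Main (0x6)
0x3C660 Advanced (0x20)
0x4464C Chipset (0x22)
0x4CBD8 Boot (0x24)
0x4D621 Security (0x3F)
0x4DEBF Save & Exit (0x53)
0x4E1B1 Main (0x7E9)
0x4E3F4 Advanced (0x803)
0x4E840 Boot (0x811)
0x4EDC5 Security (0x3F)
0x4F528 Exit (0x82A)"""
SETUP = """0x37A51 Main (0x6)
0x468C0 Advanced (0x20)
0x4E8AC Chipset (0x22)
0x56E38 Boot (0x24)
0x57881 Security (0x3F)
0x5811F Save & Exit (0x53)"""

LINE = re.compile(r"^(0x[0-9A-Fa-f]+)\s+(.+?)\s+\((0x[0-9A-Fa-f]+)\)$")

def parse_forms(listing):
    """Return [(offset, title, form_id)] for every well-formed line."""
    hits = (LINE.match(raw.strip()) for raw in listing.splitlines())
    return [(int(m[1], 16), m[2], int(m[3], 16)) for m in hits if m]

def compare(setup, sony):
    """Pair forms by (title, form ID); return offset deltas and leftovers."""
    index = {(t, fid): off for off, t, fid in setup}
    shared, extra = [], []
    for off, title, fid in sony:
        base = index.pop((title, fid), None)  # each Setup form pairs once
        if base is None:
            extra.append((off, title, fid))
        else:
            shared.append((title, fid, base - off))
    return shared, extra

def reused_ids(forms):
    """Form IDs that occur more than once inside a single module."""
    ids = [fid for _, _, fid in forms]
    return sorted({fid for fid in ids if ids.count(fid) > 1})

if __name__ == "__main__":
    shared, extra = compare(parse_forms(SETUP), parse_forms(SONY))
    for title, fid, delta in shared:
        print(f"{title:12} id={fid:#x} Setup-Sony offset delta={delta:#x}")
    print("only in SonySetupCallback:", [(t, hex(f)) for _, t, f in extra])
    print("IDs used twice:", [hex(f) for f in reused_ids(parse_forms(SONY))])
```

All six shared forms sit at the same offset difference (0xA260) between the two modules, and 0x3F is the only form ID that appears twice in the SonySetupCallback list.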

Not sure if you are going to get all of your answers, but I am hoping they send you in the right direction. I’m interested to see where this goes because I am currently working on a Sony VAIO Pro 13 at the moment, but you did deliver a loaded question.

What are you trying to accomplish with the modded BIOS?
I am currently researching if I need to mod the BIOS to get the computer to recognize a PCIE SSD that I just installed.

@ e.v.o:
Unfortunately I cannot answer your questions, but I hope, that someone else knows more about your special modding problems and can help you.


@ Viabobed:
Welcome to the Win-RAID Forum!

Which PCIe SSD model is it? Shall it work as bootable system drive?

Regards
Dieter (alias Fernando)

Thanks for the warm welcome @ Fernando.
It is a Samsung MZHPV256HDGL PCIE M.2 Form Factor SSD.

Windows / Linux is able to recognize the drive so I know it is installed correctly, but I could tell that AHCI is not enabled and the BIOS does not want to acknowledge that it is installed. The laptop was originally configured with a similar Samsung 128GB PCIE SSD.

Ran a program called Boot-Repair thinking it was an OS issue at first. http://paste.ubuntu.com/12121846/

@e.v.o hopefully we are able to keep bumping your thread.

The BIOS may not show it, but obviously detects and handles it. Otherwise neither Windows nor Linux would see the drive.

@Fernando Would modding the BIOS help me turn it into a bootable drive? The UEFI BIOS won’t let me boot into the drive. I have been reading your guides, and gathered MM-Tools + more to start.

Maybe it will help, if you insert a special Samsung M.2 EFI module into the mainboard BIOS. The BIOS of my ASRock mainboard contains a module named “Samsung_M2_DXE”, but I don’t know, whether it is usable with your Sony VAIO.

There are two main things I wanna achieve:
- Update all ROMs (ME/GOP/SATA/etc.)
- Unlock most if not all options in the BIOS
→ If unlocked it is possible to change the thermal specs of the terrible fan ^^

As far as I know Sony has delivered the Vaio Pro 13 with Toshiba SATA (using AHCI) SSDs (like mine) in Europe. Since you are saying that you had a Samsung SSD in it, could it be that you live in the US or have a custom-built model? There was a big concern when Sony launched the Ultrabook because some models were delivered with an M.2 SATA SSD not using the PCIe standard whereas other models were delivered with an M.2 PCIe-AHCI SSD. The Sony Vaio Pro 11/13 is capable of using M.2 SATA SSDs and M.2 PCIe-AHCI SSDs but it is incapable of using M.2 PCIe-NVMe SSDs since the BIOS doesn’t hold an NVMe module.

So there are two options for you:
- implement an NVMe ROM
- get the XP941 model which is the predecessor

But before I do any sort of modding to the BIOS I have to sort out what Sony did with the options and how they fucked it up :smiley:
I also need to sort out which is the best method for flashing the BIOS …

(Sorry for my bad English… this is only because of the built-in autocorrection that’s German :smiley: )

— EDIT —
Someone on the Internet suggested that the SSD will show up in the BIOS when you put it into another PC and install Windows on it. Then you could plug it into the Sony, boot up your USB stick (hopefully created with Rufus) and could hopefully format the drive once again for a clean install.

@Fernando
I grabbed the DXE ROM from your ASRock and will take a look at it… which BIOSes do you know of that have an NVMe ROM and, ideally, are for Intel 8-Series chipsets?

— EDIT —
Further investigation revealed that the Vaio Pro supports a maximum of 4 PCIe lanes. If I read the specs correctly every M.2 controller should support SATA, PCIe-AHCI and PCIe-NVMe. So there could be two problems we’re facing: that the controller doesn’t support PCIe-NVMe and that the BIOS doesn’t support it. How can one find out which controller is used for the M.2 port?

evo, you can unlock your chipset tab with this article :slight_smile: I did it and it worked

http://forums.mydigitallife.info/threads…nus-MSR-unlock!

@temroa
Thanks! For which BIOS/model did you achieve this and which method did you use to flash?



It’s for AMI Aptio 4 and my notebook is an ASUS x552cl-sx029h and I used afuwingui for flashing. Here you can download it: http://www.ami.com/download-license-agre…ate_Utility.zip

Perfect! Thanks for the reply! One less question on my list.

I think I will just try to update my BIOS later… hopefully it works :smiley:

Maybe we should make up a private FTP or better a cloud account (OneDrive or DropBox) where we could all work together and collect all tools? Just thinking…

It’s very easy to do, it’s not a need I think
1. Right-click setup and extract body, save this as setup.bin
2. Open setup.bin in HxD, search 010100010101 (in my notebook default is this)
change it to 010101010101 so menu is disabled it’s 00 if it’s enabled it’s 01
save it as setup_mod.bin
After, right-click setup module and click replace body, use setup_mod.bin
Save the BIOS and flash it with afuwingui. With afuwingui you can save or flash compatible BIOS :slight_smile:

But read the article first :slight_smile:



Edit: but if you say that I can’t, I can do it for you

Although I understand your question very well, I will not answer.
This is a "clean" single-language Forum, because only this way will all Forum visitors be able to read and understand all contributions. I am neither willing to do it nor do I have the time to answer the same questions in different languages.
If you have any questions, please post them in English language.

Hoping for your understanding
Dieter

Thanks. I already modded some BIOS/UEFI with MMTool and AMIBCP but my problem after examining the Vaio BIOS was that there were those two sections that were in separate modules (Setup and SonySetupCallback). Maybe I should fire up IDA to dive deeper into the problem but I think the name of the Sony module makes it clear: The Setup module calls the Sony module via a callback function which then overrides the Setup module.

But two questions remain even if everything mentioned here is true:
- What’s with the last option (Recovery) that gets shown under AMIBCP but isn’t listed when using IFR?
- IFR lists Security first and then Boot but in the actual BIOS it is switched. Why is that?

Regarding the second question I found the following:
In AMIBCP every major point has a name (like Main, Advanced) except the second security option which has no name and is filled with FFFF handles. The IFR table (from the SonySetupCallback module) tells us that this option is the only one that sports the exact same handle (0x3F) as the one in the first section. All other options have unique handles. I think that this tells the module to load the security section from the Sony module but overwrite it with the functionality provided in the first section from the Setup module. So I have to look for this:
00 00 00 00 00 00 01 01 01 01 01

And yeah, there really is this sequence. Since it’s in both modules my guess that the Sony module overrides the Setup module becomes clear. But wait… in the Setup module the byte sequence has 12 entries! The Sony module only says that there are 10 (which is correct since it lacks the Security and Recovery options!) entries just like one would expect from AMIBCP. And guess what? The last byte there is 01 but 00 in the SonySetupCallback module. So I have to append one more byte to the sequence above (01) to get the Recovery option visible. But I really don’t know what will happen to the Security options since this will get loaded twice…

Sorry for writing so much but I like to share my thoughts and findings :wink:

I’m going to change the Sony module first, will flash the result and tell you what happened. As I always say: what could possibly go wrong? :smiley:

Sorry for that double post and sorry for posting in German!
Do you know any NVMe-capable Intel 8-Series BIOS?



I can’t flash the file… I first tried with 3.07:

C:\afuwin>AFUWINx64.EXE ExtMOD.cap /P /B /K
+---------------------------------------------------------------------------+
| AMI Firmware Update Utility v3.07.00 |
| Copyright (C)2014 American Megatrends Inc. All Rights Reserved. |
+---------------------------------------------------------------------------+
Reading flash ............... done
- ME Data Size checking . ok
Secure Flash enabled, recalculate ROM size with signature... Enable.
- FFS checksums ......... ok
Loading capsule to secure memory buffer ... done
18 - Error: Secure Flash Rom Verify fail.
 


Then I tried the /CAPSULE switch:
C:\afuwin>AFUWINx64.EXE ExtMOD.cap /CAPSULE /P /B /K
+---------------------------------------------------------------------------+
| AMI Firmware Update Utility v3.07.00 |
| Copyright (C)2014 American Megatrends Inc. All Rights Reserved. |
+---------------------------------------------------------------------------+
Reading flash ............... done
- ME Data Size checking . ok
- FFS checksums ......... ok
Loading capsule to secure memory buffer ... done
18 - Error: Secure Flash Rom Verify fail.
 


Then I tried it with /GAN:
C:\afuwin>AFUWINx64.EXE ExtMOD.cap /GAN
Unknown command or option : /GAN
1 - Error: Unknown command.
 


Then I used an "old" 3.01 version:
C:\afuwin>AFUWINx64.EXE ExtMOD.cap /GAN
Reading flash ............... done
- ME Data Size checking . ok
- Error: BIOS doesn't support all ROM flashing function.
1
 


Then I tried the /P /B /K switches:
C:\afuwin>AFUWINx64.EXE ExtMOD.cap /P /B /K
+---------------------------------------------------------------------------+
| AMI Firmware Update Utility v3.01.V02 for Foxconn |
| Copyright (C)2012 American Megatrends Inc. All Rights Reserved. |
+---------------------------------------------------------------------------+
Reading flash ............... done
- ME Data Size checking . ok
- FFS checksums ......... ok
Loading capsule to secure memory buffer ... done
- Error: Unable to start a Secure Flash session.
1
 


Well.. think I have to go another way... hm..

lol why are you working a lot for it you just need afuwingui

https://www.sendspace.com/file/k3brjs

download it and open afuwingui then open bios then flash

have a nice day

That’s ok.

AFAIK there is not a big difference between Intel 8- and 9-Series Chipsets regarding the NVMe support capability, but nevertheless the mainboard manufacturers only put the required module into the BIOS of 9-Series mainboards.
So I think that you can use any NVMe module you find within an Intel Z97 chipset mainboard BIOS.