[Request] EMT64 Support for D2550

Hi There,

I have a D2550 board with EMT64 locked. The attachment is the UEFI image file dumped by afulnx.



Please help to modify the UEFI image to support EMT64.


Best Regards.

st-d2550.zip (1 MB)

Hello @lvqier
Try to go with this: [REQUEST] HP Insyde Bios EM64T
But we didn’t solve the issue because the questioner got over it (at the end he was struggling with RSA signature protection plus hard issues with powering the programmer at the right voltages).
The problem is most probably that the OEM set two bits of MSR 0x122 which have to be modded in a way that they have zero value.
It is doable, but it requires a lot of work and testing, and you’re still on the verge of a brick.

Hi @DaCou , thank you very much. It will be a good start with your reply. Never worry about the verge of a brick, I can rewrite the flash chip directly using a programmer.
Before I got here, I had tried another UEFI image with EMT64 supported which was dumped from a different board with the same CPU. My board can boot with that image, but things like the power LED and restore on AC power loss do not work correctly.
I have made a try at reverse engineering the CpuPei module and found the same code as @Alif posted at <#23 | RE: HP Bios 64 Bit unlock and MC update>:

0x000004ea add eax, 0x30
0x000004ed adc ecx, ebx
0x000004ef push rcx
0x000004f0 push rax
0x000004f1 push 0x79 ; 'y'
0x000004f3 call fcn.000026a8
0x000004f8 add esp, 0xc
0x000004fb and esi, 0xfffffff0 ; 4294967280
0x000004fe cmp esi, 0x30660
0x00000504 jne 0x526
0x00000506 cmp byte [rbp - 1], bl
0x00000509 je 0x53f
0x0000050b mov esi, 0x122
0x00000510 push rsi
0x00000511 call fcn.000026a1
0x00000516 or edx, ebx
0x00000518 push rdx
0x00000519 or eax, 3 ; maybe change to eax, 0 here?
0x0000051c push rax
0x0000051d push rsi
0x0000051e call fcn.000026a8
0x00000523 add esp, 0x10

0x00001169 add esp, 0x48
0x0000116c mov dword [rax], ecx
0x0000116e call fcn.000028a6
0x00001173 and eax, 0xfffffff0 ; 4294967280
0x00001176 cmp eax, 0x30660
0x0000117b jne 0x1198
0x0000117d mov edi, 0x122
0x00001182 push rdi
0x00001183 call fcn.000026a1
0x00001188 or edx, esi
0x0000118a push rdx
0x0000118b or eax, 3 ; maybe change to eax, 0 here too?
0x0000118e push rax
0x0000118f push rdi
0x00001190 call fcn.000026a8
0x00001195 add esp, 0x10
0x00001198 push qword [rbp - 8]
0x0000119b push 0xfffffffffffbf6ee
0x000011a0 push 1
0x000011a2 push rsi

Should I modify 'or eax, 3' to 'or eax, 0' at both places?

In addition, the attachment is the image that has EMT64 support.

zm-d2550.zip (1.15 MB)

Hi @lvqier
It sounds good that the different image from the same mobo vendor went well with your mobo.
I wouldn’t touch the code Alif posted yet.
There are more places than one for the setting of 0x122.
I can’t help you directly because my SATA cable went wrong, so now I am on a Linux live USB, which means I have a hard time getting IDA Pro to work on Linux. I am a Linux noob.
Basically I would first search in UEFITool for all appearances of the opcodes of “mov esi 122” in both your BIOS images, then put the modules into IDA or another disassembler in order to find the differences in the 122 code.
Be careful, don’t forget to search for the opcodes mov ecx 122 and push 122 as well.
It could actually be very easy work if our assumption that the 122 code is to blame is right.
The BIOS image which worked for you is most probably setting a different 122 value, so it is mostly a task of finding what that value is.
Secondly, let’s download RWEverything and explore the 122 value on both BIOS images.
If it has a different value then it can go straight to the BIOS mod. If it is the same, that would mean the problem is somewhere else in the BIOS.
I am not good in English, so sorry if something is badly explained.
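One way to do the search described above (mov esi/ecx/edi 0x122 and push 0x122 across a raw module), as an added example that is not part of this thread: it scans a byte blob for the x86 encodings of those immediate loads and reports whether an `or eax, imm8` follows within a short window, which is the candidate the listings earlier in the thread point at. The sample blob is constructed from the instruction bytes of the 0x50b..0x523 sequence quoted above; a real hit still needs confirming in a disassembler, since the immediate can match by accident at a wrong alignment.

```python
import struct

# B8+r imm32 -> mov r32, imm32 (r = eax, ecx, edx, ebx, esp, ebp, esi, edi)
# 68 imm32   -> push imm32
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
OR_EAX_IMM8 = b"\x83\xc8"  # 'or eax, imm8' (83 /1 ib with modrm C8)


def find_msr_loads(blob, msr=0x122):
    """Return (offset, mnemonic) for every 'mov r32, msr' / 'push msr' in blob (heuristic)."""
    imm = struct.pack("<I", msr)
    hits = []
    i = blob.find(imm)
    while i != -1:
        if i >= 1:
            op = blob[i - 1]
            if 0xB8 <= op <= 0xBF:
                hits.append((i - 1, "mov %s, 0x%x" % (REG32[op - 0xB8], msr)))
            elif op == 0x68:
                hits.append((i - 1, "push 0x%x" % msr))
        i = blob.find(imm, i + 1)
    return hits


def find_or_eax_after(blob, start, window=32):
    """(offset, imm8) of the first 'or eax, imm8' within window bytes after start, else None."""
    j = blob.find(OR_EAX_IMM8, start, start + window)
    if j < 0 or j + 2 >= len(blob):
        return None
    return (j, blob[j + 2])


def report(blob, msr=0x122):
    """Human-readable lines: each MSR index load plus any nearby 'or eax, imm8'."""
    out = []
    for off, mn in find_msr_loads(blob, msr):
        hit = find_or_eax_after(blob, off)
        tail = "" if hit is None else "  -> or eax, 0x%x at 0x%x" % (hit[1], hit[0])
        out.append("0x%06x  %s%s" % (off, mn, tail))
    return out


# Constructed sample: NOP filler around the bytes of the CpuPei sequence quoted above
# (call targets re-encoded as rel32 so the bytes match the listed instruction sizes).
SAMPLE = (
    b"\x90" * 16
    + b"\xbe\x22\x01\x00\x00"   # mov esi, 0x122
    + b"\x56"                   # push rsi
    + b"\xe8\x8b\x21\x00\x00"   # call fcn.000026a1 (rdmsr wrapper)
    + b"\x0b\xd3"               # or edx, ebx
    + b"\x52"                   # push rdx
    + b"\x83\xc8\x03"           # or eax, 3   <- the bits the thread is discussing
    + b"\x50\x56"               # push rax ; push rsi
    + b"\xe8\x85\x21\x00\x00"   # call fcn.000026a8 (wrmsr wrapper)
    + b"\x83\xc4\x10"           # add esp, 0x10
    + b"\x90" * 16
)

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Run it against a module extracted with UEFITool by reading the file into `blob`; hits are offsets into that module, not into the whole image.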

Hi @DaCou
I got an "Invalid FFS File" error when trying to replace the CpuPei module with the one I modified today. It may be something like a checksum mismatch, which needs a deep inspection of the EI module format. I think I will give up this way.
As another approach, I replaced the CpuPei module and MicroCodes with the ones from the image that has EMT64 support, and it works!
Here are the CPU flags with and without EMT64 support:

// EMT64 Supported
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc arch_perfmon pebs bts nonstop_tsc cpuid aperfmperf pni dtes64 monitor ds_cpl tm2 ssse3 cx16 xtpr pdcm movbe lahf_lm dtherm arat
// EMT64 Not supported
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx constant_tsc arch_perfmon pebs bts nonstop_tsc cpuid aperfmperf pni dtes64 monitor ds_cpl tm2 ssse3 xtpr pdcm movbe lahf_lm dtherm arat


Thank you very much!

@lvqier Doesn’t the D2550 run on a 32-bit UEFI with 32-bit drivers? Intel does weird things with Atom hardware like locking you into a 32-bit OS.

Hi @chinobino
Yes, the D2550 ran with a 32-bit OS smoothly for me. In order to run some vendor-provided 64-bit-only software, I have to enable the EMT64 support or replace the entire machine.
I am running amd64 Debian on the D2550 now, I will update here if there’s anything weird. But what kind of things does Intel do, as you mentioned? I am quite curious.

@lvqier If you are already running AMD64 Debian then that is good news, you should be able to patch the UEFI to enable EMT64.

As for weird things that Intel does I was just referring to the locking/disabling of features or instruction sets seemingly at random.

@chinobino ,
Yes, I also thought it runs some 32-bit UEFI code because of the procedure’s mov esi. All BIOSes I have seen have mov ecx instead.
@lvqier So you basically cross-flashed the CpuPei module from a different machine?
Nice to see it works!

Hi @DaCou , after running for a couple of days with the CpuPei-replaced image, I can confirm that EMT64 works, but Hyper-Threading does not work. Changing the CPU settings in the Aptio Setup had no effect.
I think I have to turn back to the reverse engineering way.
I can extract the PE file from the UEFI image and modify it, but the board does not boot after replacing it using UEFITool.
Do you have any idea about it? Appreciate if you can help.

Here’s good news. I finally reached the goal!
I extracted the CpuPei PE32 image using UEFITool, edited it with Cutter, and replaced the original one using UEFITool. Then I extracted the whole CpuPei FFS module using UEFITool and replaced the original one in MMTool.

Hello @lvqier
It seems you are a very creative and clever man.
So how was it, have you enabled EMT64 and has HT remained in working state?

@DaCou Yes it is!
The key modification is to nop out ‘or eax,3’ in both places, and to use MMTool to rebuild the UEFI image.

101AEE4B-B584-4778-8747-CC6DD52BB988.jpg

@lvqier Looks like you can understand the assembly, right? If you have some time, can you please look into my BIOS image and see what’s wrong? The thing is I have very poor knowledge of x86 assembly and so I can’t understand what is going on. It would be a great help if you respond. I have attached the firmware dumped from the SPI flash here.

Thanks

bios.zip (1.11 MB)

Hi @Alif
Could you provide any detailed information about your problem? I have no idea where to begin.

@lvqier Exactly the same as your problem. There are two places where MSR 0x122 is set. But the problem is they have different values. You can just look for 0x122 in cutter/radare2 as you just did. The problem is just the same, EM64T is locked in the machine.

@lvqier , sorry I couldn’t attach so many details because I was on my phone. But here is my problem.

Just like you, I have two places where 0x122 is set. I am attaching the screenshots for reference. I just want to know what setting two and then one means. Does it involve any other MSRs right here? Please have a look at the image. In UEFITool, the modules with 0x122 are OemItl15Callback and a PEI module with numbers as its name. Please have a look at the BIOS and these screenshots.

Screenshot_20210425_094325.png

Screenshot_20210425_094557.jpg

Screenshot_20210425_094609.jpg

@Alif Sorry for the late reply. The instruction ‘or eax, 2’ means set bit[1] of the number in eax to 1, then ‘or eax,1’ means set bit[0] of the number in eax to 1. Since 3 = 1 or 2, it is the same as ‘or eax,3’ if you combine those two together.
I have no time to make a deep analysis for you this week due to heavy work, but next week will be fine.

Okay, @lvqier , thanks a lot for looking into the issue, I will be looking forward to further info. But the thing is, these two places where 0x122 is set are in two different places. The first one, where 2 is set, is in a DXE volume. But the place where 1 is set is in a PEI module. I just can’t get over this confusion.

Hello @lvqier , hope you are doing well. If you get some free time, shall we look into my issue as well? I seriously need this and it would be a huge help to hear your opinion, after all I have no experience in x86 assembly.
Thanks