AMI unlock to flash your modified ROMs [works on Intel Series 7]

Discussion in 'BIOS Mods' started by nexus76, Sep 28, 2013.

  1. nexus76

    nexus76 MDL Addicted

    Jan 25, 2009
    783
    296
    30
    #1 nexus76, Sep 28, 2013
    Last edited: Jan 21, 2014
    AMI unlock to flash your modified ROMs [works on Intel Series 7/Series 8]

    Ladies & Gentlemen,

    update 19.01.2014

    WARNING: DON'T DO IT IF YOU DON'T NEED TO MOD YOUR ROM!
    FIRST OF ALL CREATE A BACKUP WITH AFU (AFUWIN/DOS BACKUP.ROM /O).
    APPLY AT YOUR OWN RISK BEING AWARE OF EVENTUAL NEGATIVE CONSEQUENCES.
    NOT EVERY AMI APTIO ROM IS STANDARD-COMPLIANT.
    AS REPORTED THIS METHOD WON'T WORK ON EVERY MAINBOARD.
    FEEDBACK ABOUT YOUR RESULTS IS APPRECIATED.

    Found a new method using SCEWIN to remove the flash lock on
    Intel Series 7/8 chipsets with AMI Aptio.
    No need to explain it twice: BIOS flash lock removed, method explained here.

    *****************************************************************************************

    outdated method:

    Before you can flash an unlocked ROM you should downgrade; it's a good idea to use the very first BIOS version available.
    You can do this from DOS with AFUDOS for Aptio: afudos bios.cap /p /b /n /k ...
    After reboot you can flash a prepared unlocked ROM as described:

    Extended unlock method, credits :chef: to CodeRush who cooked it out:

    Polish your ROM & apply this BIOSLOCK-DEATHSTROKE:

    If you want to be able to mod and flash your ROMs with tools like Intel FTK and flashrom, I'll show you here how to make it work.
    Open your UEFI ROM in AndyP's tool, click on Structure, tick "decompress ..." and "compress ...", search for PchInitDxe and extract it:

    [​IMG]

    Open the extracted module with HxD or your favourite hex editor and search for 48 8B 41 50 F6 00 10:

    [​IMG]

    Write/replace the last three hex bytes F6 00 10 with 48 31 C0, so that it looks like 48 8B 41 50 48 31 C0:

    [​IMG]

    Save the file with your hex editor and replace the module with AndyP's tool:

    [​IMG]

    If necessary cut the CAP header and flash with the method described above.
    "What the hell is that?" you'll ask; read on at insanelymac how CodeRush developed this fantastic mod.

    Now you are able to flash with FTK and flashrom too, all areas.

    : )

    Do yourself a favour and create a FULL ROM-BACKUP before any action.
     
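The hex-editor step in the first post, done as a script: this is an added example for this thread, not tooling from the post, AndyP's tool or CodeRush. It searches the extracted PchInitDxe module for the 7-byte pattern quoted above and writes the same-length replacement. The byte meanings in the comments are a plain decode of the two sequences (mov rax,[rcx+0x50] ; test byte ptr [rax],0x10 becoming mov rax,[rcx+0x50] ; xor rax,rax); the file names are assumptions. It refuses to write if the pattern is absent or occurs more than once, since a second hit would mean patching the wrong place.

```python
"""Apply the PchInitDxe byte patch described in the post above to an extracted module.

Added example for this thread, not tooling from the post, AndyP or CodeRush. It assumes
the module body has already been extracted to a file and that the 7-byte pattern occurs
exactly once; it refuses to write anything otherwise.
"""
import sys
from pathlib import Path

# Bytes from the post. Decoded: 48 8B 41 50 = mov rax,[rcx+0x50]; F6 00 10 = test byte ptr [rax],0x10
ORIGINAL = bytes.fromhex("48 8B 41 50 F6 00 10")
# Replacement from the post: same mov, then 48 31 C0 = xor rax,rax (sets ZF, so a following
# jz/jnz behaves as if the tested bit were clear). Both are 7 bytes, so nothing after them moves.
PATCHED = bytes.fromhex("48 8B 41 50 48 31 C0")
assert len(ORIGINAL) == len(PATCHED)


def find_all(data, pattern):
    """Return every offset at which pattern occurs in data (overlaps included)."""
    hits, start = [], 0
    while True:
        i = data.find(pattern, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def patch_module(data):
    """Return (patched_bytes, offset). Raise ValueError unless the pattern occurs exactly once."""
    hits = find_all(data, ORIGINAL)
    if len(hits) != 1:
        raise ValueError("expected exactly one match, found %d at %s"
                         % (len(hits), [hex(h) for h in hits]))
    off = hits[0]
    out = bytearray(data)
    out[off:off + len(ORIGINAL)] = PATCHED
    return bytes(out), off


def is_patched(data):
    """True when the module already carries the replacement and no original pattern remains."""
    return PATCHED in data and ORIGINAL not in data


def main(argv):
    # File names are assumptions; pass the module you extracted and where to write the result.
    if len(argv) != 3:
        print("usage: patch_pchinitdxe.py <extracted module> <output file>")
        return 2
    src, dst = Path(argv[1]), Path(argv[2])
    data = src.read_bytes()
    if is_patched(data):
        print("already patched, nothing to do")
        return 0
    patched, off = patch_module(data)
    dst.write_bytes(patched)
    print("patched at file offset 0x%x, wrote %s (%d bytes)" % (off, dst, len(patched)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the module you extracted, then reinsert the output with the tool as the post describes; keeping the patch the same length is what lets the module go back in without any section or size fix-ups.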
  2. CodeRush

    CodeRush MDL Member

    Jun 20, 2011
    219
    646
    10
    #2 CodeRush, Sep 28, 2013
    Last edited: Sep 28, 2013
    Tested by jjxaker@overclockers.ru, works on ASUS Z87 boards, but individual data transfer with FD44Copier/FD44Editor is still required for ASUS boards. BIOS regions that are locked for write access will not be reflashed by the method, but it can be bypassed via HDA_SDO pinmod.
     
  3. nexus76

    nexus76 MDL Addicted

    Jan 25, 2009
    783
    296
    30
    #3 nexus76, Sep 28, 2013
    Last edited: Sep 28, 2013
    (OP)
    Even if we unlock PchInitDxe.ffs before flashing with this method?
    I'd suggest flashrom or fpt -rewrite will flash everything then.
    CodeRush, I'll extend the thread with your unlock method.

    Right, it doesn't update all regions. I'm trying to patch afuwin to jmp anyway.
     
  4. CodeRush

    CodeRush MDL Member

    Jun 20, 2011
    219
    646
    10
    Nexus76, there are 2 types of protection that can be on: locked descriptor and SMI-based checks.
    The first is old and easy to bypass if you have access to the HDA chip on your board, but it's totally unrelated to modified BIOS flashing, because it locks regions other than BIOS: ME, GbE and the descriptor itself.
    The second one was made about 6 months ago (but was implemented and ready to be enabled in 2011) and protects the BIOS region from flashing with "unauthorised" tools like FPT or flashrom. Your awesome finding, that /GAN key that was hidden since ages, can bypass that "new" lock, making flashing of modified BIOSes possible for people without programmers or USB BIOS Flashback.
    The interaction between both locks must be further tested, but please return your message about /GAN to the first post - it's much more valuable than my PchInitDxe method, because it makes this art of patching unneeded at all.
     
  5. nexus76

    nexus76 MDL Addicted

    Jan 25, 2009
    783
    296
    30
    #5 nexus76, Sep 30, 2013
    Last edited by a moderator: Apr 20, 2017
    (OP)
    CodeRush,

    that's the problem, I wasn't able to unlock the board with amiflash /GAN switch.
    We need to further investigate what this switch does.

    The "Updating All Block" does a very short job:

    Code:
    erasing   1000h - 113000h (?)
    updating 105000h - ?
    verifying ~107000-7fa800
    and repeatedly different areas, started 3 times and three different results using the same ROM.

    As long as we don't know exactly which regions get flashed by this switch, it's not useful info. Even the main BIOS block does not get flashed.

    I don't want someone using the switch resulting with a dead board (bios) condemning me for false info.

    At least I wasn't able to remove the flashlock this way on my Z77 board.
    That's why I removed the info - I'm not a poser, I just wanna present relevant info that's valuable plus applicable.
    Do you have positive feedback, someone who unlocked the BIOS?

    Btw I spent the night from Saturday to Sunday reverse engineering AFU and found out a few things inverting jumps from 7c to 7e and 74 to 75, 00 84 to 00 85 and so on:
    afuwinx64.exe

    Code:
    19f3 : ignore capsule
    1c05h : ignore capsule
    2b74h : unable to access port
    3d26h : Power Write DCValueIndex data failure
    3d62h : Power Write ACValueIndex data failure
    3d86h : PowerSetActiveScheme failure
    4047h : PowerReadACValueIndex data failure
    4088h : PowerReadACValueIndex data failure
    40c5h : Power Write ACValueIndex data failure
    40ffh : Power Write DCValueIndex data failure
    4123h : PowerSetActiveScheme failure
    74e4h : Error: ROM file ROMID is not compatible with existing BIOS ROMID
    8781h : exit / quit
    Anywhere in between I would even have been able to read and flash, but it stopped, telling me the ROM size doesn't match when using the 8192 kB bin file.
    Maybe it would have been possible to use a patched capsule file here. AFU holds 1631 test routines, that's a monster job ;) ...
    But at 5:00 am I was slightly too tired due to a © brain buffer overflow to figure it out at that time.
    I need to work it out further.

    This would be the best option to flash any ROM from my point of view.
    There's a lot of code for verification inside and some outsb and outsd function to get or set registers via dx.
    I think the best option would be to invert the SMI check and load the unlocked status module anyway (int 0x21?).

    best regardz
     
  6. CodeRush

    CodeRush MDL Member

    Jun 20, 2011
    219
    646
    10
    #6 CodeRush, Sep 30, 2013
    Last edited: Sep 30, 2013
    Will test in 2 days and report.
    UPD:
     
  7. nexus76

    nexus76 MDL Addicted

    Jan 25, 2009
    783
    296
    30
    #7 nexus76, Sep 30, 2013
    Last edited: Sep 30, 2013
    (OP)
    It's modded and flash-unlocked? I'm stunned now :eek:
    OK, I'll downgrade to an earlier release and test it again now.
    Maybe my problems were caused by using the same version!?!
     
  8. CodeRush

    CodeRush MDL Member

    Jun 20, 2011
    219
    646
    10
    It wasn't unlocked but definitely modded.
    And I have more reports from ASUS Z87 owners that a rightly prepared file (FD44Editor to add individual data and remove the capsule header, OROM Replace to update OROMs and EFI drivers, FITC to update ME and GbE regions, etc.) can be flashed on a locked BIOS and works after reboot with all things updated and modified.
     
  9. nexus76

    nexus76 MDL Addicted

    Jan 25, 2009
    783
    296
    30
    #9 nexus76, Sep 30, 2013
    Last edited by a moderator: Apr 20, 2017
    (OP)
    Interesting, I just tested it and downgraded with afu 0401.cap /P /B /N /K.

    After reboot with this unmodified ROM I cut the 1603 CAP header and saved 1603.bin, which I was sure was unlocked for FTK.
    I flashed with afu /gan and on reboot my PC kept a black screen, stone dead.
    I saw after reading that the update started at position 18000h - not at 1000h as it should! For sure the bootblock has not been flashed ;) that's why it failed.

    I'm in the lucky position to have a spi programmer but others would have a serious problem at this point.
    That's the reason why I removed the info for the moment.

    Maybe the /gan switch MUST be combined with the /X: switch in any way, look:

    [​IMG]

    As we can see here the /X: switch can take arguments! We're missing something. Wherever I saw %s it meant switch ;)
    But which switch? The supeЯunknown "Voodooswitch" is the missing link we need to investigate.
    I wasn't even aware /X can take arguments as it's stated "/X - Don't Check ROM ID", but now it's getting pretty clear.
    No read, no verify, not an update > full flash!

    Stupidly this /X: switch does not return even one usable hint what to place here:

    [​IMG]

    As long as it's reading we can be sure it's only updating regions instead of serving a full flash process.

    Do you have an idea how to get out the possible switch args for /X:?
    Because only then we see the warning

    we can feel safe to force a 100% flash which means everything's running down the throat ;) straight into the bios chips.
    Otherwise I'd recommend it's too risky. New found:

    @ ~47700h are the args :D - a lot of things to find out here.

    loaded handles on Win7 x86:

    Code:
    ADVAPI32.AdjustTokenPrivileges
    ADVAPI32.CloseServiceHandle
    ADVAPI32.ControlService
    ADVAPI32.CreateServiceA
    ADVAPI32.DeleteService
    ADVAPI32.LookupPrivilegeValueA
    ADVAPI32.OpenProcessToken
    ADVAPI32.OpenSCManagerA
    ADVAPI32.OpenServiceA
    ADVAPI32.RegCloseKey
    ADVAPI32.RegCreateKeyA
    ADVAPI32.RegOpenKeyExA
    ADVAPI32.RegQueryValueExA
    ADVAPI32.RegSetValueExA
    ADVAPI32.StartServiceA
    KERNEL32.CloseHandle
    KERNEL32.CreateFileA
    KERNEL32.CreateMutexA
    KERNEL32.CreateNamedPipeA
    KERNEL32.CreateThread
    KERNEL32.DeleteCriticalSection
    KERNEL32.DeleteFileA
    KERNEL32.DeviceIoControl
    KERNEL32.EnterCriticalSection
    KERNEL32.ExitProcess
    KERNEL32.FlushFileBuffers
    KERNEL32.FreeEnvironmentStringsA
    KERNEL32.FreeEnvironmentStringsW
    KERNEL32.FreeLibrary
    KERNEL32.GetACP
    KERNEL32.GetCommandLineA
    KERNEL32.GetConsoleCP
    KERNEL32.GetConsoleMode
    KERNEL32.GetConsoleOutputCP
    KERNEL32.GetCPInfo
    KERNEL32.GetCurrentDirectoryA
    KERNEL32.GetCurrentProcess
    KERNEL32.GetCurrentProcessId
    KERNEL32.GetCurrentThreadId
    KERNEL32.GetEnvironmentStrings
    KERNEL32.GetEnvironmentStringsW
    KERNEL32.GetFileType
    KERNEL32.GetFullPathNameA
    KERNEL32.GetLastError
    KERNEL32.GetLocaleInfoA
    KERNEL32.GetModuleFileNameA
    KERNEL32.GetModuleHandleA
    KERNEL32.GetModuleHandleW
    KERNEL32.GetOEMCP
    KERNEL32.GetProcAddress
    KERNEL32.GetProcessHeap
    KERNEL32.GetStartupInfoA
    KERNEL32.GetStdHandle
    KERNEL32.GetStringTypeA
    KERNEL32.GetStringTypeW
    KERNEL32.GetSystemDirectoryA
    KERNEL32.GetSystemTimeAsFileTime
    KERNEL32.GetTickCount
    KERNEL32.GetVersionExA
    KERNEL32.GetWindowsDirectoryA
    KERNEL32.HeapAlloc
    KERNEL32.HeapCreate
    KERNEL32.HeapFree
    KERNEL32.HeapReAlloc
    KERNEL32.HeapSize
    KERNEL32.InitializeCriticalSectionAndSpinCount
    KERNEL32.InterlockedDecrement
    KERNEL32.InterlockedIncrement
    KERNEL32.IsDebuggerPresent
    KERNEL32.IsValidCodePage
    KERNEL32.LCMapStringA
    KERNEL32.LCMapStringW
    KERNEL32.LeaveCriticalSection
    KERNEL32.LoadLibraryA
    KERNEL32.LocalFree
    KERNEL32.MultiByteToWideChar
    KERNEL32.QueryPerformanceCounter
    KERNEL32.RaiseException
    KERNEL32.ReadConsoleInputA
    KERNEL32.ReadFile
    KERNEL32.RtlUnwind
    KERNEL32.SetConsoleCtrlHandler
    KERNEL32.SetConsoleMode
    KERNEL32.SetEndOfFile
    KERNEL32.SetFilePointer
    KERNEL32.SetHandleCount
    KERNEL32.SetLastError
    KERNEL32.SetStdHandle
    KERNEL32.SetThreadExecutionState
    KERNEL32.SetUnhandledExceptionFilter
    KERNEL32.Sleep
    KERNEL32.TerminateProcess
    KERNEL32.TlsAlloc
    KERNEL32.TlsFree
    KERNEL32.TlsGetValue
    KERNEL32.TlsSetValue
    KERNEL32.UnhandledExceptionFilter
    KERNEL32.VirtualAlloc
    KERNEL32.VirtualFree
    KERNEL32.WideCharToMultiByte
    KERNEL32.WriteConsoleA
    KERNEL32.WriteConsoleW
    KERNEL32.WriteFile
    SHELL32.ShellExecuteA
    USER32.BlockInput
    USER32.CreateWindowExA
    USER32.DefWindowProcA
    USER32.DispatchMessageA
    USER32.ExitWindowsEx
    USER32.GetMessageA
    USER32.MessageBoxA
    USER32.RegisterClassExA
    USER32.SystemParametersInfoA
    USER32.TranslateMessage
    USER32.wsprintfA
    
    
    used dll:

    Code:
    ADVAPI32.dll
    afuwin.exe
    GDI32.dll
    IMM32.DLL
    kernel32.dll
    KERNELBASE.dll
    LPK.dll
    msvcrt.dll
    ntdll.dll
    RPCRT4.dll
    sechost.dll
    SHELL32.dll
    SHLWAPI.dll
    USER32.dll
    USP10.dll
    
    
     
  10. nexus76

    nexus76 MDL Addicted

    Jan 25, 2009
    783
    296
    30
    Maybe I found something useful » here «

     
  11. nexus76

    nexus76 MDL Addicted

    Jan 25, 2009
    783
    296
    30
    #11 nexus76, Oct 3, 2013
    Last edited by a moderator: Apr 20, 2017
    (OP)
    Interesting, there's an engineering mode included. I found it as I patched
    Code:
    0040177A 7522                    jne 0040179E
    to
    Code:
    0040177A 7422                    je 0040179E
    [​IMG]

    The switch is /EGM: but it takes args ; )

    [​IMG]

    edit: found the args section : )

    [​IMG]

    edit:
    needs further investigation.

    4 (rather useless) args discovered:

    /EGM:info (INFO - Show BIOS Information)
    /EGM:meinfo (MEINFO - Show ME Information)
    /EGM:s24 (S24 - No Run SMI24 and Reboot) << what's that???
    /EGM:npslp (NPSLP - No Preserve SLP2.0 Key)

    Maybe there's an elevated "engineering edition", but it looks like the sugarplum functions are missing in the
    standard version we get for download from the AMI site.

    EOL.
     
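The jump inversions done by hand in post #5 and post #11 (e.g. 7522 jne to 7422 je at 0040177A), as an added example for this thread that is not AFU tooling or the poster's own script. Every x86 Jcc has a complement that differs only in the low bit of the opcode (74 je / 75 jne, 7C jl / 7D jge, 0F 84 je / 0F 85 jne), so the patch is a one-bit flip that keeps the instruction length. Disassembler addresses are virtual, so the script first maps the VA to a file offset through the PE section table. build_demo_pe() is a constructed sample with an assumed layout (image base 0x400000, .text at RVA 0x1000 mapped to file offset 0x400), not afuwin; the file offset 0xB7A it yields is a consequence of that assumed layout.

```python
"""Invert an x86 conditional jump at a given virtual address in a PE binary.

Added example for this thread, not AFU tooling or the poster's own script. The Jcc
complement differs only in the low opcode bit, so the patch keeps instruction length.
build_demo_pe() is a constructed sample with an assumed layout, not a real afuwin.
"""
import struct

SHORT_JCC = range(0x70, 0x80)   # 7x rel8  (2-byte form)
NEAR_JCC = range(0x80, 0x90)    # 0F 8x rel32 (6-byte form)


def invert_jcc(data, off):
    """Return a copy of data with the Jcc at file offset off replaced by its complement."""
    buf = bytearray(data)
    op = buf[off]
    if op in SHORT_JCC:
        buf[off] = op ^ 1
    elif op == 0x0F and off + 1 < len(buf) and buf[off + 1] in NEAR_JCC:
        buf[off + 1] ^= 1
    else:
        raise ValueError("no Jcc at 0x%x: %s" % (off, buf[off:off + 2].hex()))
    return bytes(buf)


def parse_pe_sections(data):
    """Minimal PE reader: (image_base, [(vaddr, vsize, raw_off, raw_size), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                    # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                  # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i                     # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, vaddr, raw_size, raw_off = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((vaddr, vsize, raw_off, raw_size))
    return image_base, sections


def va_to_file_offset(va, image_base, sections):
    """Map a virtual address to a file offset; reject addresses not backed by file data."""
    rva = va - image_base
    for vaddr, vsize, raw_off, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            delta = rva - vaddr
            if delta >= raw_size:
                raise ValueError("VA 0x%x is not backed by file data" % va)
            return raw_off + delta
    raise ValueError("VA 0x%x is in no section" % va)


def patch_at_va(data, va):
    """Invert the Jcc at virtual address va; returns (patched_bytes, file_offset)."""
    image_base, sections = parse_pe_sections(data)
    off = va_to_file_offset(va, image_base, sections)
    return invert_jcc(data, off), off


def build_demo_pe():
    """Constructed sample, not a real afuwin: PE32, one .text section, with 'jne short +0x22'
    (75 22) placed at VA 0x0040177A to mirror the patch in the post."""
    buf = bytearray(0x1000)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                       # e_lfanew
    pe = 0x80
    buf[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HH", buf, pe + 4, 0x14C, 1)                # i386, 1 section
    struct.pack_into("<H", buf, pe + 20, 0xE0)                    # SizeOfOptionalHeader (PE32)
    opt = pe + 24
    struct.pack_into("<H", buf, opt, 0x10B)                       # PE32 magic
    struct.pack_into("<I", buf, opt + 28, 0x400000)               # ImageBase (assumed)
    sec = opt + 0xE0
    buf[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", buf, sec + 8, 0xC00, 0x1000, 0xC00, 0x400)  # vsize, vaddr, rawsize, rawoff
    buf[0xB7A:0xB7C] = bytes.fromhex("75 22")                     # jne short, lands at VA 0x40177A
    return bytes(buf)


if __name__ == "__main__":
    img = build_demo_pe()
    patched, off = patch_at_va(img, 0x0040177A)
    print("file offset 0x%x: %s -> %s" % (off, img[off:off + 2].hex(), patched[off:off + 2].hex()))
```

The refusal in invert_jcc matters more than it looks: a disassembler address that is off by one lands in the middle of an instruction, and flipping a bit there silently corrupts the code instead of inverting the check.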
  12. nexus76

    nexus76 MDL Addicted

    Jan 25, 2009
    783
    296
    30
  13. goldfinger

    goldfinger MDL Junior Member

    Dec 29, 2010
    87
    14
    0
    That just looks too easy. Now I wish I still had that locked ECS to test this. :cool:
     
  14. nexus76

    nexus76 MDL Addicted

    Jan 25, 2009
    783
    296
    30
    #14 nexus76, Jan 19, 2014
    Last edited: Jan 20, 2014
    (OP)
    reports

    Coderush tested it on ASUS Z87 Plus ;) , I tested it on my P8Z77-V LX, but every feedback about your results
    is very appreciated and recommended.
     
  15. CodeRush

    CodeRush MDL Member

    Jun 20, 2011
    219
    646
    10
    It was SoniX aka LS_29 who had tested it on Z87+. :)
    And it produces an empty NVRAM.txt file on my Zotac Z77ITX, so it definitely needs more testing, especially on non-ASUS boards.
    But it's the only unlock method we have that needs no flashing, so if it works - it rocks. :cool:
     
  16. nexus76

    nexus76 MDL Addicted

    Jan 25, 2009
    783
    296
    30
    Thanks for your feedback, it's most likely a question of AMI standard compliance too.
    I'm not sure if it would work flawlessly on Gigabyte. At least ASUS is the best-selling vendor ;)
     
  17. Tito

    Tito Super Mod / Adviser
    Staff Member

    Nov 30, 2009
    17,213
    14,773
    340
  18. e.v.o

    e.v.o MDL Novice

    Aug 28, 2015
    7
    0
    0
    #18 e.v.o, Sep 1, 2015
    Last edited by a moderator: Apr 20, 2017
    It's not a brain fart, just look at the Release Note:
    Code:
    Release Notes
    ==============================================================================
    3.07.00/5.07.00
    [AFU][Modify]
    01.Modify disable all hide commands.
    I think it says "hidden", so 3.06 is the latest flasher with /GAN support.
     
  19. Tito

    Tito Super Mod / Adviser
    Staff Member

    Nov 30, 2009
    17,213
    14,773
    340
    @e.v.o

    Thanks; anyway to get those?
     