[UEFITool] UEFI firmware image viewer and editor

Discussion in 'MDL Projects and Applications' started by CodeRush, Oct 8, 2013.

  1. aler+

    aler+ MDL Novice

    Dec 23, 2014
    5
    0
    0
    Hi, All !
    Tell me, please, can I take the ME region, which is protected, without SPI Programmer? I tried several soft for this (Intel FPT, Copernicus, Chipsec), tried to use InsydeFlash with creation backup existing rom. In all cases i received ME Region, filled with 0x00 or 0xFF...
    P.s.: FPT result with error "The host CPU does not have read access to the target flash areas..."

    Some information about my Insyde H2O)

    Intel (R) Flash Programming Tool. Version: 8.1.51.1476
    Copyright (c) 2007 - 2013, Intel Corporation. All rights reserved.

    Number of LPC Devices supported: 174
    LPC Device Id: 1E57.
    Platform: Intel(R) HM77 Express Chipset
    Initializing SPI utilities
    Reading HSFSTS register... Flash Descriptor: Valid
    Region Limits as programmed into the SPI Registers
    FREG0 - DESC Region:Base Address: 0x000000 Limit : 0x000FFF
    FREG1 - BIOS Region:Base Address: 0x180000 Limit : 0x5FFFFF
    FREG2 - ME Region:Base Address: 0x001000 Limit : 0x17FFFF
    FREG3 - GbE Region:Base Address: 0x1FFF000 Limit : 0x000FFF
    FREG4 - PDR Region:Base Address: 0x1FFF000 Limit : 0x000FFF
    Address Limit 0x600000 Maximum Memory 6144kB
    --- Flash Devices Found ---
    W25Q32BV ID:0xEF4016 Size: 4096KB (32768Kb)
    W25Q16BV ID:0xEF4015 Size: 2048KB (16384Kb)
    Using hardware sequencing.
    Reading region information from flash descriptor.
    Base: 0x000000, Limit: 0x000FFF
    Base: 0x180000, Limit: 0x5FFFFF
    Base: 0x001000, Limit: 0x17FFFF
    FW Status Register1: 0x1E000245
    FW Status Register2: 0x300A0106
    --- Flash Image Information --
    Signature: VALID
    Number of Flash Components: 2
    Component 1 - 4096KB (32768Kb)
    Component 2 - 2048KB (16384Kb)
    Regions:
    Descriptor - Base: 0x000000, Limit: 0x000FFF
    BIOS - Base: 0x180000, Limit: 0x5FFFFF
    ME - Base: 0x001000, Limit: 0x17FFFF
    GbE - Not present
    PDR - Not present
    Master Region Access:
    CPU/BIOS - ID: 0x0000, Read: 0x0B, Write: 0x0A
    ME - ID: 0x0000, Read: 0x0D, Write: 0x0C
    GbE - ID: 0x0118, Read: 0x08, Write: 0x08
    Total Accessable SPI Memory: 6144KB, Total Installed SPI Memory : 6144KB
    FW Status Register1: 0x1E000245
    FW Status Register2: 0x300A0106
    Current ME State ( 0x3 ) : Policy
    FPT Operation Passed

    Intel(R) MEInfo Version: 8.1.56.1541
    Copyright(C) 2005 - 2014, Intel Corporation. All rights reserved.
    FW Status Register1: 0x1E000245
    FW Status Register2: 0x300A0106
    CurrentState: Normal
    ManufacturingMode: Disabled
    FlashPartition: Valid
    OperationalState: M0 with UMA
    InitComplete: Complete
    BUPLoadState: Success
    ErrorCode: No Error
    ModeOfOperation: Normal
    ICC: Valid OEM data, ICC programmed
    Get ME FWU OEM Id command...done
    FW Capabilities value is 0x1101C60
    Feature enablement is 0x1101C60
    Platform type is 0x12420321
    GBE Region does not exist.
    Intel(R) ME code versions:
    BIOS Version: F.25
    MEBx Version: 0.0.0.0000
    Gbe Version: Unknown
    VendorID: 8086
    PCH Version: 4
    FW Version: 8.1.0.1248
    UNS Version: 8.1.10.1300
    LMS Version: 8.1.10.1300
    MEI Driver Version: 8.1.10.1275
    Wireless Hardware Version: 0.2.70
    Wireless Driver Version: 15.4.1.1
    FW Capabilities: 0x01101C60
    Intel(R) Anti-Theft Technology - PRESENT/ENABLED
    Intel(R) Capability Licensing Service - PRESENT/ENABLED
    Protect Audio Video Path - PRESENT/ENABLED
    Intel(R) Dynamic Application Loader - PRESENT/ENABLED
    Level III Manageability Upgrade State: Upgrade Capable
    CPU Upgrade State: Not Upgradable
    Cryptography Support: Disabled
    Last ME reset reason: Power up
    Local FWUpdate: Enabled
    Get BIOS flash lockdown status...done
    BIOS Config Lock: Enabled
    Get flash master region access status...done
    Host Read Access to ME: Disabled
    Host Write Access to ME: Disabled
    SPI Flash ID #1: EF4016
    SPI Flash ID VSCC #1: 20052005
    SPI Flash ID #2: EF4015
    SPI Flash ID VSCC #2: 20052005
    SPI Flash BIOS VSCC: 20052005
    Protected Range Register Base #0 0x570
    Protected Range Register Limit #0 0x5FF
    Protected Range Register Base #1 0x0
    Protected Range Register Limit #1 0x0
    Protected Range Register Base #2 0x0
    Protected Range Register Limit #2 0x0
    Protected Range Register Base #3 0x0
    Protected Range Register Limit #3 0x0
    Protected Range Register Base #4 0x0
    Protected Range Register Limit #4 0x0
    BIOS boot State: Post Boot
    OEM Id: 00000000-0000-0000-0000-000000000000
    Capability Licensing Service: Enabled

    P.s.: 1. i'm not find in PCHInitDxe any checks bit №5 in BIOS_CNTL, only his initialization with some value;
    2 RWEverything says, what BLE=1(Lock Enabled) and SMM_BWP=1 (BIOS region SMM protection is enabled)

    Thanks.
     
  2. BDMaster

    BDMaster MDL BIOS/EFI Modifier

    Aug 2, 2009
    821
    313
    30
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. bosshogs

    bosshogs MDL Novice

    Jul 16, 2009
    10
    0
    0
    CodeRush, would you know how to get over the security checksum with Asus BIOS after modding them?
     
  4. CodeRush

    CodeRush MDL Member

    Jun 20, 2011
    221
    668
    10
    aler+, I do think such software can be found somewhere deep inside intel.com, but there is none I know or used. All motherboards I know capable of descriptor override are doing it by using GPIO line connected to HDA_SDO, i.e. built-in pinmod.
     
  5. aler+

    aler+ MDL Novice

    Dec 23, 2014
    5
    0
    0
    From readme for me_tools:
    "me_util.py
    ========
    This script allows you to send HECI (MEI) messages to the ME..."

    From "Manufacturing with Intel ME 8.x on Intel 7 series / C216 chipset family" (11.2011):
    "HMRFPO = Host ME Region Flash Protection Override. This message allow the BIOS (or a software tool working through the BIOS) to request that the ME Region of SPI Flash be temporarily unlocked..."

    So I thought that I could send a message "HMRFPO" to the ME region and it will be temporarily unlocked. And i wanted to use for this me_tools...
    I mistaken?

    P.s.: about Igor works: i read his presentation from Breakpoint 2014 - very nice job...
     
  6. butterneck

    butterneck MDL Novice

    Sep 26, 2014
    3
    0
    0
    Sorry to bother you @CodeRush, but I'm experiencing some problems flashing the patched BIOS. I get an error "failed, wrong image format". I'm running an MSI GE70 2OE

    File-names etc. are correct (same as org.) and the output of the path process is:

    patch: replaced 10 bytes at offset 0x00001366 75080FBAE80F89442430 -> EB080FBAE80F89442430
    Image patched

    I appreciate any help, but totally understand if it's too much to ask.

    Kind regards,
    Peter
     
  7. butterneck

    butterneck MDL Novice

    Sep 26, 2014
    3
    0
    0
    Thanks CodeRush. I've tried that, both the patched kernel and the KernelPM=true flag in Clover, still get early reboot. Installing osx works fine though. I'm a bit clueless right now...
     
  8. CodeRush

    CodeRush MDL Member

    Jun 20, 2011
    221
    668
    10
    @luke, add MT7 to the MBSN as 3 first symbols and it will be OK for that board.
     
  9. luke

    luke MDL Senior Member

    Jun 22, 2007
    461
    35
    10
    Thanks for the DTS Key sticker i have one off a old board which no longer works i was going to use this but its 4 characters to sort do i just put some random numbers in front of it ?
     
  10. CodeRush

    CodeRush MDL Member

    Jun 20, 2011
    221
    668
    10
    I don't think you need DTS key at all for this board, but yes, you can write anything there.
     
  11. luke

    luke MDL Senior Member

    Jun 22, 2007
    461
    35
    10
    I was going to use it to make a UUID but the DTS key is 4 characters to sort to use as a UUID thanks.
     
  12. luke

    luke MDL Senior Member

    Jun 22, 2007
    461
    35
    10
    Umm after changing my MAC ADDRESS with the FD44Editor the driver will no longer load it says This device cannot start (Code 10)
    {Operation Failed}
    The requested operation was unsuccessful


    Could this be a problem with using the FD44Editor on my bios image flashing without editing the image using FD44Editor it works just fine? Note I'm using a programmer not DOS . Using a programmer should mean i don't need to run gberefl in DOS FD44Editor shouldn't corrupt the image.

    i get PDR Region does not exist when running gberefl and it doesn't fix the problem with my Internet controller.


    Any help on fixing this would be much appreciated i can go on using the default bios image from Asus but would like to get my Mac Address back if possible thanks.