BIOS guides, methods, resources and tools

**piernov** · 02-06-2022, 09:20 AM

Please post any suggestions and corrections to the discussion thread: https://badcaps.net/forum/showthread.php?t=103527

For additional information on SPI ROM, BIOS, EC, Intel ME, etc., please read: https://github.com/ISpillMyDrink/UEFI-Repair-Guide/wiki

Table of Contents:

Code:

1. How to dump and flash
  1.1. BIOS
    1.1.1. Programmers
      1.1.1.1. TL866II
      1.1.1.2. T56
      1.1.1.3. RT809F
      1.1.1.4. RT809H
      1.1.1.5. EZP2019
      1.1.1.6. CH341A
    1.1.2. Adapters
  1.2. EC
    1.2.1. Programmers
      1.2.1.1. SVOD3
      1.2.1.2. SVOD4
      1.2.1.3. Vertyanov
      1.2.1.4. RT809H
      1.2.1.5. RT809F
      1.2.1.6. T56
      1.2.1.7. TL866II
    1.2.2. Adapters
    1.2.3. Automatic flashing
2. How to clean ME/TXE region
3. Password removal by laptop brand
  3.1. Acer
  3.2. Apple
    3.2.1. 2011 and older		
    3.2.2. 2012 to 2017
    3.2.3. 2018 to 2020 (T2)
    3.2.4. 2020 and newer (M1)
  3.3. Asus
  3.4. Dell
  3.5. Fujitsu-Siemens
  3.6. HP
  3.7. Lenovo ThinkPad
    3.7.1. Password ROM bypass (2012 and older)
    3.7.2. DXE password bypass driver injection (2012-2018)
    3.7.3. Flashing EC (2019-*)	 
  3.8. Microsoft Surface
  3.9. Panasonic, and some other standard AMI implementation
  3.10. Toshiba
    3.10.1. Consumer
    3.10.2. Business
4. DMI editing by brand
  4.1. AMI-based standard BIOS (SuperMicro…)
  4.2. Acer
  4.3. Apple
  4.4. Asus
  4.5. HP
  4.6. Intel Network Adapters
  4.7. Lenovo
5. Clearing NVRAM
6. Extracting BIOS/EC firmware from update packages
  6.1. Desktops
  6.2. Laptops
    6.2.1. Asus
    6.2.2. HP
    6.2.3. Lenovo
    6.2.4. Samsung

**piernov** · 02-06-2022, 09:21 AM

1. How to dump and flash
1.1. BIOS
BIOS can be updated from software using the manufacturer's tool. It can also often be dumped from software (although not really reliable).
However, if you need to re-flash the BIOS because the computer does not boot and BIOS recovery procedure does not work, you need an external programmer.
Likewise, if you want to modify the BIOS to remove a password, it must be done with an external programmer.

When flashing a BIOS always make a backup first. Take 2 or 3 different dumps and make sure they are identical.
On Windows, you can use the command "fc /b" to check if two dumps are identical.
Make sure that the dumps looks good, i.e. not filled with 0x00 or 0xFF. After compression, if the file has a size of only a few kilobytes, the EEPROM was most likely not read properly.

Additionally, please read the FAQ at: https://www.badcaps.net/forum/showthread.php?t=98665

1.1.1. Programmers
TL866II is arguably the most reliable and easy to use programmer while still being relatively cheap.
If you also need eMMC support, consider T56 or RT809H
If you need LCD monitor In-System Programming through VGA port, consider RT809F or RT809H.

1.1.1.1. TL866II
Supports I2C, SPI, LPC, FWH, parallel.
Support list: http://www.autoelectric.cn/MiniPro/TL866II_List.txt

1.1.1.2. T56
Supports I2C, SPI, LPC, FWH, parallel, eMMC.
Support list: http://www.xgecu.com/MiniPro/T56_List.txt

1.1.1.3. RT809F
Supports I2C, SPI, LPC, FWH, VGA ISP.
Parallel interfaces support requires PEB-1 extension board and can be troublesome.
Support list: https://www.hklrf.com/Download__1.html
Software: http://doc.ifix.net.cn/@rt809/ENGLISH.html

1.1.1.4. RT809H
Supports I2C, SPI, LPC, FWH, parallel, eMMC, VGA ISP.
Support list: https://www.hklrf.com/Download__1.html
Software: http://doc.ifix.net.cn/@rt809/ENGLISH.html

1.1.1.5. EZP2019
Supports I2C (24-series), SPI (25-series), 93-series.
Support list: https://www.hklrf.com/24download/img/EZP2019-List.txt

Note: Auto-detection may not work properly for 8Mb and larger ROMs, it is recommended to select the part number manually. In addition, if there are errors when reading and writing, try to lower the speed.

1.1.1.6. CH341A
Supports I2C (24-series), SPI (25-series).

This programmer is not recommended but it is the cheapest programmer available.
It has several shortcomings:

Limited interfaces support, only SPI and I2C
Several different software with varying level of reliability and ROM IC support (especially troublesome with 128Mb and larger ICs)
Several different hardware design, some of them having design defects
No proper detection of communication issue with the ROM IC

Available software include: NeoProgrammer, Colibri, AsProgrammer, Flashrom…
Read the guide there: https://winraid.level1techs.com/t/gu...rammer/32948/3

If you have a black PCB, it is very likely that it needs to be modified for 3V operation instead of 5V. Failing to do so could damage the ROM IC.
Watch the instructions there:
https://www.youtube.com/watch?v=-ln3VIZKKaE
https://www.youtube.com/watch?v=HwnzzF645hA

1.1.2. Adapters

It is possible to use clips on SOIC-8 ICs to avoid desoldering, however it is *very unreliable* and will often lead to an empty or corrupt dump. Avoid whenever possible.
If you insist on using a clip, then make sure the programmer uses an additional buffer and line driver for SPI. For the TL866II this is available as an additional adapter, the T56 has it built-in.
It is recommended to desolder the chip and use an adapter board or socket. They exist for all sorts of packages: SOIC-8 200mil, SOIC-8 150mil, SOIC-16, WSON-8 8x6mm, WSON-8 6x5mm, USON-8 4x3mm, PLCC-32, TSSOP-48…

Most common packages for the BIOS SPI ROM on modern boards are SOIC-8 200mil and WSON-8 8x6mm.
Desktop boards sometimes use DIP-8 which can be inserted directly into the programmer.
Desktop boards before around 2005 used PLCC-32 (which can use a LPC, FWH or parallel bus), even older boards (in the 90s or older) used DIP-32.

MacBook Pro 15"/17" boards before 2015, MacBook Pro 13" non-Retina and MacBook air before 2011 use SOIC-8 200mil
MacBook Air and MacBook Pro 13" Retina boards between 2011 and 2015 use WSON-8 8x6mm.
Apple boards from 2015 to 2017 use WSON-8 6x5mm.
Apple boards from 2018 onwards use USON-8 4x3mm for T2/M1 ROM.

1.2. EC

Dumping and flashing EC often requires a dedicated EC programmer. Some EC can be flashed with regular SPI ROM programmers.
List of EC that may require programming: https://www.badcaps.net/forum/showthread.php?t=66963

1.2.1. Programmers

1.2.1.1. SVOD3

Code:

ENE
ITE
Nuvoton
SMSC

SVOD3 debug ZIF programming PCB - https://www.badcaps.net/forum/showthread.php?t=108704

1.2.1.2. SVOD4

Code:

ENE
ITE
Nuvoton
SMSC

1.2.1.3. Vertyanov

Code:

ENE
ITE
Nuvoton
SMSC

1.2.1.4. RT809H
Support list: https://www.hklrf.com/Download__1.html

Code:

ENE
 KB9010
 KB9012
 KB9016
 KB9018
 KB9022
 KB9028
ITE
 IT8386E
 IT8580E
 IT8585E
 IT8586E
 IT8587E
 IT8595E
 IT8985E
 IT8987E
 IT8996E
Nuvoton
 NPCE288N
 NPCE388N
SMSC 
 MEC1653
 MEC1650
 MEC1633
 MEC1609
 MEC1619
 MEC1618
 MEC5035
 MEC5045
 MEC5055
 MEC5075
 MEC5085

1.2.1.5. RT809F
Not a dedicated EC programmer, standalone programmer supports EC SPI and JTAG interfaces only. PEB-1 extension board supports ITE interface.

Support list: https://www.hklrf.com/Download__1.html

Code:

ENE
 KB9010
 KB9012
 KB9016
 KB9018
 KB9022
 KB9028
ITE (requires PEB-1 extension board)
 IT8580
 IT8585
 IT8586
 IT8587
 IT8985
 IT8595
 IT8987
 IT8996E
SMSC
 MEC1653
 MEC1650
 MEC1633
 MEC1609
 MEC1619
 MEC1618
 MEC5035
 MEC5045
 MEC5055
 MEC5075
 MEC5085

1.2.1.6. T56
Not a dedicated EC programmer, supports EC SPI interface only.
Support list: http://www.xgecu.com/MiniPro/T56_List.txt

Code:

ENE
 KB9010
 KB9012
 KB9016
 KB9018
 KB9022

1.2.1.7. TL866II
Not a dedicated EC programmer, supports EC SPI interface only.

Support list: http://www.autoelectric.cn/MiniPro/TL866II_List.txt

Code:

ENE
 KB9010
 KB9012
 KB9016
 KB9018
 KB9022

1.2.2. Adapters
Adapter boards exist for some programmers, chip must be (partially) soldered on the adapter board, then the adapter board is connected to the programmer to be flashed.

In most cases, EC can also be programmed in-system through the keyboard connector. Adapter for the programmer to keyboard connector is required, as well as correct cable (keyboard connectors can have different number of pins and different pitch). Pinout of the keyboard connector matching the EC programming interface must be known and set up in the programmer software.

1.2.3. Automatic flashing

Some platforms can automatically flash a blank EC from the image stored in an external SPI ROM alongside the main BIOS when power is first applied. This assumes that there is no other issue on the board.
Platform with automatic flashing:

Most Asus laptops
Quanta Y11A
To be completed…

**piernov** · 02-06-2022, 09:21 AM

2. How to clean ME/TXE region
Cleaning ME/TXE region is required after replacing the PCH or the SoC. Sometimes the ME region gets corrupted on its own and it also required cleaning.
Cleaning ME/TXE region consists in replacing the existing ME/TXE region in the BIOS dump by a fresh, non-paired one, retaining the manufacturer's configuration.

Symptoms when ME region cleaning may be required include:

Shutdown after 30 minutes (unrelated cause is using Core i3/i5/i7 with HM70 PCH, cleaning ME region won't help)
Slow POST
Fans spinning at full speed
Intel MEI not working in Device Manager
In case of Apple machine, macOS reboots or freezes during boot
No POST

Refer to: https://www.badcaps.net/forum/showthread.php?t=88533 and https://winraid.level1techs.com/t/gu...lization/31277 .

Do not use use Intel ME/TXE Injector/Easy Clean ME or similar tools: they do not retain the manufacturer's configuration and can cause subsequent problems.

MS Surface no touchscreen after cleaning ME Firmware: https://badcaps.net/forum/showthread.php?t=104153

**piernov** · 02-06-2022, 09:22 AM

3. Password removal by laptop brand

DISCLAIMER: badcaps.net and its members do no support unlocking stolen or company-owned devices. The information given here is for personal use only, ie. you accidentally set a password on your own machine, you forgot the password you set a long time ago or you mistyped the password when setting it and cannot get in again.
Note that a device bought locked might also have been stolen if the previous owner cannot give the correct password. This is especially common with business-grade equipment (Lenovo ThinkPad…) that employees sneak out or do not return.

3.1. Acer
If you enter empty password 3 times, the BIOS gives you a code.
8-digit answer generators are easily found on the web.
For 10 digits, see here: https://www.badcaps.net/forum/showthread.php?t=84084

3.2. Apple

3.2.1. 2011 and older
For 2011 and older machines, changing RAM configuration and performing 3× PRAM reset can clear the password. Password can also be extracted from BIOS dump.

3.2.2. 2012 to 2017
For 2012 to 2017 machines, BIOS must be edited and reflashed to clear the password. There are 2 methods for this:

Clear out the whole SVS store. There are other stuff in this store, no idea what they are for so better avoid doing this.
Invalidate the CBF2CC32 NVRAM variable in that SVS store which contains the encrypted password. You just have to change one bit in its name, so like replace the C with an A or whatever. Note that strings are UCS-2 encoded, so in the hex editor it'll show up as 0x43 0x00 0x42 0x00 0x46 0x00 etc.

If there is an iCloud pin, you need to perform 3× PRAM reset after removing password. If FindMyMac is still enabled, you have to reinstall macOS while being disconnected from the Internet, then reconnect after logging in and bind to a new Apple account.

3.2.3. 2018 to 2020 (T2)
For 2018 to 2020 machines with T2, T2 DFU restore with Apple Configurator 2 can clear the EFI password, however it will not remove the iCloud account. iCloud account is bound to the T2 of the machine on Apple servers and cannot be permanently unbound except by Apple. Methods to bypass activation screen thanks to checkm8 exploit exist.

3.2.4. 2020 and newer (M1)
For 2020 and newer machines with M1, no publicly known bypass method has been confirmed yet.

3.3. Asus
A lot of Asus machines use a standard AMI implementation, and BIOS password can be decoded or cleared from AMITSESetup NVRAM variable. See: https://www.badcaps.net/forum/showpo...55&postcount=2
Master codes for some dates also exist.

3.4. Dell

Dell laptops store the password in EC. However, some generators exist depending on the code suffix.
See: https://beta.bios-pw.org/ .
Note: The 6FF1 suffix has a bug,use your service tag with the BF97 suffix instead,Example: 1234ABC-BF97
There is no publicly available 8FC8 generator available at the moment.
The CTRL-ENTER-ENTER keystroke after the password only applied to laptops with a suffix (xxxxxxx-8FC8 for example), until Dell also required it in some laptops using System Disable 16-Hex algorithm, on which only the Password+ENTER was needed at first and then in some models you needed the CTRL-ENTER-ENTER to properly delete the system passwords, otherwise the password would remain SET upon the automatic system reboot if just doing Password+ENTER until the proper CTRL-ENTER-ENTER keystroke was performed in certain models.

3.5. Fujitsu-Siemens
See: https://www.badcaps.net/forum/showthread.php?t=79974

3.6. HP
BIOS password is stored in NVRAM in the BIOS. BIOS editing and re-flashing is required.
You can use the automatic unlocker at: https://www.badcaps.net/forum/showthread.php?t=98539
Another tool that may also work: https://www.badcaps.net/forum/showthread.php?t=103184

3.7. Lenovo ThinkPad
There are mainly 3 methods to unlock ThinkPads and some other Lenovo laptops depending on the generation.

3.7.1. Password ROM bypass (2012 and older)
Most ThinkPads from 2012 and older (3rd gen Intel and older) use a 24-series dedicated password ROM. It can often be bypassed during boot by shorting the SDA and SCL pins together.
Other times, flashing the ROM may be required.

3.7.2. DXE password bypass driver injection (2012-2018)
For newer machines (2012-2018, 4th to 8th gen Intel), the password itself is stored in the EC. BIOS must be modified and re-flashed to insert a special driver that will allow bypassing the BIOS password.
Refer to https://www.badcaps.net/forum/showthread.php?t=87588 and https://www.badcaps.net/forum/showthread.php?t=81573

3.7.3. Flashing EC (SMSC MEC, 2019-*)
On the latest generations of ThinkPads, the security issue that allowed to inject the DXE driver and bypass the password does not exist anymore. The password is still stored inside the EC, in a write-only region.
However, it appears that dumping the EC with a dedicated programmer, erasing it and flashing back can actually clear the password. See: https://www.badcaps.net/forum/showth...t=95736&page=5
https://badcaps.net/forum/showthread.php?t=111439

3.7.4. Flashing EC (ENE KB9012)
ThinkPad S1 Yoga 12: https://www.badcaps.net/forum/showpo...4&postcount=19

3.7.5. Flashing EC (Nuvoton NPCE288/NPCE388)
ThinkPad X390 Yoga: https://badcaps.net/forum/showthread.php?t=117284

3.8. Microsoft Surface
Surface Pro 3 passwords are stored in AMITSESetup NVRAM variable and can be decoded from the BIOS dump without any need to re-flash. See: https://www.badcaps.net/forum/showpo...&postcount=139
Surface Pro 4 and newer cannot be decoded, password must be removed from dump and re-flashed.

3.9. Panasonic, and some other standard AMI implementation
Password often can be decoded from the BIOS dump, see: https://www.badcaps.net/forum/showthread.php?t=102275
Otherwise, AMITSESetup variable can be cleared from the BIOS dump and re-flashed.

3.10. Toshiba

3.10.1. Consumer
A lot of Toshiba consumer laptops have a jumper on the motherboard that needs to be shorted before boot to clear the password.

3.10.2. Business
Most Toshiba business laptops do not have a jumper, and the password is stored inside a protected region of the EC. See affected models: https://www.badcaps.net/forum/showpo...2&postcount=19
Either you need a donor EC without password, or you need to unlock through challenge-response.
Response generator is not available publicly, however, some generous people may be able to generate a response for you. Ask in this thread: https://www.badcaps.net/forum/showthread.php?t=79489
Laptop must not be rebooted, the challenge will change.

**piernov** · 02-06-2022, 09:22 AM

4. DMI editing by brand
DMI editing can be required to restore model number and serial number after flashing a blank dump or rebrand a machine after board replacement.

Copy DMI info easily with Hex editing software and Macro script: https://www.badcaps.net/forum/showthread.php?p=1214739

WinKeyFinder - Search for Windows key in BIOS dump: https://www.badcaps.net/forum/showthread.php?t=115044

4.1. AMI-based standard BIOS (SuperMicro…)
See: https://www.badcaps.net/forum/showpo...2&postcount=18

4.2. Acer
See: https://www.badcaps.net/forum/showthread.php?t=103301

4.3. Apple
For 2017 and older machines, serial number is stored in Fsys store of BIOS and can be edited with hexadecimal editor. Fsys checksum needs to be fixed afterwards
Search for "ssn", edit the serial number, save, open dump in UEFITool, go to the Fsys store and write down the suggested checksum in the panel on the right. Checksum is 4 bytes at the end of the Fsys store, between one zone of 0x00 either Gaid or another zone of 0xFF, it must be written in reverse order (so last 2 characters from UEFITool must be written first).
See: https://www.youtube.com/watch?v=poA8HByYqTM

4.4. Asus
With these tools you can add DMI information, add a MAC address to older generation Asus boards and fix the keyboard backlight not working on newer generation boards.

BT.exe (old boards, MS-DOS): https://www.badcaps.net/forum/showthread.php?t=69782
BT2.exe (newer boards, MS-DOS): https://www.badcaps.net/forum/showpo...57&postcount=4
WBT.exe (newest boards, Windows): https://www.badcaps.net/forum/showpo...79&postcount=7

4.5. HP
See: https://www.badcaps.net/forum/showthread.php?t=69204

4.6. Intel Network Adapters
Not specific to a board manufacturer but rather to the Ethernet controller on the board.
If you want to fix the MAC address of some Intel controllers, you can use eeupdate: https://www.badcaps.net/forum/showpo...8&postcount=17

4.7. Lenovo
Sometimes you only need a hex editor to edit the DMI,or to copy the DMI to a different bios. Lenovo DMI tools also exist such as LVAR .
Also some can be edited using the bios update software from the command line,read the bios release notes to find out which ones are supported that way.

Lenovo IdeaPad C340-15IML/FLEX-15IML/S340-15IML/S340-15IML Touch/S340-14IML Lenovo XiaoXin-15IML 2019/XiaoXin-14IML 2019: https://www.badcaps.net/forum/showthread.php?t=98038

LVAR: https://www.badcaps.net/forum/showth...64#post1133564

Lenovo Gold Key U1 Tool: https://github.com/ASparkOfFire/lenovo-u1-tool

ThinkPad Config Information Update Utility: https://badcaps.net/forum/showthread...90#post1174090

**piernov** · 02-06-2022, 09:22 AM

5. Clearing NVRAM
Clearing NVRAM manually from the BIOS can help if NVRAM variables become corrupt and POST does not finish successfully, or BIOS freezes before boot, or when entering Setup.
Actual process may vary between BIOSes, but blanking the first VSS store inside the first NVRAM area can be enough.

**piernov** · 02-06-2022, 09:22 AM

6. Extracting BIOS/EC firmware from update packages
In order to fix a corrupt BIOS or EC firmware, it may be necessary to use an image provided by the manufacturer. Manufacturers rarely provide an image ready to flash, but rather an update file that may contain extra data or missing part of the full image. Note that using a clean BIOS like this will lose DMI info.

BIOSUtilities: https://github.com/platomav/BIOSUtilities

AMI BIOS Guard Extractor
AMI UCP Update Extractor
Apple EFI IM4P Splitter
Apple EFI Image Identifier
Apple EFI Package Extractor
Apple EFI PBZX Extractor
Award BIOS Module Extractor
Dell PFS/PKG Update Extractor
Fujitsu SFX BIOS Extractor
Fujitsu UPC BIOS Extractor
Insyde iFlash/iFdPacker Extractor
Panasonic BIOS Package Extractor
Phoenix TDK Packer Extractor
Portwell EFI Update Extractor
Toshiba BIOS COM Extractor
VAIO Packaging Manager Extractor

6.1. Desktops
Retail motherboards can have a full BIOS image or only an update. Pre-built desktops will have DMI info, and mostly only a BIOS update.
The full BIOS image may be packed into an UEFI Update Capsule. UEFITool with recognize the UEFI Update Capsule and allow you to extract the body in order to obtain the raw BIOS image.

6.2. Laptops
For laptops, the manufacturer rarely provide the full BIOS image. The usual procedure is to extract the BIOS region, and if provided the ME region, from the update package, and insert them back into the original dump using Intel FITC. If ME region is not provided, it can be cleaned with one from the win-raid repository at the same time.

6.2.1. Acer and other Insyde-based UEFI
See: https://github.com/ISpillMyDrink/UEF...-Tool-(H2OFFT)

6.2.2. Asus
See: https://www.badcaps.net/forum/showthread.php?t=96604

6.2.3. Dell
AFUDELL: https://www.badcaps.net/forum/showthread.php?t=115830

6.2.4. HP
Newer HP bios updates can be extracted to a saved folder by running the executable.

6.2.5. Lenovo
Phoenix TDK: https://www.badcaps.net/forum/showthread.php?t=80861

6.2.6. Samsung
Find BIOS update file: https://www.badcaps.net/forum/showthread.php?t=88206

02-06-2022, 09:21 AM	#2
piernov Super Moderator Join Date: Jan 2016 City & State: Valbonne, 06 My Country: France I'm a: Knowledge Seeker Posts: 3,999	Re: BIOS guides, methods, resources and tools 1. How to dump and flash 1.1. BIOS BIOS can be updated from software using the manufacturer's tool. It can also often be dumped from software (although not really reliable). However, if you need to re-flash the BIOS because the computer does not boot and BIOS recovery procedure does not work, you need an external programmer. Likewise, if you want to modify the BIOS to remove a password, it must be done with an external programmer. When flashing a BIOS always make a backup first. Take 2 or 3 different dumps and make sure they are identical. On Windows, you can use the command "fc /b" to check if two dumps are identical. Make sure that the dumps looks good, i.e. not filled with 0x00 or 0xFF. After compression, if the file has a size of only a few kilobytes, the EEPROM was most likely not read properly. Additionally, please read the FAQ at: https://www.badcaps.net/forum/showthread.php?t=98665 1.1.1. Programmers TL866II is arguably the most reliable and easy to use programmer while still being relatively cheap. If you also need eMMC support, consider T56 or RT809H If you need LCD monitor In-System Programming through VGA port, consider RT809F or RT809H. 1.1.1.1. TL866II Supports I2C, SPI, LPC, FWH, parallel. Support list: http://www.autoelectric.cn/MiniPro/TL866II_List.txt 1.1.1.2. T56 Supports I2C, SPI, LPC, FWH, parallel, eMMC. Support list: http://www.xgecu.com/MiniPro/T56_List.txt 1.1.1.3. RT809F Supports I2C, SPI, LPC, FWH, VGA ISP. Parallel interfaces support requires PEB-1 extension board and can be troublesome. Support list: https://www.hklrf.com/Download__1.html Software: http://doc.ifix.net.cn/@rt809/ENGLISH.html 1.1.1.4. RT809H Supports I2C, SPI, LPC, FWH, parallel, eMMC, VGA ISP. Support list: https://www.hklrf.com/Download__1.html Software: http://doc.ifix.net.cn/@rt809/ENGLISH.html 1.1.1.5. EZP2019 Supports I2C (24-series), SPI (25-series), 93-series. Support list: https://www.hklrf.com/24download/img/EZP2019-List.txt Note: Auto-detection may not work properly for 8Mb and larger ROMs, it is recommended to select the part number manually. In addition, if there are errors when reading and writing, try to lower the speed. 1.1.1.6. CH341A Supports I2C (24-series), SPI (25-series). This programmer is not recommended but it is the cheapest programmer available. It has several shortcomings: Limited interfaces support, only SPI and I2C Several different software with varying level of reliability and ROM IC support (especially troublesome with 128Mb and larger ICs) Several different hardware design, some of them having design defects No proper detection of communication issue with the ROM IC Available software include: NeoProgrammer, Colibri, AsProgrammer, Flashrom… Read the guide there: https://winraid.level1techs.com/t/gu...rammer/32948/3 If you have a black PCB, it is very likely that it needs to be modified for 3V operation instead of 5V. Failing to do so could damage the ROM IC. Watch the instructions there: https://www.youtube.com/watch?v=-ln3VIZKKaE https://www.youtube.com/watch?v=HwnzzF645hA 1.1.2. Adapters It is possible to use clips on SOIC-8 ICs to avoid desoldering, however it is very unreliable and will often lead to an empty or corrupt dump. Avoid whenever possible. If you insist on using a clip, then make sure the programmer uses an additional buffer and line driver for SPI. For the TL866II this is available as an additional adapter, the T56 has it built-in. It is recommended to desolder the chip and use an adapter board or socket. They exist for all sorts of packages: SOIC-8 200mil, SOIC-8 150mil, SOIC-16, WSON-8 8x6mm, WSON-8 6x5mm, USON-8 4x3mm, PLCC-32, TSSOP-48… Most common packages for the BIOS SPI ROM on modern boards are SOIC-8 200mil and WSON-8 8x6mm. Desktop boards sometimes use DIP-8 which can be inserted directly into the programmer. Desktop boards before around 2005 used PLCC-32 (which can use a LPC, FWH or parallel bus), even older boards (in the 90s or older) used DIP-32. MacBook Pro 15"/17" boards before 2015, MacBook Pro 13" non-Retina and MacBook air before 2011 use SOIC-8 200mil MacBook Air and MacBook Pro 13" Retina boards between 2011 and 2015 use WSON-8 8x6mm. Apple boards from 2015 to 2017 use WSON-8 6x5mm. Apple boards from 2018 onwards use USON-8 4x3mm for T2/M1 ROM. 1.2. EC Dumping and flashing EC often requires a dedicated EC programmer. Some EC can be flashed with regular SPI ROM programmers. List of EC that may require programming: https://www.badcaps.net/forum/showthread.php?t=66963 1.2.1. Programmers 1.2.1.1. SVOD3 Code: ENE ITE Nuvoton SMSC SVOD3 debug ZIF programming PCB - https://www.badcaps.net/forum/showthread.php?t=108704 1.2.1.2. SVOD4 Code: ENE ITE Nuvoton SMSC 1.2.1.3. Vertyanov Code: ENE ITE Nuvoton SMSC 1.2.1.4. RT809H Support list: https://www.hklrf.com/Download__1.html Code: ENE KB9010 KB9012 KB9016 KB9018 KB9022 KB9028 ITE IT8386E IT8580E IT8585E IT8586E IT8587E IT8595E IT8985E IT8987E IT8996E Nuvoton NPCE288N NPCE388N SMSC MEC1653 MEC1650 MEC1633 MEC1609 MEC1619 MEC1618 MEC5035 MEC5045 MEC5055 MEC5075 MEC5085 1.2.1.5. RT809F Not a dedicated EC programmer, standalone programmer supports EC SPI and JTAG interfaces only. PEB-1 extension board supports ITE interface. Support list: https://www.hklrf.com/Download__1.html Code: ENE KB9010 KB9012 KB9016 KB9018 KB9022 KB9028 ITE (requires PEB-1 extension board) IT8580 IT8585 IT8586 IT8587 IT8985 IT8595 IT8987 IT8996E SMSC MEC1653 MEC1650 MEC1633 MEC1609 MEC1619 MEC1618 MEC5035 MEC5045 MEC5055 MEC5075 MEC5085 1.2.1.6. T56 Not a dedicated EC programmer, supports EC SPI interface only. Support list: http://www.xgecu.com/MiniPro/T56_List.txt Code: ENE KB9010 KB9012 KB9016 KB9018 KB9022 1.2.1.7. TL866II Not a dedicated EC programmer, supports EC SPI interface only. Support list: http://www.autoelectric.cn/MiniPro/TL866II_List.txt Code: ENE KB9010 KB9012 KB9016 KB9018 KB9022 1.2.2. Adapters Adapter boards exist for some programmers, chip must be (partially) soldered on the adapter board, then the adapter board is connected to the programmer to be flashed. In most cases, EC can also be programmed in-system through the keyboard connector. Adapter for the programmer to keyboard connector is required, as well as correct cable (keyboard connectors can have different number of pins and different pitch). Pinout of the keyboard connector matching the EC programming interface must be known and set up in the programmer software. 1.2.3. Automatic flashing Some platforms can automatically flash a blank EC from the image stored in an external SPI ROM alongside the main BIOS when power is first applied. This assumes that there is no other issue on the board. Platform with automatic flashing: Most Asus laptops Quanta Y11A To be completed… Last edited by SMDFlea; 05-07-2023 at 05:31 AM.. Reason: edited winraid link

02-06-2022, 09:21 AM	#3
piernov Super Moderator Join Date: Jan 2016 City & State: Valbonne, 06 My Country: France I'm a: Knowledge Seeker Posts: 3,999	Re: BIOS guides, methods, resources and tools 2. How to clean ME/TXE region Cleaning ME/TXE region is required after replacing the PCH or the SoC. Sometimes the ME region gets corrupted on its own and it also required cleaning. Cleaning ME/TXE region consists in replacing the existing ME/TXE region in the BIOS dump by a fresh, non-paired one, retaining the manufacturer's configuration. Symptoms when ME region cleaning may be required include: Shutdown after 30 minutes (unrelated cause is using Core i3/i5/i7 with HM70 PCH, cleaning ME region won't help) Slow POST Fans spinning at full speed Intel MEI not working in Device Manager In case of Apple machine, macOS reboots or freezes during boot No POST Refer to: https://www.badcaps.net/forum/showthread.php?t=88533 and https://winraid.level1techs.com/t/gu...lization/31277 . Do not use use Intel ME/TXE Injector/Easy Clean ME or similar tools: they do not retain the manufacturer's configuration and can cause subsequent problems. MS Surface no touchscreen after cleaning ME Firmware: https://badcaps.net/forum/showthread.php?t=104153 Last edited by SMDFlea; 04-26-2023 at 09:16 AM.. Reason: Edited win-raid URL. No longer worked

02-06-2022, 09:22 AM	#4
piernov Super Moderator Join Date: Jan 2016 City & State: Valbonne, 06 My Country: France I'm a: Knowledge Seeker Posts: 3,999	Re: BIOS guides, methods, resources and tools 3. Password removal by laptop brand DISCLAIMER: badcaps.net and its members do no support unlocking stolen or company-owned devices. The information given here is for personal use only, ie. you accidentally set a password on your own machine, you forgot the password you set a long time ago or you mistyped the password when setting it and cannot get in again. Note that a device bought locked might also have been stolen if the previous owner cannot give the correct password. This is especially common with business-grade equipment (Lenovo ThinkPad…) that employees sneak out or do not return. 3.1. Acer If you enter empty password 3 times, the BIOS gives you a code. 8-digit answer generators are easily found on the web. For 10 digits, see here: https://www.badcaps.net/forum/showthread.php?t=84084 3.2. Apple 3.2.1. 2011 and older For 2011 and older machines, changing RAM configuration and performing 3× PRAM reset can clear the password. Password can also be extracted from BIOS dump. 3.2.2. 2012 to 2017 For 2012 to 2017 machines, BIOS must be edited and reflashed to clear the password. There are 2 methods for this: Clear out the whole SVS store. There are other stuff in this store, no idea what they are for so better avoid doing this. Invalidate the CBF2CC32 NVRAM variable in that SVS store which contains the encrypted password. You just have to change one bit in its name, so like replace the C with an A or whatever. Note that strings are UCS-2 encoded, so in the hex editor it'll show up as 0x43 0x00 0x42 0x00 0x46 0x00 etc. If there is an iCloud pin, you need to perform 3× PRAM reset after removing password. If FindMyMac is still enabled, you have to reinstall macOS while being disconnected from the Internet, then reconnect after logging in and bind to a new Apple account. 3.2.3. 2018 to 2020 (T2) For 2018 to 2020 machines with T2, T2 DFU restore with Apple Configurator 2 can clear the EFI password, however it will not remove the iCloud account. iCloud account is bound to the T2 of the machine on Apple servers and cannot be permanently unbound except by Apple. Methods to bypass activation screen thanks to checkm8 exploit exist. 3.2.4. 2020 and newer (M1) For 2020 and newer machines with M1, no publicly known bypass method has been confirmed yet. 3.3. Asus A lot of Asus machines use a standard AMI implementation, and BIOS password can be decoded or cleared from AMITSESetup NVRAM variable. See: https://www.badcaps.net/forum/showpo...55&postcount=2 Master codes for some dates also exist. 3.4. Dell Dell laptops store the password in EC. However, some generators exist depending on the code suffix. See: https://beta.bios-pw.org/ . Note: The 6FF1 suffix has a bug,use your service tag with the BF97 suffix instead,Example: 1234ABC-BF97 There is no publicly available 8FC8 generator available at the moment. The CTRL-ENTER-ENTER keystroke after the password only applied to laptops with a suffix (xxxxxxx-8FC8 for example), until Dell also required it in some laptops using System Disable 16-Hex algorithm, on which only the Password+ENTER was needed at first and then in some models you needed the CTRL-ENTER-ENTER to properly delete the system passwords, otherwise the password would remain SET upon the automatic system reboot if just doing Password+ENTER until the proper CTRL-ENTER-ENTER keystroke was performed in certain models. 3.5. Fujitsu-Siemens See: https://www.badcaps.net/forum/showthread.php?t=79974 3.6. HP BIOS password is stored in NVRAM in the BIOS. BIOS editing and re-flashing is required. You can use the automatic unlocker at: https://www.badcaps.net/forum/showthread.php?t=98539 Another tool that may also work: https://www.badcaps.net/forum/showthread.php?t=103184 3.7. Lenovo ThinkPad There are mainly 3 methods to unlock ThinkPads and some other Lenovo laptops depending on the generation. 3.7.1. Password ROM bypass (2012 and older) Most ThinkPads from 2012 and older (3rd gen Intel and older) use a 24-series dedicated password ROM. It can often be bypassed during boot by shorting the SDA and SCL pins together. Other times, flashing the ROM may be required. 3.7.2. DXE password bypass driver injection (2012-2018) For newer machines (2012-2018, 4th to 8th gen Intel), the password itself is stored in the EC. BIOS must be modified and re-flashed to insert a special driver that will allow bypassing the BIOS password. Refer to https://www.badcaps.net/forum/showthread.php?t=87588 and https://www.badcaps.net/forum/showthread.php?t=81573 *3.7.3. Flashing EC (SMSC MEC, 2019-) On the latest generations of ThinkPads, the security issue that allowed to inject the DXE driver and bypass the password does not exist anymore. The password is still stored inside the EC, in a write-only region. However, it appears that dumping the EC with a dedicated programmer, erasing it and flashing back can actually clear the password. See: https://www.badcaps.net/forum/showth...t=95736&page=5 https://badcaps.net/forum/showthread.php?t=111439 3.7.4. Flashing EC (ENE KB9012) ThinkPad S1 Yoga 12: https://www.badcaps.net/forum/showpo...4&postcount=19 3.7.5. Flashing EC (Nuvoton NPCE288/NPCE388) ThinkPad X390 Yoga: https://badcaps.net/forum/showthread.php?t=117284 3.8. Microsoft Surface Surface Pro 3 passwords are stored in AMITSESetup NVRAM variable and can be decoded from the BIOS dump without any need to re-flash. See: https://www.badcaps.net/forum/showpo...&postcount=139 Surface Pro 4 and newer cannot be decoded, password must be removed from dump and re-flashed. 3.9. Panasonic, and some other standard AMI implementation Password often can be decoded from the BIOS dump, see: https://www.badcaps.net/forum/showthread.php?t=102275 Otherwise, AMITSESetup variable can be cleared from the BIOS dump and re-flashed. 3.10. Toshiba 3.10.1. Consumer A lot of Toshiba consumer laptops have a jumper on the motherboard that needs to be shorted before boot to clear the password. 3.10.2. Business** Most Toshiba business laptops do not have a jumper, and the password is stored inside a protected region of the EC. See affected models: https://www.badcaps.net/forum/showpo...2&postcount=19 Either you need a donor EC without password, or you need to unlock through challenge-response. Response generator is not available publicly, however, some generous people may be able to generate a response for you. Ask in this thread: https://www.badcaps.net/forum/showthread.php?t=79489 Laptop must not be rebooted, the challenge will change. Last edited by piernov; 03-26-2023 at 01:56 PM..

02-06-2022, 09:22 AM	#5
piernov Super Moderator Join Date: Jan 2016 City & State: Valbonne, 06 My Country: France I'm a: Knowledge Seeker Posts: 3,999	Re: BIOS guides, methods, resources and tools 4. DMI editing by brand DMI editing can be required to restore model number and serial number after flashing a blank dump or rebrand a machine after board replacement. Copy DMI info easily with Hex editing software and Macro script: https://www.badcaps.net/forum/showthread.php?p=1214739 WinKeyFinder - Search for Windows key in BIOS dump: https://www.badcaps.net/forum/showthread.php?t=115044 4.1. AMI-based standard BIOS (SuperMicro…) See: https://www.badcaps.net/forum/showpo...2&postcount=18 4.2. Acer See: https://www.badcaps.net/forum/showthread.php?t=103301 4.3. Apple For 2017 and older machines, serial number is stored in Fsys store of BIOS and can be edited with hexadecimal editor. Fsys checksum needs to be fixed afterwards Search for "ssn", edit the serial number, save, open dump in UEFITool, go to the Fsys store and write down the suggested checksum in the panel on the right. Checksum is 4 bytes at the end of the Fsys store, between one zone of 0x00 either Gaid or another zone of 0xFF, it must be written in reverse order (so last 2 characters from UEFITool must be written first). See: https://www.youtube.com/watch?v=poA8HByYqTM 4.4. Asus With these tools you can add DMI information, add a MAC address to older generation Asus boards and fix the keyboard backlight not working on newer generation boards. BT.exe (old boards, MS-DOS): https://www.badcaps.net/forum/showthread.php?t=69782 BT2.exe (newer boards, MS-DOS): https://www.badcaps.net/forum/showpo...57&postcount=4 WBT.exe (newest boards, Windows): https://www.badcaps.net/forum/showpo...79&postcount=7 4.5. HP See: https://www.badcaps.net/forum/showthread.php?t=69204 4.6. Intel Network Adapters Not specific to a board manufacturer but rather to the Ethernet controller on the board. If you want to fix the MAC address of some Intel controllers, you can use eeupdate: https://www.badcaps.net/forum/showpo...8&postcount=17 4.7. Lenovo Sometimes you only need a hex editor to edit the DMI,or to copy the DMI to a different bios. Lenovo DMI tools also exist such as LVAR . Also some can be edited using the bios update software from the command line,read the bios release notes to find out which ones are supported that way. Lenovo IdeaPad C340-15IML/FLEX-15IML/S340-15IML/S340-15IML Touch/S340-14IML Lenovo XiaoXin-15IML 2019/XiaoXin-14IML 2019: https://www.badcaps.net/forum/showthread.php?t=98038 LVAR: https://www.badcaps.net/forum/showth...64#post1133564 Lenovo Gold Key U1 Tool: https://github.com/ASparkOfFire/lenovo-u1-tool ThinkPad Config Information Update Utility: https://badcaps.net/forum/showthread...90#post1174090 Last edited by piernov; 03-02-2023 at 04:42 AM..

02-06-2022, 09:22 AM	#6
piernov Super Moderator Join Date: Jan 2016 City & State: Valbonne, 06 My Country: France I'm a: Knowledge Seeker Posts: 3,999	Re: BIOS guides, methods, resources and tools 5. Clearing NVRAM Clearing NVRAM manually from the BIOS can help if NVRAM variables become corrupt and POST does not finish successfully, or BIOS freezes before boot, or when entering Setup. Actual process may vary between BIOSes, but blanking the first VSS store inside the first NVRAM area can be enough.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode