Badcaps.net Forum
Go Back   Badcaps Forums > Troubleshooting Hardware & Devices and Electronics Theory > Troubleshooting Laptops, Tablets, and Mobile Devices > BIOS Requests ONLY!
Register FAQ Calendar Search Today's Posts Mark Forums Read

 
Thread Tools Display Modes
Old 02-06-2022, 09:20 AM   #1
piernov
Super Moderator
 
Join Date: Jan 2016
City & State: Valbonne, 06
My Country: France
I'm a: Knowledge Seeker
Posts: 3,682
Lightbulb BIOS guides, methods, resources and tools

Please post any suggestions and corrections to the discussion thread: https://badcaps.net/forum/showthread.php?t=103527

For additional information on SPI ROM, BIOS, EC, Intel ME, etc., please read: https://github.com/ISpillMyDrink/UEFI-Repair-Guide/wiki


Table of Contents:
Code:
1. How to dump and flash
  1.1. BIOS
    1.1.1. Programmers
      1.1.1.1. TL866II
      1.1.1.2. T56
      1.1.1.3. RT809F
      1.1.1.4. RT809H
      1.1.1.5. EZP2019
      1.1.1.6. CH341A
    1.1.2. Adapters
  1.2. EC
    1.2.1. Programmers
      1.2.1.1. SVOD3
      1.2.1.2. SVOD4
      1.2.1.3. Vertyanov
      1.2.1.4. RT809H
      1.2.1.5. RT809F
      1.2.1.6. T56
      1.2.1.7. TL866II
    1.2.2. Adapters
    1.2.3. Automatic flashing
2. How to clean ME/TXE region
3. Password removal by laptop brand
  3.1. Acer
  3.2. Apple
    3.2.1. 2011 and older		
    3.2.2. 2012 to 2017
    3.2.3. 2018 to 2020 (T2)
    3.2.4. 2020 and newer (M1)
  3.3. Asus
  3.4. Dell
  3.5. Fujitsu-Siemens
  3.6. HP
  3.7. Lenovo ThinkPad
    3.7.1. Password ROM bypass (2012 and older)
    3.7.2. DXE password bypass driver injection (2012-2018)
    3.7.3. Flashing EC (2019-*)	 
  3.8. Microsoft Surface
  3.9. Panasonic, and some other standard AMI implementation
  3.10. Toshiba
    3.10.1. Consumer
    3.10.2. Business
4. DMI editing by brand
  4.1. AMI-based standard BIOS (SuperMicro…)
  4.2. Acer
  4.3. Apple
  4.4. Asus
  4.5. HP
  4.6. Intel Network Adapters
  4.7. Lenovo
5. Clearing NVRAM
6. Extracting BIOS/EC firmware from update packages
  6.1. Desktops
  6.2. Laptops
    6.2.1. Asus
    6.2.2. HP
    6.2.3. Lenovo
    6.2.4. Samsung
__________________
OpenBoardView — https://github.com/OpenBoardView/OpenBoardView

Last edited by piernov; 02-13-2022 at 11:05 AM..
piernov is offline  
Old 02-06-2022, 09:21 AM   #2
piernov
Super Moderator
 
Join Date: Jan 2016
City & State: Valbonne, 06
My Country: France
I'm a: Knowledge Seeker
Posts: 3,682
Default Re: BIOS guides, methods, resources and tools

1. How to dump and flash
1.1. BIOS
BIOS can be updated from software using the manufacturer's tool. It can also often be dumped from software (although not really reliable).
However, if you need to re-flash the BIOS because the computer does not boot and BIOS recovery procedure does not work, you need an external programmer.
Likewise, if you want to modify the BIOS to remove a password, it must be done with an external programmer.

When flashing a BIOS always make a backup first. Take 2 or 3 different dumps and make sure they are identical. Make sure that the dumps looks good, i.e. not filled with 0x00 or 0xFF. After compression, if the file has a size of only a few kilobytes, the EEPROM was most likely not read properly.

Additionally, please read the FAQ at: https://www.badcaps.net/forum/showthread.php?t=98665

1.1.1. Programmers
TL866II is arguably the most reliable and easy to use programmer while still being relatively cheap.
If you also need eMMC support, consider T56 or RT809H
If you need LCD monitor In-System Programming through VGA port, consider RT809F or RT809H.

1.1.1.1. TL866II
Supports I2C, SPI, LPC, FWH, parallel.
Support list: http://www.autoelectric.cn/MiniPro/TL866II_List.txt

1.1.1.2. T56
Supports I2C, SPI, LPC, FWH, parallel, eMMC.
Support list: http://www.xgecu.com/MiniPro/T56_List.txt

1.1.1.3. RT809F
Supports I2C, SPI, LPC, FWH, VGA ISP.
Parallel interfaces support requires PEB-1 extension board and can be troublesome.
Support list: https://www.hklrf.com/24download/img/RT809F-List6.txt
Software: http://doc.ifix.net.cn/download/2017266

1.1.1.4. RT809H
Supports I2C, SPI, LPC, FWH, parallel, eMMC, VGA ISP.
Support list: https://hklrf.com/24download/img/RT809H-List8.txt
Software: http://doc.ifix.net.cn/download/2017266

1.1.1.5. EZP2019
Supports I2C (24-series), SPI (25-series), 93-series.
Support list: https://www.hklrf.com/24download/img/EZP2019-List.txt

1.1.1.6. CH341A
Supports I2C (24-series), SPI (25-series).

This programmer is not recommended but it is the cheapest programmer available.
It has several shortcomings:
  • Limited interfaces support, only SPI and I2C
  • Several different software with varying level of reliability and ROM IC support (especially troublesome with 128Mb and larger ICs)
  • Several different hardware design, some of them having design defects
  • No proper detection of communication issue with the ROM IC

Available software include: NeoProgrammer, Colibri, AsProgrammer, Flashrom…
Read the guide there: https://www.win-raid.com/t4175f16-GU...rogrammer.html

If you have a black PCB, it is very likely that it needs to be modified for 3V operation instead of 5V. Failing to do so could damage the ROM IC.
Watch the instructions there:
https://www.youtube.com/watch?v=-ln3VIZKKaE
https://www.youtube.com/watch?v=HwnzzF645hA

1.1.2. Adapters

It is possible to use clips on SOIC-8 ICs to avoid desoldering, however it is *very unreliable* and will often lead to an empty or corrupt dump. Avoid whenever possible.
It is recommended to desolder the chip and use an adapter board or socket. They exist for all sorts of packages: SOIC-8 200mil, SOIC-8 150mil, SOIC-16, WSON-8 8x6mm, WSON-8 6x5mm, USON-8 4x3mm, PLCC-32, TSSOP-48…

Most common packages for the BIOS SPI ROM on modern boards are SOIC-8 200mil and WSON-8 8x6mm.
Desktop boards sometimes use DIP-8 which can be inserted directly into the programmer.
Desktop boards before around 2005 used PLCC-32 (which can use a LPC, FWH or parallel bus), even older boards (in the 90s or older) used DIP-32.

MacBook Pro 15"/17" boards before 2015, MacBook Pro 13" non-Retina and MacBook air before 2011 use SOIC-8 200mil
MacBook Air and MacBook Pro 13" Retina boards between 2011 and 2015 use WSON-8 8x6mm.
Apple boards from 2015 to 2017 use WSON-8 6x5mm.
Apple boards from 2018 onwards use USON-8 4x3mm for T2/M1 ROM.


1.2. EC

Dumping and flashing EC often requires a dedicated EC programmer. Some EC can be flashed with regular SPI ROM programmers.
List of EC that may require programming: https://www.badcaps.net/forum/showthread.php?t=66963

1.2.1. Programmers

1.2.1.1. SVOD3
Code:
ENE
ITE
Nuvoton
SMSC
1.2.1.2. SVOD4
Code:
ENE
ITE
Nuvoton
SMSC
1.2.1.3. Vertyanov
Code:
ENE
ITE
Nuvoton
SMSC
1.2.1.4. RT809H
Support list: https://hklrf.com/24download/img/RT809H-List8.txt

Code:
ENE
 KB9010
 KB9012
 KB9016
 KB9018
 KB9022
 KB9028
ITE
 IT8386E
 IT8580E
 IT8585E
 IT8586E
 IT8587E
 IT8595E
 IT8985E
 IT8987E
 IT8996E
Nuvoton
 NPCE288N
 NPCE388N
SMSC 
 MEC1653
 MEC1650
 MEC1633
 MEC1609
 MEC1619
 MEC1618
 MEC5035
 MEC5045
 MEC5055
 MEC5075
 MEC5085
1.2.1.5. RT809F
Not a dedicated EC programmer, standalone programmer supports EC SPI and JTAG interfaces only. PEB-1 extension board supports ITE interface.

Support list: https://www.hklrf.com/24download/img/RT809F-List6.txt
Code:
ENE
 KB9010
 KB9012
 KB9016
 KB9018
 KB9022
 KB9028
ITE (requires PEB-1 extension board)
 IT8580
 IT8585
 IT8586
 IT8587
 IT8985
 IT8595
 IT8987
 IT8996E
SMSC
 MEC1653
 MEC1650
 MEC1633
 MEC1609
 MEC1619
 MEC1618
 MEC5035
 MEC5045
 MEC5055
 MEC5075
 MEC5085
1.2.1.6. T56
Not a dedicated EC programmer, supports EC SPI interface only.
Support list: http://www.xgecu.com/MiniPro/T56_List.txt
Code:
ENE
 KB9010
 KB9012
 KB9016
 KB9018
 KB9022
1.2.1.7. TL866II
Not a dedicated EC programmer, supports EC SPI interface only.

Support list: http://www.autoelectric.cn/MiniPro/TL866II_List.txt
Code:
ENE
 KB9010
 KB9012
 KB9016
 KB9018
 KB9022
1.2.2. Adapters
Adapter boards exist for some programmers, chip must be (partially) soldered on the adapter board, then the adapter board is connected to the programmer to be flashed.

In most cases, EC can also be programmed in-system through the keyboard connector. Adapter for the programmer to keyboard connector is required, as well as correct cable (keyboard connectors can have different number of pins and different pitch). Pinout of the keyboard connector matching the EC programming interface must be known and set up in the programmer software.

1.2.3. Automatic flashing

Some platforms can automatically flash a blank EC from the image stored in an external SPI ROM alongside the main BIOS when power is first applied. This assumes that there is no other issue on the board.
Platform with automatic flashing:
  • Most Asus laptops
  • Quanta Y11A
  • To be completed…

Last edited by piernov; 02-13-2022 at 11:03 AM..
piernov is offline  
Old 02-06-2022, 09:21 AM   #3
piernov
Super Moderator
 
Join Date: Jan 2016
City & State: Valbonne, 06
My Country: France
I'm a: Knowledge Seeker
Posts: 3,682
Default Re: BIOS guides, methods, resources and tools

2. How to clean ME/TXE region
Cleaning ME/TXE region is required after replacing the PCH or the SoC. Sometimes the ME region gets corrupted on its own and it also required cleaning.
Cleaning ME/TXE region consists in replacing the existing ME/TXE region in the BIOS dump by a fresh, non-paired one, retaining the manufacturer's configuration.

Symptoms when ME region cleaning may be required include:
  • Shutdown after 30 minutes (unrelated cause is using Core i3/i5/i7 with HM70 PCH, cleaning ME region won't help)
  • Slow POST
  • Fans spinning at full speed
  • Intel MEI not working in Device Manager
  • In case of Apple machine, macOS reboots or freezes during boot
  • No POST

Refer to: https://www.badcaps.net/forum/showthread.php?t=88533 and https://www.win-raid.com/t1658f39-Gu...alization.html .

Do not use use Intel ME/TXE Injector/Easy Clean ME or similar tools: they do not retain the manufacturer's configuration and can cause subsequent problems.

MS Surface no touchscreen after cleaning ME Firmware: https://badcaps.net/forum/showthread.php?t=104153

Last edited by piernov; 03-05-2022 at 04:55 AM..
piernov is offline  
Old 02-06-2022, 09:22 AM   #4
piernov
Super Moderator
 
Join Date: Jan 2016
City & State: Valbonne, 06
My Country: France
I'm a: Knowledge Seeker
Posts: 3,682
Default Re: BIOS guides, methods, resources and tools

3. Password removal by laptop brand

DISCLAIMER: badcaps.net and its members do no support unlocking stolen or company-owned devices. The information given here is for personal use only, ie. you accidentally set a password on your own machine, you forgot the password you set a long time ago or you mistyped the password when setting it and cannot get in again.
Note that a device bought locked might also have been stolen if the previous owner cannot give the correct password. This is especially common with business-grade equipment (Lenovo ThinkPad…) that employees sneak out or do not return.


3.1. Acer
If you enter empty password 3 times, the BIOS gives you a code.
8-digit answer generators are easily found on the web.
For 10 digits, see here: https://www.badcaps.net/forum/showthread.php?t=84084

3.2. Apple

3.2.1. 2011 and older
For 2011 and older machines, changing RAM configuration and performing 3× PRAM reset can clear the password. Password can also be extracted from BIOS dump.

3.2.2. 2012 to 2017
For 2012 to 2017 machines, BIOS must be edited and reflashed to clear the password. There are 2 methods for this:
  • Clear out the whole SVS store. There are other stuff in this store, no idea what they are for so better avoid doing this.
  • Invalidate the CBF2CC32 NVRAM variable in that SVS store which contains the encrypted password. You just have to change one bit in its name, so like replace the C with an A or whatever. Note that strings are UCS-2 encoded, so in the hex editor it'll show up as 0x43 0x00 0x42 0x00 0x46 0x00 etc.
If there is an iCloud pin, you need to perform 3× PRAM reset after removing password. If FindMyMac is still enabled, you have to reinstall macOS while being disconnected from the Internet, then reconnect after logging in and bind to a new Apple account.

3.2.3. 2018 to 2020 (T2)
For 2018 to 2020 machines with T2, T2 DFU restore with Apple Configurator 2 can clear the EFI password, however it will not remove the iCloud account. iCloud account is bound to the T2 of the machine on Apple servers and cannot be permanently unbound except by Apple. Methods to bypass activation screen thanks to checkm8 exploit exist.

3.2.4. 2020 and newer (M1)
For 2020 and newer machines with M1, no publicly known bypass method has been confirmed yet.

3.3. Asus
A lot of Asus machines use a standard AMI implementation, and BIOS password can be decoded or cleared from AMITSESetup NVRAM variable. See: https://www.badcaps.net/forum/showpo...55&postcount=2
Master codes for some dates also exist.

3.4. Dell

Dell laptops store the password in EC. However, some generators exist depending on the code suffix.
See: https://beta.bios-pw.org/ .Enter the generated code using a US QWERTY keyboard and press
enter, or press the left control key and press enter ,or press the left control key and press enter enter.
Note: The 6FF1 suffix has a bug,use your service tag with the BF97 suffix instead,Example: 1234ABC-BF97

3.5. Fujitsu-Siemens
See: https://www.badcaps.net/forum/showthread.php?t=79974

3.6. HP
BIOS password is stored in NVRAM in the BIOS. BIOS editing and re-flashing is required.
You can use the automatic unlocker at: https://www.badcaps.net/forum/showthread.php?t=98539
Another tool that may also work: https://www.badcaps.net/forum/showthread.php?t=103184

3.7. Lenovo ThinkPad
There are mainly 3 methods to unlock ThinkPads and some other Lenovo laptops depending on the generation.

3.7.1. Password ROM bypass (2012 and older)
Most ThinkPads from 2012 and older (3rd gen Intel and older) use a 24-series dedicated password ROM. It can often be bypassed during boot by shorting the SDA and SCL pins together.
Other times, flashing the ROM may be required.

3.7.2. DXE password bypass driver injection (2012-2018)
For newer machines (2012-2018, 4th to 8th gen Intel), the password itself is stored in the EC. BIOS must be modified and re-flashed to insert a special driver that will allow bypassing the BIOS password.
Refer to https://www.badcaps.net/forum/showthread.php?t=87588 and https://www.badcaps.net/forum/showthread.php?t=81573

3.7.3. Flashing EC (SMSC MEC, 2019-*)
On the latest generations of ThinkPads, the security issue that allowed to inject the DXE driver and bypass the password does not exist anymore. The password is still stored inside the EC, in a write-only region.
However, it appears that dumping the EC with a dedicated programmer, erasing it and flashing back can actually clear the password. See: https://www.badcaps.net/forum/showth...t=95736&page=5

3.7.4. Flashing EC (ENE KB9012)
ThinkPad S1 Yoga 12: https://www.badcaps.net/forum/showpo...4&postcount=19

3.8. Microsoft Surface
Surface Pro 3 passwords are stored in AMITSESetup NVRAM variable and can be decoded from the BIOS dump without any need to re-flash. See: https://www.badcaps.net/forum/showpo...&postcount=139
Surface Pro 4 and newer cannot be decoded, password must be removed from dump and re-flashed.

3.9. Panasonic, and some other standard AMI implementation
Password often can be decoded from the BIOS dump, see: https://www.badcaps.net/forum/showthread.php?t=102275
Otherwise, AMITSESetup variable can be cleared from the BIOS dump and re-flashed.

3.10. Toshiba

3.10.1. Consumer
A lot of Toshiba consumer laptops have a jumper on the motherboard that needs to be shorted before boot to clear the password.

3.10.2. Business
Most Toshiba business laptops do not have a jumper, and the password is stored inside a protected region of the EC. See affected models: https://www.badcaps.net/forum/showpo...2&postcount=19
Either you need a donor EC without password, or you need to unlock through challenge-response.
Response generator is not available publicly, however, some generous people may be able to generate a response for you. Ask in this thread: https://www.badcaps.net/forum/showthread.php?t=79489
Laptop must not be rebooted, the challenge will change.

Last edited by piernov; 05-07-2022 at 05:58 AM..
piernov is offline  
Old 02-06-2022, 09:22 AM   #5
piernov
Super Moderator
 
Join Date: Jan 2016
City & State: Valbonne, 06
My Country: France
I'm a: Knowledge Seeker
Posts: 3,682
Default Re: BIOS guides, methods, resources and tools

4. DMI editing by brand
DMI editing can be required to restore model number and serial number after flashing a blank dump or rebrand a machine after board replacement.

4.1. AMI-based standard BIOS (SuperMicro…)
See: https://www.badcaps.net/forum/showpo...2&postcount=18

4.2. Acer
See: https://www.badcaps.net/forum/showthread.php?t=103301

4.3. Apple
For 2017 and older machines, serial number is stored in Fsys store of BIOS and can be edited with hexadecimal editor. Fsys checksum needs to be fixed afterwards
Search for "ssn", edit the serial number, save, open dump in UEFITool, go to the Fsys store and write down the suggested checksum in the panel on the right. Checksum is 4 bytes at the end of the Fsys store, between one zone of 0x00 either Gaid or another zone of 0xFF, it must be written in reverse order (so last 2 characters from UEFITool must be written first).
See: https://www.youtube.com/watch?v=poA8HByYqTM

4.4. Asus
With these tools you can add DMI information, add a MAC address to older generation Asus boards and fix the keyboard backlight not working on newer generation boards.

4.5. HP
See: https://www.badcaps.net/forum/showthread.php?t=69204

4.6. Intel Network Adapters
Not specific to a board manufacturer but rather to the Ethernet controller on the board.
If you want to fix the MAC address of some Intel controllers, you can use eeupdate: https://www.badcaps.net/forum/showpo...8&postcount=17

4.7. Lenovo
Sometimes you only need a hex editor to edit the DMI,or to copy the DMI to a different bios. Lenovo DMI tools also exist such as LVAR .
Also some can be edited using the bios update software from the command line,read the bios release notes to find out which ones are supported that way.

Lenovo IdeaPad C340-15IML/FLEX-15IML/S340-15IML/S340-15IML Touch/S340-14IML Lenovo XiaoXin-15IML 2019/XiaoXin-14IML 2019: https://www.badcaps.net/forum/showthread.php?t=98038

LVAR: https://www.badcaps.net/forum/showth...64#post1133564

Last edited by SMDFlea; 07-22-2022 at 02:04 PM..
piernov is offline  
Old 02-06-2022, 09:22 AM   #6
piernov
Super Moderator
 
Join Date: Jan 2016
City & State: Valbonne, 06
My Country: France
I'm a: Knowledge Seeker
Posts: 3,682
Default Re: BIOS guides, methods, resources and tools

5. Clearing NVRAM
Clearing NVRAM manually from the BIOS can help if NVRAM variables become corrupt and POST does not finish successfully, or BIOS freezes before boot, or when entering Setup.
Actual process may vary between BIOSes, but blanking the first VSS store inside the first NVRAM area can be enough.
piernov is offline  
Old 02-06-2022, 09:22 AM   #7
piernov
Super Moderator
 
Join Date: Jan 2016
City & State: Valbonne, 06
My Country: France
I'm a: Knowledge Seeker
Posts: 3,682
Default Re: BIOS guides, methods, resources and tools

6. Extracting BIOS/EC firmware from update packages
In order to fix a corrupt BIOS or EC firmware, it may be necessary to use an image provided by the manufacturer. Manufacturers rarely provide an image ready to flash, but rather an update file that may contain extra data or missing part of the full image. Note that using a clean BIOS like this will lose DMI info.

6.1. Desktops
Retail motherboards can have a full BIOS image or only an update. Pre-built desktops will have DMI info, and mostly only a BIOS update.
The full BIOS image may be packed into an UEFI Update Capsule. UEFITool with recognize the UEFI Update Capsule and allow you to extract the body in order to obtain the raw BIOS image.

6.2. Laptops
For laptops, the manufacturer rarely provide the full BIOS image. The usual procedure is to extract the BIOS region, and if provided the ME region, from the update package, and insert them back into the original dump using Intel FITC. If ME region is not provided, it can be cleaned with one from the win-raid repository at the same time.

6.2.1. Asus
See: https://www.badcaps.net/forum/showthread.php?t=96604

6.2.2. HP
Newer HP bios updates can be extracted to a saved folder by running the executable.

6.2.3. Lenovo
Phoenix TDK: https://www.badcaps.net/forum/showthread.php?t=80861

6.2.4. Samsung
Find BIOS update file: https://www.badcaps.net/forum/showthread.php?t=88206
piernov is offline  
Closed Thread

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump



Badcaps.net Technical Forums © 2003 - 2022
Powered by vBulletin ®
Copyright ©2000 - 2022, Jelsoft Enterprises Ltd.
All times are GMT -6. The time now is 09:19 PM.
Did you find this forum helpful?