Laptop Repair Topics Part3

Uploaded by

Bong Barcelita

Advanced Laptop Repair Workshop

Session 3 – BIOS Repair, Cleaning, Splitting and Reconstruction
VERA EQUINOX TECHNOLOGIES, INC.
Dr. Oliver C. Agustin

Copyright Notice:

All materials contained on these slides are copyrighted and may not be reproduced, distributed, transmitted, displayed,
published or broadcast without the prior written permission of LeakyMosfet. You may not alter or remove any
trademark, copyright or other notice from copies of the content.
BIOS (8 hours)
• Tools of the Trade
• ME Analyzer
• UEFI Tool
• HxD Hex Editor
• Notepad++
• Intel Flash Image Tool
• Others (Winrar, UniExtract, 7zip, etc.)
• Cleaning of ME/TXE Initialized DATA section
• FIT Method
• Pre-Skylake (ME 2.X – 10.x, TXE 1.x – 2.x)
• Post-Skylake (ME 11.X, TXE 3.x)
• Hex Method

© 2019 LeakyMosfet All Rights Reserved https://www.leakymosfet.com


BIOS (4 hours)
• BIOS Editing
• Editing Serial Number
• Extracting/Changing Win8/Win10 keys
• Password Reset
• BIOS Extraction from EXE
• HP
• Acer
• Lenovo
• Asus
• Dell
• BiosExtractor v1.04
• Proprietary, Commercial



Hardware
• SVOD3
• https://www.leakymosfet.com/products/svod3-programmer?
• RT809H
• https://www.leakymosfet.com/products/rt809h
• RT809F
• https://www.leakymosfet.com/products/rt809f-spi-programmer
• EZP2019
• https://www.leakymosfet.com/products/ezp2013-spi-usb-programmer?variant=16529144873033



Tools of the Trade
ME Analyzer(2)
• We use ME Analyzer to
• Check the family, version, type, SKU, etc.
• Verify if the cleaned BIOS has the same properties as the original dump
• Verify if the new BIOS has been upgraded with a newer ME/TXE Region



Tools of the Trade
UEFI Tool
• Downloadable at https://github.com/LongSoft/UEFITool/releases/download/A43/UEFITool_NE_A43.win.zip
• Cross-platform C++/Qt program for parsing, extracting and modifying UEFI firmware images.
• Supports parsing of full BIOS images starting with the flash descriptor or any binary files containing UEFI volumes.



Tools of the Trade
UEFI Tool(2)

We will use UEFI Tool to verify and check the offset value.



Tools of the Trade
HxD Hex Editor
• Downloadable at http://mh-nexus.de/downloads/HxDen.zip
• HEX editor, raw disk editor, can be used to modify main memory
(RAM), handles files of any size.
• offers features such as searching and replacing, exporting,
checksums/digests, insertion of byte patterns, a file shredder,
concatenation or splitting of files, statistics and much more



Tools of the Trade
HxD Hex Editor
We will use the HxD to
• View SPI Image
• Search and Edit information from SPI
Image
• Compare two SPI Images
• Create new SPI Image



Tools of the Trade
Notepad++
• Downloadable at https://notepad-plus-plus.org/download/v7.5.1.html
• Notepad++ is a free (as in "free speech" and also as in "free beer")
source code editor and Notepad replacement that supports several
languages
• written in C++ and uses pure Win32 API which ensures a higher
execution speed and smaller program size



Tools of the Trade
Notepad++
We will use Notepad++ to
• Search Win8/10 keys
• Search SNID, etc.



Tools of the Trade
Intel Flash Image Tool
• Intel ME System Tools v11.7 r2 - (Updated: 2017-09-01)
• For 100/200/300-series systems which come with ME firmware v11.7
• Intel ME System Tools v11.6 r16 - (Updated: 2017-07-31)
• For 100/200-series systems which come with ME firmware v11.6
• Intel ME System Tools v11.0 r10 - (Updated: 2017-08-07)
• For 100-series systems which come with ME firmware v11.0
• Intel ME System Tools v10.0 r4 - (Updated: 2017-10-03)
• For Broadwell mobile systems which come with ME firmware v10.0
• Intel ME System Tools v9.5 r3 - (Updated: 2017-06-02)
• For 8-series systems which come with ME firmware v9.5
• Intel ME System Tools v9.1 r2 - (Updated: 2017-05-07)
• For 8/9-series systems which come with ME firmware v9.1 *
• Intel ME System Tools v9.0 r1 - (Updated: 2016-10-13)
• For 8-series systems which come with ME firmware v9.0
• Intel ME System Tools v8 r1 - (Updated: 2016-10-13)
• For 7-Series systems which come with ME firmware v8 **



Tools of the Trade
Intel Flash Image Tool(2)
• Intel ME System Tools v7 r1 - (Updated: 2016-10-13)
• For 6-series systems which come with ME firmware v7
• Intel ME System Tools v6 1.5MB/5MB r2 - (Updated: 2017-05-10)
• For 5-series (Ibex Peak) systems which come with ME 1.5MB/5MB firmware v6
• Intel ME System Tools v6 Ignition r1 - (Updated: 2016-10-13)
• For 5-series (Ibex Peak) or 89xx-series (Cave/Coleto Creek) systems which come with ME Ignition firmware v6
• Intel ME System Tools v5 r1 - (Updated: 2016-10-13)
• For ICH10 systems which come with ME firmware v5
• Intel ME System Tools v4 r1 - (Updated: 2016-10-13)
• For ICH9M systems which come with ME firmware v4
• Intel ME System Tools v3 r1 - (Updated: 2016-10-13)
• For ICH9 systems which come with ME firmware v3
• Intel ME System Tools v2 r1 - (Updated: 2016-10-13)
• For ICH8 & ICH8M systems which come with ME firmware v2



Cleaning of ME/TXE Initialized DATA section
FIT METHOD
• Pre-CSE (ME 2 – 10, TXE 1 – 2)
• CSE (CSME 11, TXE 4)



Introduction/Overview
• Ref - http://www.win-raid.com
• Tested to work on all major ME (2.x - 11.x) and all major TXE versions (1.x - 4.x)
• Highly recommended to use the exact/closest match firmware from the repository
• Exception
• ME 6.0 Ignition firmware 6.0.x.x are Ibex Peak
• ME 6.0.50.x are Cave/Coleto Creek
• In Cave/Coleto Creek, need to match the hotfix version and make sure it's 50.
• Firmware file naming: Major.Minor.Hotfix.Build_SKU_PRD_RGN



FIT Method
PRE-CSE (ME 2- 10, TXE 1-2)
Pre-CSE (ME 2 – 10, TXE 1 – 4)



FIT Method
Pre-CSE (ME 2 – 10, TXE 1 – 2)
• Our example is an SPI image
dump with ME firmware version
9.1.x.xxxx and SKU 1.5MB.
1. Make sure you have the correct System Tools package and extract it



FIT Method
Pre-CSE (ME 2 – 10, TXE 1 – 2)
2. Make sure you extracted the
correct ME firmware repository
package based on major/minor
version



FIT Method
Pre-CSE (ME 2 – 10, TXE 1 – 2)
3. Drag the dumped SPI image into ME Analyzer to see what major/minor version we need as well as SKU
• vn7_591.bin is found in demo\cleaning folder

Our SPI image dump has ME 9.1 firmware with the 1.5MB SKU



FIT Method
Pre-CSE (ME 2 – 10, TXE 1 – 2)
4. Browse the Repository pack and
copy the same (or as similar as
possible) ME/TXE RGN firmware
of the same SKU and major/minor
version

We pick the firmware file 9.1.2.1010_1.5MB_PRD_RGN, which matches perfectly with what we saw in ME Analyzer



FIT Method
Pre-CSE (ME 2 – 10, TXE 1 – 2)
5. Browse the Repository pack and copy the same (or as similar as
possible) ME/TXE RGN firmware of the same SKU and major/minor
version



FIT Method
Pre-CSE (ME 2 – 10, TXE 1 – 2)
6. The Flash Image Tool folder should now have a folder named after
the input file, in this case it's named 9.1.2.1010_1.5MB_PRD_RGN



FIT Method
Pre-CSE (ME 2 – 10, TXE 1 – 2)
7. Enter the folder from the previous step and open the Decomp subfolder. You
should see a single file named "ME Region.bin". Remember this file, we
will use it to replace a file in the next step.



FIT Method
Pre-CSE (ME 2 – 10, TXE 1 – 2)
8. Run FITC again, this time drag & drop the dumped SPI image you
want to clean (vn7_591.bin). After it's done loading:
• Go to Build > Build Settings..., untick the option to "Generate intermediate
build files", leave all other settings intact and click OK



FIT Method
Pre-CSE (ME 2 – 10, TXE 1 – 2)
9. For SPI image with ME 5 to ME
9.x or TXE 1.x,
• go to Flash Image > ME/TXE
Region > Configuration > Features
Supported
• set "Intel (R) Anti-Theft Technology
Permanently Disabled? " to "Yes".
• Intel Anti-Theft Technology has
been EOL since January 2015
and can cause issues if left
activated nowadays.



FIT Method
Pre-CSE (ME 2 – 10, TXE 1 – 2)
10. For SPI image with ME 7 to ME
9.x,
• go to Flash Image > Descriptor
Region > PCH Straps > PCH Strap 2
• set "Intel (R) ME SMBus MCTP Address Enable" to "false"
• set "Intel (R) ME SMBus MCTP Address" to "0x00".
• These are Intel Anti-Theft
Technology settings.



FIT Method
Pre-CSE (ME 2 – 10, TXE 1 – 2)
11. Go to "File > Save As" and save the configuration xml file, in this
case it's named "config.xml". Afterwards, close the FITC window.



FIT Method
Pre-CSE (ME 2 – 10, TXE 1 – 2)
12. In the FITC folder there should now be a vn7_591 folder. Take the
"ME Region.bin" in 9.1.2.1010_1.5MB_PRD_RGN\Decomp and use it to
overwrite the "ME Region.bin" in the vn7_591\Decomp folder.



FIT Method
Pre-CSE (ME 2 – 10, TXE 1 – 2)
13. Run FITC again. From "File > Open" select the config.xml file
you saved earlier and open it.



FIT Method
Pre-CSE (ME 2 – 10, TXE 1 – 2)
14. Click the "Build Image" icon (or "Build > Build Image") and it should
complete successfully.

If this stage is completed without problems, then you have successfully cleaned
your SPI dump.



FIT Method
Pre-CSE (ME 2 – 10, TXE 1 – 2)
15. In FITC folder you should now see a file named "outimage.bin"
• This is your dumped SPI image with Engine region which has a Configured
DATA section without any unneeded "Initialization" information stored.

You can rename outimage.bin to any name you prefer and flash it using an SPI programmer
FIT Method
CSE (CSME 11, CSTXE 4)



FIT Method
CSE (CSME 11, CSTXE 3)
• Our example is an SPI image
dump with ME firmware version
11.0.0.1205 and SKU Consumer
LP.
1. Make sure you have the correct System Tools package and extract it



FIT Method
CSE (CSME 11, CSTXE 3)
2. Make sure you extracted the
correct ME firmware repository
package based on major/minor
version



FIT Method
CSE (CSME 11, CSTXE 3)
3. Drag the dumped SPI image into ME Analyzer to see what major/minor version we need as well as SKU
• dell 13 15296-1.bin is found in demo\cleaning folder

Our SPI image dump has ME 11.0 firmware with the Consumer LP SKU



FIT Method
CSE (CSME 11, CSTXE 3)
4. Browse the Repository pack and
copy the same (or as similar as
possible) ME/TXE RGN firmware
of the same SKU and major/minor
version

We pick the firmware file 11.0.0.1205_CON_LP_C0_NPDM_PRD_RGN, which matches closely (PDM = No, Rev=C0,
SKU=Consumer LP, Release = Production, Type=Region) with what we saw in ME Analyzer



FIT Method
CSE (CSME 11, CSTXE 3)
5. Run the correct fit.exe version and drag & drop the selected/copied
CSME/CSTXE firmware of the previous step into the FIT window.
After it's done loading, close the FIT window without saving any changes when
prompted



FIT Method
CSE (CSME 11, CSTXE 3)
6. The Flash Image Tool folder should now have a folder named after
the input file, in this case it's named
• 11.0.0.1205_CON_LP_C0_NPDM_PRD_RGN



FIT Method
CSE (CSME 11, CSTXE 3)
7. Enter the folder from the previous step and open the Decomp subfolder. You
should see a single file named "ME Region.bin". Remember this file, we
will use it to replace a file in the next step.



FIT Method
CSE (CSME 11, CSTXE 3)
8. Run FIT again. This time drag & drop the dumped SPI image you want to clean.
• Once it's done loading, check the equivalent warning to confirm that the
CSME firmware inside the SPI dump does indeed have initialization data.



FIT Method
CSE (CSME 11, CSTXE 3)
9. Go to "Build > Build Settings" , select "No" at the option to "Generate
Intermediate Files", leave all other settings intact and click Close



FIT Method
CSE (CSME 11, CSTXE 3)
10. Go to "File > Save As" and save the configuration xml file, in this
case it's named "config.xml". Afterwards, close the FITC window.



FIT Method
CSE (CSME 11, CSTXE 3)
11. In the FITC folder there should now be a dell 13 15296-1 folder. Take the
"ME Region.bin" in 11.0.0.1205_CON_LP_C0_NPDM_PRD_RGN\Decomp and use it to
overwrite the "ME Region.bin" in the dell 13 15296-1\Decomp folder.



FIT Method
CSE (CSME 11, CSTXE 3)
12. Run FITC again. From "File > Open" select the config.xml
file you saved earlier and open it.



FIT Method
CSE (CSME 11, CSTXE 3)
13. Click the "Build Image" icon
(or "Build > Build Image") and it
should complete successfully.

If this stage is completed without problems, then you have successfully cleaned your SPI dump.



FIT Method
CSE (CSME 11, CSTXE 3)
14. In FIT folder you should now see a file named "outimage.bin"
• This is your dumped SPI image with Engine region which has a Configured
DATA section without any unneeded "Initialization" information stored.

You can rename outimage.bin to any name you prefer and flash using SPI programmer
FIT Method
CSE (CSME 11, CSTXE 3)
16. Verify that the resulting image is indeed not Initialized and that it
has the same configured DATA settings as the imported one.



FIT Method
CSE (CSME 11, CSTXE 3)
16. Import the output file to ME
Analyzer and check if the Major/Minor
versions & SKU are the same as before.
• Make sure the Type is reported as
"Region, Extracted" which means that
the inputted image is OEM/FIT
configured.
• Whether the DATA section is now
Configured and not Configured +
Initialized cannot be checked/verified
by ME Analyzer, only via the FIT
Warning, but if you followed the
above steps properly you should not
be having any issues.

If you have reached this stage, then you have successfully cleaned a CSE SPI Image.
Cleaning of ME/TXE Initialized DATA section
HEX Method – Applicable to pre/post CSE (1)
• General Procedure
1. Drag the SPI dump bin file to ME Analyzer to identify the ME version, type, SKU (e.g., 10.0.38.1000)
2. Drag the SPI dump file to UEFITool to get the offset value of the ME Region (e.g., 1000h) or search “$FPT” via the HxD Search function
3. Load/drag the SPI dump to HxD
4. Load the correct ME region you get in (1) from the repository to HxD
4.1. Make sure you select the correct tab (the tab name is equal to the filename you loaded in (1)).
4.2. Press Ctrl + A (select all) to select all content and take note of the length of the file found in the status bar (e.g., 17D000)
4.3. Press Ctrl + C (copy)



Cleaning of ME/TXE Initialized DATA section
HEX Method (2)
• General Procedure
5. Go to the SPI dump tab in HxD
6. Click Search -> Go to, a dialog will popup, enter the offset value you get in
(2)(e.g., 1000h).
7. Click Edit -> Select Block, a dialog will popup, click Length, and enter the
value you get in (4.2)(e.g., 17D000).
8. Click Edit -> Paste Write, you have successfully cleaned the ME Region.
9. Save the file by clicking File -> Save As, then specify the filename and
extension name (e.g., la-c341p_clean.bin)
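
The general procedure above, as an added Python example (not part of the original slides): it reads the ME region bounds from the flash descriptor, which is where the offset shown by UEFITool comes from, and refuses a paste-write that would run past that region. The sample images are constructed, and the check that `$FPT` appears in the first 0x20 bytes of a region is an assumption about the region header layout.

```python
import struct

FD_SIGNATURE = b"\x5a\xa5\xf0\x0f"  # flash descriptor signature 0x0FF0A55A, little-endian
FPT_MARKER = b"$FPT"                # marker the slides search for in HxD


def me_region_bounds(image: bytes) -> tuple:
    """Return (offset, size) of the ME region declared in the flash descriptor."""
    sig = image.find(FD_SIGNATURE, 0, 0x20)
    if sig < 0:
        raise ValueError("no flash descriptor: not a full SPI image")
    (flmap0,) = struct.unpack_from("<I", image, sig + 4)
    frba = ((flmap0 >> 16) & 0xFF) << 4                     # region table address
    (flreg2,) = struct.unpack_from("<I", image, frba + 8)   # third entry = ME region
    base = (flreg2 & 0x7FFF) << 12
    limit = (((flreg2 >> 16) & 0x7FFF) << 12) | 0xFFF
    if limit < base or limit >= len(image):
        raise ValueError("descriptor declares no usable ME region")
    return base, limit - base + 1


def replace_me_region(dump: bytes, clean_region: bytes) -> bytes:
    """Overwrite the ME region of `dump` with `clean_region` (HxD 'Paste Write')."""
    offset, size = me_region_bounds(dump)
    if len(clean_region) > size:
        raise ValueError("replacement is larger than the ME region; it would "
                         "overwrite the region that follows")
    # Assumption: a valid ME region carries "$FPT" within its first 0x20 bytes.
    if FPT_MARKER not in dump[offset:offset + 0x20]:
        raise ValueError("no $FPT at the declared ME offset; wrong offset or dump")
    if FPT_MARKER not in clean_region[:0x20]:
        raise ValueError("replacement file is not an ME region")
    out = bytearray(dump)
    # Same-length slice assignment: overwrites in place, never shifts later bytes.
    out[offset:offset + len(clean_region)] = clean_region
    return bytes(out)


def changed_outside(original: bytes, patched: bytes, offset: int, length: int) -> bool:
    """True if any byte outside [offset, offset+length) differs between the images."""
    end = offset + length
    return (len(original) != len(patched)
            or original[:offset] != patched[:offset]
            or original[end:] != patched[end:])


def build_sample_dump() -> bytes:
    """Constructed 16 KiB image: descriptor, 8 KiB ME region at 0x1000, 4 KiB BIOS."""
    desc = bytearray(b"\xff" * 0x1000)
    desc[0x10:0x14] = FD_SIGNATURE
    struct.pack_into("<I", desc, 0x14, 0x04 << 16)               # FRBA -> 0x40
    struct.pack_into("<I", desc, 0x48, (0x0002 << 16) | 0x0001)  # ME: 0x1000..0x2FFF
    me = bytearray(b"\xff" * 0x2000)
    me[0x10:0x14] = FPT_MARKER
    me[0x100:0x110] = b"INITIALIZED-DATA"   # stands in for initialization data
    return bytes(desc) + bytes(me) + b"BIOS" * 0x400


def build_sample_clean_region() -> bytes:
    """Constructed stock region of the same size, without the initialization data."""
    me = bytearray(b"\xff" * 0x2000)
    me[0x10:0x14] = FPT_MARKER
    return bytes(me)


if __name__ == "__main__":
    dump, clean = build_sample_dump(), build_sample_clean_region()
    offset, size = me_region_bounds(dump)
    patched = replace_me_region(dump, clean)
    print(f"ME region at {offset:X}h, size {size:X}h")
    print("bytes outside region changed:", changed_outside(dump, patched, offset, len(clean)))
```
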



Cleaning of ME/TXE Initialized DATA section
HEX Method – Detailed Procedure (2)
1. In this detailed hands-on lab, we use the dump (vn7_591.bin) with ME
firmware version 9.1.2.1010.
2. Drag vn7_591.bin file to ME Analyzer. See results on the right

Family, version, SKU must at least match.


Cleaning of ME/TXE Initialized DATA section
HEX Method – Detailed Procedure (2)
2. Drag the SPI dump file to UEFITool to get the offset value of 1000h.



Cleaning of ME/TXE Initialized DATA section
HEX Method – Detailed Procedure (2)
3. Load the SPI dump to HxD by dragging it

A new tab should appear bearing the name of the file – vn7_591.bin



Cleaning of ME/TXE Initialized DATA section
HEX Method – Detailed Procedure (2)
4. Drag the correct ME region from the repository to HxD

Another tab should appear indicating the name of the ME region you dragged from the repository
Cleaning of ME/TXE Initialized DATA section
HEX Method – Detailed Procedure (2)
4.1-3 Drag the correct ME region
from the repository to HxD
• Select the correct tab
• Press Ctrl + A, or Edit -> Select All
• When the content is highlighted,
press Ctrl + C, or Edit -> Copy to
copy the content to clipboard.

The idea is to copy the content to the clipboard so we can paste the content to the SPI dump image.
Cleaning of ME/TXE Initialized DATA section
HEX Method – Detailed Procedure (2)
5. Select the tab vn7_591.bin in
HxD
6. Click Search -> Go to, a dialog
will popup, enter the offset value
you get in (2)(e.g., 1000h)

The arrow above is the start of the ME Region that we should replace with a clean one. Do not try to click/move the cursor.
Cleaning of ME/TXE Initialized DATA section
HEX Method – Detailed Procedure (2)
7. Click Edit -> Select Block, a
dialog will popup, click Length,
and enter the value you get in
(4.2)(e.g., 17D000).

The block to be replaced must be equal in length to the ME image file that you loaded in step 4.
Cleaning of ME/TXE Initialized DATA section
HEX Method – Detailed Procedure (2)
8. Click Edit -> Paste Write, you
have successfully cleaned the ME
Region.

The above result indicates that you have written the content from the clipboard successfully.
Cleaning of ME/TXE Initialized DATA section
HEX Method – Detailed Procedure (2)
9. Save the file by clicking File ->
Save As, then specify the filename
and extension name (e.g.,
vn7_591_clean.bin).



Cleaning of ME/TXE Initialized DATA section
HEX Method – Detailed Procedure (2)
10. File verification & Checking
• Load the cleaned SPI image (vn7_591_clean.bin) to ME Analyzer again and
ensure they have the same version



Cleaning of ME/TXE Initialized DATA section
HEX Method – Final Test
• To pass this test, your resulting cleaned SPI image must be exactly
identical to vn7_951_cleaned_oliver.bin found in the demo folder.
• Load both your cleaned SPI image file and vn7_951_cleaned_oliver.bin to HxD



BIOS Editing
Editing Serial Number, SNID, etc.
• If the serial number offset address is not known for a particular laptop
model, then an existing SPI image dump is required.
• Objective – to transfer machine information to a working dump
(extracted from other systems) prior to flashing.
• Procedure
• Drag the original SPI image into HxD
• Use Search->Find (Ctrl+F) in HxD to search for the Serial Number, SNID, etc.
• Make sure that you record the exact address offset value and address length for each
piece of information that you want to search
• Open the working SPI dump from the other system
• Go to each offset address and modify the corresponding information (SN, SNID, etc.)



BIOS Editing
Extracting/Changing Win8/Win10 keys
• Objective: Transfer win8/win10 key to another system ;)
• Be careful when sending SPI dump for cleaning, other tech may have access
to your (customers’) keys
• Procedure
• Open Notepad++
• Drag in the SPI dump (any of your dumps or a PLT dump) ;)
• Click Search –> Find, then enter the following:
• ([A-Z0-9]{5}-[A-Z0-9]{5}-[A-Z0-9]{5}-[A-Z0-9]{5}-[A-Z0-9]{5})
• Make sure Search Mode is set to regular expression
• Click Find Next until you find the key.
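
A check for the warning above about sending dumps out for cleaning, as an added Python example (not part of the original slides): it applies the same pattern to the raw bytes of a dump, reports where key-shaped strings sit with all but the last group masked, and produces a same-length copy with them overwritten. The sample bytes are constructed; the redact-then-restore workflow is an assumption and only holds when the returned image keeps the same offsets, as a same-length ME region replacement does.

```python
import re

# Same pattern as the Notepad++ search, applied to bytes. The lookarounds are
# an addition so that longer runs (six or more groups) are not reported.
KEY_RE = re.compile(rb"(?<![A-Z0-9-])[A-Z0-9]{5}(?:-[A-Z0-9]{5}){4}(?![A-Z0-9-])")


def find_product_keys(dump: bytes) -> list:
    """Return (offset, masked_key) for every key-shaped ASCII string in the dump."""
    hits = []
    for match in KEY_RE.finditer(dump):
        key = match.group().decode("ascii")
        # Show only the last group so the report itself does not leak the key.
        hits.append((match.start(), "XXXXX-" * 4 + key[-5:]))
    return hits


def redact_product_keys(dump: bytes) -> bytes:
    """Copy of the dump with each key overwritten by filler of the same length."""
    return KEY_RE.sub(lambda m: b"X" * len(m.group()), dump)


def restore_product_keys(returned: bytes, original: bytes) -> bytes:
    """Write the keys found in `original` back into `returned` at the same offsets."""
    if len(returned) != len(original):
        raise ValueError("image size changed; offsets are no longer comparable")
    out = bytearray(returned)
    for match in KEY_RE.finditer(original):
        out[match.start():match.end()] = match.group()
    return bytes(out)


def build_sample_dump() -> bytes:
    """Constructed bytes: one key-shaped string and one six-group decoy."""
    return (b"\xff" * 32 + b"MSDM" + b"\x00" * 8
            + b"ABCDE-12345-FGHIJ-67890-KLMNO"          # constructed, not a real key
            + b"\xff" * 16
            + b"AAAAA-BBBBB-CCCCC-DDDDD-EEEEE-FFFFF"    # six groups: not reported
            + b"\x00" * 4)


if __name__ == "__main__":
    sample = build_sample_dump()
    for offset, masked in find_product_keys(sample):
        print(f"key-shaped string at offset {offset:X}h: {masked}")
    shared = redact_product_keys(sample)
    print("keys left in shared copy:", len(find_product_keys(shared)))
```
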



BIOS Editing
Password Reset
• Various methods for resetting the BIOS password
• Entering the BIOS master password (http://www.bios-pw.org)
• Shorting out the RTC_RST# and SRTC_RST# or the jumper near the DIMM slot
or PSWDCLR
• Flashing with a known-good System BIOS dump/stock firmware (in some
cases, the password is in the SIO chip)
• Replacing the BIOS Region of the System BIOS Dump
• Editing the platform.ini to reset the password



BIOS Extraction from EXE
General Guidelines
• Normally, firmware can be extracted from a BIOS update downloaded from the
manufacturer website using the following tools
• WinRar, 7zip
• Universal Extractor - https://www.legroom.net/software/uniextract
• Check if the extracted file is correct
• Correct size is multiples of 1024
• 64 kB
• 128 kB
• 256 kB
• 512 kB
• 1 MB = 1 x 1024KB = 1024KB
• 2 MB = 2 x 1024KB = 2048KB
• 4 MB = 4 x 1024KB = 4096KB
• 8 MB = 8 x 1024KB = 8192KB
• 16 MB = 16 x 1024KB = 16384KB
• But there are some situations where this is not possible because the file is
encrypted
• In this case, we use their respective tool or any 3rd party tool



BIOS Extraction
• Extraction Method
• HP Tool – use the tool found in tools\HP-InsydeFlash.rar
• Acer – just extract using winrar/7zip then edit the file to fix the size if needed
• Dell Firmware Update
• Older Dell firmware can be extracted using the syntax
• firmware.exe /writeromfile
• firmware.exe /writehdrfile
• For newer Dell BIOS updates,
• Extract to HDR using utilities in Tools folder
• Possibly convert HDR to ROM/Bin
• Toshiba – use winrar/7zip to extract
• Lenovo
• Use innoextract, then winrar/7zip to extract the resulting exe file from innoextract
• Then edit the file to fix the size
• Asus -
• Samsung – use samsung_find_gz.exe (may not work for some files)



BIOS Extraction
Extracting firmware from EXE
• Generic firmware extraction procedure
• Press Windows + R, open this folder
• %userprofile%\appdata\Local\temp
• Delete all files & folders you find there. You will thank me later ;)
• Go to our demo folder
• Demo\extraction\v3-572
• Double click the exe
• Z5WAH109.exe and click YES if UAC pops up
• Ignore the error message that pops up and don’t click any dialog window yet until the next
procedure is completed
• You should see a new folder in your temp folder
• Copy the isflash.bin with 9896KB in size to your demo\extraction\v3-572 folder
• This file is what we need for further processing later
• Also save the whole folder and rename for further processing of isflash.bin (using Method 1)
If you’re lucky (when used with other BIOS updates downloaded from the manufacturer), you’ll get an FD, ROM or BIN file that may
not require further processing.
BIOS Extraction
Extracting SPI Image from ISFLASH.BIN
• Method 1
• From your old SPI Dump, get the
offset location of ME Region
• Usually this is 1000h, 2000h or
3000h
• Drag the isflash.bin to HxD
• Click Edit->Select Block, a dialog
will popup,
• enter the offset you got previously in
Start-Offset
• Enter 800000h in Length



BIOS Extraction
Extracting SPI Image from ISFLASH.BIN (2)
• Method 1
• Save the filename as
isflash_cropped.bin or any file
name you want.
• Validate isflash_cropped.bin
• Check the file with ME Analyzer
• Load the file into FITC to check that it loads correctly
• If there is no warning/error, then the file is ready to flash to the target system.



BIOS Extraction
Extracting SPI Image from EXE
• Applicability
• Acer
• Method 2
• Extract BiosExtractor.rar and use it to get the main/ec bios from EXE
• Run BiosExtractor.exe and load the EXE downloaded from Acer
• Click extract
• The main and EC bios will be saved in the same folder as the EXE/BIN
• Verification
• Use ME Analyzer and FITC to verify the extracted main bios is ok.



BIOS Extraction
Splitting EC & MAIN BIOS
• Condition
• BIOS file from manufacturer is not encrypted
• EC & MAIN SPI image are embedded together in a single file
• File size is greater than normal (see slide #72)
• Access to original EC and MAIN SPI Image
• Procedure
• Load the EC dump to HxD and copy the first line ( and last line
• Load the BIOS downloaded from manufacturer
• Search the ‘first line’ from the loaded BIOS and record the offset value
• Search the last



HP DMI Tools
• Specific Branding Tools
• HP DMI Tools
• Lenovo SerialNumberChanger
