[REQUEST] Lenovo Thinkpad X240 (GIETxxWW) Whitelist Removal

[BDMaster]

In the latest BIOS versions of both X240 and T440 module PlatformHiiAdvancedDxe (CFEF94C4-4167-466A-8893-8779459DFA86) contains settings "BIOS Lock" and "SMM Lock". BIOS Lock is disabled by default, so you don't need to worry about it.

I agrre with these considerations as when I was experimenting Recovery Mode on Acer series I found that many Eeprom were Write Unprotect when laptops had original (from manufacturers) Bioses and after update Eeprom begun Protected.
Same thing for .efi module modify ! all mods will work after flashing not before !
When InsydeFlash write Bios and in UEFI is worse, The actual Bios check the new bypassing InsydeFlash control !
I exprimented many things with Descriptors and ME Region so I agree completely with Xsmile !
I think that Donovan is much forward us as He has done many experiments and disassembled many modules (He knows better CodeRush and his discoveries), but
He don't want to share yet it.
I know that so far the better way to unlock all was mod original, do the Recovery and get full control on Eeprom (excluded Descriptors Region only way is SPIPGM),
but I am experimenting now for Acer that in new series V5 Recovery is not present and all Eeprom are write protect like the Insyde know where was the hole and They have patched !
So It's very difficult as We have to Patch InsydeFlash with dll and then the Bios to flash, but We have to get a SPI Programmer too !
Regards

[rozker]

In the latest BIOS versions of both X240 and T440 module PlatformHiiAdvancedDxe (CFEF94C4-4167-466A-8893-8779459DFA86) contains settings "BIOS Lock" and "SMM Lock". BIOS Lock is disabled by default, so you don't need to worry about it.

@xsmile: what utility do you use to read and edit the UEFI bios settings?

i've been searching for some old bios for x240, in the hope to find a lock-free version.
for x240s it's possible to flash 1.11 or 1.07, but those versions won't match the x240 i guess because of the different part id.
maybe it's possible to find some unprotected version for x240 too, or patch winflash64.exe to accept this version for x240? what if UEFI flasher doesn't check the part id and only the bios digital signature? hehe.. lil hope.


<2.10>
UEFI: 2.10 / ECP: 1.08
- (New) Added support for ThinkPad X240.
- (New) Added support for Intel BIOS Guard.
- (New) Updated CPU microcode.
- (New) Updated Diagnostics module to version 2.01.06.
- (Fix) Fixed an issue where CDP mode of Always On USB did not work after
resuming from sleep state of Intel Rapid Storage Technology.
- (Fix) Fixed an issue that WMI for UEFI PXE Boot Priority did not work.
- (Fix) Fixed an issue where help messages in the ThinkPad Setup were incorrect.

<1.11>
UEFI: 1.11 / ECP: 1.07
- (New) Updated Intel Graphic Output Protocol driver.
- (New) Updated Diagnostics module to version 2.01.04.
- (Fix) Fixed an issue where system might resume immediately from sleep state
when USB2.0 device was attached via USB3.0 Hub.
- (Fix) Fixed an issue where system might fail to resume by Intel Rapid Storage
Technology with some configuration.
- (Fix) Fixed an issue of intermittent error before flashing BIOS on the system
Ericsson N5321gw wireless WAN device attached.
- (Fix) Fixed an issue that WMI for Smart Card did not work.
- (Fix) Fixed an issue where help messages in the ThinkPad Setup were incorrect.

<1.07>
UEFI: 1.07 / ECP: 1.05
- (New) Initial release for ThinkPad X240s.

[wisar]

RE: Lenovo X240 BIOS Whitelist for Intel 7620 AC
I have make a mod for x240 firmware.
this is the link:
http://www.sendspace.com/file/iho7ww
I have test it, works fine on my x240.
Use it at your own risk.Tongue
Hi all ! Sorry for my bad English ...
Ill try this method but have :
failed to verify secure flash image
Replace the same name file under:
C:\DRIVERS\FLASH\giuj10us\GIET72WW - not last bios <<<
and run:
C:\DRIVERS\FLASH\giuj10us\WINUPTP
Please help me solve this .... I have the latest bios Version
: 2.23 from 04 May 2014, I only need working wifi card , lte work fine.

[Orth]

I have make a mod for x240 firmware.
this is the link:
http://www.sendspace.com/file/iho7ww

I have test it, works fine on my x240.
Use it at your own risk.

I've got the same issue on my x240 20AL-0067RT

[2014/5/29 18:38:32]
OS = Windows 8 64bit
Driver Loading....Done
System BIOS Version -> GIET73WW
Applying BIOS Version -> GIET72WW
Note : Applying BIOS is older than System BIOS.
System EC Version -> GIHT28WW
Applying EC Version -> GIHT28WW
AC adapter/Battery check....OK.

BIOS Flashing....
The number of retries of BIOS update = 1
The number of retries of BIOS update = 2
The number of retries of BIOS update = 3
Failed.
Error : Failed to verify Secure Flash image.

Error code = 234

Do you have any idea?

[ucupsz]

BDMaster and xsmile,
do you think that changing the flash descriptor bits will enable us writing the bios directly using intel fpt?

btw, the reason for me doing all of this hack is to get broadcomm wifi card working in T430 so that i can install OSX. last night i found out that someone in insanelymac manage to have express card based wifi working in broadcomm.

In the latest BIOS versions of both X240 and T440 module PlatformHiiAdvancedDxe (CFEF94C4-4167-466A-8893-8779459DFA86) contains settings "BIOS Lock" and "SMM Lock". BIOS Lock is disabled by default, so you don't need to worry about it.

I agrre with these considerations as when I was experimenting Recovery Mode on Acer series I found that many Eeprom were Write Unprotect when laptops had original (from manufacturers) Bioses and after update Eeprom begun Protected.
Same thing for .efi module modify ! all mods will work after flashing not before !
When InsydeFlash write Bios and in UEFI is worse, The actual Bios check the new bypassing InsydeFlash control !
I exprimented many things with Descriptors and ME Region so I agree completely with Xsmile !
I think that Donovan is much forward us as He has done many experiments and disassembled many modules (He knows better CodeRush and his discoveries), but
He don't want to share yet it.
I know that so far the better way to unlock all was mod original, do the Recovery and get full control on Eeprom (excluded Descriptors Region only way is SPIPGM),
but I am experimenting now for Acer that in new series V5 Recovery is not present and all Eeprom are write protect like the Insyde know where was the hole and They have patched !
So It's very difficult as We have to Patch InsydeFlash with dll and then the Bios to flash, but We have to get a SPI Programmer too !
Regards

[rozker]

I've got the same issue on my x240 20AL-0067RT

Russian version? I gave up finding a software backdoor to flash the bios, and I've ordered a hardware programmer, it's gonna arrive very soon already. While waiting, I tried to disassemble my x240 and found the bios chip. It appears to be Winbond 25Q128FVSSIQ, 16MB Quad Speed SPI serial flash. I also tried to order a blank spare chip from China just in case but haven't been able to find one. That's because it's very new I guess. 25Q128BV... is widely available, that's an older version. I just hope I'll be able to flash it just in place, without desoldering it

[ucupsz]

rozker..
1. is x240 only have 1 chip?
my T430 has 2 chip from macronix, 4MB and 8MB size.
2. can you share what kind of hardware programmer did you order?
i tried to use my hardware programmer to flash winbond type of chip on my intel board, but failed.
it doesn't support the chip natively. the forum and support is not responsive.

thx

[rozker]

Yes x240 has only one 16MB chip. 25Q128FVSSIQ. FPT recognizes it as 25Q128BV though. That's because both chips share the same hardware id. And FV and Q appears to be the newer version with quad speed bit turned on. The programmer that I ordered has BV chip listed in its support list, but no FV. I hope that chip can be programmed using normal speed SPI.

That' the programmer:
http://www.aliexpress.com/item/Russian-S...34165.html

Try to check your chip in the programmer's compatibility list. Since it's just 8MB I guess you're okay there, because those chips are not very new.

[rozker]

Also i made the WL patch and SMM lock patch for X240. Just waiting for my hardware programmer to arrive so I flash it into the chip and try

About SMM lock: is it enough to just patch PchBiosWriteProtect.efi as described at http://www.insanelymac.com/forum/topic/2...try1993117 ? I found the code in X240 bios.

Or I should also modify hidden default "SMM Lock" bios setting in PlatformHiiAdvancedDxe (CFEF94C4-4167-466A-8893-8779459DFA86) ? I managed to extract settings using Universal IFR Extractor, but how do I modify those settings to be able to flash them back into the bios?

[BDMaster]

BDMaster and xsmile,
do you think that changing the flash descriptor bits will enable us writing the bios directly using intel fpt?

btw, the reason for me doing all of this hack is to get broadcomm wifi card working in T430 so that i can install OSX. last night i found out that someone in insanelymac manage to have express card based wifi working in broadcomm.

In the latest BIOS versions of both X240 and T440 module PlatformHiiAdvancedDxe (CFEF94C4-4167-466A-8893-8779459DFA86) contains settings "BIOS Lock" and "SMM Lock". BIOS Lock is disabled by default, so you don't need to worry about it.

I agrre with these considerations as when I was experimenting Recovery Mode on Acer series I found that many Eeprom were Write Unprotect when laptops had original (from manufacturers) Bioses and after update Eeprom begun Protected.
Same thing for .efi module modify ! all mods will work after flashing not before !
When InsydeFlash write Bios and in UEFI is worse, The actual Bios check the new bypassing InsydeFlash control !
I exprimented many things with Descriptors and ME Region so I agree completely with Xsmile !
I think that Donovan is much forward us as He has done many experiments and disassembled many modules (He knows better CodeRush and his discoveries), but
He don't want to share yet it.
I know that so far the better way to unlock all was mod original, do the Recovery and get full control on Eeprom (excluded Descriptors Region only way is SPIPGM),
but I am experimenting now for Acer that in new series V5 Recovery is not present and all Eeprom are write protect like the Insyde know where was the hole and They have patched !
So It's very difficult as We have to Patch InsydeFlash with dll and then the Bios to flash, but We have to get a SPI Programmer too !
Regards

I am sorry for delay,
Yes changing Descriptors Locks You can acess to Read and Write at all EC Regions !
If You want to look the Form of your Bios File load It into CodeRush UEFI Tool and It will display all locks and Regions Segment and size !
Then You can use the Intel FICT tool to exzmine better and modify your Bios !
Regards

P.S. only way to read and wriite Descriptors is by SPI PGM