![[-]](https://www.bios-mods.com/forum/images/black/collapse.png "[-]")
07-08-2022, 08:06 PM
Unlocking BIOS on An Embeded Device
# The device
Its BIOS reads:
- InsydeH20 Version: APL.1.0.15
- UEFI Version: 2.5
The BIOS has two main interfaces:
- `Front Page`
The first interface after hitting `ESC` key repeatly right after pressed its power button.
Please reference the attachment `The device - front page.png`
- `Setup Utility`
Please refernce the attachment `The device - Setup Utility.png`
Main chips on its board:
- CPU: `Atom Processor E3930`
- BIOS Chip: `MXIC MX, 2SU6473F, M2I-10G, 8E544200, L18489S`
- TPM Chip: `Infineon, SLB 9670, VQ20 30, T6H1839`
- Network Chip: `Marvell, W8997-M1216`
# Whats wanted
There are two limitations on its bios:
- The booting OS is EFI protected, i.e., only the customized Ubuntu 16.04 OS distributed by its manufactory can be booted.
Trying to boot from a different OS installation (EFI, not legacy mode) USB stick will leads to `\EFI\BOOT\BOOTx64.EFI has been blocked by the current security policy.`
So, to my understanding, one need to do sth. like `Clean TPM` to set the TPM status, or disable the protection, before install different OSs.
However, There is no such option in its BIOS. It seems these options are hidden (ref `Whats tried`).
- One of the USB 3.0 port is limited to be use as a network access point (like a router).
Can't find related options in the BIOS neither.
So, wanted:
- unlocking the options for TPM/Secure boot options
- unlocking the options for USB Ports settings.
# Whats tried
## Extract the stock BIOS image
Extracted its original BIOS image from the MXIC chip using CH341A Programmer.
Please reference the attachment `Stock BIOS image.bin`.
## A small experiment
After some searching (I am new to BIOS modding), found a tool, `InsydeH2OEZE_x86_WIN_100.00.03.04`, can be used to read the image.
So I tried to make a small change of its `BIOS version` content from `APL.1.0.15` to `APL.1.0.15.toMod`.
Then reflashed the mod bios image back to the MXIC chip.
After that the device can boot to its BIOS and the `Version` reads `APL.1.0.15.toMod`.
## Lets GTD
So I tried to continue.
First, the export result from `H2OEZE`'s `Function`-`other`-`Setup menu`-`Export setup menu`,
shows there are `TPM` related options exists. So they were just hidden somehow.
(Please reference the attachment `Export setup menu.csv` for the result.)
Second, some online posts suggested the visibility of the options may controlled by `H2OFormBrowserDxe` module.
So, the module was exported via `H2OEZE`'s `Function`-`BIOS image`-`Components`-`Module`-`Export module`-`9E5DAEB4-.. (H2OFormBrowserDxe)`,
this result the attachment `9E5DAEB4-(H2OFormBrowserDxe).ffs`.
Then using `Universal IFR Extractor v0.5(2014 donovan6000)` to extract its info from it.
However, its extraction, `9E5DAEB4-(H2OFormBrowserDxe) IFR.txt`, provides no usable info -- its almost empty.
Third, as there is a `Setup Utility` interface, so the `SetupUtility` module was exported -`FE3542FE-C1D3.FV04.SetupUtility.ffs`.
Then using the `IFR extractor` to extract it, which results `FE3542FE-C1D3.FV04.SetupUtility IFR.txt`.
There are two things about it:
- I failed to find 'TPM' or 'secure boot' related options in the result.
- As an experiment, working on learning how to modify the `ffs` file with the help from the `IFR` txt to enable the options in the module, such as the `SystemConfig`.
Any advices?
Many thanks!
# The device
Its BIOS reads:
- InsydeH20 Version: APL.1.0.15
- UEFI Version: 2.5
The BIOS has two main interfaces:
- `Front Page`
The first interface after hitting `ESC` key repeatly right after pressed its power button.
Please reference the attachment `The device - front page.png`
- `Setup Utility`
Please refernce the attachment `The device - Setup Utility.png`
Main chips on its board:
- CPU: `Atom Processor E3930`
- BIOS Chip: `MXIC MX, 2SU6473F, M2I-10G, 8E544200, L18489S`
- TPM Chip: `Infineon, SLB 9670, VQ20 30, T6H1839`
- Network Chip: `Marvell, W8997-M1216`
# Whats wanted
There are two limitations on its bios:
- The booting OS is EFI protected, i.e., only the customized Ubuntu 16.04 OS distributed by its manufactory can be booted.
Trying to boot from a different OS installation (EFI, not legacy mode) USB stick will leads to `\EFI\BOOT\BOOTx64.EFI has been blocked by the current security policy.`
So, to my understanding, one need to do sth. like `Clean TPM` to set the TPM status, or disable the protection, before install different OSs.
However, There is no such option in its BIOS. It seems these options are hidden (ref `Whats tried`).
- One of the USB 3.0 port is limited to be use as a network access point (like a router).
Can't find related options in the BIOS neither.
So, wanted:
- unlocking the options for TPM/Secure boot options
- unlocking the options for USB Ports settings.
# Whats tried
## Extract the stock BIOS image
Extracted its original BIOS image from the MXIC chip using CH341A Programmer.
Please reference the attachment `Stock BIOS image.bin`.
## A small experiment
After some searching (I am new to BIOS modding), found a tool, `InsydeH2OEZE_x86_WIN_100.00.03.04`, can be used to read the image.
So I tried to make a small change of its `BIOS version` content from `APL.1.0.15` to `APL.1.0.15.toMod`.
Then reflashed the mod bios image back to the MXIC chip.
After that the device can boot to its BIOS and the `Version` reads `APL.1.0.15.toMod`.
## Lets GTD
So I tried to continue.
First, the export result from `H2OEZE`'s `Function`-`other`-`Setup menu`-`Export setup menu`,
shows there are `TPM` related options exists. So they were just hidden somehow.
(Please reference the attachment `Export setup menu.csv` for the result.)
Second, some online posts suggested the visibility of the options may controlled by `H2OFormBrowserDxe` module.
So, the module was exported via `H2OEZE`'s `Function`-`BIOS image`-`Components`-`Module`-`Export module`-`9E5DAEB4-.. (H2OFormBrowserDxe)`,
this result the attachment `9E5DAEB4-(H2OFormBrowserDxe).ffs`.
Then using `Universal IFR Extractor v0.5(2014 donovan6000)` to extract its info from it.
However, its extraction, `9E5DAEB4-(H2OFormBrowserDxe) IFR.txt`, provides no usable info -- its almost empty.
Third, as there is a `Setup Utility` interface, so the `SetupUtility` module was exported -`FE3542FE-C1D3.FV04.SetupUtility.ffs`.
Then using the `IFR extractor` to extract it, which results `FE3542FE-C1D3.FV04.SetupUtility IFR.txt`.
There are two things about it:
- I failed to find 'TPM' or 'secure boot' related options in the result.
- As an experiment, working on learning how to modify the `ffs` file with the help from the `IFR` txt to enable the options in the module, such as the `SystemConfig`.
Any advices?
Many thanks!
![[Valid RSS]](valid-rss.png "Validate my RSS feed")