What can we do?
- Extract current BIOS
- Update the microcodes, this is the most important modification to make
- Update RST firmware, this is responsible for SATA/RAID
- Update iGPU VBIOS
- Add KVM/AMT to the BIOS ME region, enables vPro stuff like remote desktop even if system is off
- Modify Dell boot logo, replace it with a fruity pineapple if you're so inclined
- Modify DSDT tables, in theory we could add all our ACPI patches needed for macOS to the BIOS itself
- Add NVMe support to the BIOS
- Flashing
- Verify
- Windows 10 Live
- Recovery
- Unlocking
- Windows 10, see below for a guide for those who have left Windows behind long ago
- UBU
- Intel ME Platform Tools 9.1
- Intel firmware files
- Intel BMP
- MMTool
All those we need can be found the first post of this thread. Search for SoniX's MEGA link in there and open it up.
The things you need to download from the Mega repo are:
- UBU_v1_xxxxx.rar
- Tools -> mmt.rar
- Files_xxxxx -> Intel GOP/RST/VBIOS .7z files
We also need Intel ME System Tools 9.1, a download link can be found here, search for 9.1 r7. Download and unpack the ME System Tools to C:.
Install Intel BMP and unpack the ME System Tools to C:.
Intel for some reason doesn't make their ME System Tools public, but now that we have a copy we can unpack it and start using some of the tools. First lets check the versions.
Open a new PowerShell as admin and go to the MEInfo\WIN64 folder and run .\MEInfoWin64.exe:
PS C:\Intel ME System Tools v9.1 r7\MEInfo\WIN64> .\MEInfoWin64.exe
Intel(R) MEInfo Version: 9.1.45.3000
Copyright(C) 2005 - 2017, Intel Corporation. All rights reserved.
Intel(R) ME code versions:
BIOS Version: A18
MEBx Version: 9.0.0.0029
Gbe Version: 1.3
VendorID: 8086
PCH Version: 4
FW Version: 9.1.45.3000 H
LMS Version: Not Available
MEI Driver Version: 11.7.0.1032
I removed the rest as its not important for this check. Simply make sure your MEBx is at version 9.0.x and the firmware is on 9.1.x. If you're on the latest Dell BIOS these should match up.
We can only upgrade MEBx and the firmware within its major release. This means that we have to stay on 9.0.x for MEBx and 9.1.x for firmware related things. This is no problem and we're not touching those.
Now lets extract the current BIOS, don't use any other tools do this, we can't just extract the .rom file from the Dell BIOS executable.
Navigate to the Flash Programming Tool\WIN64 folder and execute .\fptw64.exe -bios -d bios_backup.bin:
PS C:\Intel ME System Tools v9.1 r7\Flash Programming Tool\WIN64> .\fptw64.exe -bios -d bios_backup.bin
Intel (R) Flash Programming Tool. Version: 9.1.10.1000
Copyright (c) 2007 - 2014, Intel Corporation. All rights reserved.
Platform: Intel(R) Q87 Express Chipset
Reading HSFSTS register... Flash Descriptor: Valid
--- Flash Devices Found ---
MX25L6405D ID:0xC22017 Size: 8192KB (65536Kb)
MX25L3205A ID:0xC22016 Size: 4096KB (32768Kb)
- Reading Flash [0xC00000] 6144KB of 6144KB - 100% complete.
Writing flash contents to file "bios_backup.bin"...
Memory Dump Complete
FPT Operation Passed
We now have a backup of the BIOS and the file we need to apply our modifications to. We can move on to the next section.
Extract UBU somewhere simple. I picked C:\UBU. Now you'll need to find a copy of MMTool. We downloaded a file called mmt.rar, extract it and you'll find a bunch of versions of the MMTool utility. I used v4.50.0.23 and renamed it to mmtool_a4.exe and placed in the UBU root folder. At this point also copy your extracted BIOS to this folder and rename it to bios.bin.
First we will apply microcode patches. These fix processor related bugs and security issues. It is a must to keep these up to date, don't expect much from Dell at this point.
Still in the UBU root folder right click UBU.bat and run it as admin. It will find the extracted bios and starts to analyse it and taking it apart. Let it do its thing, when its done press any key to continue and you'll be presented with a menu (the file not found message can be ignored).
Next enter 5 to enter the microcode section. It will print a table showing the current versions and if there are any updates for it. On mine it looked like this:
╔═════════════════════════════════════════╗
║ MC Extractor v1.42.0 r140 ║
╚═════════════════════════════════════════╝
╔═════════════════════════════════════════════════════════════════╗
║ Intel ║
╟─┬─────┬───────────┬────────┬──────────┬────┬──────┬────────┬────╢
║#│CPUID│Platform ID│Revision│ Date │Type│ Size │ Offset │Last║
╟─┼─────┼───────────┼────────┼──────────┼────┼──────┼────────┼────╢
║1│40661│ 32 (1,4,5)│ 1B │2019-02-26│PRD │0x6400│0x3CB150│ No ║
╟─┼─────┼───────────┼────────┼──────────┼────┼──────┼────────┼────╢
║2│40660│ 32 (1,4,5)│FFFF0011│2012-10-12│PRE │0x6400│0x3D1950│Yes ║
╟─┼─────┼───────────┼────────┼──────────┼────┼──────┼────────┼────╢
║3│306C3│ 32 (1,4,5)│ 27 │2019-02-26│PRD │0x5C00│0x3D8150│ No ║
╟─┼─────┼───────────┼────────┼──────────┼────┼──────┼────────┼────╢
║4│306C2│ 32 (1,4,5)│FFFF0006│2012-10-17│PRE │0x5800│0x3DE150│Yes ║
╟─┼─────┼───────────┼────────┼──────────┼────┼──────┼────────┼────╢
║5│306C1│ 32 (1,4,5)│FFFF0013│2012-06-14│PRE │0x6000│0x3E3950│ No ║
╚═╧═════╧═══════════╧════════╧══════════╧════╧══════╧════════╧════╝
We'll end up in another menu, all we want to enter here is F. It will find and replace anything that can be updated, like this:
Note: The values and number of updates for your machine could be different, on mine it also cleared out 2 entries. It won't remove anything that could prevent booting up. And you can always flash back your backup, or download the BIOS from Dell and flash the BIOS with that. If you change the CPU you may need to re-run the above but I'm not certain about that.
Choice:F
CPUID 306C3 found.
Files\Intel\mcode\1150\cpu306C3_plat32_ver00000028_2019-11-12_PRD_DBD4CFD1.bin
Checksum correct.
CPUID 306C2 found.
Files\Intel\mcode\1150\cpu306C2_plat32_verFFFF0006_2012-10-17_PRE_30531EB4.bin
Checksum correct.
CPUID 306C1 found.
Files\Intel\mcode\1150\cpu306C1_plat32_verFFFF0014_2012-07-25_PRE_E86E3EB1.bin
Checksum correct.
Generate FFS with Microcode
╔═════════════════════════════════════════╗
║ MC Extractor v1.42.0 r140 ║
╚═════════════════════════════════════════╝
╔═══════════════════════════════════════════════════════════════╗
║ Intel ║
╟─┬─────┬───────────┬────────┬──────────┬────┬──────┬──────┬────╢
║#│CPUID│Platform ID│Revision│ Date │Type│ Size │Offset│Last║
╟─┼─────┼───────────┼────────┼──────────┼────┼──────┼──────┼────╢
║1│306C3│ 32 (1,4,5)│ 28 │2019-11-12│PRD │0x5C00│ 0x18 │Yes ║
╟─┼─────┼───────────┼────────┼──────────┼────┼──────┼──────┼────╢
║2│306C2│ 32 (1,4,5)│FFFF0006│2012-10-17│PRE │0x5800│0x5C18│Yes ║
╟─┼─────┼───────────┼────────┼──────────┼────┼──────┼──────┼────╢
║3│306C1│ 32 (1,4,5)│FFFF0014│2012-07-25│PRE │0x6000│0xB418│Yes ║
╚═╧═════╧═══════════╧════════╧══════════╧════╧══════╧══════╧════╝
These microcodes will be entered into your BIOS file
R - Start replacement
0 - Cancel
Choice:
Now we enter R to replace the old microcodes with the new ones in the BIOS file.
Choice:R
[Preparing for replacement]
BIOS file backup
[Replacement]
mCode FFS: File replaced
Real Pointer
_FIT_ Offset - FFA90740 == FFA90740
Real _FIT_
01 mCode Offset - FFDCB150 != FFDC9610
Fixed - FFDCB150
mCode Size - 5C00
02 mCode Offset - FFDD0D50 != FFDCFE10
Fixed - FFDD0D50
mCode Size - 5800
03 mCode Offset - FFDD6550 != FFDD6610
Fixed - FFDD6550
mCode Size - 6000
Changes _FIT_ saved
Press any key to continue . . .
After pressing any key we're back in the menu with the table on top. You will notice the table now shows the updated microcodes. We are now done here. Press 0 to return to the main menu.
Now there are more things we can update here, one could be very useful but not really required; we can update the SATA/RAID (RST) drivers, though unfortunately it doesn't magically add a RAID controller to 7020 boards. If only!
I have tried a few versions and didn't notice any differences, but if you do have a RAID controller there could be benefits. For example using a modified version that allows for RAID0 booting and TRIM from the BIOS itself. You can find a lot more detailed information on the Win-Raid forums. Also note that the latest versions don't always mean best performance.
What I did update were the ethernet firmware and iGPU VBIOS. Remember those Intel GOP/VBIOS/RST files we grabber earlier? We're going to extract the GOP one. Copy the 2 files found in \Intel_GOP_VBT_r2\HSW\189 to C:\UBU\Files\Intel\VBIOS.
UBU should still be open and if you enter 2 in the menu now and new menu will appear displaying a current and available section. Verify the available version is newer than your current one and press 1 to update those in the BIOS file.
At the time of writing version 5.5.1034 was the newest and probably will be forever. Somehow despite the folder the updates were in being called 189 the RAW GOP VBT is left at version 184. It appears the files only update the GOP driver.
Press any key to return to the main menu and now press 3 another current and available menu will appear. Here I could update my ethernet firmware from 0.0.17 to 0.0.27. Press 1 to update the drivers inside the BIOS.
If you wish you can also try RST drivers, but for now I left those alone until I know a bit more about the impact they may or may not have on performance. I left mine at the default. Only apply updates you want. But at least apply the microcode updates for security sake.
We're now done modifying the BIOS, wew.
Press 0 to return to the main menu and then press 0 again then press 1 to save the BIOS as mod_bios.bin.
Time to move on to the next section or if you don't want to add KVM/AMT or change the BIOS logo skip ahead to flashing.
Most Dell OptiPlex system have an Intel feature called vPro, this allows for remote management. Even when the computer is turned off! When I went into the MEBx the first to change the password I noticed sometimes KVM/AMT was not an option or could not be enabled. The BIOS was missing some parts. This is not an issue because we can update MEBx so these options become available again.
Being able to login remotely when the machine is turned off and to be able to turn it on, change BIOS settings or install a new OS is pretty cool and if you need manage lots of computers at work much easier on the legs.
We will also need to download the latest MEBx compatible with our machine. We can only update without in the major branch so we are stuck with 9.0.x MEBx and a 9.1.x firmware for it. It can sound a bit confusing, but look at it as MEBx being an operating system. The OS is running version 9.0.x and can only be upgraded within that branch. The firmware the OS uses is at 9.1.x and can only be upgraded within that branch. Maybe it is possible to upgrade but it would involve more risks than benefits. Reprogramming chips in specialised tools are not worth the gains.
- Go to this forum thread and look for the
B. Intel (Converged Security) Management Engine Firmware Repositorysection, download the firmware file that's linked for 9.1. - Open the
\Intel ME System Tools v9.1 r7\Flash Image Tool\WIN32folder and double clickfitc.exe. Once open drag your extractedmod_bios.binfile in it. - From the build menu open build settings and disable
Generate intermediate build files. Leave the window open and navigate to\Intel ME System Tools v9.1 r7\Flash Image Tool\WIN32\mod_bios\Decompin the folder copy the new firmware downloaded (in my case this file was called 9.1.45.3000_5MB_PRD_RGN.bin) in step 1 to this folder and rename it toME Region.bin. If such a file already exists, remove it. - Go back to Flash Image Tool (
fitc.exe) that should still be open. Press F5 to build a new image, press yes when asked about a boot profile. Navigate to\Intel ME System Tools v9.1 r7\Flash Image Tool\WIN32\Buildand copyoutimage.binto your desktop and rename it back tomod_\bios.bin(this is optional but to keep this guide working it has to to be renamed to avoid confusion).
Tip: With KVM/AMT enabled you can manage the machine with something like Meshcommander. And some basics from the a web browser. I'll leave that all to you to explore.
Now that we have a final image (mod_bios.bin) all up to date we can change the Dell BIOS logo. This will be easy compared to the other mods.
Download UEFITool and paint.net.
- Open UEFITool and drag your mod_bios.bin BIOS image in there then press
control + fand change to the GUID tab. - Paste
EB3001D5-F827-4938-95E2-5C8F644B966Fin to the GUID search box and double click on the result in the box below. - In the main window the GUID is now highlighted, expand it until see
Raw sectionand right click on it. - Select
Extract bodyand save it aslogo.bmp. Leave UEFITool open for now. - Open the logo in paint.net and do your thing!
- Once done save the file as a 4bit bitmap, don't use too many colours it will look bad. Save it as
new-logo.bmp. - Exit paint.net and rename the file to
new-logo.raw. - UEFITool is still open and the
Raw sectionis highlighted again, this time right click and selectReplace bodyand choose new-logo.raw to replace it with. - Press
control + sto save the modified BIOS, save it asmod_bios.binoverwriting the existing one. UEFITool will ask if you want to open the newly saved image. It's not needed.
Some other images you might want to replace:
F8C4B76D-4D4B-4CF9-BCDF-384644F385C6 - F12 Boot Options.
FC213366-3BE1-4BE8-B0B0-A4DAAC9E0778 - Energy Star logo. This logo is disabled by default I think, I never seen it.
7225BDBD-F72C-4955-9F5D-E86C143D8026 - Optiplex 9010 Series. Wonder why this in a 9020 BIOS haha.
80EEAEB5-9099-443D-A919-EF12385D141C - Preparing one time boot menu.
ED6DDA63-C41E-4B8D-9CD5-429B0378AE6A - Preparing to enter Setup.
53257F05-9942-44FA-BA0B-B97B712C705F - Preparing MEBx menu.
9273B6D9-F255-482D-83D3-C1AE0DFF0275 - Diagnostic boot selected.
This should allow for booting from NVME disks. It is a very easy add-on.
First we download NvmExpressDxe_4 it is hidden in a spoiler in this thread.
Open mod_bios.bin in mmtool_a4.exe in C:\UBU and scroll down till you're in section 4:03-00. Highlight any entry in that section. Then on the insert tab above click on browse and select .ffs the file you just downloaded. The module will now be inserted. Save the new file as nvme.fd and quit the tool. Now rename it back to mod_bios.rom.
If you get an error that there is not enough space you can download a smaller version from the thread above and if that isn't enough we can delete some IPv6 modules. These moduels are only used while booting. I only had to delete Mtftp6Dxe to get enough space and since I'm not planning on using tftp over IPv6 in UEFI/boot it's not a problem. You can also export modules before you delete them and restore them later.
|160|Dhcp6Dxe |8DD9176D-EE87-4F0E-8A84-3F998311F930|0043FB2A|00899D|DRVR|
|161|Ip6Dxe |8F92960E-2880-4659-B857-915A8901BDC8|004484C7|012F39|DRVR|
|162|Mtftp6Dxe |61AFA251-8AC8-4440-9AB5-762B1BF05156|0045B400|0073BD|DRVR|
|163|Udp6Dxe |10EE54AE-B207-4A4F-ABD8-CB522ECAA3A4|004627BD|006759|DRVR|
You can delete all of those if you're not planning on using IPv6 networking in UEFI/boot. You migt need the space if you want to add more modules or replace exisintg ones with newer (larger) versions.
In order to be able to boot from it you may also have to change this setting:
0x4C9FE One Of: SATA RAID ROM, VarStoreInfo (VarOffset/VarName): 0x174, VarStore: 0x2, QuestionId: 0x183, Size: 1, Min: 0x0, Max 0x0, Step: 0x0 {05 A6 23 02 24 02 83 01 02 00 74 01 10 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00}
0x4CA24 One Of Option: Legacy ROM, Value (8 bit): 0x0 (default) {09 0E 25 02 30 00 00 00 00 00 00 00 00 00}
0x4CA32 One Of Option: UEFI Driver, Value (8 bit): 0x1 {09 0E 26 02 00 00 01 00 00 00 00 00 00 00}
0x4CA40 One Of Option: Both, Value (8 bit): 0x2 {09 0E 27 02 00 00 02 00 00 00 00 00 00 00}
0x4CA4E End One Of {29 02}
Change it to 0x2.
This is the "dangerous" part, it's not really though. But you do have to pay close attention if you want to prevent having to recover from a bad flash.
Enabling service mode requires a jumper on the service pins on the motherboard. It disables the write protections to the flash regions. Short the service pins on the motherboard. They are clearly labeled. Use a jumper or some breadboard cables.
I think it also possible to remove these restrictions in a modified Grub shell but I wouldn't leave this kind of protections disabled if I were you.
Turn the machine off and short the service jumper and turn it back on. You'll get a notice about it and have to press F1 to resume booting.
Once back in Windows it is time to flash the modified BIOS file. Copy mod_bios.bin to the \Intel ME System Tools v9.1 r7\Flash Programming Tool\WIN64.
Navigate to the same folder in a PowerShell running as admin, and execute .\fptw64.exe -f mod_bios.bin. It will start the process right away. Once it's finished execute .\fptw64.exe -greset. The machine will now reboot and it is recommended to enter the BIOS and load the factor defaults. Make sure you set things up correctly for your hackingtosh config too. Like legacy roms etc. Save and exit the BIOS.
Note: If you only modified the BIOS and didn't update/add AMT/KVM you can use
.\fptw64.exe -bios -f mod_bios.bininstead to only flash the BIOS region. IF you only added AMT/KVM you can use.\fptw64.exe -me -f mod_bios.binto only flash the ME region.
Enjoy your newly modified and updated BIOS. Feels good right?
There is a lot more to update and modify but for now we're done here.
Verify that your microcodes are up to date with InSpectre.
It's also a good idea to verify the current MEBx versions with MEInfoWin64.exe:
PS C:\Intel ME System Tools v9.1 r7\MEInfo\WIN64> .\MEInfoWin64.exe
Intel(R) MEInfo Version: 9.1.45.3000
Copyright(C) 2005 - 2017, Intel Corporation. All rights reserved.
Intel(R) Manageability and Security Application code versions:
BIOS Version: A18
MEBx Version: 9.0.0.0029
Gbe Version: 1.3
VendorID: 8086
PCH Version: 4
FW Version: 9.1.45.3000 H
LMS Version: Not Available
MEI Driver Version: 11.7.0.1032
Wireless Hardware Version: Not Available
Wireless Driver Version: Not Available
FW Capabilities: 0x4DFE5947
Intel(R) Active Management Technology - PRESENT/ENABLED
Intel(R) Capability Licensing Service - PRESENT/ENABLED
Protect Audio Video Path - PRESENT/ENABLED
Intel(R) Dynamic Application Loader - PRESENT/ENABLED
Service Advertisement & Discovery - PRESENT/ENABLED
Intel(R) AMT State: Enabled
TLS: Enabled
Last ME reset reason: Global system reset
Local FWUpdate: Enabled
BIOS Config Lock: Enabled
All looks good, firmware has been updated and after I changed the password from the admin default to uHhvd!sD^8 the options to enable remote management could be enabled (KVM/AMT). Network by default is unconfigured, you'll need to turn that on too. You can configure the IP manually or using DHCP. I've had mixed resutls with DHCP. Manual setup is best. Pick an IP outside the range your router/DHCP server serves.
So you're like me and not spend any time in Windows and also don't want to install it on your machine. Well you're in luck! There is a way to create a Windows install that will work on pretty much any computer and runs from a usb drive. Don't use anything too slow or you will be in a serious world of lag and pain because the system keeps using 100% of the disk constantly. Use an old ssd for best results.
You'll need:
- Rufus - Totally free but can not create Windows To Go installs on ssd's only usb sticks OR WinToUSB - To create the Windows To Go disk, the free version will do fine.
- Windows 10 media, you can grab an evaluation version directly from Microsoft using this website.
Create the Windows To Go disk or stick and boot from it, run Windows Update until there are no more updates.
Tip: To see file extentions and hidden files the easy way, search for "developer" in the search or start menu and open those settings. Scroll down to the File Explorer section and click apply.
It is possible to recover from a bad flash. You will need:
SECTION NOT FINSIHED YET!
- A dump of the BIOS (like we made previously with
fptw64) - Another computer
- 2 usb sticks
- A $10 ($15 with Amazon Prime) usb programmer
- Not being afraid of command line and Linux (it soudns more difficult than it is)
- Patience
- And mayeb a usb extention cable)
Note: You can not use a bios update extracted from an update to recover without going trought a lot of hassle. If the flashing of your modified BIOS failed you can use the modified BIOS instead of the backup. If the BIOS flashed correctly but doesn't work you have to use the backup file.
The programmer linked is sold on eBay and the usual sites under many brand names. I linked to the page to show you want you need. Buy it anywhere you wish.
Getting ready, the recovery process seems complex but it's fairly straigh forward. First lets boot into Windows again where our bios_backup.bin dump we made in the first step should still reside in the \Intel ME System Tools v9.1 r7\Flash Programming Tool\WIN64 folder. Go there in Windows Explorer. In another Windows Explorer window we go to \Intel ME System Tools v9.1 r7\Flash Image Tool\WIN32. If there is a Build folder there delete it, we need a fresh start. Now double click fitc.exe and as before and drag your backup in there. It will unpack the BIOS.
Also as before in the build menu disable Generate intermediate build files and then build the new image. Say yes when asked about bootguard. A new Build folder should have been created. Inside it are 3 .bin files. Note their sizes. Copy the 4MB and 8MB files to the desktop and rename them to 4mb.bin and 8mb.bin.
Now we are ready to create a Liux Live usb stick. This very easy to do with Balana Etcher, download it here. We're also going to need a Linux distro. Use something Debian/Ubuntu based. As I liek to stay close to macOS my go to Live distro is elementary OS. On their page select $0 and download the ISO directly or use the magnet link to do it via torrent. When the download is complete insert the first usb stick and write the ISO file to it with Balana Etcher. When it's done writing Windows may complain about it, just eject it. That usb stick is now done.
Format the second usb stick to FAT32 (right click and select format in My Computer) and copy the 4mb and 8mb .bin files to it. Make sure to safely eject it from the systray or by right clicking on the drive in My Computer.
Now we're finally ready to get started. Boot up elementary OS and choose try when asked if you want to install or try it. You can also install it, but thats not needed. You will end up on a desktop, in the top left corner open the app list and in there scroll to the the next page and open up the Terminal app. I think you can also press Windows Key + T.
In there type sudo su and then apt install flashrom. I assume you have an ethernet connection. If not you can setup wifi in the top right of the screen or in the terminal with nmtui. If you get an error that the files are in use just wait a little while and try again (the system itself checks for updates after booting up). Also insert the usb stick with the 2 backup files. We need to manually mount it. Enter lsblk to see a block devices. Check the sizes to determine which one it is then mount it like so mount /dev/sdX /mnt.
You can now open up your computer and disconnect it from the power and remove the CMOS battery then hold down the power button for a max of 30 seconds. You may see an amber light. This is done to drain all the power from the system.
Connect the programmer up to the clip. I'll update this section to include some photos but it is not hard. You can also download this that came with my programmer I got on Amazon. Inside is a .pdf file explaining it. Just a matter of lining all the pin 1's up.
Now comes the fiddly part, attach the clip to one of the two BIOS chips and run flashrom. It will scan for chips and show whats detected.
I'll finish this section once I get back in my Live Linux cuz I forgot the exact chipset names
(This still didn't happen as I don't remember the exact names anymore and rather not repeat flashing the BIOS thsi way just to get this part right lol...)
But essentially you let it scan the bus and if it detects a chip it will show it. It is very finnicky and it took me a bunch fo tries before it detected the chip.
Once it's detected pay attention to the name as it indicates the size. If it has 32 in the name is the 4mb chip. If it has 64 it is the 8mb chip. Depending on which one you managed to read first you will flash the matching file to it. I tried a few times on eac hchip as not to get too bored trying to get a connection.
Now that the chip is visable you can write the new image with flashrom -c bla bla -w /mnt/Xmb.bin. Repeat for the other chip and you're back in business and can write a letter of complaint to Dell for not having decent BIOS recovery till the 7040.
You now gained the skills and equipment to read/write many (not all) BIOS chips. Though remember if you're going to buy that $25 laptop on eBay that failed a BIOS update be sure you have a properly dumped image for it and that the BIOS chip is compatible with the programmer.
Some BIOS areas can be unlocked which means you don't have to short the service pins to write to those areas. Use with caution.
0x47FC7 One Of: SMI Lock, VarStoreInfo (VarOffset/VarName): 0x74, VarStore: 0x2, QuestionId: 0x7B, Size: 1, Min: 0x0, Max 0x0, Step: 0x0 {05 A6 BA 01 BB 01 7B 00 02 00 74 00 10 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00}
0x47FED Default: DefaultId: 0x0, Value (8 bit): 0x1 {5B 0D 00 00 00 01 00 00 00 00 00 00 00}
0x47FFA One Of Option: Disabled, Value (8 bit): 0x0 {09 0E C3 03 00 00 00 00 00 00 00 00 00 00}
0x48008 One Of Option: Enabled, Value (8 bit): 0x1 (default MFG) {09 0E C2 03 20 00 01 00 00 00 00 00 00 00}
0x48016 End One Of {29 02}
0x48018 One Of: BIOS Lock, VarStoreInfo (VarOffset/VarName): 0x75, VarStore: 0x2, QuestionId: 0x7C, Size: 1, Min: 0x0, Max 0x0, Step: 0x0 {05 A6 C0 01 C1 01 7C 00 02 00 75 00 10 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00}
0x4803E One Of Option: Disabled, Value (8 bit): 0x0 {09 0E C3 03 00 00 00 00 00 00 00 00 00 00}
0x4804C One Of Option: Enabled, Value (8 bit): 0x1 (default) {09 0E C2 03 30 00 01 00 00 00 00 00 00 00}
0x4805A End One Of {29 02}
0x4805C One Of: GPIO Lock, VarStoreInfo (VarOffset/VarName): 0x76, VarStore: 0x2, QuestionId: 0x7D, Size: 1, Min: 0x0, Max 0x0, Step: 0x0 {05 A6 BE 01 BF 01 7D 00 02 00 76 00 10 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00}
0x48082 Default: DefaultId: 0x0, Value (8 bit): 0x0 {5B 0D 00 00 00 00 00 00 00 00 00 00 00}
0x4808F One Of Option: Disabled, Value (8 bit): 0x0 {09 0E C3 03 00 00 00 00 00 00 00 00 00 00}
0x4809D One Of Option: Enabled, Value (8 bit): 0x1 (default MFG) {09 0E C2 03 20 00 01 00 00 00 00 00 00 00}
0x480AB End One Of {29 02}
0x480AD One Of: BIOS Interface Lock, VarStoreInfo (VarOffset/VarName): 0x77, VarStore: 0x2, QuestionId: 0x7E, Size: 1, Min: 0x0, Max 0x0, Step: 0x0 {05 A6 BC 01 BD 01 7E 00 02 00 77 00 10 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00}
0x480D3 Default: DefaultId: 0x0, Value (8 bit): 0x1 {5B 0D 00 00 00 01 00 00 00 00 00 00 00}
0x480E0 One Of Option: Disabled, Value (8 bit): 0x0 {09 0E C3 03 00 00 00 00 00 00 00 00 00 00}
0x480EE One Of Option: Enabled, Value (8 bit): 0x1 (default MFG) {09 0E C2 03 20 00 01 00 00 00 00 00 00 00}
0x480FC End One Of {29 02}
0x480FE One Of: RTC RAM Lock, VarStoreInfo (VarOffset/VarName): 0x78, VarStore: 0x2, QuestionId: 0x7F, Size: 1, Min: 0x0, Max 0x0, Step: 0x0 {05 A6 C2 01 C3 01 7F 00 02 00 78 00 10 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00}
0x48124 One Of Option: Disabled, Value (8 bit): 0x0 (default) {09 0E C3 03 30 00 00 00 00 00 00 00 00 00}
0x48132 One Of Option: Enabled, Value (8 bit): 0x1 {09 0E C2 03 00 00 01 00 00 00 00 00 00 00}
0x48140 End One Of {29 02}
This requires extra modules in the BIOS for it to work.
https://software.intel.com/en-us/articles/intel-trusted-execution-technology-a-primer/
0x47834 One Of: Intel TXT(LT) Support, VarStoreInfo (VarOffset/VarName): 0x44, VarStore: 0x2, QuestionId: 0x5F, Size: 1, Min: 0x0, Max 0x0, Step: 0x0 {05 A6 ED 00 EE 00 5F 00 02 00 44 00 10 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00}
0x4785A One Of Option: Disabled, Value (8 bit): 0x0 (default) {09 0E F6 00 30 00 00 00 00 00 00 00 00 00}
0x47868 One Of Option: Enabled, Value (8 bit): 0x1 {09 0E F5 00 00 00 01 00 00 00 00 00 00 00}
0x47876 End One Of {29 02}
Disabled: ACPI thermal management uses EC reported temperature values. Enabled: ACPI thermal management uses DTS SMM mechanism to obtain CPU temperature values.
0x478BC One Of: CPU DTS, VarStoreInfo (VarOffset/VarName): 0x45, VarStore: 0x2, QuestionId: 0x61, Size: 1, Min: 0x0, Max 0x0, Step: 0x0 {05 A6 EF 00 F0 00 61 00 02 00 45 00 10 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00}
0x478E2 One Of Option: Disabled, Value (8 bit): 0x0 (default) {09 0E F6 00 30 00 00 00 00 00 00 00 00 00}
0x478F0 One Of Option: Enabled, Value (8 bit): 0x1 {09 0E F5 00 00 00 01 00 00 00 00 00 00 00}
0x478FE End One Of {29 02}
PCI hot swapping. Untested by me haha.
0x4A202 One Of: Hot Plug, VarStoreInfo (VarOffset/VarName): 0xE9, VarStore: 0x2, QuestionId: 0xF5, Size: 1, Min: 0x0, Max 0x0, Step: 0x0 {05 A6 D9 02 DA 02 F5 00 02 00 E9 00 10 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00}
0x4A228 One Of Option: Disabled, Value (8 bit): 0x0 (default) {09 0E C3 03 30 00 00 00 00 00 00 00 00 00}
0x4A236 One Of Option: Enabled, Value (8 bit): 0x1 {09 0E C2 03 00 00 01 00 00 00 00 00 00 00}
0x4A244 End One Of {29 02}
RAM timings.
0x51634 One Of: DIMM profile, VarStoreInfo (VarOffset/VarName): 0x28C, VarStore: 0x2, QuestionId: 0x423, Size: 1, Min: 0x0, Max 0x0, Step: 0x0 {05 A6 06 05 07 05 23 04 02 00 8C 02 14 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00}
0x5165A One Of Option: Default DIMM profile, Value (8 bit): 0x0 (default) {09 0E 08 05 30 00 00 00 00 00 00 00 00 00}
0x51668 One Of Option: Custom profile, Value (8 bit): 0x1 {09 0E 0B 05 00 00 01 00 00 00 00 00 00 00}
0x51676 One Of Option: XMP profile 1, Value (8 bit): 0x2 {09 0E 09 05 00 00 02 00 00 00 00 00 00 00}
0x51684 One Of Option: XMP profile 2, Value (8 bit): 0x3 {09 0E 0A 05 00 00 03 00 00 00 00 00 00 00}
0x51692 End One Of {29 02}
Set voltage (DDR3 = 1.5v / DDR3L = 1.35v)
0x51694 One Of: DDR Selection, VarStoreInfo (VarOffset/VarName): 0x287, VarStore: 0x2, QuestionId: 0x285, Size: 1, Min: 0x0, Max 0x0, Step: 0x0 {05 A6 12 05 13 05 85 02 02 00 87 02 10 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00}
0x516BA One Of Option: DDR3, Value (8 bit): 0x0 (default) {09 0E 14 05 30 00 00 00 00 00 00 00 00 00}
0x516C8 One Of Option: DDR3L, Value (8 bit): 0x1 {09 0E 15 05 00 00 01 00 00 00 00 00 00 00}
0x516D6 One Of Option: Auto, Value (8 bit): 0x2 {09 0E C0 03 00 00 02 00 00 00 00 00 00 00}
0x516E4 End One Of {29 02}
Freqencies, one block for each pair of DIMM slots.
0x51729 One Of: Memory Frequency, VarStoreInfo (VarOffset/VarName): 0x284, VarStore: 0x2, QuestionId: 0x287, Size: 1, Min: 0x0, Max 0x0, Step: 0x0 {05 A6 18 05 19 05 87 02 02 00 84 02 10 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00}
0x5174F One Of Option: Auto, Value (8 bit): 0x0 (default) {09 0E C0 03 30 00 00 00 00 00 00 00 00 00}
0x5175D One Of Option: 1067, Value (8 bit): 0x3 {09 0E 1A 05 00 00 03 00 00 00 00 00 00 00}
0x5176B One Of Option: 1333, Value (8 bit): 0x5 {09 0E 1B 05 00 00 05 00 00 00 00 00 00 00}
0x51779 One Of Option: 1600, Value (8 bit): 0x7 {09 0E 1C 05 00 00 07 00 00 00 00 00 00 00}
0x51787 One Of Option: 1867, Value (8 bit): 0x9 {09 0E 1D 05 00 00 09 00 00 00 00 00 00 00}
0x51795 One Of Option: 2133, Value (8 bit): 0xB {09 0E 1E 05 00 00 0B 00 00 00 00 00 00 00}
0x517A3 One Of Option: 2400, Value (8 bit): 0xD {09 0E 1F 05 00 00 0D 00 00 00 00 00 00 00}
0x517B1 One Of Option: 2667, Value (8 bit): 0xF {09 0E 20 05 00 00 0F 00 00 00 00 00 00 00}
0x517BF End One Of {29 02}
0x517C1 One Of: Memory Frequency, VarStoreInfo (VarOffset/VarName): 0x285, VarStore: 0x2, QuestionId: 0x288, Size: 2, Min: 0x0, Max 0x0, Step: 0x0 {05 A6 18 05 19 05 88 02 02 00 85 02 10 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00}
0x517E7 One Of Option: 1067, Value (16 bit): 0x42B {09 0E 1A 05 00 01 2B 04 00 00 00 00 00 00}
0x517F5 One Of Option: 1333, Value (16 bit): 0x535 (default) {09 0E 1B 05 30 01 35 05 00 00 00 00 00 00}
0x51803 One Of Option: 1600, Value (16 bit): 0x640 {09 0E 1C 05 00 01 40 06 00 00 00 00 00 00}
0x51811 One Of Option: 1867, Value (16 bit): 0x74B {09 0E 1D 05 00 01 4B 07 00 00 00 00 00 00}
0x5181F One Of Option: 2133, Value (16 bit): 0x855 {09 0E 1E 05 00 01 55 08 00 00 00 00 00 00}
0x5182D One Of Option: 2400, Value (16 bit): 0x960 {09 0E 1F 05 00 01 60 09 00 00 00 00 00 00}
0x5183B One Of Option: 2667, Value (16 bit): 0xA75 {09 0E 20 05 00 01 75 0A 00 00 00 00 00 00}
0x51849 End One Of {29 02}
I don't think ECC memory works without also fitting the board with a Xeon or something. Server memory is cheap though. Too bad I have no ECC sticks to try.
0x5184B One Of: ECC Support, VarStoreInfo (VarOffset/VarName): 0x27D, VarStore: 0x2, QuestionId: 0x289, Size: 1, Min: 0x0, Max 0x0, Step: 0x0 {05 A6 32 05 33 05 89 02 02 00 7D 02 10 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00}
0x51871 One Of Option: Disabled, Value (8 bit): 0x0 {09 0E C3 03 00 00 00 00 00 00 00 00 00 00}
0x5187F One Of Option: Enabled, Value (8 bit): 0x1 (default) {09 0E C2 03 30 00 01 00 00 00 00 00 00 00}
0x5188D End One Of {29 02}
https://ami.com/en/products/firmware-tools-and-utilities/bios-uefi-utilities/
https://raw.githubusercontent.com/syscl/ASUS-H67-series/master/BIOS_Utilities/AMIBCP4.55.0070.exe