Page 1 of 2
#1 Removing Protected Range Registers. by izzy2004 11.03.2020 06:51


Hello quick question for you guys. Basically I was wondering if it is possible to somehow change the variable to allow flashing with FPT internally. I want to be able to flash my bios through windows instead of taking it apart and connecting my SPI programmer. I think once should be enough but as I test my various mod attempts it would be amazing to have the internal feature. The error in question I get is included in the picture. And the bios is a Phoenix. Comes from a Lenovo x250.

Thank you kindly,

Edit: I forgot to include the bios in question if it is needed somehow. I am assuming of course it would be the same procedure on every modern Phoenix bios though.

#2 RE: Removing Protected Range Registers. by Lost_N_BIOS 11.03.2020 06:58


@izzy2004 -- Please link me to the stock BIOS download page for system, and or give me your FPT BIOS region dump. Sometimes it's possible to change value via grub/setu_var edit, or if Insyde BIOS using H2OUVE to dump and edit vars and flash it back.
But, sometimes, in any BIOS, it's part of a BIOS module check routine and can't be edited simply by changing a setting value, only by dumping BIOS with FPT or programmer then edit it to bypass in assembly (if possible) then program back in and use that as your base going forward and then it will remain unlocked.

* Edit - I didn't see your edit until my reply posted. What is the full model here, so I can keep this BIOS in a proper folder. Thanks

* Edit 2 - Few things here, please be careful with FPT, you can brick your system with one click.
Here's some proper usage, and how you should be using it for best success (mainly this is to correct context mistakes I see you make, and so you are dumping/flashing BIOS region only, that's all that's needed, or possible without unlocking FD usually anyway)

FPTw.exe -bios -d biosreg.bin << This dumps BIOS region only, name it whatever you want.
FPTw.exe -bios -f bisoregmod.bin << This flashes BIOS region modified, using any name you want.

DO NOT flash BIOS region only, without using -bios flag (ie >> FPTw.exe -f biosreg.bin)

FPTw.exe -d filename.bin << This dumps entire SPI, when allowed. Sometimes FD or ME region will be skipped, if FD locked from read on FD/ME
FPTw.exe -f filename.bin << This flashes entire BIOS, when allowed per FD rules. Usually FD and ME are locked and cannot be written this way with FPT, some BIOS allow, most don't. If you flash this way, usually FD and ME will be skipped, if it lets anything happen (Same sometimes when dumping, if read is locked)

Your FPT BIOS dump, I see FD has locked write to FD and ME, so you can't write to those with FPT without unlocking FD first. So, as noted above, best to dump BIOS region only, and flash BIOS region only, using -bios flag each way.

I checked, and in your BIOS there is not a setting for PRR/FPRR/Protected Range Register etc. So it's within a BIOS module instead, to get around this you first need flash programmer.
You can try PRR/PRR2 tool, but it may brick your board and I wouldn't try without programmer in hand and backup made via programmer first. But, if you want the tool let me know and I will upload for you.

Additionally, BIOS Lock and SMI lock are enabled by default on this BIOS, so those also need changed before you can FPT BIOS region flash.
These are editable via grub/setup_var possibly, but I'm not 100% sure about that, never dealt with changing a setting in this manner for Phoenix BIOS.

My advice, stop here and get a flash programmer like CH341A + SOIC8 test clip with cable. Then proceed once it arrives.

You may be able to flash mod BIOS with winflash, did you try already? If yes, what error does it give you, maybe I can bypass for you.

@SODA may be able to tell you some other specific flashing tips/info/known method etc for Lenovo Thinkpad X250

* Edit 3 - Also, be careful here, BIOS Guard may be enabled/burned in at the PCH, so you can only edit certain regions of the BIOS.
Verify by running >> MEINFOWin -verbose
From the V10 ME System tools package, if you see Measured or Verified Boot enabled at the end of the report on the left/FPF side then it's enabled.
Intel Management Engine: Drivers, Firmware & System Tools

#3 RE: Removing Protected Range Registers. by izzy2004 13.03.2020 09:03


Hi there,

Thank you a lot for getting back to me. Unfortunately the laptop in question got is out of service at the moment due to my girlfriend cleaning the keyboard and long story short the fuse for the LCD backlight blew. I am currently working on a new machine the T480S. Much more complicated with its security. I tried a few attempts at a starter menu unlock and all my attempts result in the device not booting. If you are okay with helping me with this I would be very appreciated. I will take your previous post into account for this adventure. The bios is as follows:

Have a nice evening.

#4 RE: Removing Protected Range Registers. by Lost_N_BIOS 13.03.2020 09:26


So, did she order you a new KB, or does the board need replaced (assuming you can't see/find the blown fuse)

Is Boot Guard enabled? Check with proper version MEINFO (V11 from section "C.2" from here). Run this command, show me bottom of report, as an image not text copy/paste >> MEINFOWin.exe -verbose
We're looking to see Measure or Verified Boot, if enabled at Left/FPF side. If yes, any edits to any areas covered in color Cyan, Red, yellow etc in UEFITool Alpha NE (51-55 etc) cannot be edited. Unless you put system into MFG mode first, then it may be possible (untested by me)

Do you have flash programmer? If yes, is the above file a programmer dump?

* Edit @izzy2004 - Here, test and see if MFG mode goes active now, if yes, then maybe you can run like that always if it gives you full BIOS menu settings access? Unsure what else that may disable though, so it may not be ideal.
You can also test after flashing this, if flashing in a further edit done by you using this as base, if it's OK or boot guard shuts it down instantly.

#5 RE: Removing Protected Range Registers. by izzy2004 13.03.2020 12:46



In regards to the fuse blown x250 mobo, I am not 100% sure it is just that. I think the keyboard definitely shorted a bit and the Enter key now is a Down Arrow key how convenient! I also read that it might be the EDP cable so until I get a different one to try I will leave it alone for now. The LCD works great still its my own personal one I like to order - Sharp LQ133M1JX26 ( if you are ever looking for panels or just like them this one is the most gorgeous I have ever seen). Two different panels i tested on the mobo are the same no backlight. VGA output works fine and so does the mobo. But I had my fun with that board already. Did everything to it besides nvme. For now just wait on Aliexpress for a KB and EDP cable.

So regarding this 480s. Let me tell ya Kaby Lake 8000 and Windows 7 do not like each other. Big pain to set up but works just dandy. Now as you can see this thing is nuts.. nearly everything is enabled regarding security Lenovo has really gone out of their way this time.
Attached below is the same but with the -verbose option you suggested. However I am using Intel CSME System Tools v11 r29 which seem to work just fine.

I also uploaded the IFR. Unfortunately when it comes to using IDA and manipulating hex I am not very confident in my abilities. I tried many different variations with this but in the end I break the bios or get no boot. But still a good learning experience albeit foolish. And also if the FPT dump bothers you then here is my ripped one from earlier today.

Thank you.
Спс большое

Oh I forgot to asnwer your questions;

She did not get my a new KB, the girl cant tell a laptop from a keyboard haha!
And I have a a few programmers dont worry I always have backups of my roms before I go full retard.. learned that the hard way long ago..

#6 RE: Removing Protected Range Registers. by Lost_N_BIOS 14.03.2020 05:56


Ahh yes, sounds like keyboard is shorting, sometimes you can open the film cover in back, clean out best you can with alc and then let dry, then it may be OK. If not, KB replacement often cheap on ebay, $7-12 or so. But yes, I guess if you order from Allie then probably even cheaper

I see Verified boot is enabled, and I think profile 4 in ME FW, so FVE = VB, Immediate Shut Down on BG violation. Yes, you should be using V11 ME System tools package, whichever is latest on the download page here (I'm still using V27 package, lazy )

I don't need IFR or any of that, I can get that on my end. FPT Dump is fine, I only asked what kind of dump that was and how you created it (so I would know if it was FPT, programmer, other program etc)

As for editing menus or anything like that, this area is covered by boot guard, but with the MFG BIOS I sent you that may be OK to edit, unsure and only a simple quick test would let us know.
But, that test is only possible if you have hardware flash programmer, like CH341A, do you have this + SCOI8 test clip w. cable? Ohh!, I see at end of your post that you do, good man

So, lets do a quick test before I even take time to look at unlocking menus, which I may not be able to do, but best we see if mod BIOS can be used or not first before time put into menu edits.
Please program in the BIOS I sent you in post #4, boot to BIOS, load optimal defaults and reboot back to BIOS. Does any of it look different? If not, it's OK, only curious. After that, dump the BIOS contents again and send me that for a quick edit test.
I will switch some setting in BIOS to opposite of current, so we can see if boot guard shuts it down immediately or not.

#7 RE: Removing Protected Range Registers. by izzy2004 14.03.2020 10:16


Hey my wizard of the biosizard.. (man that was terrible)

I flashed the rom you sent me I didn't even notice it yesterday my apologies. I checked it out it looks like you changed 4C 4E 56 42 42 53 45 43 FB FF FF FF FF FF FF FF which was in a very in a very isolate area. I wanted to ask what did it do? It is on a part of the bios that seeming is just filler? Was this just a test to see if boot guard would get set off?

As requested here is the dump after I cleared cmos:

Took with fpt again. As much as I love my trusty tl866 the clip i am using is the black chinese "going to rip off a leg on a unsuspecting eeprom" standard one as my dog decided my pomona clip was blueberries im guessing, so I am being careful till a new one arrives. Also wanted to ask you, I gathered that must see many people flashing with the ch341a but have you seen anyone burn their chip ever? I mean those things run at 5v usb due to the unparalleled skill of the people who designed the layout of this programmer. Was thinking to myself that people should be more aware of this fault and could do a little soldering to fix it if desired but at the very least knowing if you connect it to a low power flash like a 25q40, 1.85v it would just pop.

If interested here's a picture of mine I tried to make it as clear as possible in a single photo but yes, very simple solder and works great (note that the leg of the chip is de-soldered and raised up a bit with tape underneath). This little trick to make it output correctly, I don't remember where I got the fix from but was from some forum.

And hey thanks for helping me out out of no where I appreciate it very much, I hope you enjoy talking about off topic tangents from time to time.



Oh! And the bios - it didn't look any different besides saying EFI Security Something something warning along side with cmos reset and bad time settings right after post. Afterwards it went away. I have the TPM disabled at all times. Hope that helps.

-there is no spoon

#8 RE: Removing Protected Range Registers. by Lost_N_BIOS 14.03.2020 10:27


@izzy2004 - Hahaha, at least I laughed with ya!

Yes, I changed one byte in NVRAM or padding area (can't remember, not looking at BIOS now) to set board to MFG mode. This was not meant to do anything to boot guard, except later/next I wanted to see if while in MFG mode boot guard was active or not (which I will send you other BIOS next to test that).
I don't want a cleared CMOS Dump?? I want you to flash that BIOS, enter BIOS, load optimal defaults, save and apply, reboot, then shut down and dump the BIOS.
Due to MFG mode, do you see anything different during boot, or while in BIOS? I've not used these boards, so not sure what's expected. >> on your edit, what exactly was the EFI comment, do you remember?
I know very little on these systems directly, other than general BIOS knowledge that applies to all.

Cheap black Chinese clip? It wont rip off a BIOS leg, but it will QUICKLY wear down and stop being able to grab the legs, so be very careful of it popping off as that adds the wear-down faster.

No, I've not seen any burned BIOS chips, usually if you short the BIOS it will blow up a trace on the board instead or trace + resistors + scorch marks etc
5V is not feed to the chip, only the programmer, unless it goes bad and send out 5v while it dies. 1.8V chips can hangle 3.3v it sends out, they just get warm (not even as hot as a reversed chip) and you can't read write properly due to the overvoltages.

You're welcome, thanks for the thanks... izz'r

#9 RE: Removing Protected Range Registers. by izzy2004 14.03.2020 10:32


Hi, I think you may have misunderstood me. I meant cleared cmos meaning I hit default settings rebooted into W7 and took a FPT read for you. And regarding the 1.8v chips I agree with you. I personally had some fun a while back with a 1.85 monster. Little bugger read and wrote but very glitchy-ly-ee. Took me forever to figure that one out haha.]


Well I tried my best to replicate the error besides reflashing But I cant get it again. If you need it let me know and I will reflash for you. I did see something different however. I see the the TPM chip I cannot select the mode of anymore. It is simply MFG.


I hope you saw my edit. Unfortunately I am a victim of constantly forgetting something I wanted to write and hitting the edit button a bit too much. Most of the time while someone else is already replying to a message I was in the middle of editing.

And by the black Chinese ones yes that ones that wear down and are made out of chalk seeming are the ones i refer to. Completely laughable not like this precious:

My god that thing is absolutely jaw dropping. I really appreciate a good quality very specific item.


Ill mess around with it a bit more Im happy the boot guard is not invasive. Is there anywhere you can suggest for me to read regarding these "new" bioses. Its been Habr lately

#10 RE: Removing Protected Range Registers. by Lost_N_BIOS 15.03.2020 06:20


OK, I will check file and send you new edit to test. Be ready in advance to recover from next BIOS test, in case it bricks due to Boot Guard.
No, no need to try and get that error again, just hoped you remembered more exactly what it said than what you mentioned, but it's no big deal. Good, sorry I meant to tell you that, about TPM, but good you noticed, this proves MFG mode is indeed active now

Hey, no worries about the edits, I do it too, and here we try to keep replies down to one per person so there's no duplicate posts by same person one after another (as you see I merged all yours), so I make many edits into a single post myself if someone hasn't replied yet.

I picked up a Pomona clip too finally But, I haven't used it yet, I often use totally different system to program BIOS, unless I'm testing something for someone here.
I use a PCB jumper type adapter that goes over the top of onboard BIOS, with pins that push down onto the onboard BIOS, so no clips needed.

Boot Guard is invasive and will brick your system if violated (ie instant shut down, and no way to recover), if you edit anything within the colored areas of the BIOS shown below., The ones I circled, anything inside can't be edited, if/when boot guard is active or brick

This is what we will test in next BIOS I send you, to see if MFG mode allows boot guard to by on pause/bypass and edits not brick. If it bricks anyway, then BIOS menu can't be changed due to the files needed to edit are in the cyan area.
However, you can change any default BIOS settings you want, even on settings you can't see, because those are stored and loaded fron NVRAM area and it's not covered by Boot Guard.

I will edit next test BIOS into here, so if you read now, refresh in a few for next BIOS edit test

* Edit @izzy2004 - Here, please be ready to recover via programmer with programmer dump of your original working BIOS! This is setup module edit test, inside boot Guard covered area x2, please test both and let me know outcome of each.
So you know what changed and don't have to dig around, I swapped default byte that controls BIOS Lock default variable, so two bytes edited in setup PE32 module.

#11 RE: Removing Protected Range Registers. by izzy2004 15.03.2020 13:33


Ah yes the PCB attachment one I am familiar with. I have about 6 myself. However none for SOP8. Oh well.
I want to thank you for the picture you sent it explains a few things. Mostly like how when I was attempting this myself a week back why the laptop was not booting and all my hard work in IDA and HxD was in vain. I think its hilarious. I get why the extended menu is hidden, that they don't want the swarm of menu curious customers in their repair facilities demanding that they un-brick their laptops, but the company going out of their way to make it hard for people who even have a darn SPI programmers is unreal.

I think it's sad the way technology is progressing these days and really angers me sometimes. I had to switch to W10 on this laptop because Windows 7 cannot use human interface devices over I2C period. I couldn't get the mouse touch-pad to scroll (who would have thought would be a deal breaker eh?). Also since on the topic - funny enough since Windows 7 finally stopped getting receiving support, Microsoft I'm assuming paid Intel to only release these "Intel® Graphics - Windows® 10 DCH Drivers" versions of display driver which I could not for the life of me get to work on W7 with slight .inf tweaking like I could with ones released 5 months prior. Sadly not much a choice in the latter with notebooks as they just keep getting nicer and nicer. My Desktop however still on the Z68 chipset and runs just fine. Not sure how modern desktop boards are open to modification but I fear the worst.

Less and less open source instead "our device, our rules" - the Apple manifesto.
Anywho... back to real mans talk - Bios.

Now about the two files you sent me;

The first file you sent me. T480MFGDumpSetupEditTest.bin - This had no changes that I am aware of. It also produces a EFI security error and then restarts itself. Then shows same error however gives me the option to go into setup or continue booting. I did manage to get a photo of the error code that I have attached below(excuse the crudeness).

Second file - T480SMFGBLSetupEditTest.bin - No changes either however it did not produce the EFI security error.

Hopefully my findings are of help to you, and again I very much appreciate the help my man.


#12 RE: Removing Protected Range Registers. by Lost_N_BIOS 16.03.2020 08:14


Mine are like this, come from "Nano USB Programmer" guy on ebay, from Korea
BIOS Modding for CSM UEFI DOS 98SE 2000 XP 2003 2009 Compatibility Discussions
[Request] Dell Vostro 260 - Add Ivy Bridge support (4)
Also these for Asus/MSI JSPI1 headers - Flashing BIOS chip (MX25L3205D) with CH341A progammer - can't detect chip

You're welcome! Yes, sorry I didn't mention this sooner, or you hadn't read somewhere about Boot Guard and how to check, what it does etc.
I agree, they shouldn't lock anyone out once programmer is being used especially. I think it's more for security though, than locking people out of BIOS.

I bet you can find drivers for your KB/touchpad etc here so you can use Win7, or find someone that will edit a driver for you.
I know for sure there is several threads on this very thing, and especially some active ones on the graphics driver issue, but sounds like you know all about that due to editing the previous one (just stick with that last one that worked )

Mainstream desktop boards are now MUCH easier to edit than older ones, and offer far more options in the BIOS. Z68 era BIOS isn't too bad, to edit, or options-wise, but modern BIOS are much easier to play with now.

Both BIOS I sent you have the exact same new edit in them, only one is made from stock BIOS I first edited and sent to you, and the other is made from the dump you sent me after flashing that BIOS.
Due to changes I noticed, I suspected the dumped one you sent me may not work as smoothly, that's why I sent you the one without dump in the name too.
BUT!! Main thing here is boot booted, and boot guard did not instant shut them down!! That was the goal, to see if while MFG mode enabled, you can edit the BIOS or not.
Now, we need to test and see what happens, with edited BIOS in there, when we disable MFG mode (like when were are done, can we disable or must we leave enabled so boot guard doesn't brick it instantly)

Please program in this one T480SMFGBLSetupEditTest.bin, then boot to BIOS, load optimized, save and reboot back to BIOS/Windows, shut down and dump with programmer.
Then send me that file, I will disable MFG mode, and then you program back in and see if it bricks or not, if not then we know we can disable MFG mode once done with all edits and boot guard will be OK
Or, you can easily do this edit/test on your end if you want. Take the dumped BIOS (via programmer, not FPT) and then edit the file as a whole in hex editor go to 0x89D008h and set that to FB instead of FF, then program back and see if boot guard bricks it or not.

#13 RE: Removing Protected Range Registers. by izzy2004 16.03.2020 15:38


Haha that's hilarious, I tried that once with the 8 pins and I thought it wasn't sturdy enough and I was being stupid. Thought I'd short the flash. And regarding the bios unfortunately I don't own the Imaginero 2000 V2.3 programmer to use that .img imaginary bios, so if you could please convert and re-upload as .bin or .rom would be great:) Speaking of which what programmer you use yourself? Im pretty curious. And the W7 touchpad thing I was looking at this topic on the forum:

[Request] Win7 compatible Intel I/O drivers for the Touchpad of ASUS Notebooks

And of course many other forums, unfortunately all dead ends.. But I am adapting to W10 been about 2 days now (or should I say I made it adapt to me). Found the magical LTSC Insider builds, purged a lot of Windows heresy with NTLite and made a customized .iso, then more blasphemy with Windows Lite pre-setup scripts, then some more ass kicking with power shell. I still can't believe this is all necessary. I'm going to have to write a script that combines all these things into my image so I never have to deal with a flipping app store and siri that I cant remove on my desktop environment. I must have gotten rid of more than 70% of "features".

And regarding adding the little bit of hex code should be no problem. And forget about fpt, I refuse to have have ME drivers installed most of the time to use it let alone not give in to the urge to run me_cleaner on every device I own. I thought it was cool that it could get a dump of my bios, I have been using the programmer for years never even tried fpt till last week. But on a side note maybe I'm blind but I don't think you uploaded any rom file in your last post. Sorry for constantly talking about this but honestly I really wish this right to repair bill would pass so this nonsense will slowly stop.

Hope all is well,


Big Edit:

Wasn't thinking right and didn't notice the same are the same. So anyway I did what you said and on that line made the FF into FB. And nothing happend. Still MFG mode. Maybe I didn't understand what you meant by changing it to FB?


Ill check it again later tonight just been sick the past few days. Also I did use the Lenovo bios ultility to update to a newer version. I had some mouse issues with it lagging when charging and using usb, and they seemingly address that so I think its gone. Strangely enough when their tool flashed the bios it kept the MFG mode. The rom I uploaded up there is the new version I dumped.


#14 RE: Removing Protected Range Registers. by Lost_N_BIOS 18.03.2020 08:11


@izzy2004 - It works fine, if you have that correct tool, there may be similar but if they are not meant for that then they wont work.
Those are not DIP8 pins that go to the BIOS chip when you pop it on there, the pins are lined up exact width of BIOS legs, so once on straight it all works perfectly.
You go on at an angle, then tip over so it's spread onto each leg and it grips right into place.

What? What are you talking about Imaginero and .img files?? Ohh! Sorry, from that link at post 10 I sent you T480, but in folder I have for you I see X250. Which system are we doing here?
And, what file/link/post are you now saying the ^^ above about?? Ohh, I see, maybe? Were you making a joke, about a file you thought I meant to link you to? If yes, re-read what I said at end of post #12, you have the file I wanted you to flash next, I assumed you could do the edit so I told you exact edit info
If you need me to do it instead, let me know

I use cheap CH341A when I have it sitting out and in hurry, when I'm serious and have time I use Nano USB Programmer that uses the above PCB jumper I was discussing.
I think I gave links to programmer in ebay on one of those links with the jumper images, if not let me know and I will show you on ebay
Mainly I try to use the Nano USB programmer since it's much better software and much better connection method to BIOS chip onboard, but sometimes I just grab CH341A because it's in front of me.

You can use FPT at DOS, if you don't want to install ME Drivers in OS

Yes, change FF to FB where I mentioned, then program that BIOS back in. Sounds like you did this, then updated BIOS version?
If yes, great, please confirm and then I will grab above #13 file and sent you test edit to program back in, then if all OK we can look at BIOS menu mods (That's goal right?)

#15 RE: Removing Protected Range Registers. by izzy2004 18.03.2020 22:56


Hi there,

yes I was making a joke thinking that you forgot to upload a file but I didn't notice the filename. The file I uploaded was a dump of the edited rom you told me to do with the FBFBFB.. I did that wrong i think. "Take the dumped BIOS (via programmer, not FPT) and then edit the file as a whole in hex editor go to 0x89D008h and set that to FB instead of FF, then program back and see if boot guard bricks it or not." - So this you wrote I interpreted as open file in hex editor, go to line 00x89D008h which sadly doesn't exist but but 89D008 does. and fill the whole line with FB instead of FF?

But what I did was this: I was on your MFG mode rom, I updated to new version, took dump and it still had MFG on and then modded the FBFBFB and nothing happened. Booted fine. And yes the end goal is indeed the menu.


So sorry I thought I pressed sent yesterday!!

Xobor Forum Software von Xobor