
Bios Unlock and of Mobile Skylake Cpu

To begin with, please note that there is great risk involved in doing this. If you have no experience with editing or flashing, please be VERY VERY cautious. I also highly recommend having or getting an SPI programmer (CH341a programmer with SOIC8 chip clip) in the event you brick your system. This will make recovery very painless. But again, this is not an easy task and has great risk involved. Please be very careful if attempting any of this.

Now then, all of this was done on an MSI, a GE72 to be exact. The unlocking of the bios regions will be different for different manufacturers, but the process is basically the same afterwards. There is a wonderful and very in-depth guide on the unlocking of the regions HERE, so I will only briefly go over the procedure.

References

Here are some sources/guides that are very useful for understanding the scope of modifying the Bios. Many of these offer great insight.

Aptio Skylake Bios Manual > https://www.acromag.com/sites/default/files/Aptio-Skylake-Core-BIOS-Manual-1097A.pdf

TechInferno Forum on 6 and 7 series Overclocking > https://www.techinferno.com/index.php?/forums/topic/1624-lets-enable-overclocking-on-all-6-and-7-series-/

ME Analyzer Tool Information > https://n0where.net/intel-engine-firmware-analysis-tool-meanalyzer

Intel ME Bring Up Guide > http://www.corus.pro/pilotes/VAD/VAD517/XP/ME/1.5MB%20FW%20Bring%20Up%20Guide%208.1.0.1248%20PV.pdf

Bios Mods Forum > https://www.bios-mods.com/forum/archive/index.php?thread-7795-1.html

PCI Access Error Solution > http://watfak.com/?q=node/10

I would first like to thank Dreamonic, Paloseco, Svet, Kasar, and everyone else involved in this. Months were spent figuring all this out. Many long nights and bricked systems were used to get to this point. Without their help and knowledge none of this could have been done. So may you benefit from our time spent on this project.

The BIOS is non-volatile firmware used to perform hardware initialization during the booting process, and to provide runtime services for operating systems and programs. It takes care of initializing ram speeds, cpu clock, turning on drives, etc. As for overclocking, the cpu, ram, and cache are the main focus and what we want control of. This guide will go over how to gain access to those so that the settings/speeds of each can be changed. The bios is considered locked when you can't write to it (the flash ROM) directly from an operating system like Windows or Linux. Older computers allowed that, but modern ones block it so malware can't break your computer. This also presents a problem when trying to modify it, since there is no read or write access to most of the regions. The descriptor region allows read access by default. This is a start, because that's where the locks for the other regions are located. Unlocking the BIOS is a required step before flashing a modded ROM later on so that we can edit settings. However, unlocking the bios regions does not alter anything.

Please note, everything I am about to go over in this first section is located in THIS guide. This unlocking of all the regions in the bios is SPECIFIC to your manufacturer. All of this is specific to MSI notebooks. notebooks should be unlocked already. Not sure about other Manufacturers.

Also, Screenshots of EVERYTHING are located HERE. If you have any doubts or can’t find something, refer to the screenshots. Modifying the wrong thing can result in a bricked system. Please be VERY careful. My modified Bios is located HERE as FullOC.bin. Please DO NOT flash this bios, just use it for reference.

Find Bios Lock Bit

First, we need to find the BIOS lock position inside the ROM (offset):

1) Download and extract the BIOS (For the GE72 I used Bios version E1795IMS.106, which is not available on the MSI website anymore. But you can grab a copy of it HERE in Bioses folder. Not sure if all of this works on newer bios versions (should work), but the latest versions are located HERE.)

2) Download and extract the latest UEFITool for Windows, located HERE. (Note that all the tools that I used are also available in the drive, which is HERE in the tools folder.)

3) UEFITool
● Open UEFITool > File > Open image file... > select "All files (*)" in the corner > choose E1795IMS.106
● File > Search > GUID > Leave "Header only" selected > Paste into the textbox: 899407D799FE43D89A2179EC328CAC21 > Ok
● A message will be displayed in the lower frame (Very Bottom Pane): GUID pattern "899407D7-99FE-43D8-9A21-79EC328CAC21" found as "D7079489FE99D8439A2179EC328CAC21" in 899407D7-99FE-43D8-9A21-79EC328CAC21 at header-offset 0h
● Double click on the message. The entry/module called Setup should be selected, displaying additional information
● Action > File > Extract as is... > save as setup.ffs

4) Download Universal IFR Extractor, located HERE. (Scroll down and download the executable)
● Run Universal IFR Extractor > Open setup.ffs > Extract > Save as "setup IFR.txt" > IFR extracted successfully

5) Open "setup IFR.txt" with any text editor and search for "BIOS Lock". There should be only one match.

"Variable:" will show the offset, relative to the Setup module, where the BIOS Lock value is stored. In my case the offset is 0x5A8. (This may change on different notebooks.) The value stored at that address is the actual BIOS lock, and if it's set to 01, it prevents the BIOS from being written directly from Windows or any other operating system. If it's 00 the BIOS should not be locked.

Create Bootable Hex Editor With RU

To actually change the BIOS Lock, we can't do it directly from the operating system; we need a utility called RU:

● RU homepage: http://ruexe.blogspot.com
● Download latest version.
● There should be 3 files inside: RU.efi, RU.exe and RU32.efi
● Grab any USB flash drive. Very little space is required, 64 MB should be enough depending on how you format it.
● Download Rufus, and open it as administrator.
● Select from the device list your pendrive or card, with the following options, and hit Start. It will delete all the data on that device.
  ○ Partition scheme and target system type: MBR partition scheme for UEFI
  ○ File system: use FAT32.
  ○ Quick format
  ○ Uncheck "Make a bootable disk using"
● Now, browse to the unit with Windows explorer (in my case it's E: drive) and create the folder EFI on the root of the pendrive and another folder BOOT inside EFI.
● Copy the downloaded file RU.efi to E:\EFI\BOOT and rename it to bootx64.efi
● Now we are ready to change the lock bit.

Booting into RU

Reboot the computer with the USB drive already inserted and repeatedly hit the DELETE key when powering on to enter the BIOS. Secure boot needs to be disabled to boot into RU or you will get a secure boot violation error. Boot mode also needs to be uefi, but this should be default on newer notebooks.

● Security > Secure boot menu > Secure Boot > Disabled
● The usb should also come before your Hard Drive in the boot order. This will automatically boot into RU if the USB is present.

Basic RU commands:

● Press F12 in any screen to take a screenshot. It will be saved in BMP format to the root of the pendrive where RU is stored, provided that the pendrive or card is formatted with the FAT32 filesystem. If it's NTFS, it won't work.
● Press F1 on the main screen to display the basic keyboard shortcuts table.
● Press CTRL+F1 to display the Universal Help.
● Press ALT + any of the letters in red in the menu bar to unfold that particular menu.
  ○ ALT+F : File options
  ○ ALT+C : Config options
  ○ ALT+E : Edit options
  ○ ALT+G : Go options
  ○ ALT+T : Tools options
  ○ ALT+S : System options
  ○ ALT+Q : Quit (close RU and reboot)
● CTRL+W : save changes to the BIOS once you have made a modification. If you don't want to save a modification you made, just exit from RU without saving. Changes are not automatically saved.

Changing the Lock Bit:

● If you plan on overclocking the cpu, you will need read write access to ALL regions, not just the Bios region. So before you do anything, the first screen you see in RU will have some bits we need to change. If you don't care about this, then you can skip ahead.
● Offset 00000080 and 00000090 are the locks for all the regions. (Intel Management region, Descriptor region, Bios region, etc.)
● Everything in these two lines needs to be changed to FF, but before you change them take a screenshot. These bits will need to be changed back after everything is done for security reasons. (If you don't want to change them don't, but any program in windows/linux could potentially write to your bios if it wanted)
● Once you have changed both lines to all FF, you can continue unlocking the bios bit.
● Screenshots of this are located HERE.

● Hit ALT+C to expand the Config menu, then select UEFI variable and hit enter.
● A list of UEFI variables will be displayed in alphabetical order. Use the keyboard arrows to move down until you see "Setup". There will be two of them. The second one, which has much more data, is the one we need to reach the address 0x5A8 in hexadecimal.
● Once you are on the right Setup, the first page of the module will be displayed. Use the arrow keys to move along the bytes of the current page, and use CTRL+PAGE UP or CTRL+PAGE DOWN to switch to further pages of the Setup module. Skip pages until you reach the page starting at 0500, and then with the arrow keys move to row 05A0, and then to column 08, until you are at position 05A8. The current cursor position will be displayed at the top left corner of the hexadecimal table. That is the position where BIOS Lock is stored. We will see that the value is 01, which means that the BIOS is locked.
● Now, just type 0, and the value in that position will change to 00 in red, meaning that it's in edit mode. Press Enter to accept the new value.
● Finally, CTRL+W will save changes permanently to the BIOS. You should see an "Updated OK: Setup" message.
● Now, quit RU with ALT+Q and enter again to check that the BIOS Lock is still 00. If the edit stuck, reboot into windows.
● Examples of RU usage are located HERE.

Dumping and Editing Bios

Now that we have that out of the way, the fun begins. We will first need to dump the bios using the Flash Programming Tool or FPT for short. For 7 series cpus, use the FPT provided by Kasar located HERE. I did this on a 6 series cpu and the FPT version I used is located HERE. Please note that I used the 32 bit version of FPT on a 64 bit version of windows. Not sure why this issue occurred, but using the 32 bit version of FPT should work fine. First download FPT and extract it to a folder. Use Winrar or 7zip to extract. Once that is done we can dump the bios. Please note that FPT is a powerful tool and will happily overwrite anything.

FPT Basic Commands:
● Use FPTW for 32 bit systems and FPTW64 for 64 bit systems. If you get a wrong system error, use the other version of FPT.
● Open an Admin Command prompt and change to the directory FPT is located in. (cd C:/path/to/fpt)
● For dumping use > FPTW -d yourfilename.bin
  ○ This will dump the entire bios image with all regions. You can name the file whatever you would like, but it is best to name it something that makes sense. For example, if the bios hasn't yet been modified, save it as Original.bin or something similar for simplicity.
● For flashing use > FPTW -f yourfilename.bin
● You can also dump/flash only specific parts of the bios instead of the whole image. I HIGHLY recommend doing this so that you don't mess up any regions you aren't editing.
  ○ -BIOS will dump the bios region
  ○ -ME will dump the management engine region
  ○ -DESC will dump the descriptor region.
  ○ For example to dump bios region > FPTW -d yourfilename.bin -BIOS
  ○ All of this goes for dumping and flashing
● Once the bios is dumped, you can edit the bios to make changes.
● If you get an error similar to "Error 26: The host CPU does not have read access to the target flash area. To enable read access for this operation you must modify the descriptor settings to give host access to this region" then you do not have read/write access to the region. Modifying the Descriptor region for read/write access will solve this problem.
● Please also note the size of the files, especially for flashing. A whole bios image should be 8192 KB. (Or something similar) Bios region should be 6144 KB, Descriptor region should be 4 KB, and the ME region should be 2044 KB. If the sizes are not similar, PLEASE DO NOT FLASH. This will most certainly brick your system.
● Examples of FPT usage are located HERE.
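A pre-flash size check for the dumps described above, as an added example that is not part of the original guide: it reads the region table from the flash descriptor of a full dump and compares a candidate file against it, so a wrong-sized region or full image is caught before FPT is run. The function names and the sample image are constructed for illustration; the sample image uses the region sizes quoted in this guide.

```python
import struct

FLVALSIG = 0x0FF0A55A                                  # descriptor signature at offset 0x10
REGION_NAMES = ["DESC", "BIOS", "ME", "GBE", "PDR"]    # FLREG0..FLREG4

def parse_regions(image):
    """Map region name -> (start offset, size in bytes) from a full dump."""
    if len(image) < 0x1000:
        raise ValueError("smaller than the 4 KB descriptor")
    sig, flmap0 = struct.unpack_from("<II", image, 0x10)
    if sig != FLVALSIG:
        raise ValueError("no flash descriptor signature: not a full dump")
    frba = ((flmap0 >> 16) & 0xFF) << 4                # region table base
    regions = {}
    for i, name in enumerate(REGION_NAMES):
        (flreg,) = struct.unpack_from("<I", image, frba + 4 * i)
        base = (flreg & 0x7FFF) << 12
        limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
        if base <= limit:                              # base > limit marks an unused region
            regions[name] = (base, limit - base + 1)
    return regions

def preflight(original, candidate, region=None):
    """Return a list of problems; an empty list means the sizes line up."""
    layout = parse_regions(original)
    problems = [f"{n} region runs past the end of the dump"
                for n, (start, size) in layout.items() if start + size > len(original)]
    if region is None:                                 # candidate is a full image
        if len(candidate) != len(original):
            problems.append(f"full image is {len(candidate)} bytes, chip dump is {len(original)}")
        try:
            if parse_regions(candidate) != layout:
                problems.append("region layout differs from the original dump")
        except ValueError as exc:
            problems.append(f"candidate: {exc}")
    elif region not in layout:
        problems.append(f"{region} is not a used region in the descriptor")
    elif len(candidate) != layout[region][1]:
        problems.append(f"{region} file is {len(candidate)} bytes, descriptor says {layout[region][1]}")
    return problems

def make_sample_image():
    """Constructed 8192 KB image using the region sizes quoted in this guide."""
    img = bytearray(b"\xff" * (8192 * 1024))
    struct.pack_into("<II", img, 0x10, FLVALSIG, 0x00040003)   # FRBA = 0x40
    # FLREG0..4: DESC 4 KB, BIOS 6144 KB, ME 2044 KB, GbE and PDR unused
    struct.pack_into("<5I", img, 0x40,
                     0x00000000, 0x07FF0200, 0x01FF0001, 0x00007FFF, 0x00007FFF)
    return bytes(img)

if __name__ == "__main__":
    dump = make_sample_image()
    for name, (start, size) in parse_regions(dump).items():
        print(f"{name:5s} start=0x{start:06X} size={size // 1024} KB")
    print(preflight(dump, b"\x00" * (2048 * 1024), region="ME"))
```

Run it against the untouched full dump (Original.bin in the naming used above) and the file you are about to flash; anything other than an empty list means the file does not match the chip's layout.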

Editing Bios:

Once the bios has been dumped, we can edit it with AMIBCP. Please note that this tool is specific to your bios version. My bios version was Aptio V. Please download the correct version for your bios. AMIBCP is located HERE, under AMI BIOS Configuration Program. There are tons of different options and settings. The majority of them will be left alone. Most of the settings we change will be focused on overclocking. This will include ram, cache, and cpu. There are settings for literally everything else, but I do not advise changing them. All the failsafe values NEED TO BE LEFT ALONE. Only change the optimal settings. If you change the failsafe settings to something wrong, the computer won't boot correctly and will result in a bricked system. Also, the Access/Use needs to be changed to USER for any setting you change.

● Open the Bios dump in AMIBCP. You can just drag and drop.
● You can refer to my screenshots located HERE.
● Under Setup > Advanced > Intel ICC
  ○ These settings are for overclocking the cpu later.
  ○ Watchdog Timer > Enabled
  ○ ICC Locks after EOP > All Unlocked
  ○ ICC Profile > 1 (This will be the overclocking profile that we create later)
● Under Setup > Advanced > OverClocking Performance Menu
  ○ Overclocking Feature > Enabled
  ○ Setup > Advanced > Overclocking Performance Menu > Memory Overclocking
    ■ These settings are for overclocking ram
    ■ DIMM profile > Custom profile
    ■ QCLK Odd ratio > Enabled
    ■ You can also set the Ram voltage here. I did this to help stabilize mine. I set voltage to 1.25 for my ram. This will just be dependent on your overclocking. Voltage will be under N/A > set to whatever voltage.
● Under Setup > Advanced > PCH-FW Configuration > Firmware Update Configuration
  ○ These settings will allow us to flash the ME firmware for the cpu
  ○ ME FW Image Re-Flash > Enabled
  ○ Local FW Update > Enabled
● Under Setup > Advanced > CPU Configuration
  ○ Overclocking Lock > Disabled
  ○ Power Limit 1 Override > Enabled (do this for all power limits)
  ○ CFG Lock > Disabled (If not already disabled)
● Under Setup > Advanced > System Agent Configuration > Memory Configuration
  ○ These settings will allow us to overclock ram also
  ○ Maximum Memory Frequency > 3200 (Set this as high as it will let you. Your ram won't run at this frequency most likely, but you also don't want it to cap your max frequency. Change all instances of this. There were 3 for me.)
● Under Setup > Advanced > PCH-IO Configuration > BIOS Security Configuration
  ○ RTC Lock > Disabled
  ○ BIOS Lock > Disabled
● Also change Access/Use to USER for anything you change. You can change Access/Use to User for every setting if you want, but it will take a good while.
● Once you have changed everything, save the modifications. When you exit AMIBCP, it will ask you if you want to save again. Click yes.

So with all these settings changed, this will allow for overclocking of the ram and cache and will also let us change the cpu settings later.

Flashing Modified Bios

Now that the bios has been edited, it is time to flash it back. Hopefully, if all settings were changed correctly and the bios gets flashed correctly, we will be able to reboot into windows.

● Copy your modified bios file to the same folder that FPT is located in.
● Flash the bios with FPT. Open an Admin Command prompt and change to the directory FPT is located in. (cd C:/path/to/fpt)
● Flash to bios region with > FPTW -f yourfilename.bin -BIOS (Use whatever command you used to dump here also. Just change the -d to -f for flashing.)
● FPT example screenshots are located HERE.

Modifying and Flashing ME Region

The thing we need to modify is the ME region. This will give us full control of the cpu. It should unlock cache ratios, multipliers, and base clock. Please note that you CANNOT change the multipliers. If you do not have an unlocked cpu you cannot change them. For modifying the ME we will need to use the Flash Image Tool (FIT). I found that only a full dump of the bios worked with FIT. If you use just a dumped ME region and it gives you a format error, use a full (8192 KB) dump.

● FIT is also specific to your firmware version
● Once the ME has been dumped (doesn't matter if it is a full image or just ME), use ME Analyzer to find the firmware version. You can also check this via the Bios.
● You can download the ME Analyzer HERE.
● Once you have downloaded it, run the application and drag and drop your image into it. It will then list info about your system.
● At the top, look for the Firmware version. You will need to download the corresponding tools for that Firmware.
● FIT tools can be found HERE. Be sure to download the correct one. (Download is towards the bottom of the page under Intel CS(ME) System Tools)
● Drag and drop your dump into FIT
● Make sure the CORRECT chipset is selected at the top of FIT. If this is not correct, you will brick your system if you flash it. My chipset was a HM170 Mobile.
● To check your chipset type, download HWINFO64 located HERE.
● You can check the chipset under the tab. It should say Motherboard chipset and then list the chipset in bold.
● Once the correct chipset has been selected, modifications can be made.
● Under Flash Settings > Number of flash components
  ○ Needs to be set to 1. This will create a full 8MB Bios image.
  ○ If set to 0, it will only create the ME portion. (2144 KB)
● Under Integrated Clock Controller
  ○ Set Boot Profile > Profile 1
  ○ Create new profile (Profile 1, default should be profile 0)
    ■ Under Profile parameters, set Profile Type > OverclockingExt
    ■ Make sure the clock range is 98 to 341 under Clock Range Definition Record. This will unlock the base clock for the cpu.
    ■ Under BCLK Clock Configuration set BCLK Spread setting to 0%
      ● This will make your BCLK even. (So 100 instead of 99.8)
● Once all this has been done, Build the image. It should build the image in the FIT directory as outimage.bin
● If you used a full dump, and selected 1 for the number of flash components, then outimage.bin is a full dump and you can flash the whole thing with FPT.
● Once you have done this, copy the file (outimage.bin) to the directory of FPT.
● Then flash the image with FPT using the command > FPTW -f outimage.bin
  ○ Or > FPTW -f outimage.bin -ME (if you are only flashing ME region)
● If all is successful, reboot into windows.
● Downgrading CPU microcode may also be necessary. This can be done by simply renaming the microcode update file in windows. In the folder called System32 (C:/windows/system32), there is a .dll file called mcupdate_GenuineIntel.dll. By renaming this and rebooting, you can remove all microcode patches applied by windows.

Conclusion

If all worked well, you should have overclocking capabilities via Intel XTU or Throttlestop. Once everything has been flashed, you will probably have to reinstall Intel XTU if you use it. This will work with the latest versions of XTU, so no need to find a specific version. It is also important to note that raising the BCLK of the cpu past 100MHz is overclocking. Once you hit this point, Integrated graphics should be disabled because that will cap your overclock. AVX instructions will also be lost. However, pushing the BCLK to about 103MHz can be done without losing anything. Please note that you CANNOT disable Integrated graphics on most modern laptops even if they have a designated GPU. Everything is routed through the Integrated graphics. The HDMI ports are done this way also. In essence, disabling the Integrated Graphics is impossible on a notebook if you want to see anything. I do not know if this applies to External gpu setups. If you discover anything new, or figure out how to remove the 103MHz bclk ceiling, please let the people know. This has and always will be a group effort. You can find me on many of the forums as I506dk. Good luck to all who attempt this!