microsoft surface pro 4

i picked up one of these with a UEFI password. boot from USB isn't disabled, but the damned audio and wifi are. secure boot is also enabled.

i am able to reinstall and/or recover windows, and rewrite secure boot keys for windows, but i cannot boot rEFInd or anything else that would allow me an EFI shell.

it's got an MX25U1635F by macronix. fortunately it's an SOIC8 so i can flash it in place, but i'm not familiar with these dumps or removing the password.

anybody done these before?

reverendalc wrote: i picked up one of these with a UEFI password. boot from USB isn't disabled, but the damned audio and wifi are. secure boot is also enabled.

i am able to reinstall and/or recover windows, and rewrite secure boot keys for windows, but i cannot boot rEFInd or anything else that would allow me an EFI shell.

it's got an MX25U1635F by macronix. fortunately it's an SOIC8 so i can flash it in place, but i'm not familiar with these dumps or removing the password.

anybody done these before?

So I know jack squat about this particular method, but I had flashed a lot of PC BIOS through Windows or CMD. I've sold computers for 12 years and I have a working knowledge of how some of this works, but not near as much as the other folks here, so take what I say with a grain of salt.

About a week ago therealjayvi helped me get flashrom on my raspberry pi - that was a task in and of itself for some reason - but anyway I successfully pulled the bin files and flashed clean back to the Macs. As far as I can tell, it's just flashing a clean factory bin to the chip.

For Dells, You can download the BIOS from Dell's website and there are utilities that will extract the bin file from the bios. I *think* in this case (I have not tested this yet) that I should be able to simply flash the bin file generated from the Dell bios and don't have to bother scrubbing the bin pulled from the chip. Of course you should make a backup of the chip with Flashrom and make sure you have that in case anything goes wrong.

Like I said, I haven't tried this but theoretically this should be possible unless there's something I'm missing.

The firmware and drivers for your Surface Pro can be found here : www.microsoft.com/en-us/download/details.aspx?id=49498

How to extract the UEFI bin from that, I don't know.

Yes. I'm currently attempting both a flash from within windows and also defeating secure boot via dev tools.

I'm intimately acquainted with flashing eeprom, however I cannot for the life of me open the tablet.

I have heated the bezel with 240c and tried a multitude of pics, spudgers, and suction cups. I do not want to break the glass.

Which tool(s) do you use for flashing within windows? I have some but none are working, various platform or other errors.

I've not written a BIOS within Windows on anything that's still password protected. On desktops you can just pull a jumper on the motherboard and remove the password. Password generators have always worked fine for me on laptops, and the newer ones (for which I don't have a password generator) I've always just installed a loaded hard drive and ignored the BIOS altogether.

Unfortunately I've not opened any Surface Pros so I can't help you there, but I did a quick youtube search: you're on the right track.



As shown in this teardown video, it looks like the EEPROM chip is easily accessed once you get that digitizer/screen off.



Probably gonna have to work it more with the spudgers and heat gun. I hate doing that with these stupid tablets as you always run the risk of overheating the LCD and discoloring it. It's gonna take some patience.

Good luck!

Yeah. I'm not thrilled about trying to open it some more. I can't afford to break it lol.

Those videos are bullshit. If you look closely the LCD is already loose.

I'm going to take this opportunity to learn more about the windows10 dev mode secure boot vulnerability.

After tons of failed attempts to bypass secureboot, I resorted to opening the LCD again. And succeeded.



Tons of heat. Skip the hot air station and spend about 10-15min heating the entire thing with a hair dryer, then start with the speaker cutout. I used an isesame to start, but finished with a credit card because the metal opener started to scuff things.

The amount of prying force that screen accepts is fin far excess to what I had believed would break it. I went around the screen with a 5mm insertion, then around a second time to fully separate with suction cups.

THAT WAS NOT FUN.

Anyhow, it seems the ic that ifixit identified is actually part of the display. Unfortunately the SOIC8 chip isn't the efi rom. I found a winbond wson8 chip. It's tucked in closely next to a soldered on metal shield. This is going to be tough.

This is the chip, winbond w25q128fv.
It's a conventional wson8 package with 3.3v power requirement.

Should be a straight forward flash provided I can get to it without shorting against the shrouding.

Hi Reverendalc, I know you have more experience than I do in binary extractions, however I want to tell you something regarding that particular chip, be very careful when extracting the information try to make several backups and that you totallymete sure that you extract the binary In a correct way, I mention it because to me in particular that chip model gave me headaches with the raspberry pi and the MiniPro TL866CS, I managed to read it and program it correctly with another programmer of a colleague, unfortunately I do not remember the brand I know it was old enough but it worked correctly,

regards

@choms:

Thank you for your information. The only chip I've ever struggled with (and not defeated) was also a winbond.

Did you solder to the exposed pads on this chip, or remove the chip? The clearance is VERY tight on the right side.

If you can recall the name of the programmer at some point, I'd appreciate to know.

I always take at least three reads and verify checksum/against chip contents when exploring.

I'll probably dive in tomorrow, and will update as I proceed.

You're welcome.

I personally removed it from the motherboard and did the reading outside. This is my colleague's programmer.

Good job you take out the screen,
I recommend the Sofi-Tech SP-16B.
Easy software frequently updates and most important it supports 1.8V chips.

Oh I do not like that programmer lol.

Raspberry pi has 1.8v point also... not on GPIO but easily accessible.

Anyway, the 1.8v rom is for the LCD/digitizer. Efirom is 3.3v.

I am going to try snipping the shroud and bending it back. I want to flash in place.

ok back at it again.

here's the SOB. it was REALLY tough to get off, and my tweezers marred it a little bit

Lol yeah. I ordered a few replacements anyway.

My microtweezers are all chewed up from digging half of a headphone jack out of my son's MacBook, and they chewed it up pretty good.

Would you happen to know what software i use to read off the firmware on this chip via the actual surface?

Ive tried several AMI tools so far and none are reading the bios which i would like to dump. An exhaustive search of the interwebs has not found me any technical details on the bios type or software to successfully dump. This thread is the closest i have come thus far.

Thanks.

look at this video

Thanks for the link but that is beyond my capabilities.

Im pretty certain it can be done via software only but am having a hell of a time just finding the right tool for dumping the bios.