Posted by RvdH under Computer & Peripherals on Jun 20 2018

As it takes ages for HP to complete the microcode updates that protect against the Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5715) vulnerabilities for HP Pavilion 500-0xx/ENVY 700-0xx series (ROM Family SSID 2AF7) desktops I decided I would give it a go and update it manually using UBU.

This guide is aimed at my own system, which is a HP Pavilion Desktop - 500-405nd with a Intel Core i7-4790S (Haswell) processor, but might work for for other models in the HP Pavilion 500-0xx/ENVY 700-0xx series with different processor configurations, use it at your own risk!

The UBU tool is very easy to use and able

  1. to detect the versions of the OROM/EFI modules, which are inside an AMI UEFI BIOS file and
  2. to update
    a) the most important OROM/EFI modules, and
    b) the CPU microcode of any AMI Aptio UEFI BIOS.
In this post we are only going to discuss and use it to update the CPU microcode, for other usage I suggest you read the relevant topics on win-raid.com, here and here.

First we need to dump our current bios with all DMI data like product name, serial numbers (otherwise the DMI data won't be preserved) using the Intel's Flash Programming Tool, which can be obtained through and listed under section: "C2. Intel (CS)ME System Tools" on win-raid.com forums. You need to download the tools listed under Intel ME System Tools v9.x

Now first you need to unlock the Flash Descriptor, when the flash descriptor is locked you cannot use Intel's Flash Programming Tools. Example error message when Flash Descriptor is locked is shown below.
Intel (R) Flash Programming Tool. Version:  9.1.10.1000
Copyright (c) 2007 - 2014, Intel Corporation. All rights reserved.

Platform: Intel(R) H87 Express Chipset
Reading HSFSTS register... Flash Descriptor: Valid

    --- Flash Devices Found ---
    W25Q64BV    ID:0xEF4017    Size: 8192KB (65536Kb)

Error 26: The host CPU does not have read access to the target flash area. To enable read access for this operation you must modify the descriptor settings to give host access to this region.

You unlock the Flash Descriptor by placing the Flash Descriptor Override Jumper (FDO / E1) jumper on your Pegatron IPM87-MP Memphis-S or similar motherboard in enabled position. (see illustrations below)

With the Flash Descriptor Override jumper in place we can now dump our current BIOS with the Flash Programming Tool, mentioned above... therefor unpack the files listed in \Flash Programming Tool\WINDOWS64\ (for 64-bit) or \Flash Programming Tool\WINDOWS\ (for 32-bit) in the downloaded package. Run:

fptw64.exe -D backup.bin  (fptw64.exe on 32-bit is called fptw.exe)
Intel (R) Flash Programming Tool. Version:  9.1.10.1000
Copyright (c) 2007 - 2014, Intel Corporation. All rights reserved.

Platform: Intel(R) H87 Express Chipset
Reading HSFSTS register... Flash Descriptor: Valid

    --- Flash Devices Found ---
    W25Q64BV    ID:0xEF4017    Size: 8192KB (65536Kb)


- Reading Flash [0x800000] 8192KB of 8192KB - 100% complete.
Writing flash contents to file "backup.bin"...

Memory Dump Complete
FPT Operation Passed

Open the dumped backup.bin with UBU, for this guide I used UBU v1.69.17.4 and the patched version of MMTool v5.2.0.24 (MMTool v5.0.0.7 should be safe to use as well)
Scanning BIOS... Please wait...
Define BIOS platform - AMI Aptio 4
Brand Hewlett-Packard
Found Option ROM VBIOS in GUID A062CF1F-8473-4AA3-8793-600BC4FFE9A8
Found Option ROM in GUID A062CF1F-8473-4AA3-8793-600BC4FFE9A8
Found EFI Intel GOP Driver GUID 5BBA83E6-F027-4CA7-BFD0-16358CC9E123
Found EFI Intel Raid Controller GUID 91B4D9C1-141C-4824-8D02-3C298E36EB3F
Found EFI Realtek LAN Undi GUID 9F1D2270-2E0F-4D07-9477-587989B8A32D
Press any key to continue . . .

Press any key, there select option 7
        Select option for update

1 - Intel RST(e) OROM and EFI SataDriver
     OROM IRST RAID for SATA    - 12.5.0.1815
     EFI IRST RAID for SATA     - 12.5.0.1815
2 - Intel OROM VBIOS and EFI GOP Driver
     OROM VBIOS Haswell         - 2179
     OROM VBIOS Haswell         - 2164
     EFI GOP Driver Haswell     - 5.0.1032
3 - LAN OROM PXE and EFI UNDI - Intel, RTK, BCM, QCA
     OROM Intel Boot Agent GE   - 1.4.10
     OROM Realtek Boot Agent GE - 2.53
     EFI Realtek UNDI           - 2.021
7 - CPU MicroCode
     View/Extract/Search/Update
i - Versions, HomePages, Donate
0 - Exit
Press ENTER - Re-Scanning ALL EFI modules.

Enter number:7
In the next screen the current available microcode revisions are displayed, more information is displayed but don't worry...i simply wasn't able to paste it here and retain it's formatting. Select option 1
        Update Intel CPU MicroCode

1 - Update CPU MicroCode Haswell and/or Broadwell
3 - View CPU Microcode Patch list
m - User Select Microcode File
e - Extract all CPU Microcodes
s - Search for available microcode in DB.
0 - Exit to Main Menu

Enter number:1
Select the latest microcode revision in the list displayed, 24 is the latest supported in UBU 1.69.17.4 and includes fixes for CVE-2017-5715 and CVE-2017-575
Enter Microcode:24

Checksum correct.
Generate FFS Microcode
Preparing for replacement
Dump _FIT_ created!
Update Microcode Patch...Ok!
Update Microcode Patch...Ok!
Dump _FIT_ restored
Little more information is displayed not displayed above,, like microcode address and microcode size...don't worry...i simply wasn't able to paste it here and retain it's formatting.

Return to menu options and select 0, Exit to Main Menu, press 0 once more to exit the program...a prompt will be shown, choose option 1 and save the modified bios as mod_backup.bin

Now flash this modified bios using the Flash Programming Tool, running this command:

fptw64.exe -REWRITE -F mod_backup.bin  (fptw64.exe on 32-bit is called fptw.exe)
Intel (R) Flash Programming Tool. Version:  9.1.10.1000
Copyright (c) 2007 - 2014, Intel Corporation. All rights reserved.

Platform: Intel(R) H87 Express Chipset
Reading HSFSTS register... Flash Descriptor: Valid

    --- Flash Devices Found ---
    W25Q64BV    ID:0xEF4017    Size: 8192KB (65536Kb)

PDR Region does not exist.

- Erasing Flash Block [0x800000] - 100% complete.
- Programming Flash [0x800000] 8192KB of 8192KB - 100% complete.
- Verifying Flash [0x800000] 8192KB of 8192KB - 100% complete.
RESULT: The data is identical.

FPT Operation Passed
Turn off your PC, reseat the Flash Descriptor Override (FDO) jumper to it's original position and boot your PC.
If everything completed without errors you now should see updated microcode in for example the freeware program HWiNFO

  HWiNFO
Note: The above screenshot displays microcode revision 25 which is one later revision as the microcode revision used earlier in this guide, eg: microcode revision 24 (Microcode revision 25 = with CVE-2018-3639 fix)

SpeculationControl PowerShell script
SpeculationControl output:
 
Speculation control settings for CVE-2017-5715 [branch target injection]
For more information about the output below, please refer to https://support.microsoft.com/en-in/help/4074629

Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID performance optimization is enabled: True [not required for security]

Speculation control settings for CVE-2018-3639 [speculative store bypass]

Hardware is vulnerable to speculative store bypass: True
Hardware support for speculative store bypass mitigation is present: True
Windows OS support for speculative store bypass mitigation is present: True
Windows OS support for speculative store bypass mitigation is enabled system-wide: True


BTIHardwarePresent                  : True
BTIWindowsSupportPresent            : True
BTIWindowsSupportEnabled            : True
BTIDisabledBySystemPolicy           : False
BTIDisabledByNoHardwareSupport      : False
KVAShadowRequired                   : True
KVAShadowWindowsSupportPresent      : True
KVAShadowWindowsSupportEnabled      : True
KVAShadowPcidEnabled                : True
SSBDWindowsSupportPresent           : True
SSBDHardwareVulnerable              : True
SSBDHardwarePresent                 : True
SSBDWindowsSupportEnabledSystemWide : True
 
SpeculationControl resources
  1. Windows Client Documentation and Settings
  2. Windows Server Documentation and Settings
  3. Understanding Get-SpeculationControlSettings PowerShell script output

Last edited Jun 21 2018