As it takes ages for HP to complete the microcode updates that protect against the Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5715) vulnerabilities for HP Pavilion 500-0xx/ENVY 700-0xx series (ROM Family SSID 2AF7) desktops I decided I would give it a go and update it manually using UBU.
This guide is aimed at my own system, which is a HP Pavilion Desktop - 500-405nd with a Intel Core i7-4790S (Haswell) processor, but might work for for other models in the HP Pavilion 500-0xx/ENVY 700-0xx series with different processor configurations, use it at your own risk!
The UBU tool is very easy to use and able
- to detect the versions of the OROM/EFI modules, which are inside an AMI UEFI BIOS file and
- to update
a) the most important OROM/EFI modules, and
b) the CPU microcode of any AMI Aptio UEFI BIOS.
First we need to dump our current bios with all DMI data like product name, serial numbers (otherwise the DMI data won't be preserved) using the Intel's Flash Programming Tool, which can be obtained through and listed under section: "C2. Intel (CS)ME System Tools" on win-raid.com forums. You need to download the tools listed under Intel ME System Tools v9.x
Now first you need to unlock the Flash Descriptor, when the flash descriptor is locked you cannot use Intel's Flash Programming Tools. Example error message when Flash Descriptor is locked is shown below.
You unlock the Flash Descriptor by placing the Flash Descriptor Override Jumper (FDO / E1) jumper on your Pegatron IPM87-MP Memphis-S or similar motherboard in enabled position. (see illustrations below)
Intel (R) Flash Programming Tool. Version: 22.214.171.1240 Copyright (c) 2007 - 2014, Intel Corporation. All rights reserved. Platform: Intel(R) H87 Express Chipset Reading HSFSTS register... Flash Descriptor: Valid --- Flash Devices Found --- W25Q64BV ID:0xEF4017 Size: 8192KB (65536Kb) Error 26: The host CPU does not have read access to the target flash area. To enable read access for this operation you must modify the descriptor settings to give host access to this region.
With the Flash Descriptor Override jumper in place we can now dump our current BIOS with the Flash Programming Tool, mentioned above... therefor unpack the files listed in \Flash Programming Tool\WINDOWS64\ (for 64-bit) or \Flash Programming Tool\WINDOWS\ (for 32-bit) in the downloaded package. Run:
fptw64.exe -D backup.bin
(fptw64.exe on 32-bit is called fptw.exe)
Intel (R) Flash Programming Tool. Version: 126.96.36.1990 Copyright (c) 2007 - 2014, Intel Corporation. All rights reserved. Platform: Intel(R) H87 Express Chipset Reading HSFSTS register... Flash Descriptor: Valid --- Flash Devices Found --- W25Q64BV ID:0xEF4017 Size: 8192KB (65536Kb) - Reading Flash [0x800000] 8192KB of 8192KB - 100% complete. Writing flash contents to file "backup.bin"... Memory Dump Complete FPT Operation Passed
Open the dumped backup.bin with UBU, for this guide I used UBU v188.8.131.52 and the patched version of MMTool v184.108.40.206 (MMTool v220.127.116.11 should be safe to use as well)
Press any key, there select option 7
Scanning BIOS... Please wait... Define BIOS platform - AMI Aptio 4 Brand Hewlett-Packard Found Option ROM VBIOS in GUID A062CF1F-8473-4AA3-8793-600BC4FFE9A8 Found Option ROM in GUID A062CF1F-8473-4AA3-8793-600BC4FFE9A8 Found EFI Intel GOP Driver GUID 5BBA83E6-F027-4CA7-BFD0-16358CC9E123 Found EFI Intel Raid Controller GUID 91B4D9C1-141C-4824-8D02-3C298E36EB3F Found EFI Realtek LAN Undi GUID 9F1D2270-2E0F-4D07-9477-587989B8A32D Press any key to continue . . .
In the next screen the current available microcode revisions are displayed, more information is displayed but don't worry...i simply wasn't able to paste it here and retain it's formatting. Select option 1
Select option for update 1 - Intel RST(e) OROM and EFI SataDriver OROM IRST RAID for SATA - 18.104.22.1685 EFI IRST RAID for SATA - 22.214.171.1245 2 - Intel OROM VBIOS and EFI GOP Driver OROM VBIOS Haswell - 2179 OROM VBIOS Haswell - 2164 EFI GOP Driver Haswell - 5.0.1032 3 - LAN OROM PXE and EFI UNDI - Intel, RTK, BCM, QCA OROM Intel Boot Agent GE - 1.4.10 OROM Realtek Boot Agent GE - 2.53 EFI Realtek UNDI - 2.021 7 - CPU MicroCode View/Extract/Search/Update i - Versions, HomePages, Donate 0 - Exit Press ENTER - Re-Scanning ALL EFI modules. Enter number:7
Select the latest microcode revision in the list displayed, 24 is the latest supported in UBU 126.96.36.199 and includes fixes for CVE-2017-5715 and CVE-2017-575
Update Intel CPU MicroCode 1 - Update CPU MicroCode Haswell and/or Broadwell 3 - View CPU Microcode Patch list m - User Select Microcode File e - Extract all CPU Microcodes s - Search for available microcode in DB. 0 - Exit to Main Menu Enter number:1
Little more information is displayed like microcode address and microcode size...don't worry, I simply wasn't able to paste it here and retain it's formatting. Return to the options menu and select 0, Exit to Main Menu, press 0 once more to exit the program...a prompt will be shown, choose option 1 and save the modified bios as mod_backup.bin
Enter Microcode:24 Checksum correct. Generate FFS Microcode Preparing for replacement Dump _FIT_ created! Update Microcode Patch...Ok! Update Microcode Patch...Ok! Dump _FIT_ restored
Now flash this modified bios using the Flash Programming Tool, running this command:
fptw64.exe -REWRITE -F mod_backup.bin
(fptw64.exe on 32-bit is called fptw.exe)
Turn off your PC, reseat the Flash Descriptor Override (FDO) jumper to it's original position and boot your PC.
Intel (R) Flash Programming Tool. Version: 188.8.131.520 Copyright (c) 2007 - 2014, Intel Corporation. All rights reserved. Platform: Intel(R) H87 Express Chipset Reading HSFSTS register... Flash Descriptor: Valid --- Flash Devices Found --- W25Q64BV ID:0xEF4017 Size: 8192KB (65536Kb) PDR Region does not exist. - Erasing Flash Block [0x800000] - 100% complete. - Programming Flash [0x800000] 8192KB of 8192KB - 100% complete. - Verifying Flash [0x800000] 8192KB of 8192KB - 100% complete. RESULT: The data is identical. FPT Operation Passed
If everything completed without errors you now should see updated microcode in for example the freeware program HWiNFO
Note: The above screenshot displays microcode revision 25 which is one later revision as the microcode revision used earlier in this guide, eg: microcode revision 24 (Microcode revision 25 = with CVE-2018-3639 fix)
SpeculationControl PowerShell Script
For more information about the output below, please refer to https://support.microsoft.com/en-in/help/4074629 Speculation control settings for CVE-2017-5715 [branch target injection] Hardware support for branch target injection mitigation is present: True Windows OS support for branch target injection mitigation is present: True Windows OS support for branch target injection mitigation is enabled: True Speculation control settings for CVE-2017-5754 [rogue data cache load] Hardware requires kernel VA shadowing: True Windows OS support for kernel VA shadow is present: True Windows OS support for kernel VA shadow is enabled: True Windows OS support for PCID performance optimization is enabled: True [not required for security] Speculation control settings for CVE-2018-3639 [speculative store bypass] Hardware is vulnerable to speculative store bypass: True Hardware support for speculative store bypass disable is present: True Windows OS support for speculative store bypass disable is present: True Windows OS support for speculative store bypass disable is enabled system-wide: True Speculation control settings for CVE-2018-3620 [L1 terminal fault] Hardware is vulnerable to L1 terminal fault: True Windows OS support for L1 terminal fault mitigation is present: True Windows OS support for L1 terminal fault mitigation is enabled: True BTIHardwarePresent : True BTIWindowsSupportPresent : True BTIWindowsSupportEnabled : True BTIDisabledBySystemPolicy : False BTIDisabledByNoHardwareSupport : False BTIKernelRetpolineEnabled : False BTIKernelImportOptimizationEnabled : False KVAShadowRequired : True KVAShadowWindowsSupportPresent : True KVAShadowWindowsSupportEnabled : True KVAShadowPcidEnabled : True SSBDWindowsSupportPresent : True SSBDHardwareVulnerable : True SSBDHardwarePresent : True SSBDWindowsSupportEnabledSystemWide : True L1TFHardwareVulnerable : True L1TFWindowsSupportPresent : True L1TFWindowsSupportEnabled : True L1TFInvalidPteBit : 45 L1DFlushSupported : True
- Windows Client Documentation and Settings
- Windows Server Documentation and Settings
- Understanding Get-SpeculationControlSettings PowerShell script output
Last edited Jan 22 2019