Home

Topics

Lenovo: Everything around Lenovo
ESP32
CarThing: Hacking the Thing
Radxa Zero

Lenovo

Topics

ThinkCentre BIOS Unlock / Mod: Unlock hidden Advanced BIOS features.
ThinkCentre CPU choice: CPU choice for the Thinkcentre.

ThinkCentre CPU choice

Introduction

This guide will export more possible CPU configurations.

1. Officially Supported CPUs

Intel Core i3-9100T (4 Core/ 6 MB/ 4T/ up to 3.7GHz)
Intel Core i3-9300T (4 Core/ 8 MB/ 4T/ up to 3.8GHz)
Intel Core i5-9400T (6 Core/ 9 MB/ 6T/ up to 3.4GHz)
Intel Core i5-9500T (6 Core/ 9 MB/ 6T/ up to 3.7GHz)
Intel Core i5-9600T (6 Core/ 9 MB/ 6T/ up to 3.9GHz)
Intel Core i7-9700T (8 Core/ 12 MB/ 8T/ up to 4.3GHz)
Intel Core i9-9900T (8 Core/ 16 MB/ 16T/ up to 4.4GHz)
Intel Core i3-8100T (4 Cores/ 6 MB/ 4T/ up to 3.1GHz)
Intel Core i3-8300T (4 Cores/ 8 MB/ 4T/ up to 3.2GHz)
Intel Core i5-8400T (6 Cores/ 9 MB/ 6T/ up to 3.3GHz)
Intel Core i5-8500T (6 Cores/ 9 MB/ 6T/ up to 3.5GHz)
Intel Core i5-8600T (6 Cores/ 9 MB/ 6T/ up to 3.7GHz)
Intel Core i7-8700T (6 Cores/ 12 MB/ 12T/ up to 4.0GHz)
Intel Celeron G4900T (2 Cores/ 2MB/ 2T/ up to 2.9GHz)
Intel Celeron G4930T (2 Cores/ 2MB/ 2T/ up to 3.0GHz)
Intel Pentium Gold G5400T (2 Cores/ 4MB/ 4T/ up to 3.1GHz)
Intel Pentium Gold G5420T (2 Cores/ 4MB/ 4T/ up to 3.2GHz)
Intel Pentium Gold G5500T (2 Cores/ 4MB/ 4T/ up to 3.2GHz)
Intel Pentium Gold G5600T (2 Cores/ 4MB/ 4T/ up to 3.3GHz)

The two Celeron SKUs, along with the Pentium Gold G5400T/ G5420T support only the Intel UHD 610 graphics while the other SKUs support UHD 630.

2. Unofficial working CPUs

Intel CC150

This CPU is basically a rebranded i9 i9900 without boost, its locked at 3.5 GHz. Since its so cheap to get this is my preferred choice. It does NOT have integrated graphics. So for BIOS and GUI you need a dedicated GPU

Benchmark 7zz b:

1T CPU Freq (MHz):  3483  3486  3485  3486  3485  3486  3486
8T CPU Freq (MHz): 793% 3472   799% 3481  

RAM size:   31967 MB,  # CPU hardware threads:  16
RAM usage:   3559 MB,  # Benchmark threads:     16

                       Compressing  |                  Decompressing
Dict     Speed Usage    R/U Rating  |      Speed Usage    R/U Rating
         KiB/s     %   MIPS   MIPS  |      KiB/s     %   MIPS   MIPS

22:      51005  1265   3923  49618  |     492776  1588   2645  42019
23:      51539  1411   3722  52513  |     487683  1588   2656  42188
24:      48704  1397   3750  52367  |     481717  1589   2661  42267
25:      48175  1448   3799  55005  |     474093  1586   2660  42180
----------------------------------  | ------------------------------
Avr:     49856  1380   3798  52376  |     484068  1588   2655  42164
Tot:            1484   3227  47270

ThinkCentre BIOS Unlock / Mod - [14.11.2024]

Introduction

This guide will explain all steps necessary to Unlock or Mod a Lenovo BIOS. The guide might work for other Mainboards/BIOS too but its not guaranteed.

Step 1 - Dump BIOS

Step 1.1: Identify BIOS Chip

Identify whether you have a single or split BIOS:

Main BIOS Chip: Winbond 25Q128FV or compatible
EC/ME BIOS Chip: Winbond 25Q64FV or compatible

Lenovo ThinkCentre Mainboard

Step 1.2 Desolder BIOS Chips

note

Skip this step if you have a single BIOS

If you have two BIOS Chips you need to desolder both of them. It's not possible to get a proper dump of the BIOS Chips because of the Embedded Controller.

Lenovo Thinkcentre Mainboard Desoldered BIOS

Step 1.2.1 Connect CH341a

Connect the CH341a programmer to the BIOS Chip (either directly to the Mainboard or to an external reader). Desoldered EEPROM CH341a connection

Step 1.3 - Dump BIOS via flashrom (or similar)

caution

Dump BIOS TWICE and compare checksums

Dump single BIOS

flashrom -p ch341a_spi -r bios_main.bin

md5sum bios_main.bin

Dump split BIOS
Connect Main BIOS Chip
flashrom -p ch341a_spi -r bios_first.bin

md5sum bios_first.bin
Connect EC/ME BIOS Chip
flashrom -p ch341a_spi -r bios_second.bin

md5sum bios_second.bin

Step 1.4 - Backup BIOS dump

warning

If the BIOS gets corrupted without a backup, your Mainboard becomes a paperweight.

Backup the previously dumped BIOS binaries to a safe location.

Step 1.5 - Merge BIOS dump

note

Skip this step if you have a single BIOS

This will effectively combine the split BIOS to a single BIOS dump.

cat bios_first.bin bios_second.bin > bios_main.bin

Step 2 - Prepare BIOS for Modding / Unlocking

Step 2.1 - Import Dump

Open bios_main.bin in UEFITool NE.

UEFITool Import

Step 2.2 - Find UI Section

Search (CTRL + F) for a known setting, e.g. "cpu setup" in the "Text" tab. UEFITool Search 1

Double-click the reference to Setup/PE32 image section at the bottom. UEFITool Search 1 Result

Step 2.3 - Extract BIOS Section

Extract PE32 image section "as is". UEFITool PE32 Extract

Scroll down inside the currently expanded section and find AMITSE and setupdata UEFITool AMITSE Search

Extract AMITSE PE32 image section "as is". UEFITool AMITSE Extract

Extract setupdata setupdata "body". UEFITool Setupdata Extract

Step 2.4 - Extract IFR Data

Move ifrextractor to the current folder, open the CLI inside and convert the first .sct file you extracted.

./ifrextractor "Section_PE32_image_Setup_Setup.sct" verbose

Step 3 - Modding / Unlocking BIOS

Step 3.1 - Modify BIOS in UEFI Web Editor

Upload the extracted files to UEFI Web Editor.
Find the option you want to unlock or edit. Navigate UEFI Editor
Click the Suppress If Hex Value on the option you want to enable (here Advanced) in the BIOS.

note

You might also want to unlock the Chipset Section under Decives to be able to disable FPRR (Flash Protection Range Registers) later.

Click the "UEFI Files" button on the bottom of the page to download the modified BIOS section and the changelog.

Step 3.2 - Write modified Section to BIOS dump

Open the untouched bios_main.bin in UEFITool 0.28.0

To find the correct section in UEFITool 0.28.0, you can search for the GUID which you get from UEFITool NE. UEFITool_guid UEFITool_guid_search

Replace the section the same way you extracted them in UEFITool NE (Extract as is -> Replace as is on the PE32 image section): UEFITool GUID Replace

It should say PE32 image section Remove and PE32 image section Replace UEFITool_guid_replace_view

Save the modified BIOS as bios_main_mod.bin. UEFITool Save Unlock

Step 3.3 - Additional mods

Now its time to make additional modifications to the BIOS. e.g. unlock the FD Unlock FD (winraid.level1techs.com)

Screenshot winraid.level1techs.com

Step 4 - Flash BIOS

Step 4.1 - Split BIOS

note

Skip this step if you have a single BIOS

Prepare Main BIOS Chip file

dd if=bios_merged_mod.bin of=bios_first_mod.bin bs=1M count=16

Prepare EC/ME BIOS Chip file

dd if=bios_merged_mod.bin of=bios_second_mod.bin bs=1M skip=16

Step 4.2 - Connect CH341a

Connect the CH341a programmer to the BIOS Chip (again either directly or to the desoldered Chips)

CH341a connection

Step 4.3 - Flash BIOS via flashrom (or similar)

Flash single BIOS

flashrom -p ch341a_spi -w bios_main_mod.bin

Flash split BIOS

25Q128FV > bios_first_mod.bin (16MB)

25Q64FV > bios_second_mod.bin (8MB)
Connect Main BIOS Chip
flashrom -p ch341a_spi -w bios_first_mod.bin
Connect EC/ME BIOS Chip
flashrom -p ch341a_spi -w bios_second_mod.bin

Step 4.4 - Solder BIOS Chips

note

Skip this step if you have a single BIOS

Solder the BIOS Chips back to the Mainboard Check Step 1.1

Step 5 - Test Modded BIOS

Step 5.1

Disconnect CH341a programmer and connect the Power Supply.

Press F1 to enter BIOS.

The ThinkCentre should now have the new unlocked BIOS Settings.

note

If your ThinkCentre should not start anymore or beep (in my case 3x long 1x short), something went wrong. You should try to erase and flash the original bios_main.bin or bios_(first/second).bin again to test it with the original dumps.

Bios Advanced Settings

Step 6 - Unlock Full Power

important

This section is dangerous. Im not yet 100% sure how everything works!

Step 6.1 - Disable 800Mhz Throttle caused by BD PROCHOT

[ Section updated on 14.11.2024 ]

You can disable the BD PROCHOT in the BIOS under Advanced > Advanced > Thermal Configuration > Cpu Thermal Configuration > Bi-directional PROCHOT#

This setting is there so every part of the System can call the CPU to throttle to 800Mhz.

Disabling it will make the CPU Throttle only at 100°C

ALTERNATIVE (now preferred by myself):

You can also control BD PROCHOT from the OS. I wrote a small script which runs after boot.

note

Requirements:

disable Secure Boot
install msr-tools

#!/bin/bash

# default 2883677 (PROCHOT ON)

# Check if argument is provided
if [ $# -ne 1 ]; then
    echo "Usage: $0 <0|1>"
    echo "  0 - Turn off PROCHOT (disable throttling)"
    echo "  1 - Turn on PROCHOT"
    exit 1
fi

# Load MSR module if not loaded
if ! lsmod | grep -wq msr; then
    modprobe msr
fi

# Read current value from MSR
current_value=$(rdmsr 0x1FC)

# Convert hexadecimal to decimal
current_id=$(printf "%d" 0x$current_value)

# Decide whether to turn on or off PROCHOT
if [ "$1" -eq 0 ]; then
    echo "Turning off PROCHOT"
    new_id=$((current_id & ~1))  # Set LSB to 0
elif [ "$1" -eq 1 ]; then
    echo "Turning on PROCHOT"
    new_id=$((current_id | 1))  # Set LSB to 1
else
    echo "Invalid argument: $1"
    exit 1
fi

# Write new value to MSR
wrmsr 0x1FC $new_id

MISSING

How to change the TDP
How to flash the BIOS via FPT (currently throws Error 167)

Conclusion

There are always more options to explore and unlock. But be careful not to destroy anything.

I take no responsibility if something goes wrong when you follow this guide.

If you have any suggestions for improvement or feedback contact me via [email protected]

ESP32

Topics

LILYGO T-Beam // NEO-6M

LILYGO T-Beam // NEO-6M

void sendPacket(byte *packet, byte len)
{
    for (byte i = 0; i < len; i++)
    {
        GPSSerial.write(packet[i]);
    }
}

void setup() {
    GPSSerial.begin(9600, SERIAL_8N1, GPS_RX, GPS_TX);

    byte payload[14] = {0xB5,0x62,0x06,0x08,0x06,0x00,0xE8,0x03,0x01,0x00,0x01,0x00,0x01,0x39};
    sendPacket(payload, sizeof(payload));

    GPSSerial.end();

    GPSSerial.begin(115200, SERIAL_8N1, GPS_RX, GPS_TX);)
}

void loop() {
}

DOCS: