• How to patch BIOS to enable SPD Write capability on Intel 8 Series and higher Chipset Family PCH

Publication 1.1 / May 4, 2015


With release of 8 Series/C220 Series Chipset Family Platform Controller Hub (PCH) Intel introduce a great surprise for all of us. Now writes to SMBus addresses 50h - 57h are disabled by default via SMBus Host Controller registers. The “SPD Write Disable” feature is implemented within Intel 9 Series Chipset Family PCH and X99 Chipset PCH as well. This means Intel does not want SPD to be programmed any more. In some cases it was the only way to increase the memory bandwidth on notebooks. Unfortunately, software can’t temporarily bypass this restriction in Windows session. The only working solution is to modify BIOS.

So, if we open the Intel 8 Series PCH datasheet (public edition) on page 667 we will find that the Host Configuration Register (HOSTC) of the SMBus Controller uses bit 4 called “SPD Write Disable” that was previously reserved. According to the bit description it should be set to “1”. ASUS, MSI, Biostar and other motherboard manufacturers meet this requirement, although ASRock, for example, does not protect SPD from programming within BIOS firmware. This bit can be cleared by on PLTRST# assertion only. PLTRST# is a platform reset. The PCH asserts this signal to reset devices on the platform (such as SIO, FWH, LAN, processor, and so on). The PCH asserts PLTRST# during power-up and when software initiates a hard reset sequence through the Reset Control register (I/O port CF9h). Unfortunately, our investigations confirmed that the bit is set by BIOS again once the hard reset has been initiated. So, our goal is to modify BIOS firmware the way it does not set bit 4 of the HOSTC register.

Practical part

OK, we have downloaded the latest BIOS update file for the ASUS H97-PRO Gamer motherboard for our experiment. Also, we will use UEFITool 0.20.4 utility to edit BIOS sections and QView 2.90 file editor for viewing and patching extracted BIOS section files. You can use any other HEX editor if you are not familiar with QView. But this tool is good at disassembling which we need to examine BIOS code. Keep in mind that any attempt to lunch QView on 64-bit Windows fails. In this case you can use a simple utility of HxD.

After running UEFITool, go to the “File” main menu and select “Open image file…” to open your downloaded BIOS firmware file. From the “File” main menu select “Search…” to call the Search dialog box. Activate the “Text” tab and enter “SmBusPei” without quotes to find this entrance. Click OK.

UEFITool SmBusPei search

UEFITool should find a module that contains PE32 image with routines for SMBus Host Controller initialization. Double click on the “Unicode text "SmBusPei" found in User interface section at offset 0h” string to open the found node in the modules tree. Right-click on the “PE32 image section” and select “Extract as is…” to save it to file.

UEFITool PE32 image extraction

Do not close UEFITool since you will need it to perform the final step.

The next step is to patch the SMBus PE32 section file. But before patching we need any search criterion. According to the Intel 8 Series PCH datasheet SMBus Host Controller registers are located in the PCI configuration space at address “Bus:0, Device:1F, Function:3” and the HOSTC register has address 40h. To access this location in the memory mapped space software encodes both the addresses using the specific formula: PCIEXBAR+(Bus number[27:20]) +(Device number[19:15])+(Function number[14:12])+(Register number[11:0]), where PCIEXBAR stands for PCI Express Register Range Base Address Register which may be set to F8000000h or F0000000h by default. After encoding the search criterion would be “F80BF040” or “F00BF040”.

Now you can run QView utility to find something that matches our search criterion. After running QView, press Alt+D to select the drive letter where the SMBus PE32 section file is saved. Since it is a 16-bit application, please ignore any warning Windows messages. Press Alt+F to select and open the section file. Press F7 to call the search string dialog box and enter BF40B00F as HEX code to be searched.

QView Search

QView will find this string as shown below.

QView Search

Switch from the HEX mode to the Assembler mode by pressing F4 key. Activate 32-bit code addressing by pressing F2 key and move the cursor a few lines above by using up arrow key. Your result should look like as shown below.

QView Search

Everything you need is to change “push 00000018” to “push 00000008”. OK, enable code editing by pressing Alt+F3. “Edit ON” must be displayed when you hold Alt key and press down F3 key. Edit opcode “6A18” to “6A08”. Press Alt+F9 to save changes. Now you can close QView by pressing Esc key. Patching is done!

So, what has been actually done? 18h is a value to be programmed to the HOSTC register of the SMBus Host Controller by BIOS. In binary 18h is 11000b, where bit 3 (Soft SMBus Reset) and bit 4 (SPD Write Disable) are set to “1”. We have cleared bit 4 to let the SMBus Host Controller normally operate and respond to SPD Write commands being initiated by software.

The final step is to replace existing PE32 image section of the BIOS firmware file with the patched one. Activate UEFITool window, right-click on the “PE image section” again and select “Replace as is…”.

UEFITool PE32 image extraction

Open the directory were your patched PE32 section file is located and select it. Don’t worry if UEFITool shows two “PE32 image section” nodes. Now save the edited BIOS image file by pressing Ctrl+S.

Your BIOS firmware file is ready to be flashed.

Alternative patching with HxD

Open the SMBus PE32 section file you have extracted. From the “File” main menu select “Find” to call the Find dialog. Enter BF40B00F in the “Search for” string, select “Hex-values” from the “Datatype” dropped-down list.

HxD Search Dialog

Click “OK”. HxD should find and highlight the found string.

HxD Search result

Now move the cursor to two bytes left to offset D47 and change its value from 18h to 08h.

HxD Search result

Save the SMBus PE32 section file.


Project by Vitaliy Jungle
Copyright © 2008 Showshock Softnology
All Rights Reserved

Company Location
Warsaw, Republic of Poland