1 - 20 of 260 Posts

kefi · Registered · 61 Posts
Discussion starter · #1 · (Edited)
Hey overclockers. I recently got back into building PCs and overclocking after 5 or so years and realized I couldn't flash my ASUS 4090 TUF OC edition to the 1000W XOC BIOS as planned due to 'Board ID mismatch'. There were patched versions of nvflash floating around back in my day, but nothing for this series. Luckily I'm a software engineer with some reverse engineering chops, so I just went ahead and patched nvflash myself. Turns out this was something a lot of people needed, especially for turning their 1.07v cards back into 1.1v cards!

How's it work?
When you go to flash a vBIOS to a GPU, nvflash double checks a few parameters (don't quote me on this, guessing a lot):
  • GPU PCI Device ID (GPU chip, i.e. 2xxx/3xxx/4xxx) - You'll see this if you try flashing across series
  • PCI Subsystem ID (PCB ID) - You'll see this for any non-standard vBIOS
  • Board ID (PCB+GPU ID) - You'll usually see this on XOC bios or where the GPU was revised but the PCB remained the same (i.e. 1.07v 4090 revision)
  • Hierarchy (Unknown, potentially Lovelace/Turing/etc) - Dunno when you see this
  • A couple other minor items that appear to just be software-defined metadata
I managed to locate a backdoor of sorts that nVidia implemented to have a 'mismatch bypass', and I have forced that bypass to be enabled at all times when using the -6 parameter. This makes this a very, very dangerous version of nvflash. It will attempt to flash anything to anything. Literally - you can try to flash a 3060 XOC BIOS to a 4090 FE, even. We now know it won't work and will just say 'Nothing happened!', but it will try!

nvflashk will still confirm you want to perform those bypasses and only when they're necessary, unlike former versions of patched nvflash that used a simpler board ID bypass. I've also added some warnings and a harmless touch of my humor to some messages. It is otherwise a fully normal, fully functioning nvflash.

Note that this doesn't mean your GPU will actually boot the BIOS you decide to flash, it just means nvflashk will get it there. I've read about some signing stuff nVidia did with some cards that may cause issues, but you should always be able to flash back either way.

I don't believe this tool will allow you to flash uncertified/modified BIOSes yet, but I will check on that and work on it.

Where do I get it? How do I use it?
You can find it (and more detailed usage instructions) here: notfromstatefarm/nvflash (or on the releases page)

Proof it works?

Gains from going to a 1.1v BIOS:

Here's a video proving it works and upgrades the voltage on my card:

And even crazier, flashing a Founders Edition BIOS to my 4090 TUF:

For those worried about viruses or whatever, feel free to compare the binaries. You should only see a handful of string changes and a couple of shifted/NOP'd instructions. Filesize is identical. Nothing that could constitute a virus. Or just don't use it and stay slow. 💓

Contribute!
If you guys manage to flash anything that hasn't been tried before (and currently that's most things), please post and let us know so I can add it to the README!
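The "compare the binaries" check suggested above, as an added example that is not part of the original post or of the nvflashk project: a small Python script that diffs a patched executable against the original byte by byte, merges nearby changes into hunks and tags each one as a NOP fill, a same-length string swap or other code. The two byte strings it ships with are a constructed stand-in for an executable, not bytes taken from nvflash; the offsets, the message text and the je-to-nop patch are illustrative only.

```python
"""Added example (not from the original post or the nvflashk project):
compare a patched executable with its original byte by byte and classify
every changed run, so "only a few strings and NOP'd instructions differ"
can be checked rather than trusted."""
from __future__ import annotations

import hashlib
import sys
from dataclasses import dataclass
from pathlib import Path


def _texty(data: bytes) -> bool:
    """True for printable ASCII (NUL padding allowed), i.e. a string edit."""
    return bool(data.strip(b"\0")) and all(b == 0 or 0x20 <= b < 0x7F for b in data)


@dataclass
class Hunk:
    offset: int   # byte offset of the first changed byte
    old: bytes    # bytes in the original
    new: bytes    # bytes in the patched copy

    @property
    def kind(self) -> str:
        if all(b == 0x90 for b in self.new):
            return "nop"        # x86 single-byte NOP fill over the old bytes
        if _texty(self.old) and _texty(self.new):
            return "string"
        return "code"           # anything else: look at it in a disassembler


def diff_binaries(orig: bytes, patched: bytes, max_gap: int = 3) -> list[Hunk]:
    """Return the changed runs. Differing bytes separated by at most
    max_gap equal bytes are merged, so a rewritten message shows up as one
    hunk even where a few characters happen to match."""
    if len(orig) != len(patched):
        raise ValueError(f"size differs: {len(orig)} vs {len(patched)} bytes")
    hunks: list[Hunk] = []
    start = last = None
    for i, (a, b) in enumerate(zip(orig, patched)):
        if a == b:
            continue
        if start is not None and i - last - 1 > max_gap:
            hunks.append(Hunk(start, orig[start:last + 1], patched[start:last + 1]))
            start = None
        if start is None:
            start = i
        last = i
    if start is not None:
        hunks.append(Hunk(start, orig[start:last + 1], patched[start:last + 1]))
    return hunks


def report(orig: bytes, patched: bytes) -> list[str]:
    """Hashes of both files plus one line per hunk: offset, kind, old -> new."""
    lines = [f"sha256 original: {hashlib.sha256(orig).hexdigest()}",
             f"sha256 patched:  {hashlib.sha256(patched).hexdigest()}"]
    for h in diff_binaries(orig, patched):
        lines.append(f"0x{h.offset:08X} {h.kind:6} {h.old.hex()} -> {h.new.hex()}")
    return lines


# Constructed fixture standing in for an executable: one conditional jump and
# one message, then a copy with the jump NOP'd and the message rewritten.
ORIGINAL = (b"MZ" + bytes(62)
            + b"\x48\x8b\x05\x10\x00\x00\x00\x85\xc0\x74\x0a"   # mov / test / je +0x0a
            + bytes(16) + b"Board ID mismatch\0" + bytes(16))
_p = bytearray(ORIGINAL)
_p[73:75] = b"\x90\x90"                     # je -> nop nop: the branch is never taken
_p[91:108] = b"Board ID ignored!"           # same-length string swap
PATCHED = bytes(_p)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        a, b = (Path(p).read_bytes() for p in sys.argv[1:3])
    else:
        a, b = ORIGINAL, PATCHED
    print("\n".join(report(a, b)))
```

Run it with the original and the patched executable as the two arguments. A size difference, or any hunk tagged `code` that is larger than the couple of shifted instructions described above, is the cue to stop and disassemble that range before running the tool; the hashes pin the comparison to exact file versions.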
 
Discussion starter · #2 ·
It just occurred to me what ultimately led me to make this bypass in the first place... I couldn't flash the 1000W ASUS XOC BIOS solely because I had a 1.07v 4090. I thought it was just because it was some fancy XOC BIOS, but no, it's because I had a 1.07v. Other 4090s could run it. Another user had a 1.1v version and was able to flash it just fine without this tool. So, not only did NVIDIA neuter my voltage, they also made it more difficult for me to run these BIOSes, doubly screwing my overclocking efforts. Exactly what they did to some cards in the 2xxx and 3xxx series.

And now, with this tool, everyone can flash anything and the overclocking race is everyone's race again. :cool:
 
Discussion starter · #4 ·
Hey question, I should be able to flash my EVGA 3090 FTW3 ULTRA with the ASUS ROG STRIX 3090 OC EDITION bios right? Would that actually work? I don't want to brick my GPU. Thanks!
It should, in theory, work. We've flashed much crazier combinations already without consequence. You won't brick it just by flashing the BIOS alone, but keep an eye on thermals and power consumption when you first ramp it up just in case there was something weird in there. But I really doubt it - to my understanding these BIOS files seem to pretty much be glorified configuration files. As long as the GPU chip, memory, and power-pin configuration are the same they should be largely cross-compatible.
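The first of the checks listed in the opening post (the PCI device ID) and the cross-flash question answered above can be reproduced offline from a vBIOS dump: every PCI expansion-ROM image carries a "PCIR" data structure holding the vendor and device ID it was built for, in the layout fixed by the PCI Firmware Specification. The script below is an added example, not code from the original post or from nvflashk. It walks the chained images in a dump, reads those IDs, compares them to the card's, and can read the card's IDs from Linux sysfs. That nvflash compares exactly this field is an assumption; the subsystem and board IDs the thread discusses live elsewhere in the vBIOS and are not parsed here. The sample dump is constructed by build_rom, with 10DE:2684 used as a sample device ID.

```python
"""Added example (not from the original post or the nvflashk project):
walk the expansion-ROM images inside a vBIOS dump and compare each image's
PCIR vendor/device ID with the card it is about to be flashed to.

Layout follows the standard PCI expansion-ROM header and "PCIR" data
structure (PCI Firmware Specification); nothing NVIDIA-specific is parsed,
and that nvflash compares exactly this field is an assumption."""
from __future__ import annotations

import struct
import sys
from dataclasses import dataclass
from pathlib import Path

ROM_SIGNATURE = b"\x55\xAA"
PCIR_SIGNATURE = b"PCIR"
PCIR_PTR_OFFSET = 0x18       # 16-bit offset of the PCIR block, relative to the image start
PCIR_SIZE = 0x18             # bytes of the PCIR block we read
CODE_TYPES = {0x00: "x86 legacy", 0x01: "Open Firmware", 0x02: "HP PA-RISC", 0x03: "EFI"}


@dataclass
class RomImage:
    offset: int       # byte offset of this image inside the dump
    vendor_id: int
    device_id: int
    class_code: int   # 24-bit PCI class code (0x030000 = VGA-compatible display)
    code_type: int
    length: int       # bytes, from the PCIR image-length field (512-byte units)
    last: bool        # indicator bit 7 set: no further images follow


def parse_rom_images(rom: bytes) -> list[RomImage]:
    """Follow the image chain; raise ValueError on any structural problem
    rather than returning a half-parsed result."""
    images: list[RomImage] = []
    off = 0
    while off + PCIR_PTR_OFFSET + 2 <= len(rom):
        if rom[off:off + 2] != ROM_SIGNATURE:
            raise ValueError(f"no 55AA signature at 0x{off:X}")
        (pcir_rel,) = struct.unpack_from("<H", rom, off + PCIR_PTR_OFFSET)
        pcir = off + pcir_rel
        if rom[pcir:pcir + 4] != PCIR_SIGNATURE or pcir + PCIR_SIZE > len(rom):
            raise ValueError(f"no usable PCIR block at 0x{pcir:X}")
        vendor, device = struct.unpack_from("<HH", rom, pcir + 0x04)
        class_code = int.from_bytes(rom[pcir + 0x0D:pcir + 0x10], "little")
        (units,) = struct.unpack_from("<H", rom, pcir + 0x10)
        code_type = rom[pcir + 0x14]
        last = bool(rom[pcir + 0x15] & 0x80)
        length = units * 512
        if length == 0 or off + length > len(rom):
            raise ValueError(f"image at 0x{off:X} has bad length {length}")
        images.append(RomImage(off, vendor, device, class_code, code_type, length, last))
        if last:
            return images
        off += length
    raise ValueError("dump ends before the last image")


def check_ids(rom: bytes, card_vendor: int, card_device: int) -> list[str]:
    """One message per ID that differs; empty means every image matches the card."""
    problems = []
    for img in parse_rom_images(rom):
        kind = CODE_TYPES.get(img.code_type) or f"type 0x{img.code_type:02X}"
        where = f"{kind} image @0x{img.offset:X}"
        if img.vendor_id != card_vendor:
            problems.append(f"{where}: vendor {img.vendor_id:04X} != card {card_vendor:04X}")
        if img.device_id != card_device:
            problems.append(f"{where}: device {img.device_id:04X} != card {card_device:04X}")
    return problems


def read_card_ids(bdf: str) -> tuple[int, int]:
    """Vendor/device ID of a PCI function from Linux sysfs (bdf like '0000:01:00.0')."""
    base = Path("/sys/bus/pci/devices") / bdf
    return int((base / "vendor").read_text(), 16), int((base / "device").read_text(), 16)


def build_rom(images: list[tuple[int, int, int, int]]) -> bytes:
    """Constructed fixture: (vendor, device, code_type, size_in_512B_units) per image."""
    out = bytearray()
    for n, (vendor, device, code_type, units) in enumerate(images):
        img = bytearray(units * 512)
        img[0:2] = ROM_SIGNATURE
        img[2] = units & 0xFF
        struct.pack_into("<H", img, PCIR_PTR_OFFSET, 0x40)
        indicator = 0x80 if n == len(images) - 1 else 0x00
        pcir = (struct.pack("<4sHHHHB", PCIR_SIGNATURE, vendor, device, 0, PCIR_SIZE, 3)
                + (0x030000).to_bytes(3, "little")
                + struct.pack("<HHBBH", units, 0, code_type, indicator, 0))
        img[0x40:0x40 + len(pcir)] = pcir
        out += img
    return bytes(out)


# Sample dump: an x86 legacy image followed by an EFI image, both built for
# 10DE:2684 (the public ID of the RTX 4090, used here only as a sample value).
SAMPLE_ROM = build_rom([(0x10DE, 0x2684, 0x00, 2), (0x10DE, 0x2684, 0x03, 4)])

if __name__ == "__main__":
    rom = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_ROM
    card = read_card_ids(sys.argv[2]) if len(sys.argv) > 2 else (0x10DE, 0x2684)
    for img in parse_rom_images(rom):
        print(f"@0x{img.offset:06X} {CODE_TYPES.get(img.code_type, '?'):11} "
              f"{img.vendor_id:04X}:{img.device_id:04X} len={img.length}")
    print("\n".join(check_ids(rom, *card)) or "IDs match")
```

Pass a saved vBIOS file as the first argument and, on Linux, the card's PCI address as the second to compare against the live device. A non-empty list from check_ids is the same situation the flashing tool refuses on; the parser also refuses truncated dumps and images that do not chain to a terminating image, since a partially saved ROM is the easiest way to end up flashing the wrong thing.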
 
Hey question, I should be able to flash my EVGA 3090 FTW3 ULTRA with the ASUS ROG STRIX 3090 OC EDITION bios right? Would that actually work? I don't want to brick my GPU. Thanks!
Full rebrand versions were floating around already.
What was missing is an Ada-aware BoardID mismatch check.

Meaning yes, given he included -6 to do (SSID, PCIID, BoardID), it will work.
If you fail with "XUSB FW patch downgrade failed", then it's his version being weak.

Try and post screenshots of the command and progress
No other way :)
 
There were patched versions of nvflash floating around back in my day, but nothing for this series. Luckily I'm a software engineer with some reverse engineering chops, so I just went ahead and patched nvflash myself. Turns out this was something a lot of people needed,

Haven't tested it. No idea what all I bypassed
Please list the date of your project file and your old sources that were your "inspirations".
You make it sound like you didn't look at anybody's exe and created the patch in one day ~ given no credits or any look back at user uploads.
With a fresh YouTube account, a fresh OCN account.
Only your GitHub account has some age, yet the project file is from the 18th Aug 2023.

It sounds very awkward that you "don't know" what you patched either.
Without changelogs or anything. Atypical for a developer.
 
2080Ti - non-A

Also you failed on newer vBIOSes that require a boardID change,
given you have no DevID bypass *

(n)
This is nonsense :)
You have to deal with Falcon if you want any sort of CID or BID (locked by XUSB FW and Falcon) rebrand.
Again, your release doesn't know how to work with XUSB FW nor chipID rebrands. It also needs communication with Falcon.
It will flash anything to anything. Literally - you can flash a 3060 XOC BIOS to a 4090 FE, even
(n)
Don't advertise nonsense please. I understand you are hyped, but;

This is how it should actually look:
2080ti Patch-A, lock gone & 2080ti non-A rebrand


And another illustration:
* 650 to GTX1030, 650 to GT740
Dev/ChipID & BoardID ~ just so we don't have random suspicions of me copying your stuff ;)


You are very much suspected of copying people's work without credit,
and rebranding it as yours.
Also advertising a Discord or YT channel with a company's property is ... awkward.

=======================================================
I expect to hear from you a proof of data, aka work & file stamp [project creation & modification date];
and as for you towards the community ~ to edit your hype posts, and remove that nonsense.

Currently you are suspected to have used leaked versions of several people's work,
yet didn't credit even one of them. There are around 5 people who worked on it past Kepler.
Zero credits given to any of your "inspirations".

I suspect a lot of my stuff was used too, but the BoardID patch was your own finding (credits given)
~ well, halfway; you missed a point on InfoROM :) else Turing wouldn't error with your tool.
If you copied the only person who had it figured out and confirmed (me, 2080Ti onwards) then you just copied badly.
 
Discussion starter · #11 · (Edited)
Currently you are suspected to have used leaked versions of several people's work,
yet didn't credit even one of them. There are around 5 people who worked on it past Kepler.
Zero credits given to any of your "inspirations".

I suspect a lot of my stuff was used too, but the BoardID patch was your own finding (credits given)
I made this in all of a little under two hours while messing around on Discord.




As you can see, I did it myself. I have my own patchfile. Feel free to do a binary diff. I got excited and wanted to help the community do what I'm doing. I'm actually landing on leaderboards and having fun with this and wanted others to do so too with their fancy toys, nothing more. I freshly registered on this site because I've never been a part of this community - someone linked to my Reddit thread from here and I wanted to answer questions.

You're right, you've found edge cases it doesn't support, and called out things I made educated guesses on and put in the README and may have been wrong about. I will update my descriptions of things accordingly and work on the failing cases once people provide me with the failing files. I have at least one card from every series in the past 10 years.

You could help me with what you clearly have knowledge on, instead of posting on my thread claiming I've stolen your work, despite you yourself admitting you've never seen this type of bypass done before. I always put in the README that there were edge cases we haven't tested like that, but for the majority of flashes people want to do today, this has unlocked them for the first time.

This isn't some extremely difficult thing to do, you know, especially when you do this for a living like I do. Backtrace from the CPP exception x64dbg automatically catches, go through the call stack, find out where it actually determines it's the board ID, and work out from there until you find the closest possible branch so the remaining logic remains the same. Add a couple hours time and here we are.
 


Why did you go from congratulating me and saying good job and all that to posting some **** like this?
Because I have to be honest, if suspicion exists.
I asked you normally for a timestamp of creation and a proof of work, before deciding what to do with my version.

You gave it and I'm thankful.
D*ck or not, the situation is just how it is.
Because I am harsh to you, it doesn't mean I wouldn't like to work with you.
But the main reason for changing thoughts was reading the way you market and advertise. And the way you wrote and pose with it.
That's the core reason of "why I changed my behavior" - or it at least might look that way.

I gave you criticism for points that I think are valid and do not match with reality.
I suspected you for specific reasons, because it's been many years past the last release on win-raid,
and then you come over stating you got "inspired by old files" but could not credit anybody + "don't know what you patched".
And it randomly appears at the same time when I post some good foundations but not the full versions of them. Exactly to prevent such events.
I made this in all of a little under two hours while bullshitting on Discord because people like you want to hold it to their chest for no good reason.
There is a reason, trust me.
The release of this ruined it for us all now.
But I can't stop you. I can tell you why, but can we talk normally?

I read the "f** you nvidia" and other swears,
but do you understand the consequences you created with this release? :)

I worked on it for over 2-digit months, this and on AMD's side.
I don't feel like owning either Turing or Ada.
I'm in possession of stuff from both companies that I shouldn't have.
And I'm friends with some people that got to work there xor work there since quite some time now.

Let me ask,
do you think I would have anything positive from keeping it to myself?
Please answer.

Do you think this is my only project on NVIDIA that is mid/done progress?
Flashing of cards is a bigger picture, and an unlocked nvflash was the core foundation of this.
It was crucially needed to support projects like:
[Official] NVIDIA RTX 3090 Owner's Club
[Official] NVIDIA RTX 3090 Owner's Club
[Official] NVIDIA RTX 3090 Owner's Club
And run around claiming its yours like you said you would with your snide little 'rebrand' comment.
Huh?
Rebrand, I was talking about card rebrand.
I know what I have and don't have. It's not the topic of comparison.
There is no need to look down on your work, nor compare my work that took me 100x longer than your work.
You are a skilled person and I learned from scratch. But this doesn't matter here :)
instead of posting on my thread claiming I've stolen your work
I am suspecting you with a reason.
You can understand this reason if you want to talk with me :)
I'm not purposely attacking you.
I was asking for a proof of timestamp, to know whose work you looked up and decompiled.
Yes, NVIDIA made it easy - but those are not "backdoors".

Nvflash works on a golden card system.
It can even create signatures and contact NVIDIA servers to sign cards.
It can be used for NVIDIA Shield devices and it can be/is used through FTP for headless machines like their AI farm SKUs.

Again, I'm not here to fight with you.
I totally will use you as the leaker for this.
But I hope I can try to explain to you what damage you just caused to consumers in releasing this.
Well, it's too late now, so I might as well publish and credit the people accordingly.

This story is not about me or you.
Anywho, had to ask - so I can know what timestamps to give and who to credit properly :)
Also the overclock Discord is ... well, people leak stuff there too and betray others.
Some people. Eh, anywho, we'll clear this up and I needed the confirmation I now got. Thank you for that :)
The congratulations still remain. I know it's not easy to decompile it.
 
Discussion starter · #13 · (Edited)
[quotes the previous reply in full]
Okay, cool. Let's work together and push it forward then. I came off a little harsh in my first edits too and turned it down. Understand this is an annoying thing to wake up to when you truly have not stolen anything and are excited about making it. I misunderstood the 'rebrand' comment - to me it sounded like you were joking about stealing my work :)

I know the potential that releasing this had for locking it down in the future, but frankly, if NVIDIA wants to go down that route they're going to one way or the other. We could've delayed till the 5000 series and had this same bypass; we will see what happens. I think we should let as many people enjoy what we have now instead of letting a few people enjoy it for longer. This tool still has enough massive warnings about how this is a really bad idea (I even edited in extra warnings) that I don't think they'll mind TOO much. Me saying 'f*** nvidia' is just me being silly, I'm a massive NVIDIA fanboy and do this because I love hacking on stuff.

The particularly interesting thing about this bypass is that it's not just me skipping over an if/else statement - they literally wrote this generic 'mismatch bypass' code in themselves. Hell, it is even generic so there can be multiple types of 'mismatch bypass'. It brings up additional confirmation prompts. I just could not find out how to invoke it with the command line - maybe it's looking in the BIOS file itself. So I simply forced the built-in bypasses on. It will be very easy for them to remove this from future versions of nvflash, but I think they and board manufacturers rely on it heavily during development. And I can always backport whatever card lookup tables they add to the new version, if necessary.
 
Okay, cool. Let's work together and push it forward then. I came off a little harsh in my first edits too and turned it down.
I will invite you later somewhere.
We needed more people and a developer was needed.

I think we can get along,
but let me try to explain to you what this release actually caused :)

I will post mine before the end of this day, and you have my permission to decompile and edit it ~ or I'll hand you over the mapped-out stuff.
It's too late anyway now, so I might as well go with it, now that the cat is out of the bag.

Two mapping-out attempts out of 200 more "actions/symbols" inside nvflash ~ 4.780
One as sorry for being harsh,
and one to prove I'm not a troll and just am extremely suspicious of people, especially from your server,
who just release something on the same day when I post some done foundations :)
Version-to-version patching is not very time consuming. Finding & mapping it out is actually the hard part.

Sorry :)
Let's talk tomorrow more~
I'll be sure to mention all your work and the timestamps before I publish mine.
As for the other stuff, I need to be careful ~ but you'll understand.
 
[quotes kefi's post #13 above]
Exactly, and I appreciate that you released it to the community. It's going to help so many that have gotten the middle finger with 1.07v cards vs. if they had purchased earlier on.
 
Discussion starter · #16 ·
[quotes the previous reply in full]
Well, I'm sorry if I threw a wrench in something bigger. I'm sure there's so much more to discover within nvflash and I had no idea what was happening at large. Honestly, I'm barely part of any community. I just put that Discord link there so people had a way to get to me and tell me how it's working, since that was where I've had the most discussion lately. I would've linked here instead had I been here first. I have been out of the scene for 5 years taking care of my new kids and this was my first build in years. I just wanted to take what I bought to the absolute limit with the skills I have and quickly ran to share this amazing thing I discovered.
 
@kefi 🙇‍♂️🤝 ?
Well, I'm sorry if I threw a wrench in something bigger. I'm sure there's so much more to discover within nvflash and I had no idea what was happening at large
I'm sorry for being so critical of you.
It will clear up in a bit :)

Part of the reason for silence is to give us a bit of playroom.
XUSB FW (patch) is a one-way SW EEPROM access lock, which is handled by Falcon.
If Falcon doesn't listen, we public people basically can't do anything anymore.
The XUSB FW patch is supplied by newer vBIOS versions and hard-locks partitions of EEPROM + blows a fuse.

It was a mistake from me to even post the weak/half-done version which overrides the ISSI/Galax patch.
But here we are now, so let's be faster than NVIDIA.
I can pretty much promise you that both will face consequences, and every NVIDIA user too.
That 1.1v "limit" was nothing; see, you could even patch it without being XUSB FW halted. They forgot. But now it's too late;
Eh, at least till the 2000 series we can mod stuff, and past that, ... I should be quiet now 🤭
==============================================================
This is the actually hard part (old pic)

This! is level 1 of the actually hard part. The 4080/4090 didn't have it, so you could just BoardID patch/force it.
Past your release I can promise you that every card will be locked now ~ including Ada v2 (5000 series). We should've waited~
I'm through it, but yeah, give me one day ~ can't talk atm.

NVIDIA GPUs are RISC-V ecosystems on their own custom OS. AMD GPUs are ARM Cortex ecosystems.
In order to unlock it, you have to rewrite the core itself. So that Falcon listens to you . . .
Mocking NVIDIA now with the BoardID patch was just not the right time.
Anywho, I actually got this since the last couple of days~
 
Discussion starter · #19 ·
[quotes the previous reply in full]
I see your point now. I obviously had no idea this research was going on, but I guess we better work fast!
 