2021-02-21

Temporarily Removing Read-Only Attribute of Some Disposable USB Flip Cards

Many corporate conferences use(d) cheap branded, read-only flip card style USB flash drives to distribute demo software or other marketing materials.  These are set to read-only, limiting their utility as low/no cost disposable play storage.  Using undocumented vendor specific commands, this oversight can sometimes *temporarily*¹ be remedied.  

¹ Needs to be done every time device is plugged in. This method uses an undocumented SCSI command to write to ram. There's another undocumented SSCI command to write a sector to flash, currently unknown.  

tl;dr:  

eject /dev/sdX

sg_raw -v -v -v -R -s 0 /dev/sdX F1 0C F6 9B 70 00 00 00 00 00 00 00

eject /dev/sdX

Requirements

sg3_utils:

sudo apt-get install on pi   

and sometimes necessary: sudo apt-get install eject  

Source:  sg3_utils

Read-only (Flip Card) USB Flash Drive:

(Intel) Flip card

Example for sale:  usb0218gb-8gb-flip-card-printed-usb-flash-drives


The particular 2gb Intel credit card thumbdrive variant explored here contained an auto-opened link for Parallel Studio XE and used <1mb of the capacity of the drive:

      <a href="https://software.intel.com/en-us/intel-parallel-studio-xe?utm_campaign=DPD&amp;utm_source=Collateral%20Resources%20USB&amp;utm_content=Parallel%20Studio%20Buy%20Now" target="_blank"><img src="img/learn_more.jpg" alt="Learn more &rsaquo;" /></a>

Contents:                   

32K     ./img/box1.jpg
32K     ./img/box2.jpg
64K     ./img/box3.jpg
64K     ./img/box4.jpg
32K     ./img/box5.jpg
32K     ./img/box6.jpg
32K     ./img/buy_now.jpg
32K     ./img/evaluate_now.jpg
32K     ./img/intel_logo.jpg
32K     ./img/learn_more.jpg
32K     ./img/page_bg.jpg
32K     ./img/parallel_universe_magazine.jpg
32K     ./img/product_support.jpg
32K     ./img/Thumbs.db
32K     ./img/twitter_handle.jpg
576K    ./img
64K     ./OpenFile/STARTDOC.EXE
32K     ./OpenFile/STARTDOC.INF
128K    ./OpenFile
32K     ./AUTORUN.INF
64K     ./collateral.ico
32K     ./start.htm
864K

Initial mount

[ 37895007.597355] usb 1-1.4: new high-speed USB device number 4 using dwc_otg
[37895007.730866] usb 1-1.4: New USB device found, idVendor=1234, idProduct=1234, bcdDevice=11.00
[37895007.730883] usb 1-1.4: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[37895007.730893] usb 1-1.4: Product: 1234567812345678
[37895007.730903] usb 1-1.4: Manufacturer: 12345678
[37895007.731764] usb-storage 1-1.4:1.0: USB Mass Storage device detected
[37895007.735346] scsi host0: usb-storage 1-1.4:1.0
[37895007.790833] usbcore: registered new interface driver uas
[37895008.868174] scsi 0:0:0:0: Direct-Access     12345678 1234567812345678 1100 PQ: 0 ANSI: 4
[37895008.894264] sd 0:0:0:0: Attached scsi generic sg0 type 0
[37895008.968555] sd 0:0:0:0: [sda] 3893248 512-byte logical blocks: (1.99 GB/1.86 GiB)
[37895008.971146] sd 0:0:0:0: [sda] Write Protect is on
[37895008.971198] sd 0:0:0:0: [sda] Mode Sense: 43 00 80 00
[37895008.971384] sd 0:0:0:0: [sda] 3893248 512-byte logical blocks: (1.99 GB/1.86 GiB)
[37895008.972061] sd 0:0:0:0: [sda] Attached SCSI removable disk
[37895008.981651]  sda: sda1

Query and Modify

Linux

Query

# sg_raw -v -v -v -R -n -r 1024 -o id.bin /dev/sda F0 04 00 00 00 00 00 00 00 00 00 02

Attempt to decode cdb name: Vendor specific [0xf0]
open /dev/sda with flags=0x800
    cdb to send: f0 04 00 00 00 00 00 00 00 00 00 02
    Command name: Vendor specific [0xf0]
sense_buffer=0x7ea5a4d4, length=32
dxfer_buffer_in=0x122e000, length=1024
SCSI Status: Good
Writing 1024 bytes of data to .bin
No errors

Check for expected SMI controller:  

# strings id.bin | grep SMI

  2013-02-26  SM3257ENLTBA   SMI32X

Or look in-situ:  

# xxd -s 32 -l 35 -u -c 32 id.bin

00000020: 2020 3230 3133 2D30 322D 3236 2020 534D 3332 3537 454E 4C54 4241 2020 2053 4D49    2013-02-26  SM3257ENLTBA   SMI
00000040: 3332 58                                                                            32X

Disable Read-only

Send a stop command:  

# eject /dev/sdb

Send vendor command:  

# sg_raw -v -v -v -R -s 0 /dev/sda F1 0C F6 9B 70 00 00 00 00 00 00 00

Attempt to decode cdb name: Vendor specific [0xf1]
open /dev/sda with flags=0x800
    cdb to send: f1 0c f6 9b 70 00 00 00 00 00 00 00
    Command name: Vendor specific [0xf1]
sense_buffer=0x7ed16514, length=32
dxfer_buffer_out=0x1a10000, length=0
SCSI Status: Good

Re-attach:  

# eject /dev/sda

[37955283.370850] sd 0:0:0:0: [sda] 3893248 512-byte logical blocks: (1.99 GB/1.86 GiB)
[37955283.371530] sd 0:0:0:0: [sda] Write Protect is off
[37955283.371544] sd 0:0:0:0: [sda] Mode Sense: 43 00 00 00
[37955283.374875]  sda: sda1

Explanation about the ejects:  

eject 1 tells the PI that it's 'gone', but it's still plugged in  

eject 2 should tell the PI, "I'm baaack!"  

Behind the scenes, SCSI actually has a 'start'/'stop' command - and it causes a 'media changed' response  - this means the kernel treats it as if you plugged an SD card into an external reader, and re-scans -- and this time, the response to the "INQUIRY" command says "I'm writable", and Linux is happy  

Testing Write

dd if=systemrescue-9.03-i686.iso of=/dev/sda bs=8M status=progress

794820608 bytes (795 MB, 758 MiB) copied, 152.078 s, 5.2 MB/s
94+1 records in
94+1 records out
794820608 bytes (795 MB, 758 MiB) copied, 180.895 s, 4.4 MB/s
du -ahd 1

2.0K    ./autorun
2.1M    ./boot
2.9M    ./EFI
162K    ./isolinux
752M    ./sysresccd
2.5K    ./sysrescue.d
757M    .

Windows 

> sg_scan

PD0     [L]     ST2000DM001-1CH164 ...
PD1     [C]     PCIe SSD  E8FM11.6 ...
PD2     [D]     Seagate   Backup+ Desk ...
PD3             Msft      Virtual Disk      1.0
PD4             12345678  1234567812345678  1100

> sg_ident PD4  

No output... 

Note: sg_stop doesn't work, need --eject:  

> sg_start --eject PD4

> sg_raw -v -v -v -R -s 0 PD4 F1 0C F6 9B 70 00 00 00 00 00 00 00

Attempt to decode cdb name: Vendor specific [0xf1]
    cdb to send: f1 0c f6 9b 70 00 00 00 00 00 00 00
    Command name: Vendor specific [0xf1]
sense_buffer=000000000065F9E0, length=32
dxfer_buffer_out=00000000001DB000, length=0
SCSI Status: Good
No errors

Re-attach:  

> sg_start --start PD4

Note: Rufus won't write drive: Alt-Z to zero it.  

Other notes:  Some systems seem to have issues booting when it's written this way, leaving this just as a way to put some small amount of information on flash and "protect" it (say, a password database).  

Unfinished Notes / Unsorted Dump

Questions

1.  What are the right parameters to 'write flash' (F1 01), does it need a block-erase first, or does it do that as part of its operation
        More concretely - what are the sequences of bytes sent to Port 19h (eg, 0 <1 byte>, 1 < 10 bytes?> 4 <2 bytes>)
2.  Why do ports 19h and 88h/89h both seem to have something to do with flash data cycles
        (Port 88/Port 89 is used to 'Read Flash ID" (command 0x90/0x00), port 19 seems to be used for just about everything else.

 Memory Map

    0000    - 2013-02-026 SM3257ENLTBA SMI32x
    8000    - Buffer (?)
    9000    - Buffer (???)
                    Max read is 8KB (10h)
    A000    - Used as code target?
    B000    - ??
    C000    - SM3257ENU 141027-SLC C00D version string
    D000    - Bank switched based on 7C.5 ?
    DBF0    - 20091116 rwcmd
    DC00    - ?
    DFF0    - 20070102 SETOP2
    E000    - 4 banks (7C.3,4) WMP ??
    F000    - 20091116 ISP1k ?

Port notes:  

    50      USB status/control
            .1 direction (0=send,1=recv)
            .0 active (set to 1, wait for clear)

    70      ? status of some sort
            .1   Code 1C87 waits on (SRC is C0_00, uses 71)
            .2   Code_1ea0 waits for clear
                    71 - used by .1 mode?  (memfill?)
    72,73,74,75,76,77  <= R4, R5, R6, R7, R2, R3
                    0xE0, 0, 0x80, 0, 2, 0
                    R6:R7 = Dest (80_00) R2:R3 = length, R4:R5 = src
                    72 = SRC HIGH   (Must be C0 for memfill?)
                    73 = SRC LOW    (should  be 00 for memfill??)
                    74 = Dest High
                    75 = Dest Low
                    76 = length high
                    77 = Length low
                    70.2 = 1
                    wait for 70.2 to be clear
    7C      ? Control
            .5      ? Bank switch for D0??
            .4      set in BA6
            .3      set in BAF
            .2,.1,.0        bank switching?

Generating a dump (without bank switching) Dump all RAM (64k?)

for ((ii=0; ii < 256;ii+=4)); do sg_raw -v -v -v -R -n -r 1024 -o $ii.bin /dev/sg7 F0 04 `printf "%02x" $ii` 00 00 00 00 00 00 00 00 02 ; done
(for ((ii=0; ii < 256;ii+=4)); do echo $ii.bin; done) | xargs cat > map.bin

This just does 1024 bytes at a time

2020-02-20

How-To: Fix Incorrect Function When Sharing via Windows SMB

Problem Summary

Trying to create an SMB file share on Windows ( from at least Vista onwards) results in an error message due to a missing firewall rule, even if the Windows Firewall is disabled(?!), managed (as with TinyWall) or replaced with another firewall application altogether.  

Windows Incorrect Function Error
An error occurred while trying to share FOLDER. Incorrect function.   The shared resource was not created at this time.  


Solution  

Recreate the required missing firewall rule FPS-SMB-In-TCP, which seems to be the only one necessary. 

Add REG_SZ FPS-SMB-In-TCP to 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules 

with the value of:

v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|LPort=445|RA4=LocalSubnet|RA6=LocalSubnet|App=System|Name=@FirewallAPI.dll,-28511|Desc=@FirewallAPI.dll,-28514|EmbedCtxt=@FirewallAPI.dll,-28502|

Or save the following to incorrect_function_fix.reg and merge it to the registry:

Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"FPS-SMB-In-TCP"="v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|LPort=445|RA4=LocalSubnet|RA6=LocalSubnet|App=System|Name=@FirewallAPI.dll,-28511|Desc=@FirewallAPI.dll,-28514|EmbedCtxt=@FirewallAPI.dll,-28502|"

Proper Rules in Windows Firewall



Reference

This was one of the few useful posts when trying to find a resolution to this issue, though it erroneously identifies the Echo Request as the culprit: Fix: Cannot Share Folder 

2016-05-11

Notes - BIOS MOD - NVME Native Boot on Intel DZ77BH-55K

Problem: Intel BIOSes locked, can't flash modified via software without difficulty.
Solution: Direct write via test clip and Raspberry PI.

Equipment:
- Macronix MX25L6406E Datasheet: http://www.macronix.com/Lists/Datasheet/Attachments/7370/MX25L6406E,%203V,%2064Mb,%20v1.9.pdf
- Pomona 5250 Test Clip
  * Issues with knock-offs: pins too close, contacts don't mate with chip
- Raspberry PI  (Ref: https://pinout.xyz/pinout/spi)
  * Instructions: https://tomvanveen.eu/flashing-bios-chip-raspberry-pi/
                          https://github.com/bibanon/Coreboot-ThinkPads/wiki/Hardware-Flashing-with-Raspberry-Pi

Modifying BIOS:
- Source: [BHZ7710H.86A] 05/17/2013 V0100 https://downloadcenter.intel.com/download/22814/BIOS-Update-BHZ7710H-86A-
- Instructions:
  * Followed, Worked: https://www.win-raid.com/t871f50-Guide-How-to-get-full-NVMe-support-for-all-Systems-with-an-AMI-UEFI-BIOS.html
  * Untried: https://www.overclock.net/forum/6-intel-motherboards/1571271-tutorial-how-add-nvme-support-any-ami-uefi-bios-intel-chipset.html



pi@~$ flashrom -c "MX25L6406E/MX25L6408E" -p linux_spi:dev=/dev/spidev0.0,spispeed=2000 -r original.bin
flashrom v1.0 on Linux 4.14.70-v7+ (armv7l)
Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found Macronix flash chip "MX25L6406E/MX25L6408E" (8192 kB, SPI) on linux_spi.
Reading flash... done.

pi@~$ md5sum original.bin
4caa66abdf964d93d7a673e6a0aae7e5 original.bin
4caa66abdf964d93d7a673e6a0aae7e5 original_verify.bin

pi@~$ md5sum nvmeflash.rom
67adeb213f6fc62774ecb39130fadcfe nvmeflash.rom

pi@~$ flashrom -c "MX25L6406E/MX25L6408E" -p linux_spi:dev=/dev/spidev0.0,spispeed=2000 -w nvmeflash.rom -V
flashrom v1.0 on Linux 4.14.70-v7+ (armv7l)
Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Initializing linux_spi programmer
Using device /dev/spidev0.0
Using 2000 kHz clock
The following protocols are supported: SPI.
Probing for Macronix MX25L6406E/MX25L6408E, 8192 kB: probe_spi_rdid_generic: id1 0xc2, id2 0x2017
Found Macronix flash chip "MX25L6406E/MX25L6408E" (8192 kB, SPI) on linux_spi.
Chip status register is 0x00.
Chip status register: Status Register Write Disable (SRWD, SRP, ...) is not set
Chip status register: Bit 6 is not set
Chip status register: Block Protect 3 (BP3) is not set
Chip status register: Block Protect 2 (BP2) is not set
Chip status register: Block Protect 1 (BP1) is not set
Chip status register: Block Protect 0 (BP0) is not set
Chip status register: Write Enable Latch (WEL) is not set
Chip status register: Write In Progress (WIP/BUSY) is not set
This chip may contain one-time programmable memory. flashrom cannot read
and may never be able to write it, hence it may not be able to completely
clone the contents of this chip (see man page for details).
Reading old flash chip contents... done.
Erasing and writing flash chip... Trying erase function 0.

pi@~$ flashrom -c "MX2flashrom -c "MX25L6406E/MX25L6408E" -p linux_spi:dev=/dev/spidev0.0,spispeed=2000 -r verify.rom

pi@~$ md5sum verify.rom
67adeb213f6fc62774ecb39130fadcfe verify.rom

2014-10-30

Dell UltraSharp U2212HM Power Consumption Table / Estimate

The Dell U2212HM's OSD menu shows a bar labeled "Energy Use" that goes from 1 (least watts) to 20 (most).  I wanted to see what the actual correlation was, so I broke out my kill-a-watt.   The simple testing method was to change the brightness from lowest to highest, which tracked with the energy use bar. (Aside: Setting the contrast almost to black results in a 1w decrease, even with brightness at 100%).

Monitor resolution was 1080x1920 (Portrait Mode), with Gmail open while changing brightness.  Values listed are average: there was an up to .8w variance from start of a bar to end. (For example, going from 3 bars to 4 showed 13.8, and right before going to 5 was 14.4)
Energy Use to Watt Correlation
Bars1234567891011121314151617181920
Watts (avg) 11.8 12.4 13.4 14.0 14.6 15.3 15.8 16.4 17.2 17.7 18.2 18.8 19.4 20.0 21.0 22.5 23.8 25.0 26.4 27.9
With a colorful video playing, at 20 bars energy use, the power consumption was around 26w.  Full screen open pdf of the manual (islands of black text on oceans of white) resulted in the highest consumption, at 28.1w*.  Dell's conservative value in the specs ('normal') is 30w; the kill-a-watt measurement supports this.

Based on an energy cost calculator, the yearly cost to leave this monitor on 24/7 at the highest observed energy use (28w) (.672 kWh/day) at 12 cent per kWh is $29.43/yr ($2.42/mo, $.08/day).  

Using 'good enough' brightness for me (15 bars)(21w) and assuming a more realistic 16 hour a day use (ignoring marathons of sexual transgression with the red bulls) gives .336 kWh/day, costing $.04/day, $1.21/mo, or $14.72 a year.   (x2 for its twin)

I remain opposed to running the numbers on the 27", at least, until I set up nircmd such that I'm turning all three off with a hotkey. 

*This doesn't account for using the USB or sound bar.

2014-07-31

Hardware FDE with Intel SSD 330 on Intel DH67BL Motherboard

To be able to make full use of the built-in AES encryption on the Intel SSD 330 with the Intel DH67BL desktop motherboard...
  1. Move BIOS block jumper to 'maintenance mode' position.
  2. Boot.
  3. Set hard drive password.
  4. Move BIOS block jumper back to normal position.
  5. Boot.
Notes:
  • To set a longer password than 13 characters, use hdat2 (mhdd seems to have a difficult time with AHCI, and since we're hotplugging...)- boot system without drive powered up, or, hard reset drive when in hdat2 and rescan, and then set password.  The BIOS prompt WILL allow entry of longer passwords, just not setting them. 
  • Removing a drive with a password set causes the option to set password in the BIOS security menu to disappear.  However, once maintenance mode has been entered and a password set, it seems from then on, hooking up a drive with a password set will work. (i.e., reattaching drive gets the initial password prompt on boot and menu entries in setup->security.)

That very simple procedure is the hard won wisdom from a week of exploring many much more difficult divergent tangents, since there's nothing in Intel's documentation about this, and Intel's own 'support' crew (Intel Community) apparently aren't familiar with it.

It might seem like a no brainer, and it should have been.

The BIOS prompt to set a hard drive password does not initially appear in 'normal' mode.

If you hook up a hard drive with a password set on it, the BIOS does not prompt for a password, and the prompt to set a hard drive password does not appear in the BIOS security tab.

The BIOS on this board sets SECURITY FREEZE LOCK and has no option to disable it, so just using mhdd/hdat2/victoria after boot every time isn't an option, nor is hacking out an .efi module. (hdat2 seems to be able to power off the drive; it doesn't reset it; hard resetting really seems to be the only way to do it.)   One can't simply use the atasx extension here --- the nasty frankenstein BIOS (it's even worse than an Insyde one, God help us all) is apparently signed, so even if you figured out how to force a PCI ROM module in it you wouldn't be able to flash it.

Finding the 'maintenance mode' was a lucky discovery; I'd found a tool which would sort of let me extract the .bio file (UEFITool), and trying to figure out how to modify the setup forms to display the menu items to allow setting the hdd password.  Donovan6000's blog, filled with astoundingly useful and indepth tutorials, and his Universal IFR Extractor, were instrumental in this.  However, his tool didn't actually parse the dumped VARSTORE data, which made it harder to pursue the solution I wanted to try before actually attempting to mod the BIOS: just change some nvram variables.  I forked his project to display the information, and make the correlation trivial, but, found the whole 'just set the damn jumper' thing prior to going any deeper.

So, for someone adventurous, in an EFI shell ( Tianocore --- I tried 'refind'; seriously gimped piece of crap; doesn't have any of the built-in help, and doesn't implement dmpstore -s or -l!) just try setting 3DD0DE67-02D7-4129-914A-9F377CC34B0D:IDESecDev:00 to 0x01 and save screwing with the jumper... or, perhaps, there are desktop boards out there with the capability but no jumper.

I did have a save of the nvram before and after 'enabling' the hdd password.  For handy reference for anyone who might care, here's what's different after:
Variable NV+RT+BS 'Efi:MonotonicCounter' DataSize = 4
- Seems to track boots; not relevant.

Variable NV+RT+BS 'A56074DB-65FE-45F7-BD21-2D2BDD8E9652:LegacyDevOrder' DataSize = A
  00000000: 02 00 00 00 06 00 11 00-12 00                    *..........*
Variable NV+RT+BS 'A56074DB-65FE-45F7-BD21-2D2BDD8E9652:LegacyDevChecksum' DataSize = 4
  00000000: 11 AC 12 6B                                      *...k*
to
Variable NV+RT+BS 'A56074DB-65FE-45F7-BD21-2D2BDD8E9652:LegacyDevOrder' DataSize = A
  00000000: 02 00 00 00 06 00 01 00-11 00                    *..........*
Variable NV+RT+BS 'A56074DB-65FE-45F7-BD21-2D2BDD8E9652:LegacyDevChecksum' DataSize = 4
  00000000: 01 15 11 6B                                      *...k*
Presumably that's part of the SSD being hooked up (wasn't for initial dump).

Variable NV+RT+BS '1B838190-4625-4EAD-ABC9-CD5E6AF18FE0:HiiDB' DataSize = 8
  00000000: 18 C0 8A DA 00 00 00 00-                         *........*
to
Variable NV+RT+BS '1B838190-4625-4EAD-ABC9-CD5E6AF18FE0:HiiDB' DataSize = 8
  00000000: 18 F0 8A DA 00 00 00 00-                         *........*

This looks like it might be related to displaying the setup menu item for hard drive passwords(?). HiiDB: UEFI HII (Part 4): Strings

Variable NV+RT+BS 'EC87D643-EBA4-4BB5-A1E5-3F3E36B20DA9:MaintenanceSetup' DataSize = 29D
  000000B0: 00 00 00 00 00 02 00 00-00 00 00 01 00 01 00 01  *................*
  000000C0: 00 01 00 01 00 00 00 01-00 00 00 00 00 00 00 00  *................*
  000000D0: 00 07 00 00 00 00 00 00-00 00 00 01 00 01 59 65  *..............Ye*
  000000E0: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  *................*
to: 
Variable NV+RT+BS 'EC87D643-EBA4-4BB5-A1E5-3F3E36B20DA9:MaintenanceSetup' DataSize = 29D
  000000B0: 00 00 00 00 00 00 00 00-00 00 00 01 00 01 00 01  *................*
  000000C0: 00 01 00 01 00 00 00 01-00 00 00 00 00 00 00 00  *................*
  000000D0: 00 07 00 00 00 00 00 00-00 00 00 01 00 01 00 61  *...............a*
  000000E0: 07 AC 00 00 00 00 00 00-00 00 00 00 00 00 00 00  *................*
Since these compares are after the jumper is in the normal position, then this may be relevant. 

Variable NV+RT+BS 'Efi:BootOrder' DataSize = 4
  00000000: 01 00 05 00                                      *....*
to
Variable NV+RT+BS 'Efi:BootOrder' DataSize = 4
  00000000: 01 00 02 00                                      *....*
Seems obvious and not relevant.

Variable NV+RT+BS 'EC87D643-EBA4-4BB5-A1E5-3F3E36B20DA9:Setup' DataSize = 29D
  000000A0: 00 00 00 01 00 20 00 00-00 00 00 01 00 00 00 00  *..... ..........*
  000000B0: 00 00 00 00 00 02 00 00-00 00 00 01 00 01 00 01  *................*
  000000C0: 00 01 00 01 00 00 00 01-00 00 00 00 00 00 00 00  *................*
  000000D0: 00 07 00 00 00 00 00 00-00 00 00 01 00 01 9D 9F  *................*
  000000E0: D6 98 00 00 00 00 00 00-00 00 00 00 00 00 00 00  *................*
to
Variable NV+RT+BS 'EC87D643-EBA4-4BB5-A1E5-3F3E36B20DA9:Setup' DataSize = 29D
  000000A0: 00 00 00 01 00 20 00 00-00 00 00 01 00 00 00 00  *..... ..........*
  000000B0: 00 00 00 00 00 00 00 00-00 00 00 01 00 01 00 01  *................*
  000000C0: 00 01 00 01 00 00 00 01-00 00 00 00 00 00 00 00  *................*
  000000D0: 00 07 00 00 00 00 00 00-00 00 00 01 00 01 EC FF  *................*
  000000E0: 2C 4A 00 00 00 00 00 00-00 00 00 00 00 00 00 00  *,J..............*

And for the truly masochistic, here's the relevant(?) form dump (something to pursue might be seeing if the password's actually stored in the nvram when set from the BIOS...):
Form Set: Security {0E 24 43 D6 87 EC A4 EB B5 4B A1 E5 3F 3E 36 B2 0D A9 A5 03 DD 04 00 00 00 00 00 00 00 00 04 00 00 00 9D 02}
0x40FD2 Variable Store (32): {24 20}
Name: [ IDESecDev ] {49 44 45 53 65 63 44 65 76 00}
GUID: [ 3DD0DE67-02D7-4129-914A-9F377CC34B0D ] {67 DE D0 3D D7 02 29 41 91 4A 9F 37 7C C3 4B 0D}
  ID: [ 0xF015 ] {15 F0}
Size: [ 144 ] {90 00}
0x40FF2 Form: Security, Form ID: 0x4 {01 06 04 00 A5 03}
0x40FF8 Suppress If: {0A 03 00}
0x40FFB Variable 0x3B[2] equals 0x0 {12 07 3B 00 02 00 00}
0x41002 Not {17 02}
0x41004 Text: Supervisor Password :  {03 0B 20 00 B7 03 B9 03 00 00 00}
0x4100F End If {18 02}
0x41011 Suppress If: {0A 03 00}
0x41014 Variable 0x3B[2] equals 0x0 {12 07 3B 00 02 00 00}
0x4101B Text: Supervisor Password :  {03 0B 20 00 B7 03 BB 03 00 00 00}
0x41026 End If {18 02}
0x41028 Suppress If: {0A 03 00}
0x4102B Variable 0x13[2] equals 0x0 {12 07 13 00 02 00 00}
0x41032 Not {17 02}
0x41034 Text: User Password :  {03 0B 20 00 B8 03 BA 03 00 00 00}
0x4103F End If {18 02}
0x41041 Suppress If: {0A 03 00}
0x41044 Variable 0x13[2] equals 0x0 {12 07 13 00 02 00 00}
0x4104B Text: User Password :  {03 0B 20 00 B8 03 BC 03 00 00 00}
0x41056 End If {18 02}
0x41058 Suppress If: {0A 03 00}
0x4105B Variable Store Select: 0xF015 {25 04 15 F0}
0x4105F Variable 0xC[2] equals value in list (0x0) {14 09 0C 00 02 01 00 00 00}
0x41068 Variable 0x0[2] equals value in list (0x0) {14 09 00 00 02 01 00 00 00}
0x41071 Variable Store Select: 0x0 {25 04 00 00}
0x41075 Variable 0xB5[1] equals value in list (0x1) {14 09 B5 00 01 01 00 01 00}
0x4107E Or {16 02}
0x41080 Or {16 02}
0x41082 Text: Master Key Hard Disk Drive Password : {03 0B 04 00 97 04 BB 03 00 00 00}
0x4108D End If {18 02}
0x4108F Suppress If: {0A 03 00}
0x41092 Variable Store Select: 0xF015 {25 04 15 F0}
0x41096 Variable 0xC[2] equals value in list (0x1) {14 09 0C 00 02 01 00 01 00}
0x4109F Variable 0x0[2] equals value in list (0x0) {14 09 00 00 02 01 00 00 00}
0x410A8 Variable Store Select: 0x0 {25 04 00 00}
0x410AC Variable 0xB5[1] equals value in list (0x1) {14 09 B5 00 01 01 00 01 00}
0x410B5 Or {16 02}
0x410B7 Or {16 02}
0x410B9 Text: Master Key Hard Disk Drive Password : {03 0B 04 00 97 04 B9 03 00 00 00}
0x410C4 End If {18 02}
0x410C6 Suppress If: {0A 03 00}
0x410C9 Variable Store Select: 0xF015 {25 04 15 F0}
0x410CD Variable 0xA[2] equals value in list (0x0) {14 09 0A 00 02 01 00 00 00}
0x410D6 Variable 0x0[2] equals value in list (0x0) {14 09 00 00 02 01 00 00 00}
0x410DF Variable Store Select: 0x0 {25 04 00 00}
0x410E3 Variable 0xB5[1] equals value in list (0x1) {14 09 B5 00 01 01 00 01 00}
0x410EC Or {16 02}
0x410EE Or {16 02}
0x410F0 Text: Hard Disk Drive Password : {03 0B 04 00 96 04 BB 03 00 00 00}
0x410FB End If {18 02}
0x410FD Suppress If: {0A 03 00}
0x41100 Variable Store Select: 0xF015 {25 04 15 F0}
0x41104 Variable 0xA[2] equals value in list (0x1) {14 09 0A 00 02 01 00 01 00}
0x4110D Variable 0x0[2] equals value in list (0x0) {14 09 00 00 02 01 00 00 00}
0x41116 Variable Store Select: 0x0 {25 04 00 00}
0x4111A Variable 0xB5[1] equals value in list (0x1) {14 09 B5 00 01 01 00 01 00}
0x41123 Or {16 02}
0x41125 Or {16 02}
0x41127 Text: Hard Disk Drive Password : {03 0B 04 00 96 04 B9 03 00 00 00}
0x41132 End If {18 02}
0x41134 Subtitle:  {02 04 20 00}
0x41138 Suppress If: {0A 03 00}
0x4113B Variable 0x41 equals 0x1 {22 06 41 00 01 00}
0x41141 Variable 0x41 equals 0x2 {22 06 41 00 02 00}
0x41147 Or {16 02}
0x41149 Password: Set Supervisor Password, Variable: 0x3B[40] {08 10 3B 00 28 A8 03 A9 03 04 00 10 02 14 01 00}
0x41159 End If {18 02}
0x4115B Grayout If: {19 03 00}
0x4115E Variable 0x42 equals 0x1 {22 06 42 00 01 00}
0x41164 Password: Set User Password, Variable: 0x13[40] {08 10 13 00 28 A6 03 A7 03 04 01 10 02 14 01 00}
0x41174 End If {18 02}
0x41176 Grayout If: {19 03 00}
0x41179 Variable 0x42 equals 0x1 {22 06 42 00 01 00}
0x4117F Suppress If: {0A 03 00}
0x41182 Variable 0x13[2] equals 0x0 {12 07 13 00 02 00 00}
0x41189 Selectable: Clear User Password, Form ID: 0x4 {0F 0B 04 00 AC 03 AD 03 04 04 10}
0x41194 End If0x41194 End If {18 02}
0x41196 Grayout If: {19 03 00}
0x41199 Variable 0x21E[1] equals 0x2 {12 07 1E 02 01 02 00}
0x411A0 Variable 0x41 equals 0x1 {22 06 41 00 01 00}
0x411A6 Or {16 02}
0x411A8 Suppress If: {0A 03 00}
0x411AB Variable 0x21E[1] equals 0x1 {12 07 1E 02 01 01 00}
0x411B2 Variable 0x41 equals 0x2 {22 06 41 00 02 00}
0x411B8 Variable 0x3B[2] equals 0x0 {12 07 3B 00 02 00 00}
0x411BF Or {16 02}
0x411C1 Or {16 02}
0x411C3 Setting: User Access Level, Variable: 0x21D[1] {05 09 1D 02 01 BD 03 BE 03}
0x411CC Option: No Access, Value: 0x0 {09 09 BF 03 00 00 10 00 00}
0x411D5 Option: View Only, Value: 0x1 {09 09 C0 03 01 00 13 00 00}
0x411DE Option: Limited, Value: 0x2 {09 09 C1 03 02 00 10 00 00}
0x411E7 Option: Full Access, Value: 0x3 {09 09 C2 03 03 00 10 00 00}
0x411F0 End of Options {10 02}
0x411F2 End If0x411F2 End If {18 02}
0x411F4 Subtitle:  {02 04 20 00}
0x411F8 Suppress If: {0A 03 00}
0x411FB Variable Store Select: 0xF015 {25 04 15 F0}
0x411FF Variable 0x0[2] equals 0x0 {12 07 00 00 02 00 00}
0x41206 Variable Store Select: 0x0 {25 04 00 00}
0x4120A Variable 0xB5[1] equals 0x1 {12 07 B5 00 01 01 00}
0x41211 Or {16 02}
0x41213 Grayout If: {19 03 00}
0x41216 Variable Store Select: 0xF015 {25 04 15 F0}
0x4121A Variable 0xE[2] equals 0x0 {12 07 0E 00 02 00 00}
0x41221 Variable 0x41 equals 0x1 {22 06 41 00 01 00}
0x41227 Or {16 02}
0x41229 Password: Set Master Key Hard Disk Drive Password, Variable: 0x50[64] {08 10 50 00 40 9B 04 9C 04 00 00 00 02 20 01 00}
0x41239 End If0x41239 End If {18 02}
0x4123B Suppress If: {0A 03 00}
0x4123E Variable 0x0[2] equals 0x0 {12 07 00 00 02 00 00}
0x41245 Variable Store Select: 0x0 {25 04 00 00}
0x41249 Variable 0xB5[1] equals 0x1 {12 07 B5 00 01 01 00}
0x41250 Or {16 02}
0x41252 Grayout If: {19 03 00}
0x41255 Variable 0x41 equals 0x1 {22 06 41 00 01 00}
0x4125B Variable Store Select: 0xF015 {25 04 15 F0}
0x4125F Password: Set Hard Disk Drive Password, Variable: 0x10[64] {08 10 10 00 40 99 04 9A 04 04 40 10 02 20 01 00}
0x4126F End If0x4126F End If {18 02}
0x41271 Subtitle:  {02 04 20 00}
0x41275 Grayout If: {19 03 00}
0x41278 Variable Store Select: 0x0 {25 04 00 00}
0x4127C Variable 0x220[1] equals 0x2 {12 07 20 02 01 02 00}
0x41283 Variable 0x41 equals 0x1 {22 06 41 00 01 00}
0x41289 Or {16 02}
0x4128B Suppress If: {0A 03 00}
0x4128E Variable 0x220[1] equals 0x1 {12 07 20 02 01 01 00}
0x41295 Setting: Chassis Intrusion, Variable: 0x21F[1] {05 09 1F 02 01 C3 03 C5 03}
0x4129E Option: Disable, Value: 0x0 {09 09 E6 00 00 00 10 00 00}
0x412A7 Option: Log Only, Value: 0x1 {09 09 90 04 01 00 13 00 00}
0x412B0 Option: Pause POST, Value: 0x2 {09 09 C4 03 02 00 10 00 00}
0x412B9 End of Options {10 02}
0x412BB End If0x412BB End If {18 02}
0x412BD Grayout If: {19 03 00}
0x412C0 Variable 0x222[1] equals 0x2 {12 07 22 02 01 02 00}
0x412C7 Variable 0x41 equals 0x1 {22 06 41 00 01 00}
0x412CD Or {16 02}
0x412CF Suppress If: {0A 03 00}
0x412D2 Variable 0x222[1] equals 0x1 {12 07 22 02 01 01 00}
0x412D9 Variable 0x4E equals 0x0 {22 06 4E 00 00 00}
0x412DF Or {16 02}
0x412E1 Setting: Execute Disable Bit, Variable: 0x221[1] {05 09 21 02 01 C7 03 C8 03}
0x412EA Option: Disable, Value: 0x0 {09 09 E6 00 00 00 10 00 00}
0x412F3 Option: Enable, Value: 0x1 {09 09 E5 00 01 00 13 00 00}
0x412FC End of Options {10 02}
0x412FE End If0x412FE End If {18 02}
0x41300 Grayout If: {19 03 00}
0x41303 Variable 0x224[1] equals 0x2 {12 07 24 02 01 02 00}
0x4130A Variable 0x41 equals 0x1 {22 06 41 00 01 00}
0x41310 Or {16 02}
0x41312 Suppress If: {0A 03 00}
0x41315 Variable 0x224[1] equals 0x1 {12 07 24 02 01 01 00}
0x4131C Variable 0x6C equals 0x0 {22 06 6C 00 00 00}
0x41322 Or {16 02}
0x41324 Setting: Intel® Virtualization Technology, Variable: 0x223[1] {05 09 23 02 01 AE 03 AF 03}
0x4132D Option: Disable, Value: 0x0 {09 09 E6 00 00 00 10 00 00}
0x41336 Option: Enable, Value: 0x1 {09 09 E5 00 01 00 13 00 00}
0x4133F End of Options {10 02}
0x41341 End If0x41341 End If {18 02}
0x41343 End Form {0B 02}
0x41345 End Form Set {0D 02}

References (Link Dump):

  1. http://vxlabs.com/2012/12/22/ssds-with-usable-built-in-hardware-based-full-disk-encryption/
  2. http://ark.intel.com/products/67288/Intel-SSD-330-Series-180GB-SATA-6Gbs-25nm-MLC
  3. http://www.intel.com/p/en_US/support/highlights/ssdc/ssd-330
  4. http://www.intel.com/content/www/us/en/motherboards/desktop-motherboards/desktop-board-dh67bl.html
  5. https://communities.intel.com/thread/53404
  6. http://www.intel.com/support/ssdc/hpssd/sb/CS-034543.htm
  7. https://github.com/NikolajSchlej/UEFITool
  8. http://donovan6000.blogspot.com/2014/02/universal-ifr-extractor.html
  9. http://wiki.phoenix.com/wiki/index.php/EFI_IFR_VARSTORE
  10. http://uefidk.intel.com/blog/accessing-uefi-variables-linux
  11. https://github.com/sstahlman/Universal-IFR-Extractor/releases/tag/v0.6.1a
  12. http://www.thepromisedlan.org/archives/tag/firmware
  13. https://svn.code.sf.net/p/edk2/code/trunk/edk2/EdkShellBinPkg/FullShell/X64/Shell_Full.efi
  14. http://uefi.blogspot.com/2009/10/uefi-hii-part-4-strings.html