explaingit

zer0condition/x670e-tomahawk-anticheat-update

12Audience · researcherComplexity · 4/5ActiveSetup · easy

TLDR

Technical writeup that reverse-engineers the March 2026 MSI X670E TOMAHAWK BIOS v1KB and shows the two pre-boot changes behind its advertised anti-cheat fix.

Mindmap

mindmap
  root((x670e-tomahawk-anticheat-update))
    Inputs
      MSI BIOS v1KA
      MSI BIOS v1KB
      UEFI module diffs
    Outputs
      Diff analysis
      Bds patch explanation
      DxeCore NX bitmask change
    Use Cases
      Understand the anti-cheat patch
      Decide whether to flash
      Learn UEFI option ROM tricks
    Tech Stack
      UEFI
      x86
      Reverse engineering

Things people build with this

USE CASE 1

Understand exactly what MSI changed in the X670E TOMAHAWK v1KB BIOS update

USE CASE 2

Decide whether to flash v1KB based on the risk analysis in the writeup

USE CASE 3

Learn how UEFI option ROM stripping blocks FPGA-based DMA cheat hardware

Tech stack

UEFIx86

Getting it running

Difficulty · easy Time to first run · 5min

There is nothing to install; the repo is a markdown writeup so reading the README is the entire deliverable.

In plain English

This repository is a writeup, not a tool. The author takes a recent BIOS update from MSI for the MAG X670E TOMAHAWK WIFI motherboard, called v1KB and dated March 2026, which MSI advertised in its release notes with the line about an anti-cheat mechanism. The README is the result of opening up the new BIOS file, comparing it against the previous version v1KA, and explaining exactly what changed. The short answer is that only two small things changed in the pre-boot code that runs before the operating system starts. MSI did not add a new driver, a new system management handler, or any new piece that the operating system can talk to. Both changes live in early UEFI firmware modules called Bds and DxeCore. The first change adds 52 bytes to the Bds module. During the part of boot where the firmware lists all the PCI devices on the board, the new code clears one specific attribute bit on each device, the EMBEDDED_ROM bit. PCI devices can advertise their own small option ROM, which is firmware code that the system runs during boot. By stripping that bit, MSI prevents any plugged-in PCI card from injecting its option ROM into the boot process. The author notes that some hardware cheating devices, particularly FPGA boards that perform direct memory access tricks, rely on this option ROM behaviour, so this is most likely the route MSI is closing, although MSI itself has not said so. The second change is a single tweaked number in DxeCore that controls the no-execute, or NX, policy for different categories of memory during boot. The bitmask goes from 0x4FD5 to 0x4F41. In practice this removes NX protection from three memory types: EfiLoaderData, EfiBootServicesData, and EfiConventionalMemory. That is the opposite of hardening, since it lets code run from memory regions that were previously marked as data only. The author guesses this is either a compatibility patch for a new pre-boot component or a workaround for a regression from the AMD AGESA firmware update. The writeup ends with a risk note. Both changes only run once during boot. There is no new code path that a driver running inside Windows or Linux can reach after the operating system starts. The author concludes the update is safe to flash.

Copy-paste prompts

Prompt 1
Explain the EMBEDDED_ROM bit clear in the Bds module of MSI BIOS v1KB and why it blocks PCI option ROM cheats
Prompt 2
Walk me through the DxeCore NX bitmask change from 0x4FD5 to 0x4F41 and which memory types lose NX
Prompt 3
Summarize for a non-RE engineer whether the X670E TOMAHAWK v1KB update is safe to flash
Prompt 4
Show me how I could reproduce this BIOS diff using UEFITool and Ghidra on the v1KA and v1KB images
Open on GitHub → Explain another repo

Generated 2026-05-22 · Model: sonnet-4-6 · Verify against the repo before relying on details.