[REQUEST] ASUS TUF A15 FA506IV BIOS Unlock
#41
(06-28-2021, 12:25 PM)Sml6397 Wrote: Hello KnoxMe,

Thank you for your continued patience with this! Hopefully soon you'll have access to not only the CBS Menu, but also the Chipset Menu.

I have prepared another mod for the Chipset Menu. This mod involves edits to the AMITSESetupData module that change the required access level for the chipset menu to "USER" instead of "DEFAULT". Let me know how this flash goes!


The rest of this post is an informational reference containing the details of the mod. You can skip over this if you wish or read it if you want to know what is going on behind the scenes. :)

0x19921 Form: Chipset, Form ID: 0x2713 {01 86 13 27 1E 00}

The last two bracketed bytes (1E 00) in the line above appear in AMITSESetupData for each menu and sub-menu (these bytes will be different for different menus and sub-menus, of course). This line was taken from the IFR text given from donovan6000's Universal IFR Extractor run on the Setup module extracted from the UEFI image using UEFITool.


1E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
04 00 00 00 00 00 00 00 01 00 01 00 31 00 00 00
01 00 00 00 02 00 00 00 04 00 01 00 66 07 00 00

The code segment above is 0x30 bytes long and occurs at offset 0x2120 in the extracted AMITSESetupData module. As you can see, "1E 00" are the first two bytes. This code segment corresponds to the Chipset Menu. The first byte in the third row "01" controls which access level is assigned to the menu/sub-menu defined by the first two bytes "1E 00" (in this case, the Chipset Menu).

"01" represents an access level of "Default". I think the "Default" access level is defined someplace elsewhere in the BIOS image. I'm not sure how to edit that, but that is unnecessary (in theory). We can change "01" to "05" to set the access level to "User", which I believe is the access level you have when you enter your BIOS Setup Utility.

Based on what shows up in the AMITSE and Setup modules I believe that, unless there is some lock hidden somewhere I haven't yet looked, this access level lock is the only thing hiding the Chipset Menu.
Report about the latest BIOS: nothing is being exposed again, just like a stock BIOS. Do you need a dump of the flashed modded BIOS to check something?
#42
That's a good idea, actually. Could you upload a dump of the modded BIOS? If the BIOS chip isn't being erased properly before the modded BIOS flash, then unerased regions could be skipped in programming.

!!!!!PLEASE READ!!!!!! Our Ukrainian friends are undergoing atrocities right now and need support. There are two things you can do for starters:

1.) Donate to one of various organizations offering medical, military, and psychological support to those impacted: Support Organizations

2.) Combat misinformation on social media. 

Also, please feel free to PM me if I have not replied again about your BIOS mod request after 5 days.
#43
(06-28-2021, 02:18 PM)Sml6397 Wrote: That's a good idea, actually. Could you upload a dump of the modded BIOS? If the BIOS chip isn't being erased properly before the modded BIOS flash, then unerased regions could be skipped in programming.
I would like to, but my crappy clipper doesn't allow it now. I can't get a good grip on the chip now.
#44
(06-28-2021, 02:18 PM)Sml6397 Wrote: That's a good idea, actually. Could you upload a dump of the modded BIOS? If the BIOS chip isn't being erased properly before the modded BIOS flash, then unerased regions could be skipped in programming.
Is there a command in AFUWin that allows an unsecured (modded) BIOS to be flashed?
#45
I had this same issue. I eventually had to purchase the Pomona 5250 clip. It gets a really good connection to the chip every time in my experience and is the one BDMaster recommended to me. This is the one I purchased: https://www.amazon.com/CPT-063-Test-Clip...w?dchild=1&keywords=CPT-063+Test+Clip+SOIC8+Pomona+5250&qid=1624914166&s=industrial&sbo=RZvfv%2F%2FHxDF%2BO5021pAnSA%3D%3D&sr=1-3

You may be able to find it elsewhere for less or even with a neat ribbon cable already attached.

Note that you will either need to solder the old wires to the new clip or you will need to purchase 8 female-to-female jumper cables (I recommend 40+ cm). They often come in packs of 40, 80, or more. I didn't have the proper number of these cables, so I had to improvise, as can be seen in the attachment to this post.


Could you try getting a backup from AFUWIN or AFUDOS? This would work too and would allow me to verify that the flashes are working correctly (I imagine they are but you bring up a good point that would be nice to clarify).

Until then, I will go back to the drawing board. I may have to disassemble some of the modules and figure out what is happening. My experience with this is somewhat limited and I am not even sure if my Ghidra disassembler is configured correctly right now, so the next mod might take a little longer than the others.


--Reference info that you can skip over if you wish--

There are many repeated lists of the BIOS menu IDs in the AMITSE module. Maybe some of those lists are subject to certain checks that are elsewhere in the image that might disable certain menus. This differs from a lot of other AMI Aptio V images, however, as normally I would expect there to be one or more lists of exclusively disabled menus and one or more lists of exclusively enabled menus, not a bunch of copies of lists containing all menus... If by exploring the assembly language code I can figure out which of these lists are subject to checks - if any - I can simply remove the Form ID of the Chipset Menu from that list.

Here's an example of one such listing:
4A 10 59 7B 0D C0 58 41 87 FF F0 4D 63 96 A9 15 *11 27* 00 00 07 10 00 00
4A 10 59 7B 0D C0 58 41 87 FF F0 4D 63 96 A9 15 *12 27* 00 00 08 10 00 00
4A 10 59 7B 0D C0 58 41 87 FF F0 4D 63 96 A9 15 *13 27* 00 00 09 10 00 00
4A 10 59 7B 0D C0 58 41 87 FF F0 4D 63 96 A9 15 *15 27* 00 00 0A 10 00 00
4A 10 59 7B 0D C0 58 41 87 FF F0 4D 63 96 A9 15 *14 27* 00 00 0B 10 00 00
4A 10 59 7B 0D C0 58 41 87 FF F0 4D 63 96 A9 15 *16 27* 00 00 0C 10 00 00

11 27 = Main, 12 27 = Advanced, 13 37 = Chipset, 15 57 = Boot, 14 27 = Security, 16 27 = Save & Exit

Offsets that may be of interest to disassemble in AMITSE are 0x373B8 (starts with 11 27 - may be useful figuring out what visible menu code looks like) and 0xF02F5 (starts with 13 27 - might help figure out what the hidden Chipset menu code looks like).

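An added example, not code from the thread: a parser for the 24-byte rows in the listing above that finds every record starting with the same 16-byte prefix and groups back-to-back records, so the repeated copies of the menu list can be told apart by offset. Treating the prefix as a little-endian GUID, the record layout, the function names and the two-copy sample blob are assumptions built from the six quoted rows.

```python
import struct
import uuid

# The six 24-byte rows quoted in the post.
ROWS = bytes.fromhex("""
4A 10 59 7B 0D C0 58 41 87 FF F0 4D 63 96 A9 15 11 27 00 00 07 10 00 00
4A 10 59 7B 0D C0 58 41 87 FF F0 4D 63 96 A9 15 12 27 00 00 08 10 00 00
4A 10 59 7B 0D C0 58 41 87 FF F0 4D 63 96 A9 15 13 27 00 00 09 10 00 00
4A 10 59 7B 0D C0 58 41 87 FF F0 4D 63 96 A9 15 15 27 00 00 0A 10 00 00
4A 10 59 7B 0D C0 58 41 87 FF F0 4D 63 96 A9 15 14 27 00 00 0B 10 00 00
4A 10 59 7B 0D C0 58 41 87 FF F0 4D 63 96 A9 15 16 27 00 00 0C 10 00 00
""")
# Constructed stand-in for an extracted module: two copies of the list plus filler.
SAMPLE = b"\xAA" * 5 + ROWS + b"\x00" * 8 + ROWS + b"\x55" * 3
GUID_LE = ROWS[:16]
# Assumed layout (not documented on the page): GUID, form ID, pad, unnamed field, pad.
RECORD = struct.Struct("<16sHHHH")
# Menu names from the thread, matched to the listing by row order.
FORM_NAMES = {0x2711: "Main", 0x2712: "Advanced", 0x2713: "Chipset",
              0x2715: "Boot", 0x2714: "Security", 0x2716: "Save & Exit"}

def find_form_records(blob, guid_le=GUID_LE):
    """Return (offset, guid, form_id, field) for every complete record in blob."""
    hits, pos = [], blob.find(guid_le)
    while pos != -1 and pos + RECORD.size <= len(blob):
        raw_guid, form_id, _pad1, field, _pad2 = RECORD.unpack_from(blob, pos)
        hits.append((pos, uuid.UUID(bytes_le=raw_guid), form_id, field))
        pos = blob.find(guid_le, pos + 1)
    return hits

def group_lists(hits):
    """Split hits into runs of back-to-back records; one run is one copy of the list."""
    runs = []
    for hit in hits:
        if runs and hit[0] == runs[-1][-1][0] + RECORD.size:
            runs[-1].append(hit)
        else:
            runs.append([hit])
    return runs

def lists_with(runs, form_id):
    """Start offsets of the lists that contain form_id."""
    return [run[0][0] for run in runs if any(h[2] == form_id for h in run)]

if __name__ == "__main__":
    for run in group_lists(find_form_records(SAMPLE)):
        ids = ", ".join(f"{FORM_NAMES.get(h[2], '?')}=0x{h[2]:04X}" for h in run)
        print(f"list @ 0x{run[0][0]:X} guid={run[0][1]}: {ids}")
```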
#46
(06-28-2021, 03:55 PM)KnoxMe Wrote:
(06-28-2021, 02:18 PM)Sml6397 Wrote: That's a good idea, actually. Could you upload a dump of the modded BIOS? If the BIOS chip isn't being erased properly before the modded BIOS flash, then unerased regions could be skipped in programming.
Is there a command in AFUWin that allows an unsecured (modded) BIOS to be flashed?

Didn't see this post before my previous reply. This goes into territory I am less experienced in, but if you can try it and give me the error code, we may be able to remove flash locks in the way through RU.EFI. First try getting a backup though. That way we can verify that the hardware programmer is working properly (i.e., it is erasing first then writing).

I cannot guarantee that an AFU flash will not result in a brick. The AFU flash would probably fail to even execute if the BIOS image is not in the right format. I'm not sure if your notebook expects BIOS updates to be delivered through an AMI Aptio Capsule yet.

With the SPI programmer, we can directly write to the chip, so we can write whatever we want to it as long as it is exactly 16MB.

#47
(06-28-2021, 04:09 PM)Sml6397 Wrote:
(06-28-2021, 03:55 PM)KnoxMe Wrote:
(06-28-2021, 02:18 PM)Sml6397 Wrote: That's a good idea, actually. Could you upload a dump of the modded BIOS? If the BIOS chip isn't being erased properly before the modded BIOS flash, then unerased regions could be skipped in programming.
Is there a command in AFUWin that allows an unsecured (modded) BIOS to be flashed?

Didn't see this post before my previous reply. This goes into territory I am less experienced in, but if you can try it and give me the error code, we may be able to remove flash locks in the way through RU.EFI. First try getting a backup though. That way we can verify that the hardware programmer is working properly (i.e., it is erasing first then writing).

I cannot guarantee that an AFU flash will not result in a brick. The AFU flash would probably fail to even execute if the BIOS image is not in the right format. I'm not sure if your notebook expects BIOS updates to be delivered through an AMI Aptio Capsule yet.

With the SPI programmer, we can directly write to the chip, so we can write whatever we want to it as long as it is exactly 16MB.

Finally, I use brute strength to keep the clipper on the chip (quite a pain). The file is uploaded to Google Drive; the file name is dxd.rom
#48
(06-28-2021, 04:18 PM)KnoxMe Wrote: Finally, I use brute strength to keep the clipper on the chip (quite a pain). The file is uploaded to Google Drive; the file name is dxd.rom

Thanks! I can say for sure that the SPI flash is working properly. This comparison allowed me to discover that there is only one module that changes between reboots (or at least between reboots with no OS re-installations or BIOS setting changes occurring). In this image, the GUID of this module is CEF5B9A3-476D-497F-9FDC-E98143E0422C. More importantly, the name of it is "NVAR Store". It looks like this might be the table that contains some or all of the UEFI variables that can be edited in RU.EFI to change settings without a BIOS mod (see the attachment). I still need to investigate this before I can say for sure that this module stores the UEFI variables. I will check this on my test machine at a later time.

Anyways, I will go back to the drawing board and see if I can get my disassembler working properly and then figure out what is going on in the image that could be hiding the Chipset Menu.


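An added example, not code from the thread: the kind of dump comparison this post describes, checking that each image is the 16MB size the thread gives and then labelling every sector where the readback differs from the intended image as stale (old contents survived), blank (erased but never programmed) or modified (rewritten afterwards, as a variable store would be). The 4 KiB sector size, the function names and the small sample images are assumptions constructed for illustration.

```python
SPI_SIZE = 16 * 1024 * 1024  # image size given in the thread
SECTOR = 4096                # assumed erase granularity, not stated in the thread

def classify_readback(before, intended, readback, size=SPI_SIZE):
    """Map sector offset -> 'stale' | 'blank' | 'modified' where readback != intended."""
    for name, img in (("before", before), ("intended", intended), ("readback", readback)):
        if len(img) != size:
            raise ValueError(f"{name} image is {len(img)} bytes, expected {size}")
    report = {}
    for off in range(0, size, SECTOR):
        want, got = intended[off:off + SECTOR], readback[off:off + SECTOR]
        if want == got:
            continue
        if got == before[off:off + SECTOR]:
            report[off] = "stale"      # old data still there: sector was not rewritten
        elif got.count(0xFF) == len(got):
            report[off] = "blank"      # erased, never programmed
        else:
            report[off] = "modified"   # changed after the flash
    return report

def flash_ok(report, volatile=()):
    """True if every differing sector is 'modified' inside a volatile (start, end) range."""
    return all(kind == "modified" and any(s <= off < e for s, e in volatile)
               for off, kind in report.items())

def sample_images(size=8 * SECTOR):
    """Constructed images: sector 2 carries the mod, sector 5 plays the variable store."""
    before = bytearray(bytes(range(256)) * (size // 256))
    intended = bytearray(before)
    intended[2 * SECTOR + 0x120] = 0x05                          # one-byte mod
    good = bytearray(intended)
    good[5 * SECTOR:5 * SECTOR + 4] = b"NVAR"                    # variable written at boot
    bad = bytearray(good)
    bad[2 * SECTOR:3 * SECTOR] = before[2 * SECTOR:3 * SECTOR]   # write was skipped
    bad[6 * SECTOR:7 * SECTOR] = b"\xFF" * SECTOR                # erased only
    return bytes(before), bytes(intended), bytes(good), bytes(bad)

if __name__ == "__main__":
    before, intended, good, bad = sample_images()
    store = [(5 * SECTOR, 6 * SECTOR)]  # hypothetical variable-store range
    for label, image in (("good", good), ("bad", bad)):
        rep = classify_readback(before, intended, image, size=len(image))
        print(label, {hex(k): v for k, v in rep.items()}, "ok" if flash_ok(rep, store) else "FAILED")
```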
#49
Here is a preview of the Chipset Menu to give you something to look forward to! :)

The left pane contains the sub-menus in the Chipset Menu. The right pane contains the settings just in the Graphics Configuration sub-menu.


#50
(06-28-2021, 04:38 PM)Sml6397 Wrote:
(06-28-2021, 04:18 PM)KnoxMe Wrote: Finally, I use brute strength to keep the clipper on the chip (quite a pain). The file is uploaded to Google Drive; the file name is dxd.rom

Thanks! I can say for sure that the SPI flash is working properly. This comparison allowed me to discover that there is only one module that changes between reboots (or at least between reboots with no OS re-installations or BIOS setting changes occurring). In this image, the GUID of this module is CEF5B9A3-476D-497F-9FDC-E98143E0422C. More importantly, the name of it is "NVAR Store". It looks like this might be the table that contains some or all of the UEFI variables that can be edited in RU.EFI to change settings without a BIOS mod (see the attachment). I still need to investigate this before I can say for sure that this module stores the UEFI variables. I will check this on my test machine at a later time.

Anyways, I will go back to the drawing board and see if I can get my disassembler working properly and then figure out what is going on in the image that could be hiding the Chipset Menu.

Thanks, it'll be long for sure, for me to receive the Pomona clipper.

I've ordered one on AliExpress.