[REQUEST] Acer Predator Helios 300 PH317-53 BIOS Unlock
#11
(04-06-2021, 06:42 PM)Littlefreya Wrote: Did it work? I have the same notebook and want to unlock the advanced menu, please help
Hi
ALL mods are personal!
Need your bios dump only
Check your PM
#12
We are proud to show you users a little guide to modifying your BIOS (an SPI programmer with a Pomona clip would be useful):

First of all, using Andy's PhoenixTool or CodeRush's UEFITool, you have to open your BIOS backup and extract the "Setup"
(SetupUtility) module (FE3542FE-C1D3-4EF8-657C-8048606FF670_902.ROM or Section_PE32_image_DriverSampleDxe_SetupUtility_body.efi).
I will explain everything if you reply to this post!

Using Donovan6k's tool, UniversalIFRextractor.exe, you'll get the SetupUtility IFR txt, which contains useful information like this:

Form Sets
--------------------------------------------------------------------------------
Offset: Title:
--------------------------------------------------------------------------------
0x93694 Debug (0x1436 from string package 0x4)
0x97E94 Advanced (0x144E from string package 0x4)
0xB9474 Power (0x1509 from string package 0x4)
0xC96F4 Security (0x39 from string package 0x4)
0xCAFD4 Information (0xFF from string package 0x4)
0xCC2A4 Main (0x5 from string package 0x4)
0xCD8C4 Advanced (0x100 from string package 0x4)
0xCF414 Security (0x39 from string package 0x4)
0xD0C04 Boot (0x59 from string package 0x4)
0xD1ED4 Exit (0x90 from string package 0x4)

These are the modifications to unlock the Advanced, Power, etc. tabs, which we can get using IDA Pro ...

090A : 74 70 to 74 00

0942 : 74 38 to 74 00

097A : 75 20 to EB 20


How to unlock EEPROM write protect (Intel Insyde BIOS can use H2OUVE, but it is not for AMD, so there we can try the RU EFI tool):

0xA125E Setting: Flash Protection Range Registers (FPRR), Variable: 0x612 {05 91 23 0D 24 0D 03 03 05 00 12 06 10 10 00 01 00}
0xA126F Option: Disabled, Value: 0x0 {09 07 04 00 00 00 00}
0xA1276 Option: Enabled, Value: 0x1 {09 07 03 00 30 00 01}
0xA127D End of Options {29 02}

0xACDCE Variable 0x5F equals value in list (0x1) {14 08 5F 00 01 00 01 00}
0xACDD6 Setting: BIOS Lock, Variable: 0x17 {05 91 25 05 26 05 79 07 05 00 17 00 10 10 00 01 00}
0xACDE7 Option: Disabled, Value: 0x0 {09 07 04 00 00 00 00}
0xACDEE Option: Enabled, Value: 0x1 {09 07 03 00 30 00 01}
0xACDF5 End of Options {29 02}
0xACDF7 End If {29 02}

0xA0A9F Form: PCH-IO Configuration, Form ID: 0x102F {01 86 2F 10 89 04}
0xA0AA5 Subtitle: PCH-IO Configuration {02 87 89 04 00 00 00}
0xA0AAC End {29 02}
0xA0AAE Subtitle: {02 87 02 00 00 00 00}
0xA0AB5 End {29 02}
0xA0AB7 Ref: PCI Express Configuration, Variable: 0xFFFF {0F 0F 27 05 28 05 D8 02 00 00 FF FF 00 30 10}
0xA0AC6 Ref: SATA And RST Configuration, Variable: 0xFFFF {0F 0F 46 09 47 09 D9 02 00 00 FF FF 00 32 10}
0xA0AD5 Ref: USB Configuration, Variable: 0xFFFF {0F 0F DB 08 DC 08 DA 02 00 00 FF FF 00 31 10}
0xA0AE4 Ref: Security Configuration, Variable: 0xFFFF {0F 0F 21 05 22 05 DB 02 00 00 FF FF 00 3D 10}

How to bypass error 280, 28, 368 ... Eeprom Write Protect

https://www.win-raid.com/t3908f16-GUIDE-...Flash.html

Flash Protection Range Registers (FPRR), Variable: 0x612

BIOS Lock, Variable: 0x17

Look for GUID 4570B7F1-ADE8-4943-8DC3-406472842384

0x97F97 Var Store: 0x5[1632] (PchSetup) {24 1F F1 B7 70 45 E8 AD 43 49 8D C3 40 64 72 84 23 84 05 00 60 06 50 63 68 53 65 74 75 70 00}

F1 B7 70 45 E8 AD 43 49 8D C3 40 64 72 84 23 84 = F1 B7 70 45 - E8 AD - 43 49 - 8D C3 - 40 64 72 84 23 84

F1 B7 70 45 - E8 AD - 43 49 (little endian) = 4570B7F1-ADE8-4943-
8D C3 - 40 64 72 84 23 84 (big endian) = 8DC3-406472842384

GUID : 4570B7F1-ADE8-4943-8DC3-406472842384

How to make these modifications in your NVRAM variables (VSS VarStore too), using the Intel tool H2OUVE and getting the vars.txt file [It's easy to be a hacker with the tools ;)]
Then we can modify this file and write it back, setting new values for the NVRAM variables and unlocking many things, not only these ones.

Modify "Pch-Setup" and/or "Custom", looking for the GUID 4570B7F1-ADE8-4943-8DC3-406472842384 (then modify the BIOS file too, searching for the patterns):

Bios Lock Pattern :

00 00 54 9B 00 01 00 00 03 01 02 00 01 01 00 00 00 01 02 03 00 00 01 01
0000549B0001000003010200010100000001020300000101

FPRR pattern (in this case it may not be useful, but as an example):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00
0000000000000000000000000000000000000100000000000000000000000000

You'll have to modify the "VSS" modules and "Custom" or "Padding" too in your BIOS backup, using CodeRush's UEFITool version NE
to search and extract, and a version like 0.25 or 0.28 to replace the modified modules.


[05C] "PchSetup"

GUID: 4570B7F1-ADE8-4943-8DC3-406472842384
Attributes: 0x7
DataSize: 0x6EC
Data:
Offset : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000: 00 00 54 9B 00 01 00 00 03 01 02 00 01 01 00 00
Bios 00000010: 00 01 02 03 00 00 01 01 01 00 01 00 00 01 01 FF <==== Variable: 0x17 0x01 to 0x00
Lock 00000020: 01 00 00 00 01 01 01 01 01 01 01 01 01 01 01 01
00000030: 01 01 00 00 01 01 01 01 01 01 01 01 01 01 00 01
00000040: 01 00 00 01 01 00 01 01 01 01 01 01 01 01 00 00
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 01
00000080: 01 01 00 00 01 01 01 01 00 00 00 01 01 00 01 00
00000090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000A0: 71 02 71 02 71 02 71 02 71 02 71 02 71 02 71 02
000000B0: 0F 0F 0F 0F 0F 0F 0F 0F 01 00 00 00 01 00 00 00
000000C0: 01 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00
000000D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000F0: 00 00 00 00 00 00 01 01 01 01 01 01 01 01 01 01
00000100: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 02 02
00000110: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02
00000120: 02 02 02 02 02 02 00 00 00 00 00 00 00 00 00 00
00000130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000001A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000001B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000001C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000001D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000001E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000001F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 01
00000200: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
00000210: 01 01 01 01 01 01 00 00 00 00 00 00 00 00 00 00
00000220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 01
00000230: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
00000240: 01 01 01 01 01 01 00 00 00 00 00 00 00 00 00 00
00000250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00
00000280: 02 00 00 00 00 00 02 00 02 00 02 00 02 00 01 01
00000290: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
000002A0: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
000002B0: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
000002C0: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
000002D0: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
000002E0: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
000002F0: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
00000300: 01 01 01 01 01 01 05 05 05 05 05 05 05 05 05 05
00000310: 05 05 05 05 05 05 05 05 05 05 05 05 05 05 07 07
00000320: 07 07 07 07 07 07 07 07 07 07 07 07 07 07 07 07
00000330: 07 07 07 07 07 07 06 06 06 06 06 06 06 06 06 06
00000340: 06 06 06 06 06 06 06 06 06 06 06 06 06 06 02 02
00000350: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02
00000360: 02 02 02 02 02 02 05 05 05 05 05 05 05 05 05 05
00000370: 05 05 05 05 05 05 05 05 05 05 05 05 05 05 01 01
00000380: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
00000390: 01 01 01 01 01 01 00 00 00 00 00 00 00 00 00 00
000003A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000003B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000003C0: 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00
000003D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000003E0: 06 06 08 0A 0C 08 0C 08 08 02 00 00 00 01 01 01
000003F0: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
00000400: 01 01 01 01 01 01 00 00 00 00 00 00 00 00 00 00
00000410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 02
00000420: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02
00000430: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02
00000440: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02
00000450: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02
00000460: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02
00000470: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 3C 00
00000480: 3C 00 3C 00 3C 00 3C 00 3C 00 3C 00 3C 00 3C 00
00000490: 3C 00 3C 00 3C 00 3C 00 3C 00 3C 00 3C 00 3C 00
000004A0: 3C 00 3C 00 3C 00 3C 00 3C 00 3C 00 3C 00 3C 00
000004B0: 3C 00 3C 00 3C 00 3C 00 3C 00 3C 00 3C 00 3C 00
000004C0: 3C 00 3C 00 3C 00 3C 00 3C 00 3C 00 3C 00 3C 00
000004D0: 3C 00 3C 00 3C 00 3C 00 3C 00 3C 00 3C 00 00 00
000004E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000004F0: 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00
00000500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0A
00000510: 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A
00000520: 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A
00000530: 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 04
00000540: 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04
00000550: 04 04 04 04 04 04 04 01 01 01 00 00 00 01 00 00
00000560: 00 00 00 00 00 00 00 00 00 00 02 04 00 00 00 01
00000570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000580: 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00
00000590: 00 00 00 00 00 00 00 00 00 00 00 01 00 00 44 00
000005A0: 39 00 43 00 39 00 35 00 32 00 34 00 39 00 2D 00
000005B0: 45 00 44 00 46 00 43 00 2D 00 34 00 30 00 34 00
000005C0: 36 00 2D 00 39 00 36 00 45 00 43 00 2D 00 31 00
000005D0: 35 00 44 00 32 00 45 00 42 00 31 00 32 00 43 00
000005E0: 37 00 34 00 45 00 00 00 00 00 00 00 00 00 00 00
000005F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
FPRR 00000610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <==== Variable: 0x612 0x01 to 0x00 It is set to 00
00000620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000670: 00 00 00 00 00 00 00 00 00 00 00 00 01 01 00 00
00000680: 02 00 00 00 00 00 00 01 01 00 01 01 01 01 01 01
00000690: 01 00 00 01 00 01 00 01 00 00 00 00 00 00 00 01
000006A0: 01 01 01 01 01 02 02 02 01 01 00 00 00 00 00 00
000006B0: 00 00 0E 00 00 00 00 00 03 03 01 00 00 00 00 00
000006C0: 00 00 00 00 01 03 02 01 00 00 01 01 02 03 00 00
000006D0: 00 01 02 03 00 00 00 01 01 00 00 01 00 00 00 00
000006E0: 00 00 00 00 00 01 01 00 01 00 03 00


Then, if you have an SPI programmer, you can unlock the FD descriptors too, to unlock all regions (areas) of the BIOS.

You have to modify these bytes:

These values are to be set (0000FFFF0000FFFF1801FFFF from offset 60h in the firmware dump)

00 00 0B 0A 00 00 0D 0C 18 01 08

then change it to

00 00 FF FF 00 00 FF FF 18 01 08

After you have modified vars.txt, you can write it back and, having unlocked the EEPROM, reflash the BIOS mod with the Intel FPT tool.
This is conceptual information for all BIOSes and we can apply it to Intel (H2OUVE) or AMD (RU EFI), but many times all the variables are protected too and not changeable, so
only by using the CH341A SPI programmer and Pomona clip is it possible to write the firmware back.
Let me know if you are interested in this and I will continue to explain everything ;)
Regards

BDMaster
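
Added example, not part of BDMaster's post: a Python sketch that decodes the VarStore and OneOf IFR opcode bytes quoted above (including the mixed-endian GUID) and uses them to read the current BIOS Lock and FPRR values from a dumped PchSetup variable, which is how one would audit whether these protections are still enabled. The function names are hypothetical, the sample buffer is constructed to mirror the two values marked in the dump, and only one-byte settings are handled.

```python
import struct
import uuid

# IFR opcode bytes copied from the extractor output quoted in the post above.
VARSTORE = bytes.fromhex(
    "24 1F F1 B7 70 45 E8 AD 43 49 8D C3 40 64 72 84 23 84"
    " 05 00 60 06 50 63 68 53 65 74 75 70 00")
SETTINGS = {
    "Flash Protection Range Registers (FPRR)":
        bytes.fromhex("05 91 23 0D 24 0D 03 03 05 00 12 06 10 10 00 01 00"),
    "BIOS Lock":
        bytes.fromhex("05 91 25 05 26 05 79 07 05 00 17 00 10 10 00 01 00"),
}

def parse_varstore(op):
    """Decode a VarStore opcode (0x24): GUID, store id, size, name."""
    if op[0] != 0x24 or (op[1] & 0x7F) != len(op):
        raise ValueError("not a complete VarStore opcode")
    store_id, size = struct.unpack_from("<HH", op, 18)
    return {
        # bytes_le: first three GUID fields little-endian, last 8 bytes as stored
        "guid": str(uuid.UUID(bytes_le=op[2:18])).upper(),
        "id": store_id,
        "size": size,
        "name": op[22:].split(b"\0")[0].decode("ascii"),
    }

def parse_one_of(op):
    """Decode a OneOf opcode (0x05) that backs a one-byte setting."""
    if op[0] != 0x05 or (op[1] & 0x7F) != len(op):
        raise ValueError("not a complete OneOf opcode")
    _prompt, _help, qid, store_id, offset = struct.unpack_from("<5H", op, 2)
    if op[13] & 0x03:  # low two bits of the numeric flags: 0 = one-byte value
        raise ValueError("only one-byte settings are handled here")
    return {"question_id": qid, "varstore_id": store_id, "offset": offset}

def read_settings(var_data, varstore=VARSTORE, settings=SETTINGS):
    """Report the stored value of each setting in a dumped variable."""
    store = parse_varstore(varstore)
    report = {}
    for name, op in settings.items():
        q = parse_one_of(op)
        if q["varstore_id"] != store["id"] or q["offset"] >= len(var_data):
            raise ValueError(f"{name}: not backed by this variable dump")
        report[name] = var_data[q["offset"]]
    return report

# Constructed sample buffer mirroring the two values marked in the post's dump.
sample = bytearray(0x6EC)
sample[0x17] = 0x01
```

`read_settings(bytes(sample))` reports BIOS Lock as 1 (enabled) and FPRR as 0, matching the annotated rows of the dump.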