Asus ROG Strix Z270H Unlock

BIOS/UEFI Modding Reports: BIOS Modding Results
1

Hello Lost_N_BIOS,

Here’s hoping you can help me to unlock all of the hidden settings on my Asus ROG Strix Z270H. I’m in the process of trying to do it myself (based on your guide), but given that I’ll likely butcher it somehow - I would more than appreciate it done right - by you - and I could learn from that example later. I’ll send you a PM with the BIOS.

Thank you ever so much and kind regards,

2

@hydropepon - Please send me some screenshots of your BIOS, you can use F12 to screenshot to USB. I need to see all of Ai Tweaker (scroll up/down if needed), I need to see all visible to you submenus at ROOT of advanced (don’t need to see in them right now, just need to see which are visible to you), boot page, exit page
What is your goal/desired settings to be made visible here? This BIOS is not like the Tongfang thread you originally posted in, that has hidden advanced and chipset etc.
But, there is many submenus or settings that may be hidden from you, but I can’t go through and enable them all at once (Unless you show me every page of your BIOS, in full, all settings visible on all submenus)
It’s much quicker if you only need a few settings, tell me those, then I can make visible for you, so if you were missing something specific let me know and we can get that visible for you right away.

3

Thank you for taking this up first of all

1. The share link in the PM with the compilation of the BIOS screenshots has some sections/settings that I’ve set to USER Access/Use on AMIBCP - namely “PCI Subsystem Settings” and “ACPI” under Advanced in the screenshots.
2. Just some context - I’ve started digging into hidden BIOS settings after seeing that I am unable to activate Windows 10 Kernel DMA protections due to apparently my PCI Express Root Complex (ACPI\PNP0A08) ending up detected as a “Un-allowed DMA capable bus/device” - I’d like to fix that if possible.
3. After checking the BIOS Strings via AMIBCP I can see references to a “Chipset” (0x002F or 0022) menu which is totally absent.
4. The first menu beneath “Main” doesn’t have a name and is totally absent from within the actual BIOS(most of the options appear to be replicated elsewhere though).
5. There are references to HDD Security(Presumably HDD password protection) which is absent from the BIOS and that’s something I’d very much like to enable.
*. On the topic of HDD security: I have a Samsung 970 EVO NVMe M.2 drive and for some reason I can’t activate Bitlocker eDrive/Self-Encrypting Drive(Hardware based automatic encryption) on it. No issues doing so on a Samsung 850 EVO mSATA(connected to the same motherboard via a SATA adapter) - I was hoping there were some settings(Perhaps within the NVMe modules) that could help me rectify this. This isn’t just a me problem by the way, from what I’ve read it would appear that most Z270 boards irrespective of the manufacturer have this issue.
6. There’s a secondary Exit menu that you can see from within AMIBCP and whatever options it may or may not hold are eldritch to me.
7. There’s a submenu under Advanced called “(1753) PCI Subsystem Settings” that doesn’t appear to have any settings at all(It appeared after I set Access/Use for it to USER in AMIBCP) - I’m curious what if anything is meant to be/could be there.
8. Lastly and this is more of a question - I’m guessing that most of the options that you can see in AMIBCP but not in regular BIOS can be made to appear within the regular BIOS by just changing the Access/Use from default to USER?

Kind regards,

4

OK, right off the bat we need to start over then maybe. I normally don’t want to edit on top of someone else’s edits, unless you have ONLY working edits in there, and none that you left in place that didn’t work. If you removed any edits you tried that failed, OK, I guess I can use.

#2 - sorry, I have no idea about any of that, but I believe this is a ME FW issue you need to deal with and maybe not possible on Mv12 yet, there is a thread around here about that I think.
#3 - yes, that is correct.
#4 - this is debug folder, ignore (but you can change something there if needed, and it’s not in other sections of the BIOS.
#5 - Yes, if you cannot see HDD passwords in security section of the BIOS then that can be enabled via AMIBCP or setup edit (sorry, I’m not looking at the BIOS right now, so location may not be correct)
#5a - I’ve never heard of this, we’ll have to see what @Fernando says, since you say it seems to be a common Z270 issue then many users surely have ran into and I bet he’s seen/discussed this with others previously.
#6 - I can switch your exits if that is what you want, sorry I don’t know what eldritch means. ** OK, looking at BIOS now, I assume you mean the second exit that is blank, ignore this, you have best exit already
#7 - OK, looking at BIOS now - See, now this is why I prefer to work on stock BIOS or a dump of flashed stock BIOS only, there is no PCI subsystem in this BIOS so you should have never enabled that, you can see on left there is no PCI Subsystem so nothing to enable. Surely you put this back to default correct?
#8 - Sometimes yes, other times you need to unsupress in setup menu (this is a UEFITool, IFR and HEX edit process)

So, back to my original comment, sounds like you’ve made edits for no reason, and I prefer to edit a clean BIOS so all edits are my own and anything that fails to show I know how to then fix/do other way etc.
Can you please flash stock BIOS using EZ Flash, then unlock SMI/BIOS lock if needed, then dump BIOS region only via FPT and send me that (Along with all new, clean BIOS images)

5

The BIOS that I’ve sent you is actually clean(The one that you can see in the uploadfiles.io) - Only UBU updates had been applied to it. But I’ll send you a share link with another one pre-UBU updates/untouched.

6

I don’t see any link to uploadfiles.io (This why I said keep all info in thread ) I assume you mean in PM, I can’t help with BIOS in PM, 1000’s of PM’s literally, so I can’t spend time digging around in there to try and find link, please keep all files, details etc here in thread, thanks
Yes, I also don’t want dump edited by UBU either, so thanks, yes please do clean EZ Flash and then unlock SMI/BIOS lock if needed, then make new FPT bios region dump
Then get all stock images of the BIOS too

Since you already edited with AMIBCP before, what did you want enabled, that you wasn’t able to enable with AMIBCP anyway? Just ACPI?

7

Stock BIOS image (BIOS Locked - do you need it unlocked?): https://ufile.io/h3xu3y87
Stock BIOS screenshot compilation: https://uploadfiles.io/bamcqy1j

8

I don’t need it unlocked, but you do to flash So, you can unlock SMI/BIOS lock if you need to, before you make FPT dump and send to me, or before you flash the locked one I send you back if you don’t disable it before the dump
If you disable before the dump, then after flash of mod BIOS it will remain disabled

9

Yeah, - I actually like to keep it locked (For PCR7 Binding). In terms of the redefined goals - HDD Security options and whatever options that can be “unsupressed” via the “this is a UEFITool, IFR and HEX edit process” you mentioned. The stuff that I can change just via “Access/Use USER” in AMIBCP - I’m happy to do myself (ACPI would be one of these things I think).

P.S. The google drive images were mid edit experimentation - trial and error sort of thing.

10

Thanks, I didn’t download the google Images (page never loaded for me to anyway, just blank).
So, since you’ve sent complete BIOS images, and don’t have any hard specific setting you need that you couldn’t get before, and also already know how to enable some stuff via AMIBCP, I’m not sure what to do first here now
Normally I send user a few test edits with one setting changed a few ways, to see which method works for AMIBCP changes (User or Super), I assume both work here since you mentioned using User already.
Anyway, then after that I send them BIOS with all AMIBCP changes vs what I see in BIOS images, then they send me back images of BIOS again, so anything missing I can unsuppress as needed.

You don’t know exactly what all you enabled via AMIBCP that worked and what didn’t, do you? If you do, and know for sure, do you have a list of what didn’t work via AMIBCP edit? If yes, post that for me, it will save some steps here, I can do the AMIBCP vs images changes, then from your list do the changes that need done in setup.
Otherwise I will have to send you AMIBCP edit BIOS, and then you send me back all new BIOS screenshots. If we do this, you don’t have to name them specifically like you did, or put in folders, I arrow through them in photo viewer beside AMIBCP anyway so don’t need to look at names or foldered out sections (to save you some time next round)

On Bitlocker issue, did you test changing some of the TPM options at Advanced >> PCH-FW Configuration >> PTT<br />And >> Advanced >> Trusted Computing (there is three of these), I normally disable/hide the default limited one, and make visible the one with most settings. in this case, maybe make 2+3 visible, since those have different settings

On the HDD Security you mentioned, I don’t see a Security section in this BIOS, so anything I mentioned before does not apply. Where are you seeing HDD security stuff?
* Edit, Never mind, I see Security inside Main now, sorry Checking it out
>> Nothing for this in this boards BIOS All that may be offered there is HDD password anyway, which you can set with windows and it’s dangerous to do anyway in case you forget or loss (Same for BIOS Admin or User Password too)

11

HDD Security - In the Main folder there’s “(17A4) HDD Security Configuration:”, then in the unnamed folder under Main there are the following: (17A4) HDD Security Configuration:, (17B6) Security Supported:, (17B7) Security Enabled:, (17B8) Security Locked:, (17B9) Security Frozen:, (17C2) HDD User Pwd Status:, (17C3) HDD Master Pwd Status:, (17BC) Set User Password, (17BE) Set Master Password. In the BIOS string section, all the tokens/lines between and including (17A4) - (17C3). Bios string tokens 0x0080 and 0x0081. (0C93) HDD Unlock and 0C92.

Edit - I would like HDD Security because the Samsung drives I have offer hardware encryption if there’s a HDD password set (Hardware encryption can be enabled either via HDD password, OPAL or Bitlocker).

I had only made a handful of edits on the google drive screenshotted bios - the following links show what was done in AMIBCP: https://ufile.io/qjhz3n7v

The only thing that worked was ACPI, nothing else revealed any extra settings - I did not attempt to set to USER any of the individual items within the screenshotted images.

12

Folder without name is debug, you cannot have this in BIOS, only change those settings in place if needed for debug purposes. If you need any of those enabled/disabled, then you do that while you do your AMIBCP editing (don’t change access level or show/hide, just change the “optimal” value
I’m halfway through initial BIOS edit, in this case I think we work in reverse of my usual. I’m unsuppressing a bunch of stuff in setup, then you send me all new images of entire BIOS, then I will make rest of missing stuff visible via AMIBCP. Then once done with that, you can make any changes you want in debug folder

As mentioned, I did not download anything from google, so no need for us to further check any of that out

If User/Super did not work for you to enable a submenu at root level, then changing individual settings within will not matter, it has to be visible to you in BIOS at the root level first, then anything missing within you can enable via Access Level (if the setting is not additionally suppressed itself)
A lot of stuff is suppressed at the root level, so changes in AMIBCP wouldn’t have worked for you until it was unsuppressed. Don’t worry, all will be visible once we’re done, and we’ll probably have to go back and hide again some dupes

* Edit @hydropepon - Send me one of your UBU edited BIOS that you have edited the most and flashed and it was OK, I need to see if something is OK on your board/BIOS or not, thanks

** Edit 2 - @hydropepon - Never mind, sorted out! Here, please test, and give me all new images of entire BIOS (ALL). Don’t try changing anything via AMIBCP yet, please wait until I’m done and tell you go ahead, that way all edits are still mine and I know what’s done and how it’s been changed etc
Don’t worry what’s there and what’s missing, this is a process and I have to do it this way (really, prefer reverse of this actually, but oh well )
Anyway, some new submenus may be empty, or you may still see stuff missing, it’s OK, I will get it as we wrap it all up, and some stuff always will be hidden (laptop stuff etc)
https://ufile.io/p8k450ac

13

@Lost_N_BIOS :

Since I have never read/heard about such problem, I cannot help.

14

@Fernando - thanks, sounds like this is not such a common issue as he may have thought. I’ll have to see if he can show me what makes him say it’s common

@hydropepon - Can you show me some links or discussions, where you see that as being a commonly discussed Z270 issue? ^^ @ #5a

In reply to your PM - HDD Security I answered you aBOVE. You can change those to whatever you want anytime with AMIBCP, change optimal column, and be sure you load optimal once in BIOS.
You can’t make anything there visible, however if there is 1-2 settings you want from there, I can copy out into some other section, but I have to replace something you don’t use or can’t currently see etc.
Main goal of this edit was not to make menu’s visible, although some may be visible now, this was good swath of suppressed items in BIOS now unsuppressed, rest I will do after seeing images as I mentioned

15

Apologies for the delay, but here are the follow-up screenshots: https://ufile.io/9vne7sum

In terms of the NVMe Hardware encryption matter, it would appear that it doesn’t quite matter as much anymore as apparently since “September 24, 2019—KB4516071 (OS Build 16299.1420)” Microsoft started defaulting to software based encryption due to the SSD folks being rather dodgy about their hardware encryption capabilities. But, I’d be happy to provide you a cornucopia of links to support my claim (One can just google “Samsung NVMe Bitlocker” or “Samsung NVMe eDrive” to get a rough idea of what I’m talking about and just to be clear, Samsung had responded over a year ago to the matter - stating that the fault lies with the respective motherboard manufacturers). Also, I might have actually understated just how widespread the issue itself is in terms of how many different kinds of motherboards it affects, but last I tracked it which was about a year ago, I remember reading reports about the issue not being present in Z390+ motherboards. Lastly, a side note, I had actually messaged our dear host Mr Fernando about this matter a year(+22 days) ago.

16

@hydropepon - thanks for the screenshots and info, I know nothing about this, so general info or user complaints does not help me.
But, from what you say, sounds like this can maybe be addressed in BIOS, but without me knowing anything about TPM all I know to do is make the settings visible to you, or I can update TPM module sometimes (or maybe downgrade it etc)
But for any of that to work, ideally there would be some discussion about that, or some company fixed this in their boards (then I could look). Since it sounds like no company did fix it, then it must be an Intel Chipset or Intel ME FW issue, not a BIOS issue, otherwise Z170 and Z370/Z390 would be affected since they all use same base BIOS type
Until recently I didn’t even know you could use TPM without a add-on TPM chip/device, since 99% of boards that can do TPM have a TPM header on the board for such item.

You didn’t comment about HDD security, is there a few of those you’d like copied out into a visible section of the BIOS? If yes, I can do, but we need to find what you don’t want/care to use that I will replace it with.
That can be visible to you now, or hidden (I will make visible while replacing). Some items, have several multiples in BIOS, so those could easily be one of the ones to replace with setting you want (like SI Spec control in Boot page)
^^ Speaking of SI Config, let me know if you don’t see that now on Boot, I left suppressed but enabled with AMIBCP, may need unsuppressed also

The setting to be replaced must have the EXACT amount of setting options as the one you want me to replace it with. Meaning if setting you want has enabled/disabled, one I replace must contain only two possible options (doesn’t have to be enable/disable, just “two” options).
If it has Auto, settin1, setting2, then one I replace must originally have three options. Hope you get what I mean

Here is unlocked BIOS now, all should be visible, if anything still missing let me know (some stuff I did leave suppressed, and some stuff I may have missed in first edit as well, so if anything important let me know)
https://ufile.io/tisw9xaq

New screenshot when you have time, thanks Probably a few items I still need to unsuppress
Also, some stuff is dupes, so I’ve only enabled in one area too, as well as some may be duplicated that I didn’t notice (in these cases let me know so I can rehide one)

17

Hello ,
Link is not available

18

@digilabs

Hi friend, please use this tool , run it as Admin and upload thre result file here :

https://www.mediafire.com/file/flr80ru40…ols20i2.7z/file

Let me know
Regards

19

.