Yes, sorry, I need to make clear in the guide if I did not already, BIOS Lock is not always in same GUID or same module by name even and name of module does not always matter for grub either (so always try, then check issue by error outcome).
Also, some modules contain “Textual Mention” of BIOS lock, but do not control or contain it’s setting, so you may be looking at a mention/reference of it and not the actual setting location.
Some BIOS you may need to use modified grub that has setup_var2 or setup_var3 commands. And if BIOS Insyde you may also need to use H2OUVE to change variable, and with that you can specify module you are needing to edit (setup, custom etc).
Some, only direct BIOS mod will work 
What error do you get with normal grub, show me an image of command entered and error given.
Found this guide regarding unlocking descriptors on a Dell laptop:
“ME FW Image Re-Flash” and “Disable ME” bios options.
The guy figured out that disabling the variables “Disable ME” and enabling “ME firmware reflash” will give him access to his whole bios albeit individually. So was wondering if the very same variables exist on other mainboards and if so help facilitate pinless modding of the firmware in the case of Coffeelake mods for example?
If anyone could do an afr dump of their setup and check? I would but am away from home.
Thanks
ME Re-Flash settings disable ME for one session, so that it can be re-flashed via FPT, this is on many standard Intel boards. I’ve only seen the “Disable ME” on certain (very few) Dell’s, and many of those have jumpers for this anyway.
@davidm71 @Lost_N_BIOS
This is the Intel S2600CP
The "bios lock" is in the var 0xA60 and is in the guid "blank"(97E409E6……) under the "setup".
And when I used the grub,it showed wrong message no matter I typed “setup_var” or "setup_var2"
“Does not match expected GUID” means var 0xA60 don’t exist in the SETUP GUID?
@gloobox - yes that is correct for this BIOS. You may not be able to use setup_var for this BIOS since that is not in “Setup” Or, it may be working/correctly finding the proper module here, but can’t edit like this (Sometimes this happens, even with var2 or var3)
For this you’ll have to try H20UVE, try all versions - if you need these let me know and I’ll send you in PM
H2OUVE.exe -gv vars.txt
H2OUVE.exe -gs -all Setup.txt
H2OUVE -gv var-GUID.txt -g 72C5E28C-7783-43A1-8767-FAD73FCCAFA4 -all (If error, remove -all)
You can try with GUID 97E409E6-4CC1-11D9-81F6-000000000000 but that may not work, since there is about 8 other modules with same GUID
The above is to dump only, to write back after edit
H2OUVE.exe -sv varsM.txt
H2OUVE.exe -ss -all Setup.txt
H2OUVE -sv var-GUID.txt -g 72C5E28C-7783-43A1-8767-FAD73FCCAFA4 -all (If error, remove -all)
After you write back anything, dump it again with new “mod” text name, and check that your correct edit was written in, if not write back the original (unless your new dump matches original, if that is the case re-check your write command and try again)
If all the above fails, your only option is mod BIOS
Wanted to share a more convenient way to access the Shell.efi environment without needing a usb drive. Someone else actually wrote about this elsewhere but good to know. Basically what you do is access your Windows system partition and mount it to a drive letter and copy the Shell.efi file to the root of the system partition. According to what I read you need to this under administrative priveledges by restarting explorer.exe under an admin command window. Once the file is copied all you have to do is go into bios and select boot into efi shell. Kind of cool little trick.
@davidm71 - good trick! Some BIOS may need that file named differently, some BIOS look for Shellx64.efi, I’m not sure how that would react in those cases. Maybe a copy of both in place would be OK?
@Lost_N_BIOS I only tried it on Asus boards as those have their bios’s locked. May get around to a permanent solution.
Thanks
What I mentioned applies to Asus as well, different BIOS or different series may need Shell or Shellx64 as the name, you can always tell which by looking at BIOS in AMIBCP and select this exit option and you’ll see what name it’s going to look for in the help text for that entry in AMIBCP.
This only applies to BIOS with this option on the exit page (or hidden exit page), for BIOS without this option I am not sure what the ideal name would be to do how you mentioned, I always suggest this method for users who can’t hit that choice on their BIOS exit page - [Help needed] Hidden Advanced menu Bios HP Z1 J52_0274.BIN (2)
hello my issue is the bootx.efi file doesn’t load on my system, even if I rename it.
I just get a black screen with a frozen cursor. any help would be great
@f3bandit - What is bootx.efi? Do you mean generally, the file attached at post one? If yes, what is your model, or link to your BIOS, or send me a FPT dump etc, can’t really help without knowing what system/BIOS we’re discussing 
Did you disable secure boot? Is USB MBR FAT32 partitioned?
yes
@f3bandit - That is not a large enough answer to what all I asked, do you need help or not? If you do, please >> what is your model, or link to your BIOS, or send me a FPT dump etc
USB Does not have to be DOS bootable, but can be. However, .efi file does need to be in root of USB (ie not in folder) and probably not on USB 3.0/3.1 port either, unless that is all your system has
The .efi file does have to be a specific name, which I can’t guess, I have to check your BIOS before I can tell you that name.
First off, thanks for making this guide.
Second: Im having an issue when following it. I have pretty much the exact same problem and I can follow it pretty much upto step 15, but when when I do it tells me that setup has 6 bytes and that the offset is out of range. Any suggestions what I might have done wrong?
@Kuhman - You’re welcome, and thank you too, good to hear it’s always being put to use 
Please show me an image of what you are describing, sometimes this is normal/expected, if not followed by more error.
Also, you can check what the “current” value is by >> setup_var variable (only, no setting following variable)
Some BIOS types, you need to use other setup_var, or use other tools such as Intel H20UVE etc.
What motherboard do you have, please link me to it’s stock BIOS download page
Hello, thank you for this guide. This question may be dumb, but I want to make sure I don’t brick my mobo… I’m on step 12, and I don’t have “Clear Secure Boot Keys” as an option. I can delete each key by going further into the PK, KEK, DB and DBX menus but I don’t know if that’s correct. If so, should I delete all 4 keys?
Using Asus Z170 Sabertooth S - Ultimately trying to flash modded Coffeelake bios via USB Flashback
[[File:190831234903 (1).jpg|none|auto]]
@slvrsurfr - You’re welcome! None of that can brick the board, it would only give you issues while trying to get to grub. The keys can always be restored by re-enable/install default keys or BIOS reflash.
However, I don’t think you need to do that, once you disable secure boot and reboot, that section should be hidden or empty I think
I checked BIOS 3801 and I see this option on your BIOS at this location, so this setting is either hidden from you always, or not there because you have disabled secure boot already and need to reboot possibly.
If you have secure boot enabled, do you then see clear keys option? I could make it always visible for you, but then you’d have to flash in that mod BIOS first, so we’d be right back here.
Just make sure secure boot disabled, reboot and then go to grub, should be OK
* Edit - USB Flashback does not require any of this. Put mod BIOS on root of FAT32 USB (Smaller/cheaper is best 128MB-2GB) and flash away - be sure file is in a signed capsule and is named Z170STS.CAP
To check if it’s signed, drop in UEFITool, and then in middle you’ll see AMI Capsule Signed or Unsigned. If it’s not signed, upload your file for me and I will fix for you.
Actually some USB keyboard couldn’t work in this GRUB,could you have another GRUB?
Can I avoid using GRUB and set all needed VAR values via FTPw.exe console?
@gloobox - I’ve never heard of such a thing, you can try the grub’s for this that have been modified to allow setup_var2 and setup_var3, but I think they use this as base.
Probably your issue is some USB setting, like XHCI or legacy USB forced enabled or something like that.
@klaxklax3 - you always have the funny questions, well always asked in strange ways 
I think you mean can you mod BIOS to make these changes in BIOS itself? If so, yes, this can be done, but you need to unlock the BIOS first otherwise you can’t flash in that mod BIOS.
Best way to do it is to unlock so you can flash with FPT, once confirmed you can, then dump BIOS again and then it’s already done for you, then use that as your new base BIOS to flash in first (ie now) and then always use that as your base BIOS moving forward for any mods and it will remain unlocked.