[Guide] Howto Unlock/Flash an Insyde H2O UEFI BIOS

Hello!

Can somebody, if possible, unlock all bios settings for the Acer Aspire R3-131T? (InsydeH2O Rev. 5.0).

Here is a link to the latest bios version (v. 1.17): https://global-download.acer.com/GDFiles…SC=EMEA_27

According to a programmer, the bios probably has RSA protection.

Maybe this “Result” file helps: https://www.sendspace.com/file/sxc16i

Thank you!

does anybody have the QA.pfx file?

Can someone provide some clarification please? this threads topic got highjacked as the post is about signing the bios with official insyde tools which is the holy grail solution to almost all of insyde bios reflashing issues-the poster then provides incomplete tools missing the QA cert,drops the mike and walks away-then the thread contines with NOBODY trying the tools to discover they are missing the security certs and discussing nonsense-It appears whether you mod the flashing tool or not if the bios isnt signed then=brick-I know this as I hardware programmed my bios dumped,edited, then hardware programmed with an nvme insert and didnt re-sign the bios and guess what-brick

@Sweet_Kitten you provide an interesting link stating instructions inside archive in response to someone else askiong for the QA.pvk files which is the whole basis for this post so where are they? the link has over 12 files one of which is needing somew crazy pay for download plan
can someone please post where to obtain the qa certs-I tried making certs labeled QA-its signs well enough but no bueno for the flashing tool

In the matter of the topic I only uploaded makecert.exe, pvk2pfx.exe, MakeKeyFirst.bat, MakeKeySecond.bat. You have a limitation of 50MB per download on Chomikuj file-sharing.

A new certificate can be created with “makecert.exe” tool. There was no need for poster to publish the QA cert as it is being generated with random seed by default.

We still missing private keys from the manuf. It is necessary to have those files to generate a correct private key – public key pair, because the priv. key is that seed we use to generate certificate. So, the whole topic is a big nonsense itself.

So to say, the part about certificates belongs to “external” protection of flash memory. It is only valid untill the BIOS image is flashed by the genuine flashing tool. But there is also such thing as internal sanity, when already flashed BIOS performs the integrity check at some point of initialization.
Devices I know have this technology: Lenovo B50-30, Acer Swift 3 SF314, Xiaomi Redmi G 2021, most of HP Notebooks…

Yours might be one of those.

Ah, sure… Just got to know your device is Lenovo B40-30. It’s unfortunate, but I have no solution. I’m barely understanding how encryption things are actually work.

1 Like

yes the b40-30 uses the exact same bios as b50-30
does that mean even flashing back modded bios with hardware programmer will still =brick?

I read that when using winhex after loading bios in h20 that the decrypted file is stored in ram and you can edit/save without needing to flash

I have manually edited and unlocked all descriptors on signed bios without breaking it
and flashed back no problem-any additional edits result=brick

I found several tools that will replace the signed bios with your certs but its not for my model and unsure how to edit the tool

how do I manually edit nvme module into bios? what line?

Don’t know. I’ve checked the FPT way only.=bri ck

I didn’t catch the idea. Could you post the source of this info?

What descriptors? Flash descriptors of descriptors region?
Note that only individual volumes are verified during initialization. Otherwise, even just NVRAM data change would result in brick.

Can someone mod the InsydeH2O BIOS of my Lenovo IdeaPad 320-17IKB? I want to unlock the advanced settings. I already used a tool to replace the SLIC, but the same error that it is an invalid firmware image appears. I would like the full package
BIOS.zip (5.1 MB)
with modifications that allow flashing.

Flashing might be a challenging task. But unlocking the advanced settings should be rather simple. This BIOS has everything in place. Known working shortcuts to open advanced settings in the code, and the application to enter setup screen.
Extract files from the archive to a flash drive, boot and see what happens. 4WCN47WW.zip

Thank you! I will try to boot it soon from my SD card as I have no USB drive free. Luckily my BIOS is good enough to support that :rofl:. I guess that Secure Boot must be disabled?

I just ran it, but nothing special. One thing though, is that the BIOS says that it can boot my DVD ROM, which the device has but there is no disc and when I just enter the BIOS normally it isn’t there too! So I guess the BIOS is a bit exploitable. Also the PXE boot’s address is it at 00-00-00-00-00-00 which is also not normal, but this might tell that it is hackable.

Also, what shortcuts? So did Lenovo lie to me? They said that it was a production BIOS without shortcuts. Also just checked and saving an option in the temporary ‘patched’ BIOS does indeed save.

With this you have created some controversy in my mind. Did the patch actually worked or no additional menu appear?

This BIOS clearly has a function inside, executing which opens 2 additional tabs on the top. With the patcher I tried to activate it.

Hello,

GOOD NEWS. I unlocked the Main, Advanced and Power tabs!!! I searched for the program you did use for the ZIP, which linked to another program called ‘InsydeH2O-Unlocker’ and success with that program! I CAN ENABLE STUFF LIKE OVERCLOCKING.

This is nice.

Yes, here are some photos:



Also, even though I unlocked the BIOS, would you be able to get to know what the shortcut is to unlock the advanced settings? It might be handy for in the feature and to get even an easier way to unlock it.

I’m sorry, I would not.

Okay, but you said it is easy to get to know that. Or am I wrong?

Unfortunately and fortunately,

I had bricked my BIOS after changing some settings. Only had a black screen and loud fans after. Fortunately, I got a CH341A programmer and were able to restore it to a working BIOS dump. Is there a way I can set back and/or get back the license key in the BIOS? I were stupid and made no BIOS backup, so. I can live without it, as I already upgraded from Windows Home to Pro using a different key not stored in the BIOS, but it might be handy to get it back just in case.

  1. Open a dump in hex editor.
2. Search for this sequence.

01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 1D 00 00 00

  1. Input your key after the last character (00) replacing FF bytes.