Help to remove BIOS lock

Hi to all.

I have a problem. I have a bios dump locked with password.

I cleaned the ME region and reflashed the bios, but the password is still there.

Maybe the password is not stored in the ME region?


Just flash original bios will do.

Hi, I have a problem flashing a BIOS on a Surface Pro 5.

The BIOS is locked and protected with a password, but I don’t remember which.

I managed to extract the BIOS with a programmer and, following the guide, cleaned the ME region.

Reflashed the clean BIOS but the password is still here.

Here are the dumped BIOS and the cleared one.

Could anybody help?


That is correct, password is not stored in ME FW. Password is in NVRAM or some other module of the main BIOS region, some may even store on external chip.
People at forum can help you with that, but you’ll need to give them a dump of the BIOS preferably with a flash programmer (CH341A + SOIC8 test clip with cable) as that will probably be required to easily overwrite the password anyway.

If you see a code on screen, you can try one of these sites

See also…eered-bios.html

@Rob983 Here, this thread, do not start new ones in the wrong sub-forums

Sorry for posting in the wrong section! (I didn’t realize the first post was moved and not just cancelled.)

No codes on screen, I will try to give the dump bios to the guys at Bios Mod, thanks!

Or, I have an idea: I have the original locked BIOS of an SP4 and the same BIOS but unlocked. I will try to compare the 2 files with a hex editor and find the parts that were changed, then find the same parts in the locked SP5 BIOS and erase them.

Will it work?


I can’t.

Windows won’t boot and I can’t reinstall because I can’t change the boot order in bios.


Cancelled some parts with Hex editor. Reflashed bios.

Seems to work.

No password request.

@Rob983 - please edit your posts if you want to add more info and no one has replied yet, thank you.

If you have a locked BIOS and unlocked BIOS, put those into a zip for me and I will see if I can find the area to remove the password for you.

* Edit - Sorry, I missed your last post while editing and replying. So, you got it correct?
If yes, please still upload those BIOS for me, so I can find the location (or you tell me hex address) then I can find what actual area in BIOS modules or NVRAM it is, then I can post the info here to help others later so they know where to look.

Hi @Lost_N_BIOS, thank you for the reply, and sorry for the bad use of the forum.

Here <— you can find the dumped bios for Surface Pro 5 (2017)

And Here <— you can find the modded bios.

See address 00600060, I edited only some addresses.

With the modded BIOS the password is unlocked, I managed to change the boot order and reinstall Windows, but I think I have deleted more than needed, because if I try to update drivers and firmware by downloading the .msi file from the Microsoft site, it gives me an error: it doesn’t recognise that the laptop is a Surface Pro 5 and quits.

Can you give me some advice?

By the way, now that my Windows is OK, can I flash with the fptw tool instead of the programming cable? Is it the same thing?

P.S. Sorry for my bad english, I’m from Italy…

Luckily for you this BIOS is booting. You broke the VSS Store/NVRAM, so before I even look into the BIOS or what you edited, we know the password is stored in VSS/NVRAM, or something there pulls the password from another location but it can’t load now because this region is broken.
Since you broke the entire section, no NVRAM can be loaded. You may or may not have removed the password; it’s simply not loaded because it’s all broken now.
This is why your driver installs fail: product name, family, SKU etc. are all stored in NVRAM (Windows keys, serial, UUID are too).

What you FF’d out is the following, none of which is the actual password entry. GUID names are mainly what you FF’d, plus their contents after the = sign below (which is not much):
AuthVarKeyDatabase = 00
VendorKeysNV = 01
MemoryOverwriteRequestControlLock = 00
RTC (Real Time Clock) = FF 07 00 00
RTC Alarm = 98 00 06 09 00 00 00 00 00 00 00 00 FF 07 00 00
CapsuleLongModeBuffer = AA (you only FF’d one byte of this module’s GUID header name entry, the rest of the GUID and module remains)

So, password still remains there, somewhere between 600000 and 640000, or something there is invoked to read the password from another location.
I looked but didn’t recognize any modules that look to hold a password, but as I mentioned I’m not familiar with removing these passwords.

FPT flashing may require you to unlock some things, before you put the programmer away, at very minimum you need to unlock the FD per this guide (See Section B, second spoiler, first image)
[Guide] Unlock Intel Flash Descriptor Read/Write Access Permissions for SPI Servicing

Best you post your original dump at BIOS-mods forum and ask someone to remove password for you.
If you already did, bump your thread, and add now, that you broke VSS/NVRAM region and system boots without password now, so they will have easier time to locate it now that you can tell them this.

What kind of password is this, do you know for sure it’s BIOS, or is it a windows type screen?

Put back on the original BIOS and try password all lowercase, type this from a USB Keyboard
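The comparison discussed above, as an added example that is not part of any post in this thread: a small Python script that lists every byte range that differs between an original dump and a modded one, counts how many bytes were set to FF, and flags any change outside the 600000 to 640000 window named in the reply, so a modded image can be audited before flashing. The sample images are constructed in the script and are not real dumps; the function names and the 16-byte merge gap are assumptions.

```python
# Added example: report which byte ranges differ between two firmware dumps.
NVRAM_START, NVRAM_END = 0x600000, 0x640000  # window named in the thread
BLOCK = 4096  # compare in blocks so identical areas are skipped quickly


def changed_ranges(original, modified, merge_gap=16):
    """Return [(start, end_exclusive, bytes_set_to_ff)] for differing runs."""
    if len(original) != len(modified):
        raise ValueError("dumps differ in size; not the same flash layout")
    ranges = []
    for base in range(0, len(original), BLOCK):
        a = original[base:base + BLOCK]
        b = modified[base:base + BLOCK]
        if a == b:
            continue
        for i, (x, y) in enumerate(zip(a, b)):
            if x == y:
                continue
            off = base + i
            ff = 1 if y == 0xFF else 0
            # Merge edits that sit within merge_gap bytes of the previous run.
            if ranges and off - ranges[-1][1] <= merge_gap:
                start, _, count = ranges[-1]
                ranges[-1] = (start, off + 1, count + ff)
            else:
                ranges.append((off, off + 1, ff))
    return ranges


def outside_nvram(ranges):
    """Changes that touch anything outside the NVRAM window."""
    return [r for r in ranges if r[0] < NVRAM_START or r[1] > NVRAM_END]


def build_sample():
    """Constructed 8 MiB images (filler bytes), standing in for real dumps."""
    orig = bytearray(b"\x5A" * (8 * 1024 * 1024))
    mod = bytearray(orig)
    mod[0x600060:0x600080] = b"\xFF" * 32  # run of FF near the edited address
    mod[0x600200:0x600204] = b"\xFF" * 4   # second, separate FF'd entry
    mod[0x700000] = 0x00                   # stray edit outside the window
    return bytes(orig), bytes(mod)


if __name__ == "__main__":
    o, m = build_sample()
    found = changed_ranges(o, m)
    for start, end, ff in found:
        print(f"{start:#010x}-{end:#010x} len={end - start} set_to_ff={ff}")
    print("outside NVRAM window:", outside_nvram(found))
```
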

Thanks for the help @Lost_N_BIOS ,

seems I was lucky in destroying my BIOS… :)

I wrote to the other forum, I’ll let you know if there is any news!

15/09/2019 Edit:

Good News! @Lost_N_BIOS

A guy from the Bios-mod forum managed to remove the psw from the original BIOS.

Tried the BIOS and it works.

Here <— is the working and unlocked bios.