[Problem] Bricked ACER PREDATOR HELIOS 300 PH317-52 BIOS

Well on windows update it downloaded something called synde firmware or something like that and I thought I passed over the name “synde” or something similar while googling on details about my bios etc.

Anyway I am afraid I need to burden you a lil longer if you find free time and are able to help then you are more than welcome to do so :slight_smile:

So I looked a little bit into how to unlock the OC options and found this:

OneOf Prompt: "Overclocking Lock", Help: "Enable/Disable Overclocking Lock (BIT 20) in FLEX_RATIO(194) MSR ", QuestionFlags: 0x10, QuestionId: 0x167, VarStoreId: 0x3, VarOffset: 0xDA, Flags: 0x10, Size: 8, Min: 0x0, Max: 0x1, Step: 0x0
			OneOfOption Option: "Disabled" Value: 0, Default, MfgDefault
			OneOfOption Option: "Enabled" Value: 1
		End 
	End 

Which is located in this partof my bios

Bios region> EfiFirrmwareFileSystemGuid>1FD0BACE-6F0A-4085-901E-F6210385CB6F>Volume image section>EfiFirmwareFileSystem2Guid>SetupUtility/PE32 image section at header-offset 55CA2h

And I think it shows the “coordinates” of the flag to enable the Overclocking in my bios but I cant figure out where it points… since you are a master in binary spaghetti I wonder if you know which bit to change given the above info :smiley:

Yep, finding all the hidden bios options this way is well known, one might (re-) program the corresponding store in NVRAM, but there’s lots of connections/ connected values and conditions, I used it once to push SATA 3 mode on an Ivy Bridge laptop, but that’s som years ago- sorry!

Ok I figured out how to do it (some steps that I will designate with an asterisk may not be needed I just did them none the less cause I wasn’t sure if they needed to be done and wanted to lean towards the side of caution -which is risking my bios by adding complexity but didn’t care cause I had a back up of the working bios thanks to you :smiley: )

I am going to share my steps in case somebody needs to do the same since there is no unlocked bios for my particular predator variant as far as I checked online.

Having that said the following steps should be applicable to many other bioses/laptops out there if not all (obviously the hex values/id/flags could be different but the steps should be more or less the same)

So first of all I will quickly recoup.

I used the UEFItool found here Releases · LongSoft/UEFITool · GitHub (not the UEFIfind zip nor the UEFIextract zip you need to expand the list and find the zip labeled as UEFItool)

Step 1: I opened the UEFItool.exe and loaded my bios binary

Step 2: I searched (CTRL+F) for a string (don’t forget in the search dialogue to click on the “Text” format tab) namely this one “Overclocking Lock”

Step 3: Two results appeared in my case (and in my case they both lead to the same place but you should try all the results if you cant proceed to the steps that follow) I double clicked the first one and it pointed me to SetupUtility/PE32 in the Bios region (more on that here )

Step 4: I right clicked on PE32 and clicked on “extract as is” I saved the file in a directory I wont forget cause I will need it soon and also saved it as a .bin file eg “1.bin” .

Step 5: In order to make all that binary spaghetti code I just extracted a little more intelligible I needed a tool called IFR extractor which you can find here: Releases · LongSoft/IFRExtractor-RS · GitHub

Step 6: I extracted the executable in the same directory I extracted that PE32 bin file (need to extract there for convenience)

Step 7: then opened cmd as an administrator (probably not necessary ) and run the command ifrextractor.exe 1.bin

Step 8: the result was a lot of txt files but I focused on the ones that had big file sizes (cause probably they had bunch of text) and it so happened that the first big size text file had what we are looking for.

Step 9: I searched again within that txt file for the string “Overclocking Lock” I already know it’s here (cause of Steps 3&4) but what I want to get is the VarStoreId so that I can find the store name it belongs to, in my case the VarStoreId is 0x3 (as you can see in the post above) .

Step 10: Now that I know the store id, I search for a sentence in that text file that associates the VarStoreId with a varstore name and I found it by blindly looking for all the sentences containing the string "VarStoreId is 0x3 " but it so happens for all the store GUIDs to be listed on the very beginning of the text file :stuck_out_tongue:

The list looks like that (I will include only 3 members of the list as a reference)


VarStore Guid: 5432122D-D034-49D2-A6DE-65A829EB4C74, VarStoreId: 0x4, Size: 0x2B, Name: “MeSetup”
VarStore Guid: B08F97FF-E6E8-4193-A997-5E9E9B0ADB32, VarStoreId: 0x3, Size: 0x236, Name: “CpuSetup
VarStore Guid: 4570B7F1-ADE8-4943-8DC3-406472842384, VarStoreId: 0x5, Size: 0x6DA, Name: “PchSetup”

Step 11: So I know the store name but I also need to know the VarOffset value corresponding to the prompt labeled as “Overclocking Lock” in order to be able to edit/trigger it from “Disabled” or “0x00” to “Enabled” or “0x01

I do that by searching in the same text file, as previously, for the string “VarStoreId: 0x3” again, checking if it corresponds to a prompt that makes sense to unlock.

I say that because some/most do not need to, thankfully next to every prompt there is a help string describing what it does e.g “Processor trace” is a prompt you gonna end up with while searching for “VarStoreId: 0x3” prompts but it doesn’t make sense to enable/or disable it because it doesn’t seem to have anything to do related to “hide” or “reveal” advanced/hidden OC controls so the prompt looks like this

OneOf Prompt: “Processor trace”, Help: “Enable/Disable processor trace feature from CPU MSR. Enabling this feature will immediately start trace collection.”, QuestionFlags: 0x10, QuestionId: 0x33, VarStoreId: 0x3, VarOffset: 0xFE, Flags: 0x10, Size: 8, Min: 0x0, Max: 0x1, Step: 0x0
OneOfOption Option: “Disabled” Value: 0, Default, MfgDefault
OneOfOption Option: “Enabled” Value: 1

Its help section tells us basically that’s a debug feature that logs stuff the CPU executes so its not related… google can also help e.g googling “Bios processor trace” and give more context.

Also the default state of a prompt reveals if you need to note its offset down or not, like the prompt may be already related to revealing OC features but also is already enabled (as in the “Processor Trace” example above you see that the default value is Disabled

Or it simply may just be a prompt of a ranged option meaning there isn’t something to enable or disable so we ignore those too e.g “Core Max OC ratio” is just a prompt to enter the OC ratio you would like to have and NOT a prompt that enables or disables “Core Max OC ratio” as an option, that’s evident because there is no enable or disable values just a declaration of its default value (0)

Numeric Prompt: “Core Max OC Ratio”, Help: “Sets the maximum OC Ratio for the CPU Core. Uses Mailbox MSR 0x150, cmd 0x10, 0x11. Range 0-80.”, QuestionFlags: 0x14, QuestionId: 0x152A, VarStoreId: 0x3, VarOffset: 0x1B9, Flags: 0x10, Size: 8, Min: 0x0, Max: 0x53, Step: 0x1
Default DefaultId: 0x0 Value: 0

So I basically probably only needed to disable “Overclocking Lock” (it sounds counter intuitive but its a lock so by disabling a lock you get access to what it used to lock be mindful of that so that you wont need to repeat this step) but I did enable other stuff as well so I can’t be sure if without them this would work, on hindsight I just assume it would…

Anyway, these are the values who’s offsets I noted down (or you can make a txt file and take a photo or just do that in a second pc and look at that machine’s monitor while you are using these offset values in your laptop)

Mind again that your actual VarOffset values may probably be different than mine so I recommend that you don’t copy them unless you are absolutely sure you have an identical machine (from the posts above lisint my mobo sku and revision my laptop model and part number as well as my bios revision. )

*“CFG Lock” VarOffset: 0x3E <-I Disabled this.

“Overclocking Lock” VarOffset: 0xDA <-I Disabled this.

*“OverClocking Feature” VarOffset: 0x1B7 ← I Enabled this.

*“XTU Interface” VarOffset: 0x1B8 <-I Enabled this.

Step 12: So now that I know the store name (CpuSetup) and the VarOffset address/value of each prompt in said store, I need a tool to edit the “active” bios within my laptop, because I don’t know how to find these things in the binary of my bios :P, so I used grub which you can find here: Releases · XDleader555/grub_setup_var · GitHub
I downloaded the x64 version of it cause my CPU is 64 bit, the i386 version is for older 32bit CPUs.

Step 13: I took a USB stick (the smaller the size the better, cause some motherboards have issues reading large size USBs during post, I wouldn’t also recommend creating partitions to logically convert your e.g physical 256GB USB stick to a logical 8gb partition and leave the rest unallocated/or even formatted, it could work but wont work every time for everyone imho), I formatted it as FAT32 then I created a folder named EFI, inside that folder I created an other named Boot and inside that boot folder I pasted the grubx64.efi file (from step 12) but I renamed it to bootx64.efi (and this is necessary)

So the directory should look like this: x:\EFI\Boot\bootx64.efi ← where “x” the letter associated to your USB stick.

Step 14: I booted my computer into the bios (in my case spamming the F2 key multiple times right after pushing, the power on button boot the computer, in your case it may be the delete key or something else) then disabled the option labeled as “Secure Boot” usually found in a bios tab labelet as “boot” or “boot priority” or “UEFI” something or an other :stuck_out_tongue: (when we are done with the steps you can reenable this option if you wish) and set the USB as first boot device saved and exited the bios (obviously the USB stick from step 9 should be plugged into the laptop :P)

Step 15: Now you are booted into the grub command line you need to take a look at the VarStore name we are interested in ( namely in my case CpuSetup) and VarOffset addresse/value list that I listed at the end of step 11 and use the setup_var command to read the value and then edit it.

The command works like this:

setup_var [VarStore name] [VarOffset address] //<-- For querying/reading a value//

setup_var [VarStore name] [VarOffset address] [new value] //<-- For EDITING the existing value// 

e.g

setup_var CpuSetup 0xDA

Will give us the value of 0x1 (since 0xDA is for the Overclocking lock which is enabled)

We want to disable it though so we gonna enter give it a new value that corresponds to the disabling trigger so 0x00 (and 0x01 enables )

setup_var CpuSetup 0xDA 0x00

It will tell us that it wrote that value successfully (hopefully :stuck_out_tongue: )

Then it would be wise to query the same offset to be sure that the value changed (I also recommend doing the first query before editing the value just to be sure of what’s what)

so again:

setup_var CpuSetup 0xDA

And hopefully it will read that the value is 0x00 if don’t repeat editing it giving it the new value of 0x00

and do the same with the rest of the offsets of the list (at the end of step 11) if you wish so (again I don’t thing its needed but I done it only one time and when I done it I edited all the ones I mentioned )

And in theory you will be done congratz you know have an unlocked bios and can get into OC settings :smiley: (only caution dont mess with stuff you are not completely sure what they do or what the tolerances are cause user moded bioses dont have the same fail saves as factory unlocked ones in gaming desktops and what not you could end up frying your CPU for good)

But in my case that wasn’t enough…

Acer (at least in my case with the Acer Predator Helios 300 PH317-52) decided to put an extra lock you cant unlock by your own at least not if you aren’t a seasoned and well educated with the subject hacker which you probably are not since you read thus far into my post :stuck_out_tongue: (I think they did it through a series of conditionals in the code I assume since I saw some conditional IF statements when browsing the text files I extracted to english from binary e.g if this and this and this flag then dont get into unlocked bios :stuck_out_tongue: )

The good news is that Acer themselves revealed the way on how to access the hidden features! :smiley:

The bad news is that its a cumbersome ritual…

So here it is

Enter the bios normally by pressing/spamming F2 (either by cold boot or restart)

enter your password in case you have one, if you dont have dont worry you dont need to create one, do not do anything in the bios now just keep the power down button pushed until the computer shuts down (yea I know, but its not bs that’s how you do it I tried to avoid steps but no :stuck_out_tongue: hence I called it a ritual)

then you need to push these buttons , while the laptop is turned off (yes I know but seriously it’s no bs) in the exact series as they appear in this pic (first blue then green then purple)

You dont need to push them simultaneously just in series namely this series:

F4, 4, R, F, V, F5, 5, T, G, B, F6, 6, Y, H, N

And then after you do that you need to push the power on button and spam the F2 key again before windows loads so that you enter the bios, you know should have two “Advanced” tabs on your bios and all the OC (and more) features unlocked!!! congratz :smiley:

Also don’t worry I didn’t waste your time with all these steps you needed to do the above steps anyway (learned that the hard way because after having some performance issues, cpu package consuming to little power and thus not raising good clocks, I had to load bios defaults which I didnt think would revert all the steps above too but apparently it does :stuck_out_tongue: ) otherwise the above “ritual” doesn’t work I tried, it only started to work again when I edited (via grub) the offsets once more.

Hey mate, how did you know what keys they were? In my case I only saw 0A 82 something like that in the if statement, which doesn’t reveal which keys they are.
Thanks!!!

What do you mean? the “if statements” I was talking about are irrelevant that’s like my take/guesstimate on how they lock the OC options you dont need to find any IF statements (and also I cant remember what exactly I saw too much time passed and I dont do this regularly actually that was my first and last time lol )

But if you are at the point you quoted me above then it means you finished the other steps above now all you need to do is to use the method I describe (getting into the bios then shutting down the computer while in the bios by pressing the shutdown/boot button then press the keys as in the photo and then you are golden you can enter in the unlocked bios but be careful to not fry something lol so dont touch stuff you are not absolutely sure what they do and also in case you mess up if you restore the bios settings to unmess it up you have to do the steps all over again so better buck up your bios when you are at this point and then when you finally set it up the way you want it and then maybe you can experiment.