[Request] (2021 - AMI) Alienware m17 R4 - Unlock hidden menus

Hi,

I would like to unlock hidden menus in my BIOS. I believe it’s an AMI Aptio 5 BIOS, however I was unable to dump it myself using AFUWin or AFUEfi. I attached the BIOS image provided by Dell.

I would be very open in understanding how you did it too if you are open to share :slight_smile:

Thanks in advance!
James

BIOS File:
sendspace.com/file/tzdv0v

From Dell: dell.com/support/home/en-ca/drivers/driversdetails?driverid=3jggn

I edited with links, I noticed the attachment was not present

Bumping and letting you know I’m still checking every day and am still interested

Hi friend,
use this tool, execute it as Admin, get a result file, then upload it for me; I will take a look!
Here you go :

https://www.mediafire.com/file/4s2lp3ig8…ools20h.7z/file

Regards



Omg nice!!
I’m looking to unlock hidden menus :slight_smile: and I also have one extra goal which I am not sure it actually is possible: to have at least one of the following 3 connectors to display through intel IGPU: MiniDP or HDMI or Thunderbolt 3

Results: mediafire.com/file/xi5s98x2qj2k4o1/results20.rar/file

@BDMaster

Still very interested :slight_smile:

Hi friend, it’s for your laptop safe and i think about users like friends …
Thanks i will give a look


Error 167: Protected Range Registers are currently set by BIOS, preventing flash access.
Please contact the target system BIOS vendor for an option to disable
Protected Range Registers.

FPT Operation Failed.

EEPROM is write protected …

Boot Guard.jpg



Only NVRAM variables are modifiable; all the rest is under Boot Guard and FPF checks.

You have to use MEInfo to check the FPF state; please download it and post a log here.

https://medium.com/firmware-threat-hunti…rd-cc05edfca3a9




Intel (R) MEInfo Version: 14.1.53.1649
Copyright (C) 2005 - 2021, Intel Corporation. All rights reserved.
 
General FW Information

Platform Type Mobile
FW Type Production
Last ME Reset Reason Other
BIOS boot State Post Boot
Boot critical code redundancy Disabled
Current Boot Partition 1
Firmware Update OEM ID 68853622-EED3-4E83-8A86-6CDE315F6B78
TCSS FW partial update Disabled
Crypto HW Support Enabled
Integrated Sensor Hub Initial Power State Enabled
OEM Tag 0x00
FWUpdLcl Enabled
Capability Licensing Service State Enabled
TLS State Disabled
CSME Measured Boot to TPM Disabled

Intel(R) ME code versions:
BIOS Version 1.3.1
Vendor ID 8086
MEI Driver Version 2040.100.0.1029
FW Version 14.0.46.1431 H Consumer
LMS Version 2036.15.0.1832

IUPs Information
PMC FW Version 140.2.1.1011
OEM FW Version 0.0.0.0000
ISHC FW Version 0.0.0.0000
PCHC FW Version 14.0.0.7002

PCH Information
PCH Version 0
PCH Device ID 68D
PCH Step Data A0
PCH SKU Type Production PRQ Revenue
PCH Replacement State Disabled
PCH Replacement Counter 0
PCH Unlocked State Disabled

Flash Information
Storage Device Type SPI
SPI Flash ID 1 C84018
SPI Flash ID 2 Not Available
RPMC Replay Protection Supported
RPMC Replay Protection Bind Counter 1
RPMC Replay Protection Bind Status Post-bind
RPMC Replay Protection Rebind Supported
RPMC Replay Protection Max Rebind 15
Host Read Access to ME Enabled
Host Write Access to ME Disabled
Host Read Access to EC Disabled
Host Write Access to EC Disabled

FW Capabilities 0x31119540
Protect Audio Video Path - PRESENT/ENABLED
Intel(R) Dynamic Application Loader - PRESENT/ENABLED
Intel(R) Platform Trust Technology - PRESENT/ENABLED
Persistent RTC and Memory - PRESENT/ENABLED

End Of Manufacturing
Post Manufacturing NVAR Config No
HW Binding Enabled
End of Manufacturing Enable Yes

Trusted Device Setup

Intel(R) Protected Audio Video Path
Keybox Not Provisioned
EPID Group ID 0x358E
Re-key needed False
PAVP State Yes

Security Version Numbers
Trusted Computing Base SVN 1
Minimum Allowed Anti Rollback SVN 1
Image Anti Rollback SVN 8

Intel(R) Platform Trust Technology -
Intel(R) PTT initial power-up state Enabled
Intel(R) PTT State Enabled

FW Supported FPFs
FPF UEP ME FW
*In Use
--- --- -----
EK Revoke State Not Revoked Not Revoked Not Revoked
Error Enforcement Policy 0 Enabled Enabled Enabled
Error Enforcement Policy 1 Enabled Enabled Enabled
Flash Descriptor Verification Disabled Disabled Disabled
Intel(R) PTT Enabled Enabled Enabled
OEM ID 0x00 0x00 0x00
OEM KM Present Enabled Enabled Enabled
OEM Platform ID 0x00 0x00 0x00
OEM Secure Boot Policy 0x79 0x79 0x79
CPU Debugging Enabled Enabled Enabled
BSP Initialization Enabled Enabled Enabled
Protect BIOS Environment Enabled Enabled Enabled
Measured Boot Enabled Enabled Enabled
Verified Boot Enabled Enabled Enabled
Key Manifest ID 0x01 0x01 0x01
Force Boot Guard ACM Enabled Enabled Enabled
PTT Lockout Override Counter 0x00 0x00 0x00
Persistent PRTC Backup Power Enabled Enabled Enabled
RPMC Rebinding Enabled Enabled Enabled
RPMC Support Enabled Enabled Enabled
SOC Config Lock State Enabled Disabled Enabled
SPI Boot Source Enabled Enabled Enabled
Txt Supported Disabled Disabled Disabled
 
ACM SVN 0x02 0x02 0x02
BSMM SVN 0x00 0x00 0x00
KM SVN 0x00 0x00 0x00
 

OEM Public Key Hash FPF 37CAAB25214DD80D5EAFB392F777D82CEA98F04A2897EDF87D53E486584BCD61
OEM Public Key Hash UEP 37CAAB25214DD80D5EAFB392F777D82CEA98F04A2897EDF87D53E486584BCD61
OEM Public Key Hash ME FW 37CAAB25214DD80D5EAFB392F777D82CEA98F04A2897EDF87D53E486584BCD61
 

 

Boot Guard :

Measured Boot Enabled Enabled Enabled
Verified Boot Enabled Enabled Enabled

Did you use the verbose option? …
Please use these commands and post the logs here (I think we cannot modify anything):

MEInfoWin.exe -verbose

MEinfoWin.exe -fwsts

Regards





fwsts output:

Intel (R) MEInfo Version: 14.1.53.1649
Copyright (C) 2005 - 2021, Intel Corporation. All rights reserved.
 
General FW Information
FW Status Register1: 0xA0000245
FW Status Register2: 0x86100106
FW Status Register3: 0x00000020
FW Status Register4: 0x00004000
FW Status Register5: 0x00001F01
FW Status Register6: 0x44400BC9
 
CurrentState: Normal
ManufacturingMode: Disabled
FlashPartition: Valid
OperationalState: CM0 with UMA
InitComplete: Complete
BUPLoadState: Success
ErrorCode: No Error
ModeOfOperation: Normal
SPI Flash Log: Not Present
Phase: Maestro
PhaseStatus: MAESTRO_CM0_ENTRY_COMPLETE_IDLE
ME File System Corrupted: No
FPF and ME Config Status: Committed
RPMC status: OK
 
 


verbose output


Intel (R) MEInfo Version: 14.1.53.1649
Copyright (C) 2005 - 2021, Intel Corporation. All rights reserved.
 

Windows OS Version : 10.0
 
LPC Device Id: 68D.
Platform: Cometlake Platform
General FW Information
FW Status Register1: 0xA0000245
FW Status Register2: 0x86100106
FW Status Register3: 0x00000020
FW Status Register4: 0x00004000
FW Status Register5: 0x00001F01
FW Status Register6: 0x44400BC9
 
CurrentState: Normal
ManufacturingMode: Disabled
FlashPartition: Valid
OperationalState: CM0 with UMA
InitComplete: Complete
BUPLoadState: Success
ErrorCode: No Error
ModeOfOperation: Normal
SPI Flash Log: Not Present
Phase: Maestro
PhaseStatus: MAESTRO_CM0_ENTRY_COMPLETE_IDLE
ME File System Corrupted: No
FPF and ME Config Status: Committed
RPMC status: OK
FW Capabilities value is 0x31119540
Feature enablement is 0x31119540
Platform type is 0x71000391

Platform Type Mobile
FW Type Production
Last ME Reset Reason Other
BIOS boot State Post Boot
Boot critical code redundancy Disabled
Current Boot Partition 1
Firmware Update OEM ID 68853622-EED3-4E83-8A86-6CDE315F6B78
TCSS FW partial update Disabled
Crypto HW Support Enabled
Integrated Sensor Hub Initial Power State Enabled
OEM Tag 0x00
FWUpdLcl Enabled
Capability Licensing Service State Enabled
TLS State Disabled
CSME Measured Boot to TPM Disabled

Intel(R) ME code versions:
BIOS Version 1.3.1
Vendor ID 8086
MEI Driver Version 2040.100.0.1029
FW Version 14.0.46.1431 H Consumer
LMS Version 2036.15.0.1832

IUPs Information
PMC FW Version 140.2.1.1011
OEM FW Version 0.0.0.0000
ISHC FW Version 0.0.0.0000
PCHC FW Version 14.0.0.7002

PCH Information
PCH Version 0
PCH Device ID 68D
PCH Step Data A0
PCH SKU Type Production PRQ Revenue
PCH Replacement State Disabled
PCH Replacement Counter 0
PCH Unlocked State Disabled

Flash Information
Storage Device Type SPI
SPI Flash ID 1 C84018
SPI Flash ID 2 Not Available
RPMC Replay Protection Supported
RPMC Replay Protection Bind Counter 1
RPMC Replay Protection Bind Status Post-bind
RPMC Replay Protection Rebind Supported
RPMC Replay Protection Max Rebind 15
Host Read Access to ME Enabled
Host Write Access to ME Disabled
Host Read Access to EC Disabled
Host Write Access to EC Disabled

FW Capabilities 0x31119540
Protect Audio Video Path - PRESENT/ENABLED
Intel(R) Dynamic Application Loader - PRESENT/ENABLED
Intel(R) Platform Trust Technology - PRESENT/ENABLED
Service Advertisement & Discovery - NOT PRESENT
Persistent RTC and Memory - PRESENT/ENABLED

End Of Manufacturing
Post Manufacturing NVAR Config No
HW Binding Enabled
End of Manufacturing Enable Yes

Trusted Device Setup

Intel(R) Protected Audio Video Path
Keybox Not Provisioned
EPID Group ID 0x358E
Re-key needed False
PAVP State Yes

Security Version Numbers
Trusted Computing Base SVN 1
Minimum Allowed Anti Rollback SVN 1
Image Anti Rollback SVN 8

Intel(R) Platform Trust Technology -
Intel(R) PTT initial power-up state Enabled
Intel(R) PTT State Enabled

FW Supported FPFs
FPF UEP ME FW
*In Use
--- --- -----
EK Revoke State Not Revoked Not Revoked Not Revoked # Not Revoked=0, Revoked=1
Error Enforcement Policy 0 Enabled Enabled Enabled # Disabled=0, Enabled=1
Error Enforcement Policy 1 Enabled Enabled Enabled # Disabled=0, Enabled=1
Flash Descriptor Verification Disabled Disabled Disabled # Disabled=0, Enabled=1
Intel(R) PTT Enabled Enabled Enabled # Disabled=0, Enabled=1
OEM ID 0x00 0x00 0x00
OEM KM Present Enabled Enabled Enabled # Disabled=0, Enabled=1
OEM Platform ID 0x00 0x00 0x00
OEM Secure Boot Policy 0x79 0x79 0x79
CPU Debugging Enabled Enabled Enabled # Enabled=0, Disabled=1
BSP Initialization Enabled Enabled Enabled # Enabled=0, Disabled=1
Protect BIOS Environment Enabled Enabled Enabled # Disabled=0, Enabled=1
Measured Boot Enabled Enabled Enabled # Disabled=0, Enabled=1
Verified Boot Enabled Enabled Enabled # Disabled=0, Enabled=1
Key Manifest ID 0x01 0x01 0x01
Force Boot Guard ACM Enabled Enabled Enabled # Disabled=0, Enabled=1
PTT Lockout Override Counter 0x00 0x00 0x00
Persistent PRTC Backup Power Enabled Enabled Enabled # Enabled=0, Disabled=1
RPMC Rebinding Enabled Enabled Enabled # Disabled=0, Enabled=1
RPMC Support Enabled Enabled Enabled # Disabled=0, Enabled=1
SOC Config Lock State Enabled Disabled Enabled # Disabled=0, Enabled=1
SPI Boot Source Enabled Enabled Enabled # Enabled=0, Disabled=1
Txt Supported Disabled Disabled Disabled # Disabled=0, Enabled=1
 
ACM SVN 0x02 0x02 0x02
BSMM SVN 0x00 0x00 0x00
KM SVN 0x00 0x00 0x00
 

OEM Public Key Hash FPF 37CAAB25214DD80D5EAFB392F777D82CEA98F04A2897EDF87D53E486584BCD61
OEM Public Key Hash UEP 37CAAB25214DD80D5EAFB392F777D82CEA98F04A2897EDF87D53E486584BCD61
OEM Public Key Hash ME FW 37CAAB25214DD80D5EAFB392F777D82CEA98F04A2897EDF87D53E486584BCD61
 

 

Hi friend,
in both ME log …

FPF and ME Config Status: Committed

and

Protect BIOS Environment Enabled Enabled Enabled # Disabled=0, Enabled=1
Measured Boot Enabled Enabled Enabled # Disabled=0, Enabled=1
Verified Boot Enabled Enabled Enabled # Disabled=0, Enabled=1

We cannot modify a single byte in this firmware, otherwise you will definitively brick your laptop and would have to change the chipset PCH …
I am sorry :frowning:
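
Added example (not part of the original posts and not Intel's or the poster's code): a Python parser that pulls the fields this reply relies on out of an MEInfo log and lists FPF rows whose FPF/UEP/ME FW columns disagree. The sample log is constructed from lines posted in this thread; the function and key names are illustrative assumptions.

```python
import re

# Constructed sample: lines copied from the MEInfo -verbose log in this thread.
SAMPLE_LOG = """\
FPF and ME Config Status: Committed
FW Supported FPFs
FPF UEP ME FW
EK Revoke State Not Revoked Not Revoked Not Revoked # Not Revoked=0, Revoked=1
Flash Descriptor Verification Disabled Disabled Disabled # Disabled=0, Enabled=1
OEM Secure Boot Policy 0x79 0x79 0x79
Protect BIOS Environment Enabled Enabled Enabled # Disabled=0, Enabled=1
Measured Boot Enabled Enabled Enabled # Disabled=0, Enabled=1
Verified Boot Enabled Enabled Enabled # Disabled=0, Enabled=1
SOC Config Lock State Enabled Disabled Enabled # Disabled=0, Enabled=1
"""

VALUE = r"(Not Revoked|Revoked|Enabled|Disabled|0x[0-9A-Fa-f]+)"
# A table row is a free-text name followed by exactly three values (FPF, UEP, ME FW).
ROW = re.compile(rf"^(?P<name>.+?)\s+{VALUE}\s+{VALUE}\s+{VALUE}$")

def parse_meinfo(text):
    """Return (config_status, {row_name: {"FPF": v, "UEP": v, "ME FW": v}})."""
    status, rows = None, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop the "# Disabled=0, ..." legend
        if line.startswith("FPF and ME Config Status:"):
            status = line.split(":", 1)[1].strip()
            continue
        m = ROW.match(line)
        if m:
            rows[m["name"]] = dict(zip(("FPF", "UEP", "ME FW"), m.groups()[1:]))
    return status, rows

def assess(text):
    """Summarise the checks quoted in the reply above."""
    status, rows = parse_meinfo(text)
    fused = lambda name: rows.get(name, {}).get("FPF") == "Enabled"
    committed = status == "Committed"
    return {
        "fuses_committed": committed,
        "verified_boot": fused("Verified Boot"),
        "measured_boot": fused("Measured Boot"),
        # The thread's conclusion: committed fuses plus these two settings.
        "locked": committed and fused("Verified Boot") and fused("Protect BIOS Environment"),
        # Rows where the three columns are not identical deserve a manual look.
        "column_mismatch": sorted(n for n, v in rows.items() if len(set(v.values())) > 1),
    }

if __name__ == "__main__":
    for key, value in assess(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```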

This is sad news :frowning: Would it be possible with a hardware flasher or would it brick too?


Thanks for looking into it :slight_smile:



@BDMaster May I ask if you have any clue about my question? :slight_smile:

Hi friend, you can only modify the NVRAM variables to unlock or modify some settings; this will not cause a brick, as they are only in EEPROM protected RAM, and clearing CMOS or reflashing a stock BIOS will delete them.
I hope to have replied to your question.

Look here :

https://nstarke.github.io/0037-modifying…ing-ru-efi.html

About the settings , i have to extract the EFI IFR from your bios Module :

https://www.mediafire.com/file/hcsj091g3…8CAC21.rar/file

Look into this file and find which ones you want to modify and I will help you to make …
Regards



Thanks for the reply

I have extracted a few for fun


0x29B66 One Of: Primary Display, VarStoreInfo (VarOffset/VarName): 0x4C3, VarStore: 0x1, QuestionId: 0x330, Size: 1, Min: 0x0, Max 0x4, Step: 0x0 {05 91 AA 07 AB 07 30 03 01 00 C3 04 10 10 00 04 00}
0x29B77 One Of Option: Auto, Value (8 bit): 0x3 {09 07 2E 06 00 00 03}
0x29B7E One Of Option: IGFX, Value (8 bit): 0x0 {09 07 AC 07 00 00 00}
0x29B85 One Of Option: PEG, Value (8 bit): 0x1 {09 07 AD 07 00 00 01}
0x29B8C One Of Option: PCIE, Value (8 bit): 0x2 {09 07 E1 09 00 00 02}
0x29B93 One Of Option: SG, Value (8 bit): 0x4 (default) {09 07 AE 07 30 00 04}
0x29B9A End One Of {29 02}
 

 

0x29BAA One Of: Primary Display, VarStoreInfo (VarOffset/VarName): 0x4C3, VarStore: 0x1, QuestionId: 0x331, Size: 1, Min: 0x0, Max 0x4, Step: 0x0 {05 91 AA 07 AB 07 31 03 01 00 C3 04 10 10 00 04 00}
0x29BBB One Of Option: Auto, Value (8 bit): 0x3 {09 07 2E 06 00 00 03}
0x29BC2 One Of Option: IGFX, Value (8 bit): 0x0 {09 07 AC 07 00 00 00}
0x29BC9 One Of Option: PCIE, Value (8 bit): 0x2 {09 07 E1 09 00 00 02}
0x29BD0 One Of Option: SG, Value (8 bit): 0x4 (default) {09 07 AE 07 30 00 04}
0x29BD7 End One Of {29 02}
 
0x29E15 One Of: DVMT Pre-Allocated, VarStoreInfo (VarOffset/VarName): 0x49F, VarStore: 0x1, QuestionId: 0x27B9, Size: 1, Min: 0x1, Max 0xFE, Step: 0x0 {05 91 6F 07 92 07 B9 27 01 00 9F 04 14 10 01 FE 00}
0x29E26 One Of Option: 32M, Value (8 bit): 0x1 {09 07 70 07 00 00 01}
0x29E2D One Of Option: 64M, Value (8 bit): 0x2 (default) {09 07 71 07 30 00 02}
0x29E34 One Of Option: 96M, Value (8 bit): 0x3 {09 07 72 07 00 00 03}
0x29E3B One Of Option: 128M, Value (8 bit): 0x4 {09 07 73 07 00 00 04}
0x29E42 One Of Option: 160M, Value (8 bit): 0x5 {09 07 74 07 00 00 05}
0x29E49 One Of Option: 192M, Value (8 bit): 0x6 {09 07 75 07 00 00 06}
0x29E50 One Of Option: 224M, Value (8 bit): 0x7 {09 07 76 07 00 00 07}
0x29E57 One Of Option: 256M, Value (8 bit): 0x8 {09 07 77 07 00 00 08}
 
0x29F16 One Of: DVMT Total Gfx Mem, VarStoreInfo (VarOffset/VarName): 0x4A0, VarStore: 0x1, QuestionId: 0x339, Size: 1, Min: 0x1, Max 0x3, Step: 0x0 {05 91 93 07 94 07 39 03 01 00 A0 04 10 10 01 03 00}
0x29F27 One Of Option: 128M, Value (8 bit): 0x1 {09 07 95 07 00 00 01}
0x29F2E One Of Option: 256M, Value (8 bit): 0x2 (default) {09 07 96 07 30 00 02}
0x29F35 One Of Option: MAX, Value (8 bit): 0x3 {09 07 97 07 00 00 03}
 
 


If I understand properly, if I were to change "DVMT Pre-Allocated" to 256M, I would edit the value of offset 0x49F to 0x8. Is that correct ?

I have a few questions:

1. How can I tell what is the 'current' value.
2. Is there a way to unlock hidden menu from this?
3. Is there a way to change one of the 3 video ports: Mini DP, HDMI or Type-C (Thunderbolt) to use Internal Graphics (IGPU / Intel)
4. If I screw up, can I fix without opening/disassembling the laptop

Primary Display, VarStoreInfo (VarOffset/VarName): 0x4C3,
DVMT Pre-Allocated, VarStoreInfo (VarOffset/VarName): 0x49F
DVMT Total Gfx Mem, VarStoreInfo (VarOffset/VarName): 0x4A0

the variables are these

0x4C3
0x49F
0x4A0

You can change values by RU shell :

https://nstarke.github.io/0037-modifying…ing-ru-efi.html

https://casualhacking.io/blog/2019/6/2/d…-s-hardware-cpu

https://ruexe.blogspot.com/

Choose the GUID and get the variables, then change the values

ie for this 0x4C3 you can have these values :

0x00
0x01
0x02
0x04

One Of Option: Auto, Value (8 bit): 0x3 {09 07 2E 06 00 00 03}

0x29B7E One Of Option: IGFX, Value (8 bit): 0x0 {09 07 AC 07 00 00 00}
0x29B85 One Of Option: PEG, Value (8 bit): 0x1 {09 07 AD 07 00 00 01}
0x29B8C One Of Option: PCIE, Value (8 bit): 0x2 {09 07 E1 09 00 00 02}
0x29B93 One Of Option: SG, Value (8 bit): 0x4 (default) {09 07 AE 07 30 00 04}

So you can write into the NVRAM variable any of these values and not others !!!

And so on …

let me know
Regards
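
Added example (not part of the original posts): a Python check that parses "One Of" entries from an IFR text extract like the one above and accepts a proposed value for a VarOffset only if it is one of the listed options. The sample lines are abridged from this thread with the trailing opcode bytes omitted; function names are illustrative assumptions.

```python
import re

# Constructed sample: lines abridged from the IFR extract posted in this thread
# (the trailing {..} opcode bytes are omitted; the parser does not need them).
IFR_TEXT = """\
0x29B66 One Of: Primary Display, VarStoreInfo (VarOffset/VarName): 0x4C3, VarStore: 0x1, QuestionId: 0x330, Size: 1, Min: 0x0, Max 0x4, Step: 0x0
0x29B77 One Of Option: Auto, Value (8 bit): 0x3
0x29B7E One Of Option: IGFX, Value (8 bit): 0x0
0x29B85 One Of Option: PEG, Value (8 bit): 0x1
0x29B8C One Of Option: PCIE, Value (8 bit): 0x2
0x29B93 One Of Option: SG, Value (8 bit): 0x4 (default)
0x29B9A End One Of
0x29E15 One Of: DVMT Pre-Allocated, VarStoreInfo (VarOffset/VarName): 0x49F, VarStore: 0x1, QuestionId: 0x27B9, Size: 1, Min: 0x1, Max 0xFE, Step: 0x0
0x29E2D One Of Option: 64M, Value (8 bit): 0x2 (default)
0x29E57 One Of Option: 256M, Value (8 bit): 0x8
"""

HEX = r"0x[0-9A-Fa-f]+"
QUESTION = re.compile(rf"One Of: (?P<name>.+?), VarStoreInfo \(VarOffset/VarName\): "
                      rf"(?P<off>{HEX}), VarStore: (?P<store>{HEX}), QuestionId: {HEX}, Size: (?P<size>\d+)")
OPTION = re.compile(rf"One Of Option: (?P<label>.+?), Value \(\d+ bit\): "
                    rf"(?P<val>{HEX})(?P<default> \(default\))?")

def parse_one_of(text):
    """Return a list of questions, each with its offset and {value: label} options."""
    questions, current = [], None
    for line in text.splitlines():
        if (m := QUESTION.search(line)):
            current = {"name": m["name"], "offset": int(m["off"], 16),
                       "varstore": int(m["store"], 16), "size": int(m["size"]),
                       "options": {}, "default": None}
            questions.append(current)
        elif (m := OPTION.search(line)) and current is not None:
            value = int(m["val"], 16)
            current["options"][value] = m["label"]
            if m["default"]:
                current["default"] = value
        elif "End One Of" in line:
            current = None
    return questions

def check_write(questions, offset, value):
    """Return (ok, detail) for a proposed write of `value` at `offset`."""
    hits = [q for q in questions if q["offset"] == offset]
    if not hits:
        return False, f"no parsed question uses offset {offset:#x}"
    for q in hits:  # the same offset can be described by more than one question
        if value in q["options"]:
            return True, f"{q['name']} = {q['options'][value]}"
    allowed = sorted({v for q in hits for v in q["options"]})
    return False, f"{value:#x} not listed for {hits[0]['name']}; allowed: {[hex(v) for v in allowed]}"

if __name__ == "__main__":
    qs = parse_one_of(IFR_TEXT)
    print(check_write(qs, 0x49F, 0x8))
    print(check_write(qs, 0x4C3, 0x5))
```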

@BDMaster Still interested in case you have time to answer me :slight_smile:

Let me know if it’s a bad habit to bump the thread like this



Sorry I had not noticed I was answered on another page :stuck_out_tongue:

Do you have answers for these 4 other questions?

I have a few questions:

1. How can I tell what is the ‘current’ value.
2. Is there a way to unlock hidden menu from this?
3. Is there a way to change one of the 3 video ports: Mini DP, HDMI or Type-C (Thunderbolt) to use Internal Graphics (IGPU / Intel)
4. If I screw up, can I fix without opening/disassembling the laptop