Hi!
You’ve been doing this since March! Really?!
Dump your vars: H2OUVE.exe -gv vars.txt
H20UVE_100.00.9.2.zip
It’s to unlock PRR.
Thanks Sweet Kitten, thank you very much
PS C:\Users\timou\Desktop\H2OUVE_100.0.9.2\H2OUVE> .\H2OUVE.exe -gv vars.txt
Insyde H2OUVE (UEFI Variable Editor) Version 100, 0, 9, 2
Copyright (c) 2012- 2013, Insyde Software Corp. All Rights Reserved.
Read current ROM start !
Reading Block at FFB07000
Read ROM Complete
Successful generate variable data to "vars.txt"
PS C:\Users\timou\Desktop\H2OUVE_100.0.9.2\H2OUVE> type .\vars.txt
https://uploadfiles.net/cot/vars.txt
thanks in advance …
Well, now set your new variable data: H2OUVE.exe -sv varsNEW.txt
After that I need your BIOS saved by Intel Flash Programming Tool (simply run READ.bat), and then I’ll make a mod for you.
Just don’t reset BIOS settings until you flash it, PRR must be kept disabled.
Thanks you rock solid …
What do you mean by PRR?
That I understood after changing vars with new ones: I don’t change settings in the BIOS nor reset them until the BIOS mod flashing …
+------------------------------------------------------------------------+
Read current ROM start !
Reading Block at FFB07000
Read ROM Complete
"PK" {8BE4DF61-93CA-11D2-AA0D-00E098032B8C} - authenticate variable, not allowed to update
"KEK" {8BE4DF61-93CA-11D2-AA0D-00E098032B8C} - authenticate variable, not allowed to update
"db" {D719B2CB-3D3A-4596-A3BC-DAD00E67656F} - authenticate variable, not allowed to update
"AuthVarKeyDatabase" {AAF32C78-947B-439A-A180-2E144EC37792} - authenticate variable, not allowed to update
"certdb" {59D1C24F-50F1-401A-B101-F33E0DAED443} - authenticate variable, not allowed to update
"CurrentPolicy" {77FA9ABD-0359-4D32-BD60-28F4E78F784B} - authenticate variable, not allowed to update
"FUB" {1DD54778-F3EA-11E0-AF9A-84914824019B} - write variable success
"AdministerSecureBoot" {59D1C24F-50F1-401A-B101-F33E0DAED443} - write variable success
"Tcg2PhysicalPresenceFlags" {AEB9C5C1-94F1-4D02-BFD9-4602DB2D3C54} - write variable success
"Tcg2PhysicalPresence" {AEB9C5C1-94F1-4D02-BFD9-4602DB2D3C54} - write variable success
"MTC" {EB704011-1402-11D3-8E77-00A0C969723B} - write variable success
"AcpiGlobalVariable" {C020489E-6DB2-4EF2-9AA5-CA06FC11D36A} - write variable success
"Lang" {8BE4DF61-93CA-11D2-AA0D-00E098032B8C} - write variable success
"PlatformLang" {8BE4DF61-93CA-11D2-AA0D-00E098032B8C} - write variable success
"SPLC" {92DAAF2F-C02B-455B-B2EC-F5A3594F4AEA} - write variable success
"WAND" {92DAAF2F-C02B-455B-B2EC-F5A3594F4AEA} - write variable success
"WRDD" {92DAAF2F-C02B-455B-B2EC-F5A3594F4AEA} - write variable success
"WRDS" {92DAAF2F-C02B-455B-B2EC-F5A3594F4AEA} - write variable success
"BRDS" {42780DD5-9A7D-404C-80E4-7F7094360394} - write variable success
"EWRD" {92DAAF2F-C02B-455B-B2EC-F5A3594F4AEA} - write variable success
"WGDS" {92DAAF2F-C02B-455B-B2EC-F5A3594F4AEA} - write variable success
"SADS" {92DAAF2F-C02B-455B-B2EC-F5A3594F4AEA} - write variable success
"SADS" {42780DD5-9A7D-404C-80E4-7F7094360394} - write variable success
"GPC" {92DAAF2F-C02B-455B-B2EC-F5A3594F4AEA} - write variable success
"GPC" {42780DD5-9A7D-404C-80E4-7F7094360394} - write variable success
"BiosGuardStatus" {9C57C6E2-4C78-42D9-9051-96B9D80C9C92} - write variable success
"MemoryConfig" {C94F8C4D-9B9A-45FE-8A55-238B67302643} - EFI_VARIABLE_RUNTIME_ACCESS is not set, not allowed to update (Variable Attribute=0x3)
"PttCapability" {5432122D-D034-49D2-A6DE-65A829EB4C74} - write variable success
"FirstBootAfterFlash" {59D1C24F-50F1-401A-B101-F33E0DAED443} - write variable success
"WdtPersistentData" {78CE2354-CFBC-4643-AEBA-07A27FA892BF} - EFI_VARIABLE_RUNTIME_ACCESS is not set, not allowed to update (Variable Attribute=0x3)
"SaPegData" {B414CAF8-8225-4D6F-B918-CDE5CB84CF0B} - EFI_VARIABLE_RUNTIME_ACCESS is not set, not allowed to update (Variable Attribute=0x3)
"ACFB" {89CB0E8D-393C-4830-BFFF-65D9147E8C3B} - write variable success
"LSHLoadDefault" {F0A30BC7-AF08-4556-99C4-001009C93849} - write variable success
"CpuSetupSgxEpochData" {B08F97FF-E6E8-4193-A997-5E9E9B0ADB32} - EFI_VARIABLE_RUNTIME_ACCESS is not set, not allowed to update (Variable Attribute=0x3)
"SgxSetupVariable" {45B5ACB9-0359-49BE-ADB1-49377BD607F7} - write variable success
"CustomPlatformLang" {59D1C24F-50F1-401A-B101-F33E0DAED443} - write variable success
"Custom" {A04A27F4-DF00-4D42-B552-39511302113D} - write variable success
"Custom" {EC87D643-EBA4-4BB5-A1E5-3F3E36B20DA9} - write variable success
"Custom" {72C5E28C-7783-43A1-8767-FAD73FCCAFA4} - write variable success
"Custom" {5432122D-D034-49D2-A6DE-65A829EB4C74} - write variable success
"Custom" {B08F97FF-E6E8-4193-A997-5E9E9B0ADB32} - write variable success
"Custom" {4570B7F1-ADE8-4943-8DC3-406472842384} - write variable success
"MeSetupStorageCustom" {5432122D-D034-49D2-A6DE-65A829EB4C74} - write variable success
"SetupCpuFeatures" {EC87D643-EBA4-4BB5-A1E5-3F3E36B20DA9} - write variable success
"ASTM" {89CB0E8D-393C-4830-BFFF-65D9147E8C3B} - write variable success
"ABRV" {89CB0E8D-393C-4830-BFFF-65D9147E8C3B} - write variable success
"UsbTypeC" {FC876842-D8F0-4844-AE32-1FF843797B17} - EFI_VARIABLE_RUNTIME_ACCESS is not set, not allowed to update (Variable Attribute=0x3)
"SetPcrBanks" {8376BDCA-5E03-4735-951A-4A74141E5886} - write variable success
"EPCBIOS" {C60AA7F6-E8D6-4956-8BA1-FE26298F5E87} - write variable success
"SinitSvnSetup" {ACDC5EEE-9014-4DA4-820F-D43B78010EC3} - EFI_VARIABLE_RUNTIME_ACCESS is not set, not allowed to update (Variable Attribute=0x3)
"Setup" {EC87D643-EBA4-4BB5-A1E5-3F3E36B20DA9} - write variable success
"TrEEPhysicalPresence" {F24643C2-C622-494E-8A0D-4632579C2D5B} - write variable success
"TrEEPhysicalPresenceFlags" {F24643C2-C622-494E-8A0D-4632579C2D5B} - write variable success
"A01LastSataPortPresent" {89CB0E8D-393C-4830-BFFF-65D9147E8C3B} - write variable success
"ConIn" {8BE4DF61-93CA-11D2-AA0D-00E098032B8C} - write variable success
"SwitchableGraphicsVariable" {B2B7C21F-1786-4A64-BE69-16CEF7647331} - write variable success
"ConOut" {8BE4DF61-93CA-11D2-AA0D-00E098032B8C} - write variable success
"SMAA" {89CB0E8D-393C-4830-BFFF-65D9147E8C3B} - write variable success
"SMAB" {89CB0E8D-393C-4830-BFFF-65D9147E8C3B} - write variable success
"SMAC" {89CB0E8D-393C-4830-BFFF-65D9147E8C3B} - write variable success
"AHPL" {89CB0E8D-393C-4830-BFFF-65D9147E8C3B} - write variable success
"Boot2001" {8BE4DF61-93CA-11D2-AA0D-00E098032B8C} - write variable success
"Boot2002" {8BE4DF61-93CA-11D2-AA0D-00E098032B8C} - write variable success
"Boot2003" {8BE4DF61-93CA-11D2-AA0D-00E098032B8C} - write variable success
"BootDevice" {0A4CD120-EA2D-4AEF-A4B0-B0C08CBBDBBE} - write variable success
"AEBT" {89CB0E8D-393C-4830-BFFF-65D9147E8C3B} - write variable success
"ACFT" {89CB0E8D-393C-4830-BFFF-65D9147E8C3B} - write variable success
"VarErrorFlag" {04B37FE8-F6AE-480B-BDD5-37D98C5E89AA} - write variable success
"MeSetup" {5432122D-D034-49D2-A6DE-65A829EB4C74} - write variable success
"LastEnumLang" {0E8C545B-A2EE-470D-8E26-BDA1A13C0AA3} - EFI_VARIABLE_RUNTIME_ACCESS is not set, not allowed to update (Variable Attribute=0x3)
"MeSetupStorage" {5432122D-D034-49D2-A6DE-65A829EB4C74} - write variable success
"RestoreFactoryDefault" {59D1C24F-50F1-401A-B101-F33E0DAED443} - authenticate variable, not allowed to update
"SetupMode" {8BE4DF61-93CA-11D2-AA0D-00E098032B8C} - authenticate variable, not allowed to update
"CustomSecurity" {59D1C24F-50F1-401A-B101-F33E0DAED443} - authenticate variable, not allowed to update
"ACUB" {89CB0E8D-393C-4830-BFFF-65D9147E8C3B} - write variable success
"FirmwarePerformance" {C095791A-3001-47B2-80C9-EAC7319F2FA4} - EFI_VARIABLE_RUNTIME_ACCESS is not set, not allowed to update (Variable Attribute=0x3)
"HSTI_RESULTS" {8732B833-5367-422C-A77D-99E5B51039A8} - EFI_VARIABLE_RUNTIME_ACCESS is not set, not allowed to update (Variable Attribute=0x3)
"FullReset" {59D1C24F-50F1-401A-B101-F33E0DAED443} - write variable success
"S3MemVariable" {973218B9-1697-432A-8B34-4884B5DFB359} - write variable success
"UnlockID" {EAEC226F-C9A3-477A-A826-DDC716CDC0E3} - EFI_VARIABLE_RUNTIME_ACCESS is not set, not allowed to update (Variable Attribute=0x3)
"UnlockIDCopy" {EAEC226F-C9A3-477A-A826-DDC716CDC0E3} - write variable success
"Boot0002" {8BE4DF61-93CA-11D2-AA0D-00E098032B8C} - write variable success
"WBMN" {89CB0E8D-393C-4830-BFFF-65D9147E8C3B} - write variable success
"WBSN" {89CB0E8D-393C-4830-BFFF-65D9147E8C3B} - write variable success
"OfflineUniqueIDEKPub" {EAEC226F-C9A3-477A-A826-DDC716CDC0E3} - write variable success
"OfflineUniqueIDEKPubCRC" {EAEC226F-C9A3-477A-A826-DDC716CDC0E3} - write variable success
"PBRDevicePath" {A9B5F8D2-CB6D-42C2-BC01-B5FFAAE4335E} - write variable success
"Timeout" {8BE4DF61-93CA-11D2-AA0D-00E098032B8C} - write variable success
"dbx" {D719B2CB-3D3A-4596-A3BC-DAD00E67656F} - authenticate variable, not allowed to update
"PhysicalBootOrder" {59D1C24F-50F1-401A-B101-F33E0DAED443} - write variable success
"AEBO" {89CB0E8D-393C-4830-BFFF-65D9147E8C3B} - write variable success
"AUPS" {89CB0E8D-393C-4830-BFFF-65D9147E8C3B} - write variable success
"SecureBootEnforce" {59D1C24F-50F1-401A-B101-F33E0DAED443} - authenticate variable, not allowed to update
"SecureBoot" {8BE4DF61-93CA-11D2-AA0D-00E098032B8C} - authenticate variable, not allowed to update
"WBOP" {89CB0E8D-393C-4830-BFFF-65D9147E8C3B} - write variable success
"WindowsBootChainSvn" {77FA9ABD-0359-4D32-BD60-28F4E78F784B} - EFI_VARIABLE_RUNTIME_ACCESS is not set, not allowed to update (Variable Attribute=0x3)
"BootingDeviceTypeInfo" {77FA9ABD-0359-4D32-BD60-28F4E78F784B} - EFI_VARIABLE_RUNTIME_ACCESS is not set, not allowed to update (Variable Attribute=0x3)
"Kernel_Lsa_Ppl_Config" {77FA9ABD-0359-4D32-BD60-28F4E78F784B} - write variable success
"CurrentActivePolicy" {77FA9ABD-0359-4D32-BD60-28F4E78F784B} - EFI_VARIABLE_RUNTIME_ACCESS is not set, not allowed to update (Variable Attribute=0x3)
"BootDebugPolicyApplied" {77FA9ABD-0359-4D32-BD60-28F4E78F784B} - EFI_VARIABLE_RUNTIME_ACCESS is not set, not allowed to update (Variable Attribute=0x3)
"VsmLocalKey2" {77FA9ABD-0359-4D32-BD60-28F4E78F784B} - EFI_VARIABLE_RUNTIME_ACCESS is not set, not allowed to update (Variable Attribute=0x3)
"MemoryOverwriteRequestControlLock" {BB983CCF-151D-40E1-A07B-4A17BE168292} - write variable success
"SecureFlashInfo" {382AF2BB-FFFF-ABCD-AAEE-CCE099338877} - write variable success
"CpuSetup" {B08F97FF-E6E8-4193-A997-5E9E9B0ADB32} - write variable success
"SaSetup" {72C5E28C-7783-43A1-8767-FAD73FCCAFA4} - write variable success
"RstOptaneConfig" {4DA4F952-2516-4D06-8975-65036403A8C7} - write variable success
"PchSetup" {4570B7F1-ADE8-4943-8DC3-406472842384} - write variable success
"Setup" {A04A27F4-DF00-4D42-B552-39511302113D} - write variable success
"AACV" {89CB0E8D-393C-4830-BFFF-65D9147E8C3B} - write variable success
"TargetHddDevPath" {59D1C24F-50F1-401A-B101-F33E0DAED443} - write variable success
"PlatformConfigurationChange" {E3CACF62-3062-4E1D-978E-46807AB9747D} - EFI_VARIABLE_RUNTIME_ACCESS is not set, not allowed to update (Variable Attribute=0x3)
"ASSN" {89CB0E8D-393C-4830-BFFF-65D9147E8C3B} - write variable success
"BootOrder" {8BE4DF61-93CA-11D2-AA0D-00E098032B8C} - write variable success
"AFBD" {89CB0E8D-393C-4830-BFFF-65D9147E8C3B} - write variable success
"WBOA" {89CB0E8D-393C-4830-BFFF-65D9147E8C3B} - write variable success
"MemoryOverwriteRequestControl" {E20939BE-32D4-41BE-A150-897F85D49829} - write variable success
Flash completed
Successful save variable from ".\varsNEW.txt" to rom
PS C:\Users\timou\Desktop\H2OUVE_100.0.9.2\H2OUVE>
+------------------------------------------------------------------------+
done
ok executing your batch script
@echo off
fptw64 -bios -d biosreg.bin
pause
+------------------------------------------------------------------------+
Can you confirm to do this in CLI under Windows, because I use PowerShell; there are some risks, @lostinbios said to me?!
Can you confirm …
PS is not active with these calls only CLI commands-like …
PS C:\Users\timou\Desktop\H2OUVE_100.0.9.2> .\FPTW64.exe -bios -d biosreg.bin
Intel (R) Flash Programming Tool Version: 12.0.49.1536
Copyright (C) 2005 - 2019, Intel Corporation. All rights reserved.
Reading HSFSTS register... Flash Descriptor: Valid
--- Flash Devices Found ---
W25Q128FV ID:0xEF4018 Size: 16384KB (131072Kb)
- Reading Flash [0x1000000] 11264KB of 11264KB - 100 percent complete.
Writing flash contents to file "biosreg.bin"...
Memory Dump Complete
FPT Operation Successful.
HERE IT IS thanks !!!
https://www.sendspace.com/file/zlp7b2
"PCHSetup" written successfully. Everything went ok.
Flash Protect Range Registers. This is what blocks the ability to flash through iFPT (error 167).
In case of incompatibility, the tool just wouldn’t work with PowerShell, but it does.
I’ll send you unlocked bios when I get home. Don’t expect it next couple of hours.
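The three result strings in the H2OUVE -sv output quoted earlier in this thread correspond to different UEFI variable protections, and the sketch below sorts the lines by them and reports whether PchSetup, the store the thread ties to BIOS Lock and FPRR, accepted a write from the running OS. It is an added Python example, not part of any post and not H2OUVE code; the function names and the default watch list are assumptions, and the sample lines are a subset copied from that output.

```python
import re
from collections import defaultdict

# UEFI variable attribute bits (low three bits of the attribute mask).
ATTR_BITS = {0x1: "NON_VOLATILE", 0x2: "BOOTSERVICE_ACCESS", 0x4: "RUNTIME_ACCESS"}

# Subset of the H2OUVE -sv result lines quoted in this thread.
SAMPLE_LOG = '''\
"PK" {8BE4DF61-93CA-11D2-AA0D-00E098032B8C} - authenticate variable, not allowed to update
"dbx" {D719B2CB-3D3A-4596-A3BC-DAD00E67656F} - authenticate variable, not allowed to update
"SecureBoot" {8BE4DF61-93CA-11D2-AA0D-00E098032B8C} - authenticate variable, not allowed to update
"MemoryConfig" {C94F8C4D-9B9A-45FE-8A55-238B67302643} - EFI_VARIABLE_RUNTIME_ACCESS is not set, not allowed to update (Variable Attribute=0x3)
"HSTI_RESULTS" {8732B833-5367-422C-A77D-99E5B51039A8} - EFI_VARIABLE_RUNTIME_ACCESS is not set, not allowed to update (Variable Attribute=0x3)
"BiosGuardStatus" {9C57C6E2-4C78-42D9-9051-96B9D80C9C92} - write variable success
"PchSetup" {4570B7F1-ADE8-4943-8DC3-406472842384} - write variable success
"BootOrder" {8BE4DF61-93CA-11D2-AA0D-00E098032B8C} - write variable success
'''

# Forum software sometimes turns the straight quotes into typographic ones,
# so the pattern accepts both.
LINE_RE = re.compile(
    r'^["\u201c\u201d](?P<name>[^"\u201c\u201d]+)["\u201c\u201d]\s+'
    r'\{(?P<guid>[0-9A-Fa-f-]{36})\}\s+-\s+(?P<result>.+)$')
ATTR_RE = re.compile(r'Variable Attribute=0x([0-9A-Fa-f]+)')


def decode_attrs(mask):
    """Names of the attribute bits set in a mask such as 0x3 or 0x7."""
    return [name for bit, name in ATTR_BITS.items() if mask & bit]


def classify(result):
    """Map the tool's result text to one of three protection outcomes."""
    if "write variable success" in result:
        return "written"
    if result.startswith("authenticate variable"):
        return "authenticated"       # rejected: needs a signed update
    if "EFI_VARIABLE_RUNTIME_ACCESS is not set" in result:
        return "no_runtime_access"   # rejected: not reachable after boot
    return "unrecognised"


def parse_log(text):
    """One record per result line; banner and progress lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        attr = ATTR_RE.search(m["result"])
        records.append({
            "name": m["name"],
            "guid": m["guid"].upper(),
            "status": classify(m["result"]),
            "attrs": decode_attrs(int(attr.group(1), 16)) if attr else None,
        })
    return records


def summarise(records):
    """Group variable names by outcome."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["status"]].append(rec["name"])
    return dict(groups)


def written_from_watchlist(records, watchlist=("PchSetup",)):
    """Watch-listed stores that accepted an OS-level write (assumed list)."""
    return sorted({r["name"] for r in records
                   if r["status"] == "written" and r["name"] in watchlist})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for status, names in summarise(recs).items():
        print(f"{status:18} {', '.join(names)}")
    print("security-relevant stores written:", written_from_watchlist(recs))
```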
Take your time buddy: really appreciate your work, and can you please give me the list of the tools you use to do that please, I want to learn to DIY …
Maybe you’ve already heard of them. It’s UEFITool OE, some IFRExtractor fork, any interactive disassembler and, of course, hex editor. That’s all.
I’ve completed a bios mod for you. DOWNLOAD, run "FLASH.bat"; if it doesn’t work, please repeat setting variables and try again.
ok will do tomorrow, thanks mate, really appreciate your help …
you have learned by yourself Sweet kitten ?!
@kitty : PPR not unlocked, can’t be flashed
PS C:\Users\timou\Desktop\Nouveau dossier> .\FPTW64.exe -bios -f .\biosreg.bin
Intel (R) Flash Programming Tool Version: 12.0.49.1536
Copyright (C) 2005 - 2019, Intel Corporation. All rights reserved.
Reading HSFSTS register... Flash Descriptor: Valid
--- Flash Devices Found ---
W25Q128FV ID:0xEF4018 Size: 16384KB (131072Kb)
Error 167: Protected Range Registers are currently set by BIOS, preventing flash access.
Please contact the target system BIOS vendor for an option to disable
Protected Range Registers.
FPT Operation Failed.
PS C:\Users\timou\Desktop\Nouveau dossier>
So I rechecked via H2OUVE and pushed your Vars Mod one more time, checked PCHsetup is ok and restarted the flashing operation …
And registers are locked …
Maybe I can help you, friend. “Little Kitten” is on many forums to help users and maybe will come back quickly.
But I can make it too …
We have to unlock your EEPROM write checks and then make a BIOS backup with Fptw.exe.
All Bioses have one or more Write checks :
SMM/SMI/BIOS Lock, nor FPRR/PRR/Protected/Range
RTC Lock
BIOS Lock
Flash Protection Range Registers
SPD Write Disable
BIOS Guard
Flash Wear Out Protection
CFG Lock
Me FW Image Re-Flash
MC Lock
Local FW Update
The toughest one is FLOCKDN, as it’s in binary code in a BIOS module, usually BiosRegionLockDxe (GUID - BC05DC37-9DA0-4050-9728-F34DDB01E200).
It’s possible to check them with the Linux tool Chipsec, or with RWAnything on Windows.
How to bypass them? For many of them it’s as easy as modifying NVRAM variables (the area called VarStore / VSS): we can set that setting to 0x00 and then it’s possible to flash the BIOS.
Tools to make this work ? EFI shell, RU Shell, H2OUVE, SCE (AMI bios), etc
There is also a method to unlock ME temporarily called PinMod (described by the GREAT CodeRush): just reset 2 pins on the audio chip and get FD descriptors and ME disabled, just the pedestrian way of shorting pins 1 and 5 on the audio chip. A utility (WinTest.exe) to reflash the firmware was also discovered that does the same thing; after a reboot ME is disabled … but afterwards there are many issues to resolve about ME, and after that the audio chip is out of order. This method is called a “fool style update”, used on Lenovo Y-700.
The simplest and first vulnerability discovered was the S3, alias Sleep Bug: this bug is exploited after the hibernate state of the laptop; we get the same thing and it’s possible to reflash the BIOS region with Fpt.
I made an excursus to explain what all modders and more users made so far, discovering all these tricks …
Here Little Kitten uses H2OUVE to edit VarStore variables and rewrite them back by that Intel tool (AMD is penalized and many times it needs to use an SPI programmer)
He unlocked FPRR and made it possible to use Fpt.
In this Bios we have 2 checks (from EFI IFR txt) :
0xBFC59 Suppress If: {0A 82}
0xBFC5B Variable 0x7E equals value in list (0x1) {14 08 7E 00 01 00 01 00}
0xBFC63 Setting: BIOS Lock, Variable: 0x17 {05 91 CD 06 CE 06 12 0A 05 00 17 00 10 10 00 01 00}
0xBFC74 Option: Disabled, Value: 0x0 {09 07 04 00 00 00 00}
0xBFC7B Option: Enabled, Value: 0x1 {09 07 03 00 30 00 01}
0xBFC82 End of Options {29 02}
0xBFC84 End If {29 02}
0xB372B Setting: Flash Protection Range Registers (FPRR), Variable: 0x6D1 {05 91 7A 0D 7B 0D 0F 05 05 00 D1 06 10 10 00 01 00}
0xB373C Option: Disabled, Value: 0x0 {09 07 04 00 00 00 00}
0xB3743 Option: Enabled, Value: 0x1 {09 07 03 00 30 00 01}
0xB374A End of Options {29 02}
Bios lock Variable: 0x17
Flash Protection Range Registers (FPRR) Variable: 0x6D1
They are on GUID: 4570B7F1-ADE8-4943-8DC3-406472842384 = PchSetup (always from EFI IFR txt is possible to discover it)
So we have to find in this GUID and into VSS>>NVRAM to discover and patch them … Lost_N_BIOS (the GREAT modder here) shown as …
This is my note … Search for PchSetup and you’ll find this … VarStore
Using UEFITool you get the GUID - Unicode text “PchSetup” in VSS store/4570B7F1-ADE8-4943-8DC3-406472842384 at header-offset 3Ch
Into EFI IFR txt you get
0x99AE7 Var Store: 0x5[1633] (PchSetup) {24 1F F1 B7 70 45 E8 AD 43 49 8D C3 40 64 72 84 23 84 05 00 61 06 50 63 68 53 65 74 75 70 00}
GUID: F1 B7 70 45 E8 AD 43 49 - 8D C3 40 64 72 84 23 84 to 45 70 B7 F1 AD E8 49 43 (little endian) - 8D C3 40 64 72 84 23 84 (big endian)
GUID: 4570B7F1-ADE8-4943-8DC3-406472842384
Then find everywhere this GUID is and change the variable value from 0x01 to 0x00 … as we said at the start there are many methods, but EFI shell works only on Setup GUID: FE3542FE-C1D3-4EF8-657C-8048606FF670, so for this modification RU shell or UVE is better, as we are on GUID: 4570B7F1-ADE8-4943-8DC3-406472842384 = PchSetup.
Regards
P.S. if it doesn’t need to share knowledge, say to me and I will not write again, but Lost_N_BIOS made many times …
For my part: for sure LostinBios did the trick only with only a Vars.txt file and the bios mod same size as yours Kitty BTW, but definitely no need for a dll with FPTW … I saw these are dynamic libraries for Intel software but I haven’t seen it yet, 1st time for me …
EFI shell, RU Shell no way already tried this not working for unlock register with LOst
---------------------------------------------------------------------------------------------------------------------
The simply and first vulnerability discovered was the S3 alias Sleep Bug, this bug exploit after the “hibernate state of laptop, we get the same thing and it’s possible to reflash the bios Region by Fpt.”
---------------------
Will check all the protections with chipsec : Intel has reinforced the settings since last BIOS …
I saw a lot of people complaining they can’t even undervolt their laptop anymore after Intel mods …
I know chipsec will do; I have to audit my system anyway before and after flashing the ROM to ensure the kindness on the internet of the people …
Thanks for your help : i appreciate thanks for your PM mate also
but so much work today be not available to look for these resources before days …
but will look for it …
for your knowledge : https://www.youtube.com/watch?v=ryKy9LvmSIs
https://www.youtube.com/watch?v=nyW3eTobXAI&t=584s
S3sleep RESUME is a nasty way to hack a PC also …
Best way to install Lo()jack also
Bypass all protection and hack into Hypervisor enclaves …
Regards Saltin …
I didn’t understand the result of modify isn’t good or you have write the modify …
Eeprom is been result unlocked to use Fpt backup or not ?
Let me know , please as it seems that you got the mod and then no.
Regards
I can explain the full procedure and take a moment to try something, but it will be useful to come back to version 1.08 which Lost_N_BIOS unlocked FPRR …
We have to try to reflash the old version, before all.
I have to see into platform.ini if it’s possible.
01. Dump your vars: H2OUVE.exe -gv vars.txt
02. Write your new vars : H2OUVE.exe -sv varsMod.txt
03. Dump your bios backup : fptw64 -d biosreg.bin -bios
04. Write your bios mod : fptw64 -f biosreg.bin -bios
To find the flash locks we have to extract the BIOS module FE3542FE-C1D3-4EF8-657C-8048606FF670 SetupUtility and then the IFR, so we will find
(PchSetup) {24 1F - F1 B7 70 45 E8 AD 43 49 8D C3 40 64 72 84 23 84 - 05 00 E2 06 50 63 68 53 65 74 75 70 00}
0xA4477 VarStore: VarStoreId: 0x5 [4570B7F1-ADE8-4943-8DC3-406472842384], Size: 0x6E2,
Name: PchSetup {24 1F F1 B7 70 45 E8 AD 43 49 8D C3 40 64 72 84 23 84 05 00 E2 06 50 63 68 53 65 74 75 70 00}
GUID : F1 B7 70 45 E8 AD 43 49 - 8D C3 40 64 72 84 23 84 >> 45 70 B7 F1 AD E8 49 43 (little endian) - 8D C3 40 64 72 84 23 84 (big endian) >>
PCH-Setup GUID: 4570B7F1-ADE8-4943-8DC3-406472842384
0xBFC59 Suppress If: {0A 82}
0xBFC5B Variable 0x7E equals value in list (0x1) {14 08 7E 00 01 00 01 00}
0xBFC63 Setting: BIOS Lock, Variable: 0x17 {05 91 CD 06 CE 06 12 0A 05 00 17 00 10 10 00 01 00}
0xBFC74 Option: Disabled, Value: 0x0 {09 07 04 00 00 00 00}
0xBFC7B Option: Enabled, Value: 0x1 {09 07 03 00 30 00 01}
0xBFC82 End of Options {29 02}
0xBFC84 End If {29 02}
0xB372B Setting: Flash Protection Range Registers (FPRR), Variable: 0x6D1 {05 91 7A 0D 7B 0D 0F 05 05 00 D1 06 10 10 00 01 00}
0xB373C Option: Disabled, Value: 0x0 {09 07 04 00 00 00 00}
0xB3743 Option: Enabled, Value: 0x1 {09 07 03 00 30 00 01}
0xB374A End of Options {29 02}
Then in “vars.txt” we can find the GUID 4570B7F1-ADE8-4943-8DC3-406472842384 and see where to make the modifications …
[06B] PchSetup
GUID: 4570B7F1-ADE8-4943-8DC3-406472842384
Attributes: 0x7
DataSize: 0x6E2
Data:
[02A] Custom
GUID: 4570B7F1-ADE8-4943-8DC3-406472842384
Attributes: 0x7
DataSize: 0x6E2
Data:
Variables BIOS Lock 0x17
>> 01 to 00
          00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000010: 01 01 02 03 00 00 01 01 00 00 01 01 00 01 00 FF
Variables FPRR 0x6D1
>> 01 to 00
          00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
000006D0: 00 01 00 00 00 00 00 00 01 01 01 00 00 00 00 00
To prepare the BIOS mod we have to modify not only the SetupUtility module (FE3542FE-C1D3-4EF8-657C-8048606FF670 SetupUtility), but all the other ones which have the settings to lock the flash program.
So we have to find in the BIOS modules the hex strings “Bios Lock” and “FPRR” which we get from vars.txt and which represent the actual NVRAM (VSS / VarStore) situation.
UEFI Tool NE 0.58 is our friend and it permits checking many things before modifying firmware.
First of all you can extract all GUID module names (under File → Export Discovered GUIDs); you will find all GUIDs and names.
Then we can test and check the effects of H2OUVE or EFI shell or RU shell, etc. modifications: if the variables we had to change are changed, then we will not find any of the strings I mentioned above.
Variables BIOS Lock 0x17
010102030000010100000101000100FF
Variables FPRR 0x6D1
00010000000000000101010000000000
So after the H2OUVE command we request its backup or a BIOS backup (Fptw.exe), and we can look for these hex patterns in the BIOS modules.
This is to get the BIOS flashable, but we have to unlock it totally, so we can reflash many times, and to do that we have to check if there are other hex bytes locking, finding these strings and changing values in every module (VSS/NVRAM Store) - FFF12B8D-7696-4C8B-A985-2747075B4F50, Padding etc
Then if we have a Firmware Dump (all eeprom) we have to continue to modify Descriptors FD , there are two types look here :
[Guide] Unlock Intel Flash Descriptor Read/Write Access Permissions for SPI Servicing
In this bios is second type, so continue, you can do with HexEditor HxD.
Then modify the FE3542FE-C1D3-4EF8-657C-8048606FF670 SetupUtility module changing these bytes :
Bios version 1.12 Adv Pwr Mod :
Form Sets
--------------------------------------------------------------------------------
Offset: Title:
--------------------------------------------------------------------------------
0xA3C04 Advanced (0x1645 from string package 0x4)
0xC64D4 Power (0x16CD from string package 0x4)
0xD6384 Security (0x2F from string package 0x4)
0xD7CC4 Information (0xFF from string package 0x4)
0xD8EC4 Main (0x3 from string package 0x4)
0xDA624 Advanced (0x100 from string package 0x4)
0xDC2B4 Security (0x2F from string package 0x4)
0xDDA84 Boot (0x4F from string package 0x4)
0xDED24 Exit (0x89 from string package 0x4)
09EA : 74 38 to 74 00
0A22 : 75 1D to EB 1D
It depends on the BIOS version and the above module needs to be extracted and edited with a hex editor (we use IDA Pro to disassemble code and HxD to edit);
also, use Donovan6k’s tool “Universal IFR Extractor” to extract EFI opcodes in a human-readable version, find all GUIDs and variables to modify and choose a way to do it …
Again with the HxD editor, edit the SetupModule for the IFR edit and save; at last you can repack into the BIOS with UEFI Tool 0.28 …
To modify all modules they need to be extracted first and then replaced, so use UEFI Tool NE 058 to explore and extract modules (GUIDs) as body and use UEFI Tool 028 to replace modules (GUIDs) as body …
I will continue, maybe
Regards
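Both posts that quote the PchSetup VarStore opcode decode its GUID by hand and then point at offsets 0x17 and 0x6D1 in vars.txt. The Python below is an added example (not from the thread or from any tool named in it) that parses the quoted opcode bytes and hex rows and reports what a dump says about the two settings, checking each offset against the store size first; the function names are assumptions.

```python
import uuid

# EFI_IFR_VARSTORE opcodes (opcode 0x24) exactly as quoted in the two posts.
VARSTORE_POST_1 = ("24 1F F1 B7 70 45 E8 AD 43 49 8D C3 40 64 72 84 23 84 "
                   "05 00 61 06 50 63 68 53 65 74 75 70 00")
VARSTORE_POST_2 = ("24 1F F1 B7 70 45 E8 AD 43 49 8D C3 40 64 72 84 23 84 "
                   "05 00 E2 06 50 63 68 53 65 74 75 70 00")

# PchSetup rows quoted from vars.txt (values before any change was made).
VARS_ROWS = """\
00000010: 01 01 02 03 00 00 01 01 00 00 01 01 00 01 00 FF
000006D0: 00 01 00 00 00 00 00 00 01 01 01 00 00 00 00 00
"""

# Setting offsets inside PchSetup, as given by the IFR listing in the thread.
SETTINGS = {"BIOS Lock": 0x17, "FPRR": 0x6D1}


def parse_varstore(hex_bytes):
    """Decode one EFI_IFR_VARSTORE opcode into GUID, id, size and name."""
    raw = bytes.fromhex(hex_bytes)
    opcode, length = raw[0], raw[1] & 0x7F  # bit 7 of byte 1 is the scope flag
    if opcode != 0x24 or length != len(raw):
        raise ValueError("not a complete EFI_IFR_VARSTORE opcode")
    return {
        # EFI_GUID stores its first three fields little-endian; bytes_le
        # applies exactly the swap the posts carry out by hand.
        "guid": str(uuid.UUID(bytes_le=raw[2:18])).upper(),
        "id": int.from_bytes(raw[18:20], "little"),
        "size": int.from_bytes(raw[20:22], "little"),
        "name": raw[22:].split(b"\x00", 1)[0].decode("ascii"),
    }


def parse_rows(text):
    """Map absolute offset -> byte for every 'OFFSET: b0 b1 ...' row."""
    data = {}
    for line in text.splitlines():
        base, sep, rest = line.partition(":")
        if not sep:
            continue
        start = int(base.strip(), 16)
        for i, value in enumerate(bytes.fromhex(rest)):
            data[start + i] = value
    return data


def lock_state(store, data, settings=SETTINGS):
    """Report each setting, refusing offsets that lie outside the store."""
    report = {}
    for label, offset in settings.items():
        if offset >= store["size"]:
            report[label] = "offset outside store"
        elif offset not in data:
            report[label] = "not present in dump"
        else:
            report[label] = {0: "Disabled", 1: "Enabled"}.get(
                data[offset], "unexpected 0x%02X" % data[offset])
    return report


if __name__ == "__main__":
    rows = parse_rows(VARS_ROWS)
    for text in (VARSTORE_POST_1, VARSTORE_POST_2):
        store = parse_varstore(text)
        print(store, lock_state(store, rows))
```

The first quoted opcode declares a 0x661-byte store, so 0x6D1 cannot be an offset into it; only the second opcode's 0x6E2 size, which matches DataSize in vars.txt, contains both settings.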
I was stuck on that page lol. Will do now