[Request] Unlocked BIOS for Lenovo Legion T7-34IMZ5

So close yet so far :frowning: let me see if I can revert back to an older bios version

Couldn’t revert back to the old BIOS. I found this topic [TOOL] Lenovo (H20) Bios Unlocker and Locker. Don’t know if this could work out. —> NO.
Other than that I guess I’m out of options.

Since I’m still learning any feedback is always welcome!

Another update. After hours of searching the forums I came to the conclusion that I indeed only have the option left to use an SPI programmer as @Sweet_Kitten suggested.

With only four days of knowledge I find the risk of bricking using an SPI programmer too high. The amount of people bricked their BIOS (chip) with several warnings included is most likely due to lack of knowledge.

Overclocking memory speeds and tweaking some other settings is for me not worth the risk (at this moment) and I encourage everyone to think twice before taking next steps.

So that means I firstly will take more time to learn about modding. That said, I especially would like to thank @Sweet_Kitten for the effort!



Hello KewellH. Did a search for Legion T7 XMP BIOS unlock and found this forum and thread.

Like you, I’m trying to figure out a way to unlock the advanced BIOS for T7-34IMZ5. It seems you got stumped at trying to revert back to old BIOS? I have previous versions of BIOS dating back to last June 2021 and have messed around with reverting back to different BIOS versions. In order to revert back to previous BIOS versions, you have to go into the BIOS and disable "Secure Roll Back Prevention" and set it to "NO". Hope this helps in some way.

Oh, this is too bad. It looks like Lenovo added a system to prevent unauthorized changing of variables. There is nothing to be done about this without hardware BIOS flashing tools. Since disabling the protection mechanism involves modifying BIOS, it creates a circle. Last time I’ve seen this on HP device and only on it, but the tendency is expanding.





Sweet Kitten, thanks for help and work you have done thus far.

Can the BIOS/UEFI "Secure Boot" setting be the variable or culprit?

---------

What is Secure Boot?

Secure Boot is one feature of the latest Unified Extensible Firmware Interface (UEFI) 2.3.1 specification (Errata C). The feature defines an entirely new interface between operating system and firmware/BIOS.

When enabled and fully configured, Secure Boot helps a computer resist attacks and infection from malware. Secure Boot detects tampering with boot loaders, key operating system files, and unauthorized option ROMs by validating their digital signatures. Detections are blocked from running before they can attack or infect the system.

How does Secure Boot work?

Secure Boot works like a security gate. Code with valid credentials gets through the gate and executes. However, Secure Boot blocks at the gate and rejects a code that has bad credentials, or no credential.

Hi,
Can you maybe extract they key combo used to acces that part of the bios?Or do they use a dongle of somekind? There is a way to boot a bios from usb, but that was very limited ( see my post on biosmod). I’m still leaning these things, sorry if make no sense :slight_smile: gr



Hi @KewellH , would you be so kind yo upload a BIOS dump for your T7-34IMZ5 again, please. It seems that this file is deleted. Thank you very much!!!

@Sweet_Kitten Hello, after browsing and learning from this post and others, I attempted to dump my BIOS and modify it using ru.efi, but ultimately I failed and would like to seek your help.

Basic Information:
My PC is a Legion Ren9000k 34IAZ, which is essentially the same series as the Legion T7-34IMZ5 from the post above, just sold in different regions.

The BIOS version is O5HKT2DA. You can see that the BIOS versions for the 34IAZ and T7-34IAZ7 are the same from the following two webpages:

This BIOS version already has some advanced menus enabled, such as the option to enable XMP. The BIOS update history is described in the second link.

My Needs: I have enabled XMP in the BIOS, and it works fine, but I also want to use XTU/Throttlestop for undervolting and overclocking. I can overclock, but I cannot undervolt due to the undervolt protection. So, I want to disable the undervolt protection.

What I Have Done:

Here is the BIOS I dumped.

Initially, I tried using SREP, but neither of the configuration files from the following two links worked:

Using UEFITool, I found that the “Undervolt Protection” option is hidden by the following logic:

Suppress If: {0A 82}
Variable 0x285C equals 0x0 {12 86 5C 28 00 00}
Variable 0x1293 equals 0x0 {12 06 93 12 00 00}
Or {16 02}
End {29 02}
Setting: UnderVolt Protection, Variable: 0x381 {05 91 CB 1D CC 1D EF 0E 02 00 81 03 10 10 00 01 00}
Option: Disabled, Value: 0x0 {09 07 04 00 00 00 00}
Option: Enabled, Value: 0x1 {09 07 03 00 30 00 01}

Through RU.EFI, I attempted to modify the CPUSetUp entry 0x381 to 0, but I received the error 0x00000008, indicating EFI_WRITE_PROTECTED.

I also had another idea to modify the “Suppress” condition to display the “Undervolt Protection” option:

Suppress If 0x285C = FF OR 0x1293 = FF

But I didn’t have any advanced guidance on how to do this.

Then I returned to SREP, tried to understand how it works, and with guidance from GPT, I learned how to create a CFG file. I replaced the "Suppress If" starting instruction with NOP, but still no effect:

Op Loaded
Setup
Op Patch
Pattern
0A 82 12 86 5C 28 00 00 12 06 93 12 00 00 16 02 29 02
00 00 12 86 5C 28 00 00 12 06 93 12 00 00 16 02 29 02
Op End
Op LoadFromFV
SetupUtilityApp
Op Exec

Based on previous SREP usage experiences, when the process runs successfully, it forces entry into the BIOS interface. According to my understanding and reviewing the SREP log files, it seems I couldn’t find the SetupUtilityApp.

Even after reviewing each part of the BIOS with UEFITool, I didn’t have enough knowledge or capability to identify the BIOS startup program for this version.

So, I basically failed completely.

It’s fine. You’ve tried your best. 3 years back I failed too.
Sadly, I haven’t made any progress on this request since then. Nothing has changed except me being now able to communicate in english better. A solution to the request is still yet to be found.

Here are the main showstoppers If you are trying to access more advanced part of the bios, or change variables without rewriting the memory chip completely.

  1. Specific nvram stores are protected.
  2. intel flash tool is locked by software policy.
  3. The runtime patcher is not effective for AMI (even if you find the startup program).

This is not the single case I supervised where bios is so secure. I tried plenty of things before ending up with feeling that everything was useless.

IMO, all that’s left is to do device disassembly and write memory chip directly.
If bios is boot guard protected, your options are limited to changing setup defaults.

Thank you very much for your suggestion! In that case, I’ll buy a non-disassembly programmer to give it a try. It’s very cheap, and I hope I won’t end up damaging my motherboard, haha!