[Request] Unlocked Gigabyte Aorus 17 XE4 BIOS

Hello everyone, I’m very new to BIOS modding and I need help unlocking my BIOS.

It’s an Aorus 17 XE4, AMI Aptio v2.22.1284, on Intel 12th gen 12700H. I tried to follow the easier path of finding the setup file using UEFI Tool, then create a map using IFR Extract, but the PE32 image whatsoever, just to make sure, I generated the report from UEFI Tool, converted it to CSV and sorted it by size, this is what I got:

The largest PE32 image is a TlsDxe Driver, which is around 1MB and 478 KB in size, which is far less than what I’m (probably) searching for. The other contender I sorted from this list was LzmaCustomDecompressGuid, but I tried everything in my power to decompress it and I couldn’t, from Python code to extracting it via UEFI Tool then trying to open it separately, so I gave up on finding the Setup PE32 image at all.

I then noticed that there’s an NVAR entry with Setup and PchSetup in the Text, named EfiSetupVariableGuid and 4570B7F1-ADE8-4943-8DC3-406472842384 respectively.

So I tried to follow what the user BDMaster is referring to in Forum, which is editing the 0x17 and the 0x6DD of my PchSetup. I extracted the NVAR entry from UEFI Tool, then opened it in HxD, copied the entire HEX, and opened my unmodified BIOS in HxD and used the HEX from PchSetup to search for the pattern and could finally locate PchSetup inside the BIOS’s Hex view. I found that 0x17 was already set to 0, so I skipped and changed 0x6DD to 00.

I then went ahead and used “fptw64.exe” on my laptop. First I ran “fptw64.exe -I” and it didn’t return an error, then I backed up my BIOS using “fptw64.exe -bios -d bios_backup.bin” and saved it securely, then when I tried to write my 1-flipped-bit modified using “fptw64.exe -bios -f BIOS_MODIFIED.bin” and it didn’t work, it returned the error “Protected Range Registers are currently set by BIOS, preventing flash access…..”

Up to this point I have no idea what I’m doing, I was just tinkering with the tools I downloaded and trying to follow internet guides to try and unlock my BIOS, I know I probably did something wrong or maybe actively editing something completely unrelated to my goal of unlocking the advanced features such as voltages and such, but yeah I’m very new to this and trying to learn.

Please let me know if it’s feasible to unlock this BIOS through software, or do I have to buy an SPI Programmer and an SOIC8 clip necessarily. I see multiple sources noting to RU shell, but I didn’t fully understand what exactly am I supposed to do with it, how to use, or if it’s the right tool for the job. I would appreciate even a hint to what path I should rather follow.

If you read this far, thank you :) !

Edit by Fernando: Thread title shortened

Hi back everyone,

Well, I have a big update. It turns out I was making a really dumb mistake this whole time, which explains all the walls I was hitting. I feel a bit silly, but I guess this is all part of being new to this and learning.

I was trying to do all my analysis on the .rom file I extracted from the Gigabyte .exe file. It seems like that file is packed or compressed in a special way, which is why I could never find the real setup PE32 image, and why that LzmaCustomDecompressGuid file was impossible to open.

On a hunch, I tried opening my bios_backup.bin (the one I made with fptw64) in UEFITool instead…

…and what do you know, the real setup PE32 image was right there, plain as day.

I extracted it, ran IFR Extract on it, and it worked. I finally have the complete setup_map.txt!

This makes so much more sense now. I was trying to analyze the “shipping box” instead of the actual “product” inside. It looks like the fptw64 dump is the only real, raw file to work with.

I’m going to start digging through this map right now to find the actual offsets for BIOS Lock (since 0x17 was already 00 in my dump) and all the advanced settings I was looking for.

I think I’m finally on the right track now. Thank you for reading, and I’ll let you know what I find! (or if I hit another wall, which is more probable :[ )