Unlocking Aptio V Hidden Menus in Asus UX461FN Help Request

Hi all!

Been trying to unlock the BIOS UEFI for my Asus Zenbook Flip 14 UX461FN for a few weeks now to no avail. I’m no expert but have been a long time lurker on the forum, and followed the guides here written by @Fernando and @CodeRush among others as well as played with many of the tools used and recommended here (AMIBCP, MMTool, EUFITool, EUFI BIOS Updater, etc).

Can anyone please help me unlock the hidden menus of my device? Specifically, I’m also trying to ascertain if the board has any CSM legacy support on it as well as I have found it virtually impossible to boot from USB, CD, etc unless its a Windows reinstall. From what I’ve read on different forums Asus has really started to lock down all their boards unless they’re ROG branded, which is a major pain for people like me.

I’ve attached the stock BIOS file from the Asus website and the dump file from the AMI toolset. Can anyone please help?

UX461FNAS205.zip (5.47 MB)

w64_AFUBAK5.zip (3.65 MB)

@vdubble05 - If you can boot to windows install on USB/CD, then you can boot to USB/CD, you just need to hit the boot menu hotkey at startup or change boot order temporarily.

Please check your ME FW Version either on main page of the BIOS, or with HWInfo64 on large window, on the left, in motherboard section, expand and find ME Firmware version.
Then let me know so I can link you to ME System Tools package so you can give me FPT dump instead of AFU. Please also include a zip of BIOS images, showing all current main sections (Main, Advanced, Security, Boot, Save and Exit etc)

Wow, that BIOS is unusual, may not be able to help with anything, I can’t even find a setup module in there!
I do not find CSM, so I doubt it’s there

@Lost_N_BIOS - Thank you for your help on this. Yes, the BIOS is very unusual indeed - and I’ve tested numerous bootable USB sticks and only a Windows installation media will successfully boot, even with the Boot Order, Fast Boot and Secure Boot turned off (there is no CSM or otherwise legacy option that can be enabled from what I cam tell). It really is the weirdest thing.

I’ve included the snapshots of the BIOS screens and the HWiNFO ME FW as requested. I’d love to be able to own this BIOS but it is beyond my skill to do so alone, thank you for helping me.

HWiNFO ME Version.zip (140 KB)

BIOS Help1.zip (3.21 MB)

BIOS Help2.zip (4.51 MB)

@vdubble05 Maybe, since UEFI default, you need GPT bootable DOS or EFI Shell etc if you want to boot to USB. Thanks for all the info, I will look into this again for you tonight and see if I can figure anything out.

@Lost_N_BIOS Thank you again for all your help on this! I have tried a GPT bootable DOS USB and CD, creating a Parted Magic stick using Rufus (GPT/No CSM), but it failed to boot. At most I would get a black screen with a white cursor in the center of the screen, and unfortunately I couldn’t get any input to take (space bar, hitting enter, escape, etc). The same thing would happen if I created a boot stick using Unetbootin, and I couldn’t get the Samsung Secure Erase utility to boot either.

I’ve never encountered anything like this, which is so unlike Asus to lock down a motherboard so tightly. The only USB that would take is a Windows 10 install media stick. I will play around with launching an EFI Shell, but that is new to me.

Thank you again!!!

@vdubble05 - You’re welcome! Please download V12 Intel ME System Tools package from this page in section “C” - Intel Management Engine: Drivers, Firmware & System Tools
Inside you will find Flash Programming Tool folder, and inside that a win32 folder, select that win32 folder and then hold shift and press right click, choose Open Command Window here. Then type the following command and zip the created file and upload here
FPTw.exe -bios -d biosreg.bin

While you are in there, do the same as above with MEInfo folder, select Win32 folder inside there and then run >> MEInfoWin and post image of the bottom of the output, here we’re checking if you see Measure Boot and Verified Boot enabled on the FPF/Left side
If it is, then you cannot modify this BIOS at all or it will brick, due to Boot Guard enabled, and it looks like it’s probably enabled and setup correctly based on some things I see in the BIOS itself.

I see Launch EFI Shell from file system on your exit page, so this means you can at least boot to Shell.efi or grub etc. Put a shell file on root of USB FAT32 formatted drive, disable secure boot mode and then on the exit page select that entry and click enter.
You first need to select/hover that setting on the exit page, and then look at the help/text, it should give you exact name of the file it will be looking for (Like boot to shellx64.efi, or boot.efi etc) - never mind, I found in your BIOS, for this system the file must be named Shell.efi

Here’s a general guide on using grub via this process, most of this does not apply to what you want, just read intro about settings required, and then skip through until you see the booting/BIOS setting/selection process
[GUIDE] Grub Fix Intel FPT Error 368 - BIOS Lock Asus/Other Mod BIOS Flash

@Lost_N_BIOS Sorry for the delay on this, and thank you again for all the help you’ve been giving me. I ran both applications as you requested and the outputs are attached in the .zip files. I did see in the MEInfoWin output that Measure Boot and Verified Boot are enabled, is this a show stopper or is there any possible way to disable the lock? I’m willing to run the risk of bricking the machine to beat the locks.

I have not had the chance to play with the Shell.efi to see if that would enable me to boot from USB on the system, but plan on messing around with it tonight. I will let you know what happens.

Thank you again for helping me on this!

biosreg file.zip (3.65 MB)

MEInfoWin Output.zip (1.51 KB)

@vdubble05 - no problem on a delay, I’m often behind anyway Thanks for the files, since Measured boot and Verified boot are enabled on the FPF side, we need to check if ME side is setup correctly to enable Boot Guard, please wait for reply from @CodeRush and Plutomaniac since I am not 100% sure on this one
Yes, you can boot to Shell/grub, and you will need to do that if we end up modifying your BIOS. BIOS Lock is enabled, but I still can’t find a way to get IFR output from the setup module to give you variable to unlock it, but may not matter if reply to below is not good.

Plutomaniac - Measured and Verified Boot enabled at FPF side, but in ME Boot Guard Config =0, no platform integrity section, however there is key set at Hash Key Config For BootGuard ISH
ME File is here taken from the stock BIOS and edited to open properly in FITc - http://s000.tinyupload.com/index.php?fil…619664711669760

What the downloaded SPI/CSME firmware from the OEM says does not matter, only what was flashed initially before closing manufacturing mode. You can see from the MEInfo report that FPF is set so the settings are already fused.

Thank you @plutomaniac and @Lost_N_BIOS for your help on this. Are there any other potential options to unlock this BIOS?

@Lost_N_BIOS I have not been able to boot from the shell.efi. I have confirmed that Secure Boot is disabled in the BIOS but every time I try to boot from the Boot Menu or from the shell.efi prompt in the Exit screen of the BIOS I get the attached screen that appears. Oddly, it does not result in a return to the BIOS as others who have had these issues have mentioned in previous forum posts. I have used USB 2.0 and 3.0 sticks and tried all the USB ports on the system just in case some weird anomaly occurred that would allow for success. The only USB I have tested that actually will boot from USB is the Windows 10 install media. Trying to use Samsung Secure Erase also fails to boot.

I’ve also used the shell.efi file from the above recommended post and put it in both the root of the USB that has the PartedMagic image as well as the EFI/boot folder with no luck. Is there anything else I can try to unlock this BIOS?

I don’t think I’ve every been this frustrated with a new computer before - all I want to do is Secure Erase the SSD and install a fresh copy of Windows 10 to get rid of the bloatware.

EDIT: Forgot to post this: https://forum.level1techs.com/t/asus-uef…ir-to-it/126344. Wasn’t sure if there may be some clues for those more knowledgeable with firmware than I am to find a solution to this problem.

Boot from Boot Menu.jpg

Boot from shell.efi.jpg

plutomaniac thanks, I knew that, but wanted you to check the ME side via FITc, or does it always mean that if FPF is set then ME side is always going to be set correctly? If yes, then how can you tell this, since this ME has no platform integrity section/entry?

Do the SE on another system (Desktop, older preferred if you have, like P45-Z68 maybe), then install Win10 again and you’re done, you’re making this too hard on yourself, unless you don’t have a desktop system?
And really, if you are not selling this drive, there is no need to SE it, format and do your clean install, TRIM will take care of resetting any empty or unused cells anyway, SE for no reason will just waste an erase/reset cycle across the cells.

On the Shell.efi, did you format the drive to FAT32? That link says they had success booting to shell.efi, but by going to the exit or boot screen and choosing USB by name/size
They mentioned UEFI USB etc, so you may need to create GPT USB instead of MBR/FAT32, but I would try FAT32 first and select that on this screen instead of UEFI USB.
This same thing can be done on reboot too, choose boot menu and then pick the USB stick

The CSME side never matters after the first FPF commit and that includes the current dumped firmware, the one from the OEM website downloaded SPI image etc. Think of it like that:

1. FPF not set
2. OEM configures CSME and ends manufacturing the first time
3. FPF set, permanent
4. OEM/User re-flashes the SPI with different CSME configuration and (re)-ends manufacturing
5. Nothing changes since FPF is permanently set from first commit

The only way to know the actual state of FPF is to use MEInfo. Everything else is unreliable and hypothetical.

I think you’re right and banging my head against a brick wall just isn’t worth it. I have done what the article suggested but have still had no luck booting from the shell.efi, so I won’t even worry about the SE piece, although I did find it odd that there appeared to be a built in function for this in the dump file.

Just have lost a lot of respect for Asus with them suddenly locking down their BIOS’.

plutomaniac Yes I get all that, but on the ME side, it’s not always set correctly, so even if FPF set correctly for it to be enabled, that doesn’t always mean it’s enabled, correct? Or am I understanding that aspect incorrectly, and once FPF set, no matter what is set in ME side it’s still enabled?
We did check MEinfo, measure and verified boot enabled, but then I see no integrity section in ME side

@vdubble05 - It can be done, the link you provided proves that since that guy did it at the end of that thread. if you cannot boot to shell.efi the normal way, use this method I outlined here and be sure to pay attention to all the comments I made, and look at all the images.
[Help needed] Hidden Advanced menu Bios HP Z1 J52_0274.BIN (2)

Try that with MBR FAT32 partition, and then try again with a GPT partition instead.

The CSME settings don’t have to match because the FPF is always respected, if set. The normal thing is for them to match because the OEM flashed a CSME with the FPF configuration they want and then close manufacturing mode to permanently set it. The system then leaves the factory. Maybe in some cases they need to rework the rest of the CSME settings and just leave the FPF ones to stock, or at least at different values compared to actual/first-time-committed FPF, because they know these cannot be re-committed and that’s why you see differences sometimes.

plutomaniac Thank you! I was not aware of that, and though it all had to be setup correctly no matter what, if one was off/wrong/not set then it couldn’t work. I didn’t know once FPF set then it’s enabled no matter what.

@vdubble05 - due to this, bootguard is enabled, so only certain things within the BIOS may be changed, and BIOS mod would fail in many instances, so not safe for you to test mod BIOS without a programmer and SOIC8 test clip cable in hand to recover if needed.
Often I’ve seen grub settings change be OK though, so if you can get that working you’ll be able to make some changes.