All the values in the latest bios (1.10) seem to be good (every option that's nice to have is enabled), except that, for me, UEFI boot isn't working.
Also, VSS modding doesn't seem to stick unless I change the value in both the Setup and the Custom variable, so I just did this with a hex editor (ACER doesn't have checksums on uncompressed VSS volumes). However, this requires a bios DUMP for each laptop, and then that to be modified. Instead, I like modifying the SetupUtility PE (well, actually the HII forms UEFI bytecode inside of its data section). This gives permanent option unlocking (just change the Suppress If statement to check some bogus variable for some bogus values).
You will need Python 2.6.x or 2.5.x installed and in your PATH for this to work; also copy the lzmadec.dll to its dll dir.
First, we need the SetupUtility PE out of the bios, so do this:
Code:
python main.py PEW71110.fd
Then, we analyze the UEFI forms bytecode in this PE:
Code:
python dumpsetup2.py dataSetupUtility-mine.pe > bytecode.txt
The HIIPACK header consists of 6 bytes: [UINT32 SIZE, UINT16 TYPE], so place the cursor at the offset, check intel little endian mode in your hex editor, and interpret the int of size. The UEFI bytecode is located in the area right after the 6 byte header, defined by size. You can see a list of opcodes inside dumpsetup2.py, for more information about an opcode you can just google it, and then follow the link to the Phoenix Wiki. Or consult the Intel EFI pdf that has definitions for most of them.
So, I wanted to expose the advanced boot options like UEFI BOOT, FAST BOOT, etc. I found the string in bytecode.txt, found the form package they're in ("Reading form 'Boot'=7f120"), and see why they're not displaying ("Suppress If LIST [0x85<1>] in (0x00,0x01,0x02,0x03,0x04)").
Now, we could either just hex edit our DUMPED bios to set the VSS var 0x85 to 0x05, but this would mess up some other pages where you will see unknown grayed out values, etc, and would be reset if you chose to restore to factory settings in the bios, or we could edit the UEFI bytecode to not check that variable anymore.
To do that, we find that the LIST check we want is "EFI_IFR_EQ_ID_LIST_OP = 0x14", so we search for the first occurrence of 0x14 in the uefi bytecode area (after the HII header), and see:
Code:
1411 8500 01 0500 0000 0100 0200 0300 0400
8500 is the variable we check
01 is the length (in bytes) we are checking
0500 is the size of the array of the values we are checking for
and after that we have values[5] of UINT16 for the values to check for
Since 0x85 is in the range of 0x00 to 0x05, I just changed the values to check for to: 0xFF 0xFE 0xFD 0xFC 0xFB, so our bytecode changes to:
Code:
1411 8500 01 0500 FF00 FE00 FD00 FC00 FB00
This is where ezH2O comes in.
Open the PEW71110.fd file in it.
You cannot open dumped ROMs (or any ROMs that have NVRAM in them) with ezH2O, as it will just crash while saving it later.
If it were a stable utility, I could just go to modules->replace and replace the SetupUtility with our modded PE.
But that makes it crash.
So, after opening the .fd image in ezH2O, I opened WinHEX, opened the ezH2O primary memory in it.
Now, we can search around the uncompressed memory of ezH2O.
To find the range we want to replace, simply select a big enough chunk of hex around the area you want to edit (make sure you can find only 1 occurrence of it in the PE, make it a big enough chunk of hex).
Then search for that in WinHEX while having opened ezH2O's memory area.
If you get the message "Virtual memory layout has changed", simply exit WinHEX and attach to ezH2O's memory again and try again.
After changing the bytes you wanted, you can simply close WinHEX, there is no saving for memory.
Now, some people say that ezH2O won't even bother rewriting the image from uncompressed modules in RAM unless you change something in ezH2O before doing a save as.
To circumvent this, I just change the boot logo.
The preferred format to change it to is a 640x480 indexed PCX file.
I have put a link to the original ACER logo PCX in the bottom of this post, that you can use.
Don't worry if ezH2O asks you to change the format to 0x0 or some crazy thing, just click yes, it will change the logo image properly.
You can open the logo image dialog again, to verify that it changed properly.
After that, simply do a File->Save as and name it modified.fd or something.
Then you can flash this with the official InsydeFlash utility, either for windows or DOS.
I also like setting the ALL=0 option in platform.ini to ALL=1, this way it clears the passwords and some other things get reflashed as well.
To get the raw folder (instead of the self extracting exe you download from acer's site), you just run the exe from acer's site, and immediately close the CMD prompt that comes up.
You can find the raw folder inside your Windows' temp dir.
Copy your modified.fd as PEW71110.fd in that folder, overwriting the original one, and simply run DPJ.BAT on your laptop to flash it.
Now, the problem I've encountered is:
1. The UEFI BOOT variable in the bios is already set to [ENABLED], but UEFI BOOT is not working. This would mean that we require some modules that we don't have in our BIOS, or we need to modify some boot selector that decides where we boot. The problem is that ezH2O crashes when you try to modify a module, and just gives an error that I haven't given it the correct module type when I try to insert a new one. I've found a BIOS from some other ACER laptop that supposedly CAN UEFI boot, and extracted all its modules using fsdump.py, and it indeed has more modules than the 5742G bios (like Terminal), but both our bios and their bios have the same BOOTX64.EFI strings, as well as INTERNAL EFI SHELL string etc, in the modules, which confuses me.
To extract all modules from a .fd image, first you will have to manually unLZMA it. To do this, open the .fd in a hex editor, and remove everything before the LZMA header(5D000080001000), then save it and run
Code:
lzma -c -d lzmacompressedfd.lzma > decompressed.bin
fvdump.py decompressed.bin
fsdump.py fv-00000010.bin
So, any ideas on how to get UEFI boot going?
Files like python scripts, sample bios with extra options, and the boot logo pcx can be found at Index of /acer/tools
To get ezH2O, just google ezH2O 2.1.0.13 (earlier versions will crash on .fd load)
Python scripts made by Marcan and d6z, I just edited them with correct offsets for this bios image
EDIT: I've found why the pages weren't showing, the SetupUtility code, on form init, checked if the form set string ID was either 0x67 ("Advanced") or 0x283 ("Power"). Simply replacing these checks with NOPs made them show up.
To reiterate, I've replaced 83F867 0F849E000000 (cmp eax, 67h, jz) with 83F867 909090909090 (cmp eax, 67h, 6*nop) and 3D83020000 0F848A000000 (cmp eax, 283h, jz) with 3D83020000 909090909090 (cmp eax, 283h, 6*nop). These are at 0x1249 and 0x125B in SetupUtility PE, respectively. I've uploaded a bios image that unlocks these pages to the link above.
EDIT2: Just inserting new modules properly extracted from other ACER laptop models using ezh2o does make a valid efi image, but the laptop will just keep resetting before display init if you do this
However, you can safely remove the following modules: Chinese, JpegDecoder (if you're using a PCX boot logo) and also all the VGA BIOS for the graphics card you don't have, if you have nvidia, you can remove all ATOMBIOS ATI, vice versa if you have ATI
In case anyone cares, the recovery bios filename for the Acer Aspire 5742G is PEW71X64.fd and you can use any 4MB .fd file from acer's site for this model, put it on a fat16/fat32 formatted us
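The EQ_ID_LIST layout described in the first post (opcode 0x14, length byte, variable, width, count, values), as an added Python 3 example that is not part of the original post or the posted scripts: it decodes that op and compares a vendor reference bytecode region with a candidate's to report altered Suppress If value lists. The function names and the filler bytes around the two quoted sequences are assumptions made for illustration.

```python
import struct

EFI_IFR_EQ_ID_LIST_OP = 0x14  # opcode value quoted in the post

def decode_eq_id_list(buf, off):
    """Decode one op at `off` using the post's layout: opcode, length,
    UINT16 variable, UINT8 width, UINT16 count, UINT16 values[count]."""
    if off + 7 > len(buf) or buf[off] != EFI_IFR_EQ_ID_LIST_OP:
        return None
    length = buf[off + 1]
    var, width, count = struct.unpack_from("<HBH", buf, off + 2)
    # Reject a coincidental 0x14 byte: length must equal 7 + 2 * count.
    if length != 7 + 2 * count or off + length > len(buf):
        return None
    values = list(struct.unpack_from("<%dH" % count, buf, off + 7))
    return {"offset": off, "var": var, "width": width, "values": values}

def find_eq_id_lists(buf):
    """Scan a bytecode region for every self-consistent EQ_ID_LIST op."""
    found, off = [], 0
    while off < len(buf):
        op = decode_eq_id_list(buf, off)
        if op:
            found.append(op)
            off += buf[off + 1]  # skip the whole op using its length byte
        else:
            off += 1
    return found

def changed_conditions(reference, candidate):
    """List (offset, var, reference values, candidate values) for each op in
    the reference whose condition is different or missing in the candidate."""
    cand = {op["offset"]: op for op in find_eq_id_lists(candidate)}
    report = []
    for ref in find_eq_id_lists(reference):
        other = cand.get(ref["offset"])
        seen = other and (other["var"], other["values"])
        if seen != (ref["var"], ref["values"]):
            report.append((ref["offset"], ref["var"], ref["values"],
                           other and other["values"]))
    return report

# Constructed sample: the two sequences quoted in the post, wrapped in made-up
# filler bytes so the op does not sit at offset 0.
PAD = bytes.fromhex("ffff00")
VENDOR = PAD + bytes.fromhex("1411 8500 01 0500 0000 0100 0200 0300 0400") + PAD
MODDED = PAD + bytes.fromhex("1411 8500 01 0500 FF00 FE00 FD00 FC00 FB00") + PAD

if __name__ == "__main__":
    for off, var, before, after in changed_conditions(VENDOR, MODDED):
        print("op at 0x%x, var 0x%x: %s -> %s" % (off, var, before, after))
```

Run against the bytecode region of a known-good vendor image and the same region of an image under review, an empty report means no list condition was altered at the same offsets.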
Reply 1 : ACER 5742G BIOS modding
Following the dumpsetup2.py I encountered:
UnicodeDecodeError: 'utf16' can't decode bytes in position 403678-403679:illegal encoding.
I took a look at the offset, it is this char
Edit: I got it, just forgotten to mod the string table. =P
Code:
Opened BIOS 'NALG0X64.fd' with md5:b88f67347247ae6853b5d928ed43a3d5
Operating on BIOS data/original_bios-mine.fd size = 0x400000
Loading compressed sections
.. found 3 compressed sections
Locating Firmware Volumes
.. found 8 FirmwareVolumes (4 compressed)
STRING_TABLE = 0x18340
String table:
Language: eng (English)
String count: 929
Location = 0x7c020
Location = 0x7c450
Location = 0x7c4e0
Location = 0x7c660
Location = 0x7cb90
Location = 0x7ccf0
Location = 0x80d30
Have vss_volume: FirmVol position=0x390000 size=0x00ffb8 where=None [VSS]
Have vss_volume: FirmVol position=0x3a0000 size=0x05ffb8 where=None [VSS]
Have vss_volume: FirmVol position=0x000010 size=0x47ffb8 where=[compr at 0x281069] [VSS]
Done
Reply 2 : ACER 5742G BIOS modding
yep, you first run main.py, then modify dumpsetup2.py with the values you gotten from main.py (string table location and page offsets)
then, if you want to use vtenable.py, you have to search the .fd file for $VSS in a hex editor, and note that as VSS_OFFSET, for VSS_SIZE you have to do a fvdump whatever.fd and look at the size of the fv-*.bin file which contains $VSS at the top, PATCH_OFFSET is the storage offset you got from looking at output of dumpimage2.py (0x85, 0x1a3, etc), PATCH_VALUE is what you want the value to be.
however, when I wanted to do this, it was easier to just hex edit the .fd file directly, to do this, find $VSS, then find "Setup" unicode after it, then find the next AAFF hex after it, go back X bytes (X being the value of nvsize in dumpsetup2.py output) and then go forward your PATCH_OFFSET and edit the value. Repeat for "Custom" unicode as well to make sure the value sticks (didn't want to stick for me unless it was in both)
Reply 3 : ACER 5742G BIOS modding
I was thinking of unlocking all menu.
VT is already enabled.
But after dumping all the tables there seems to be nothing of real use there...
Reply 4 : ACER 5742G BIOS modding
I've also now uploaded new python scripts rar which includes a fsdump.py which follows ezH2O guid format, and also dumps the original .ffs as well as the separate sections, so you can try to import the ffs in ezH2O (it will work, you need to change logo after import and before saving for ezH2O to notice, but whether your laptop can still boot is the question)
Can your laptop UEFI boot (from a usb stick with EFI/BOOT/BOOTX64.EFI or from a EFI bootable DVD) ?
EDIT: Looks like your BIOS has about the same amount of options as mine...
There's a VID Override string, but no actual vid override option in the forms
Reply 5 : ACER 5742G BIOS modding
Quote:
Originally Posted by rajkosto
Can your laptop UEFI boot (from a usb stick with EFI/BOOT/BOOTX64.EFI or from a EFI bootable DVD) ?
EDIT: Looks like your BIOS has about the same amount of options as mine... There's a VID Override string, but no actual vid override option in the forms
Reply 6 : ACER 5742G BIOS modding
in order to be uefi compatible, it should also just boot windows 7 x64 from the dvd using uefi, not mbr. all of this seems to be compiled out of the bios modules
and I had that boot folder just fine, and the strings in the module dump seem to be there on my bios, yet it doesn't work
would be nice if anyone here had Acer 3810T, because for that model, bios 1.08 allows uefi boot, while 1.10 doesn't. And I have a list of changed modules here, could try them one by one, see which one disabled it.
EDIT: GREAT SUCCESS http://i.imgur.com/LE0Pb.jpg
thing holding me back was that ezh2o bitflips the header crc byte of a FFS entry, so you have to bitflip that byte in fsdump.py as well, if you want to directly use extracted .ffs files to insert in ezh2o.
updated fsdump.py is in the rar above
The modules I needed to insert, I found in the 3810T 1.08 firmware, and they were EmuVariable, DiskIo, Partition, Fat, LaunchApp, Terminal
I have achieved all my objectives.
The resulting bios file is here: http://rajko.info/acer/tools/ACER574..._NOATIBIOS.rar
As the filename says, I had to remove the ATI vbios modules to fit the ones required for efi boot. So don't use on a 5742G with ATI graphics.
Reply 7 : ACER 5742G BIOS modding
Please, I updated my Acer 5742G bios to 1.11 and now I can't upgrade with your mod bios because it is 1.10. What can I do? Please help me......
Reply 8 : ACER 5742G BIOS modding
Was somebody able to install Win 7 in EFI mode on GPT partition? I have BSOD when trying to do this on acer 3810
Reply 9 : ACER 5742G BIOS modding
Quote:
Originally Posted by advan20092
Was somebody able to install Win 7 in EFI mode on GPT partition? I have BSOD when trying to do this on acer 3810
It can read GPT but not as a system disk, I came to the answer a couple of months back while trying to do the same.