Rajko Acer 5742g Bios Mod

About Us Contact Us Newsletter Sign Up Log OutSettingsMy ProfileNotificationsWelcome, BDMaster

REVIEWSREVIEWS NEWSNEWS SHOPSHOP COUPONSCOUPONS DEALSDEALS ADD ONSADD ONS VIDEOSVIDEOS BUSINESSBUSINESS

Site Rules FAQ UserCP New Posts Calendar Community Forum Actions Quick Links Image Gallery

Search...

Forum Notebook Manufacturers Acer ACER 5742G BIOS modding

EDITOR'S PICKSEDITOR'S PICKS

FOLLOW US AROUND THE WEBFOLLOW US AROUND THE WEB

Sager NP7330 Linux Guide/Review by joeelmex

Y410p [full review] by jobine702

+ Reply to Thread

Results 1 to 10 of 52 Page 1 of 6 1 2 3 4 5 ... Last

FORUMFORUM

Pagina 1 di 13ACER 5742G BIOS modding

21/12/2013http://forum.notebookreview.com/acer/541716-acer-5742g-bios-modding.html

Thread: ACER 5742G BIOS modding

MOST ACTIVE THREADSMOST ACTIVE THREADS

Clevo notebooks with 800M series...Last Post By flingin (179 replies)Today, 06:56 AM in Gaming (Software andGraphics Cards)

Looking for a gaming pc on a budgetLast Post By peppergrass (119 replies)17th December 2013, 06:28 PM in WhatNotebook Should I Buy?

Mechanical Keyboard Worth it?Last Post By octiceps (91 replies)18th December 2013, 07:27 PM in Accessories

XPS 11 Owner's LoungeLast Post By IntelUser (90 replies)Today, 04:34 AM in Dell XPS and Studio XPS

Xbox controller for PC games?Last Post By BlazeHN (70 replies)Yesterday, 12:42 AM in Gaming (Software andGraphics Cards)

3 LikesLike Tree

Bookmark & Share Thread Tools Search Thread Rate This Thread

19th December 2010, 02:03 PM

ݖ

ݖ

ACER 5742G BIOS modding (unhidden pages/enabled UEFIBOOT)

You will need ezH2O 2.1.0.13 or newerAll the values in the latest bios (1.10) seem to be good (every option that's niceto have is enabled), except that, for me, UEFI boot isn't working.Also, VSS modding doesn't seem to stick unless i change the value in both theSetup and the Custom variable, so I just did this with a hex editor (ACERdoesn't have checksums on uncompressed VSS volumes). However, thisrequires a bios DUMP for each laptop, and then that to be modified. Instead, ilike modifying the SetupUtility PE (well, actually the HII forms UEFI bytecodeinside of its data section). This gives permanent option unlocking (just changethe Suppress If statement to check some bogus variable for some bogusvalues).

You will need Python 2.6.x or 2.5.x installed and in your PATH for this to work,also copy the lzmadec.dll to it's dll dir.

First, we need the SetupUtility PE out of the bios, so do this:Code:

This will make a data folder with SetupUtility PE in it.Then, we analyze the UEFI forms bytecode in this PE:

Code:

Each form set listing starts with "Reading form 'Main'=7ecb0" where 7ecb0 isthe offset in the PE where the HIIPACK header is located.the HIIPACK header consists of 6 bytes: [UINT32 SIZE, UINT16 TYPE], so

#1

Join Date:

Posts:

Dec 2010

10

Rep Power: 8

rajkosto

Notebook Enthusiast



python m ain.py PEW 71110. f d

python dum pset up2.py data\SetupU t i l i t y- m ine. pe > byt ecode. t xt

RECENT LAPTOP REVIEWSRECENT LAPTOP REVIEWS

NEW FORUM THREADSNEW FORUM THREADS

**New** Samsung ATIV Book 9 Lite (NP905S3G)User Review

**New** Lenovo ThinkPad Edge E431 Review

HP Pavilion Touchsmart 11z Review

Asus ZenBook UX51VZ-XB71 Review

Alienware 14 Review

HP Pavilion g6 Screen ProblemPosted By andoidvsapple (0 replies)Today, 07:55 AM in HP Pavilion Notebooks

Anyone know if there's a way to...Posted By Vogelbung (0 replies)Today, 07:32 AM in Gaming (Software andGraphics Cards)

4900MQ turbo boost broken?

ݖ

ݖ

place the cursor at the offset, check intel little endian mode in your hex editor,and interpret the int of size. The UEFI bytecode is located in the area right afterthe 6 byte header, defined by size. You can see a list of opcodes insidedumpsetup2.py, for more information about a opcode you can just google it,and then follow the link to the Phoenix Wiki. Or consult the Intel EFI pdf that hasdefinitions for most of them.

So, i wanted to expose the advanced boot options like UEFI BOOT, FASTBOOT, etc. I found the string in bytecode.txt, found the form package they're in("Reading form 'Boot'=7f120"), and see why they're not displaying ("Suppress IfLIST [0x85<1>] in (0x00,0x01,0x02,0x03,0x04)"Now, we could either just hex edit our DUMPED bios to set the VSS var 0x85 to0x05, but this would mess up some other pages where you will see unknowngrayed out values, etc, and would be reset if you chose to restore to factorysettings in the bios, or we could edit the UEFI bytecode to not check thatvariable anymore.To do that, we find that the LIST check we want is "EFI_IFR_EQ_ID_LIST_OP= 0x14", so we search for first occurence of 0x14 in the uefi bytecode area(after the HII header), and see:

Code:1411 8500 01 0500 0000 0100 0200 0300 0400

14 is our opcode, 11 is the length of it (+ additional bit, ignore it)8500 is the variable we check01 is the length (in bytes) we are checking0500 is the size of the array of the values we are checking forand after that we have values[5] of UINT16 for the values to check forSince 0x85 is in the range of 0x00 to 0x05, i just changed the values to checkfor to : 0xFF 0xFE 0xFD 0xFC 0xFB, so our bytecode changes to:

Code:1411 8500 01 0500 FF00 FE00 FD00 FC00 FB00

After we have done the change, we need a way to pack it back into our .fdimage.This is where ezH2O comes in.Open the PEW71110.fd file in it.You cannot open dumped ROMs (or any ROMs that have NVRAM in them) withezH2O, as it will just crash while saving it later.If it were a stable utility, i could just go to modules->replace and replace theSetupUtility with our modded PE



TECHNOLOGYGUIDE UPDATESTECHNOLOGYGUIDE UPDATES

Posted By beezow (3 replies)Today, 06:26 AM in Sager and Clevo

AW17 W8: USB not working, drivers...Posted By DivideByIchi (0 replies)Today, 06:04 AM in Alienware 17 and M17x

Hibernation issuePosted By Davidjb82 (0 replies)Today, 05:49 AM in Asus

**New** What are the Best Tablets?

**New** What are the Best Digital Cameras?

**New** What are the Best Smartphones?

Moms, Dads, & Grads 2013 Buyers Guide

But that makes it crash.So, after opening the .fd image in ezH2O, i opened WinHEX, opened theezH2O primary memory in itNow, we can search around the uncompressed memory of ezH2O.To find the range we want to replace, simply select a big enough chunk of hexaround the area you want to edit (make sure you can find only 1 occurence of itin the PE, make it a big enough chunk of hex)Then search for that in WinHEX while having opened ezH2O's memory area.If you get the message "Virtual memory layout has changed", simply exitWinHEX and attach to ezH2O's memory again and try again.After changing the bytes you wanted, you can simply close WinHEX, there is nosaving for memory.

Now, some people say that ezH2O won't even bother rewriting the image fromuncompressed modules in RAM unless you change something in ezH2O beforedoing a save as.To circumvent this, i just change the boot logo.The preferred format to change it to is a 640x480 indexed PCX file.I have put a link to the original ACER logo PCX in the bottom of this post, thatyou can use.Don't worry if ezH2O asks you to change the format to 0x0 or some crazy thing,just click yes, it will change the logo image properly.You can open the logo image dialog again, to verify that it changed properly.After that, simply do a File->Save as and name it modified.fd or something.Then you can flash this with the official InsydeFlash utility, either for windows orDOS.I also like setting the ALL=0 option in platform.ini to ALL=1, this way it clearsthe passwords and some other things get reflashed as well.To get the raw folder (instead of the self extracting exe you download fromacer's site), you just run the exe from acer's site, and immediately close theCMD prompt that comes up.You can find the raw folder inside your Windows' temp dir.Copy your modified.fd as PEW71110.fd in that folder, overwriting the originalone, and simply run DPJ.BAT on your laptop to flash it.

Now, the problem ive encountered is:1. the UEFI BOOT variable in the bios is already set to [ENABLED], but UEFIBOOT is not working. This would mean that we require some modules that wedon't have in our BIOS, or we need to modify some boot selector that decideswhere we boot. The problem is that ezH2O crashes when you try to modify amodule, and just gives an error that i haven't given it the correct module typewhen i try to insert a new one. I've found a BIOS from some other ACER laptopthat supposedly CAN UEFI boot, and extracted all it's modues using fsdump.py,and it indeed has more modules than the 5742G bios (like Terminal), but bothour bios and their bios have the same BOOTX64.EFI strings, as well asINTERNAL EFI SHELL string etc, in the modules, which confuses me.To extract all modules from a .fd image, first you will have to manually unLZMA



ݖ

it. To do this, open the .fd in a hex editor, and remove everything before theLZMA header(5D000080001000), then save it and run

Code:l zma - c - d l zmacompr essedf d. l zma > decompr essed. bi nf vdump. py decompr essed. bi nf sdump. py f v- 00000010. bi n

And you will get tons of files that correspond to the modules inside the fdimage.

So, any ideas on how get UEFI boot going ?

Files like python scripts, sample bios with extra options, and the boot logo pcxcan be found at Index of /acer/toolsTo get ezH2O, just google ezH2O 2.1.0.13 (earlier versions will crash on .fdload)Python scripts made by Marcan and d6z, i just edited them with correct offsetsfor this bios image

EDIT: I've found why the pages weren't showing, the SetupUtility code, on forminit, checked if the form set string ID was either 0x67 ("Advanced") or 0x283("Power"). Simply replacing these checks with NOPs made them show up.To reiterate, i've replaced 83F867 0F849E000000 (cmp eax, 67h, jz) with83F867 909090909090 (cmp eax, 67h, 6*nop) and 3D830200000F848A000000 (cmp eax, 283h, jz) with 3D83020000 909090909090 (cmp eax,283h, 6*nop). These are at 0x1249 and 0x125B in SetupUtility PE, respectively.I've uploaded a bios image that unlocks these pages to the link above.

EDIT2: Just inserting new modules properly extracted from other ACER laptopmodels using ezh2o does make a valid efi image, but the laptop will just keepresetting before display init if you do thisHowever, you can safely remove the following modules: Chinese, JpegDecoder(if you're using a PCX boot logo) and also all the VGA BIOS for the graphicscard you don't have, if you have nvidia, you can remove all ATOMBIOS ATI,vice versa if you have ATIIn case anyone cares, the recovery bios filename for the Acer Aspire 5742G isPEW71X64.fd and you can use any 4MB .fd file from acer's site for this model,put it on a fat16/fat32 formatted usb drive or a CD/DVD

EDIT3:If your laptop doesn't boot, and you don't know the filename you need to use forrecovery from usb/dvd to work, you will need to extract modules from the PEIsection as well, which i don't know how to do manually using these tools.However, the Phoenix SLIC Editor Package, which supports insyde h2o bioses,can automagically extract all modules, including the PEI ones. Simply have it



open your bios, and after you see the .ROM files being extracted, a dialog boxwill show up, and then you can harvest the .ROM files from the same folder thebios was in, in a subfolder called TEMP. Then simply search them for".fd" (unicode) and see what the filename is. On mine, i had an ASCII hit aswell, right next to TORITO, which is DVD bootsector related.

Attached Thumbnails

Last edited by rajkosto; 20th December 2010 at 08:59 PM.

|Like

Reply Reply With Quote

19th December 2010, 09:53 PM

Re: ACER 5742G BIOS modding

Following the dumpsetup2.py I encountered:UnicodeDecodeError: 'utf16' can't decode bytes in position 403678-403679:illegal encoding.I took at look at the offset it is this char ¬

#2

Join Date:

Posts:

Apr 2008

2,798

weinter

/dev/null



Documents

Rajko Acer 5742g Bios Mod