Contribute
Register

Successfully patched Z170X-UD5 TH CFG Lock (MSR Ex02)

Status
Not open for further replies.
Search result for unicode text "CFG lock" on Z170X-UD5 TH BIOS version 22g by using UEFITool app.

181107-0001.jpg
 
Yeah I probably did. Lets say 'modify' if that works for you?

It's a huge difference.

As I understand there are actually 2 options available.
  • Patching BIOS
  • Modify hidden BIOS settings
If we check CFG lock section in BIOS (version 22g), then we see

Code:
0x33377     Form: View/Configure CPU Lock Options, FormId: 0x2734 {01 86 34 27 11 07}
0x3337D         One Of: CFG Lock, VarStoreInfo (VarOffset/VarName): 0x4EF, VarStore: 0x1, QuestionId: 0x24C, Size: 1, Min: 0x0, Max 0x1, Step: 0x0 {05 91 B4 08 B5 08 4C 02 01 00 EF 04 10 10 00 01 00}
0x3338E             One Of Option: Disabled, Value (8 bit): 0x0 {09 07 04 00 00 00 00}
0x33395             One Of Option: Enabled, Value (8 bit): 0x1 (default) {09 07 03 00 30 00 01}
0x3339C         End One Of {29 02}
0x3339E         One Of: Overclocking Lock, VarStoreInfo (VarOffset/VarName): 0x59E, VarStore: 0x1, QuestionId: 0x24D, Size: 1, Min: 0x0, Max 0x1, Step: 0x0 {05 91 B0 08 B1 08 4D 02 01 00 9E 05 10 10 00 01 00}
0x333AF             One Of Option: Disabled, Value (8 bit): 0x0 (default) {09 07 04 00 30 00 00}
0x333B6             One Of Option: Enabled, Value (8 bit): 0x1 {09 07 03 00 00 00 01}
0x333BD         End One Of {29 02}
0x333BF     End Form {29 02}

As we see here, default state for CFG Lock is Enabled. By patching BIOS we can set default setting Disabled ( 0x0 ). By hacking hidden BIOS setting we can probably modify setting. But I guess that by hacking setting, we lose these if something happens to stored BIOS setting and those are reset for some reason. So the fail safe way is to patch BIOS.'

For Gigabyte Z170X-UD5 TH BIOS version 22g the offset for CFG Lock setting is 0x4EF.
 
Last edited:
It's a huge difference.

As I understand there are actually 2 options available.
  • Patching BIOS
  • Modify hidden BIOS settings
If we check CFG lock section in BIOS (version 22g), then we see

Code:
0x33377     Form: View/Configure CPU Lock Options, FormId: 0x2734 {01 86 34 27 11 07}
0x3337D         One Of: CFG Lock, VarStoreInfo (VarOffset/VarName): 0x4EF, VarStore: 0x1, QuestionId: 0x24C, Size: 1, Min: 0x0, Max 0x1, Step: 0x0 {05 91 B4 08 B5 08 4C 02 01 00 EF 04 10 10 00 01 00}
0x3338E             One Of Option: Disabled, Value (8 bit): 0x0 {09 07 04 00 00 00 00}
0x33395             One Of Option: Enabled, Value (8 bit): 0x1 (default) {09 07 03 00 30 00 01}
0x3339C         End One Of {29 02}
0x3339E         One Of: Overclocking Lock, VarStoreInfo (VarOffset/VarName): 0x59E, VarStore: 0x1, QuestionId: 0x24D, Size: 1, Min: 0x0, Max 0x1, Step: 0x0 {05 91 B0 08 B1 08 4D 02 01 00 9E 05 10 10 00 01 00}
0x333AF             One Of Option: Disabled, Value (8 bit): 0x0 (default) {09 07 04 00 30 00 00}
0x333B6             One Of Option: Enabled, Value (8 bit): 0x1 {09 07 03 00 00 00 01}
0x333BD         End One Of {29 02}
0x333BF     End Form {29 02}

As we see here, default state for CFG Lock is Enabled. By patching BIOS we can set default setting Disabled ( 0x0 ). By hacking hidden BIOS setting we can probably modify setting. But I guess that by hacking setting, we lose these if something happens to stored BIOS setting and those are reset for some reason. So the fail safe way is to patch BIOS.'

For Gigabyte Z170X-UD5 TH BIOS version 22g the offset for CFG Lock setting is 0x4EF.

Good job! If I remember correctly that was my offset as well.
I could be wrong so do your own research on the matter, but I think we need to modify the setting once it has been loaded onto the motherboard because if you patch the image, your will get a checksum fail when you try to load it onto the bios.
 
How to change hidden CFG Lock setting

I'm going to clarify the procedure how to figure out the offset for CFG Lock setting and how to apply needed change in BIOS.

Please note, it's not exactly patching the BIOS. It's about changing it's hidden variables.

KernelPm patch on Glover is needed for any system that uses XCPM and has MSR_PKG_CST_CONFIG_CONTROL locked.

Starting with Haswell Macs, CPU power management functionality was moved into the kernel (known as XNU CPU Power Management). KernelPm patches the kernel to prevent writes to MSR_PKG_CST_CONFIG_CONTROL (MSR 0xE2), which is frequently locked on many systems (can usually be disabled by disabling the firmware option "CFG Lock"). Without this patch, you will encounter a kernel panic if MSR 0xE2 is locked (which appears to be the case for your system).

Using fixed BIOS settings eliminates need for KernelPm patch. With this patch is possible to get fully native HWP (Intel SpeedShift Technology) CPU Power Management for all Skylake-X processors on all X299 mainboards with unlocked MSR 0xE2 BIOS Register, resulting in absolutely brilliant and top-end CPU performance.

clover-configuration-010-2.jpg

If you don't have needed tools, then for first you should acquire these tools. Needed tools are UEFITool and IFR-Extractor. Also you need GRUB Shell to change settings.

Shortly about setup_var
UEFI documentation ((U)EFI = (Unified) Extensible Firmware Interface):
Both BIOS and UEFI store variables in NVRAM - non-volatile RAM. The location of this is platform-specific - early BIOSes used the CMOS. BIOS variables, in CMOS or otherwise, were not standardised. Accessing their location sometimes was possible for the OS, sometimes not. Knowing their meaning meant knowing the BIOS version, potentially to a build level. Clearly, maintaining a catalogue of all BIOSes is untenable. UEFI solves this problem. UEFI provides an extensible, standardised interface to access NVRAM variables - infact, it is one of the few runtime services that UEFI provides, indicating that the variables are not otherwise accessible to the OS. This means that at any point during the OS's execution, it can both get and set these variables.

EFI variables can be read and modified in Linux, which is done trough the sys pseudo-filesystem, where EFI varies are mounted at /sys/firmware/efi/efivars. Some GRUB versions supports modifying EFI variable storage space (VSS) via command setup_var, which can take up to two arguments, a variable identifier/offset (0xDF etc) and a value to write to this variable (0x1 etc).

Command setup_var in the modified GRUB can change settings which are stored in the "Setup-{guid}" efivar and with setup_var_2(setup_var_3 settings which are stored in the "Config-{guid}" efivar.

Usage of setup_var
To read current configuration:
Code:
setup_var 0xDF
To write setting
Code:
setup_var 0xDF 0x00

Download tools:
Download BIOS or save it to the disk from BIOS GUI
  • Download BIOS from Gigabyte website (22g) or
  • save it to the disk from your BIOS settings GUI (FAT16 or FAT32 drive is needed for that)
Extract CFG Lock related block from BIOS

Code:
cd ~/Desktop
mkdir cfglockfix
curl -L http://download.gigabyte.eu/FileList/BIOS/mb_bios_ga-z170x-ud5-th_f22g.zip -o bios.zip -s
unzip -a bios.zip
rm autoexec.bat
rm Efiflash.exe
rm bios.zip
curl -L https://github.com/LongSoft/UEFITool/releases/download/t20181011/UEFITool_NE_A52_mac.zip -o uefitool.zip -s
unzip -a uefitool.zip
rm uefitool.zip
curl -L https://github.com/LongSoft/Universal-IFR-Extractor/releases/download/v0.3.5/ifrextract_v0.3.5.osx.zip -o ifextract.zip -s
unzip -a ifextract.zip
rm ifextract.zip
./UEFITool.app/Contents/MacOS/UEFITool ~/Desktop/cfglockfix/Z17XU5TH.22g

Now we should have UEFITool opened with with BIOS image Z17XU5TH.22g.
Then we press CMD+F and and select text and type CFG Lock and press OK.

181107-0003.jpg
181107-0002.jpg

Then we have to double click on search result, which leads as to the section containing CFG Lock setting.
Then we right click on selected block and select extract body and safe it as PE32Section.efi and quit UEFITool.

181107-0004.jpg
181107-0005.jpg

Then we run following command on terminal

Code:
./ifrextract PE32Section.efi PE32Section.txt

We should have now text file which reveals offset for CFG Lock setting.

181107-0006.jpg

Code:
0x33377     Form: View/Configure CPU Lock Options, FormId: 0x2734 {01 86 34 27 11 07}
0x3337D         One Of: CFG Lock, VarStoreInfo (VarOffset/VarName): 0x4EF, VarStore: 0x1, QuestionId: 0x24C, Size: 1, Min: 0x0, Max 0x1, Step: 0x0 {05 91 B4 08 B5 08 4C 02 01 00 EF 04 10 10 00 01 00}
0x3338E             One Of Option: Disabled, Value (8 bit): 0x0 {09 07 04 00 00 00 00}
0x33395             One Of Option: Enabled, Value (8 bit): 0x1 (default) {09 07 03 00 30 00 01}
0x3339C         End One Of {29 02}
0x3339E         One Of: Overclocking Lock, VarStoreInfo (VarOffset/VarName): 0x59E, VarStore: 0x1, QuestionId: 0x24D, Size: 1, Min: 0x0, Max 0x1, Step: 0x0 {05 91 B0 08 B1 08 4D 02 01 00 9E 05 10 10 00 01 00}
0x333AF             One Of Option: Disabled, Value (8 bit): 0x0 (default) {09 07 04 00 30 00 00}
0x333B6             One Of Option: Enabled, Value (8 bit): 0x1 {09 07 03 00 00 00 01}
0x333BD         End One Of {29 02}
0x333BF     End Form {29 02}

The line we are interested about is:

One Of: CFG Lock, VarStoreInfo (VarOffset/VarName): 0x4EF, VarStore: 0x1,...​

0x4EF is offset and 0x1 is default setting.

We have figured out the command to use with modified GRUB Shell for motherboard Z170X-UD5 TH BIOS version f22g:

Code:
setup_var 0x4EF 0x00

Seems that for various Z170X-UD5 TH BIOS versions (F20 and newer) offset is 0x4EF:

F20
One Of: CFG Lock, VarStoreInfo (VarOffset/VarName): 0x4EF, VarStore: 0x1

F21
One Of: CFG Lock, VarStoreInfo (VarOffset/VarName): 0x4EF, VarStore: 0x1

F22a
One Of: CFG Lock, VarStoreInfo (VarOffset/VarName): 0x4EF, VarStore: 0x1

F22d
One Of: CFG Lock, VarStoreInfo (VarOffset/VarName): 0x4EF, VarStore: 0x1

F22g
One Of: CFG Lock, VarStoreInfo (VarOffset/VarName): 0x4EF, VarStore: 0x1

Didn't check older versions.

How to create bootable USB for GRUB shell

1 . Make bootable USB stick for Grub Shell
Inject USB stick into USB port and follow next steps... Be very careful, that you dont erase your system or other important disks accidentally.

a. Mac Instuctions
  1. Open Disk Utility
  2. Select your USB drive (Entire drive, not partition)
  3. Click Partition
  4. Choose GUID scheme, FAT format and any name you like.

181122-0002.jpg


b. Linux Instructions
If for some case Mac instructions doesn't suit you, you can create bootable USB on Linux Terminal easily too. Run lsblk --fs to detect your USB device, for example /dev/sdc or /dev/sda etc. Terminal commands below are for USB device /dev/sdc, use your own device instead of that.

Code:
lsblk --fs
sudo parted -s /dev/sdc print
sudo wipefs -a /dev/sdc
sudo parted -s /dev/sdc print
sudo parted /dev/sdc help mktable
sudo parted /dev/sdc mktable msdos
sudo parted /dev/sdc help mkpart
sudo parted /dev/sdc mkpart primary fat32 0% 100%
sudo mkfs.fat -F 32 /dev/sdc1
sudo parted /dev/sdc set 1 boot on
lsblk --fs

2. Download and put Grub Shell on usb
  • Download Grub Shell from grub-mod-setup_var
  • Extract it into ~/Downloads folder
  • Rename it from modGRUBShell.efi to bootx64.efi
  • Copy bootx64.efi into USB disk
Code:
cd /Volumes/NO\ NAME
ls
mkdir -p /Volumes/NO\ NAME/EFI/BOOT
cp -iR ~/Downloads/bootx64.efi /Volumes/NO\ NAME/EFI/BOOT/bootx64.efi

181122-0003.jpg


3. Make changes
  • Reboot from USB disk / Press F12 key for boot options
  • Change settings
Make sure that you have UEFI boot enabled

grub-shell-boot-00002.jpg

Press F12 key for boot options

grub-shell-boot-00001.jpg

On GRUB shell you can now use setup_var or setup_var_2 or setup_var_3 commands.

grub-shell-boot-00003.jpg

To check variable just enter setup_var <offset> for example:
Code:
setup_var 0x4EF
or
Code:
setup_var_3 0x4EF

NB! On some BIOS you might find this useful, use setup_var_3 instead of setup_var. Read more on grub-mod-setup_var

Code:
setup_var_3 0x4EF 0x00
 

Attachments

  • PE32Section.txt.zip
    245.1 KB · Views: 299
Last edited:
I could be wrong so do your own research on the matter, but I think we need to modify the setting once it has been loaded onto the motherboard because if you patch the image, your will get a checksum fail when you try to load it onto the bios.

Yes, this might be true on some cases. I'm not familiar with modified GRUB Shell, so please can you save you BIOS to the disk, zip and upload there to compare it with original BIOS?

I'm curios where it writes modification, into the bios or stored settings.

Thank you in advance!
 
We have figured out the command to use with modified GRUB Shell for motherboard Z170X-UD5 TH BIOS version f22g:

Code:
setup_var 0x4EF 0x00

To use the GRUB Shell, download and uncompress the above link (bootx64.efi) and place it in the EFI folder of a USB key (one you're not using for any other purpose). Then boot from that USB key and you will boot into a shell prompt. From that prompt run
Code:
setup_var (your offset here) 0x0
and reboot from your usual boot drive.

This is modifying code on your motherboard. Use with extreme caution.

Credit to this post and above related posts to VIT9696.
 
Yes, this might be true on some cases. I'm not familiar with modified GRUB Shell, so please can you save you BIOS to the disk, zip and upload there to compare it with original BIOS?

I'm curios where it writes modification, into the bios or stored settings.

Thank you in advance!
I'm not at home so I cannot do that at the moment.
 
Status
Not open for further replies.
Back
Top