Jump to content

CFGLock - unlock (MSR 0xE2)


Brumbaer
 Share

99 posts in this topic

Recommended Posts

Some boards do not have a visible option for CFG Lock.

For those cases the Bootloaders offer options to not write to the MSR. An other way is to disable CFG Lock in the BIOS despite the fact that there is no option available in the user interface.

One way to do so is to use UEFITool, ifrextract and a patched Grub. Which is not only cumbersome, also it will work only, if the storage used for CFG Lock is in a certain varstore.

Generally speaking CFGLock.efi does what those tools do, but the only user interaction needed is to confirm that you want to toggle the CFG Lock value (on to off/off to on) and it works regardless where the CFG Lock option resides, as long as the BIOS has a CFG Lock option - hidden or not - in their HiiDatabase.

It is an EFI Application. Install it in the Tools folder of your OpenCore EFI and enter it under Misc->Tools in the config.plist.

The EFI must not be able to boot MacOS, it must just be able to show the picker.

It should also run as an application from the UEFI shell, but I haven't tested this.

CFGLock.efi.zip

  • Like 14
  • Thanks 2
Link to comment
Share on other sites

1 hour ago, Brumbaer said:

Some boards do not have a visible option for CFG Lock.

For those cases the Bootloaders offer options to not write to the MSR. An other way is to disable CFG Lock in the BIOS despite the fact that there is no option available in the user interface.

One way to do so is to use UEFITool, ifrextract and a patched Grub. Which is not only cumbersome, also it will work only, if the storage used for CFG Lock is in a certain varstore.

Generally speaking CFGLock.efi does what those tools do, but the only user interaction needed is to confirm that you want to toggle the CFG Lock value (on to off/off to on) and it works regardless where the CFG Lock option resides, as long as the BIOS has a CFG Lock option - hidden or not - in their HiiDatabase.

It is an EFI Application. Install it in the Tools folder of your OpenCore EFI and enter it under Misc->Tools in the config.plist.

The EFI must not be able to boot MacOS, it must just be able to show the picker.

It should also run as an application from the UEFI shell, but I haven't tested this.

CFGLock.efi.zip

I just try it and it does works from the shell using clover bootloader. Congratulations for your great tool. I test it on a GA-Z170X-Gaming G1 motherboard. I wonder if you have tried this tool already with GA-Z490X series motherboards. Please, let me know if you tested on Z490 series motherboards and if you where successful. Cheers, thanks for you contribution.

Link to comment
Share on other sites

18 hours ago, Brumbaer said:

Some boards do not have a visible option for CFG Lock.

For those cases the Bootloaders offer options to not write to the MSR. An other way is to disable CFG Lock in the BIOS despite the fact that there is no option available in the user interface.

One way to do so is to use UEFITool, ifrextract and a patched Grub. Which is not only cumbersome, also it will work only, if the storage used for CFG Lock is in a certain varstore.

Generally speaking CFGLock.efi does what those tools do, but the only user interaction needed is to confirm that you want to toggle the CFG Lock value (on to off/off to on) and it works regardless where the CFG Lock option resides, as long as the BIOS has a CFG Lock option - hidden or not - in their HiiDatabase.

It is an EFI Application. Install it in the Tools folder of your OpenCore EFI and enter it under Misc->Tools in the config.plist.

The EFI must not be able to boot MacOS, it must just be able to show the picker.

It should also run as an application from the UEFI shell, but I haven't tested this.

CFGLock.efi.zip

How can you know what is the address of CFG Lock option in the non-volatile storage of different BIOSes?

Link to comment
Share on other sites

On 6/1/2020 at 3:05 PM, Brumbaer said:

Some boards do not have a visible option for CFG Lock.

Some boards have another one option - CFG Lock is visible in BIOS but has not apsolutely no effect. It's no joke, this issue noticed on some ASUS C422/X299 MoBo with new Cascade Lake BIOS including my one from signature.

 

I want to try your tool in Clover. It's this possible?

 

Thank you. 

Edited by yapan4
Link to comment
Share on other sites

1 hour ago, yapan4 said:

Some boards have another one option - CFG Lock is visible in BIOS but has not apsolutely no effect. It's no joke, this issue noticed on some ASUS C422/X299 MoBo with new Cascade Lake BIOS including my one from signature.

 

I want to try your tool in Clover. It's this possible?

 

Thank you. 

 

I do not know why the Asus option doesn't work. Depending on the reason CFGLock.efi might work.

You can start CFGLock.efi from the Clover EFI shell of a Clover installation, just try it out.

 

  • Like 2
Link to comment
Share on other sites

  • 2 weeks later...
On 6/4/2020 at 5:05 PM, yapan4 said:

Quick test with CFGLock.efi in .../drivers folder. If this is wrong, I'll try tomorrow from shell

Files.zip

 

@Brumbaer

It seems that the value was changed but the MSR remained locked ?...

Could this be another case of FW chip not declare as MMIO in ACPI and so the kernel ignores the MMIO region declared by the UEFI memory map, like in the case of 300 series motherboards?

  • Like 1
Link to comment
Share on other sites

On 6/5/2020 at 12:05 AM, yapan4 said:

Quick test with CFGLock.efi in .../drivers folder. If this is wrong, I'll try tomorrow from shell

Files.zip

 

@Brumbaer

It seems that the value was changed but the MSR remained locked ?...

Be sure you rebooted after use.

CFGLock.efi->reboot->MSR 0xE2 is unlocked

  • Like 1
Link to comment
Share on other sites

I have tested.

My computer #1 in the signature has CFGLock option in BIOS. So I did the follow:

1. Reboot and enter BIOS. Set CFGLock to enable. Boot to Clover.

2. Call Shell.efi from Clover. Then call CFGLock.efi

 

Spoiler

IMG_0155.jpg

 

3. Reboot and enter BIOS.

Yes now I see CFGLock is disabled again!

Thanks, Brumbaer, it works!

  • Like 2
Link to comment
Share on other sites

On 6/17/2020 at 7:38 PM, Slice said:

Be sure you rebooted after use.

CFGLock.efi->reboot->MSR 0xE2 is unlocked

Yes, of course. Reboot many times, still with CFGLock.efi(just for check) and without - I see value "1" so somewhat was changed, but what? Because MSR 0xE2 remains locked(I check this by clover preboot.log and AppleIntelInfo tool in Hackintool). Finally I comeback default value("0") also via CFGLock.efi

 

Spoiler

toggle the value.jpg

 

 

Spoiler

after reboot.jpg

 

Link to comment
Share on other sites

19 hours ago, Tecnicaso Rico said:

Could this be another case of FW chip not declare as MMIO in ACPI and so the kernel ignores the MMIO region declared by the UEFI memory map, like in the case of 300 series motherboards?

The Fresh Think.:thumbsup_anim:

But how to check this?

Link to comment
Share on other sites

On 6/17/2020 at 10:29 PM, yapan4 said:

Yes, of course. Reboot many times, still with CFGLock.efi(just for check) and without - I see value "1" so somewhat was changed, but what? Because MSR 0xE2 remains locked(I check this by clover preboot.log and AppleIntelInfo tool in Hackintool). Finally I comeback default value("0") also via CFGLock.efi

 

 

I notice on your screenshot that the value before you toggle it with Y (Yes) was 0. 0 means CFGLock is disable (Not Lock). Then the second screenshot shows a value of 1 which means CFGLock is enable (It's Lock) and you typed N (NO) to leave it alone, but actually you left it Lock.

It seems you are doing it backwards and that you had it unlock from the beginning.

But some motherboards (like 300 series) won't have native NVRAM working because of a problem with there firmware. To get around this problem a SSDT is being used. You need to analyze your firmware and see if you can use this SSDT or maybe a modified version of this SSDT.

Search for SSDT-PMC, maybe you can find useful info... 

 

  • Like 1
Link to comment
Share on other sites

On 6/18/2020 at 3:48 AM, Tecnicaso Rico said:

It seems you are doing it backwards and that you had it unlock from the beginning.

You're right, a little confusion. Sorry for that. 

But the main conclusion remains the same - no matter what value CFGLock.efi shows, MSR 0xE2 still remained locked. It also turned out, that switching values in CFGLock.efi don't change BIOS setting "MSR Lock Control" and opposite.

 

Thank you for sending me to the SSDT-PMC, I will study...

Edited by yapan4
Link to comment
Share on other sites

  • 4 weeks later...

Thanks for your excellent tool, it was a breeze to unlock my GA Z170X gaming 5.

 

For some reason the conventional approach using the modified grub wasn't working, but with your tool there wasn't any problem.

 

Cheers!

Link to comment
Share on other sites

  • 2 weeks later...

@Brumbaer I have a Dell T7910 that has it's MSR 0xE2 locked on GUID below is there any way you could write the EFI for that GUID? it's under PpmInitialize on A33 of the Dell BIO's any help would be greatly welcomed! 

 

# PpmInitialize | Broadwell-E
3FFCAE95-23CF-4967-94F5-16352F68E43B 10 P:0FBA6C24400F:0FBA7424400F 

Link to comment
Share on other sites

  • 1 month later...
  • 1 month later...
On 6/1/2020 at 2:05 PM, Brumbaer said:

Some boards do not have a visible option for CFG Lock.

For those cases the Bootloaders offer options to not write to the MSR. An other way is to disable CFG Lock in the BIOS despite the fact that there is no option available in the user interface.

One way to do so is to use UEFITool, ifrextract and a patched Grub. Which is not only cumbersome, also it will work only, if the storage used for CFG Lock is in a certain varstore.

Generally speaking CFGLock.efi does what those tools do, but the only user interaction needed is to confirm that you want to toggle the CFG Lock value (on to off/off to on) and it works regardless where the CFG Lock option resides, as long as the BIOS has a CFG Lock option - hidden or not - in their HiiDatabase.

It is an EFI Application. Install it in the Tools folder of your OpenCore EFI and enter it under Misc->Tools in the config.plist.

The EFI must not be able to boot MacOS, it must just be able to show the picker.

It should also run as an application from the UEFI shell, but I haven't tested this.

CFGLock.efi.zip

Apparently it works fine on my PC. I have run CFGLock.efi from the UEFI shell to be able to take a screenshot of the process (if I run it directly from the OC menu, CrScreenshotDxe.efi did not work and I can't take screenshot).
Thank you and congratulations for your work. Simple and effective.

msr-lock.png.f5de03f0e5213b6ff7457d561a1cc057.png

Edited by miliuco
Link to comment
Share on other sites

 Share

×
×
  • Create New...