How to hack PC BIOS — CFG Unlock


If you want to turn your Windows PC into a Hackintosh with OpenCore, you had better unlock your BIOS first. macOS (Big Sur, for example) writes to MSR 0xE2 (MSR_PKG_CST_CONFIG_CONTROL) early in boot. When the BIOS option "CFG Lock" is enabled, bit 15 of that MSR is set and the register becomes read-only, so the write faults and the kernel panics unless you enable OpenCore's AppleCpuPmCfgLock/AppleXcpmCfgLock quirks as a workaround. Unlocking CFG Lock in the firmware removes the need for those quirks. This guide shows how to check the lock, find its offset in the BIOS setup variable, and clear it.

— === M E N U === —

🔬1. Test BIOS Locking Status
  • Download the Shell
  • Test Tool
  • Test BIOS Lock
💍2. Find CFG Lock Address
  • BIOS Tool: Ru.efi
  • Viewer+Converter of BIOS Image
  • Find the Address of CFG Lock
🔓3. Unlock CFG

🔬1. Test BIOS Locking Status


  • A bootable USB disk formatted as FAT32. Don’t waste your time creating a new one: your OpenCore bootable USB stick is fine.

Boot folder: /efi/boot

First back up all of the files in this folder, because we are going to replace OpenCore's BootX64.efi with a generic UEFI shell of the same name. My OpenCore USB:

Once the files are backed up, you can remove the original BootX64.efi now.

Download the Shell

Copy shell.efi to the boot folder and rename it to BootX64.efi.

Test Tool

OpenCore ships a tool to test your BIOS lock, called VerifyMsrE2.efi: it reads MSR 0xE2 on every core and reports whether bit 15 (the CFG lock bit) is set. Copy the file to the boot folder and rename it to v2.efi. (🤔 Don’t you think it has a ridiculously long name?!)

Setup BIOS

Restart and press the BIOS setup key (mine is F2). Let’s change the BIOS settings:

  • Set your password for BIOS
  • Disable Secure Boot
  • Enable F12 to boot options

Save.

Test BIOS Lock

Press F12 and choose the USB stick. The shell pops up; if it does not start on the USB filesystem, switch to it first (for example fs0:), then run:

Shell> v2.efi

Here is your best news: LOCKED! 😫
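The same check that VerifyMsrE2.efi performs can be done from a Linux live USB, which is handy when you want to confirm the result without rebooting into the shell. This is an added example, not the post's code and not OpenCore's tool; it assumes a Linux host with the `msr` kernel module loaded (`modprobe msr`) and root access to `/dev/cpu/<n>/msr`, and it uses Intel's layout of MSR_PKG_CST_CONFIG_CONTROL (0xE2), where bit 15 is the CFG lock bit.

```python
"""Check CFG Lock (MSR 0xE2 bit 15) from Linux instead of the UEFI shell.

Added example, not part of the original post or of OpenCore's VerifyMsrE2.
Assumes: Linux, `modprobe msr` done, root (the /dev/cpu/<n>/msr files).
Field layout is Intel's MSR_PKG_CST_CONFIG_CONTROL (0xE2).
"""
import glob
import os
import struct

MSR_PKG_CST_CONFIG_CONTROL = 0xE2
CFG_LOCK_BIT = 15          # once set, the MSR is read-only until the next reset


def decode_msr_e2(value: int) -> dict:
    """Split a raw 64-bit MSR 0xE2 value into the fields that matter here."""
    return {
        "raw": value,
        "cfg_lock": bool((value >> CFG_LOCK_BIT) & 1),
        # bits 3:0 = package C-state limit; the encoding is CPU-generation specific
        "pkg_cstate_limit": value & 0xF,
    }


def read_msr(cpu: int, msr: int) -> int:
    """Read one MSR through the msr driver: 8 bytes at file offset <msr>."""
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        data = os.pread(fd, 8, msr)
    finally:
        os.close(fd)
    return struct.unpack("<Q", data)[0]


def cfg_lock_status() -> dict:
    """Return {cpu_number: locked?} for every CPU. The bit is per core,
    so check all of them rather than only cpu0."""
    cpus = sorted(int(p.split("/")[3]) for p in glob.glob("/dev/cpu/*/msr"))
    return {
        cpu: decode_msr_e2(read_msr(cpu, MSR_PKG_CST_CONFIG_CONTROL))["cfg_lock"]
        for cpu in cpus
    }


if __name__ == "__main__":
    for cpu, locked in cfg_lock_status().items():
        print(f"cpu{cpu}: MSR 0xE2 CFG Lock = {'LOCKED' if locked else 'unlocked'}")
```

Run it as root; a result of LOCKED on any core means the firmware set the lock bit before handing over to the OS, which is exactly the situation the rest of this guide fixes.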

💍2. Find CFG Lock Address


BIOS Tool: Ru.efi

Download the latest beta and unzip with the corresponding password.


Copy Ru.efi to the boot folder.


Viewer+Converter of BIOS Image

Download both tools (UEFITool to browse the BIOS image, and the IFR extractor to convert the setup form into text) into a tool folder.

I rename the ifr…exe to ifr.exe because its name is too long.

BIOS Image

Download a BIOS update file from your motherboard vendor into the same folder. If it is a ZIP or EXE file, decompress it until you see the actual image file. For example:

Find the Address of CFG Lock

Open UEFITool:

Ctrl+F: search for the text “CFG Lock”.

It finds the section that contains the string. Double-click the result to jump to that section:

Right-click the section → Extract as is… and save it to your tool folder. Give it a name (here sec.sct).

Open a command prompt and change to your tool folder:

tools> ifr sec.sct sec.txt
Input: sec.sct
Output: sec.txt
Protocol: UEFI

Open sec.txt with your text editor:


Search for “cfg lock”:

I got “0x3E”. This is my lock. Please write down yours on a piece of paper or take a photo of it with your phone. Also note which variable store the question belongs to (the VarStoreId on the same line and the matching VarStore name, CpuSetup in this case) and the size of that store: RU.efi edits the variable by name, and an offset larger than the store size means you are looking at the wrong entry.
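Searching the text dump by hand works, but the same lookup can be scripted so that it also resolves the variable store (the name RU.efi asks for) and sanity-checks the offset against the store size. This is an added example, not code from the post, from UEFITool or from the IFR extractor; the line format is modelled on ifrextractor-rs text output, and SAMPLE_IFR is constructed for this example rather than taken from any real firmware (the GUIDs and offsets in it are illustrative).

```python
"""Find the CFG Lock offset and its variable store in an IFR extractor dump.

Added example (not the post's or any tool's code). Line format modelled on
ifrextractor-rs text output; SAMPLE_IFR is constructed, not real firmware.
"""
import re
from typing import Optional

SAMPLE_IFR = """\
VarStore Guid: B08F97FF-E6E8-4193-A997-5E9E9B0ADB32, VarStoreId: 0x1, Size: 0x42, Name: "CpuSetup"
VarStore Guid: 72C5E28C-7783-43A1-8767-FAD73FCCAFA4, VarStoreId: 0x2, Size: 0x10, Name: "SaSetup"
OneOf Prompt: "Overclocking Lock", Help: "...", QuestionFlags: 0x10, QuestionId: 0x1D, VarStoreId: 0x1, VarOffset: 0x3D, Flags: 0x10, Size: 8, Min: 0x0, Max: 0x1, Step: 0x0
  OneOfOption Option: "Disabled" Value: 0
  OneOfOption Option: "Enabled" Value: 1 (default)
End
OneOf Prompt: "CFG Lock", Help: "Configure MSR 0xE2[15], CFG lock bit", QuestionFlags: 0x10, QuestionId: 0x1E, VarStoreId: 0x1, VarOffset: 0x3E, Flags: 0x10, Size: 8, Min: 0x0, Max: 0x1, Step: 0x0
  OneOfOption Option: "Disabled" Value: 0
  OneOfOption Option: "Enabled" Value: 1 (default)
End
"""

HEX = r"0x[0-9A-Fa-f]+"
VARSTORE_RE = re.compile(
    rf'^VarStore Guid: ([0-9A-Fa-f-]+), VarStoreId: ({HEX}), Size: ({HEX}), Name: "([^"]+)"')
QUESTION_RE = re.compile(
    rf'^(?:OneOf|CheckBox|Numeric) Prompt: "([^"]+)".*?VarStoreId: ({HEX}), VarOffset: ({HEX}).*?Size: (\d+)')
OPTION_RE = re.compile(r'^\s+OneOfOption Option: "([^"]+)" Value: (\d+)(\s*\(default\))?')


def find_setting(ifr_text: str, prompt: str = "CFG Lock") -> Optional[dict]:
    """Locate a setup question by its prompt (case-insensitive, like the manual
    search for "cfg lock") and return store name/GUID, byte offset, size and
    the option values. Returns None when the prompt does not exist."""
    varstores = {}
    for line in ifr_text.splitlines():
        m = VARSTORE_RE.match(line)
        if m:
            varstores[int(m.group(2), 16)] = {
                "guid": m.group(1), "size": int(m.group(3), 16), "name": m.group(4)}
    found = None
    for line in ifr_text.splitlines():
        m = QUESTION_RE.match(line)
        if m and m.group(1).lower() == prompt.lower():
            store = varstores[int(m.group(2), 16)]
            offset = int(m.group(3), 16)
            if offset >= store["size"]:          # wrong entry or wrong store
                raise ValueError(
                    f"offset 0x{offset:X} outside {store['name']} (size 0x{store['size']:X})")
            found = {"store": store["name"], "guid": store["guid"], "offset": offset,
                     "size_bits": int(m.group(4)),   # "Size: 8" assumed to be in bits
                     "options": {}, "default": None}
            continue
        if found is not None:                    # collect this question's options
            o = OPTION_RE.match(line)
            if o:
                found["options"][o.group(1)] = int(o.group(2))
                if o.group(3):
                    found["default"] = int(o.group(2))
            elif line.strip() == "End":
                break
    return found


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_IFR
    r = find_setting(text)
    if r is None:
        print("CFG Lock not found in this dump")
    else:
        print(f"{r['store']} ({r['guid']}) offset 0x{r['offset']:X}: "
              f"options {r['options']}, default {r['default']}")
```

Run it as `python find_cfg_lock.py sec.txt` on your own dump; the printed store name and offset are the two values you type into RU.efi, and the option list tells you which value means "Disabled" (0 on this sample, as in the post) before you change anything.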

🔓3. Unlock CFG


Restart and boot the USB stick again. In the shell, run ru.efi:

Press any key to continue.

Alt+=: list the UEFI variables.

Select CpuSetup (or whichever variable store your IFR dump named).

0x3E: 01 ← Locked. Move to your own offset; it is probably a few pages down (PgDn). Check that the byte there is 01 before editing: if it is not, you are at the wrong offset or in the wrong variable, and writing there can corrupt other setup settings (recovery is usually "Load Defaults" or a CMOS clear, which also re-locks CFG).

Spacebar → 00 → Enter

Ctrl+W: save (this writes the modified CpuSetup variable back to NVRAM).


Alt+Q: Quit

Restart to USB again: v2.efi

Oh, yeah! Unlocked… Now you’ve stepped through the door of a BIOS engineer. Keep the offset handy: a BIOS update or a "Load Defaults" can re-enable CFG Lock, and a new BIOS version may move the setting to a different offset, so repeat step 2 before editing again.
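The RU.efi step above is one byte write into the CpuSetup NVRAM variable. The same edit can be made from a Linux live USB through efivarfs, which is useful when the shell route is not available, and it lets you validate the offset and the current value before anything is written. This is an added example and not the post's procedure nor what RU.efi does internally; it assumes the variable is exposed as `/sys/firmware/efi/efivars/CpuSetup-<guid>` (the GUID and offset come from the IFR dump; the GUID below is an illustrative default), that you are root, and that `chattr -i` has been run on that file first because efivarfs marks variables immutable. The efivarfs file layout is a 4-byte little-endian attribute word followed by the variable data, and a write must supply both in a single write() call. With the default `dry_run=True` nothing is written.

```python
"""Patch one byte of a BIOS setup variable through Linux efivarfs.

Added example, not part of the original post and not RU.efi's code.
Assumes: Linux, root, `chattr -i` done on the efivarfs file, and that
offset/GUID were taken from the IFR dump (step 2). efivarfs layout:
4-byte LE attributes + data; attributes+data must go in one write().
"""
import os
from typing import Optional

EFIVARS = "/sys/firmware/efi/efivars"
# Illustrative CpuSetup GUID; take yours from the VarStore line of the IFR dump.
EXAMPLE_CPUSETUP_GUID = "B08F97FF-E6E8-4193-A997-5E9E9B0ADB32"


def patch_setup_blob(blob: bytes, offset: int, new_value: int, expect: int = 0x01) -> bytes:
    """Return a copy of an efivarfs blob with data[offset] replaced.

    Refuses to touch anything if the blob has no attribute header, the offset
    lies outside the variable, or the current byte is not the value we expect
    (0x01 = CFG Lock enabled); each of those means "wrong offset or wrong
    variable", and a blind write there corrupts other setup settings."""
    if len(blob) < 4:
        raise ValueError("efivarfs blob too short (no attribute header)")
    attrs, data = blob[:4], bytearray(blob[4:])
    if not 0 <= offset < len(data):
        raise ValueError(f"offset 0x{offset:X} outside variable data (size 0x{len(data):X})")
    if data[offset] != expect:
        raise ValueError(f"data[0x{offset:X}] is 0x{data[offset]:02X}, expected "
                         f"0x{expect:02X}: wrong offset, or already changed")
    data[offset] = new_value & 0xFF
    return attrs + bytes(data)


def patch_efivar(name: str, guid: str, offset: int, new_value: int,
                 dry_run: bool = True) -> bytes:
    """Read <name>-<guid> from efivarfs, patch it, and (unless dry_run) write it back."""
    path = os.path.join(EFIVARS, f"{name}-{guid.lower()}")
    with open(path, "rb") as f:
        blob = f.read()
    patched = patch_setup_blob(blob, offset, new_value)
    if not dry_run:
        # O_WRONLY without O_TRUNC: efivarfs wants attributes + data in one write()
        fd = os.open(path, os.O_WRONLY)
        try:
            os.write(fd, patched)
        finally:
            os.close(fd)
    return patched


def describe_change(blob: bytes, patched: bytes) -> Optional[str]:
    """Human-readable diff of the one byte that changed (None if identical)."""
    for i, (a, b) in enumerate(zip(blob[4:], patched[4:])):
        if a != b:
            return f"data[0x{i:X}]: 0x{a:02X} -> 0x{b:02X}"
    return None


if __name__ == "__main__":
    # Dry run against the live variable: shows what would change, writes nothing.
    original = open(os.path.join(EFIVARS, f"CpuSetup-{EXAMPLE_CPUSETUP_GUID.lower()}"), "rb").read()
    new = patch_efivar("CpuSetup", EXAMPLE_CPUSETUP_GUID, 0x3E, 0x00, dry_run=True)
    print(describe_change(original, new))
```

Run the dry run first and confirm it reports exactly `data[0x3E]: 0x01 -> 0x00` (with your own offset); only then call `patch_efivar(..., dry_run=False)`, reboot, and re-check with v2.efi or the MSR reader above.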

Computer Science BS from SFSU. I have studied and worked on the Android system since 2017. If you are interested in my past work, please go to my LinkedIn.
