ACER 5742G BIOS modding (unhidden pages/enabled UEFI BOOT)

You will need ezH2O 2.1.0.13 or newer
All the values in the this bios (1.10) seem to be good (every option that's nice to have is enabled), except that, for me, UEFI boot isn't working.
Also, VSS modding doesn't seem to stick unless i change the value in both the Setup and the Custom variable, so I just did this with a hex editor (ACER doesn't have checksums on uncompressed VSS volumes). However, this requires a bios DUMP for each laptop, and then that to be modified. Instead, i like modifying the SetupUtility PE (well, actually the HII forms UEFI bytecode inside of its data section). This gives permanent option unlocking (just change the Suppress If statement to check some bogus variable for some bogus values).

You will need Python 2.6.x or 2.5.x installed and in your PATH for this to work, also copy the lzmadec.dll to it's dll dir.

First, we need the SetupUtility PE out of the bios, so do this:

Code:

python main.py PEW71110.fd

This will make a data folder with SetupUtility PE in it.
Then, we analyze the UEFI forms bytecode in this PE:

Code:

python dumpsetup2.py data\SetupUtility-mine.pe > bytecode.txt

Each form set listing starts with "Reading form 'Main'=7ecb0" where 7ecb0 is the offset in the PE where the HIIPACK header is located.
the HIIPACK header consists of 6 bytes: [UINT32 SIZE, UINT16 TYPE], so place the cursor at the offset, check intel little endian mode in your hex editor, and interpret the int of size. The UEFI bytecode is located in the area right after the 6 byte header, defined by size. You can see a list of opcodes inside dumpsetup2.py, for more information about a opcode you can just google it, and then follow the link to the Phoenix Wiki. Or consult the Intel EFI pdf that has definitions for most of them.


So, i wanted to expose the advanced boot options like UEFI BOOT, FAST BOOT, etc. I found the string in bytecode.txt, found the form package they're in ("Reading form 'Boot'=7f120"), and see why they're not displaying ("Suppress If LIST [0x85<1>] in (0x00,0x01,0x02,0x03,0x04)"
Now, we could either just hex edit our DUMPED bios to set the VSS var 0x85 to 0x05, but this would mess up some other pages where you will see unknown grayed out values, etc, and would be reset if you chose to restore to factory settings in the bios, or we could edit the UEFI bytecode to not check that variable anymore.
To do that, we find that the LIST check we want is "EFI_IFR_EQ_ID_LIST_OP = 0x14", so we search for first occurence of 0x14 in the uefi bytecode area (after the HII header), and see:

Code:

1411 8500 01 0500 0000 0100 0200 0300 0400

14 is our opcode, 11 is the length of it (+ additional bit, ignore it)
8500 is the variable we check
01 is the length (in bytes) we are checking
0500 is the size of the array of the values we are checking for
and after that we have values[5] of UINT16 for the values to check for
Since 0x85 is in the range of 0x00 to 0x05, i just changed the values to check for to : 0xFF 0xFE 0xFD 0xFC 0xFB, so our bytecode changes to:

Code:

1411 8500 01 0500 FF00 FE00 FD00 FC00 FB00

After we have done the change, we need a way to pack it back into our .fd image.
This is where ezH2O comes in.
Open the PEW71110.fd file in it.
You cannot open dumped ROMs (or any ROMs that have NVRAM in them) with ezH2O, as it will just crash while saving it later.
If it were a stable utility, i could just go to modules->replace and replace the SetupUtility with our modded PE
But that makes it crash.
So, after opening the .fd image in ezH2O, i opened WinHEX, opened the ezH2O primary memory in it
Now, we can search around the uncompressed memory of ezH2O.
To find the range we want to replace, simply select a big enough chunk of hex around the area you want to edit (make sure you can find only 1 occurence of it in the PE, make it a big enough chunk of hex)
Then search for that in WinHEX while having opened ezH2O's memory area.
If you get the message "Virtual memory layout has changed", simply exit WinHEX and attach to ezH2O's memory again and try again.
After changing the bytes you wanted, you can simply close WinHEX, there is no saving for memory.

Now, some people say that ezH2O won't even bother rewriting the image from uncompressed modules in RAM unless you change something in ezH2O before doing a save as.
To circumvent this, i just change the boot logo.
The preferred format to change it to is a 640x480 indexed PCX file.
I have put a link to the original ACER logo PCX in the bottom of this post, that you can use.
Don't worry if ezH2O asks you to change the format to 0x0 or some crazy thing, just click yes, it will change the logo image properly.
You can open the logo image dialog again, to verify that it changed properly.
After that, simply do a File->Save as and name it modified.fd or something.
Then you can flash this with the official InsydeFlash utility, either for windows or DOS.
I also like setting the ALL=0 option in platform.ini to ALL=1, this way it clears the passwords and some other things get reflashed as well.
To get the raw folder (instead of the self extracting exe you download from acer's site), you just run the exe from acer's site, and immediately close the CMD prompt that comes up.
You can find the raw folder inside your Windows' temp dir.
Copy your modified.fd as PEW71110.fd in that folder, overwriting the original one, and simply run DPJ.BAT on your laptop to flash it.

Now, the problem ive encountered is:
1. the UEFI BOOT variable in the bios is already set to [ENABLED], but UEFI BOOT is not working. This would mean that we require some modules that we don't have in our BIOS, or we need to modify some boot selector that decides where we boot. The problem is that ezH2O crashes when you try to modify a module, and just gives an error that i haven't given it the correct module type when i try to insert a new one. I've found a BIOS from some other ACER laptop that supposedly CAN UEFI boot, and extracted all it's modues using fsdump.py, and it indeed has more modules than the 5742G bios (like Terminal), but both our bios and their bios have the same BOOTX64.EFI strings, as well as INTERNAL EFI SHELL string etc, in the modules, which confuses me.
To extract all modules from a .fd image, first you will have to manually unLZMA it. To do this, open the .fd in a hex editor, and remove everything before the LZMA header (5D000080001000), then save it and run

Code:

lzma -c -d lzmacompressedfd.lzma > decompressed.bin
fvdump.py decompressed.bin
fsdump.py fv-00000010.bin

And you will get tons of files that correspond to the modules inside the fd image.

Files like python scripts, sample bios with extra options, and the boot logo pcx can be found at h t t p://rajko.info/acer/tools/
To get ezH2O, just google ezH2O 2.1.0.13 (earlier versions will crash on .fd load)
Python scripts made by Marcan and d6z, i just edited them with correct offsets for this bios image

EDIT: I've found why the pages weren't showing, the SetupUtility code, on form init, checked if the form set string ID was either 0x67 ("Advanced") or 0x283 ("Power"). Simply replacing these checks with NOPs made them show up.
To reiterate, i've replaced 83F867 0F849E000000 (cmp eax, 67h, jz) with 83F867 909090909090 (cmp eax, 67h, 6*nop) and 3D83020000 0F848A000000 (cmp eax, 283h, jz) with 3D83020000 909090909090 (cmp eax, 283h, 6*nop). These are at 0x1249 and 0x125B in SetupUtility PE, respectively. I've uploaded a bios image that unlocks these pages to the link above.

EDIT2: Just inserting new modules properly extracted from other ACER laptop models using ezh2o does make a valid efi image, but the laptop will just keep resetting before display init if you do this
However, you can safely remove the following modules: Chinese, JpegDecoder (if you're using a PCX boot logo) and also all the VGA BIOS for the graphics card you don't have, if you have nvidia, you can remove all ATOMBIOS ATI, vice versa if you have ATI
In case anyone cares, the recovery bios filename for the Acer Aspire 5742G is PEW71X64.fd and you can use any 4MB .fd file from acer's site for this model, put it on a fat16/fat32 formatted usb drive or a CD/DVD

EDIT3: I've also now uploaded new python scripts rar which includes a fsdump.py which follows ezH2O guid format, and also dumps the original .ffs as well as the separate sections, so you can try to import the ffs in ezH2O (it will work ,you need to change logo after import and before saving for ezH2O to notice, but whether your laptop can still boot is the question).
If your laptop doesn't boot, and you don't know the filename you need to use for recovery from usb/dvd to work, you will need to extract modules from the PEI section as well, which i don't know how to do manually using these tools. However, the Phoenix SLIC Editor Package, which supports insyde h2o bioses, can automagically extract all modules, including the PEI ones. Simply have it open your bios, and after you see the .ROM files being extracted, a dialog box will show up, and then you can harvest the .ROM files from the same folder the bios was in, in a subfolder called TEMP. Then simply search them for ".fd" (unicode) and see what the filename is. On mine, i had an ASCII hit as well, right next to TORITO, which is DVD bootsector related.

EDIT4: thing holding me back was that ezh2o bitflips the header crc byte of a FFS entry, so you have to bitflip that byte in fsdump.py as well, if you want to directly use extracted .ffs files to insert in ezh2o.
updated fsdump.py is in the rar above

I have achieved all my objectives.
The resulting bios file is here (v 1.24 from ACER's site): h t t p://rajko.info/acer/tools/ACER5742G_124_MoreOptionsMorePages_UEFIBOOT.rar
If you already have 1.24 flashed, run InsydeFlash.exe , otherwise run DPJ.bat to flash this bios
In the newer versions, ACER changed their boot logo, and removed some unused modules, so i had space to put in the UEFI stuff even without removing any modules !
Instead, there were Packard Bell, eMachines, and one more logo, that i just blanked out. The acer logo stayed the same so you will see nothing different if you use the logo
Blanking out the logos gave me more than enough space, so i didn't remove any modules from the firmware, just added additional ones.

 

you have to insert diskio, partition, emuvariable, launchapp, fat modules from a acer laptop that can uefi boot, like Acer Timeline 3810T-6415: V1.08 (SU9400) (nothing newer than 1.08 though since they disabled it in those)

 

I updated the original post with latest 1.24 version of the bios from acer's site, and this one has no modules removed so you can use it on any version of this laptop

also, for the optimus queries, i've tried and tried, but the problem is in HARDWARE setup
for OPTIMUS, the laptops display is connected to INTEL GRAPHICS, and when nvidia graphics is enabled, it finds a way to jack it from intel and use it for its own purposes
on NON OPTIMUS laptops, the laptops display is connected to NVIDIA grpahics, and intel graphics are just doing nothing and stay in disabled state (no PCI-E lanes occupied)

so, a simple software setting CANNOT change the mode you are in, it's a hardware thing

if you wish to install UEFI loaded Win7, you MUST select the "weird" boot entry from the F12 boot manager (like this: h t t p://images.rajko.info/IMG_20110913_002033.jpg), if you select the other one, your laptop will boot from MBR of the DVD, which will start the normal Win7 installation for BIOS-based computers. When you boot the disk this way, you will be FORCED to use a GPT partitioned hdd to install (if your hdd is MBR, you will have to remove and recreate all the partitions, and end up with something like h t t p://images.rajko.info/IMG_20110913_004126.jpg (the System partition isn't there on MBR disks)
otherwise, if you wish to install normal, BIOS-based WIN7, it will ONLY install on MBR disks, not GPT, and to do that, just boot from the device with the same name as your DVD drive (HLDST or whatever) from the F12 boot manager