# SmokelessRuntimeEFIPatcher

# Disclaimer

**Use this at your own risk, I won't be responsible for any damage.**

Also, the code quality and the parsing engine are not that great, but they were the best I could come up with.

# What is this

This is a simple tool to inject and patch EFI modules at runtime. I developed this as I wasn't comfortable with SPI flashing, as it is not boring and requires opening the laptop for every small change, as with AMD you can't flash a new BIOS from the OS if it is not signed...

# Why this exists

The real reason why this exists is that, with an update, Lenovo removed the unlock backdoor [LenovoH2O-Unlocker](https://github.com/SmokelessCPUv2/LenovoH2O-Unlocker), so after an update I couldn't change some adv options (check [Unlocking Lenovo H2O Bios](#Lenovo-BIOS-Unlock)). I decided to develop a new way to do it....

# How this works

When the EFI app is booted, it looks for a file called *SREP_Config.cfg* containing a list of commands to execute, then executes them.

# Support/Donate

If you want to donate/support, please consider supporting on [Patreon](https://www.patreon.com/SmokelessCPU).

For a one-time donation, you can subscribe to Patreon for a month and then unsubscribe after the billing (I might add a PayPal in the future).

# How to use it

* Download the latest zip from the [Release Page](https://github.com/SmokelessCPUv2/SmokelessRuntimeEFIPatcher/releases/latest)
* Extract it to a USB drive, such that a folder called EFI exists in the USB root
* Create a SREP_Config.cfg and place it in the root of the USB
* Boot from the USB
* ??
* Profit

# SREP_Config Structure

The config file can contain multiple batches of operations. The syntax is:

    Op OpName1
        Argument 1
        Argument 2
        Argument n
    Op OpName2
        Argument 1
        Argument 2
        Argument n
    End

    Op OpName3
        Argument 1
        Argument 2
        Argument n
    End

# Implemented Operations

## LoadFromFS

Load an EFI file into memory from an EFI partition and set it as the target.

### Arguments

* FileName : The filename to load

## LoadFromFV

Load an EFI file into memory from the FV (Firmware Volume), i.e. the BIOS image, and set it as the target.

### Arguments

* SectionName : The section to load

## Loaded

Target an already loaded module.

### Arguments

* Name : The name of the loaded app to target

## Patch

Patch the previously loaded target.

### Arguments

* Pattern : Provide the pattern to find and the pattern to replace it with
* Offset : Provide an offset from the file start, and then the bytes to write there
* RelNegOffset/RelPosOffset : Provide a negative/positive offset from the previous Patch operation, and then the bytes to write there

## Exec

Execute the previously loaded module.

# To be Implemented

* [ ] Uninstall Protocol
* [ ] Lzma compressed object (very common on AMI BIOS)

# Example

This is an example of loading a simple EFI and executing it:

    Op LoadFromFS
        APP.efi
    Op Exec
    End

This is an example of loading a simple EFI, patching it by pattern, and executing it. It finds AABBCCDDEEFF and replaces it with AABBCCDDEEEE, then finds AABBCCDDAABB and replaces it with AABBCCDDAAAA:

    Op LoadFromFS
        APP.efi
    Op Patch
        Pattern
        AABBCCDDEEFF
        AABBCCDDEEEE
    Op Patch
        Pattern
        AABBCCDDAABB
        AABBCCDDAAAA
    Op Exec
    End

This is an example of using a relative offset. Find the pattern AABBCCDDEEFF (replace it with AABBCCDDEEFF, as we only want its start address), then write AABBCCDDAAAA at +50 from the pattern start:

    Op LoadFromFS
        APP.efi
    Op Patch
        Pattern
        AABBCCDDEEFF
        AABBCCDDEEFF
    Op Patch
        RelPosOffset
        50
        AABBCCDDAAAA
    Op Exec
    End

## Lenovo-BIOS-Unlock

Now a real example of how to use it to patch a Lenovo Legion BIOS to unlock the Advanced menu:

The target H2O is very simple with regard to which form is shown...
in the H2OFormBrowserDxe there is a simple array of struct:

    struct Form
    {
        GUID FormGUID;
        uint32_t isShown;
    };
    struct Form FormList[NO_OF_FORM];

The previous cE! backdoor was very simple and looked like this:

    if(gRS->GetVariable("cE!".....))
        for(int i=0;i