Dell bios, how to decompose / mod.

what is the value for the RSDT table?

 

i am not sure it is correct strings position:

 

You need to login to view this posts content.

 

Too bad, well if abyone wants to test this method please pm me, I can prepare some bioses with the slic table inserted this way and the RSDT table edited the same way we do with the other mods (sounds promissing)
SLIC 1.0 to 2.1 for Dell!

 

Do you plan to describe what/how exactly you do it?
I.e. it's probably 2 steps process

1. Insert SLIC into unused space, but do not correct ANY XSDT stuff. Make sure it’s actually there using any suitable program.
2. Make a correction to XSDT, not necessarily to include SLIC, just add something insignificant, which shouldn’t affect boot process. Although the most insignificant thing is SLIC, right?
3. Combine both mods.

Just looking for better way to test…
IMO step #1 is quite important.
Need to think more about #2 – any ideas are welcome!

 

You need to login to view this posts content.

 

You need to login to view this posts content.

 

Adding the slic module

Here I will put my ideas, theories on this part!
PLEASE - THIS IS ONLY HERE TO BRING DISCUSSION, TO ACTUALLY PUT THIS CODE IN YOUR BIOS COULD VERY WELL RISK BRICKING THE BIOS!
OK, since the SLIC marker is not defined in the bios already it is my understanding that the entire 374 byte slic must be presented in one piece, if I am wrong then please correct me. I do not know all the answers, perhaps Yen or someone will correct me on that, if it can still be presented in 3 pieces, ie, the SLIC table, the SLIC marker and the PUBKEY all seperately the this may be easier, we already have compressed versions of the markers and pubkeys from the other bioses!
The rest of this will only be my personal ideas, maybe they are wrong, maybe they will point someone in the right direction or give them ideas!
I figure we have 2 options
1.) Introduce the entire slic table in one module, since we don't know the compression alogorithm just leave it uncompressed but contained in one slic module with an unique index (indentifier) byte
2.) Introduce the entire slic table in one module, we already have an idea what the marker and pubkeys look like compressed, just enter the beginning of the module ahead of the rest, it could very well end up looking the same anyways
I also have some more ideas about the modules themselves, some of you may have already read places where I have mused about the first byte in these modules, I believe there is an additional byte place at the start of the module, perhaps identifying the module type? Reading my original instructions for the SLIC -> SLIC 2.1 upgrades you see the marker module always begins with the hex value "40", the pubkey module always begins with "00", but that one is more difficult to identify, I am sure I seen the module start with "40" once in a Dell server bios though, perhaps I will track that down if needed to back up this theory of mine.. that byte(s) is included in the length bytes so that would bring the length of the entire slic table to 375 or 177h bytes.
IF <- note the capitals! IF what I suspect were true an uncompressed SLIC table could look something like this

Code:

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000000   77 01 56 00 53 4C 49 43  76 01 00 00 01 8A 44 45   w.V.SLICv....ŠDE
00000010   4C 4C 20 20 4D 30 39 20  20 20 20 00 12 0C D8 27   LL  M09    ...Ø'
00000020   41 53 4C 20 61 00 00 00  00 00 00 00 9C 00 00 00   ASL a.......œ...
00000030   06 02 00 00 00 24 00 00  52 53 41 31 00 04 00 00   .....$..RSA1....
00000040   01 00 01 00 7F F6 C1 05  BE 5C 57 63 A5 8A 68 F3   .....öÁ.¾\Wc¥Šhó
00000050   6E 8F 06 FA AF B4 9F 68  82 23 EC 50 40 5A 73 7F   n..ú¯´Ÿh‚#ìP@Zs.
00000060   EC E4 07 CB DC 25 1A 9C  E3 E3 66 11 E0 A5 98 06   ìä.ËÜ%.œããf.क़.
00000070   C5 80 0A FA 42 93 86 98  E7 D5 1B D4 D7 3A A4 0B   Å€.úB“†˜çÕ.Ô×:¤.
00000080   EE E2 7D BE 5F 5B 15 0C  AB D0 21 DE BF E9 B5 6E   îâ}¾_[..«Ð!Þ¿éµn
00000090   A4 57 B9 8C 0C D2 BA 3A  69 30 76 94 71 A2 64 D7   ¤W¹Œ.Òº:i0v”q¢d×
000000A0   4C D8 85 BF DF A5 6A C8  DC 45 D5 4D 8C B8 8C 05   LØ…¿ß¥jÈÜEÕMŒ¸Œ.
000000B0   2F FC 2E 23 C4 29 C5 6F  3F 29 6C 6D 57 79 0E B6   /ü.#Ä)Åo?)lmWy.¶
000000C0   75 ED 21 95 01 00 00 00  B6 00 00 00 00 00 02 00   uí!•....¶.......
000000D0   44 45 4C 4C 20 20 4D 30  39 20 20 20 20 00 57 49   DELL  M09    .WI
000000E0   4E 44 4F 57 53 20 01 00  02 00 00 00 00 00 00 00   NDOWS ..........
000000F0   00 00 00 00 00 00 00 00  00 00 6E EF 2F 10 A5 23   ..........nï/.¥#
00000100   4C 3A 45 03 F4 B6 9F CB  E6 C8 07 17 97 F7 24 FC   L:E.ô¶ŸËæÈ..—÷$ü
00000110   EA 12 CD 73 C8 AE 7E E4  2F 7A 65 50 11 53 0D 97   ê.ÍsÈ®~ä/zeP.S.—
00000120   58 47 CD 1F F0 27 1E D6  30 CD 0C DB 01 D5 43 24   XGÍ.ð'.Ö0Í.Û.ÕC$
00000130   12 70 CA 24 F4 DF A7 49  B2 98 1D 99 01 3C ED FC   .pÊ$ôߧI²˜.™.<íü
00000140   13 0D 37 C6 DA 59 05 BF  70 93 78 45 E2 10 5D D7   ..7ÆÚY.¿p“xEâ.]×
00000150   DA 6F 6A EE 44 BB A4 E1  C5 E3 E9 A8 7D 98 10 14   ÚojîD»¤áÅãé¨}˜..
00000160   CA C7 3A 36 7F 92 41 AD  6F 36 EB 33 6E C9 75 05   ÊÇ:6.’A*o6ë3nÉu.
00000170   21 F5 25 EB E6 71 E5 D3  60 9C                     !õ%ëæqåÓ`œ

where the "77 01" are the length bytes and "56" is the index or identifier byte, I could only speculate whether the first byte should be "00" or "40" and am only speculating that the index byte could likely be just about anything as long as it isn't already being used, most of the slic tables seem to have index bytes like 29, 2A, 55, 56 (I think from memory) Most of the older bioses seem to have all the main bios code in one large section after what is likely the boot block area at the beginning identified by a very large section of "FF FF"s, I would think tha placing this module at the end of that section, at the start of the next large block of "FF"s would be best and safest!

 

Maybe this is all hogwash, but I thought if I posted some ideas then perhaps we can get this started, or give up on it all together. I still think that this whole idea could be possible, perhaps since we can parse the entire bios, perhaps someone that is VERY good with compression methods can look at the parsed bioses in the post on the previous page!
I've had these ideas for a while now, only just last night decided to have a closer look at parsing the bioses to show my point (and because I was provided some links to use as reference) It was very useful as I had a look and was easily able to recognise the index/length bytes. There is actually a current server model that only uses the 2 length bytes as well so that really was no surprise...
So I am thinking, this brings me more questions,
1.) I have seen requests before to remove the computrace module, I suppose that could be done? (I suppose it probable wouldn't be that easy, or could it?)
2.) If one were able to identify the cpu update module, and there were two bioses for the same chipset, one could swap the cpu update module for added processor support?
3.) If one bios has a whitelist for certain add-ons one could either swap that module for one from a bios version without the whitelist, or (and I have no idea, but) if the whitelist were somehow all contained in a module that had no other purpose, remove the whitelist module?

 

So, it isn't working as of yet?
Or no feedback from the testers? I thought they were supposed to supply you with more details, etc?

Anyway, it seems there is at least a possibility you get this sorted.
Hopefully in 2010 i have a Windows 7 compatible Dimension 8300!
Should help me out while i save for a new computer (yes, i did notice my system is from 2004!)

Thanks,

Allegro16.

 

well, I was never able to re-create the original bios flash of Harry's and he must have flashed his pc afterwards because the bios is different, on the brighter side, he and others are working on testing my idea about building a slic module (a couple posts back), we are taking it very slow, different schedules, holidays etc. Hoping for some results back today, as long as they are not disastrous I hope to be able to "play" around with the module for the slic without bricking anything until we can figure out what may work. No one has claimed my ideas are impossible and I figure if a slic table can be placed at the end of the bios without disastrous results (we have done that several times so far), why not a slic in a module? I think it is possible, looking at the hex in a phoenix bios, a module can be created and just hex edited in, it is just data after all, nothing to do with the boot process, you just need the correct header information for the acpi06 module or whatever (I hope). So far we have put data at the end of the bios without disastous effect, so this step is just trying to create an actual rom with header information, we know how it may look, the possible problems are probably just that first byte I have talked about
I am out of town for the next few days, I will try to check in and keep everyone up to date with any results
Shakey

 

Well,

Still it looks better for us with older Dell's out here!

Hopefully, soon you'll have good news!

Thanks again,

Allegro.

-Dimension 8300

 

Hopefully Shakey can get it to flash. It sounded promising..

 

Trying to figure out compress algo (LZ variation?) – should be piece of cake for experts.
Can somebody help?
Once done – we can definitely replace Dell BIOS modules easily and hopefully insert new ones too.
Below are two pieces of Dimension 4600 A12 BIOS, module 1 (D4600A12.rom, offset 10000h)

Code:

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
-----------------------------------------------------------
00000000   F0 00 43 6F 70 79 72 69  67 68 74 20 31 39 38 35   ð.Copyright 1985
00000010   2D 02 04 F0 0F 38 20 50  68 6F 65 6E 69 78 20 54   -..ð.8 Phoenix T
00000020   65 63 68 6E 6F 6C 6F 67  69 65 73 20 4C 74 64 2E   echnologies Ltd.
00000030   20 20 20 0C 2F A0 38 2D  32 30 30 34 20 44 65 6C      ./ 8-2004 Del
00000040   6C 02 18 50 6D 70 75 74  65 72 02 21 80 72 70 6F   l..Pmputer.!€rpo
00000050   72 61 74 69 6F 6E 02 30  00 41 02 1A 04 5F B0 73   ration.0.A..._°s
00000060   20 72 65 73 65 72 76 65  64 2E FF E0 FF E0 FF E0    reserved


Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
-----------------------------------------------------------
00000000   43 6F 70 79 72 69 67 68  74 20 31 39 38 35 2D 31   Copyright 1985-1
00000010   39 38 38 20 50 68 6F 65  6E 69 78 20 54 65 63 68   988 Phoenix Tech
00000020   6E 6F 6C 6F 67 69 65 73  20 4C 74 64 2E 20 20 20   nologies Ltd.   
00000030   43 6F 70 79 72 69 67 68  74 20 31 39 38 38 2D 32   Copyright 1988-2
00000040   30 30 34 20 44 65 6C 6C  20 43 6F 6D 70 75 74 65   004 Dell Compute
00000050   72 20 43 6F 72 70 6F 72  61 74 69 6F 6E 2E 20 20   r Corporation.  
00000060   41 6C 6C 20 72 69 67 68  74 73 20 72 65 73 65 72   All rights reser
00000070   76 65 64                                           ved

Very same algo is used for XPS 400-Dimension 9150 parsed by shakeyplace

 

I put aside efforts to figure out compression algorithm – I’m not good enough in this area and don’t know where to seek for a help either. Although, algorithm seemed to be quite easy…

Anyway, did some research on HRD file structure and wrote a simple tool to extract modules (they are still compressed thought)
Basically HDR file consist of sections.
Each section contains one or more modules.
If section length not divisible by 2KB (2048B) it’s padded by FF.
Modules are saved in the chain structure (as described by shakeyplace)
I found 3 chain types:
For HDR starting with 00000000 24 52 42 55 54 01 $RBUT.
Aka $RBUT01
(A) 2 bytes module length + 1 byte module type (OptiPlex GX620, Dimension 4600)
(B) 1 byte module type + 4 bytes module length (Latitude D620)

For HDR starting with 00000000 24 52 42 55 54 02 $RBUT.
Aka $RBUT02
(C) 4 bytes module length + 1 byte module type

Chains (B) and (C) may contain pubkey and marker

Latitude D620 - D620_A10.hdr

Code:

Section #00 starts 020054
#01 (01) 009061 <= 020054-0290BA
#02 (08) 005738 <= 0290BA-02E7F7
Section #01 starts 040054
#01 (0E) 00D614 <= 040054-04D66D
#02 (03) 009242 <= 04D66D-0568B4
#03 (04) 001EC3 <= 0568B4-05877C
#04 (05) 01A2EF <= 05877C-072A70
#05 (07) 001FFF <= 072A70-074A74
#06 (12) 0002F7 <= 074A74-074D70
#07 (10) 000A32 <= 074D70-0757A7
#08 (55) 00009E <= 0757A7-07584A  <- pubkey
#09 (56) 0000A9 <= 07584A-0758F8  <- marker
#10 (32) 00059B <= 0758F8-075E98
#11 (30) 00097B <= 075E98-076818
#12 (11) 000B92 <= 076818-0773AF
#13 (33) 000531 <= 0773AF-0778E5
#14 (31) 00097B <= 0778E5-078265
#15 (13) 009E53 <= 078265-0820BD
#16 (58) 006ABC <= 0820BD-088B7E
#17 (0A) 00ABD9 <= 088B7E-09375C
#18 (25) 00C1D0 <= 09375C-09F931
#19 (0D) 000709 <= 09F931-0A003F
#20 (4E) 011F5D <= 0A003F-0B1FA1
#21 (15) 002C3E <= 0B1FA1-0B4BE4
#22 (0F) 0075FA <= 0B4BE4-0BC1E3
#23 (16) 000133 <= 0BC1E3-0BC31B
#24 (47) 0003CF <= 0BC31B-0BC6EF
#25 (48) 00003D <= 0BC6EF-0BC731
#26 (49) 0052AF <= 0BC731-0C19E5
#27 (4A) 009C71 <= 0C19E5-0CB65B
#28 (4B) 0010B1 <= 0CB65B-0CC711
#29 (4D) 01036F <= 0CC711-0DCA85

OptiPlex 745 - o745-263.hdr

Code:

#01 (2C) 00AEA3 <= 000054-00AEFC
#02 (01) 0062CB <= 00AEFC-0111CC
#03 (02) 005804 <= 0111CC-0169D5
#04 (03) 008876 <= 0169D5-01F250
#05 (12) 000760 <= 01F250-01F9B5
#06 (32) 00093F <= 01F9B5-0202F9
#07 (05) 010A4D <= 0202F9-030D4B
#08 (28) 00A075 <= 030D4B-03ADC5
#09 (08) 00ADC6 <= 03ADC5-045B90
#10 (21) 00768D <= 045B90-04D222
#11 (0B) 008D64 <= 04D222-055F8B
#12 (35) 000627 <= 055F8B-0565B7
#13 (17) 00236C <= 0565B7-058928
#14 (15) 004AFB <= 058928-05D428
#15 (14) 015480 <= 05D428-0728AD
#16 (16) 00137A <= 0728AD-073C2C
#17 (0F) 000439 <= 073C2C-07406A
#18 (33) 012479 <= 07406A-0864E8
#19 (29) 00009E <= 0864E8-08658B  <- pubkey
#20 (2A) 0000A9 <= 08658B-086639  <- marker
#21 (34) 0052B5 <= 086639-08B8F3
#22 (1D) 00057E <= 08B8F3-08BE76
#23 (1A) 000A5B <= 08BE76-08C8D6
#24 (1B) 0002D8 <= 08C8D6-08CBB3
#25 (23) 00092E <= 08CBB3-08D4E6

Yet some section format is unknown to me:
Latitude D620 - D620_A10.hdr

Code:

Offset      0  1  2  3  4  5  6  7   8  9 10 11 12 13 14 15
-----------------------------------------------------------
00000080   00 00 00 00 FF FF FF FF  FF FF FF FF FF FF FF FF   ....яяяяяяяяяяяя
00000096   FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF   яяяяяяяяяяяяяяяя
00000112   FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF   яяяяяяяяяяяяяяяя

Bootloader? “EL TORITO SPECIFICATION”
00020050   FF FF FF FF 01 61 90 00  00 F0 00 43 6F 70 79 72   яяяя.a_..р.Copyr
00020060   69 67 68 74 20 31 39 38  35 2D 02 04 F0 0F 38 20   ight 1985-..р.8 
00020070   50 68 6F 65 6E 69 78 20  54 65 63 68 6E 6F 6C 6F   Phoenix Technolo

Main BIOS?
00040050   FF FF FF FF 0E 14 D6 00  00 0D 00 E0 06 20 00 98   яяяя..Ц....а. ._
00040060   53 30 30 4E 59 E1 06 20  00 C8 3F 31 30 4E 59 E4   S00NYб. .И?10NYд
00040070   06 20 00 88 00 30 42 4E  59 E8 06 20 00 58 10 30   . ._.0BNYи. .X.0

???
000E4050   FF FF FF FF 44 65 6C 6C  20 53 79 73 74 65 6D 20   яяяяDell System 
000E4060   4C 61 74 69 74 75 64 65  20 44 36 32 30 00 00 00   Latitude D620...
000E4070   00 00 C2 01 41 31 30 FE  00 00 00 00 00 00 00 00   ..В.A10ю........

???
000F0050   FF FF FF FF 46 3A 52 00  00 F0 0B 44 65 6C 6C 20   яяяяF:R..р.Dell 
000F0060   53 79 73 74 65 6D 20 4C  61 74 69 74 75 64 65 20   System Latitude 
000F0070   44 36 32 30 00 E0 03 50  C2 01 41 31 30 FE 03 0A   D620.а.PВ.A10ю..

Boot record Signature AA55 ??? Some recovery mechanism???
000F8050   FF FF FF FF AA 55 21 00  00 00 19 0D B0 0C 00 00   яяяяЄU!.....°...
000F8060   4E 00 00 00 FF FF CF 00  48 03 00 00 00 00 00 00   N...яяП.H.......
000F8070   00 00 00 00 00 0F 6E FB  0F 73 F7 20 8B EF 8B 7C   ......nы.sч <п<|

Keyboard BIOS (same as -writekromfile)
01048640   FF FF FF FF E9 3D A0 00  78 01 37 00 FF FF FF FF   яяяяй= .x.7.яяяя
01048656   FF FF FF FF 7A 47 CC 8A  02 00 61 20 00 5E 02 10   яяяяzGМ_..a .^..
01048672   03 00 00 20 00 56 02 10  0B 00 00 20 00 4E 02 10   ... .V..... .N..
01048688   13 00 00 20 00 46 02 10  1B 00 00 20 00 3E 02 10   ... .F..... .>..

To be continued in the next post…