I missed a kind of trifle, but it is very important. Again I'm at an impasse. Untangling the tangle, I had to start again about ten times. Now it is quite clear what comes next: execution of code starts at offset F4030 with a jump to F4248. I wrote about this jump above; it then enters the working routine for calculating the transition address. It is the main "mechanism" for this block. Look at this:

Code:
D810_A05.rom (called by me "Pre_boot", aka 03-01-00.bin after unpacking with Apokrif's tool)
Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
000F4000  20 44 65 6C 6C 20 53 79 73 74 65 6D 20 4C 61 74   Dell System Lat
000F4010  69 74 75 64 65 20 44 38 31 30 00 00 00 00 86 01   itude D810 †
000F4020  41 30 35 FE 00 00 00 00 55 00 00 00 00 00 00 00   A05ю U
000F4030  E9 15 02 00 00 00 00 00 00 00 00 00 00 00 00 00   й
000F4040  B0 4A 58 44 61 53 01 03 AA 73 20 49 45 52 02 03   °JXDaS Єs IER
000F4050  CD 4A 69 4F 49 53 03 03 9E 4E 6E 64 68 53 0F 01   НJiOIS ћNndhS
000F4060  E2 4F 6E 68 53 65 34 04 8E 45 20 65 72 70 12 01   вOnhSe4 ЋE erp
000F4070  05 43 74 6F 6F 62 04 03 39 4E 42 41 6D 50 05 03   Ctoob 9NBAmP
000F4080  63 4E 68 63 61 43 08 03 5E 74 70 43 54 52 0A 01   cNhcaC ^tpCTR
....
000F4220  A0 53 4B 33 65 52 4F 02 C4 53 69 6D 73 41 50 02   *SK3eRO ДSimsAP
000F4230  CE 53 65 68 63 52 51 00 A6 42 6C 61 65 52 52 00   ОSehcRQ ¦BlaeRR
... etc.
000FFFFF

Highlighted are:
- the address of the jump to the code block in the same segment (aka 000F0000);
- the code block "name";
- the tag (if tag=00 -> end).

The "name" can be understood as saying what this unit is in charge of. But I'm not sure that all blocks will be executed.
This is the main "mechanism", disassembled by IDA and me. Look at this:

Code:
F000:4263
F000:4263 loc_F4263:                           ; CODE XREF: F000:5E9AJ
F000:4263     mov     bx, 4038h
F000:4266     shl     ebx, 10h                 ; ebx=40380000
F000:426A
F000:426A loc_F426A:
F000:426A     mov     bx, 3
F000:426D
F000:426D loc_F426D:
F000:426D     movd    mm0, ebx                 ; mm0=40380003
F000:4270
F000:4270 Calc_Address_Routing:                ; CODE XREF: F000:loc_F42A4j
F000:4270     movd    ebx, mm0                 ; Move 32 bits
F000:4273     add     ebx, 80000h              ; Add
F000:427A     movd    mm0, ebx                 ; 0) mm0=40400003 (cycle 1)
F000:427A                                      ;  -> mm0=40480003 (cycle 2)
F000:427A                                      ;  -> mm0=40500003 (cycle 3)
F000:427A                                      ; 1) mm0=40580003 (cycle 4)   *1a) mm0=40580004
F000:427A                                      ; if shutdown by power        | if shutdown occurred
F000:427A                                      ; then -> (2)                 | for other reasons -> (a)
F000:427A                                      ;
F000:427A                                      ; 2) mm0=40600003             | a)  mm0=40600004 (5)
F000:427A                                      ;                             | 2a) mm0=40680004 (6)
F000:427A                                      ;                             | 3a) mm0=40700004 (7)
F000:427A                                      ;                             | 4a) mm0=40780004 (8)
F000:427A                                      ;                             | 5a) mm0=40800004 (9)
F000:427A                                      ;                             | 6a) mm0=40880004 (10)
F000:427A                                      ;                             | 7a) mm0=40900004 (11)
F000:427D     mov     al, bl                   ; al=03 (1-2)
F000:427D                                      ; al=04 (a)
F000:427F     shr     ebx, 10h                 ; bx=4040 (->)
F000:427F                                      ; bx=4048 (->)
F000:427F                                      ; bx=4050 (->)
F000:427F                                      ; bx=4058 (1)
F000:427F                                      ; bx=4060 (2); bx=4060 (->)
F000:427F                                      ; bx=4068 (2a)
F000:427F                                      ; bx=4070 (3a)
F000:427F                                      ; bx=4078 (4a)
F000:427F                                      ; bx=4080 (5a)
F000:427F                                      ; bx=4088 (6a)
F000:427F                                      ; bx=4090 (7a)
F000:4283     test    cs:[bx+7], al            ; 00) 03 (f000:4047)=03, ZF=1
F000:4283                                      ; ->) 03 (f000:404F)=03, ZF=1
F000:4283                                      ; ->) 03 (f000:4057)=03, ZF=1
F000:4283                                      ; 01) 01 (f000:405F)<03, ZF=0   1a) 01 (f000:405F)<04, ZF=0
F000:4283                                      ;     go to f000:4289
F000:4283                                      ; 2)  04 (f000:4067)>03, ZF=0   !2a) 04 (f000:4067)=04, ZF=1 (5)
F000:4283                                      ;                                    01 (f000:406F)<04, ZF=0 (6)
F000:4283                                      ;     go to f000:4289
F000:4283                                      ; 3)  01 (f000:406F)<03, ZF=0   3a) 03 (f000:4077)<04, ZF=0 (7)
F000:4283                                      ;                               4a) 03 (f000:407F)<04, ZF=0 (8)
F000:4283                                      ;                               5a) 03 (f000:4087)<04, ZF=0 (9)
F000:4283                                      ;                               6a) 01 (f000:408F)<04, ZF=0 (10)
F000:4283                                      ;                               7a) 03 (f000:4097)<04, ZF=0 (11)
F000:4287     jz      short loc_F42A4          ; Jump if Zero (ZF=1)
F000:4289     mov     eax, cs:[bx+2]           ; eax=5368646e (1) "Shdn"
F000:4289                                      ; if shutdown by              | if shutdown occurred
F000:4289                                      ; power on (soft reset)       | for other reasons
F000:4289                                      ; eax=6553686E (2) "eShn"     | *eax=70726520 (2a) "pre_"
F000:4289                                      ;                             | *eax=626f6f74 (3a) "boot"
F000:4289                                      ;                             | *eax=506d4142 (4a) "PmAB"
F000:4289                                      ;                             | *eax=43616368 (5a) "Cach"
F000:4289                                      ;                             | *eax=52544370 (6a) "RTCp"
F000:4289                                      ;                             | *eax=496E4150 (7a) "InAP"
F000:428E     cmp     eax, 0                   ; Compare Two Operands
F000:4292     jz      short loc_F429C          ; Jump if Zero (ZF=1)
F000:4294     mov     sp, 429Ah
F000:4297     jmp     OUTPUT_DELL_INDICATOR    ; manufacturer port

to be continued...
The first jump offset is :4058; the code block name is "Shdn", aka shutdown.

Code:
Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
000F4050                          9E 4E 6E 64 68 53 0F 01   ћNndhS
....
000F4E90                                            E4 64   дd
000F4EA0  A8 04 74 20 B0 8F E6 70 E4 71 3C 04 72 16 3C 0B   Ё t ° жpдq< r <
000F4EB0  74 12 3C 0C 77 0E 0F 7E C0 66 83 E0 FC 66 83 C8   t < w ~АfѓаьfѓИ
000F4EC0  04 0F 6E C0 C3 81

Disassembling:

Code:
F000:4E9E ; ---------------------------------------------------------------------------
F000:4E9E ; Read the shutdown condition of the laptop
F000:4E9E
F000:4E9E Shdn:                                  ; CODE XREF: F000:429FJ
F000:4E9E                                        ; AT keyboard controller 8042, read status reg.
F000:4E9E                                        ; check bits 3-0, set flag ZF if al=00000100b
F000:4E9E                                        ; Bit   value
F000:4E9E                                        ; #0 == output buffer full: 0 no data (empty), 1 has data
F000:4E9E                                        ; #1 == input buffer full:  0 no data (empty), 1 has data
F000:4E9E                                        ; #2 == 0 power-on reset, 1 system
F000:4E9E                                        ; #3 == command/data: 0 write to port 60h (data),
F000:4E9E                                        ;                     1 write to port 64h (command)
F000:4E9E     in      al, 64h
F000:4EA0     test    al, 4                      ; jump if reset was called by the system
F000:4EA2     jz      short locret_F4EC4         ; executed if reset was called by "Power On":
F000:4EA4                                        ; CMOS memory: write to the port the value 10001111b
F000:4EA4                                        ; NMI disable, reg = 0F shutdown status byte
F000:4EA4     mov     al, 8Fh
F000:4EA6     out     70h, al
F000:4EA8                                        ; CMOS memory: read shutdown status byte value:
F000:4EA8                                        ; 00 Power on or soft reset
F000:4EA8                                        ; 01 Memory size pass, shut down after
F000:4EA8                                        ; 02 Memory test pass, shut down after memory test
F000:4EA8                                        ; 03 Memory test fail, shut down with memory error
F000:4EA8                                        ; 04 POST complete; boot system, shut down
F000:4EA8                                        ; 05 JMP DWORD request with INT init pointer with EOI
F000:4EA8                                        ; 06 Protected mode test 7 passed
F000:4EA8                                        ; 07 Protected mode test 7 failed
F000:4EA8                                        ; 08 Protected mode test 1 failed
F000:4EA8                                        ; 09 Int 15h block move shutdown request
F000:4EA8                                        ; 0A JMP DWORD request without INT init (EOI)
F000:4EA8                                        ; 0B Used by 80386
F000:4EA8     in      al, 71h
F000:4EAA     cmp     al, 4                      ; Compare Two Operands
F000:4EAC     jb      short locret_F4EC4         ; if al<04
F000:4EAE     cmp     al, 0Bh                    ; Compare Two Operands
F000:4EB0     jz      short locret_F4EC4         ; if special 80386 shutdown
F000:4EB2     cmp     al, 0Ch                    ; Compare Two Operands
F000:4EB4     ja      short locret_F4EC4         ; Jump if Above (CF=0 & ZF=0)
F000:4EB6                                        ; if shutdown occurred for other reasons,
F000:4EB6                                        ; rewrite mm0 with new end = 04
F000:4EB6     movd    eax, mm0
F000:4EB9     and     eax, 0FFFFFFFCh
F000:4EBD     or      eax, 4
F000:4EC1     movd    mm0, eax
F000:4EC4
F000:4EC4 locret_F4EC4:                          ; CODE XREF: F000:4EA2j
F000:4EC4                                        ; F000:4EACj ...
F000:4EC4     retn                               ; cs:ip=f000:42A2
F000:4EC5 ; ---------------------------------------------------------------------------

This is the general code that determines the branching. I describe everything in such detail because I cannot understand where the mistake is. If I go to the branch "tag 03" I come to a standstill:

Code:
Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
000F4060  E2 4F 6E 68 53 65 34 04                           вOnhSe4
...
F000:4FE2 ; ---------------------------------------------------------------------------
F000:4FE2
F000:4FE2 eShn:                                  ; CODE XREF: F000:429Fj
F000:4FE2     mov     sp, 4FE8h
F000:4FE5     jmp     HB_PAM0_SET
F000:4FE8 ; ---------------------------------------------------------------------------
....
F000:5E9C ; ---------------------------------------------------------------------------
F000:5E9C
F000:5E9C HB_PAM0_SET:                           ; CODE XREF: F000:4FE5j
F000:5E9C     mov     dx, 0CF8h
F000:5E9F     mov     eax, 80000090h             ; Dev.0, Func.0, reg offset 90
F000:5E9F                                        ; Host Bridge Programmable Attribute Map 0
F000:5E9F                                        ; 0F0000-0FFFFF Attribute (HIENABLE):
F000:5E9F                                        ; this field controls the steering of
F000:5E9F                                        ; read and write cycles that address
F000:5E9F                                        ; the BIOS area from 0F0000 to 0FFFFF.
F000:5EA5     out     dx, eax                    ; read offsets 90,91,92,93
F000:5EA7     mov     dl, 0FCh
F000:5EA9     mov     al, 10h
F000:5EAB     out     dx, al                     ; write reg. offset 90 (HIENABLE)
F000:5EAB                                        ; new value al=00010000b
F000:5EAB                                        ; bits (5:4)=01, read only:
F000:5EAB                                        ; all reads from DRAM,
F000:5EAB                                        ; all writes to DMI
F000:5EAC     jmp     sp                         ; sp=4FE8
F000:5EAC ; ---------------------------------------------------------------------------
....
F000:4FE8
F000:4FE8 loc_F4FE8:                             ; CODE XREF: F000:5EACJ
F000:4FE8     mov     al, 0E2h
F000:4FEA     out     70h, al                    ; CMOS memory:
F000:4FEA                                        ; NMI disable, reg. offset 62?
F000:4FEC     in      al, 71h                    ; CMOS memory, read value
F000:4FEE     mov     dh, al
F000:4FF0     mov     al, 0E3h
F000:4FF2     out     70h, al                    ; CMOS memory:
F000:4FF2                                        ; NMI disable, reg. offset 63?
F000:4FF4     in      al, 71h                    ; CMOS memory, read value
F000:4FF6     mov     dl, al                     ; the register now holds dx=[62]:[63]
F000:4FF6                                        ; (CMOS offsets)
F000:4FF8     db      66h
F000:4FF8     lidt    fword ptr cs:byte_F48EC    ; Lidt=000000000400h
F000:4FF8                                        ; address base: 00000000h
F000:4FF8                                        ; limit: 0400h
F000:4FFF     xor     esp, esp                   ; esp=0
F000:5002     mov     eax, cr0                   ; Move to/from Special Registers
F000:5005     and     al, 0FEh                   ; Logical AND
F000:5007     mov     cr0, eax                   ; write the new value into cr0
F000:5007                                        ; cr0=60000010, the processor
F000:5007                                        ; works in real mode aka R_Mod
F000:500A     jmp     far ptr unk_FFFA0          ; Jump to standstill
F000:500A ; ---------------------------------------------------------------------------
.....
Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
000FFFA0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF   яяяяяяяяяяяяяяяя

My question is: what will the processor do? Freeze and wait for a reset? How will the processor read RAM if it has not been determined?
Your skill in disassembly is far beyond mine. I've tried too, but without the required knowledge... What's strange, I never find a direct write to some registers, just some variation of 800000xxh. Even when I try to replace the part of the code that just writes "Unused Shadow Memory ....." in a free area of the expansion ROM, I get a bricked laptop. And all I needed was just a pointer to the PnP installation check and a call to the BCV (~20 bytes of code). Until now (I fried the network chip) I was able to boot from USB and, with GRUB4DOS, remap disks and then boot from the RAID ExpressCard by using a custom-made PXE ROM inside the BIOS. Now, since no chip is detected, the BIOS doesn't load the PXE module, and this makes me use a custom MBR on a USB device to use my laptop. Now I'm thinking of a different approach: what happens if I isolate the ICH from the KBC? I mean, leave the BIOS chip connected to the KBC and attach another flash chip to the ICH southbridge. On power-up, the KBC loads the required data from the original BIOS and tries to pass it to the ICH (but the ICH is not connected to it); at that time the ICH tries to load the BIOS, and it can, because of the newly attached flash chip. If the KBC doesn't have some kind of protection like a watchdog or some other method, then it thinks all is OK and the system is running; the computer part, too, if the BIOS is OK, can work fine. All that is needed is to use some other manufacturer's BIOS for similar hardware, or maybe coreboot or UEFI. I'll try that in the next few days. (Now I'm seeking like mad a BCM5752 to regain an easy boot method.)
I wrote earlier: Google is your friend. Intel 965 Express Chipset Family.pdf (or almost any other), Section 5.1.18 PAM0—Programmable Attribute Map 0. I know nothing about it.
You don't have to stick to NIC PXE; technically any PXE will do... Does your "RAID ExpressCard" have one? Just a thought: does the LPC bus still exist on notebooks?
gabiz_ro Hi brother! There is a PCI spec. All registers can be written only this way: read reg -> modify -> write new value. Could the BIOS recovery methods help you? But apparently they haven't helped. What will happen after your experiments, I do not know. In any case, there is nothing to lose.

Apokrif That's all I've read, but I could not answer that. To reason logically about the code: no RAM physically, all reads only from RAM; processor cache disabled (no-fill cache mode), but reading from cache is accessible, ROM only write; jump to an address in RAM...... or cache (L1), but the MTRRs are not defined and the cache size is unknown. Summary: INT 06 exception #UD or INT 08 exception #DF -> hung.
In the original configuration it doesn't have one, but there was a place on the card where a flash chip can be put and a place for an EPROM; the SIL3132 chipset can use both, but only one at a time. The EPROM is only for setting the device hardware ID; the flash chip is used for the same + Option ROM (SIL3132 BIOS). The Dell BIOS detects the card and loads its Option ROM; the card is initialized and I can enter setup to configure RAID etc. But according to the PnP BIOS specification an Option ROM must not hook any interrupt and must return the BIOS to the initial state it was in when loaded. Then the BIOS, depending on what info is passed by the Option ROM after initialization, acts according to what needs to be done. In my case the BIOS doesn't make a call to the OROM's Boot Connection Vector. Then I tried to solve that by using a PXE ROM for this; it was a simple coded OROM which acts like the BIOS, providing the required details and making a call to the BCV (of course there was a problem too: the RAM region where the OROM was shadowed was set RO by the BIOS). After a call to the BCV, the number of disks in the BIOS Data Area is increased by 1 and in the shadowed OROM there is a value for its disk, 80, 81, 82, depending on what disk number was assigned. The card's Option ROM is loaded by the BIOS; if I want to enter BIOS setup, for example, first the OROM is loaded, then I can enter the BIOS, but nothing refers to that card in the BIOS. Since that way of calling the BCV was at boot stage, I was thinking of enabling support for PXE from the BCM4401 and fooling the BIOS into thinking it is some other card and that it needs to load its OROM, so I can load my custom PXE ROM from there. The BIOS has its own PXE modules, but they are loaded too late, just when booting. BUT since there is no datasheet for the BCM4401, and even though I added an SPI flash for it, I can't program it, even if enabled from the EPROM. The last chance could be to find a BCM5752 (combined EPROM and flash boot ROM) and hardware-mod the motherboard to be like the M1710; then maybe, but even so it could be the firmware in the chip that disables the flash boot ROM, since the M1710 also has PXE modules in the BIOS. It still exists. On the schematic I see some configuration for the BIOS via LPC, PCI or SPI.

The actual configuration is SPI via the M?EC5004 (KBC). Like I said, I'm not a programmer and it is dizzying for me. I looked at some asm code which reads/writes PCI registers; it looks similar to that. One needs to look closely at every one to identify where it is operating. Bricking is not a problem; I can program the flash chip externally in any case.
Ok, going further... The branch named "tag=04": the condition under which the code takes this branch is the value of CMOS reg #0F:
04h INT 19h reboot
05h flush keyboard (issue EOI) and jump via 40h:0067h
06h reset (after successful test in virtual mode) (or: jump via 40h:0067h without EOI)
07h reset (after failed test in virtual mode)
08h used by POST during protected-mode RAM test (return to POST)
09h used for INT 15/87h (block move) support
0Ah resume execution by jump via 40h:0067h
..I need to run, will finish later...
Excuse me for the delay. To continue... The code in the BIOS of the D510 and D610 works the same way, just with different addresses, so I will examine the code of the D810, which is the newest. If someone notices and corrects errors I will be very happy. I assume that the branch "tag=03" leads to the laptop hanging, but there is one strange thing: why use this address 000FFFA0, and why load the interrupt table? Let it be so for now. The first address in this branch (04) is :4068

Code:
D810_A05.rom
Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
000F4060  .  .  .  .  .  .  .  .  8E 45 20 65 72 70 12 01   ЋEerp
...
000F4580  .  .  .  .  .  .  .  .  66 C1                     fБ
000F4590  E4 10 BC 98 45 E9                                  д ј˜Eй
          jump to
000F5D20  BA F8 0C                                           єш
000F5D30  66 B8 9C 00 00 80 66 EF B2 FD EC C3                fёњ ЂfпІэмГ
          return to
000F4590  9A 45 66 C1 EC 10 A8 08                            љEfБм Ё
000F45A0  74 03 E9 20 09 C3                                  t й Г
          return to Calc_Address_Routing

In this block the Host Bridge register TOLUD (offset 9C) is written with the default value 08h. This 8-bit register defines the Top of Usable DRAM (TOLUD). The code checks whether or not the value 08h was written. If not -> jump to "stop machine", the processor waits for a reset.

Code:
F000:4EC5 ; ---------------------------------------------------------------------------
F000:4EC5
F000:4EC5 ready_to_reset:                        ; CODE XREF: F000:45A2j
F000:4EC5     cmp     word ptr ds:472h, 1234h    ; ds=0h  Compare Two Operands
F000:4ECB     jnz     short stop_maschine1       ; Jump if Not Zero (ZF=0)
F000:4ECD     mov     dl, 40h
F000:4ECF     jmp     short Stop_maschine2       ; Jump
F000:4ED1 ; ---------------------------------------------------------------------------
F000:4ED1
F000:4ED1 stop_maschine1:                        ; CODE XREF: F000:4ECBj
F000:4ED1     mov     dl, 0
F000:4ED3
F000:4ED3 Stop_maschine2:                        ; CODE XREF: F000:4ECFj
F000:4ED3     mov     ax, 0DBDBh
F000:4ED6     out     70h, al                    ; CMOS memory: NMI disable,
F000:4ED6                                        ; reg #5B???
F000:4ED8     in      al, 71h                    ; CMOS memory: read reg. value into al
F000:4EDA     and     al, 0BFh                   ; check bits 7,5:0 equal 1?
F000:4EDC     or      al, dl                     ; have 0?
F000:4EDE     xchg    al, ah                     ; Exchange Register/Memory with Register
F000:4EE0     out     70h, al                    ; CMOS memory: reg #5B
F000:4EE0                                        ; used by real-time clock
F000:4EE2     xchg    al, ah                     ; Exchange Register/Memory with Register
F000:4EE4     out     71h, al                    ; CMOS memory: write new value to reg #5B
F000:4EE4                                        ; used by real-time clock
F000:4EE6     mov     dx, 0CF9h
F000:4EE9     mov     al, 2
F000:4EEB     out     dx, al
F000:4EEC     mov     al, 6
F000:4EEE     out     dx, al
F000:4EEF     hlt                                ; Stop machine, processor waiting for reset!
F000:4EEF ; ---------------------------------------------------------------------------

If the value = 08h, jump to Calc_Address_Routing to go to the new address.
Let's continue. The next offset is :4305, the code of the block named "boot". In this block the code checks the keyboard controller 8042 output buffer, and whether there has been a "power on reset". If the buffer has data, it writes it into CMOS and jumps to Calc_Address_Routing. If the buffer has no data -> jump to Calc_Address_Routing. Look at this:

Code:
D810_A05.rom
Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
000F4070  05 43 74 6F 6F 62 04 03                           Ctoob
...                                                         "boot"
000F4300                 E4 64 24 81 3C 81 B0 DC E6 70 75   дd$ < °Ьжpu
000F4310  06 E4 60 E6 71 EB 02 E4 71 0F 7E C3 24 02 3C 02   д`жqл дq ~Г$ <
000F4320  75 06 66 83 E3 FE EB 04 66 83 E3 FD 0F 6E C3 C3   u fѓгюл fѓгэ nГГ

The next block is "PmAB", offset :4E39. In this fragment the code puts the processor into protected mode aka "P_Mode" and defines the GDT & IDT, installing the new addressing:

Code:
D810_A05.rom
Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
000F4070                          39 4E 42 41 6D 50 05 03   9NBAmP
...                                                         "PmAB"
000F4E30                             66 2E 0F 01 16 E0 48   f. аH
000F4E40  66 2E 0F 01 1E E6 48 0F 20 C0 0C 01 0F 22 C0 EA   f. жH А "Ак
000F4E50  54 4E 08 00 B8 10 00 8E D8 8E C0 8E E0 B8 48 00   TN ё ЋШЋАЋаёH
000F4E60  8E D0 C3                                          ЋРГ
....
GDT
000F4890  00 00 00 00 00 00 00 00 FF FF 00 00 FF 9B 00 FF   яя я› я
000F48A0  FF FF 00 00 00 93 CF 00 FF FF 00 00 00 93 00 00   яя “П яя “
000F48B0  FF FF 00 00 0F 9B 40 00 FF FF 00 00 02 9B 00 00   яя ›@ яя ›
000F48C0  FF FF 00 00 F0 9B 00 FF FF FF 00 00 02 9B 00 00   яя р› яяя ›
000F48D0  FF FF 00 00 0E 93 00 00 FF FF 00 00 0F 93 00 00   яя “ яя “

The GDT has 10 descriptors:

1st descriptor (CODE) = FF009BFF0000FFFF => base address FFFF0000; flags: G=0, D/B=0, AVL=00, P=1, DPL=00, S=1, Type=1011 (1=code, EWA=011: grows up, write enabled, available); limit 0FFFF, remains in ROM (64k), i.e. our code segment is from F000:0000 to F000:FFFF.

2nd descriptor in the GDT (DATA) = 00CF93000000FFFF; flags: G=1, D/B=1, AVL=00, P=1, DPL=00, S=1, Type=0011 (0=data, EWA=011: grows up, write enabled, available); base address 00000000, limit FFFFFx1000h; our data segment is from 0000:0000 to F000:F000.

9th descriptor in the GDT (Stack) = 0000930F0000FFFF -> base address 000F0000; flags: G=0, D/B=0, AVL=00, P=1, DPL=00, S=1, Type=0011 (0=data, EWA=011: grows up, write enabled, available); limit=0FFFF, i.e. our stack segment is from F000:0000 to F000:FFFF.

F000:0000 is an alias of FFFF:0000 and 000F:0000.

to be continued...

PS: IDT base address 00000000, limit 00000, size = 1 byte
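The descriptor fields worked out by hand above can be decoded with a few lines of code. The Python below is an added example written for this edit, not code from the post. It takes the 80 bytes at 000F4890 from the hex dump, splits them into the 10 descriptors, decodes base, limit, granularity and type using the standard IA-32 segment descriptor layout from the Intel SDM, and resolves the selectors the PmAB fragment loads (0008 in the far jump `EA 54 4E 08 00`, 0010 for DS/ES/FS, 0048 for SS) to linear addresses with the limit check the CPU would apply.

```python
import struct
from typing import List, NamedTuple

# The 80 bytes at 000F4890-000F48DF from the hex dump above (10 descriptors,
# the first being the mandatory null descriptor).
GDT_BYTES = bytes.fromhex(
    "00 00 00 00 00 00 00 00  FF FF 00 00 FF 9B 00 FF "
    "FF FF 00 00 00 93 CF 00  FF FF 00 00 00 93 00 00 "
    "FF FF 00 00 0F 9B 40 00  FF FF 00 00 02 9B 00 00 "
    "FF FF 00 00 F0 9B 00 FF  FF FF 00 00 02 9B 00 00 "
    "FF FF 00 00 0E 93 00 00  FF FF 00 00 0F 93 00 00 "
)


class Descriptor(NamedTuple):
    base: int          # 32-bit segment base
    limit: int         # raw 20-bit limit field
    limit_bytes: int   # last valid offset after applying granularity
    present: bool      # P
    dpl: int           # DPL
    code: bool         # S=1 and type bit 3 set
    rw: bool           # type bit 1: writable (data) or readable (code)
    granularity: bool  # G: limit counts 4 KiB pages
    big: bool          # D/B: 32-bit default operand/stack size


def decode_descriptor(raw: bytes) -> Descriptor:
    """Decode one 8-byte IA-32 segment descriptor (SDM vol. 3, segment descriptors)."""
    limit_lo, base_lo, base_mid, access, gran, base_hi = struct.unpack("<HHBBBB", raw)
    limit = limit_lo | ((gran & 0x0F) << 16)
    base = base_lo | (base_mid << 16) | (base_hi << 24)
    g = bool(gran & 0x80)
    s = bool(access & 0x10)
    typ = access & 0x0F
    return Descriptor(
        base=base,
        limit=limit,
        limit_bytes=((limit << 12) | 0xFFF) if g else limit,
        present=bool(access & 0x80),
        dpl=(access >> 5) & 3,
        code=s and bool(typ & 0x8),
        rw=bool(typ & 0x2),
        granularity=g,
        big=bool(gran & 0x40),
    )


def decode_gdt(table: bytes) -> List[Descriptor]:
    if len(table) % 8:
        raise ValueError("GDT length must be a multiple of 8")
    return [decode_descriptor(table[i:i + 8]) for i in range(0, len(table), 8)]


def selector_index(selector: int) -> int:
    """Bits 15:3 of a selector index the table; bit 2 (TI) must be 0 for the GDT."""
    if selector & 0x4:
        raise ValueError("LDT selectors are not used here")
    return selector >> 3


def linear_address(gdt: List[Descriptor], selector: int, offset: int) -> int:
    """Resolve selector:offset against the GDT with the CPU's limit check."""
    idx = selector_index(selector)
    if idx == 0:
        raise ValueError("null selector")
    d = gdt[idx]
    if not d.present or offset > d.limit_bytes:
        raise ValueError(f"offset {offset:#x} outside segment {selector:#06x}")
    return (d.base + offset) & 0xFFFFFFFF


if __name__ == "__main__":
    gdt = decode_gdt(GDT_BYTES)
    for i, d in enumerate(gdt):
        kind = "code" if d.code else "data"
        print(f"{i:2d} sel={i << 3:#06x} base={d.base:08X} limit={d.limit_bytes:08X} "
              f"{kind} G={int(d.granularity)} D/B={int(d.big)} P={int(d.present)}")
    # the far jump EA 54 4E 08 00 lands here once CR0.PE has been set
    print(f"0008:4E54 -> {linear_address(gdt, 0x0008, 0x4E54):08X}")
```

Selector 0008 (index 1) gives the code segment based at FFFF0000, so the far jump to 0008:4E54 lands at linear FFFF4E54, the top-of-memory alias of the same ROM bytes that real mode reached as F000:4E54; selector 0048 (index 9) is the F0000-based stack segment the fragment loads into SS.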
The Dell HDR (from XPS420-A07.EXE) at offsets 00017450-00019420 contains microcode update data. It matches exactly cpu00010677_plat00000010_ver00000705_date20080428.bin (microcode update 20090927 from the Intel site) at 00000030-00002000, i.e. only the microcode update header is stripped out.

Code:
microcode update header (Intel)
Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000  01 00 00 00 05 07 00 00 08 20 28 04 77 06 01 00   ......... (.w...
00000010  DD 99 DB A6 01 00 00 00 10 00 00 00 D0 1F 00 00   ݙۦ........Ð...
00000020  00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00   . ..............
microcode update data (same for Intel & Dell, Dell offset 00017450)
00000030  00 00 00 00 A1 00 00 00 01 00 02 00 05 07 00 00   ....¡...........
00000040  37 00 00 00 00 00 00 2E 28 04 08 20 11 03 00 00   7.......(.. ....
00000050  01 00 00 00 77 06 01 00 00 00 00 00 00 00 00 00   ....w...........
00000060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00000070  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00000080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

Although almost all fields are repeated in the update data. Something I still don't understand: the Dell update module for the XPS420 lists 28 or 29 records, but only 6 or 7 fragments look like microcode update data (i.e. start with 00 00 00 00). Other offsets point into the "middle of the data"... I guess at this point we can replace the BIOS microcode update manually:
1a. Safe way: find a Dell BIOS with a microcode update for our CPUID.
1b. Unsafe: replace the current module's microcode update for some CPUID with the one we need.
2. Replace the module + update the 2 CRCs.

Code:
1C/28 records
00 - 000006F1:0000F5D0:57434131
01 - 000006F4:000105A0:57434230
02 - 000006F5:000096F0:57434231
03 - 000006F6:00011570:43524232
04 - 000006F7:00012540:57434233
05 - 000006F2:00013510:43524C32
06 - 00010671:000144E0:48414131
07 - 00010674:000154B0:48414231
08 - 00010676:00016480:48414330
09 - 00010677:00017450:48414331
0A - 00000F25:00000160:4E574D30
0B - 00000F34:00000930:50434430
0C - 00000F41:00002500:50434530
0D - 00000F44:000040A0:534D4130
0E - 00000F60:00005840:434D4130
0F - 00000F61:00006010:434D4230
10 - 00000F62:000067E0:434D4231
11 - 00000F43:00008750:49524E30
12 - 000006F0:0000E600:57434130
13 - 00000F49:000038D0:50434731
14 - 00000F47:00004C70:534D4230
15 - 00000F64:000073B0:434D4331
16 - 00000F65:00007F80:434D4430
17 - 00000F4A:00008F20:49525230
18 - 000006F9:0000A6C0:43524530
19 - 00010661:0000B690:434C4130
1A - 000006FB:0000C660:43524730
1B - 000006FD:0000D630:43524D30

1D/29 records
00 - 000006F1:0000F5D0:57434131
01 - 000006F4:000105A0:57434230
02 - 000006F5:000096F0:57434231
03 - 000006F6:00011570:43524232
04 - 000006F7:00012540:57434233
05 - 000006F2:00013510:43524C32
06 - 00010671:000144E0:48414131
07 - 00010674:000154B0:48414231
08 - 00010676:00016480:48414330
09 - 00010677:00017450:48414331
0A - 0001067A:00019420:48414552
0B - 00000F25:00000160:4E574D30
0C - 00000F34:00000930:50434430
0D - 00000F41:00002500:50434530
0E - 00000F44:000040A0:534D4130
0F - 00000F60:00005840:434D4130
10 - 00000F61:00006010:434D4230
11 - 00000F62:000067E0:434D4231
12 - 00000F43:00008750:49524E30
13 - 000006F0:0000E600:57434130
14 - 00000F49:000038D0:50434731
15 - 00000F47:00004C70:534D4230
16 - 00000F64:000073B0:434D4331
17 - 00000F65:00007F80:434D4430
18 - 00000F4A:00008F20:49525230
19 - 000006F9:0000A6C0:43524530
1A - 00010661:0000B690:434C4130
1B - 000006FB:0000C660:43524730
1C - 000006FD:0000D630:43524D30
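The 48-byte header quoted above follows Intel's documented microcode update format (Intel SDM vol. 3, microcode update facilities), so the relation between the Intel file and the header-less Dell record can be computed rather than eyeballed. The Python below is an added example written for this edit, not code from the post or from Dell's or Intel's tools. It parses the header bytes shown above, rebuilds Intel's file name from the fields, derives where a Dell record that starts at 00017450 must end, reads the third column of the record list as ASCII, and implements the SDM checksum rule (all dwords of the update, header included, sum to zero) with a helper that reattaches a header to a stripped Dell copy so the checksum can be verified. The update used to exercise the checksum code is constructed here and carries no real microcode.

```python
import struct
from typing import NamedTuple, Tuple

HEADER_FMT = "<IIIIIIIII"   # nine little-endian dwords, then 12 reserved bytes
HEADER_SIZE = 48

# Offsets 00000000-0000002F of cpu00010677_plat00000010_ver00000705_date20080428.bin,
# copied from the hex dump in the post.
PAGE_HEADER = bytes.fromhex(
    "01 00 00 00 05 07 00 00 08 20 28 04 77 06 01 00 "
    "DD 99 DB A6 01 00 00 00 10 00 00 00 D0 1F 00 00 "
    "00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
)


class McHeader(NamedTuple):
    header_version: int    # always 1
    update_revision: int   # "ver" in Intel's file name
    date_bcd: int          # packed BCD mmddyyyy
    cpu_signature: int     # CPUID(1).EAX, "cpu" in the file name
    checksum: int          # chosen so that all dwords of the update sum to zero
    loader_revision: int
    processor_flags: int   # platform ID mask, "plat" in the file name
    data_size: int         # bytes after the header; 0 means 2000
    total_size: int        # header + data (+ extended tables); 0 means 2048


def parse_header(blob: bytes) -> McHeader:
    if len(blob) < HEADER_SIZE:
        raise ValueError("short header")
    hdr = McHeader(*struct.unpack_from(HEADER_FMT, blob, 0))
    if hdr.header_version != 1:
        raise ValueError(f"unknown header version {hdr.header_version}")
    return hdr


def effective_sizes(hdr: McHeader) -> Tuple[int, int]:
    """SDM defaults for zero size fields (the original 2048-byte format)."""
    return hdr.data_size or 2000, hdr.total_size or 2048


def bcd_date(hdr: McHeader) -> str:
    """0x04282008 -> '20080428': the field is BCD month, day, year."""
    d = hdr.date_bcd
    return f"{d & 0xFFFF:04x}{(d >> 24) & 0xFF:02x}{(d >> 16) & 0xFF:02x}"


def intel_filename(hdr: McHeader) -> str:
    return (f"cpu{hdr.cpu_signature:08x}_plat{hdr.processor_flags:08x}"
            f"_ver{hdr.update_revision:08x}_date{bcd_date(hdr)}.bin")


def dell_record_span(hdr_offset: int, hdr: McHeader) -> Tuple[int, int]:
    """Dell keeps the update without its 48-byte header, so a record starting at
    hdr_offset in the .hdr ends at hdr_offset + data_size."""
    data_size, _ = effective_sizes(hdr)
    return hdr_offset, hdr_offset + data_size


def parse_record_line(line: str) -> Tuple[int, int, int, int]:
    """'09 - 00010677:00017450:48414331' -> (index, cpuid, offset, tag)."""
    index, rest = line.split(" - ", 1)
    cpuid, offset, tag = rest.split(":")
    return int(index, 16), int(cpuid, 16), int(offset, 16), int(tag, 16)


def record_tag_ascii(tag: int) -> str:
    """The third column read as four ASCII bytes (48414331 -> 'HAC1'); what Dell
    means by it is not settled in the thread."""
    return tag.to_bytes(4, "big").decode("ascii")


def _dwords(update: bytes, total: int):
    if total % 4 or len(update) < total:
        raise ValueError("update is truncated or not dword aligned")
    return list(struct.unpack_from(f"<{total // 4}I", update, 0))


def checksum_ok(update: bytes) -> bool:
    """SDM rule: the 32-bit sum of every dword, header included, must be zero."""
    _, total = effective_sizes(parse_header(update))
    return sum(_dwords(update, total)) & 0xFFFFFFFF == 0


def fix_checksum(update: bytes) -> bytes:
    """Recompute the checksum dword (header offset 16) after editing an update."""
    _, total = effective_sizes(parse_header(update))
    words = _dwords(update, total)
    words[4] = 0
    words[4] = (-sum(words)) & 0xFFFFFFFF
    return struct.pack(f"<{total // 4}I", *words) + update[total:]


def reattach_header(stripped: bytes, hdr: McHeader) -> bytes:
    """Put an Intel header back in front of a header-less Dell copy so that
    checksum_ok can be run on it."""
    return struct.pack(HEADER_FMT, *hdr) + bytes(12) + stripped


if __name__ == "__main__":
    h = parse_header(PAGE_HEADER)
    print(intel_filename(h))
    _, cpuid, off, tag = parse_record_line("09 - 00010677:00017450:48414331")
    start, end = dell_record_span(off, h)
    print(f"Dell record: {start:08X}-{end:08X}, cpuid {cpuid:08X}, tag {record_tag_ascii(tag)}")
```

For the header on the page this prints the Intel file name quoted above and the span 00017450-00019420, which is exactly what the post found by comparison; data_size (1FD0h) plus the 48-byte header gives total_size (2000h), so a record "starting with data" is the Intel file minus its first 30h bytes.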
Got it: only the new updates start with 00 00 00 00 and repeat the header data. The older ones start "with data" right away.
BIOS CPU microcode. If I replace the existing cpu*.bin code in the .hdr (7168-48=7120 bytes, since the first 48 characters don't exist in the .hdr) with a standard (2048-byte) cpu*.bin code and gzip the new .hdr file, name it bios.gz, boot up with FreeDOS and run "d4700a10.exe -readgzfile", would it attempt the flash but possibly give a CRC mismatch error, which can be corrected, I believe? Do you know which 2 CRCs? Can the CPUID be just 4 characters? So 0f34 & 0f65 would just be 00000f34 & 00000f65 from the cpu000*****_.bin file names (characters 4 to 11) from the decoded microcode.dat update package? Are the CPUIDs even required if I'm going to hack my BIOS as I described?
Code:
file length 07005C -> scanning for CRC32...
scanning 004054 ... scanning 06C054
crc32 found at 070054
whole file: crc32 found at 070058
section start 0x000054
module #01 (0x01) 0x000054-0x006737 = 0x0066E0
module #02 (0x02) 0x006737-0x00C355 = 0x005C1B
module #03 (0x03) 0x00C355-0x014A1A = 0x0086C2
module #04 (0x12) 0x014A1A-0x01516D = 0x000750
module #05 (0x05) 0x01516D-0x01DD18 = 0x008BA8
module #06 (0x26) 0x01DD18-0x024DCA = 0x0070AF
module #07 (0x08) 0x024DCA-0x02C8A7 = 0x007ADA
module #08 (0x0B) 0x02C8A7-0x03270F = 0x005E65
module #09 (0x17) 0x03270F-0x03491B = 0x002209
module #10 (0x15) 0x03491B-0x0379C8 = 0x0030AA
module #11 (0x14) 0x0379C8-0x0436FD = 0x00BD32
module #12 (0x16) 0x0436FD-0x0449B9 = 0x0012B9
module #13 (0x1A) 0x0449B9-0x045417 = 0x000A5B
module #14 (0x1B) 0x045417-0x0456F2 = 0x0002D8
module #15 (0x1D) 0x0456F2-0x045C16 = 0x000521
module #16 (0x23) 0x045C16-0x046547 = 0x00092E
module #17 (0x1C) 0x046547-0x046BFB = 0x0006B1
module #18 (0x1E) 0x046BFB-0x047310 = 0x000712
module #19 (0x24) 0x047310-0x048135 = 0x000E22
module #20 (0x25) 0x048135-0x049067 = 0x000F2F

Let me know what your current CPUID is and what the new one is; I'll take a close look. I guess your Dimension 4700 is quite old, so you won't be too disappointed if you brick it, right?
CPUID + offsets for D4700A10.hdr. It's an old BIOS; CPUIDs there are 2 bytes only, i.e. "0F24".

Code:
12/18 records
00 - 00000F24:00000092:4E574230
01 - 00000F27:00000862:4E574331
02 - 00000F29:00001032:4E574431
03 - 00000F25:00001802:4E574D30
04 - 00000F13:00001FD2:434C4530
05 - 00000F30:000027A2:50434130
06 - 00000F31:00003772:50434230
07 - 00000F32:00004742:50434231
08 - 00000F33:00004F12:50434330
09 - 00000F37:000056E2:50434331
0A - 00000F34:00005EB2:50434430
0B - 00000F41:00007A82:50434530
0C - 00000F49:00008E52:50434731
0D - 00000F60:00009622:434D4130
0E - 00000F61:00009DF2:434D4230
0F - 00000F62:0000A5C2:434D4231
10 - 00000F43:0000AD92:49524E30
11 - 00000F4A:0000B562:49525230

No idea still what the last column is... With sizes:

Code:
00 - 00000F24:00000092:4E574230 - 000007D0
01 - 00000F27:00000862:4E574331 - 000007D0
02 - 00000F29:00001032:4E574431 - 000007D0
03 - 00000F25:00001802:4E574D30 - 000007D0
04 - 00000F13:00001FD2:434C4530 - 000007D0
05 - 00000F30:000027A2:50434130 - 00000FD0
06 - 00000F31:00003772:50434230 - 00000FD0
07 - 00000F32:00004742:50434231 - 000007D0
08 - 00000F33:00004F12:50434330 - 000007D0
09 - 00000F37:000056E2:50434331 - 000007D0
0A - 00000F34:00005EB2:50434430 - 00001BD0
0B - 00000F41:00007A82:50434530 - 000013D0
0C - 00000F49:00008E52:50434731 - 000007D0
0D - 00000F60:00009622:434D4130 - 000007D0
0E - 00000F61:00009DF2:434D4230 - 000007D0
0F - 00000F62:0000A5C2:434D4231 - 000007D0
10 - 00000F43:0000AD92:49524E30 - 000007D0
11 - 00000F4A:0000B562:49525230 - 000007D0

So if you want to replace 00000F34 with 00000F65, you leave entry 0A - 00000F34:00005EB2:50434430 - 00001BD0 alone. Get ANY other entry, like 11 - 00000F4A:0000B562:49525230 - 000007D0, update it to 11 - 00000F65:0000B562:49525230, and replace 2000 bytes (0000B562-0000BD31) with the 00000F65 microcode. Could the 3rd column be some chipset settings, like timing?
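The scan output in the previous post reports two trailers: a CRC32 at 070054 found while scanning from section start 0x000054, and a whole-file CRC32 at 070058. The Python below is an added example written for this edit, not Apokrif's scanner or Dell's flasher. It locates such trailers by running a CRC over the file from a few candidate starts and comparing against the dword at each position, then re-patches a file with this nested layout (inner section CRC first, whole-file CRC second) after a byte-level change such as the record rewrite and microcode replacement described above. That the D4700A10.hdr CRCs cover exactly those two ranges is an assumption inferred from the scan output, and the sample file is constructed here.

```python
import struct
import zlib
from typing import Iterable, List, Sequence, Tuple

Patch = Tuple[int, bytes]   # (offset, replacement bytes)


def find_crc32(blob: bytes, starts: Iterable[int] = (0,)) -> List[Tuple[int, int]]:
    """Return (start, pos) pairs where the little-endian dword at pos equals
    crc32(blob[start:pos]).  Each candidate start costs one pass over the file
    because zlib.crc32 can be fed incrementally."""
    hits = []
    for start in starts:
        crc = 0
        for pos in range(start, len(blob) - 3):
            if pos > start and struct.unpack_from("<I", blob, pos)[0] == crc:
                hits.append((start, pos))
            crc = zlib.crc32(blob[pos:pos + 1], crc)
    return hits


def patch_with_crc(blob: bytes, patches: Sequence[Patch], crc_pos: int, start: int = 0) -> bytes:
    """Apply patches inside [start, crc_pos) and rewrite the trailer at crc_pos."""
    buf = bytearray(blob)
    for off, new in patches:
        if off < start or off + len(new) > crc_pos:
            raise ValueError(f"patch at {off:#x} is outside the CRC-covered range")
        buf[off:off + len(new)] = new
    struct.pack_into("<I", buf, crc_pos, zlib.crc32(bytes(buf[start:crc_pos])))
    return bytes(buf)


def repatch_nested(blob: bytes, patches: Sequence[Patch], section_start: int,
                   section_crc_pos: int, whole_crc_pos: int) -> bytes:
    """Inner section CRC first, then the whole-file CRC that also covers it."""
    blob = patch_with_crc(blob, patches, section_crc_pos, section_start)
    return patch_with_crc(blob, [], whole_crc_pos, 0)


def build_sample() -> bytes:
    """Constructed file with the same shape as the scan output: an 0x54-byte
    prefix, a section, the section CRC, then the whole-file CRC."""
    prefix = b"HDR" * 28            # 0x54 bytes
    section = bytes((i * 7) & 0xFF for i in range(1000))
    blob = prefix + section
    blob += struct.pack("<I", zlib.crc32(blob[0x54:]))
    blob += struct.pack("<I", zlib.crc32(blob))
    return blob


if __name__ == "__main__":
    sample = build_sample()
    print("trailers:", [(f"{s:#x}", f"{p:#x}") for s, p in find_crc32(sample, (0, 0x54))])
    fixed = repatch_nested(sample, [(200, b"\xAA" * 16)], 0x54, 1084, 1088)
    print("after patch:", [(f"{s:#x}", f"{p:#x}") for s, p in find_crc32(fixed, (0, 0x54))])
```

On a real .hdr you would call find_crc32 with starts=(0, 0x54) and expect hits at the positions the scan reported; after replacing a record and rewriting its CPUID entry, repatch_nested with section_start=0x54, section_crc_pos=0x70054 and whole_crc_pos=0x70058 restores both trailers, so the flasher's CRC check passes for the right reason instead of being talked past.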
Timing as in memory timings or FSB speed? I couldn't modify them, could I? If I did, it wouldn't work or would brick the board? A 1066MHz FSB would be nice. Is it crucial to leave entry 0A - 00000F34:00005EB2:50434430 - 00001BD0 alone & change another one? Can you not remove any of them or add without replacing? Thank you for your time and assistance. Edit: Yup, the current CPUID is 0F34 and the new one is 0F65. Which program are you using? What's the difference between plat0000001d & plat00000001? It can't be socket related, because both CPUs are LGA775 and have the same FSB.
Can someone help me with something that is not related to this topic? I want to clear the service tag of my Dell L401X. I guess that it is stored in some location in the BIOS which is not erased/overwritten during the BIOS upgrade. Can we program the BIOS update tool to clear those areas so that the service tag gets cleared?