Latitude D610 - flash_recover segment

There is a very interesting flash_recover segment in the Latitude D610 BIOS hdr file at 0x04054. It has some interesting phrases as well as file names it looks for during the recovery process. I was wondering if somebody with disassembly skills can take a look? It might have the BIOS modules decompress algo.

Code:
Looking for file:
 - not found
The BIOS file was not found
Could not read boot sector
AZED????BIN
AZED????HDR
AZED????HDC
AZE?????BIN
AZE?????HDR
Dumping sector:
Init USB Floppy Support
turn off bottom_boot
System names do not match
Back in the saddle again...
Off we go into the wild flashing yonder
Decompressing...
Fatal error???
program_this_block
SLIC-less test on Dell

Could/would test BIOS A06 (has no SLIC) on Dell D610 here if needed... Lemme know.
IMO, Dell D610 will be the best bet – it has a bad-flash recovery mechanism built in.

Here is the map file for D610_A06.hdr:
D610_A06.map
---------------------
00054R
04054R
10054R
60054B
F4054R

Although XPS 400 has a simpler HDR file - XP051A07.hdr:
XP051A07.map
---------------------
00054A
68EDDR
6FF84R
70004R
Examined Dimension 9100 A03 thoroughly – found the unpack segment module procedure. Compared with mine - works exactly the same way!

About the procedure itself – it searches and unpacks two modules:
Module type 01 to address 0F000:0000
Module type 02 to address 0F800:0000

I name modules like this:
Code:
00-01-02
^^ segment # (00)
   ^^ module # (within segment) (01)
      ^^ module type (02)

Haven't found how control gets to the unpacked module though – far beyond my skills I guess. All other modules are unpacked by either module 01 or 02; SLIC gets constructed by them too, most likely.
I guess I was wrong about "best bet". Checked XPS 400 vs Latitude D610: XPS 400 has an XSDT table and D610 doesn't (too old ACPI). Below is a comparison of XSDT OptiPlex 745 with XPS 400. Is the space right below SLIC$ in 745 reserved for pubkey/marker?

XSDT OptiPlex 745 / 00-03-02.bin
Code:
Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
000050A0        41 50 49 43 92 00 00 00 01 00 44 45 4C 4C   APIC’.....DELL
000050B0 20 20 42 38 4B 20 20 20 20 00 15 00 00 00 41 53   B8K .....AS
000050C0 4C 20 61 00 00 00 00 00 E0 FE 01 00 00 00 00 08   L a.....àþ......
000050D0 01 04 01 00 00 00 00 08 02 06 00 00 00 00 00 08   ................
000050E0 03 05 00 00 00 00 00 08 04 07 00 00 00 00 00 08   ................
000050F0 05 00 00 00 00 00 00 08 06 01 00 00 00 00 00 08   ................
00005100 07 02 00 00 00 00 00 08 08 03 00 00 00 00 01 0C   ................
00005110 08 00 00 00 C0 FE 00 00 00 00 02 0A 00 00 02 00   ....Àþ..........
00005120 00 00 00 00 02 0A 00 09 09 00 00 00 0D 00 04 06   ................
00005130 FF 0D 00 01 42 4F 4F 54 28 00 00 00 01 00 44 45   ÿ...BOOT(.....DE
00005140 4C 4C 20 20 42 38 4B 20 20 20 20 00 15 00 00 00   LL B8K .....
00005150 41 53 4C 20 61 00 00 00 7A 00 00 00 41 53 46 21   ASL a...z...ASF!
00005160 92 00 00 00 20 00 44 45 4C 4C 20 20 42 38 4B 20   ’... .DELL B8K
00005170 20 20 20 00 15 00 00 00 41 53 4C 20 61 00 00 00   .....ASL a...
00005180 04 00 07 00 00 01 88 01 00 2C 00 00 00 03 0C 89   ......ˆ..,.....‰
00005190 04 01 01 05 6F 00 68 08 88 17 00 89 04 04 04 07   ....o.h.ˆ..‰....
000051A0 6F 00 68 20 88 03 00 89 05 01 01 19 6F 00 68 20   o.h ˆ..‰....o.h
000051B0 88 22 00 02 00 14 00 03 04 00 00 02 88 00 01 01   ˆ"..........ˆ...
000051C0 88 00 02 03 88 00 04 03 00 17 00 00 10 00 00 00   ˆ...ˆ...........
000051D0 01 07 01 00 00 00 00 00 00 00 00 00 00 00 80 00   ..............€.
000051E0 10 00 FF 00 DA 01 00 00 02 A2 00 00 00 00 4D 43   ..ÿ.Ú....¢....MC
000051F0 46 47 3E 00 00 00 01 00 44 45 4C 4C 20 20 42 38   FG>.....DELL B8
00005200 4B 20 20 20 20 00 15 00 00 00 41 53 4C 20 61 00   K .....ASL a.
00005210 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00   .............à..
00005220 00 00 00 00 00 FF 00 00 00 00 00 00 48 50 45 54   .....ÿ......HPET
00005230 38 00 00 00 01 00 44 45 4C 4C 20 20 42 38 4B 20   8.....DELL B8K
00005240 20 20 20 00 15 00 00 00 41 53 4C 20 61 00 00 00   .....ASL a...
00005250 00 00 00 00 00 00 00 00 00 00 D0 FE 00 00 00 00   ..........Ðþ....
00005260 00 E8 03 00 53 4C 49 43 24 00 00 00 01 00 44 45   .è..SLIC$.....DE
00005270 4C 4C 20 20 42 38 4B 20 20 20 20 00 15 00 00 00   LL B8K .....
00005280 41 53 4C 20 61 00 00 00 00 00 00 00 00 00 00 00   ASL a...........
00005290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
000052A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
000052B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
000052C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
000052D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
000052E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
000052F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00005300 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00005310 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00005320 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00005330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00005340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00005350 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00005360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00005370 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00005380 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00005390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
000053A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
000053B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
000053C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
000053D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
000053E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
000053F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00005400 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00005410 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00005420 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00005430 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00005440 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00005450 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00005460 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00005470 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00005480 00 00 00 00 00 00 00 00 54 43 50 41 32 00 00 00   ........TCPA2...
00005490 01 00 44 45 4C 4C 20 20 42 38 4B 20 20 20 20 00   ..DELL B8K .
000054A0 15 00 00 00 41 53 4C 20 61 00 00 00 00 00 00 00   ....ASL a.......
000054B0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
000054C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
000054D0 02 00 00 00 01 00 00 00 04 00 00 00 02 00 00 00   ................
000054E0 07 00 00 00 02 00 FF FF                           ......ÿÿ

XPS 400 00-02-02.bin
Code:
Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00005440                            41 50 49 43 72 00 00   APICr..
00005450 00 01 00 44 45 4C 4C 20 20 44 58 50 30 35 31 20   ...DELL DXP051
00005460 00 07 00 00 00 41 53 4C 20 61 00 00 00 00 00 E0   .....ASL a.....à
00005470 FE 01 00 00 00 00 08 01 04 01 00 00 00 00 08 02   þ...............
00005480 06 00 00 00 00 00 08 03 05 00 00 00 00 00 08 04   ................
00005490 07 00 00 00 00 01 0C 08 00 00 00 C0 FE 00 00 00   ...........Àþ...
000054A0 00 02 0A 00 00 02 00 00 00 00 00 02 0A 00 09 09   ................
000054B0 00 00 00 0D 00 04 06 FF 0D 00 01 42 4F 4F 54 28   .......ÿ...BOOT(
000054C0 00 00 00 01 00 44 45 4C 4C 20 20 44 58 50 30 35   .....DELL DXP05
000054D0 31 20 00 07 00 00 00 41 53 4C 20 61 00 00 00 7A   1 .....ASL a...z
000054E0 00 00 00 41 53 46 21 67 00 00 00 10 00 44 45 4C   ...ASF!g.....DEL
000054F0 4C 20 20 44 58 50 30 35 31 20 00 07 00 00 00 41   L DXP051 .....A
00005500 53 4C 20 61 00 00 00 04 00 07 00 00 01 88 01 00   SL a.........ˆ..
00005510 2C 00 00 00 03 0C 89 04 01 01 05 6F 00 68 08 88   ,.....‰....o.h.ˆ
00005520 17 00 89 04 04 04 07 6F 00 68 20 88 03 00 89 05   ..‰....o.h ˆ..‰.
00005530 01 01 19 6F 00 68 20 88 22 00 80 00 10 00 FF 00   ...o.h ˆ".€...ÿ.
00005540 D1 01 00 00 02 A2 00 00 00 00 4D 43 46 47 3E 00   Ñ....¢....MCFG>.
00005550 00 00 01 00 44 45 4C 4C 20 20 44 58 50 30 35 31   ....DELL DXP051
00005560 20 00 07 00 00 00 41 53 4C 20 61 00 00 00 00 00   .....ASL a.....
00005570 00 00 00 00 00 00 00 00 00 80 00 00 00 00 00 00   .........€......
00005580 00 3F 00 00 00 00 00 00 48 50 45 54 38 00 00 00   .?......HPET8...
00005590 01 00 44 45 4C 4C 20 20 44 58 50 30 35 31 20 00   ..DELL DXP051 .
000055A0 07 00 00 00 41 53 4C 20 61 00 00 00 00 00 00 00   ....ASL a.......
000055B0 00 00 00 00 00 00 D0 FE 00 00 00 00 00 E8 03 00   ......Ðþ.....è..
000055C0 50 4D 4D 20 46 75 6E 63 74 69 6F 6E 20 30 30 3A   PMM Function 00:
000055D0 20 00 0D 0A 00 50 4D 4D 20 46 75 6E 63 74 69 6F   ....PMM Functio
000055E0 6E 20 30 31 3A 20 00 0D 0A 00 50 4D 4D 20 46 75   n 01: ....PMM Fu
000055F0 6E 63 74 69 6F 6E 20 30 32 3A 20 00 0D 0A 00 50   nction 02: ....P
00005600 4D 4D 20 46 75 6E 63 74 69 6F 6E 20 55 6E 6B 3A   MM Function Unk:
00005610 20 00 0D 0A 00 20 4C 65 6E 3D 00 0D 0A 00 2C 20   .... Len=....,
00005620 48 61 6E 64 6C 65 3D 00 0D 0A 00 2C 20 46 6C 61   Handle=...., Fla
00005630 67 73 3D 00 0D 0A 00 0D 0A 00 00 00 00 00 00 00   gs=.............
00005640 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05   ................
00005650 00 00 00 FB 00 00 00 00 02 00 00 00 01 00 00 00   ...û............
00005660 04 00 00 00 02 00 00 00 07 00 00 00 02 00 FF FF   ..............ÿÿ
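As an added example (my own code, not from this thread), here is a small Python parser that reads a dump in the form posted above and walks the ACPI table headers in it, reporting each table's offset, length and the zero-filled gap in front of it, which is how the space right below SLIC$ can be measured. It assumes the lines are `<offset> <hex bytes> <ascii>` as WinHex writes them and fills unlisted offsets with 00; the embedded input is constructed from the 745 dump's lines 00005220-00005280 and 00005480-000054A0 with the all-zero lines between them omitted.

```python
# Added example, not from the thread: parse a WinHex-style dump (as posted above)
# and walk its ACPI SDT headers, measuring the zero gap before each table.
# Constructed input: 745 lines 00005220-00005280 and 00005480-000054A0; the all-zero
# lines between them are omitted and parse_dump fills unlisted offsets with 00.
import re
import struct

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
DUMP_745 = """
00005220 00 00 00 00 00 FF 00 00 00 00 00 00 48 50 45 54   .....ÿ......HPET
00005230 38 00 00 00 01 00 44 45 4C 4C 20 20 42 38 4B 20   8.....DELL B8K
00005240 20 20 20 00 15 00 00 00 41 53 4C 20 61 00 00 00   .....ASL a...
00005250 00 00 00 00 00 00 00 00 00 00 D0 FE 00 00 00 00   ..........Ðþ....
00005260 00 E8 03 00 53 4C 49 43 24 00 00 00 01 00 44 45   .è..SLIC$.....DE
00005270 4C 4C 20 20 42 38 4B 20 20 20 20 00 15 00 00 00   LL B8K .....
00005280 41 53 4C 20 61 00 00 00 00 00 00 00 00 00 00 00   ASL a...........
00005480 00 00 00 00 00 00 00 00 54 43 50 41 32 00 00 00   ........TCPA2...
00005490 01 00 44 45 4C 4C 20 20 42 38 4B 20 20 20 20 00   ..DELL B8K .
000054A0 15 00 00 00 41 53 4C 20 61 00 00 00 00 00 00 00   ....ASL a.......
"""

def parse_dump(text):
    """Return (base_offset, buffer); unlisted offsets inside the range become 00."""
    rows = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        data = bytearray()
        for tok in tokens[1:]:                 # hex bytes end where the ASCII column starts
            if not HEX_BYTE.match(tok):
                break
            data.append(int(tok, 16))
        rows[int(tokens[0], 16)] = data
    base = min(rows)
    buf = bytearray(max(o + len(d) for o, d in rows.items()) - base)
    for off, data in rows.items():
        buf[off - base:off - base + len(data)] = data
    return base, buf

def walk_tables(base, buf, first_table):
    """List (signature, offset, length, zero_gap_before) starting at first_table."""
    pos, tables = first_table - base, []
    while True:
        gap = 0
        while pos < len(buf) and buf[pos] == 0:    # zero padding between tables
            pos, gap = pos + 1, gap + 1
        if pos + 36 > len(buf):                     # no room for a 36-byte SDT header
            break
        sig = bytes(buf[pos:pos + 4])
        if not all(0x20 <= b < 0x7F for b in sig):  # not a printable signature: stop
            break
        length = struct.unpack_from("<I", buf, pos + 4)[0]
        tables.append((sig.decode("ascii"), base + pos, length, gap))
        pos += length
    return tables
```

Calling `walk_tables(*parse_dump(DUMP_745), 0x522C)` lists HPET, SLIC and TCPA with the 512-byte zero gap between SLIC and TCPA.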
Update: Compared the "search & unpack" procedure between different Dell BIOSes – it's the same, except module type and length might be stored in 3 different ways - described a few times earlier already in this thread. The unpack procedure is 128 bytes of asm code – it's a "flavor" of LZ77. I have written an LZ77 decoder in C# already. If anybody can get/find C# source of ANY LZ77 encoder WITHOUT the Huffman part – I can modify it to produce Dell compatible encoding. Alternatively, it should be a piece of cake to get C/C++ source of LZ77 and do the same, but I'm not that good at C/C++. Bottom line: without an encoder we cannot do much anyway…
Sorry for keeping jumping between topics… But there is nothing similar in D620 or D630. Technically, the flash_recover segment must not be re-flashed during a BIOS update – it might be damaged otherwise, right? So, I guess, the D610 model is where it was introduced the first time and it remains ever since?

Subsequent questions:
Could somebody confirm if flash recovery works for D620 and up models?
Is there a way/program to dump the whole BIOS on D620 and check if the flash_recover segment is there?
Is it present in laptop BIOSes only or do new desktops have it too? If yes – how may it possibly get activated? Push (and hold?) some keyboard key combination? Definitely not the power button – if you hold it ~5 sec it'll switch the PC off.
flash_recover does exist in D620/630. It's packed and that's why I didn't see it before; file masks are below:
Code:
D620 -
TRAV????BIN
TRAV????HDR
TRAV????HDC
D620????BIN
D620????HDR

D630 -
BRIS????BIN
BRIS????HDR
BRIS????HDC
D630????BIN
D630????HDR

flash_recover has the string (below) now – pretty cool utility, right?
DUMP UTILITY FOR I/O, MEMORY AND PCI
----------------------------------------------------------
Press H for help or Q to exit
Press i(byte), ib(byte), iw(word), id(dword)
Press o ,ob, ow, od to write i/o
Press d to read physical memory
Press e to write physical memory
Press r to read PCI Config
Press a to read all PCI device Config
Press w to write PCI Config
Press u to read memory at sel : offset
Any other key to exit

Haven't found anything like it in desktop BIOSes… So we have to do all SLIC mod experiments on laptops.
Cannot tell for sure, most likely not. All of them use LZ77/LZSS + something on top like Huffman coding. I need to get "pure" LZ77 and modify it to match the Dell one.

> Seems to be Chinese:
They are both C/C++, I need C#... pudn.com has a C# version also, but there is no preview available – might be something completely useless.

> You can PM andyp, AFAIR, he is C/C++ guy

> Before we continue we should be able to encode again.
For SLIC mod – yes. Or we can try to replace the stripped RAID module with the full one to prove we can replace modules at all.

That's a C++ LZSS implementation. I guess I can post the Dell asm (and a little description?) so our experts can tell if compressor code exists already?
Update: compressor version 0.01 is ready. It creates a file compatible with the Dell un-compressor, but about 10% bigger in general. To make further progress, I'll need to implement something called "lazy coding" or "non-greedy" selection – i.e. lots of work.

BTW: Finally identified the used algorithm - it's a combination of LZSS & RLE. I guess I can post (separately) how it works and give a few code samples, if anybody wants to help with development.

Current results: (XPS 400 ACPI module)
Code:
00-02-02.rom - 23,165 (original)
00-02-02.bin - 32,768 (unpacked)
test.rom     - 23,785 (repacked)

I guess, once SLIC is inserted here, it'll be even bigger… The good thing – there's plenty of space available: the XPS 400 first section has a 68,572 "FF filled" gap.

If you consider yourself "Dell BIOS super-mods" AND ready to experiment – let me know, I'll PM the tools link. Once again, I would suggest a system with BIOS recovery available first, like Latitude D610.
Fiddled with the compressor a little bit more, made it work slightly better than the original. BTW: funny result - marker 2.1 can be compressed to the exact size of marker 2.0, i.e. only marker replacement + one (or two) crc32 correction(s) needed for SLIC upgrade.
Code:
                             original    custom
               uncompressed  compressed  compressed
00-B9K-48.rom       182         170         169     // marker 2.1
00-BMK-48.rom       182         170         169     // marker 2.1
00-M09-48.rom       182         170         169     // marker 2.1
00-09-48.rom        182         169         167     // marker 2.0
00-0A-49.rom        156         158         158     // pubkey
00-01-01.rom      65536       36961       36510
01-1D-4D.rom     100912       66415       65374

If anybody wanna try, I can post custom compressed SLICs.
Next steps... I'll post some info (well known, most likely) and post tools then. I'll try to describe as much as I can to avoid repetitive questions. Could you read and correct if you think I'm mistaken, please? I do it to make sure we are on the same page before we break anything because of a misunderstanding…
HDR file block structure

All information below was posted at least a few times. All credit goes to bbsc/rtfm.

How to get the HDR file:
Download the BIOS update exe file (for Windows) from the Dell site and run it with the -writehdrfile switch. For XPS 400 it's:
xp051a07.exe -writehdrfile

An HDR file consists of one or two blocks: romfile and optionally kromfile. Easiest method to tell – run:
xp051a07.exe -writekromfile
It will respond with either "Invalid command line..." for a romfile-only HDR file, or (e.g. for d630_a16.exe -writekromfile) "File D630_A16.bin written" for a romfile + kromfile one.

One block structure example:
Run xp051a07.exe -writehdrfile
Get xp051a07.hdr
Open in WinHex or your favorite hex editor. You will see:
Code:
000000-000007 - $RBUT version
000008-00002F - copyright message
000030-000032 - BIOS version
000038-00003F - model number (?)
000054-070053 - romfile
070054-070057 - romfile crc32 (inverted)
-----------------------------------------
So crc32 of 000054-070057 (i.e. romfile + crc32) = FFFFFFFF
* To calculate crc32 in WinHex:
  1. Select block
  2. Menu -> Tools | Compute hash | CRC32 (32 bit)
070058-07005B - whole file crc32 (inverted)
-----------------------------------------
So crc32 of 000000-07005B (i.e. whole file) = FFFFFFFF

Two block structure example:
Run d620_a10.exe -writehdrfile
Get d620_a10.hdr
Code:
000000-000007 - $RBUT version
000008-00002F - copyright message
000030-000032 - BIOS version
000038-00003F - model number (?)
000054-100053 - romfile
100054-100057 - inverted crc32(romfile)
-----------------------------------------
So crc32 of 000054-100057 (i.e. romfile + crc32) = FFFFFFFF
100058-110057 - kromfile
110058-11005B - inverted crc32(romfile + kromfile)
-----------------------------------------
So crc32 of 000054-100053 and 100058-11005B (i.e. romfile + kromfile + crc32) = FFFFFFFF
* Note that range 100054-100057 (inverted crc32(romfile)) is excluded from the calculation.
  If you want to calculate a two-range crc32, you have to write both ranges to files, concatenate them and calculate crc32. Or you can write a simple program to do it.
11005C-11005F - whole file crc32 (inverted)
-----------------------------------------
So crc32 of 000000-11005F (i.e. whole file) = FFFFFFFF

Notes:
* If you extract the first block and pad it with FF – you will get the very same romfile, the one you can get with the -writeromfile switch.
** kromfile, extracted with -writekromfile, exists as is in the hdr file, thus making it easy to locate the end of the first block (the romfile).

Bottom line: If you edit romfile content, you have to correct 2 crc32s for a one-block hdr file and 3 crc32s for a two-block hdr file.
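As an added example (my own code, not Dell's tools and not from this thread), the following Python builds an HDR image with the block layout above and re-checks exactly the ranges the post lists; patch_romfile shows the 2-vs-3 CRC correction from the bottom line. It assumes standard zlib CRC-32, that the stored "inverted" value is the bitwise complement of the CRC written little-endian (which is what makes the check come out to FFFFFFFF), and that the header before the romfile is exactly 0x54 bytes; the header and file contents are constructed, not real Dell data.

```python
# Added example, not Dell's tooling and not from the thread: build and re-check the
# CRC32 layout described above for one-block and two-block HDR files.
# Assumptions: zlib/IEEE CRC-32, stored value is the bitwise inverse written
# little-endian, and the header before the romfile is exactly 0x54 bytes.
import zlib

HEADER_LEN = 0x54      # romfile starts at 000054 in both layouts described above
MASK = 0xFFFFFFFF

def inverted_crc32(data):
    """~crc32(data): appending it makes crc32(data + tail) == FFFFFFFF."""
    return zlib.crc32(data) ^ MASK

def build_hdr(header, romfile, kromfile=b""):
    """Assemble header + romfile + crc (+ kromfile + crc) + whole-file crc."""
    assert len(header) == HEADER_LEN
    body = header + romfile + inverted_crc32(romfile).to_bytes(4, "little")
    if kromfile:
        # second CRC covers romfile + kromfile, skipping the romfile CRC field
        body += kromfile + inverted_crc32(romfile + kromfile).to_bytes(4, "little")
    return body + inverted_crc32(body).to_bytes(4, "little")

def check_hdr(hdr, rom_len, krom_len=0):
    """CRC32 over each range the post names; every value must equal MASK."""
    rom_start = HEADER_LEN
    rom_crc = rom_start + rom_len                # offset of inverted crc32(romfile)
    results = {"romfile": zlib.crc32(hdr[rom_start:rom_crc + 4]),
               "whole_file": zlib.crc32(hdr)}
    if krom_len:
        krom_start, krom_end = rom_crc + 4, rom_crc + 4 + krom_len + 4
        results["rom_plus_krom"] = zlib.crc32(
            hdr[rom_start:rom_crc] + hdr[krom_start:krom_end])   # skips romfile crc
    return results

def all_ok(results):
    return all(v == MASK for v in results.values())

def patch_romfile(hdr, rom_len, krom_len, new_romfile):
    """Replace the romfile and correct the 2 (one block) or 3 (two block) CRCs."""
    header = hdr[:HEADER_LEN]
    krom_start = HEADER_LEN + rom_len + 4
    kromfile = hdr[krom_start:krom_start + krom_len] if krom_len else b""
    return build_hdr(header, new_romfile, kromfile)

def demo():
    header = b"$RBUT".ljust(HEADER_LEN, b"\x00")   # constructed header, not a real one
    rom = bytes(range(256)) * 8                    # constructed romfile content
    krom = b"\xAA" * 600                           # constructed kromfile content
    one, two = build_hdr(header, rom), build_hdr(header, rom, krom)
    return all_ok(check_hdr(one, len(rom))), all_ok(check_hdr(two, len(rom), len(krom)))
```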