Dell bios, how to decompose / mod.

Discussion in 'BIOS Mods' started by wolf69, Nov 21, 2009.

  1. Apokrif

    Apokrif MDL Addicted

    Dec 7, 2008
    542
    35
    30
    #61 Apokrif, Dec 18, 2009
    Last edited by a moderator: Apr 20, 2017
    Latitude D610 - flash_recover segment

    There is a very interesting flash_recover segment in the Latitude D610 BIOS hdr file at 0x04054.
    It has some interesting phrases as well as the file names it looks for during the recovery process:
    I was wondering if somebody with disassembly skills could take a look?
    It might have the BIOS modules' decompression algo.
    Code:
    Looking for file:
    - not found
    The BIOS file was not found
    Could not read boot sector
    AZED????BIN AZED????HDR AZED????HDC AZE?????BIN AZE?????HDR
    Dumping sector:
    Init USB Floppy Support
    turn off bottom_boot
    System names do not match
    Back in the saddle again...
    Off we go into the wild flashing yonder
    Decompressing...
    Fatal error???
    program_this_block
    
     
  2. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    13,081
    13,980
    340
    #62 Yen, Dec 19, 2009
    Last edited by a moderator: May 23, 2017
  3. wolf69

    wolf69 MDL Senior Member

    Jul 29, 2009
    276
    19
    10
    #63 wolf69, Dec 19, 2009
    Last edited by a moderator: May 23, 2017
    (OP)
  4. wagonfixin

    wagonfixin MDL Novice

    May 15, 2008
    11
    2
    0
    SLIC-less test on Dell

    Could/would test BIOS A06 (has no SLIC) on Dell D610 here if needed... Lemme know.
     
  5. Apokrif

    Apokrif MDL Addicted

    IMO, the Dell D610 will be the best bet – it has a bad-flash recovery mechanism built in.

    Here is the map file for D610_A06.hdr:
    D610_A06.map
    ---------------------
    00054R
    04054R
    10054R
    60054B
    F4054R

    Although the XPS 400 has a simpler HDR file - XP051A07.hdr
    XP051A07.map
    ---------------------
    00054A
    68EDDR
    6FF84R
    70004R
     
  6. Apokrif

    Apokrif MDL Addicted

    #66 Apokrif, Dec 19, 2009
    Last edited by a moderator: Apr 20, 2017
    Examined Dimension 9100 A03 thoroughly – found unpack segment module procedure.
    Compared with mine - works exactly same way! :)

    About procedure itself – it searches and unpacks two modules:
    Module type 01 to address 0F000:0000
    Module type 02 to address 0F800:0000

    I name modules like this:
    Code:
    00-01-02
    ^^       segment # (00)
       ^^    module # (within segment) (01)
          ^^ module type (02)
    Haven’t found how control gets to the unpacked module though – far beyond my skills :eek:
    I guess all other modules are unpacked by either module 01 or 02.
    SLIC gets constructed by them too, most likely.
     
  7. Apokrif

    Apokrif MDL Addicted

    #67 Apokrif, Dec 19, 2009
    Last edited by a moderator: Apr 20, 2017
    I guess, I was wrong about "best bet" :(


    Checked XPS 400 vs Latitude D610
    XPS 400 has XSDT table and D610 doesn’t (too old ACPI)

    Below I compare the XSDT of the OptiPlex 745 with the XPS 400.
    Is the space right below SLIC$ in the 745 reserved for pubkey/marker?

    XSDT OptiPlex 745 / 00-03-02.bin
    Code:
    Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
    
    000050A0         41 50 49 43 92 00  00 00 01 00 44 45 4C 4C     APIC’.....DELL
    000050B0   20 20 42 38 4B 20 20 20  20 00 15 00 00 00 41 53     B8K    .....AS
    000050C0   4C 20 61 00 00 00 00 00  E0 FE 01 00 00 00 00 08   L a.....àþ......
    000050D0   01 04 01 00 00 00 00 08  02 06 00 00 00 00 00 08   ................
    000050E0   03 05 00 00 00 00 00 08  04 07 00 00 00 00 00 08   ................
    000050F0   05 00 00 00 00 00 00 08  06 01 00 00 00 00 00 08   ................
    00005100   07 02 00 00 00 00 00 08  08 03 00 00 00 00 01 0C   ................
    00005110   08 00 00 00 C0 FE 00 00  00 00 02 0A 00 00 02 00   ....Àþ..........
    00005120   00 00 00 00 02 0A 00 09  09 00 00 00 0D 00 04 06   ................
    00005130   FF 0D 00 01 42 4F 4F 54  28 00 00 00 01 00 44 45   ÿ...BOOT(.....DE
    00005140   4C 4C 20 20 42 38 4B 20  20 20 20 00 15 00 00 00   LL  B8K    .....
    00005150   41 53 4C 20 61 00 00 00  7A 00 00 00 41 53 46 21   ASL a...z...ASF!
    00005160   92 00 00 00 20 00 44 45  4C 4C 20 20 42 38 4B 20   ’... .DELL  B8K 
    00005170   20 20 20 00 15 00 00 00  41 53 4C 20 61 00 00 00      .....ASL a...
    00005180   04 00 07 00 00 01 88 01  00 2C 00 00 00 03 0C 89   ......ˆ..,.....‰
    00005190   04 01 01 05 6F 00 68 08  88 17 00 89 04 04 04 07   ....o.h.ˆ..‰....
    000051A0   6F 00 68 20 88 03 00 89  05 01 01 19 6F 00 68 20   o.h ˆ..‰....o.h 
    000051B0   88 22 00 02 00 14 00 03  04 00 00 02 88 00 01 01   ˆ"..........ˆ...
    000051C0   88 00 02 03 88 00 04 03  00 17 00 00 10 00 00 00   ˆ...ˆ...........
    000051D0   01 07 01 00 00 00 00 00  00 00 00 00 00 00 80 00   ..............€.
    000051E0   10 00 FF 00 DA 01 00 00  02 A2 00 00 00 00 4D 43   ..ÿ.Ú....¢....MC
    000051F0   46 47 3E 00 00 00 01 00  44 45 4C 4C 20 20 42 38   FG>.....DELL  B8
    00005200   4B 20 20 20 20 00 15 00  00 00 41 53 4C 20 61 00   K    .....ASL a.
    00005210   00 00 00 00 00 00 00 00  00 00 00 00 00 E0 00 00   .............à..
    00005220   00 00 00 00 00 FF 00 00  00 00 00 00 48 50 45 54   .....ÿ......HPET
    00005230   38 00 00 00 01 00 44 45  4C 4C 20 20 42 38 4B 20   8.....DELL  B8K 
    00005240   20 20 20 00 15 00 00 00  41 53 4C 20 61 00 00 00      .....ASL a...
    00005250   00 00 00 00 00 00 00 00  00 00 D0 FE 00 00 00 00   ..........Ðþ....
    
    00005260   00 E8 03 00 53 4C 49 43  24 00 00 00 01 00 44 45   .è..SLIC$.....DE
    00005270   4C 4C 20 20 42 38 4B 20  20 20 20 00 15 00 00 00   LL  B8K    .....
    00005280   41 53 4C 20 61 00 00 00  00 00 00 00 00 00 00 00   ASL a...........
    00005290   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    000052A0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    000052B0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    000052C0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    000052D0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    000052E0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    000052F0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    00005300   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    00005310   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    00005320   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    00005330   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    00005340   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    00005350   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    00005360   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    00005370   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    00005380   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    00005390   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    000053A0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    000053B0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    000053C0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    000053D0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    000053E0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    000053F0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    00005400   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    00005410   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    00005420   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    00005430   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    00005440   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    00005450   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    00005460   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    00005470   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    00005480   00 00 00 00 00 00 00 00  54 43 50 41 32 00 00 00   ........TCPA2...
    00005490   01 00 44 45 4C 4C 20 20  42 38 4B 20 20 20 20 00   ..DELL  B8K    .
    000054A0   15 00 00 00 41 53 4C 20  61 00 00 00 00 00 00 00   ....ASL a.......
    000054B0   01 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    000054C0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    000054D0   02 00 00 00 01 00 00 00  04 00 00 00 02 00 00 00   ................
    000054E0   07 00 00 00 02 00 FF FF                            ......ÿÿ
    
    XPS 400 00-02-02.bin
    Code:
    Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
    
    00005440                               41 50 49 43 72 00 00            APICr..
    00005450   00 01 00 44 45 4C 4C 20  20 44 58 50 30 35 31 20   ...DELL  DXP051 
    00005460   00 07 00 00 00 41 53 4C  20 61 00 00 00 00 00 E0   .....ASL a.....à
    00005470   FE 01 00 00 00 00 08 01  04 01 00 00 00 00 08 02   þ...............
    00005480   06 00 00 00 00 00 08 03  05 00 00 00 00 00 08 04   ................
    00005490   07 00 00 00 00 01 0C 08  00 00 00 C0 FE 00 00 00   ...........Àþ...
    000054A0   00 02 0A 00 00 02 00 00  00 00 00 02 0A 00 09 09   ................
    000054B0   00 00 00 0D 00 04 06 FF  0D 00 01 42 4F 4F 54 28   .......ÿ...BOOT(
    000054C0   00 00 00 01 00 44 45 4C  4C 20 20 44 58 50 30 35   .....DELL  DXP05
    000054D0   31 20 00 07 00 00 00 41  53 4C 20 61 00 00 00 7A   1 .....ASL a...z
    000054E0   00 00 00 41 53 46 21 67  00 00 00 10 00 44 45 4C   ...ASF!g.....DEL
    000054F0   4C 20 20 44 58 50 30 35  31 20 00 07 00 00 00 41   L  DXP051 .....A
    00005500   53 4C 20 61 00 00 00 04  00 07 00 00 01 88 01 00   SL a.........ˆ..
    00005510   2C 00 00 00 03 0C 89 04  01 01 05 6F 00 68 08 88   ,.....‰....o.h.ˆ
    00005520   17 00 89 04 04 04 07 6F  00 68 20 88 03 00 89 05   ..‰....o.h ˆ..‰.
    00005530   01 01 19 6F 00 68 20 88  22 00 80 00 10 00 FF 00   ...o.h ˆ".€...ÿ.
    00005540   D1 01 00 00 02 A2 00 00  00 00 4D 43 46 47 3E 00   Ñ....¢....MCFG>.
    00005550   00 00 01 00 44 45 4C 4C  20 20 44 58 50 30 35 31   ....DELL  DXP051
    00005560   20 00 07 00 00 00 41 53  4C 20 61 00 00 00 00 00    .....ASL a.....
    00005570   00 00 00 00 00 00 00 00  00 80 00 00 00 00 00 00   .........€......
    00005580   00 3F 00 00 00 00 00 00  48 50 45 54 38 00 00 00   .?......HPET8...
    00005590   01 00 44 45 4C 4C 20 20  44 58 50 30 35 31 20 00   ..DELL  DXP051 .
    000055A0   07 00 00 00 41 53 4C 20  61 00 00 00 00 00 00 00   ....ASL a.......
    000055B0   00 00 00 00 00 00 D0 FE  00 00 00 00 00 E8 03 00   ......Ðþ.....è..
    000055C0   50 4D 4D 20 46 75 6E 63  74 69 6F 6E 20 30 30 3A   PMM Function 00:
    000055D0   20 00 0D 0A 00 50 4D 4D  20 46 75 6E 63 74 69 6F    ....PMM Functio
    000055E0   6E 20 30 31 3A 20 00 0D  0A 00 50 4D 4D 20 46 75   n 01: ....PMM Fu
    000055F0   6E 63 74 69 6F 6E 20 30  32 3A 20 00 0D 0A 00 50   nction 02: ....P
    00005600   4D 4D 20 46 75 6E 63 74  69 6F 6E 20 55 6E 6B 3A   MM Function Unk:
    00005610   20 00 0D 0A 00 20 4C 65  6E 3D 00 0D 0A 00 2C 20    .... Len=...., 
    00005620   48 61 6E 64 6C 65 3D 00  0D 0A 00 2C 20 46 6C 61   Handle=...., Fla
    00005630   67 73 3D 00 0D 0A 00 0D  0A 00 00 00 00 00 00 00   gs=.............
    00005640   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 05   ................
    00005650   00 00 00 FB 00 00 00 00  02 00 00 00 01 00 00 00   ...û............
    00005660   04 00 00 00 02 00 00 00  07 00 00 00 02 00 FF FF   ..............ÿÿ
    
     
  8. Apokrif

    Apokrif MDL Addicted

    Update:
    Compared the “search & unpack” procedure between different Dell BIOSes – it’s the same, except that module type and length might be stored in 3 different ways, already described a few times earlier in this thread.

    The unpack procedure is 128 bytes of asm code – it’s a "flavor" of LZ77.
    I have already written an LZ77 decoder in C#.
    If anybody can get/find C# source of ANY LZ77 encoder WITHOUT the Huffman part – I can modify it to produce Dell-compatible encoding.
    Alternatively, it should be a piece of cake to get C/C++ source of LZ77 and do the same, but I’m not very good at C/C++. :eek:

    Bottom line: without encoder we cannot do much anyway… :(
     
  9. Apokrif

    Apokrif MDL Addicted

    Sorry to keep jumping between topics…
    But there is nothing similar in D620 or D630
    Technically, the flash_recover segment must not be re-flashed during a BIOS update – it might be damaged otherwise, right?
    So, I guess, the D610 model is where it was first introduced and it has remained ever since? :rolleyes:

    Subsequent questions:
    Could somebody confirm if flash recovery works for D620 and up models?
    Is there a way/program to dump the whole BIOS on a D620 and check if the flash_recover segment is there?
    Is it present in laptop BIOSes only, or do new desktops have it too?
    If yes – how might it possibly get activated?
    Push (and hold?) some keyboard key combination?
    Definitely not the power button – if you hold it ~5 sec it’ll switch PC off. :cool:
     
  10. Apokrif

    Apokrif MDL Addicted

    #70 Apokrif, Dec 20, 2009
    Last edited by a moderator: Apr 20, 2017
    flash_recover does exist in D620/630. It’s packed and that’s why I didn’t see it before, file masks are below:
    Code:
    D620 - TRAV????BIN TRAV????HDR TRAV????HDC D620????BIN D620????HDR
    D630 - BRIS????BIN BRIS????HDR BRIS????HDC D630????BIN D630????HDR
    flash_recover has string (below) now – pretty cool utility, right? :cool:

    DUMP UTILITY FOR I/O, MEMORY AND PCI
    ----------------------------------------------------------
    Press H for help or Q to exit

    Press i(byte), ib(byte), iw(word), id(dword)
    Press o ,ob, ow, od to write i/o
    Press d to read physical memory
    Press e to write physical memory
    Press r to read PCI Config
    Press a to read all PCI device Config
    Press w to write PCI Config
    Press u to read memory at sel : offset
    Any other key to exit

    Haven’t found anything in desktop BIOSes…
    So we have to do all SLIC mod experiments on laptops ;)
     
  11. Yen

    Yen Admin
    Staff Member

  12. Apokrif

    Apokrif MDL Addicted

    Cannot tell for sure, most likely not. All of them use LZ77/LZSS + something on top like Huffman coding.
    I need to get “pure” LZ77 and modify it to match the Dell one.

    >Seems to be Chinese:
    They are both C/C++, I need C#...
    pudn.com has C# version also, but there is no preview avail – might be something useless completely.

    >You can PM andyp,
    AFAIR, he is C/C++ guy :)

    >Before we continue we should be able to encode again.
    For SLIC mod – yes.
    Or we can try to replace the striped RAID module with the full one to prove we can replace modules at all.

    That’s C++ LZSS implementation.

    I guess, I can post Dell asm (and a little description?) so our experts can tell if compressor code exists already?
     
  13. Yen

    Yen Admin
    Staff Member

  14. Apokrif

    Apokrif MDL Addicted

    #75 Apokrif, Dec 20, 2009
    Last edited by a moderator: Apr 29, 2017
  15. Apokrif

    Apokrif MDL Addicted

    #76 Apokrif, Dec 24, 2009
    Last edited by a moderator: Apr 20, 2017
    Update: compressor version 0.01 is ready. :)
    It creates a file compatible with the Dell un-compressor, but about 10% bigger in general.
    To make further progress, I’ll need to implement something called "lazy coding" or "non-greedy" selection – i.e. lots of work. :(

    BTW: Finally identified the algorithm used - it's a combination of LZSS & RLE :)
    I guess, I can post (separately) how it works and give few code samples, if anybody wants to help with development :rolleyes:

    Current results: (XPS 400 ACPI module)
    Code:
    00-02-02.rom - 23,165 (original)
    00-02-02.bin - 32,768 (unpacked)
    test.rom – 23,785 (repacked)
    I guess, once SLIC is inserted here, it’ll be even bigger…
    The good thing – there’s plenty of space available :)
    XPS 400 first section has 68,572 “FF filled” gap.

    If you consider yourself “Dell BIOS super-mods” AND ready to experiment – let me know, I’ll PM tools link.
    Once again, I would suggest system with BIOS recovery available first like Latitude D610. :rolleyes:
     
  16. Apokrif

    Apokrif MDL Addicted

    #77 Apokrif, Dec 26, 2009
    Last edited by a moderator: Apr 20, 2017
    Fiddled with the compressor a little bit more, made it work slightly better than the original.
    BTW: funny result - marker 2.1 can be compressed to exact size of marker 2.0 :)
    I.e. only marker replacement + one (or two) crc32 correction(s) needed for SLIC upgrade
    Code:
                                original     custom
                 uncompressed compressed compressed
    00-B9K-48.rom         182        170        169 // marker 2.1
    00-BMK-48.rom         182        170        169 // marker 2.1
    00-M09-48.rom         182        170        169 // marker 2.1
    00-09-48.rom          182        169        167 // marker 2.0
    00-0A-49.rom          156        158        158 // pubkey
    00-01-01.rom        65536      36961      36510 
    01-1D-4D.rom       100912      66415      65374
    
    If anybody wanna try, I can post custom compressed SLICs :rolleyes:
     
  17. pix

    pix MDL Member

    Nov 3, 2008
    136
    96
    10
    Great work Apokrif!

    If you want to share the load of putting a tool together, I'd be glad to help.
     
  18. Apokrif

    Apokrif MDL Addicted

    Next steps...

    I’ll post some info (well known, most likely ;)) and post tools then.
    I’ll try to describe as much as I can to avoid repetitive questions.
    Could you read and correct if you think I’m mistaken, please?
    I do it to make sure we are on the same page before we break anything because of a misunderstanding… :confused:
     
  19. Apokrif

    Apokrif MDL Addicted

    #80 Apokrif, Dec 27, 2009
    Last edited by a moderator: Apr 20, 2017
    HDR file block structure

    All information below was posted at least a few times. All credit goes to bbsc/rtfm

    How to get the HDR file:
    Download the BIOS update exe file (for Windows) from the Dell site and run it with the -writehdrfile switch
    For XPS 400 it’s:
    xp051a07.exe -writehdrfile

    HDR file consists of one or two blocks: romfile and optionally kromfile.
    Easiest method to tell – run with the -writekromfile switch:
    xp051a07.exe -writekromfile
    will respond with “Invalid command line...” for a romfile-only HDR file,
    or
    d630_a16.exe -writekromfile
    will respond with “File D630_A16.bin written” for a romfile + kromfile one.

    One block structure example:
    Run xp051a07.exe -writehdrfile
    Get xp051a07.hdr

    Open in WinHex or your favorite hex editor. You will see:
    Code:
    000000-000007 - $RBUT version
    000008-00002F - copyright message
    000030-000032 - BIOS version
    000038-00003F - model number (?)
    
    000054-070053 - romfile
    070054-070057 - romfile crc32 (inverted)
    -----------------------------------------
    So crc32 of 000054-070057 - (i.e. romfile + crc32) = FFFFFFFF
    * To calculate crc32 in WinHex:
    1. Select block
    2. Menu -> Tools | Compute hash | CRC32 (32 bit)
    
    070058-07005B – whole file crc32 (inverted)
    -----------------------------------------
    So crc32 of 000000-07005B - (i.e. whole file) = FFFFFFFF
    
    
    Two block structure example:
    Run d620_a10.exe -writehdrfile
    Get d620_a10.hdr

    Code:
    000000-000007 - $RBUT version
    000008-00002F - copyright message
    000030-000032 - BIOS version
    000038-00003F - model number (?)
    
    000054-100053 - romfile
    100054-100057 - inverted crc32(romfile)
    -----------------------------------------
    So crc32 of 000054-100057 - (i.e. romfile + crc32) = FFFFFFFF
    
    100058-110057 - kromfile
    110058-11005B - inverted crc32(romfile + kromfile)
    -----------------------------------------
    So crc32 of 000054-100053 and 100058-11005B 
    (i.e. romfile + kromfile + crc32) = FFFFFFFF
    * Note that range 100054-100057 (inverted crc32(romfile)) is 
    excluded from calculation.
    If you want to calculate two range crc32, you have to write both 
    ranges to files, concatenate them and calculate crc32. 
    Or you can write a simple program to do it.
    
    11005C-11005F - whole file crc32 (inverted)
    -----------------------------------------
    So crc32 of 000000-11005F - (i.e. whole file) = FFFFFFFF
    
    Notes:
    * If you extract the first block and pad it with FF – you will get the very same romfile,
    the one you can get with the -writeromfile switch.
    ** kromfile, extracted with -writekromfile, exists as is in the hdr file,
    which makes it easy to locate the end of the first block (the romfile)

    Bottom line:
    If you edit romfile content, you have to correct 2 crc32 for one block hdr file and 3 crc32 for two blocks hdr file.
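
The checksum layout described in post #80, written out as an integrity check that reports which of the two or three CRC32 fields of an HDR image hold. This is an added example, not the poster's tool or Dell code. It assumes that WinHex's CRC32 is the standard zlib CRC-32 and that the caller supplies the block sizes; `check_hdr`, `build_sample` and the miniature image are constructed for illustration.

```python
import struct
import zlib

HDR_LEN = 0x54       # romfile starts at 000054 in both layouts from the post
GOOD = 0xFFFFFFFF    # CRC32 over (data + stored inverted CRC32) must equal this

def crc32_ranges(blob, ranges):
    """CRC32 of several [start, end) ranges as if they were concatenated."""
    crc = 0
    for start, end in ranges:
        crc = zlib.crc32(blob[start:end], crc)
    return crc & 0xFFFFFFFF

def inverted_crc(data):
    # Little-endian storage is what makes the FFFFFFFF property hold for
    # the standard reflected CRC-32 (assumed to be what WinHex computes).
    return struct.pack("<I", zlib.crc32(data) ^ 0xFFFFFFFF)

def check_hdr(blob, rom_size, krom_size=0):
    """Verify every checksum of a one-block (krom_size=0) or two-block HDR.

    Sizes come from the caller (assumption); the post's examples are
    0x70000 for xp051a07.hdr and 0x100000 + 0x10000 for d620_a10.hdr.
    """
    rom_end = HDR_LEN + rom_size
    krom_start = rom_end + 4                  # skip the romfile CRC field
    krom_end = krom_start + krom_size
    total = krom_end + (8 if krom_size else 4)
    if len(blob) != total:
        raise ValueError(f"expected {total:#x} bytes, got {len(blob):#x}")
    results = {"romfile": crc32_ranges(blob, [(HDR_LEN, rom_end + 4)]) == GOOD}
    if krom_size:
        # The romfile CRC field itself is excluded from this calculation.
        results["romfile+kromfile"] = crc32_ranges(
            blob, [(HDR_LEN, rom_end), (krom_start, krom_end + 4)]) == GOOD
    results["whole file"] = crc32_ranges(blob, [(0, total)]) == GOOD
    return results

def build_sample(rom, krom=b""):
    """Constructed miniature image following the post's layout (not a real BIOS)."""
    body = b"$RBUT".ljust(HDR_LEN, b"\0") + rom + inverted_crc(rom)
    if krom:
        body += krom + inverted_crc(rom + krom)
    return body + inverted_crc(body)

if __name__ == "__main__":
    image = bytearray(build_sample(b"\xAA" * 64, b"\xBB" * 32))
    print(check_hdr(bytes(image), 64, 32))
    image[HDR_LEN + 64 + 4 + 5] ^= 0x01       # corrupt one kromfile byte
    print(check_hdr(bytes(image), 64, 32))
```

A damaged kromfile byte leaves the romfile checksum intact while the combined and whole-file checksums fail, which localises the corruption to the second block.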