Dell bios, how to decompose / mod.

Discussion in 'BIOS Mods' started by wolf69, Nov 21, 2009.

  2. Apokrif

    Apokrif MDL Addicted

    >but there are things like ROM resizing after initialization (Since both ROMs are sort of stuck together, how would shrinking ROM1 affect ROM2, etc). Or also the total ROM size reported by the first ROM (does it have to include the second ROM's size, and thus, how does it deal with shrinking if it wants to)
    Oh boy, I didn't know such a thing exists...
    I thought a correct ROM size + checksum would be enough...
    Maybe after WinSLIC execution we can "simply" correct
    Jmp WinSLICMain
    back to
    Jmp Main
    and remove all traces? :)
    I guess we cannot modify that "jmp" easily either...

    >Then, after initialization, there's the BCV/BEV call, which is a little complex, too. Further, I was looking at chaining various Int13h
    I hope we can find a simpler solution...

    >Well, for the EBDA, you'd just go to 40:0E
    I don't have those computers physically - i.e. without any SLIC and with BIOS recovery - we still have to find an owner willing to experiment...

    >As for the xSDT tables, do you know how they get loaded into memory yet? You might be able to dump the SLIC on the end of that module and figure out the address from the known address of the xSDT table.
    Are those absolute addresses? How does the super-static method work then? I.e. depending on which option ROMs are loaded, the RSDT/XSDT tables might move too.
    Do you have a link to a concise document about them?
    I was about to post "my next post", but saw yours and decided to reply first :)
     
  3. truthinjection

    truthinjection MDL Member

    Hopefully we won't need that capability. :)

    Gotcha.

    Well, the xSDT tables are in the F000 region (I'm assuming), which I'm guessing won't be moving around too much. The option roms all load into the C000-DFFF region, so they alone shouldn't bump the allocation of the ACPI tables. If modules are loaded as a unit, knowing the length of the module and the offset difference between the xSDT table and the SLIC should allow for appending the SLIC address onto the xSDT table, at least in theory.

    Not really. No more documentation than you at least. Really I'm just theorizing.

    -tij-
     
  4. Apokrif

    Apokrif MDL Addicted

    #107 Apokrif, Jan 2, 2010
    Last edited by a moderator: Apr 20, 2017
    Mine are D032 & D09A, right?
    Code:
    Table Name        OEMID  TableID  Address   Length  Description  (ACPI 2.0; Length in bytes, decimal)
    
    RSD PTR           DELL            000FEBF1      36  Root System Desc. Pointer
     |
     |- RSDT          DELL   XXX      000FD032      68  Root System Desc. Table
     |     |
     |  00 |- FACP    DELL   XXX      000FD146     116
     |  01 |- SSDT    DELL   st_ex    FFF5DB88     172
     |  02 |- BOOT    DELL   XXX      000FD340      40
     |  03 |- MCFG    DELL   XXX      000FD368      62
     |  04 |- HPET    DELL   XXX      000FD3A6      56
     |* 05 |- SLIC    DELL   XXX      000FD3DE     374  Software Licensing Desc. Table
     |  06 |- OSFR    DELL   XXX      CFE55C00     124
     |  07 |- APIC    DELL   XXX      000FD2AE     146
     |
     |- XSDT          DELL   XXX      000FD09A     100  Extended System Desc. Table
           |
        00 |- FACP    DELL   XXX      000FD1BA     244
        01 |- SSDT    DELL   st_ex    FFF5DB88     172
        02 |- APIC    DELL   XXX      000FD2AE     146
        03 |- BOOT    DELL   XXX      000FD340      40
        04 |- MCFG    DELL   XXX      000FD368      62
        05 |- HPET    DELL   XXX      000FD3A6      56
        06 |- OSFR    DELL   XXX      CFE55C00     124
      * 07 |- SLIC    DELL   XXX      000FD3DE     374  Software Licensing Desc. Table
    I was looking at the code in the RSDT module I just posted and I think I found how one module calls another. I don't want to post right away, I might be mistaken about it. Will let you know soon. :)
     
  5. Apokrif

    Apokrif MDL Addicted

    #108 Apokrif, Jan 2, 2010
    Last edited by a moderator: Apr 20, 2017
    Option ROM

    truthinjection,
    Could you tell what kind of ROM this is:
    Code:
    Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
    00000000   AA 55 21 00 00 00 19 0D  B0 0C 00 00 4E 00 00 00   ªU!.....°...N...
    00000010   FF FF CF 00 48 03 00 00  00 00 00 00 00 00 00 00   ÿÿÏ.H...........
    00000020   00 0F 6E FB 0F 73 F7 20  8B EF 8B 7C 24 04 33 DB   ..nû.s÷ ‹ï‹|$.3Û
    00000030   8A 5C 24 08 FC 80 FB 01  74 0C 80 FB 02 74 14 80   Š\$.ü€û.t.€û.t.€
    00000040   FB 03 74 16 EB 1F 0F 6E  E0 E9 68 00 00 00 0F 7E   û.t.ë..nàéh....~
    00000050   E0 EB 14 E9 F4 02 00 00  EB 0D E9 59 02 00 00 EB   àë.éô...ë.éY...ë
    00000060   06 B2 03 EB 02 B2 16 0F  73 D7 20 0F 7E FB 8B FD   .².ë.²..s× .~û‹ý
    00000070   8B 1C 24 FF E3 42 52 43  4D 54 50 4D 44 52 56 2D   ‹.$ÿãBRCMTPMDRV-
    00000080   4D 41 2D 53 45 47 33 32  20 76 33 2E 30 2E 39 20   MA-SEG32 v3.0.9 
    00000090   43 6F 70 79 72 69 67 68  74 20 32 30 30 36 2C 20   Copyright 2006, 
    000000A0   42 72 6F 61 64 63 6F 6D  20 43 6F 72 70 6F 72 61   Broadcom Corpora
    000000B0   74 69 6F 6E 00 00 0F 6E  EA EB 17 66 83 F8 00 75   tion...nêë.fƒø.u
    000000C0   0A 0F 7E EA E9 85 01 00  00 EB 00 8A D0 E9 7C FF   ..~êé…...ë.ŠÐé|ÿ
    000000D0   FF FF BB 00 0F 00 00 8D  15 E4 00 00 00 03 D7 E9   ÿÿ».....ä....×é
    000000E0   16 04 00 00 3D E4 14 01  10 75 06 66 B8 00 00 EB   ....=ä...u.f¸..ë
    000000F0   12 3D E4 14 02 10 75 07  B8 00 00 00 00 EB 04 66   .=ä...u.¸....ë.f
    00000100   B8 08 00 EB B6 00 81 E1  FF FF 00 00 75 03 83 C9   ¸..ë¶.áÿÿ..u.ƒÉ
    00000110   01 C1 E0 10 0B C8 66 33  C0 B4 0B E4 70 24 80 0A   .Áà..Èf3À´.äp$€.
    00000120   C4 E6 70 E4 71 C1 E1 08  8A C8 66 0F BA E8 06 C1   ÄæpäqÁá.ŠÈf.ºè.Á
    00000130   C9 08 66 C1 C0 08 B0 0B  C1 C0 08 E4 70 24 80 0A   É.fÁÀ.°.ÁÀ.äp$€.
    00000140   C4 E6 70 C1 C8 10 E6 71  B4 0C E4 70 24 80 0A C4   ÄæpÁÈ.æq´.äp$€.Ä
    00000150   E6 70 E4 71 2E 8B 87 08  00 00 00 66 83 C0 02 66   æpäq.‹‡....fƒÀ.f
    00000160   92 C1 C0 10 C1 C9 10 66  33 C0 EC 86 C1 66 0F A3   ’ÁÀ.ÁÉ.f3Àì†Áf.£
    00000170   C1 86 C1 72 1F C1 C1 10  B4 0C E4 70 24 80 0A C4   Á†Ár.ÁÁ.´.äp$€.Ä
    00000180   E6 70 E4 71 66 0F BA E0  06 73 D9 66 49 75 D5 32   æpäqf.ºà.sÙfIuÕ2
    00000190   C0 C1 C9 10 8A C8 C1 C1  18 C1 C0 10 66 92 8A E1   ÀÁÉ.ŠÈÁÁ.ÁÀ.f’Šá
    000001A0   B0 0B C1 C0 08 E4 70 24  80 0A C4 E6 70 C1 C8 10   °.ÁÀ.äp$€.ÄæpÁÈ.
    000001B0   E6 71 B4 0C E4 70 24 80  0A C4 E6 70 E4 71 66 33   æq´.äp$€.Äæpäqf3
    000001C0   C0 C1 C9 18 8A C1 FF E2  66 33 C0 B4 0B E4 70 24   ÀÁÉ.ŠÁÿâf3À´.äp$
    000001D0   80 0A C4 E6 70 E4 71 8A  D8 66 0F BA E8 06 66 C1   €.ÄæpäqŠØf.ºè.fÁ
    000001E0   C0 08 B0 0B C1 C0 08 E4  70 24 80 0A C4 E6 70 C1   À.°.ÁÀ.äp$€.ÄæpÁ
    000001F0   C8 10 E6 71 B4 0C E4 70  24 80 0A C4 E6 70 E4 71   È.æq´.äp$€.Äæpäq
    00000200   66 0F BA E0 06 73 ED 8A  E3 B0 0B C1 C0 08 E4 70   f.ºà.síŠã°.ÁÀ.äp
    00000210   24 80 0A C4 E6 70 C1 C8  10 E6 71 B4 0C E4 70 24   $€.ÄæpÁÈ.æq´.äp$
    00000220   80 0A C4 E6 70 E4 71 FF  E2 00 00 C1 00 00 00 0C   €.Äæpäqÿâ..Á....
    00000230   00 00 00 99 00 01 00 C1  00 00 00 0C 00 00 00 99   ...™...Á.......™
    00000240   00 02 00 C1 00 00 00 0C  00 00 00 99 00 03 66 33   ...Á.......™..f3
    00000250   C0 80 FA 00 74 31 80 FA  01 74 0C 80 FA 02 74 11   À€ú.t1€ú.t.€ú.t.
     
  6. truthinjection

    truthinjection MDL Member

  7. sebus

    sebus MDL Guru

    I think (sadly) that might be the case. All new Dell/HP/Compaq notebooks (that I saw recently) come with this module.
    But they all also are Win7 machines, so that is not a problem

    sebus
     
  8. Apokrif

    Apokrif MDL Addicted

    #113 Apokrif, Jan 2, 2010
    Last edited: Jan 2, 2010
    How is it supposed to work?
    If the boot sector is encrypted, the BIOS needs to load it, call TPMDRV to decrypt it, then pass control there, right?
    I.e. the BIOS knows about TPMDRV already. And WinSLIC won't work as TPMDRV - it has to have a device it can be bound to, right?

    BTW: That TPMDRV is from the Latitude D410 BIOS; it doesn't even have a SLIC in it!
     
  9. sebus

    sebus MDL Guru

    All I said was that new laptops come with this module, but they are already Win7, so there is no need for any mod (hence not worth worrying about it)

    Can you turn OFF the TPM in BIOS?

    sebus
     
  10. truthinjection

    truthinjection MDL Member

    I think the TPM is only (usually) used for BitLocker drive encryption in Windows 7, so maybe it won't be an issue until Windows 8 :)

    -tij-
     
  11. Apokrif

    Apokrif MDL Addicted

    #116 Apokrif, Jan 2, 2010
    Last edited: Jan 3, 2010
    In this case once you move the HD to another PC you will lose all access to it, even if you know all the keys, right?
    IMO the only reason for "hardware" encryption is if there is a "hardware chip" able to do it faster than the CPU.
    Its main purpose is to be a tracking device; all the others are just disguises...
    I hope I'm wrong...

    The image from the Wiki link above:
    "Trusted Platform Module on Asus motherboard P5Q PREMIUM"
    It looks like you can transfer the module from one mobo to another, doesn't it?

    Edit:
    I've read a little more about TPM... Is the PC going the same way most gaming consoles already went?
    Everything is secured, from the very boot... no unsigned code, nothing... unless there is a key leak or some sort of bug... :(
     
  12. Apokrif

    Apokrif MDL Addicted

    #117 Apokrif, Jan 3, 2010
    Last edited by a moderator: Apr 20, 2017
    ACPI tables

    Laptops have dynamically built ACPI tables.
    In the BIOS module the RSDT length is 0:
    Code:
    Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
    000054F0                                           52 53 44                RSD
    00005500   54 00 00 00 00 01 00 44  45 4C 4C 20 20 4D 30 37   T......DELL  M07
    00005510   20 20 20 20 00 0B 0A D7  27 41 53 4C 20 61 00 00       ...×'ASL a..
    00005520   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    00005530   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    00005540   00 46 41 43 50 74 00 00  00 01 00 44 45 4C 4C 20   .FACPt.....DELL 
    00005550   20 4D 30 37 20 20 20 20  00 0B 0A D7 27 41 53 4C    M07    ...×'ASL
    00005560   20 61 00 00 00 00 00 00  00 00 00 00 00 01 02 09    a..............
    00005570   00 B2 00 00 00 70 71 97  80 00 10 00 00 00 00 00   .²...pq—€.......
    00005580   00 04 10 00 00 00 00 00  00 20 10 00 00 08 10 00   ......... ......
    00005590   00 28 10 00 00 00 00 00  00 04 02 01 04 08 00 00   .(..............
    000055A0   00 96 00 FA 00 00 00 00  00 01 03 0D 00 32 03 00   .–.ú.........2..
    000055B0   00 BD 82 00 00 41 50 49  43 68 00 00 00 01 00 44   .½‚..APICh.....D
    
    
    Desktops have statically linked, already populated ACPI tables:
    GX620 / A11 for example, RSDT length 40 & XSDT length 5C.
    * Obviously, the RSDT module is loaded to the very same address every time.
    Code:
    Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
    00005200            52 53 44 54 40  00 00 00 01 00 44 45 4C      RSDT@.....DEL
    00005210   4C 20 20 47 58 36 32 30  20 20 00 07 00 00 00 41   L  GX620  .....A
    00005220   53 4C 20 61 00 00 00 DB  D2 0F 00 00 00 00 00 43   SL a...ÛÒ......C
    00005230   D4 0F 00 B5 D4 0F 00 DD  D4 0F 00 44 D5 0F 00 82   Ô..µÔ..ÝÔ..DÕ..‚
    00005240   D5 0F 00 00 00 00 00 00  00 00 00 00 00 00 00 00   Õ...............
    00005250   00 00 00 00 00 00 00 58  53 44 54 5C 00 00 00 01   .......XSDT\....
    00005260   00 44 45 4C 4C 20 20 47  58 36 32 30 20 20 00 07   .DELL  GX620  ..
    00005270   00 00 00 41 53 4C 20 61  00 00 00 4F D3 0F 00 00   ...ASL a...OÓ...
    00005280   00 00 00 00 00 00 00 00  00 00 00 43 D4 0F 00 00   ...........CÔ...
    00005290   00 00 00 B5 D4 0F 00 00  00 00 00 DD D4 0F 00 00   ...µÔ......ÝÔ...
    000052A0   00 00 00 44 D5 0F 00 00  00 00 00 82 D5 0F 00 00   ...DÕ......‚Õ...
    000052B0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    000052C0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    000052D0   00 00 00 00 00 00 00 00  00 00 00 46 41 43 50 74   ...........FACPt
    000052E0   00 00 00 01 00 44 45 4C  4C 20 20 47 58 36 32 30   .....DELL  GX620
    000052F0   20 20 00 07 00 00 00 41  53 4C 20 61 00 00 00 00     .....ASL a....
    00005300   00 00 00 00 00 00 00 01  00 09 00 B2 00 00 00 70   ...........²...p
    00005310   71 00 00 00 08 00 00 00  00 00 00 04 08 00 00 00   q...............
    00005320   00 00 00 00 00 00 00 08  08 00 00 28 08 00 00 00   ...........(....
    00005330   00 00 00 04 02 00 04 08  00 00 00 F4 01 88 13 00   ...........ô.ˆ..
    00005340   00 00 00 00 00 00 00 00  00 00 00 A5 00 00 00 46   ...........¥...F
    00005350   41 43 50 F4 00 00 00 03  00 44 45 4C 4C 20 20 47   ACPô.....DELL  G
    00005360   58 36 32 30 20 20 00 07  00 00 00 41 53 4C 20 61   X620  .....ASL a
    
    I.e. adding a SLIC is really a piece of cake!
    The real pity is that laptops have a recovery module while desktops don't.
    On the other hand, the laptop mod will require some code injection, i.e. it is quite a bit more complex, error prone, and might differ between families / BIOS revisions.
    Another observation: desktop RSDT modules are quite sparse, with lots of unused space to insert anything, which is good for future development. And notebook RSDT modules are very dense, no empty space at all. Even a small code injection will extend the module size.

    I used to have a whole bunch of old Dell desktops... Not anymore; they were all thrown out right before New Year :(

    BTW: Sebus - could you compare my dump with the SLIC_ToolKit_V3.0 report and post its ACPI page here, please?
     
  13. Apokrif

    Apokrif MDL Addicted

    #118 Apokrif, Jan 3, 2010
    Last edited by a moderator: Apr 20, 2017
    Different situation with the DELL 8400:
    RSDT length 3C, but there are no free slots; the FACP table follows immediately.
    In this case:
    the RSDT table needs to be relocated; it is only 3C bytes (need to find 40 bytes, one more slot for the SLIC PTR)
    Code:
    Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
    00004C90                     52 53  44 54 3C 00 00 00 01 00         RSDT<.....
    00004CA0   44 45 4C 4C 20 20 38 34  30 30 20 20 20 00 07 00   DELL  8400   ...
    00004CB0   00 00 41 53 4C 20 61 00  00 00 D2 CC 0F 00 00 00   ..ASL a...ÒÌ....
    00004CC0   00 00 46 CD 0F 00 D8 CD  0F 00 00 CE 0F 00 3E CE   ..FÍ..ØÍ...Î..>Î
    00004CD0   0F 00 46 41 43 50 74 00  00 00 01 00 44 45 4C 4C   ..FACPt.....DELL
    
    The RSD PTR needs to be corrected; it's static too AND in the same module!
    Code:
    Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
    00006BF0   52 53 44 20 50 54 52 20  00 44 45 4C 4C 20 20 00   RSD PTR .DELL  .
    00006C00   96 CC 0F 00                                        –Ì..
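Added example in C (not code from the thread, and not Dell's or the SLIC toolkit's): the check a practitioner would run over the RSDT modules shown in this post and the GX620 post before patching anything. `inspect` parses the 36-byte ACPI header, counts the pointer slots, and reports the first all-zero slot and the zero padding behind the table; `add_pointer` writes a table pointer into a zero slot or appends it into the padding, bumping Length, and recomputes the 8-bit checksum; `fix_rsdp` does the RSD PTR rewrite the 8400 relocation needs. The table bytes are copied verbatim from the GX620 / A11 and 8400 dumps (module offsets 0x5203, 0x4C96 and 0x6BF0), with the next table's signature kept as the end marker. The SLIC address 0xFFFD8815 is the value sebus's GX620 dump in the next post carries in slot 1; the relocated-RSDT address used in the test is made up. Header offsets follow the ACPI specification; the example has not been checked against a real Dell BIOS build.

```c
/* Added example, not code from the thread: check an RSDT/XSDT taken from a
 * Dell BIOS module for a free pointer slot, insert a table pointer, fix the
 * checksum, and rewrite the RSD PTR when the table has to be relocated.
 * ACPI layout: 36-byte header (Length +4, Checksum +9) then 4-byte (RSDT) or
 * 8-byte (XSDT) physical addresses; every table sums to 0 mod 256. */
#include <stdint.h>
#include <string.h>

#define HDR 36

struct slot_report {
    uint32_t length;            /* Length field as stored in the header */
    int entry_size, entries;    /* 4 (RSDT) or 8 (XSDT); slots inside Length */
    int zero_entry;             /* index of the first all-zero slot, or -1 */
    int padding, can_grow;      /* zero bytes after the table; >= entry_size? */
    int sum_ok;                 /* stored checksum matches the bytes (00 in the dumps) */
};

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr_le(uint8_t *p, uint64_t v, int n) { for (int i = 0; i < n; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static uint8_t acpi_sum(const uint8_t *p, size_t n) { uint8_t s = 0; while (n--) s += *p++; return s; }

/* Describe the RSDT/XSDT at mod[off]; limit is the module size. */
static int inspect(const uint8_t *mod, size_t limit, size_t off, struct slot_report *r) {
    const uint8_t *t = mod + off;
    memset(r, 0, sizeof *r);
    r->zero_entry = -1;
    if (off + HDR > limit) return -1;
    if (!memcmp(t, "RSDT", 4)) r->entry_size = 4;
    else if (!memcmp(t, "XSDT", 4)) r->entry_size = 8;
    else return -1;
    r->length = rd32(t + 4);
    if (r->length < HDR || off + r->length > limit) return -1;
    r->sum_ok = acpi_sum(t, r->length) == 0;
    r->entries = (int)(r->length - HDR) / r->entry_size;
    for (int i = 0; i < r->entries && r->zero_entry < 0; i++) {
        const uint8_t *e = t + HDR + i * r->entry_size;
        uint64_t v = rd32(e) | (r->entry_size == 8 ? (uint64_t)rd32(e + 4) << 32 : 0);
        if (v == 0) r->zero_entry = i;   /* may be a slot the BIOS fills at boot: verify at runtime */
    }
    for (size_t p = off + r->length; p < limit && mod[p] == 0; p++) r->padding++;
    r->can_grow = r->padding >= r->entry_size;
    return 0;
}

/* Put addr into the first zero slot, else append it into the padding and grow
 * Length. Returns the new Length, or 0 when it does not fit (relocate instead). */
static uint32_t add_pointer(uint8_t *mod, size_t limit, size_t off, uint64_t addr) {
    struct slot_report r;
    uint8_t *t = mod + off, *slot;
    if (inspect(mod, limit, off, &r) || (r.entry_size == 4 && addr >> 32)) return 0;
    if (r.zero_entry >= 0) slot = t + HDR + r.zero_entry * r.entry_size;
    else if (r.can_grow) { slot = t + r.length; r.length += r.entry_size; }
    else return 0;
    wr_le(slot, addr, r.entry_size);
    wr_le(t + 4, r.length, 4);
    t[9] = 0;
    t[9] = (uint8_t)(0u - acpi_sum(t, r.length));   /* the whole table now sums to 0 */
    return r.length;
}

/* RSDP: "RSD PTR " +0, Checksum +8, Revision +15, RsdtAddress +16; revision >= 2
 * adds Length +20, XsdtAddress +24 and an extended checksum at +32 over Length bytes.
 * Repoint it at a relocated RSDT (and XSDT) and re-checksum. */
static int fix_rsdp(uint8_t *rsdp, size_t avail, uint32_t rsdt, uint64_t xsdt) {
    if (avail < 20 || memcmp(rsdp, "RSD PTR ", 8)) return -1;
    wr_le(rsdp + 16, rsdt, 4);
    rsdp[8] = 0;
    rsdp[8] = (uint8_t)(0u - acpi_sum(rsdp, 20));   /* ACPI 1.0 checksum covers 20 bytes */
    if (rsdp[15] < 2) return 0;
    uint32_t len = rd32(rsdp + 20);
    if (len < 36 || len > avail) return -1;
    wr_le(rsdp + 24, xsdt, 8);
    rsdp[32] = 0;
    rsdp[32] = (uint8_t)(0u - acpi_sum(rsdp, len));
    return 0;
}

/* Bytes copied from the GX620 / A11 dump above (module offset 0x5203): Length
 * 0x40, seven slots with slot 1 zero, 20 zero bytes, then the XSDT signature. */
static const uint8_t gx620[] = {
    'R','S','D','T', 0x40,0,0,0, 1,0, 'D','E','L','L',' ',' ',
    'G','X','6','2','0',' ',' ',0, 7,0,0,0, 'A','S','L',' ', 0x61,0,0,0,
    0xDB,0xD2,0x0F,0, 0,0,0,0, 0x43,0xD4,0x0F,0, 0xB5,0xD4,0x0F,0,
    0xDD,0xD4,0x0F,0, 0x44,0xD5,0x0F,0, 0x82,0xD5,0x0F,0,
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 'X','S','D','T' };
/* From the DELL 8400 dump above (offset 0x4C96): Length 0x3C, FACP follows at once. */
static const uint8_t d8400[] = {
    'R','S','D','T', 0x3C,0,0,0, 1,0, 'D','E','L','L',' ',' ',
    '8','4','0','0',' ',' ',' ',0, 7,0,0,0, 'A','S','L',' ', 0x61,0,0,0,
    0xD2,0xCC,0x0F,0, 0,0,0,0, 0x46,0xCD,0x0F,0, 0xD8,0xCD,0x0F,0,
    0x00,0xCE,0x0F,0, 0x3E,0xCE,0x0F,0, 'F','A','C','P' };
/* The 8400 RSD PTR (offset 0x6BF0): revision 0, RsdtAddress 0x000FCC96. */
static const uint8_t rsdp8400[20] = { 'R','S','D',' ','P','T','R',' ', 0,
    'D','E','L','L',' ',' ', 0, 0x96,0xCC,0x0F,0 };
```

Two things the dumps show that the code accounts for: the Checksum byte in both modules is 00 (`sum_ok` comes back false), so recompute it over the final bytes rather than adjusting the stored one; and both desktop RSDTs carry an all-zero entry at index 1, which on the GX620 is exactly where sebus's dump has 0xFFFD8815, and writing that value there makes the checksum come out as 0xE1, the byte in his dump. Whether a zero entry is free or a placeholder the BIOS fills at boot has to be confirmed against a runtime dump such as the toolkit's ACPI page before it is reused. Where the module also has an XSDT, repeat the insert there with an 8-byte slot: an OS that finds an ACPI 2.0 RSDP reads the XSDT and ignores the RSDT, which is why the toolkit report lists the SLIC under both. The address written must be one the SLIC is actually mapped at when the OS runs; 0xFFFD8815 and the SSDT at FFF5DB88 in the report both fall in the 0xFFFxxxxx range where the flash is mapped below 4 GB.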
     
  14. sebus

    sebus MDL Guru

    #119 sebus, Jan 3, 2010
    Last edited: Jan 3, 2010
    Here it is:

    Code:
    Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
    
    0001D200            52 53 44 54 40  00 00 00 01 E1 44 45 4C      RSDT@....áDEL
    0001D210   4C 20 20 47 58 36 32 30  20 20 00 07 00 00 00 41   L  GX620  .....A
    0001D220   53 4C 20 61 00 00 00 DB  D2 0F 00 15 88 FD FF 43   SL a...ÛÒ...ˆýÿC
    0001D230   D4 0F 00 B5 D4 0F 00 DD  D4 0F 00 44 D5 0F 00 82   Ô..µÔ..ÝÔ..DÕ..‚
    0001D240   D5 0F 00 00 00 00 00 00  00 00 00 00 00 00 00 00   Õ...............
    0001D250   00 00 00 00 00 00 00 58  53 44 54 5C 00 00 00 01   .......XSDT\....
    0001D260   4A 44 45 4C 4C 20 20 47  58 36 32 30 20 20 00 07   JDELL  GX620  ..
    0001D270   00 00 00 41 53 4C 20 61  00 00 00 4F D3 0F 00 00   ...ASL a...OÓ...
    0001D280   00 00 00 15 88 FD FF 00  00 00 00 43 D4 0F 00 00   ....ˆýÿ....CÔ...
    0001D290   00 00 00 B5 D4 0F 00 00  00 00 00 DD D4 0F 00 00   ...µÔ......ÝÔ...
    0001D2A0   00 00 00 44 D5 0F 00 00  00 00 00 82 D5 0F 00 00   ...DÕ......‚Õ...
    0001D2B0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    0001D2C0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    0001D2D0   00 00 00 00 00 00 00 00  00 00 00 46 41 43 50 74   ...........FACPt
    0001D2E0   00 00 00 01 2F 44 45 4C  4C 20 20 47 58 36 32 30   ..../DELL  GX620
    0001D2F0   20 20 00 07 00 00 00 41  53 4C 20 61 00 00 00 00     .....ASL a....
    0001D300   6C 68 5F 52 49 FD FF 01  00 09 00 B2 00 00 00 70   lh_RIýÿ....²...p
    0001D310   71 00 00 00 08 00 00 00  00 00 00 04 08 00 00 00   q...............
    0001D320   00 00 00 00 00 00 00 08  08 00 00 28 08 00 00 00   ...........(....
    0001D330   00 00 00 04 02 00 04 08  00 00 00 F4 01 88 13 00   ...........ô.ˆ..
    0001D340   00 00 00 00 00 00 00 00  00 00 00 A5 00 00 00 46   ...........¥...F
    0001D350   41 43 50 F4 00 00 00 03  DF 44 45 4C 4C 20 20 47   ACPô....ßDELL  G
    0001D360   58 36 32 30 20 20 00 07  00 00 00 41 53 4C 20 61   X620  .....ASL a
     
  15. Apokrif

    Apokrif MDL Addicted

    #120 Apokrif, Jan 3, 2010
    Last edited by a moderator: Apr 20, 2017
    It matches, but the address 0001D200 looks strange...
    Can you post this table too, please?
    It's the SLIC_ToolKit_V3.0 report's ACPI page, the last one.
    Code:
    Table Name        OEMID  TableID  Address   Length  Description  (ACPI 2.0; Length in bytes, decimal)
    
    RSD PTR           DELL            000FEBF1      36  Root System Desc. Pointer
     |
     |- RSDT          DELL   B9K      000FD032      68  Root System Desc. Table
     |     |
     |  00 |- FACP    DELL   B9K      000FD146     116
     |  01 |- SSDT    DELL   st_ex    FFF5DB88     172
     |  02 |- BOOT    DELL   B9K      000FD340      40
     |  03 |- MCFG    DELL   B9K      000FD368      62
     |  04 |- HPET    DELL   B9K      000FD3A6      56
     |* 05 |- SLIC    DELL   B9K      000FD3DE     374  Software Licensing Desc. Table
     |  06 |- OSFR    DELL   B9K      CFE55C00     124
     |  07 |- APIC    DELL   B9K      000FD2AE     146
     |
     |- XSDT          DELL   B9K      000FD09A     100  Extended System Desc. Table
           |
        00 |- FACP    DELL   B9K      000FD1BA     244
        01 |- SSDT    DELL   st_ex    FFF5DB88     172
        02 |- APIC    DELL   B9K      000FD2AE     146
        03 |- BOOT    DELL   B9K      000FD340      40
        04 |- MCFG    DELL   B9K      000FD368      62
        05 |- HPET    DELL   B9K      000FD3A6      56
        06 |- OSFR    DELL   B9K      CFE55C00     124
      * 07 |- SLIC    DELL   B9K      000FD3DE     374  Software Licensing Desc. Table