Dell Precision M4400 / E6500 Flash Descriptor/ME hacking and bios mod

Discussion in 'BIOS Mods' started by NsaFarm, Mar 29, 2017.

  1. NsaFarm

    NsaFarm MDL Junior Member

    Mar 29, 2017
    #1 NsaFarm, Mar 29, 2017
    Last edited by a moderator: Apr 20, 2017
    Trying to have a go at this M4400 laptop to enable AMT for testing and then purge it for security. It is a Penryn system with a PM45 chipset, so pretty old.

    The BIOS and GB region are unlocked. ME and descriptor are locked. Read the schematic, but the ME_FWP is not connected to the audio chip, only GPIO33. There are some pins on the EC that could work, but those require complete disassembly.

    I'd buy a flash programmer, but I don't wish to disassemble the whole thing and then deal with the 16 pin SPI chip. The laptop is worth $80 and so is the 16 pin capable programmer w/ test clip.

    I notice many systems have a software trick to unlock the flash; perhaps a modified Dell update utility would work. Gave Phoenix Tool 2.66 a go, but it always gives a checksum error despite producing a ~3MB HDR file. I can't even add the SLIC or repack an unmodified BIOS.

    Could a modded HDR with patched flash descriptor be uploaded that way? I also tried sprom.exe from Acer, which claims to bring GPIO33 high or low, and it did not work. The real Dell utility has to do this somehow to update the ME region on ME enabled laptops. A SLIC patched A27 BIOS is on the forum, ergo I must be making some mistake.

    What say you, experts?

    Schematic: filedropper.com/23f96la-4051p
    23f96_LA-4051P_.pdf
    Technically the board is an LA-4052P.


    Code:
    Dell BIOS
    $RBUT at 0
    Block at 54
    Block at 10054
    Block at 20054
    Block at 16F054
    Block at 170054
    Block at 188054
    Block at 190054
    Block at 1A0054
    Header pattern 14
    Block at 20054
    20054 Module 01 Size 39747
    29B9C Module 07 Size 27820
    3084D Module 0C Size 20480
    35852 Module 3D Size 73003
    47582 Module 02 Size 168955
    70982 Module 03 Size 8590
    72B15 Module 04 Size 152536
    97EF2 Module 10 Size 759
    981EE Module 56 Size 769
    984F4 Module 59 Size 2170
    98D73 Module 5A Size 1388
    992E4 Module 5B Size 1495
    998C0 Module 5C Size 1454
    99E73 Module 5D Size 1375
    9A3D7 Module 0E Size 14829
    9DDC9 Module 48 Size 158
    9DE6C Module 49 Size 170
    9DF1B Module 19 Size 1435
    9E4BB Module 17 Size 2427
    9EE3B Module 0F Size 2962
    9F9D2 Module 1A Size 1329
    9FF08 Module 18 Size 2427
    A0888 Module 11 Size 25342
    A6B8B Module 12 Size 21493
    ABF85 Module 27 Size 51699
    B897D Module 28 Size 51714
    C5384 Module 0B Size 1828
    C5AAD Module 4F Size 17320
    C9E5A Module 13 Size 13328
    CD26F Module 0D Size 67650
    DDAB6 Module 14 Size 269
    DDBC8 Module 3C Size 5322
    DF097 Module 3F Size 21172
    E4350 Module 42 Size 41417
    EE51E Module 43 Size 3611
    EF33E Module 45 Size 154263
    114DDA Module 4B Size 49245
    120E3C Module 4C Size 4527
    121FF0 Module 3E Size 40400
    12BDC5 Module 52 Size 163840
    Block at 188054
    188054 Module 3B Size 23312
    Pubkey found in 48_16.ROM at 0
    Marker found in 49_17.ROM at 0
    'SLIC' string found in 07_2.ROM at 65A8
    OEM/Table IDs identified are:
    1. DELL  M09     
    Pubkey in 48_16.ROM (x1)
    Marker (2.1) (DELL  M09     ) in 49_17.ROM (x1)
    HDR checksum not correct
    Compressing all SLIC elements in SLIC directory....
    SLIC digital signature valid
    HDR checksum not correct
    HDR checksum not correct
    

    FPT

    Code:
    
    Flash Programming Tool. Version 4.2.0.1017
    Copyright (c) Intel Corporation. 2007-2009
    
    Southbridge: ICH9-M
    Reading file "fparts.txt" into memory...
    Initializing SPI utilities
    Reading HSFSTS register... Flash Descriptor: Valid
    
    --- Flash Devices Found ---
    MX25L3205A    ID:0xC22016    Size: 4096KB (32768Kb)
    
    Using software sequencing.
    Reading region information from flash descriptor.
    
    --- Flash Image Information --
    Signature: VALID
    Number of Flash Components: 1
    Component 1 - 4096KB (32768Kb)
    Regions:
    Descriptor - Base: 0x000000, Limit: 0x000FFF
    BIOS       - Base: 0x260000, Limit: 0x3FFFFF
    ME         - Base: 0x00B000, Limit: 0x25FFFF
    GbE        - Base: 0x001000, Limit: 0x002FFF
    PDR        - Base: 0x003000, Limit: 0x00AFFF
    Master Region Access:
    CPU/BIOS - ID: 0x0000, Read: 0x1B, Write: 0x1A
    ME       - ID: 0x0000, Read: 0x0D, Write: 0x0C
    GbE      - ID: 0x0218, Read: 0x08, Write: 0x08
    
    Used Space: 4096KB, Actual Space: 4096KB
    
     
  2. Tito

    Tito Super Mod / Adviser
    Staff Member

    Nov 30, 2009
    @NsaFarm

    It would be better if you consult with plutomaniac.
     
  3. NsaFarm

    NsaFarm MDL Junior Member

    Mar 29, 2017
    I did over at win-raid. He said pin mod (which we haven't narrowed down exactly) or reader. Both solutions require full disassembly though.

    BTW, the laptop supports Dell crisis recovery. No idea if that vector unlocks regions either, because the screen doesn't come on in that mode.
     
  4. NsaFarm

    NsaFarm MDL Junior Member

    Mar 29, 2017
    #4 NsaFarm, Apr 1, 2017
    Last edited: Apr 12, 2017
    (OP)
    I'm slowly chowing down that 400 post thread.

    Phoenix Tool completes and creates a file when you press go. Verify still doesn't verify, but I assume that makes a different file. "Go" button says it updates the HDR checksum. So now to learn how to remove modules and see if it still packs up.

    With the HDR files it looks like you can use DCCU here: dell.com/support/home/us/en/19/Drivers/DriversDetails?driverId=R257719 and it will create the EXE.

    So step 1 is to modify SLIC/remove Computrace and try to flash. I tested that the recovery mode exists in this model.
    Step 2 is to see if the HDR contains the flash descriptor. The full size is almost exactly what is reported above as (32768Kb).

    If the utility flashes the whole region I'm set; if it doesn't, at least I lose the bad module and can search for hidden settings, etc.

    Update:

    So I don't see the flash descriptor in the BIOS, but the Dell will upgrade/downgrade in recovery mode. I tried A27 and A29 BIOS and it took them from a 32gb USB drive. I have to try Windows in order to see if the SLIC is indeed there. Computrace module with 0s (3F_33.ROM) successfully flashed.

    BIOS with SLIC 2.1 from Dell inserted and 0's module: mega.nz/#!VqRkWZbB key: !qgY5SpOhCIHUS8xtvCwa2Nz3cWMKCQqYr7F7DJpGYZw


    AMT fw interface is in the BIOS at 3E_39.rom; it can be blanked, but at 64kb I don't think it's the whole thing.

    There are some interesting strings inside the BIOS, like a "one time" menu to disable or enable AMT with vPro and non US AMT with no SSL. Plus "BIOS_FLASH:FFFB09B9 aSetFlashDescri db 'set flash descriptor override.',0Ah,0"


    Further research after HW flash here: http://www.win-raid.com/t2688f39-Dell-Precision-M-bios-modding-Bios-mod-AMT-and-Computrace-1.html
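
The region table and master access bytes in the FPT output from the first post, and the later question of whether an HDR file carries a flash descriptor, both come down to decoding the descriptor itself. The following is an added example, not part of the thread or of any tool mentioned in it: it assumes the ICH8/9/10 descriptor layout (signature 0x0FF0A55A as the first dword, 13-bit base/limit fields), the function names are hypothetical, and the sample descriptor is constructed from the values FPT printed.

```python
import struct

FD_SIGNATURE = struct.pack("<I", 0x0FF0A55A)            # FLVALSIG
REGIONS = ["Descriptor", "BIOS", "ME", "GbE", "PDR"]    # FLREG0..4; also access-bit order
MASTERS = ["CPU/BIOS", "ME", "GbE"]                     # FLMSTR1..3

def access_names(mask):
    """Turn a read/write access byte (e.g. 0x1A) into region names."""
    return [name for bit, name in enumerate(REGIONS) if (mask >> bit) & 1]

def parse_descriptor(image):
    """Locate and decode a flash descriptor; None if the blob has none."""
    off = image.find(FD_SIGNATURE)
    if off < 0 or off + 12 > len(image):
        return None
    flmap0, flmap1 = struct.unpack_from("<II", image, off + 4)
    frba = off + (((flmap0 >> 16) & 0xFF) << 4)         # region section
    fmba = off + ((flmap1 & 0xFF) << 4)                 # master section
    if max(frba + 20, fmba + 12) > len(image):
        return None                                     # truncated or false hit
    regions, masters = {}, {}
    for i, name in enumerate(REGIONS):
        (reg,) = struct.unpack_from("<I", image, frba + 4 * i)
        base, limit = (reg & 0x1FFF) << 12, (((reg >> 16) & 0x1FFF) << 12) | 0xFFF
        regions[name] = (base, limit) if base <= limit else None   # None = unused
    for i, name in enumerate(MASTERS):
        (m,) = struct.unpack_from("<I", image, fmba + 4 * i)
        masters[name] = {"id": m & 0xFFFF, "read": access_names((m >> 16) & 0xFF),
                         "write": access_names(m >> 24)}
    return {"offset": off, "regions": regions, "masters": masters}

def host_write_locked(desc):
    """Regions the CPU/BIOS master cannot write (out of reach of a software flash)."""
    return [r for r in REGIONS if r not in desc["masters"]["CPU/BIOS"]["write"]]

def build_sample():
    """Constructed 4 KiB descriptor holding the values from the FPT output above."""
    fpt_regions = [(0x000000, 0x000FFF), (0x260000, 0x3FFFFF), (0x00B000, 0x25FFFF),
                   (0x001000, 0x002FFF), (0x003000, 0x00AFFF)]
    fpt_masters = [(0x0000, 0x1B, 0x1A), (0x0000, 0x0D, 0x0C), (0x0218, 0x08, 0x08)]
    d = bytearray(b"\xff" * 0x1000)
    # Section offsets 0x40 (regions) and 0x60 (masters) are assumed for the sample.
    struct.pack_into("<III", d, 0, 0x0FF0A55A, 0x04 << 16, 0x06)
    for i, (base, limit) in enumerate(fpt_regions):
        struct.pack_into("<I", d, 0x40 + 4 * i, ((limit >> 12) << 16) | (base >> 12))
    for i, (rid, rd, wr) in enumerate(fpt_masters):
        struct.pack_into("<I", d, 0x60 + 4 * i, (wr << 24) | (rd << 16) | rid)
    return bytes(d)

if __name__ == "__main__":
    desc = parse_descriptor(build_sample())
    print("host cannot write:", host_write_locked(desc))
```

Run against a real dump or update file, a `None` result means no descriptor signature was found in it; for the FPT values above the host-locked regions come out as Descriptor and ME, matching the first post.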