How to extract E6520 BIOS?

Discussion in 'BIOS Mods' started by Khenglish, Jan 16, 2012.

  1. Khenglish

    Khenglish MDL Novice

    Sep 18, 2011
    4
    0
    0
    I am trying to simply extract the BIOS .HDR or .ROM file out of the .exe file. The old method of adding -writehdrfile after the bios exe name no longer works for sandy bridge based dell laptops. Does anyone know how to extract the BIOS? I tried Universal BIOS backup toolkit, but the MSRs I wanted to change weren't even referred to at all in the BIOS, making me think that the BIOS extracted from the ROM chip was incomplete.

    Any help would be appreciated.
     
  2. swmspam

    swmspam MDL Novice

    Jan 11, 2012
    17
    2
    0
    I'm also trying to extract an E6220 BIOS.

    Anyone know how to extract the Dell Sandy Bridge BIOS?
     
  3. LatinMcG

    LatinMcG Bios Borker

    Feb 27, 2011
    5,711
    1,606
    180
    i think is WPH not HDR. -writehdr or rom wont work on it. extract bios with uniflash ??
     
  4. swmspam

    swmspam MDL Novice

    Jan 11, 2012
    17
    2
    0
    I tried to extract my e6220 BIOS without success. I want to find the whitelist.

    (soapbox)
    I wish these computer manufactures would have less contempt for their customers. It's a shame that Dell is successful when they market products that are deliberately disabled (whitelists). It is a delicate balancing act between disabling their product intentionally for profit, and if taken too far, making too many unhappy customers. The iPhone shows customers are willing to give up all rights to their products, and those who aren't, live with jailbreaking (while it lasts). Once Apple closes up the jailbreak holes, can the iPhone survive?
    (end soapbox)
     
  5. dj61451

    dj61451 MDL Novice

    Jun 28, 2012
    1
    2
    0
    The bios for the E6520 is Insyde not Pheonix, and the .exe is a totally different format from previous Dell updates. The usual writeromfile and other parameters won't work.

    Using ProcMon you see the bios update (E6520A13.exe) opening itself up and seeking to a certain point in 512 byte chunks. For this version it then re-opens and reads 8192 byte chunks from position 414736. At the end it reads two 4192 byte chunks (looking in WinHex these seems to be signatures/certificates).

    The exe contains the string "ERROR: Unable to find Flash Payload Marker header" so I think what it does is open itself and then scans to find the payload.

    To extract the payload I used:

    dd if=E6520A13.exe of=payload.dat bs=1 skip=414736

    (The number 414736 will no doubt change across versions, use ProcMon to get the right offset).

    This payload appears to be compressed, or at least has few strings:

    Offset 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
    00000000 78 9C EC DA 65 4C 18 D1 DB 28 78 DC B5 38 14 2F xœìÚeL.ÑÛ(xܵ8./
    00000016 EE 14 A7 40 71 77 97 22 C5 A5 B8 17 A7 14 77 2F î.§@qw—"Å¥¸.§.w/
    00000032 EE AE 85 E2 EE EE EE 14 77 2F CE FE DF F7 66 6F î®…âîîî.w/Îþß÷fo
    00000048 76 6F 72 77 3F 6E 36 39 BF E4 CC 64 9E 79 CE 99 vorw?n69¿äÌdžyΙ

    After the E6520A13.exe has extracted the payload it then displays a window with the different versions of the components in the update - so it must know how to decompress or read this payload. The code to display the results is near the string "- %s : %s\n".

    Before I go down the route of debugging the exe to see if I can figure out how to make sense of the payload, does anyone know if there are any tools out there that take an Insyde bios image and deconstruct it?
     
  6. LatinMcG

    LatinMcG Bios Borker

    Feb 27, 2011
    5,711
    1,606
    180
    backup bios
     
  7. Khenglish

    Khenglish MDL Novice

    Sep 18, 2011
    4
    0
    0
    #7 Khenglish, Jun 29, 2012
    Last edited: Jun 29, 2012
    (OP)
    Nice find. I didn't think of using process monitor to figure out where the exec was writing to. I figured out that it was definitely to memory, but I had no idea on finding out where without doing a complete memory dump, which I really didn't want to do.

    Have you tried phoenixtool 2.05? It can read some insyde BIOS's. It was able to read and decompress the partial BIOS dump that I got from universal BIOS backup toolkit 2.0. What may even work better than Phoenixtool is the flash utility that Intel itself wrote for 6 series chipsets. The utility also seems to work with 7 series chipsets. This tool is extremely powerful, however it sadly cannot bypass the flash descriptor denying read and write access to the flash ROM. ht tp://ww w.mediafire. com/?0leqrax7paqc389

    You need to remove the spaces I had to put it to bypass the silly link blocker.

    Update:
    I read the file segment that the dell flash exec uses and looked at it. I was hoping that it just lacked padding, but there definitely is some sort of compression. I tried to compare the file to a ME firmware file, which should be contained in the image. The firmware file had quite a bit of patterns to it and padding, while the image the dell exec makes has neither. Phoenixtool can't recognize the file format and neither can the intel utility. Hopefully the exec expanded the code once it was read into a full uncompressed image. Looking into that now.
     
  8. grml4d

    grml4d MDL Junior Member

    Sep 14, 2011
    56
    3
    0
    bios should be gpl , for sure that would make mainboard working better , i have a tyan and at each bios update , i find bugs ....
    the more funny is that they never said thank or write my name with corrected bios release ... :icecream:
    i find that very "kind and honest" , but next mainboard will not be a tyan :banned: ["c8
     
  9. still_st

    still_st MDL Novice

    May 20, 2013
    1
    0
    0
    I am tryingi to extract e6220 BIOS rom file. Did you do it ?
     
  10. Tito

    Tito Super Mod / Adviser
    Staff Member

    Nov 30, 2009
    18,682
    18,581
    340