(UEFI) Dell XPS 15z L511z modded BIOS - and HOWTO

[TimeWalker]

This just created another layer of confusion. lol
Thank you for clarifying anyway. I don't quiet get how one is supposed to disassemble the module into UEFI IFR ?
I have found a list of UEFI IFR operators, but I guess there must a way to disasm it right away... so far I only found a python script to do this for InsydeH2O.

Also, I have found that Lenovo B570 uses similar Phoenix Secure Core Tiano UEFI: http://support.lenovo.com/en_US/download...D=DS025905
The advanced setup module has a GUID of CFEF94C4-4167-466A-8893-8779459DFA86_1_930
The same HEX string (0A 82 45 8A 01) can be found in the module, it has lots of occurrences . 45 0A 00 00 00 00 00 00 00 00 45 0A can be found as well.
I know for a fact that this laptop has had UEFI mode and some other options like Shell unlocked from the factory, but unfortunately I don't have an access to one of these anymore...
What we could use is find someone with this machine an see what they have enabled by default since our BIOSes are somewhat similar (same Tiano compression used)

[kasar]

gave a read to the another topic

and I modified

00 00 00 00 00 00 00 00 45 0A to 01 00 00 00 00 00 00 00 45 0A to enable these options. (three ocurrences)

and sucesfully unlocked two more menus, the third ocurrence made the intel me option selectable (before modify the third ocurrence it was grey out and unselectable)





I cant really belive this huge progress you are doing guys ^^


here is the total amount of strings I modified at the advanced setup module:

00 29 02 29 02 0A 82 45 8A (00) to -> 00 29 02 29 02 0A 82 45 8A (01) (two ocurrences )

00 20 00 29 02 0A 82 45 8A (00) to -> 00 20 00 29 02 0A 82 45 8A (01) (one ocurrence)

(00) 00 00 00 00 00 00 00 45 0A to -> (01) 00 00 00 00 00 00 00 45 0A (three ocurrences)

[TimeWalker]

I wonder if we can ever run out of space for menus like on regular BIOSes

Thanks for confirming, kasar
Have you tried changing bytes in the 4th occurrence that I had mentioned ? while looking for 45 0A 00 00 00 00 00 00 00 00 45 0A
Or you get just 3 on your L502x's Advanced Setup module ?

P.S. Now I'm absolutely positive about UEFI mode and booting from GPT... take a look, Hackintoshers
http://puu.sh/1a6b4
http://puu.sh/1a6bR
GPT-formatted USB flashdrive's EFI partition (which I assume is FAT32) CLOVERX64.efi renamed /EFI/bootx64.efi since UEFI is looking for this file.
I guess with access to a proper shell bcfg there might be a way to create additional boot option for F12 menu.

[jkbuha]

Yes kasar that confirms what I also did earlier.

To summarize all the hacks so far, they are in fact just two, and they are as follows:

In advancedsetup efi module
1) Replace all 02 0A 82 45 8A (00) to (01)
2) Replace all (00) 00 00 00 00 00 00 00 45 0A to (01)

There's also another module to modify if you look for the byte sequence in all your BIOS ROM files... it's the security module if you're interested in all the TPM options.

[Mohamed Khairy]

hi i found some code on my dell n5110 may be the one we search

26303: 29 02 sub %eax,(%edx)
26305: 29 02 sub %eax,(%edx)
26307: 0a 82 45 0a 01 00 or 0x10a45(%edx),%al
2630d: 00 00 add %al,(%eax)
2630f: 00 00 add %al,(%eax)
26311: 00 00 add %al,(%eax)
26313: 19 82 12 06 0d 00 sbb %eax,0xd0612(%edx)

[kasar]

@TimeWalker

well, In my case, I modified all the ocurrences I had.
that was the thing wich game me more results ^^

the more I modified the more unlocked stuff (:

I didnt had any negative effects while modifing those ocurrences.

the only thing wich worried me was to flash flash, flash and flash.

everytime I flash a new bios I become really worried about the lappy dont boot anymore

we need to get the recovery method working!

else my head will explode sooner or later hehe ^^

There's also another module to modify if you look for the byte sequence in all your BIOS ROM files... it's the security module if you're interested in all the TPM options.

can you tell me more about that?

I'm also wondering if is posible to unlock the computrace thing so you can enable and disable it all times you want ^^

[jkbuha]

I haven't modded & flashed it yet, but it's the security module to enable all the TPM/Computrace options. Enable it by applying the rules I set above in my previous post.

I don't really need that module enabled for now, (I'm trying to open the overclocking/volting options at the moment) but I'm pretty sure there will be others here who need it.

---

hi i found some code on my dell n5110 may be the one we search

26303: 29 02 sub %eax,(%edx)
26305: 29 02 sub %eax,(%edx)
26307: 0a 82 45 0a 01 00 or 0x10a45(%edx),%al
2630d: 00 00 add %al,(%eax)
2630f: 00 00 add %al,(%eax)
26311: 00 00 add %al,(%eax)
26313: 19 82 12 06 0d 00 sbb %eax,0xd0612(%edx)

hi mohamed - the code is not x86, but UEFI IFR form decoding, which unfortunately we need to do manually, not through any tool. Here is the spec:

Code:

0A == EFI_IFR_SUPPRESS_IF_OP//{---+
    82:1:0000010 L2  // Scope         |
                                      |
    45 == EFI_IFR_UINT64_OP// {---+   |
    8A:1:0001010 L10 // Scope     |   |
    0000000000000000              |   | 0000000000000001 !! new value !!
    45 == EFI_IFR_UINT64_OP       |   |
    0A:0:0001010 L10 // Scope     |   |
    0000000000000000              |   |

That's why we need a 0A 82 45 8A (00) sequence. It's very strange that your BIOS doesn't have this - I need to research what the 0A opcode is.

Just out of interest, do you have many sequences with 0A 82 45 0A 00?

[Mohamed Khairy]

@ jkbuha

UEFI IFR spec says: EFI_IFR_SUPPRESS_IF_OP: UINT64 0000000000000000

how did you find this code ?

[kasar]

@jkbudha

nope, I dont have any 0A 82 45 0A 00 secuence now.


all of them are now to 0A 82 45 0A 01 and everything seems to works fine now ^^


how we can know we unlocked all menus?

I'm kinda curius because my bios is full of new options , and I dont even know what some of them does hehe

the computrace option unlock seems also interesting for me.

can you give me a clue about the the module file size in kb or what is the module name? I guess it is something.efi


as for the moment I made some text replacement at some bios title file (156 kb), and also some tweaks to gpu vbios files (64 kb) and the advanced setup file (278 kb)

[Mohamed Khairy]

I haven't modded & flashed it yet, but it's the security module to enable all the TPM/Computrace options. Enable it by applying the rules I set above in my previous post.

I don't really need that module enabled for now, (I'm trying to open the overclocking/volting options at the moment) but I'm pretty sure there will be others here who need it.

---

hi i found some code on my dell n5110 may be the one we search

26303: 29 02 sub %eax,(%edx)
26305: 29 02 sub %eax,(%edx)
26307: 0a 82 45 0a 01 00 or 0x10a45(%edx),%al
2630d: 00 00 add %al,(%eax)
2630f: 00 00 add %al,(%eax)
26311: 00 00 add %al,(%eax)
26313: 19 82 12 06 0d 00 sbb %eax,0xd0612(%edx)

hi mohamed - the code is not x86, but UEFI IFR form decoding, which unfortunately we need to do manually, not through any tool. Here is the spec:

Code:

0A == EFI_IFR_SUPPRESS_IF_OP//{---+
82:1:0000010 L2 // Scope |
|
45 == EFI_IFR_UINT64_OP// {---+ |
8A:1:0001010 L10 // Scope | |
0000000000000000 | | 0000000000000001 !! new value !!
45 == EFI_IFR_UINT64_OP | |
0A:0:0001010 L10 // Scope | |
0000000000000000 | |

That's why we need a 0A 82 45 8A (00) sequence. It's very strange that your BIOS doesn't have this - I need to research what the 0A opcode is.

Just out of interest, do you have many sequences with 0A 82 45 0A 00?

nothing

till now the code i posted like what are you patching will try to dump it again and search throw code for binary like you patch or parts like yours