(05-11-2014, 04:32 AM)bornintheusa14 Wrote: What, so no replies? Anyway, I've found all the tab offsets, but I just can't seem to find any conditional jumps. I'm using IDA Pro 6.1, by the way. Anyone got any ideas?
OK friend,
a little gift, my Dirty Guide How To Extract Decapsulated Bios:
http://rghost.net/52544682
It will be useful to extract a decapsulated BIOS and avoid bricking your laptop, as reflashing a modded capsulated BIOS is equal to a brick!
Here is the Dell 5521 v.A12 decapsulated BIOS, so you can start to mod the right one:
http://rghost.net/55088847
Then use this tool and run it as Administrator to get a result file, and upload it here; it will show the EEPROM write memory status and give us a BIOS backup:
http://rghost.net/52417082
Now I will take a look at your BIOS:
It seems that the 3521 and 5521 have the same BIOS!
It's possible to add SLIC 2.1!
EFI / Insyde BIOS
Recovery filenames are:
VAW00X64.fd (It's the same as 3521)
SLIC header found in 7E374E25-8E01-4FEE-87F2-390C23C606CD_1263.ROM at 0
Pubkey found in 601FAEC1-FEBC-40F1-AA69-095FAC814901_1758.ROM at 0
Marker found in DCE0BB7A-D41C-4649-BC2C-D8FE2C08887A_1764.ROM at 0
'SLIC' string found in AFC04099-0D39-405D-BE46-846F08C51A31_1279.ROM at 3C7
'SLIC' string found in AFC04099-0D39-405D-BE46-846F08C51A31_1279.ROM at EAA
'SLIC' string found in D4E91137-43F4-4E56-B989-D3D0E7B16955_107.ROM at 20A1
'SLIC' string found in D4E91137-43F4-4E56-B989-D3D0E7B16955_107.ROM at 2661
OEM/Table IDs identified are:
1. INSYDEH2O BIOS
2. DELL CL09
Header (INSYDEH2O BIOS ACPI) (x1)
Pubkey (x1)
Marker (2.1) (DELL CL09 ) (x1)
OK, if you want to get only your Bios_Region, open Bios_Extracted with UEFITool (CodeRush) and you'll find a lot of information about
the offset and size of every region in your firmware: Descriptor, ME, GbE, PDR, BIOS!
Size: 1000
ME region offset: 00001000
BIOS region offset: 00180000
Region access settings:
BIOS:ffff ME:ffff GbE:ffff
BIOS access table:
Read Write
Desc Yes Yes
BIOS Yes Yes
ME Yes Yes
GbE Yes Yes
PDR Yes Yes
So your BIOS region has offset 0x180000 (starts at 0x180000) and Size: 00480000 (ends at 0x480000); now you can extract
the BIOS region to get a generalized decapsulated BIOS version (this is useful to reflash the BIOS with Intel FPT).
Here is your BIOS A12 generalized:
http://rghost.net/55089553
OK, now you can open it with PMTool 2.54 and start extracting from the DUMP folder all the modules you need!
I think "SetupUtility" is the most interesting for you!
But permanent SLIC 2.1 is too:
7E374E25-8E01-4FEE-87F2-390C23C606CD_1263.ROM Header (it's the SLIC 2.1 header and has to get the RSA key + Marker 2.1, so look at slic21_Dell and copy it into it)
FE3542FE-C1D3-4EF8-657C-8048606FF670_877.ROM SetupUtility
Your IFR (there are a lot of tabs = 9):
Form Sets
--------------------------------------------------------------------------------
Offset: Title:
--------------------------------------------------------------------------------
0x83F44 Advance (0xD3)
0x849A4 Wireless (0x11D)
0x84CD4 Boot (0x58)
0x85E84 Security (0x33)
0x87FA4 Main (0x3)
0x884D4 Power (0x3E7)
0x8A954 Advanced (0x1B9)
0x93D34 Main (0xA9)
0x93FD4 Exit (0x8A)
Now open it with IDA Pro 6.1 64-bit, choose the "metapc" CPU, and confirm OK.
We are in the code (if you understand assembly code and have studied the Insyde BIOS structure, you can follow the explanation)
and we have to find all the locks for the BIOS menu tabs; here Donovan (he is the best teacher and I learned from him, I always say the best one)
has shown how to do it!
I found these locks:
0A32 jnz loc_1800009A4 ; 1. lock
0A46 jnz loc_1800009A4 ; 2. lock
Start Procedure
.text:00000001800009EB mov rcx, [rdx+1A0h]
.text:00000001800009F2 mov rax, [rcx+80h]
.text:00000001800009F9 cmp [rbx+rcx], rax
09FD jz short loc_180000A20
.text:00000001800009FF mov rax, [rcx+70h]
.text:0000000180000A03 cmp [rbx+rcx], rax
0A07 jz short loc_180000A20
.text:0000000180000A09 mov rax, [rcx+50h]
.text:0000000180000A0D cmp [rbx+rcx], rax
0A11 jz short loc_180000A20
.text:0000000180000A13 mov rax, [rcx+90h]
.text:0000000180000A1A cmp [rbx+rcx], rax
.text:0000000180000A1E jnz short loc_180000A4C
.text:0000000180000A20
Locks Check
.text:0000000180000A20 loc_180000A20: ; CODE XREF: sub_180000850+1ADj
.text:0000000180000A20 ; sub_180000850+1B7j ...
.text:0000000180000A20 mov rcx, [rdx+1A0h]
.text:0000000180000A27 mov rax, [rcx+90h]
.text:0000000180000A2E cmp [rbx+rcx], rax
0A32 jnz loc_1800009A4 ; 1. lock
.text:0000000180000A38 mov rax, cs:qword_180095210
.text:0000000180000A3F mov rcx, [rax]
.text:0000000180000A42 cmp [rcx+4], dil
0A46 jnz loc_1800009A4 ; 2. lock
Now to unlock them (these offsets contain the hex instructions and data to mod):
0A32 : 0F 85 6C FF FF FF to 0F 85 00 00 00 00 jnz loc_1800009A4 to jnz $+6 (normally exits, modded skips it)
0A46 : 0F 85 58 FF FF FF to 0F 85 00 00 00 00 jnz loc_1800009A4 to jnz $+6 (normally exits, modded skips it)
I hope it will work, but only you can test and reply!
So here is your generalized BIOS with the menu tabs unlocked; follow the instructions to flash it with FPT:
http://rghost.net/55090464
Create a bootable DOS-formatted USB stick, copy all files from the "modified" folder onto it and reboot from the USB, then
run flash.bat.
I hope all will go well and you have got a nice tutorial!
Let me know.
Regards
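Added example (editorial, not part of the post above and not the poster's own tool): a small Python script that does the two-byte patch the post describes, but safely. A `jnz rel32` is `0F 85` followed by a signed 32-bit displacement measured from the end of the 6-byte instruction, so `0F 85 6C FF FF FF` at 0x0A32 decodes to 0x0A38 + (-0x94) = 0x09A4, exactly the `loc_1800009A4` in the listing; setting the displacement to zero makes the jump land on the next instruction whether or not ZF is set, which is why the tab lock disappears. The script decodes both branch targets to confirm they really are the lock, verifies the expected original bytes before writing anything (a mismatch means the wrong module or wrong offsets, and flashing a mispatched module is how boards get bricked), and only then rewrites the displacements. It assumes the offsets in the post are raw file offsets into the extracted SetupUtility module; the input file name is a placeholder, and the stand-in module used when no file is given is constructed here for demonstration.

```python
"""Verify-then-patch the two 'jnz' tab locks from the post (added example)."""
import struct
import sys

# The two locks the post identifies, as file offset -> original 6-byte encoding.
# Assumption: these are raw offsets into the extracted SetupUtility module
# (FE3542FE-C1D3-4EF8-657C-8048606FF670_877.ROM); the byte check below aborts
# if the module at hand does not carry exactly these bytes at these offsets.
LOCKS = {
    0x0A32: bytes.fromhex("0F856CFFFFFF"),  # jnz loc_1800009A4 ; 1. lock
    0x0A46: bytes.fromhex("0F8558FFFFFF"),  # jnz loc_1800009A4 ; 2. lock
}
JNZ_SKIP = bytes.fromhex("0F8500000000")   # jnz $+6: falls through either way
INSN_LEN = 6                               # Jcc rel32 is always 6 bytes long


def jcc_target(offset, insn):
    """Decode a 6-byte Jcc rel32 located at `offset` and return its branch target."""
    if len(insn) != INSN_LEN or insn[0] != 0x0F or not 0x80 <= insn[1] <= 0x8F:
        raise ValueError("not a two-byte Jcc rel32 encoding: %s" % bytes(insn).hex())
    rel32 = struct.unpack_from("<i", insn, 2)[0]       # signed displacement
    return offset + INSN_LEN + rel32                   # relative to the next insn


def patch_locks(module, locks=LOCKS):
    """Return a patched copy of `module`; raise if any lock bytes mismatch.

    Every lock is checked before anything is written, so a module that does
    not match (wrong build, wrong offsets) comes back untouched.
    """
    for off, expected in locks.items():
        found = bytes(module[off:off + INSN_LEN])
        if found != expected:
            raise ValueError("offset %#06x: expected %s, found %s"
                             % (off, expected.hex(), found.hex()))
    buf = bytearray(module)
    for off in locks:
        buf[off:off + INSN_LEN] = JNZ_SKIP
    return bytes(buf)


def patch_file(src, dst, locks=LOCKS):
    """Read the module at `src`, patch it, write the result to `dst`, return it."""
    with open(src, "rb") as f:
        module = f.read()
    patched = patch_locks(module, locks)
    with open(dst, "wb") as f:
        f.write(patched)
    return patched


def build_sample_module():
    """Constructed stand-in for the real module: NOP filler with the two locks placed."""
    buf = bytearray(b"\x90" * 0x1000)
    for off, original in LOCKS.items():
        buf[off:off + INSN_LEN] = original
    return bytes(buf)


if __name__ == "__main__":
    # usage: python unlock_tabs.py [SetupUtility.ROM]   (file name is a placeholder)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            module = f.read()
    else:
        module = build_sample_module()
    for off, original in LOCKS.items():
        print("%#06x: jnz -> %#x (original)" % (off, jcc_target(off, original)))
    patched = patch_locks(module)
    for off in LOCKS:
        print("%#06x: jnz -> %#x (patched: next instruction)"
              % (off, jcc_target(off, patched[off:off + INSN_LEN])))
```

Run it against the extracted module and compare the reported original targets with the IDA listing before trusting the output: if both decode to 0x9A4 the offsets line up with the post, and if the byte check raises, stop and re-check the module rather than flashing anything.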