(UEFI) Dell XPS 15z L511z modded BIOS - and HOWTO

[jkbuha]

hi, im the owner of a l502x that is mentioned on ur topic so i picked up the 550 bios mod and flashed. all was ok under windows. pc rebooted and the flash program popped up normally, so the programming process was all quite good. after 5 seconds pc rebooted and nothing happened. the caps led is on, screen is off and the fan speed is stuck at 100% and pc is frozen. any suggestion on how to rcover it?

Scruffy - the files in the first post are currently only for the 15z (L511z) so I think you may have flashed an incorrect BIOS!!

Try this. Disconnect your battery from the laptop, and leave it unplugged for 5 minutes. Reconnect everything, and power on (and pray).

Good luck!
jkbuha

[ScruffyITA]

a good idead is to write 15z or l511x in the files download link or some red code with that little observation.


however in the phoenix tools ive foun that the crisisrecovery is preent or should be available also for my notebook, but cant know if i made a wrong usb stick or i press the wrong botton combination.

[jkbuha]

a good idead is to write 15z or l511x in the files download link or some red code with that little observation.


however in the phoenix tools ive foun that the crisisrecovery is preent or should be available also for my notebook, but cant know if i made a wrong usb stick or i press the wrong botton combination.

Actually the few lines preceding the files did say that they were for the 15z only, but I've taken your point and added a red note on the first line to make sure everyone is aware that these files are for the 15z only.

Yes in theory there is a crisis recovery option present, but we've never fully tested it. What is required in theory is a FAT-formatted USB stick with PHLASH.EXE, MINIDOS.SYS and the correct BIOS.WPH file on it. You can google around for "CRISIS UEFI Recovery" for more info. Suggest you have a USB stick that flashes when active (so you'll know if/when the stick is being read by the BIOS).

Please keep us posted on this.

jkbuha

[jkbuha]

Hmmmm, seems more complex than i have expected.
I will look into this when I'm back home in 2 days.

---

Another thing , try noping the other call for the offest you are using.
For example, you replaced advanced with another qword, this qword was called from another routine, nop this call and make it only called from one routine .

Tried nopping the call from the previous routine, but same result.
I'm starting to suspect the hidden menus are nested in the Advanced Menu - could this be the case?

@kasar - I don't think PBE has been updated to support UEFI, and/or simulation of BIOS images. Can someone verify this and get back to us please?

[jkbuha]

Hey Ahmed

Hope you're having a good weekend.
I've had some time to play around with modifying some of the code, and I've listed the work I've done so far:

1) I've backtraced all the calls to the 'interesting' routines - and it appears that they seem to originate (as you correctly indicated) from sub_41488. In fact, the smoking gun is at offset_4150b: lea r8,off_3e0 (where all the advanced menu text beings)

2) So far so good. So in my normal BIOS, under the Advanced Menu I get to see all the text (and options obviously) from off_3e0 to about off_2470. From off_2478 (Charger Behaviour, etc) this text is hidden from my 15z standard BIOS.

3) Maybe I haven't figured IDA out properly yet, or maybe there is a strong clue in what I'm going to point out now. If you switch to text view mode when xrefing the code at off_3e0, the code is automatically segmented as follows:

1) .text: 03e0 off_3e0 (xref from sub_41488)
2) .text: 0410 qword_410 (start of Unhidden BIOS menu options: Speedstep, Virtualization etc)
3) .text: 1458 (Unhidden BIOS options: Powershare, 1394 etc)
4) .text: 2478 (Hidden options: Charger Behaviour, Express Charge, Wireless Config)
5) .text: 34a0 (Unhidden options: Battery Health, Misc Devices (USB Ports, eSata)
5a) .text: 3900 (Hidden option: Express Card Slot) <- prob because the 15z does not have a express card slot
5b) Note: at offset 3960 there are hidden options: Modem, Microphone, Camera, 1394, Media Card, Optical, FingerPrint
6) .text: 44a8 (Unhidden options: Diagnostic Screen)
6a) Note at offset 4600 there are hidden options: lots of interesting stuff
7) .text: 54a8 (Hidden options. Really good stuff)
etc etc

Why does IDA automatically group 410, 1458, 2478, 34a0?

4) So what I modded in sub_41488 was to nop or jmp my way sequentially through all the module without prematurely ending at loc_415eb. I've attached my handiwork. Result: Advanced Menu comes back, but no hidden menus or options unlocked. At this point I'm thinking that the routine checks against some mask (r9, rdx, ecx?) to identify the available hardware and/or allowed menu options before jumping to various parts of the code. Or I've reached the limits of what I can do today

Anyway it's Friday night, and I need to go out to clear my head. If you have some time to look at the file and let me know if you've picked up on something it would be greatly appreciated!

Cheers
jkbuha

[AHMED HOSSAM]

If you want to nop the jumps to the SUB_415EB , So why noping jumps inside the INT_64 routine ......... nop it in the first routine ( SUB_41488 ) and see the result if anything is unlocked .

i looked before inside strings and it seems like its hidden inside the ADVANCED tab ....... i guess no hidden tabs but its hidden menus inside the ADVANCED tab .
i will look deeply into this today .......... and try noping the SUB_415EB calls inside the SUB_41488 .

[jkbuha]

If you want to nop the jumps to the SUB_415EB , So why noping jumps inside the INT_64 routine ......... nop it in the first routine ( SUB_41488 ) and see the result if anything is unlocked .

i looked before inside strings and it seems like its hidden inside the ADVANCED tab ....... i guess no hidden tabs but its hidden menus inside the ADVANCED tab .
i will look deeply into this today .......... and try noping the SUB_415EB calls inside the SUB_41488 .

The reason why I've nopped the routine (just before) the int64 code is because that's where the reference to off_3e0 happens (ie: that routine is definitely in use), but have a look and let me know what you think

[jkbuha]

EDIT: In fact I tried it just now. Nopped all premature jumps to sub_415eb in routine sub_41488. No change in result. Advanced Menu is back, but with standard options.

EDIT EDIT: I've even nopped the premature jumps in DllEntryPoint and sub_40e48, before the code gets to sub_41488 (attached). Same result.

I'm suspecting that the "allowed options" are defined as bitmasks in qword_sections between qword_280 and qword_2f0. @Ahmed have you ever come across something like this in other bios mods?

[AHMED HOSSAM]

Ok , i made this the latest possibility but there is no hidden tabs in the BIOS and its only menus inside the advanced tab .......... as these are menus not tabs , its not controlled through routines but its controlled by control bits .
the strings are connected to the strings table and the strings table is connected to the menus structure which controls what is shown or hidden .
for example ( its not true , its just example ) :-

72 0f 00 00 01 00 02 00 93 95 85 41 32 85 78

72 0f is the menu ID and 01 is the language bits ( 01 for english ) 02 means hidden while the rest of bits points to the menu name and the bits is the strings table which leads to the strings itself .

i made it the latest possibility as its complicated to knew how to find and analyse the menus structure and strings table ....... but it seems we must do this .... i will begin today but this will take sometime .

[nextor]

Hi guys, I'm back. I had a lot of things going on, so no time for bios modding.
I see that you made great progress, that's really good. I'll try to keep up with you doing the same modding for the Vostro 3750 series. Dell just released a brand new version (A11) so it's a perfect time for modding.