This article documents the exciting work being done by some of the top contributors in our forum. The modifications performed on systems like the Dell 15z reflect the most advanced examples of BIOS modifications done within our community. For more information, please visit the thread.
Phoenix SecureCore Tiano, used by Dell, is a tough nut to crack – we came to what we have today by taking little steps on a road that wasn’t smooth to begin with. Neither Phoenix nor Dell has provided any information regarding SCT 2.0, and to this day the BIOS on these machines has not been upgraded to 2.3.1, which allows for ME v8 (brings IVB CPU support) and SecureBoot capabilities.
The number one utility in all of our research is without a doubt AndyP’s Tool, which can be found here. Huge props to him – without his tool our work wouldn’t be possible. Please note that for some reason later versions of this tool, such as 2.11, don’t seem to unpack the BIOS.wph’s capsule properly, so use versions prior to that if you are going to attempt doing some *magic* on your own. There has been a new Phoenix Tool release, v2.12, but I have yet to try it; I personally still use 2.02 and it has been producing stable and working output.
The BIOS chip structure is the following:
Platform: Intel(R) HM67 Express Chipset
— Flash Devices —
Size: 4096KB (32768Kb)
00000000h – 00000FFFh: Flash Descriptor Region
00001000h – 00037FFFh: Common ME Header
00038000h – 0017FFFFh: ME Region
00180000h – 003FFFFFh: BIOS Region
00400000h – 00420FFFh: EC Region (flashed to a secondary SPI chip W25X40VSIG, as of BIOS A13 my EC firmware is V02-14 For PHOENIX EC Version P1A38)
1. Unlocking Advanced Menus and Modifying Option ROMs
First came the nVidia VBIOS modding for XPS 15 and XPS 17 laptops. This was a pretty straightforward discovery because nVidia BIOS modding was documented all over the place, with a software package called NiBiTor, coded a few years back, that allows a user to adjust a range of options inside the video BIOS of the card. The guys with nVidia cards onboard have been playing with undervolting and overvolting successfully, which leaves room for overclocking or for gaining overall stability if you are experiencing hang/freeze/overheating issues with the stock configuration. There are values for voltage already predefined in the VBIOS, but they can be easily altered as the voltage table for nVidia is well-documented. There’s also a way of swapping VBIOSes for nVidia cards, like having a 525M utilize a 540M VBIOS or vice versa, but this isn’t necessarily a good thing to do.
For people with AMD Switchable Graphics things are still not looking good since only Vostro 3450 of the laptop range with SCT UEFI uses this technology. The ROMs for AMD are not really easy to come by, even though they are documented pretty well. It’s just that Dell’s implementation on SG is kind of lousy anyway, so attempting any modifications on the ROM is pointless, really.
Then, based on information from dgsga here and aldo androdev here, we were able to overcome a huge problem for OS X users – Phoenix has locked write access to MSR register 0xE2, which stores C-State data. The register has only read access and therefore Apple’s Power Management implementation was unable to write necessary values to it, resulting in kernel panics. SCT 2.0 from Phoenix has this restriction hardcoded inside the PowerManagement2.efi module (GUID F7731B4C-58A2-4DF4-8980-5645D39ECE58); patching out the sequence specified in the reference topics seems to solve the issue.
After about 9 months of waiting, with the help of Mikhail and based on information found on Phoenix’s wiki page, jkbuha was able to reverse the EFI_IFR_SUPPRESS_IF operator inside the PlatformSetupAdvancedDxe module, which resulted in unlocked BIOS menus. The same pattern was then found inside the SystemSetuplSecurityDxe module, but the result wasn’t as exciting as with Advanced setup. The only thing unlocked in the Security tab of the BIOS was the option to specify the length of the password.
Some of the menus that the unlock has brought us, with the main option highlights:
* Boot Configuration
– Lets you enable classic BIOS post screen with diagnostics summary
– Enable/disable UEFI and Legacy boot modes. Classic Legacy mode allows booting from MBR-formatted drives only (which in turn limits you to 4 partitions on your HDD); UEFI mode supports GPT and virtually any number of partitions. A UEFI-capable Windows boot manager (Windows installed in UEFI mode) or a third-party UEFI bootloader such as Clover is required to boot from GPT volumes.
– Enable QuickBoot – skips loading EFI DXE drivers that are already loaded, which essentially speeds up your reboot. Doesn’t affect first boot.
* ACPI Configuration
– Lets you enable/disable Dell’s proprietary temperature and voltage monitoring device PTID; setting this feature to disabled essentially drops one of the SSDT tables, called PtidDevc, from the BIOS.
* Processor Configuration
No, this won’t bring you OC features as this is one of the options that has to be supported by Intel’s Management Engine firmware.
– Intel’s Hyper-Threading technology – well, this speaks for itself. This option controls whether the virtual core thread is in use or not.
– Flex Ratio is essentially the Plimit of your CPU, this is the highest multiplier your CPU can utilize. Please note it’s not the maximum multiplier used for TB.
– Execute Disable Bit (XD) – Intel’s hardware-based security implementation to protect your system against worm/rootkit exploits.
– CPU fast strings – Brings better CPU performance.
– Processor Power Management submenu lets you manipulate the Turbo Boost setup as well as your idle power C-state switching.
* Peripheral Configuration
– Nothing interesting to see here for the end-user
* HDD Configuration
– This menu basically lets you alter your SATA port configuration, setting it as Hot-Pluggable, External or Internal etc. Just make sure to never enable the ports that are disabled from the factory, otherwise you may run into some issues.
* Memory Frequency
If you bought some flashy 1600MHz modules, well.. too bad you can’t really see your 800MHz effective clock because the chipset is locked to 1333MHz.
– Memory Frequency will let you set the memfrq to as high as 1867MHz (including 1600MHz in between). This has been confirmed as working for XPS machines and is yet to be confirmed by Vostro 3450/3750 owners. The only catch here is that mobile Sandy Bridge CPUs are limited to supporting 1333MHz only, so it remains to be seen what the result of setting the clock higher than theoretically supported is.
* System Agent (SA) Configuration
– DMI Settings submenu
– Graphics Configuration and PEG Configuration submenus will let you allocate the amount of shared memory to IGD (integrated graphics) and change all sorts of options associated with it. There’s still no way to set nVidia or AMD cards (PEG) as primary GFX accelerator on OPTIMUS and Switchable-Graphics machines.
* South Bridge Configuration (which is HM67 chipset for this generation of machines we are looking at)
– Adjustments to HPET (High Precision Event Timer), which is one of the interrupt timers used in computers for ages.
– PCI Express Port Configuration submenu is there to control your mPCI-E port behavior (such as Wi-Fi and WiMAX). Same deal as with SATA – don’t enable ports that were disabled from the factory. Even though my computer doesn’t physically have a WiMAX port soldered to the daughterboard, the port is enabled in the setup nevertheless.
– USB Config is your USB port configuration. And again .. don’t play detective here, enabling disabled things won’t do you any good.
– Azalia Configuration lets you disable onboard audio codec and HDMI audio.
– SB Serial IRQ Config is there for managing the allocation of computer interrupts (IRQs) ..
* Network Configuration
* LPC Configuration
* SMBIOS Event Log
– These 3 above again are submenus completely useless for the end-user
* ME Configuration
Here you can see the version of the Intel Management Engine firmware Dell has coded into your SPI chip. Dell still hasn’t updated to the latest v7 ME firmware and the version currently supplied with newer BIOS releases is 220.127.116.117, while the newest one out there is 18.104.22.1686. I personally wouldn’t advise installing ME from different platforms just because platform features of the firmware tend to differ. If you still think it’s feasible for some reason, kasar has put together an upgrade package which will bump your ME firmware to the latest v7 version.
– Intel AT is your Intel Anti-Theft feature which is huge on modern day Ultrabooks… and according to Intel isn’t really supported on the range of machines we are discussing here. Nevertheless I believe you can purchase your activation code (supplied as a pre-paid card with a scratch-off code) to subscribe to this service. This allows you to track your machine, remotely lock it (so that the thief won’t be able to enter BIOS setup) and even remotely wipe your machine. Basically an analog of Apple’s Find My Mac (or iPhone if you like) service from iCloud. Intel doesn’t support this range of machines officially due to Dell’s Computrace being hardcoded into the BIOS with essentially same capabilities as AT.
* Thermal Configuration
– CPU Thermal Configuration submenu allows you to disable Intel’s original thermal monitoring, enable the T-States (throttling states), also there’s an option to disable DTS (Digital Thermal Sensor) which uses optical fiber to report data from Thermal Zones and works in conjunction with PTID device (I have mentioned it earlier in the article) which reads data passed from Thermal Zones as well.
– Platform Thermal Configuration
1. Trip point temperatures for fan kicking in at HIGH and LOW RPMs.. the use is pretty obvious.
2. Passive TC1, TC2 and TSP values are used in a formula defined in ACPI Specification (see ACPI Spec 5.0, 22.214.171.124 Processor Clock Throttling, pp.525)
3. PCH Thermal Device which is a HM67 chipset sensor that is disabled by Dell because there are already 3 ways of monitoring temperature implemented and there was no need for SMBUS temperature reporting according to Dell.
You can enable the PCH Sensor nevertheless, but please note – most of the settings on this menu won’t do anything .. they don’t override anything because temperature values for tripping are most likely hardcoded into the EC (ITE IT8158E Embedded Controller found on this series of machines) firmware.
After this HUGE progress came a tiny exploration – a way of updating the CPU microcode, which Dell is not really doing a great job of themselves.. my A13 comes with microcode v23, while the latest one supplied by Intel for CPUID 0x000206A7h is v28. You can read about the procedure in detail here, as described by jkbuha. The only thing I should mention is that it’s not required to enable all of the Control Options as said in the linked post. It’s enough to enable ‘No SLIC’ and ‘Allow users to modify other modules’.
Later we discovered that Dell is lazy to update their Intel IGD VBIOS as well, and as seen from the XPS L502x changelog they are actually downgrading the versions because their ePSA Diagnostics Utility is getting confused by changes in the VBIOS. We are not blaming Dell here, but it sure is nice to at least update your machines that haven’t gone through their support lifespan yet… rather than to roll something back because you are too lazy to update your proprietary diagnostics utility. So we went ahead and took a VBIOS v2130.0 (it seems that Intel’s VBIOS always goes by GUID of 29206FC2-9EAB-9EAB-4612-ACA1-1E3D098FB1B3) from an Inspiron 17R Special Edition laptop which also has SCT, but of version 2.3.1 already (still not documented by Phoenix on their wiki). We discovered that the connector table as well as the hardware ID table do differ across machines due to the nature of different port setups as well as available CPU support. jkbuha has found out that for Intel’s Mobile VBIOS the connector table always starts at offset 0xC20 and ends at 0xD1F; you have to use the connector table from your original video BIOS to support all the video-out ports. If the ID of your onboard graphics card is not found in the donor video BIOS, you have to carry over the ID table as well, which is 0x44 to 0x80.
Right now we have settled on a Lenovo (product code H0ET70WW) mobile VBIOS v2137.0, which seems the most stable and free of glitches such as broken brightness controls. It’s not advisable to use desktop board VBIOSes: even though the version is higher, the structure is totally different, and it also turned out they are missing the 80×25 text mode.
The wake issue has been plaguing OS X users on Dell laptops based on SCT 2.0 with later BIOS versions. As a temporary measure I have tracked down what was causing the issue – the PlatformSmm.efi module of a known-working BIOS version has to be backported into later versions to fix it. The module is responsible for loading the DSDT and for locating and loading SSDT tables based on RSDT/XSDT data.
Now that I know the module, I dug deeper and it turns out that changes to memory allocation across BIOS versions have caused the issue. Theoretically this can be solved purely by altering DSDT – in other words.. here are the changes for my Vostro going from A04 (wake works) to A07 (wake doesn’t work):
< OperationRegion (GNVS, SystemMemory, 0xBAF42E18, 0x01B0) A04
> OperationRegion (GNVS, SystemMemory, 0xBAF41E18, 0x01B0) A07
< OperationRegion (PNVS, SystemMemory, 0xBAE0D018, 0x100E) A04
> OperationRegion (PNVS, SystemMemory, 0xBAE0C018, 0x100E) A07
I have a proof of this concept over at InsanelyMac forums, but I have yet to try this myself. What’s needed is to take the regions from a later version of the BIOS (A07 in this case) and swap them into the DSDT of an older version of the BIOS (A04). This slight shift in memory has caused the machine to fail at locating ACPI tables upon wake. This is for people who prefer to keep older DSDTs even with new BIOS versions.. I’m such a person myself, but when I saw Brabbelbla was using the DSDT from the latest BIOS while actually running the latest BIOS, it got me thinking about what’s causing this. jkbuha once said that he hasn’t ever experienced the wake from sleep issue on his 15z. After checking the DSDT of this machine going from one BIOS version to another, it appeared that the memory regions haven’t changed .. this has led me to the conclusion above.
A good person that goes by the name CodeRush has created an automated cross-platform utility that is able to do the patching for Apple’s PM and unlock the advanced menus at the same time. The software is constantly updated and the source code can be found here. A compiled version 0.5.5 for Windows can be found here. You can even pass the .exe straight from Dell’s support page to apply the patch.
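The region swap described above, as an added example (not code from the article or the forum thread): it finds SystemMemory OperationRegions whose literal address differs between two decompiled DSDTs and rewrites the older table to the addresses the newer firmware uses. The sample tables are constructed from the four lines quoted above plus one made-up SystemIO region, and the function names are this example's own.

```python
import re

# ASL declaration with a literal offset and length, e.g.
#   OperationRegion (GNVS, SystemMemory, 0xBAF42E18, 0x01B0)
OPREGION = re.compile(
    r"(OperationRegion\s*\(\s*(\w{1,4})\s*,\s*SystemMemory\s*,\s*)"
    r"(0x[0-9A-Fa-f]+)(\s*,\s*)(0x[0-9A-Fa-f]+)(\s*\))"
)

def memory_regions(dsl):
    """Map region name -> (base, length) for SystemMemory regions with literal addresses."""
    return {m.group(2): (int(m.group(3), 16), int(m.group(5), 16))
            for m in OPREGION.finditer(dsl)}

def moved_regions(old_dsl, new_dsl):
    """Regions declared in both tables whose base or length differs."""
    old, new = memory_regions(old_dsl), memory_regions(new_dsl)
    return {name: {"old": old[name], "new": new[name],
                   "shift": new[name][0] - old[name][0]}
            for name in sorted(old.keys() & new.keys()) if old[name] != new[name]}

def retarget(old_dsl, new_dsl):
    """Rewrite the old table's moved regions to the values found in the new table."""
    new = memory_regions(new_dsl)

    def swap(m):
        name = m.group(2)
        current = (int(m.group(3), 16), int(m.group(5), 16))
        if name not in new or new[name] == current:
            return m.group(0)              # unknown or unmoved region: leave untouched
        base, length = new[name]
        return f"{m.group(1)}0x{base:08X}{m.group(4)}0x{length:04X}{m.group(6)}"

    return OPREGION.sub(swap, old_dsl)

# Constructed sample tables: the GNVS/PNVS lines are the ones quoted in the article,
# the XMPL SystemIO region is made up to show that other address spaces are ignored.
A04_DSL = """
OperationRegion (GNVS, SystemMemory, 0xBAF42E18, 0x01B0)
OperationRegion (PNVS, SystemMemory, 0xBAE0D018, 0x100E)
OperationRegion (XMPL, SystemIO, 0x1000, 0x10)
"""
A07_DSL = """
OperationRegion (GNVS, SystemMemory, 0xBAF41E18, 0x01B0)
OperationRegion (PNVS, SystemMemory, 0xBAE0C018, 0x100E)
OperationRegion (XMPL, SystemIO, 0x1000, 0x10)
"""

if __name__ == "__main__":
    for name, info in moved_regions(A04_DSL, A07_DSL).items():
        print(f"{name}: 0x{info['old'][0]:08X} -> 0x{info['new'][0]:08X} "
              f"(shift {info['shift']:+#x})")
    print(retarget(A04_DSL, A07_DSL))
```

Both regions move down by exactly 0x1000 between A04 and A07, which is the shift the paragraph above refers to.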
2. UEFI Shell access on Dell-Phoenix SCT 2.0:
Sadly, there’s still no way to unlock internal EFI Shell, but fortunately an external binary of SHELL 2.0 (best compatibility with UEFI 2.0 based SCT) can be used on a usb stick to initiate the UEFI SHELL. The stock shell used by Dell is very limited, so there’s no point in using the one supplied in the firmware.
Technically it is possible to add shell.efi in the same manner Windows adds itself to bcfg (Boot Configuration, or the Boot Order that you see when you hit F12 on boot) or even assign a hotkey to it, but you need to have your HDD formatted with a GPT partition table.
Load up the shell from external media. To do this, get a third-party SHELL binary from Intel’s EDK II and put it on a FAT32-formatted USB stick in a directory hierarchy of /EFI/BOOT/bootx64.efi
Reboot your machine, enable UEFI Boot in Boot Configuration. Insert the USB flash drive and reboot your machine, it will boot up straight to SHELL.
At this point you would have two possible mount points for FS: one would be MBR (your USB) and another one would be GPT (your HDD partition).
Map your media by doing: map FS*
I assume you have 3 or more FS partitions now, fs0: is MBR (the USB drive) and the rest are GPT (EFI, primary part .. etc)
Do the following:
cp fs0:\EFI\BOOT\bootx64.efi fs1:\efi\shell64.efi
It will copy bootx64.efi (which is your third-party shell efi application) from USB /EFI/BOOT to your EFI partition /efi/shell64.efi
* Just to add SHELL as a Boot Order Entry do the following:
bcfg boot add 10 shell64.efi "Shell 2.0"
bcfg boot dump
* If you want SHELL to be accessible from a hotkey as well (like F12 or F2):
shell64.efi (this will initiate the SHELL binary we just copied to the EFI partition)
dh (this will produce a long list of loaded and initialized efi modules, the SHELL we just loaded will appear toward the end, make note of the directory and the handle number of it, it can be 1AE for example)
bcfg boot addh 10 handle_number_here "Shell 2.0" -opt 0x40000000 0x0015 (this will add a Shell Boot Option with a hotkey of F11 – 0x0015)
3. Crisis Recovery
With all the modifications to the system BIOS, a way of doing Crisis Recovery was much needed, which again wasn’t documented anywhere for SCT 2.0. We have been looking and looking around for a way to initiate it with no apparent success. There was an inside document leaked from Packard Bell (a division of Acer) which described the use of PFlash.efi (which is an EFI SHELL Flasher that you see when you update the BIOS from an OEM updater) and some form of startup.nsh, which is the script that is executed when you start the EFI Shell (if it’s placed in the same folder where shell.efi is located). We have been able to find the latest releases of the mentioned utility on some ftp server, but to no avail. This wasn’t really useful because this application can only run when the machine is booted in the firmware update boot mode (there are multiple boot modes possible with the SCT 2.0 UEFI BIOS).
Like on some older Dell machines, recovery is initiated in a pretty well-known manner. You basically prepare external media with a recovery capsule (Torito CD or FAT32 flash drive), unplug the power cord from the laptop, press and hold the End key on the keyboard (it’s the Right Arrow key on XPS 15z due to the lack of a dedicated End key), plug the power back in and let go of the End key the moment you insert the power jack. The machine starts in crisis boot mode and expects a valid recovery capsule. This was the piece-of-cake part of the recovery process .. the hardest part was the structure of the capsule that we need to be using. Phoenix wiki has some documentation regarding the structure, but the information provided there wasn’t enough. After many misleading analogies from other machines and BIOS makers it was finally figured out.
To my surprise I was able to find the way of making the capsule. First I used a software called Universal BIOS Backup ToolKit 2.0, which essentially dumped the BIOS region of my W25Q32BVSIG SPI chip (2.5Mb in size), and I renamed it BIOS.cap (because this was the name I had originally found referenced inside the modules related to CD and USB booting in crisis boot mode); following the method of initiating the recovery, I was able to boot the machine. There came another surprise – the BIOS from the USB is not flashed directly to the SPI chip, but rather loaded into memory.. which allows the machine to boot while the on-chip BIOS is still corrupted.
Following this superb feature, which later allowed us to test BIOS modifications without actually flashing the BIOS, we still had to figure out how to make the capsule by hand to include all the modifications. The answer was pretty obvious. Take the BIOS1.WPH supplied by Dell, extract it with Phoenix Tool and you will end up with a 4.12 Mb F33… RAW BIOS capsule and the actual EFI SHELL flasher, which is 1.06 Mb in size and is of version v1.5.02 (while the latest version of Phoenix EFI SHELL Flasher is actually v1.5.66.. way to go Dell), that is used to flash the capsule to the chip. The capsule is of the exact size of the flashrom SPI chip and EC chip combined – 4329471 bytes or 4.12 Mb.. and if you followed the article carefully you’ve seen that the BIOS region is 0x180000 to 0x3FFFFF – this is the part that has to be cut out of the F33 RAW capsule (using a HEX editor of personal preference) and named BIOS.cap to be used as a crisis recovery capsule.
Sadly as of the latest BIOS version (for my Vostro 3450 at least), Dell has decided to revoke Boot Manager and exclude the USB boot feature while machine was in crisis boot mode. The latest known BIOS version for my particular machine that supported this feature was A04. It is possible to obtain the feature back by backporting the appropriate modules to newer BIOS versions, but I just prefer to have a custom A04 crisis recovery capsule to avoid the need for backporting.
Our fellow comrade kasar, in other circles known as capitankasar, has put together a Windows PE (Bart PE) bootable image for BIOS crisis recovery via a Torito CD. You have to burn it to a blank CD/DVD.
When you boot the CD up, go to CMD and type repair; it will start the flasher … Follow the onscreen instructions and you should be all set in a matter of a couple of minutes.
XPS L502x: http://www.mediafire.com/?z4lt1n56catjme6
XPS L702x: point me to one ?
XPS L511z: http://www.mediafire.com/?36xadbbn4a8udxd
Vostro 3450: http://www.mediafire.com/?c3cc3mqofabh5m3
Another positive thing about initiating crisis recovery is that CMOS gets reset while doing so. This won’t wipe your NVRAM if you screwed something up by using SHELL, but sure can save you from going through a hassle of dismantling the unit to reach for a coin-cell battery to reset the CMOS.
Pending projects are the following:
1. Flash Descriptor and ME Region unlocking, potentially leads to overclocking capabilities.
This requires a hardware solution; currently there is no way for Dell Phoenix SCT machines to do this via software. This is required to enable write access to these regions and potentially exploit the ME region to enable the Overclocking platform feature. A sequence of 00 00 FF FF 00 00 FF FF 18 01 08 08 FF has to be flashed by a hardware flasher to the offset 0x60 (part of the Flash Descriptor) to remove the master lock protection:
Master Region Access:
CPU/BIOS – ID: 0x0000, Read: 0x0B, Write: 0x0A
ME – ID: 0x0000, Read: 0x0D, Write: 0x0C
GbE – ID: 0x0118, Read: 0x08, Write: 0x08
Basically we overwrite the lock keys for the FD and ME regions, which appear as 00 00 0B 0A 00 00 0D 0C 18 01 08 08 FF at the noted offset. There is no GbE region on the SPI chip, so it’s pointless to remove the master lock on it.
This has been partially done by kasar at the cost of a dead motherboard on his XPS L502x machine, which was the result of an unsuccessful ME flash in an attempt to unlock overclocking features. However, he was finally able to recover the motherboard by building an external BIOS programmer, and after restoring the chip backup he got the unit back to working status. He also got a successful BCLK overclocking mod by modding the ME region.
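To make the region map near the top of the article and the master access bytes at 0x60 concrete, here is an added example (not from the article or from any of the tools it mentions) that decodes an Intel flash descriptor and reports when the host holds access beyond the stock values quoted above. The descriptor is constructed: its region registers encode the layout listed in the article with the ME header and ME region treated as one region, the FRBA/FCBA offsets of 0x40/0x30 are assumptions, and the function names are this example's own.

```python
import struct

FLVALSIG = 0x0FF0A55A   # Intel flash descriptor signature, stored at offset 0x10
REGIONS = ["Descriptor", "BIOS", "ME", "GbE", "PlatformData"]  # FLREG0-4, access bits 0-4
MASTERS = ["CPU/BIOS", "ME", "GbE"]                            # FLMSTR1-3

def parse_descriptor(desc):
    """Return (regions, masters) decoded from the first 4 KiB of an SPI image."""
    sig, flmap0, flmap1 = struct.unpack_from("<III", desc, 0x10)
    if sig != FLVALSIG:
        raise ValueError("no flash descriptor signature at offset 0x10")
    frba = ((flmap0 >> 16) & 0xFF) << 4   # Flash Region Base Address
    fmba = (flmap1 & 0xFF) << 4           # Flash Master Base Address (0x60 in the article)
    regions, masters = {}, {}
    for i, name in enumerate(REGIONS):
        (reg,) = struct.unpack_from("<I", desc, frba + 4 * i)
        base = (reg & 0x1FFF) << 12
        limit = (((reg >> 16) & 0x1FFF) << 12) | 0xFFF
        if base <= limit:                 # base above limit marks an unused region
            regions[name] = (base, limit)
    for i, name in enumerate(MASTERS):
        (reg,) = struct.unpack_from("<I", desc, fmba + 4 * i)
        masters[name] = {"id": reg & 0xFFFF, "read": (reg >> 16) & 0xFF, "write": reg >> 24}
    return regions, masters

def audit_host_access(masters):
    """List host (CPU/BIOS) permissions that the stock values in the article do not grant."""
    host, findings = masters["CPU/BIOS"], []
    for name in ("Descriptor", "ME"):
        if host["write"] & (1 << REGIONS.index(name)):
            findings.append(f"CPU/BIOS may write the {name} region")
    if host["read"] & (1 << REGIONS.index("ME")):
        findings.append("CPU/BIOS may read the ME region")
    return findings

def carve(image, regions, name):
    """Slice one region out of a full SPI image using the descriptor's bounds."""
    base, limit = regions[name]
    if limit >= len(image):
        raise ValueError(f"{name} region ends past the end of the image")
    return image[base:limit + 1]

def sample_descriptor(master_bytes):
    """Constructed descriptor whose region map follows the layout listed in the article."""
    d = bytearray(b"\xff" * 0x1000)
    # FLMAP0: FRBA=0x40, FCBA=0x30 (assumed); FLMAP1: FMBA=0x60 (from the article)
    struct.pack_into("<III", d, 0x10, FLVALSIG, (0x04 << 16) | 0x03, 0x06)
    struct.pack_into("<5I", d, 0x40,
                     0x00000000,   # Descriptor   0x000000-0x000FFF
                     0x03FF0180,   # BIOS         0x180000-0x3FFFFF
                     0x017F0001,   # ME           0x001000-0x17FFFF (header + ME region)
                     0x00001FFF,   # GbE          unused
                     0x00001FFF)   # PlatformData unused
    d[0x60:0x60 + len(master_bytes)] = master_bytes
    return bytes(d)

# Master access bytes exactly as quoted in the article for offset 0x60.
STOCK = bytes.fromhex("00000B0A00000D0C18010808FF")
OPEN = bytes.fromhex("0000FFFF0000FFFF18010808FF")

if __name__ == "__main__":
    for label, raw in (("stock", STOCK), ("open", OPEN)):
        regions, masters = parse_descriptor(sample_descriptor(raw))
        print(label, {k: (hex(a), hex(b)) for k, (a, b) in regions.items()})
        print(label, audit_host_access(masters) or "host access matches the stock values")
```

Run against a real dump, `parse_descriptor` only needs the first 4 KiB, and the decoded BIOS bounds are the same 0x180000 to 0x3FFFFF range used for BIOS.cap earlier.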
2. Permanent DSDT modification
There are ACPI tables out there in the open inside the firmware’s capsule. We are able to decompile and recompile them using the AML iASL decompiler from Intel, but there’s no known way of integrating them back inside the firmware and actually having the machine boot. Replacing the module directly results in a black screen during boot. Using the respective functionality from Phoenix Tool has the same result..
Credits for all the things related to SCT 2.0 unlocking/hacking/tweaking go to: Mikhail, Andy (of PhoenixTool fame!), djjonastybe, jkbuha, kasar, Ahmed and your humble servant TimeWalker.