#1 Dell Precision M4400 bios modding. Bios mod AMT and Computrace? by NSAfarm 26.03.2017 21:53

I have 2 Dell M4400 laptops. They came with AMT "disabled" from the factory. Yet in HWinfo it says AMT is supported and so is its out of band lan connection.


Started by downloading the latest released bios and attempted editing with phoenix tool 2.66. The bios breaks into the sections nicely but recompiling even an untouched version fails with "HDR checksum error".
Running demefactory from https://libreboot.org/docs/hcl/gm45_remove_me.html on the dumped rom produces a garbage header file with mostly FFs.
Either way, it seems that the packed bios EXE will only flash HDR files in a GZip from what I've read.

Flashrom in linux won't work. Winphlash won't either.

I ran MEA on the firmware and this is what I get.

File: Original-M4400A29.hdr

Family: ME
Version: 4.2.60.1060
Release: Production
Type: Update
FD: Unlocked
SKU: AMT
Date: 26/06/2012
Platform: Mobile
Latest: Yes

Since I have 2 and one is rather sacrificial, ultimately it would be cool to play with AMT on one but secure the other. At minimum do the header mod for a spy-free bios and then load "functioning" ME into the other. Best case scenario I'd like to be able to remove modules from the bios images (i.e. ME, Computrace, TPM?) and inject a SLIC as well.

There is so much information here that I'm a bit overwhelmed. Any help would be appreciated.

#2 RE: Dell Precision M4400 bios modding. Bios mod AMT and Computrace? by Fernando 26.03.2017 22:07

@NSAfarm:
Welcome to the Win-RAID Forum!
Since I am not an expert regarding BIOS modding of Dell computers, I am not able to help you myself, but I hope that you will get support from somebody else.
Tip: After having entered the words "Dell Precision" or "Dell BIOS modding" into the search box, you will get hints to other threads, which may be interesting for you.

Good luck!
Dieter (alias Fernando)

#3 RE: Dell Precision M4400 bios modding. Bios mod AMT and Computrace? by plutomaniac 26.03.2017 23:29

You need to work on your system's SPI dump and not deal with Dell's executable or HDR file. If you can dump the full contents of the SPI chip then you can easily do whatever you want, including disabling the ME via ich9deblob or similar.

#4 RE: Dell Precision M4400 bios modding. Bios mod AMT and Computrace? by NSAfarm 27.03.2017 00:19

I've been trying to avoid buying an external flasher. Was going to try the Intel AMT/ME tools for the correct version (4). Hopefully I don't misread that they do some sort of SPI dump. I'm slowly going through the 100s of posts here and on MDL.

#5 RE: Dell Precision M4400 bios modding. Bios mod AMT and Computrace? by plutomaniac 27.03.2017 00:35

Yes, Flash Programming Tool (FPT) v4 which can be found at the ME thread. Or flashrom under Linux if that's your thing. Try if you can dump with these but if the Flash Descriptor is locked and does not allow read/write access to the ME region, you'll need an external flasher, soldering and so on.

#6 RE: Dell Precision M4400 bios modding. Bios mod AMT and Computrace? by NSAfarm 27.03.2017 01:03

I tried FPT v4 and it couldn't load the driver (some dll). I assume it's 32bit on a 64bit windows? FPT64 and tools from here: http://forum.notebookreview.com/threads/...bios-mod.788481
say the platform is not supported.

Flashrom really cries about being on a laptop and couldn't identify the correct chip. I have a log from trying previously: http://pastebin.com/p8t9nzk4
Not sure if that log means it's locked down.

edit: maybe something like this would work: http://imgur.com/a/oU4il
at that point I might as well get a programmer, will any of them work without desoldering the whole chip or pulling gnd/vcc off the board?

got it to read:

--------------------------------------------
Flash Programming Tool. Version 4.2.0.1017
Copyright (c) Intel Corporation. 2007-2009

Southbridge: ICH9-M
Reading file "fparts.txt" into memory...
Initializing SPI utilities
Reading HSFSTS register... Flash Descriptor: Valid

--- Flash Devices Found ---
MX25L3205A ID:0xC22016 Size: 4096KB (32768Kb)

Using software sequencing.
Reading region information from flash descriptor.

--- Flash Image Information --
Signature: VALID
Number of Flash Components: 1
Component 1 - 4096KB (32768Kb)
Regions:
Descriptor - Base: 0x000000, Limit: 0x000FFF
BIOS - Base: 0x260000, Limit: 0x3FFFFF
ME - Base: 0x00B000, Limit: 0x25FFFF
GbE - Base: 0x001000, Limit: 0x002FFF
PDR - Base: 0x003000, Limit: 0x00AFFF
Master Region Access:
CPU/BIOS - ID: 0x0000, Read: 0x1B, Write: 0x1A
ME - ID: 0x0000, Read: 0x0D, Write: 0x0C
GbE - ID: 0x0218, Read: 0x08, Write: 0x08

Used Space: 4096KB, Actual Space: 4096KB

But flash desc + ME region is definitely locked. :(

Found the schematic: http://kythuatphancung.vn/download/dell-...schematics.html



Pin A7 goes to? GND? VCC? It controls Intel HD Audio Dock Enable. Can it be shorted through the dock connector?

EDIT by Fernando: Put the code part into a "spoiler" (to save space)

#7 RE: Dell Precision M4400 bios modding. Bios mod AMT and Computrace? by plutomaniac 27.03.2017 13:52

The ME4 tools are old and may have problems running on newer Windows OSes. The DOS version will always work though if you cannot get the former to work. If the "FPT -d spi.bin" command shows CPU Access Error or similar then your FD is locked indeed. You have a pre 6-series system so you are not looking for SDA_HDO of the audio chip but rather for GPIO33.

#8 RE: Dell Precision M4400 bios modding. Bios mod AMT and Computrace? by NSAfarm 27.03.2017 17:33

According to that schematic there are 2 ME_FWP. The GPIO33 and GPIOK[0](USBDP2). Can't GPIOs be set low via software?

Making FPT work required taking the exe from the old v4 and adding the chip definitions from a new one. The SPI chip is 16pin according to my searching, most other laptops have SOIC8 varieties.

I tried the sprom program from: http://forum.ixbt.com/print/0017/038124.html to set gpio33 but then the computer shuts down. So some manufacturer does it from software.

#9 RE: Dell Precision M4400 bios modding. Bios mod AMT and Computrace? by plutomaniac 27.03.2017 21:17

Sometimes they can, but only if the OEM has such tools and they got leaked etc. For your Dell system you'll have to do it manually I guess. I see that GPIO33 is at the Audio chip (IDT 92HD71B7); which pin exactly, I'm not sure though.

#10 RE: Dell Precision M4400 bios modding. Bios mod AMT and Computrace? by NSAfarm 28.03.2017 00:13

According to that schematic the pin is not connected to the audio chip from the intel HDA.

From what I see the sprom.exe is supposed to set the gpio and then reboot, instead it shuts down. It is for version 6 of the ME so it never finds the engine. I opened it up in IDA and my chip is supported, amazingly enough. Maybe someone smarter can change the incorrect power command so it reboots or doesn't do anything and you can ctrl-alt-delete.

I've mirrored the schematic too in case it disappears.

Pin 15 of ECE5028 is me_fwp according to page 37. Also connected to R648/649. Does that look right?

#11 some success! by NSAfarm 02.04.2017 01:22

Figured a bunch out. Putting phoenix tool in advanced mode by adding the INI generates the update files now. Upgrades/downgrades can be done using the recovery mode. It involves holding end while plugging power in and modelnumberVVV.hdr will flash regardless of version.

So now I can add slic and change out bios modules at will.
3E_39.ROM - Contains AMT bios interface for provisioning, etc.
3F_33.ROM - Contains computrace code but it's rather small.
4B_37.ROM - Intel storage firmware (Intel(R) RAID for SATA - v8.0.0.1039)

I tried wiping the first 2 with 0s and no issues arise. Changing out the raid module:
>Intel MSM RAID ROM v8.9.1.1002 - "unsupported hardware"
>Intel RST RAID ROM v11.2.0.1527 - blinks and blinks, nothing happens

There are other fun strings in there related to ME fw update, overriding the flash descriptor and a menu similar to the computrace menu that lets you choose AMT/Noamt/NoSSL but would require actual cracking to work.

Why don't the raid FWs work?


There is an unlocked flash descriptor inside the hdr file. It must be used during flashing or something. I changed it and it had no effect; the HDR file contains AMT firmware in the 2nd half.

#12 RE: some success! by NSAfarm 03.04.2017 01:04

I obtained an spi bios dump of the E6500 (same motherboard). The flash descriptor is in the same place and has the exact same layout. WTF Gives? It should be fully unlocked with these bits set.

E6500: mega.nz/#!I3BTQIja!KxFxixdH2uzsPBWLj9aXJGWgPqFJFauruZcrB_Rtnh0


In fact, E6400 has the same layout too.

#13 RE: some success! by plutomaniac 03.04.2017 14:59

Two things:

1) Do not try to mod the HDR or any custom Dell executable. The best and by far easiest and safest thing to do is to use a programmer (or software dumper like FPT/Flashrom if your FD is unlocked or Dell has a jumper/BIOS option to enable ME Reflash) and get the contents of the SPI chip directly. That way you can work with proper modding tools and proper/known file structures.

2) That dump you have uploaded is either corrupt or incomplete. Maybe that system has two SPI chips and this is the second? Even so, a big part in the beginning is filled with zeroes which is not normal, something is wrong.

#14 RE: some success! by NSAfarm 03.04.2017 18:18

Which programmer though? I read your thread and the ICSP results weren't stellar using the cheap one. The SOIC16 chip is detected by intel flashing tools but on board pictures I only see SOIC8.

bottom: s3.amazonaws.com/MOBO/MOBO-00405-1.JPG
top: s3.amazonaws.com/MOBO/MOBO-00405-2.JPG

Phoenixtool from MDL now makes the EXE but it's easier to flash in recovery mode. It appears I cannot brick this way but neither can I modify the FD or ME region. If IDA matched the strings to where they are called, I could probably enable that flash descriptor override to stay on all the time.

It's in here somewhere:
mega.nz/#!VqRkWZbB!qgY5SpOhCIHUS8xtvCwa2Nz3cWMKCQqYr7F7DJpGYZw

if you search "5A A5 F0 0F" it shows up.

#15 RE: some success! by plutomaniac 03.04.2017 18:46

When it comes to FD locks, what the downloadable SPI images or Dell's hdr files say does not matter. The locks cannot be overwritten by reflashing from software. The FD is read/write locked as well so you cannot change its access rights by any software means. You would need to first allow read/write access and then alter it. To allow read/write access you must either use the pinmod (GPIO33) or a hardware programmer on the chip itself. That way you can reflash the FD with unlocked read/write access, after which you can use FPT or Flashrom freely. The point is, you cannot unlock the FD by your current method of modding the .hdr because it won't do you any good (unless the FD is temporarily unlocked as well during that "recovery mode" which I doubt).

As for which programmer you need, I don't specialize in these things. You should be able to find the SPI chip quickly by FPT or Flashrom (try both) and especially at those board schematics you have found. Don't trust what FPT says about 8 or 16 pins, those text databases you replaced the old ones with may be for a different platform and thus it recognizes the wrong chip. Try flashrom to see what it reports but as I said, your best bet is the board schematics. If you have a SOIC8 chip, then I don't see why a cheap CH341A programmer + clip wouldn't be able to read and write the chip. Mind you, you will probably need to desolder and solder back the SPI chip to read and write to it, check that thread for more details.
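
Added example, not part of any post in this thread and not code from FPT, flashrom or ich9deblob: a small Python parser that locates the "5A A5 F0 0F" signature mentioned in post #14 and decodes the region map and the Master Region Access masks that FPT printed in post #6. It assumes the ICH8/9/10 descriptor layout (signature at descriptor offset 0); the function names are hypothetical, and the sample image is constructed from the FPT values, with made-up FLMAP words.

```python
import struct

FD_SIG = bytes.fromhex("5AA5F00F")                     # FLVALSIG as stored on flash
REGIONS = ["Descriptor", "BIOS", "ME", "GbE", "PDR"]   # bit 0..4 of each access mask
MASTERS = ["CPU/BIOS", "ME", "GbE"]

def parse_descriptor(image: bytes) -> dict:
    """Return region ranges and per-master read/write grants from a dump."""
    fd = image.find(FD_SIG)       # first hit only; could be a false match in odd files
    if fd < 0:
        raise ValueError("no flash descriptor signature found")
    flmap0, flmap1 = struct.unpack_from("<II", image, fd + 4)
    frba = fd + (((flmap0 >> 16) & 0xFF) << 4)   # start of FLREGn region records
    fmba = fd + ((flmap1 & 0xFF) << 4)           # start of FLMSTRn master records
    regions = {}
    for i, name in enumerate(REGIONS):
        (flreg,) = struct.unpack_from("<I", image, frba + 4 * i)
        base = (flreg & 0x1FFF) << 12
        limit = ((flreg >> 16) & 0x1FFF) << 12 | 0xFFF
        if limit >= base:                        # base above limit marks an unused region
            regions[name] = (base, limit)
    masters = {}
    for i, name in enumerate(MASTERS):
        (flmstr,) = struct.unpack_from("<I", image, fmba + 4 * i)
        rd, wr = (flmstr >> 16) & 0xFF, flmstr >> 24
        masters[name] = {
            "read": [r for b, r in enumerate(REGIONS) if rd >> b & 1],
            "write": [r for b, r in enumerate(REGIONS) if wr >> b & 1],
        }
    return {"regions": regions, "masters": masters}

def host_locked_regions(info: dict) -> list:
    """Regions present in the image that the CPU/BIOS master may not write."""
    writable = info["masters"]["CPU/BIOS"]["write"]
    return [r for r in info["regions"] if r not in writable]

def build_sample() -> bytes:
    """Constructed 4 KiB descriptor carrying the values from the FPT output."""
    fd = bytearray(b"\xff" * 0x1000)
    struct.pack_into("<4sII", fd, 0, FD_SIG, 0x04040001, 0x00000206)
    struct.pack_into("<5I", fd, 0x40, 0x00000000, 0x03FF0260,
                     0x025F000B, 0x00020001, 0x000A0003)
    struct.pack_into("<3I", fd, 0x60, 0x1A1B0000, 0x0C0D0000, 0x08080218)
    return bytes(fd)

if __name__ == "__main__":
    info = parse_descriptor(build_sample())
    for name, (base, limit) in info["regions"].items():
        print(f"{name:10s} 0x{base:06X}-0x{limit:06X}")
    print("host cannot write:", host_locked_regions(info))
```

With the masks from post #6 (CPU/BIOS Read 0x1B, Write 0x1A) the host can write BIOS, GbE and PDR but not the Descriptor or ME regions, which is the locked state the thread describes.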
