[GUIDE] Dell Precision M6800/M4800 sBIOS mod

Discussion in 'Dell Latitude, Vostro, and Precision' started by valuxin, Feb 20, 2016.

  1. valuxin

    Hi there!

    Recently, I found a way to dump, modify and flash the system BIOS firmware on Dell Precision M6800/M4800 machines. I'll describe everything step by step. Let's begin.

    Introduction
    The system BIOS on these machines is AMI Aptio 4. System flash contains the following regions:
    • Descriptor - contains basic info about flash and permissions. Full access after doing permanent unlock mod. Otherwise, only Read access.
    • BIOS - contains BIOS itself. Read and Write access.
    • ME - contains Intel Management Engine Firmware. Read and Write access.
    • GbE - contains Ethernet info. Read and Write access.
    Here you'll find all described and used tools:
    • FTK - used for dumping and flashing the firmware
    • Flash Image Tool - utility to modify Descriptor and ME region settings of the firmware and build the final firmware
    • Clock Commander Tool - utility to operate with Integrated Clock Controller (ICC) of ME engine
    !!!All described info is only valid for A16 BIOS!!!
    Haven't tested on other versions

    STEP 1: Unlock the system features
    Firstly, we need to unlock some features to be able to read and flash our ROMs to sBIOS. For this we need a flash drive formatted in FAT32 and the tool from THIS archive - just extract the "EFI" folder to the root of your flash drive.

    Next, reboot your laptop and boot from this USB stick in UEFI mode - GRUB prompt should appear. Now, we need to change NVRAM variables with "setup_var" command. Here is the list of variables and values:

    --SMI Lock, Variable: 0x74
    Disabled, Value: 0x00 <<---
    Enabled, Value: 0x01

    --BIOS Lock, Variable: 0x75
    Disabled, Value: 0x00 <<---
    Enabled, Value: 0x01

    --BIOS Interface Lock, Variable: 0x77
    Disabled, Value: 0x00 <<---
    Enabled, Value: 0x01

    --CFG lock, Variable: 0xC8A
    Disabled, Value: 0x00 <<---
    Enabled, Value: 0x01

    --Mc Lock, Variable: 0xD3F
    Disabled, Value: 0x00 <<---
    Enabled, Value: 0x01

    --VR Current value lock, Variable: 0xC93
    Disabled, Value: 0x00 <<---
    Enabled, Value: 0x01

    --Package power limit lock, Variable: 0xC94
    Disabled, Value: 0x00 <<---
    Enabled, Value: 0x01

    --Overclocking lock, Variable: 0xC95
    Disabled, Value: 0x00 <<---
    Enabled, Value: 0x01

    --Platform power limit lock, Variable: 0x54
    Disabled, Value: 0x00 <<---
    Enabled, Value: 0x01

    --Config TDP LOCK, Variable: 0x3A
    Disabled, Value: 0x00 <<---
    Enabled, Value: 0x01

    --ICC Locks After EOP, Variable: 0xC14
    Default, Value: 0x03
    All Locked, Value: 0x04
    All UnLocked, Value: 0x05 <<---

    --Me FW Image Re-Flash, Variable: 0x2BC - this one is needed to read and flash the ME firmware region. After the second reboot, the value will be reset to the default 0x00 and you'll lose full access to the partition.
    Disabled, Value: 0x00
    Enabled, Value: 0x01 <<---

    Example of usage:
    Code:
    setup_var Variable - check variable value
    setup_var Variable Value - write new value for selected variable
    setup_var 0x2BC 0x01 - unlocks ME flash region
    
    After entering all values, command "exit" and press the power button. Changing these vars unlocks the BIOS, CPU power management, editing ICC Profiles on the fly, and access to the ME region.

    P.S. Alternatively, you could place NVRAM editor .efi file at EFI partition of Hard Drive and boot directly from F12 on the go.

    STEP 2: Dump the BIOS
    After patching NVRAM, boot into Windows and open the FTK tool folder. Open spiinfo.bat with Administrative privileges and you should get something like this, saying that the BIOS, ME and GbE regions have Read/Write permissions:
    spiinfo.png

    In this folder you'll find some .bat files that could be used to dump the firmware:
    • backup.bat - dumps full firmware from the flash to the file backup.bin
    • biosbck.bat - dumps only BIOS region of firmware to the file biosbck.bin

    STEP 3: Firmware editing
    After dumping the firmware you could modify the BIOS part with your favorite tool. !!!But be careful: for BIOS modification to work, you should disable the BIOS Signing Check feature inside the BIOS image - otherwise you'll break the laptop and the only way to restore is via programmer!!! For editing ME firmware settings you'll need a full firmware dump and the tool called Flash Image Tool. With this tool you could add the ability to change the Reference Clock via the Intel XTU utility.

    After modifying, click on "Build" option and you should get outimage.bin in utility folder. Rename it to bios.bin

    STEP 4: Flashing the firmware
    After committing changes to the firmware file you can flash it now. Place your modified bios.bin file in the FTK folder and use one of these .bat files to flash the wanted region:
    • biosrefl.bat - re-flashing BIOS region
    • merefl.bat - re-flashing ME region
    • gberefl.bat - re-flashing GbE region
    After flashing completes, reboot your PC for the changes to take effect.

    !!!WARNING!!!
    !!!Re-flashing with modified firmware may brick your PC!!!
    !!!Do it at your own risk!!!

    Any help on this project is always welcome and very appreciated ;)
     
    Last edited: Nov 10, 2017
  2. valuxin

    How to unlock all flash regions permanently
    After doing this mod you'll unlock ALL flash regions permanently (read/write) and there will be no need to unlock the ME region every time you need to flash modified fw.

    STEP 0: Preparations
    • Download "DOS" from the cloud storage with tools in first post
    • Create bootable FreeDOS flash drive with Rufus
    • Extract all files from the archive to the root of flash drive
    • Open your dumped full fw in Flash Image Tool
    • Go to Flash Image >> Descriptor Region >> Master Access Section and change all values to 0xFF (Debug/Manufacturing)
    • Build the firmware, rename it to bios.bin and place it on flash drive
    STEP 1: HW
    1. Power off your PC
    2. Remove the palmrest (or just the keyboard)
    3. Locate Realtek Audio Chip
    4. Bridge Pin 1 and Pin 5
      WP_20160220_11_56_39_Raw.jpg
    STEP 2: SW
    1. Power on the PC and boot from flash drive in Legacy mode (not UEFI)
    2. Command "spiinfo" to check everything is ok with HW mod - you should see Read/Write permissions in every region
    3. Command "descrefl" to re-flash Descriptor region with modified one from bios.bin
    4. After success, power off your PC and remove the bridge from Audio Chip
    Now, you'll have permanent access to all flash regions :)
     
    Last edited: Nov 10, 2017
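
A read-only check of the Master Access Section that STEP 0 above changes, as an added example that is not part of the original post: it parses the flash descriptor of a full dump such as backup.bin and lists which masters may read and write which regions. The field offsets follow the Intel flash descriptor version 1 layout and are assumed to apply to this platform; the sample images, the FLMSTR values in them and the flagging policy are constructed for the example.

```python
import struct

FD_SIGNATURE = 0x0FF0A55A          # flash descriptor signature, at offset 0x10
REGIONS = ["Descriptor", "BIOS", "ME", "GbE", "PlatformData"]  # access-bit order
MASTERS = ["Host CPU/BIOS", "ME", "GbE"]                      # FLMSTR1..3

def parse_master_access(image: bytes) -> dict:
    """Return {master: {"read": [regions], "write": [regions]}} from a dump."""
    if len(image) < 0x1C:
        raise ValueError("image too short to hold a flash descriptor")
    sig, _flmap0, flmap1 = struct.unpack_from("<III", image, 0x10)
    if sig != FD_SIGNATURE:
        raise ValueError("no flash descriptor signature at offset 0x10")
    fmba = (flmap1 & 0xFF) << 4                # Flash Master Base Address
    if fmba + 4 * len(MASTERS) > len(image):
        raise ValueError("master section lies outside the image")
    result = {}
    for i, name in enumerate(MASTERS):
        (flmstr,) = struct.unpack_from("<I", image, fmba + 4 * i)
        read_bits = (flmstr >> 16) & 0xFF      # Master Region Read Access
        write_bits = (flmstr >> 24) & 0xFF     # Master Region Write Access
        result[name] = {
            "read": [r for b, r in enumerate(REGIONS) if read_bits >> b & 1],
            "write": [r for b, r in enumerate(REGIONS) if write_bits >> b & 1],
        }
    return result

def findings(access: dict) -> list:
    """Flag grants this example treats as unexpected on a locked descriptor."""
    out = []
    for master, perms in access.items():
        if "Descriptor" in perms["write"]:
            out.append(f"{master} can rewrite the Descriptor region")
        if master == "Host CPU/BIOS" and "ME" in perms["write"]:
            out.append("Host CPU/BIOS can write the ME region")
    return out

def build_sample(flmstr: list) -> bytes:
    """Constructed 4 KiB descriptor: only signature, FLMAP1 and FLMSTRn are set."""
    img = bytearray(b"\xff" * 0x1000)
    struct.pack_into("<III", img, 0x10, FD_SIGNATURE, 0, 0x06)  # FMBA = 0x60
    struct.pack_into("<III", img, 0x60, *flmstr)
    return bytes(img)

LOCKED = build_sample([0x0A0B0000, 0x0C0D0000, 0x08080118])    # constructed values
UNLOCKED = build_sample([0xFFFF0000, 0xFFFF0000, 0xFFFF0118])  # all 0xFF, as in STEP 0

if __name__ == "__main__":
    for label, img in (("locked", LOCKED), ("unlocked", UNLOCKED)):
        print(label, findings(parse_master_access(img)) or "no findings")
```

Run against a dump taken from a machine under review, any finding means the descriptor no longer restricts software running on the host from rewriting the flash, which is the state the mod above leaves behind.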
  3. valuxin

    Currently, I'm working on building working overclocking firmware to modify the Reference Clock, but due to Dell warranty problems, my hands are tied...
     
    Ashkan Zare Karizak likes this.
  4. scrlk

    Any chance you could escalate your warranty problem to management? Hopefully you could get it sorted out then.
     
  5. valuxin

    Unfortunately, Dell Care support doesn't care about my problem at all :) I've been trying to solve the problem for 1 year - but with no positive result... Yep.
     
    Ashkan Zare Karizak likes this.
  6. D.Dastardly

    Is it possible after modding the bios, to access the memory functions?

    Would like to experiment with lower timings/speeds
     
  7. D.Dastardly

    You don't need to modify the reference clock. It will cause instability. You can overclock the CPU with the ratio option.
     
  8. sama123

    What are the results of the tests M4800 i7 4940MX? Maximum CPU Turbo ratios?
     
  9. iieeann

    Woot, great work, I am interested in adjusting the CPU ratio :)
     
  10. sama123

     
    Last edited: Nov 29, 2016