M18x Unlocked BIOS Modification Info

COOL! but the A03 unlocked is for all M18X users 460m 6970 6990m and 580m all alike. My guess now for the throttle is nvidia is doing it not dell.

 

That's something Nvidia confirmed long ago but I thought there was an extra limitation implemented by Dell as well.

 

looks like your out of a job DA_G

http://forum.notebookreview.com/ali...iental-has-been-unlocked-modded-a03-bios.html

 

Great news Although if that was a job, it was the worst paying one ever!

My motivations are simply to learn, hence why this is a modification info thread! Unfortunately my own goal has not been accomplished with this nodded BIOS as there have been no methodology posted! I have plenty more machines to modify and am far mire interested in the ability to do so myself rather than ask someone else Please ask for methodology disclosure if you get a chance! What forms were modified in disassembly, etc. Im sure for m580x support injection of the option rom is enough, but for the unlocked options SetupUtility must be patched.

 

ummm, that was a whole lot of....ummm stuff. (it was not for you to take personal my friend. )

if your not giving any information as to your tools...now why would they?

 

Err, I am not taking it personal, sorry if it seemed that way?

I posted everything I used, there was zero information I held back? Every tool I used is listed in first post, along with all my methodology. Here we have only a BIOS release with zero further information except "try this modified BIOS", it's a bit different

I've done enough research to know the "hidden check" must be located in disassembly, and patched out via either changing JNZ instruction to JZ, or patching the check to a NOP so it always passes. But the hard part is locating the proper form and opcode to patch. That little bit of info isn't hard at all to use once explained, but it is the "how to find it" that is hard

Anyway, if you feel there is something I did not disclose, feel free to ask and I will explain it in detail I don't think there is anything I missed however. I am only asking for the methodology because I want to educate myself and expand my skillset. If that is seen as a negative thing, I have nothing further to contribute to this forum, and will withdraw all information I shared openly and post it elsewhere where this type of knowledge sharing is encouraged. If not, I would greatly appreciate it if methodology could be shared so this method can easily be duplicated to other (similar) BIOSen without having to ask someone else.

Remember the Chinese Proverb;
"Give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime."

 

man, im making jokes! we are all good da_g
(that's what i mean by taking it personal)

http://www.bios-mods.com/forum/Thread-DELL-M18X-A03-BIOS-THROTTLE-REMOVAL-GTX580M-SLI

 

Maybe too much coffee this morning, then It happens!

I've been following the thread, but don't have an account there. Was hoping barcode could post and ask for methodology I don't want to ask myself as I haven't contributed there yet, and I don't want to seem rude barging in to ask for methodology. I looked at all the forums as closely as I could looking for an instructional guide, but don't see it anywhere there. I get the impression sharing isn't too encouraged

 

you would have to look over the whole forum for that guide...since they have been modding bios files for quite a long time...

they worked with me on my first insyde bios with no luck...but now...it seems that they have finally broken through.

but i can't test anything at the moment...i wanted to check it out for new over clocking features and if they have the bits you unlocked...unlocked as well.

side note:
wish it was like the old phoenix bios editor where you could run through the menu with having to flash a bios to see the new menu options.

 

I'm interested in writing a program nearly exactly like that eventually, major reason I want to know the "how" From what I learned so far there are enough magic signatures and offset pointers contained in the BIOS to disassemble entirely in a generic fashion, presenting the menu to you, and allowing even addition and removal of specific menu options, along with logo changing, option ROM swapping, etc. Much of the format is documented here, i've been studying that. What a dry read

BIOS Mods forum does have a tutorial section, but everything is geared towards educating a user how to install/use/recover from the modified BIOS, rather than how to modify the BIOS itself Bios Mods -The Best BIOS Update and Modification Source - Tutorials

 

wow Da G ... if you could produce something like that ... day-um !

 

I've written and released similar tools for Smartphone firmware, this is the last one I publicly released, but have developed a handful more tools that I used internally (never polished them up for public release). I also maintained detailed guides on firmware modification, I don't think anyone appreciates a locked down phone, who wants a locked down computer

Coming from the land of smartphone modification, BIOS modification is downright simple! There are no advanced security checks, encryption, checksumming, NX protection, etc. like on a smartphone. In fact InsydeH2O BIOS normally contains a checksum on the BIOS values, to enable automatic loading of setup defaults on a corrupt register. M18x BIOS didn't even have that, so no need to re-calculate the checksum. So refreshing

I love to be able to manipulate my hardware to it's fullest (even if that goes beyond design, intended usage, and even thermal and power limits) - if I want to explode my stuff, that's my right, even if the manufacturers don't want me to

 

i remember seeing you over there..back in my win mobile days..
off topic:
you get around the bootloader lock for the 4g evo yet?
on topic:
still waiting for someone with a 2920xm to test...

 

Haha, I don't have an EVO 4G unfortunately (AT&T for me)

Although, being released by HTC i'm sure it utilizes the same eMMC protection, we already know how to disable the lockbit on that, so it should work out just fine

I'm going to go flash the modded BIOS now, I expect it to function equally with regards to register modification as these setup menu options are what I read out in the first post to obtain the register locations, they should be changing the same values.

Will report back with anything different

 

Damn Da_G ... I just got rid of my Omnia Win Mobile phone for the GS2 ...

 

Thanks to the modified BIOS posted by Ahmed, I was able to identify the current limit register, marked it off in bios.hsl! See attached screenshot, i'm over 100W now Oh, current limit is set to CPU 840/IGP 839 in this screenshot, the register is divided by 8 to get the resulting current limit, 840/8 = 105A

Unfortunately the BIOS menu limits aren't lifted yet, so this type of mod is still required to go above the BIOS limitations, until SetupUtility is modified to lift the limits.

Current limit was definitely the thing holding us to 99W max (makes sense since 99W is also the BIOS limitation)



Uploading new bios.hsl to first post now!

 

told you it was that. nice find.
now can we use their menu with your updated bits?

 

The menu modifications don't change anything in the registers, so using bios.hsl is the same as without the menu modifications.

What I did was load up the modded BIOS, reset to defaults, make the changes I wanted to, then dumped it and raised the TDP/TDC values beyond the limits and flashed as per the method before.

 

DA G is any way you can upload your bios files just to flash without having to modify the registers in hex?

 

what i mean is.
1: using the menu bios with your bit mods.
2: then flashing it
3: then using the menu to change all the other stuff, since the main bits we wanted unlocked are now unlock.

is what i mean.
the best of both worlds...

 

@Speedy: There are device-specific infos like serial number etc. that may possibly get overwritten if you flashed my BIOS, so I would not recommend that. However if someone wanted to try, they could do a backup of their BIOS and attempt flashing mine, and report back, if it worked out ok then sure i'll post it. Whatever got overwritten would presumably be fixed by flashing back your backup.

@Johnksss: You can't do the register mods to the modded BIOS, as it is not a dump but a modded stock BIOS, so the registers are not present. You'll have to do the method I did, which is the same thing pretty much

 

got it, i was just trying to make it easier

 

The limits are contained within the same SetupUtility forms that Ahmed modified to unlock the menu options, so further modification should be able to lift the limits in there, negating the need for manually adjusting things.

Hopefully he shares his methods soon so I can do that

 

i guess we are about to find out. because mine is going in for rma as we speak.
but i think i used rw everything and all my serial information was the same.

 

Da_G: Does ThrottleStop show your turbo current limit correctly and after your bios mod, does ThrottleStop show this as locked or unlocked? If it was unlocked then in theory ThrottleStop would be able to adjust this on the fly or maybe use different values for each profile. I can't remember if I have added this functionality to ThrottleStop yet because it has always been locked.

I haven't seen the Intel documentation about this register so I am just going by what another user told me about this. Hopefully he got this right. I think he was testing a 2500K.

Nice work breaking through the 100W barrier.

 

considering he is using your software to verify things. going to have to say you indirectly helped unclewebb..
side note...i know if i use your software and lock all the bits...they will lock! that's for sure...haha

 

These new modded bios versions for the M18x have changed everything. I just want to make sure that ThrottleStop can do as much as possible. Being able to control your 2920XM from within Windows without having to reboot is a nice option to have.

 

@UncleWebb:

Yes, the beautiful and wonderful TS shows the modified current limit, that is what I used to verify It correctly reads 105A after modification. (It doesn't show the IGP Current Limit, but I imagine that works fine too.)

The bit still shows locked, there wasn't a toggle in the unlocked BIOS menu for that, and I haven't flipped any unknown bits yet, so that's expected. Over the next day or two i'll populate the rest of the Unknowns in bios.hsl using the modified BIOS with unlocked menu, maybe the lockbit for the current register will be apparent after that For now i'm quite satisfied as I can reach an arbitrary overclock via TDP/TDC/TurboFlexVID modification, thanks to TS and the BIOS mods

 

If we are talking the guy who unlocked the bios, I am pretty sure he has some insider's knowledge and prolly specialized tools to work with Insyde bioses (plus, good documentation what's what). Note one could do a lot only with the EzH20 tool if only one knows what and how to patch and has adequate patches.

In terms of compatibility nothing's been guaranteed. He just flipped the switch on several options making them available because they were there in the code. Well... 580m throttle hasn't been found so far and that's too bad.

 

can somebody pm me what i should change in my bios for my 2720qm?

too much stuff to change... got lost a few times...

 

@Da_G: If you ever find the current lock bit and get this register unlocked, let me know and I'll make sure you can control this with ThrottleStop.

warez420: The 2720QM is going to be a lot more limited in what you can do with it in the bios. Maximum power consumption and the turbo multipliers are hard locked by Intel at the factory. I think maximum long term power consumption is 48W compared to the factory default of 45W so even if you get this unlocked, you won't see the huge gains that the 2920XM is showing.

 

well 2920XM it is then... when i get a 4 pipe mod... lol

 

This is why we need some ppl from here with knowledge to go over to the bios mods forums and ask him the questions and work together with him. I can only do so much as my bios knowledge is crap.

You can do it i'll be happy to test it thats it

 

From testing, 128 seconds is the maximum value for short TDP time limit, any higher and the BIOS defaults back to 128.

Too bad we can't adjust Turbo Flex for each possible Turbo binning, at 1 core load I can hold 4.7ghz @ 25 turbo flex prime95 stable but that generates too much heat to be stable at the same current limit 4 core turbo max, have to drop the multi a bit from the max it can do to be prime stable.

Have my current limit set to 130A, this is a 33% overcurrent from the stock 97.5A, probably as high as I want to take it for fear of exploding the VRM circuitry or something

 

yeah, we did that...and got turned down flat. didn't ask thewiz though...but if the other guy is saying it's "underdevelopment and they can't share" chances are pretty good that that is website policy

 

johnksss, try not to annoy them, okay? I've seen your input on their board. Let 'em work. These guys do a lot of work for free for us and generally are extra helpful. Isn't that right? And no wonder they don't want to reveal their secrets. Do you know any magician who does that?

 

try not to annoy them? are you serious! i came in after the answer was no. think you need to read well before i started posting.

 

Thanks DA_G can you setup a donate button on your sig ? i am willing to donate for your great work now I can get the most of my system 4.2ghz is the absolutely max my cooling can handle with max temps of 90-91c running prime 95 i set the throttle temp to 95c and shutdown to 105c this laptop is a monster

 

yeah, looks like when im in riverside ill have to buy da_g a beer or a 10 dollar mixed drink!

man, i can't wait to get my machine back now.
30k vantage here i come!

 

nice Job Da_G unlocking the TDC that's going to skyrocket everything!

 

Da_G what register name is the amp limit under in your bios structure? I didn't see it?

 

Right between CPU_Turbo_Mode and ACPI_3_0_T_States:
UBYTE CPU_Turbo_Mode;
USHORT CPU_Current_Limit;
USHORT IGP_Current_Limit;
UBYTE ACPI_3_0_T_States;
Make sure you have the latest bios.hsl from post 1.

I'm done posting over there on the bios-mods forum as Ahmed's story changed from "I am not the one doing the modifications, and I respect the person who developed the method's choice of not sharing the method with anyone" to "The method was publicly posted years ago on a forum using the same python scripts you linked, but I didn't use those python scripts to do the modification".. so his reason for not helping me fell right through the floor and he still says I'm not welcome unless i want to help HIM. Such hypocrisy. Then he tells me he has full EFI documentation from Intel and dangles it in front of my face like a carrot.

You' think a site called bios-mods would be a little more friendly about modifying a BIOS, but I guess when you threaten their ability to harvest donations from posting the end results without educating anyone as to the method so they could do it themselves..

 

HI DA_G ,

Ithink its time to reply to you here , i was watching this thread from along time and saw all replies and didnt want to reply............but now i will figure out some things to make you understand .

1 ) i said that ` I HAVE MADE THE UNLOCKED BIOS AND I`M NOT AUTHORIZED TO SHARE THE METHOD ............THIS MEANS I HAVE LEARNED THE METHOD FROM THE ONE WHO DISCOVERED IT AND THIS ONE DECIDED NOT TO SHARE THIS METHOD WITH OTHERS AND TOLD ME TO KEEP IT SECRET .
2 ) i think that any one should keep his promise................I RESPECT THE ONE WHO LEARNED ME THE METHOD AND RESPECT HIS OWN DECISION NOT TO SHARE THIS METHOD...............AND I KEPT MY PROMISE BY NOT SHARING IT .
3 ) You posted a link to an old method ( discovered from couple of years in MDY forum ) and thought that i`m using this method and wouldn`t share it while its already shared in other forums.......................YOU MISUNDERSTOOD THIS...........I TOLD YOU I DIDN`T USE ANYPYTHON SCIPTS FOR THIS..........ONLY DECOMPRESS AND EDIT IN IDA AND HEX EDIT .
5 ) IF YOU ALREADY KNEW THE METHOD FROM THE LINKS YOU POSTED AND FROM INTEL HII ...............WHY YOU SUDDENLY JUMPED INTO THE THREAD ASKING FOR THE METHOD !!
6 ) IF ANY ONE READ MY FINAL POST TO YOU , HE WILL FIND ME SAYING THAT I HAVE THE FULL UEFI DOCUMENTATION AND YOU CAN DOWNLOAD IT EASILY ( I NEVER SAID THAT I WILL NOT POST LINK OR ANY THING LIKE THAT AS YOU WILL EASILY FIND IT FULL LIKE I FOUND IT )
7 ) YOU JUMPED INTO THE THREAD ASKING FOR THE METHOD AND I SAID I CAN`T SHARE IT AND TOLD YOU THE PREVIOUS REASONS AND TOLD YOU THAT THIS METHOD IS DIFFERENT FROM THE ONE IN THE LINK YOU POSTED...........SO , WHY YOU KEPT WRITING MORE REPLIES WHICH ASKING FOR WHY NOT SHARING ......etc WHICH ANY ONE CAN FEEL THE KIND OF THESE COMMENTS ARE ANNOYING .
8 ) You used my modified bios and unlocked more registers using it and i knew this from the start and never asked you for donation ( as you said we are harvesting donations )........do you knew that i`m the PHOENIX section moderator , i have modified alot of bioses there which all was fully unlocked and never get any donations there....... and alot of people say they will donate and get their mod then don`t donate and i never asked him for donation..............you can contact any one in PHOENIX section ask him if i received moeny from any one in PHOENIX section .
9 ) i told you i can share anything else with you except the unlocking method............then gave you information about the EC GLITCH then you were back posting about the unlocking method!!
10 ) if you check this thread , you will find that i learned modding by sharing the info.
trying to modify acer 5536G bios

and if you checked this , you will find us sharing advanced information
Sony VAIO VGN-FE44S, FE45G, FE45T, FE47S, FE48G BIOS MOD (Post #8)

there are alot of threads which prove this and this is for example .
so , why i didn`t say there unlocking method is secret and donate then i will unlock it !!!!!!!

ONLY THIS METHOD CAN`T BE SHARED NOW AND ANY OTHER INFO. CAN BE SHARED...........I TOLD YOU THIS IN THE THREAD BUT YOU KEPT ASKING AGAIN FOR THE METHOD AND POSTING REPLIES ABOUT IT.........SO DON`T BLAME ME FOR ANYTHING AND I NEVER TOLD YOU WHY YOU USED MY UNLOCKED BIOS FOR UNLOCKING MORE REGISTERS AND NEVER ASKED ANY ONE FOR DONATION............IN MOST OF THREADS , NO BODY DONATE AND I UNLOCK THE BIOS WITH NO PROBLEMS .
BESURE FROM WHAT YOU ARE TALKING ABOUT BEFORE POSTING PLEASE .
ALSO NO NEED FOR PLAYING FOR TRAGEDY HERE...............I CAN`T BRICK MY PROMISE AND TELL YOU THE METHOD..........ANY ONE CAN READ ALL REPLIES AND ALL THE THREAD HERE
http://www.bios-mods.com/forum/Thread-DELL-M18X-A03-BIOS-THROTTLE-REMOVAL-GTX580M-SLI

 

Please don't use all caps, common netiquette defines that as yelling. There's no cause to yell at me constantly. It's hard to remain polite when you are constantly being yelled at.

To address your post,

1.) Quoting your post, you said "infacy I'm not the one who unlocked insyde bioses here in the forum and I'm not authorized to share any information about this method" - then I replied asking if I could speak to the one who did do the unlocking, which was ignored. Then later you change the story to you are the one who did the unlocking..

2.) Sure, I respect that, I did not ask you any further about the method once you stated that. Only stated that I don't agree with that choice, and asked if I could speak to the person who did develop the method.

3.) I saw what you did by disassembling the SetupUtility. I didn't say you used python scripts anywhere, I only said that you could have easily linked me there to help me understand the method. That method being changing the EFI OpCodes to un-hide things, which is what you did.

4.) You skipped one!

5.) I did not already know the method when I asked, or I wouldn't have asked. I learned it after you told me you wouldn't help. What makes you think I knew it before asking?

6.) Your phraseology implies that you have more than is publicly available. Perhaps I misunderstood that. Your english is a little hard to understand, I apologize if I misunderstood.

7.) Why do you keep thinking that I was trying to force you to share the information? I stated multiple times that I respect that decision. I only stated that I don't agree with it. It's an opinion, I am fully capable of learning it on my own and in fact went on to do that.

8.) I did not unlock more registers using the modified BIOS, I simply used it as an easier method of determining offsets in VSS rather than through disassembly. I say that you are harvesting donations as you are actively trying to prevent others from contributing towards the common goal of BIOS modifications instead of fostering an active development community. At least, that is the impression i'm getting from you. Maybe it's incorrect, prove me wrong?

9.) Again I did not ask for further information about the unlocking method once you said you didn't want to share it. I only stated that I did not agree with you hiding the information, which I don't. I think it is counter-productive to the common goal. I then posted my own contribution towards identifying the EC (photos of the system board) and offered further help.

10.) I see you did share some information here and in the other post.

Again you say that I kept asking for the method. I asked one time, then from your reply I thought you didn't understand, so in next post I clarified with a more detailed reply. Then I asked if I could speak with the person who discovered the method. I did not ask for any further explanations.

Anyway, I am not in any way trying to play a tragedy, I simply want to contribute to development and got stonewalled. Once I determined that there would be no help from your end of things, I asked for my account to be deleted so I could leave that effort in the past. It still didn't get deleted, only banned, I would appreciate if you could delete it, thanks.

I really don't understand the amount of drama here, we are talking about modification of a BIOS here. Why does drama have to be involved? I hate drama. I'm only interested in the sharing of information. That's why I requested my account to be deleted. The hacking community always seems to attract drama like this, why? Can't we just discuss the technical aspect and leave this behind?

Anyway, right now I am determining the offset of the IFR Package by doing a simple memory search for the $IFRPKG magic:

Code:

#define IFR_PACKAGE_SIG	"$IFRPKG"	// marks the beginning of Internal Forms Representation Package
#define IFR_PACKAGE_SIG_SIZE	7
HRESULT _setuputility::DumpStringTable(_File& fdfile, HRESULT* hr)
{
	UCHAR* ifrpkg = nullptr;
	ifrpkg = MemSearch(fdfile.Base(), fdfile.Size().QuadPart, IFR_PACKAGE_SIG, IFR_PACKAGE_SIG_SIZE);
	if (ifrpkg == NULL) return E_SIGNOFND;
	return S_OK;
}

Are you aware of a pointer here that can be utilized instead of a search?

 

looks like i have the original a00 bios now. which will be under nda. lol

 

I don`t want to make problems here , i knew you may misunderstood somethings as my english is not good .........also , i wasn`t yelling i just think that caps will attract attention to the words .............. i appologize if you think i was yelling here .

i will only reply to special things :-

1 ) you misunderstood me and thought i haven`t unlocked the bios.............i mean i have learned the method and promised to keep it secret then unlocked the 18x bios .
2 ) person who discovered the method replied to the thread and has the same opinion as me .
3 ) as i was watching this thread from long time and saw you doing alot of advanced work here , i thought you already knew the method in MDY as it was posted from couple of years ( most bios modders are searching this forum and found this method from years but it unlocked options using opcodes not menus...)
4 ) this is my fault
5 @ 6 @ 7 ) ok , you understand my situation now that i can`t brick my promise and share the method .

8 ) i already proved that as i showed you some threads where we share advanced information for any one and i can show you more examples .............. in the thread i told you about the EC FW and told you that you are welcome if you want to modify it with us.........not told you that i will not share info. about the EC too.............................OR you want me to prove you are wrong by bricking my promise!!!!!!
9 ) thank you for these pics which greatly helped us ............. also i didn`t ignore your questions about the EC FW glitch and can send you more if you want .

when anyone read your replies in the thread at bios-mods , he will feel like you are trying to make me brick my promise and tell you the method.......this is what really annoyed me and made me angry.

anyway , i will help you in developing your work with out bricking my promise .........i hope you understand my situation .

 

probably would have been easier if you just said.
"i was told by the person teaching me not to explain this method. i hope you understand" <--this would have went over allot smoother than you stating nda and "annoy me"
vs
all that nda stuff and this and that. (don't take this wrong) but adding modded slic's to bios is not nda approved.
that's why i said what i said. (i apologize for that)

 

OK, great. I think we are reaching an understanding here. Only some misunderstanding between us, I hope we can work past that. I respect your promise to the developer and understand. I have a differing opinion but it is only that, an opinion, and does not mean I don't respect the decision.

I don't want to cause problems either, only make this very technical and advanced process more easily reachable by those with an EFI based BIOS like Insyde.

I am not currently working towards modification of the EC firmware, I lack the proper knowledge to accomplish this successfully at this time. Right now I am working towards understanding the overall structure of InsydeH2O BIOS and creating an application that will automate dumping, rebuilding, and modification of it without requiring advanced knowledge. Similar to AndyP's tool found here, except instead of targetting SLIC replacement, focused on modification of registers, menu items, etc.

Right now the general workflow of the app is to uncompress all firmware volumes, dump the filesystem, locate setuputility.pe, dump the string table, look for $VSS section, dump the various packages out. Look for VSS_Setup package and using string table located in SetupUtility.pe, map registers to menu options and values. After modification the process would be reversed, rebuilding the LZMA firmware volumes from modified filesystem, rebuilding final BIOS, performing a sanity check to verify modifications went OK. This way two approaches can be utilized, one being the manipulation of OpCodes in SetupUtility.pe to enable hidden menu options and lift limits, and another approach to directly modify register contents in VSS Setup. I think both approaches are required as I have identified some registers which are not directly referenced by SetupUtility string table such as one i marked Use_BIOS_Defined_Multipliers - this register is not referenced in string table but if set to FALSE, BIOS ignores multiplier settings and uses fused values from CPU.

I think developer psyq321 was working on an similar application to this, but I didn't see it released, see his screenshot here:



I will send him a PM asking about it.

 

i don`t add slic`s .............. just check the phoenix section and you will find us unlocking menus and options and sometimes adding option roms........................and you can try searching for unlocking phoenix menus and options then you will find it rare ...... and we share it as the one who learned me this didn`t tell me to keep it secret .

and sorry for my bad english but i think it was clear that i unlocked the bios and learned the method not discovered it .

 

DA_G , nice we can work together now in developing your new tool .
but first we need to modify the EC FW first to remove throttle then start developing the new tool
i will send you information about the EC FW tonight and post it here or send it in PM .
MUMAK said that this will not be an easy task and needs alot of time and effort.
i hope we can fix this together