How to refresh a Dell laptop to a lower version of BIOS

[Preface statement] The content of this article is essentially irrelevant to technology and has no technical content. It should not be placed on a technical blog. However, in order to allow more people to find this article through the search engine, I posted this article on my technical blog.

In the past two days, I have been tossing a DELL notebook (its model is vostro 2420). For some reason, I upgraded the laptop BIOS to a07, however, I want to downgrade the BIOS back to the earlier version and find that it is not feasible, the software I used at the beginning cannot be restored to the BIOS backup file (because I tried to fix it as soon as possible during the upgrade, so I did not take a closer look, probably becauseProgramDoes not apply to the motherboard model of this notebook )! I tried various BIOS software and methods on the Internet (including afudos.exe under DOS), all of which caused me a lot of frustration and frustration.

I first checked that the BIOS version of another computer of the same model is A03, So I downloaded the A03 BIOS update program (2420a03. if you want to update the bios, the system prompts "you are about to flash your BIOS to an older BIOS version. dell does not recommend flashing your BIOS to an older version. press OK button to exit. "When you click" OK ", the program will exit, making people quite angry with this. Dell, what are your own claims for this program? Why are users prohibited from downgrading the BIOS?

After I tried all the methods and reported failure, it seems that all the online tools are not powerful at this time (probably because the laptop model is relatively new, so that all the online tools are not applicable ), I have to consider the most reliable and secure way to use the BIOS update program on the Dell official website to refresh it back (because the official website can explicitly download BIOS updates that match the machine model ). Obviously, because my BIOS version has been updated to a07, I want to refresh A03 with a lower version, I know that when this program is executed, it will bring up the desperate prompt and exit. So the only idea at this time is to modify this program! Find the MessageBoxCodeThen reverse his logic! This is my last life-saving straw and the only hope. If I still fail, I have to accept this depressing reality (that is, I will use it ), but the last life-saving straw will save me from the crisis.

So we started the project. Start Ida, open the 2420a03.exe program, and wait for IDA to complete the analysis. Good news to me is that this program does not have any encryption or self-protection. Obviously, it is a program written directly (it has never been considered to prevent someone from modifying it and taking protective measures), and I checked the resources of this program, it seems that there are some dialogs, as if this program is a "encapsulation" of the aluwingui program, because it contains some marks of the aluwingui program, such as the dialog box. However, when I run the aluwingui program downloaded from the Internet, it is always in a dead state, so I cannot focus on the program 2420a03.exe.

The code that pops up this MessageBox is very easy to locate, because the text content of this MessageBox is in plain text. RDATA, it is very easy to locate the position of the MessageBox code popped up, find them, continue to track the key nodes of the program jump forward, and soon find the location (. text) Address 00466e21, the Code is as follows:

 1 . Text: 00466e00  2 . Text:  00466e00   Loc_466e00:                               ;  Code xref: sub_466d40 + 9fj  3 . Text:  00466e00                                           ;  Sub_466d40 + b7j  4 . Text:  00466e00                   Push Offset awarning_4 ;  "Warning"  5 . Text:  00466e05                   Lea  Eax, [EBP + caption]  6 . Text:  00466e0b                   Push Eax ;  Lpstr  7 . Text: 00466e0c                   Call      DS:  Wsprintfa  8 . Text:  00466e12                   Add ESP, 8  9 . Text:  00466e15                   MoV  ECX, [EBP + var_10c]  10 . Text: 00466e1b                   CMP  ECX, [EBP + var_214]  11 . Text:  00466e21                   JNBLoc_466ef0;[Important] command to be modified!  12 . Text:  00466e27                   Movzx  EdX, word_5072f8 13 . Text:  00466e2e                   And  EdX, 80 h  14 . Text:  00466e34                   JZ  Short loc_466e93  15 . Text:  00466e36                   Push Offset awarning_5 ; "Warning !! "  16 . Text:  00466e3b                   Lea  Eax, [EBP + caption]  17 . Text:  00466e41                   Push Eax ;  Lpstr  18 . Text:  00466e42                  Call      DS:  Wsprintfa  19 . Text:  00466e48                   Add ESP, 8  20 . Text:  00466e4b                   Push Offset ayouareabouttof ;  "You are about to flash your BIOS to "...  21 .Text:  00466e50                   Lea  ECX, [EBP + TEXT]  22 . Text:  00466e56                   Push ECX ;  Lpstr  23 . Text:  00466e57                   Call      DS:  Wsprintfa 24 . Text:  00466e5d                   Add ESP, 8  25 . Text:  00466e60                   Push 31 H ;  Utype  26 . Text:  00466e62                   Lea EdX, [EBP + caption]  27 . Text:  00466e68                   Push EdX ;  Lpcaption  28 . Text:  00466e69                   Lea  Eax, [EBP + TEXT]  29 . Text:  00466e6f                  Push Eax ;  Lptext  30 . Text:  00466e70                   Push      0                 ;  Hwnd  31 . Text:  00466e72                   Call      DS:  Messageboxa 32 . Text:  00466e78                   CMP Eax, 1  33 . Text:  00466e7b                   Jnz Short loc_466e87

Look at this function and find 11th lines of code:"JNB loc_466ef0"Is the key pivot. If var_10c <var_204, it will pop up the MessageBox we saw last time; otherwise, it will jump to the nearby00466ef0Position to brush the BIOS normally. So here, you only need to change JNB to JB, and the program will run completely in reverse logic (the BIOS version is being refreshed as the master version ).

To modify the assembly code, you also need to refer to Intel's official documentation: 64 Ia 32 ubuntures software developer manual 325462. This document provides instructions on how to modify commands.

Display in IDAJNB loc_466ef0The command corresponds to six Bytes:"0f 83 C9 00 00 00", We can see from the introduction of this document that the first two bytes"0f 83"Is the opcode of JNB, followed by four bytes"C9 00 00 00"Indicates that the address offset is0xc9(201) bytes (I .e:If not below, then EIP = EIP + 0xc9).

The next step is to modify this jump command. There are multiple methods (the operands in the following operation code are relative values, that is, offset ):

(1) Change JNB to JB (operation code:0f 82). Only the version to be updated is earlier than the current version.

(2) Change JNB to jnz (operation code:0f 85). If the version to be updated is different from the current version, click it.

(3) Change JNB to JMP (operation code:E9). Brush unconditionally. (Because the JMP operation code has only one byte, you need to add a NOP). You may need to modify a jump with the same version. I didn't take it into detail.

Here I use (1 ). Open the EXE in a hexadecimal Editor, such as ultraedit. The logical address in IDA is the logical address in the process space, and the imagebase is removed as the file address. The default imagebase of EXE is00400000, So00466e21Converting to file address is00066e21, Jump00066e20In this row, set the 6 bytes starting from the second byte (0f 83 C9 00 00 00) (0f 82 C9 00 00 00In fact, we only modified one byte (the file address is00066e22The byte0x83Change0x82In this way, the original JNB command becomes a JB command.

After the modification, run the modified exe program. If the annoying MessageBox does not appear as expected, it prompts that the system is shutting down (hopefully !), Then the system restarts automatically. The exciting time is now. Finally, we can see the prompt that the BIOS is being refreshed (as shown in), about 1 ~ 2 minutes later, the BIOS is refreshed. after entering the bios again, the system simply checks the version information and returns to A03. Everything is normal !!!

now, the BIOS of the earlier version is restored. If you want to brush the BIOS of another version, I guess it is similar here. If you are not allowed to brush this version, you can modify this file. Fortunately, these BIOS upgrade programs do not set any obstacles to such modifications, so as long as you have a little compilation knowledge, you can easily modify this logic with tools. Finally, let's talk about this unreasonable logic of Dell. The freedom should be decided by the user! At the same time, we all know that BIOS flushing is described as a risky thing. I should be cautious in my personal opinion. If not necessary (for example, to activate a Windows 7 7 or later System) if you are successful, try not to brush the BIOS. Finally, let's talk about how to activate win7. Currently, almost all soft-cracking methods and keys circulating on the Internet have all become invalid, leaving only the last path, start with the BIOS (that is, whether it is software or hard-brush bios, so that the BIOS has SLIC 2.1), simulate the products of large notebook OEMs, so that Windows can only allow, despite the large number of "pirated" users activated by such means, Windows authentication technology is insufficient to recognize because they are mixed in a large number of genuine OEM products, therefore, such "piracy" is almost certainly safe. Finally, I would like to mention that Windows loader v2.1.6 is the only effective win7 activation tool. I would like to thank the author of this software for the benefit of Windows users.