decompressing/de-obfuscating Dell Optiplex BIOSes \ VOGONS

decompressing/de-obfuscating Dell Optiplex BIOSes

Topic actions

First post, by sander

Posted on 2024-10-01, 09:48

sander Offline

Rank Newbie

Rank: Newbie
Posts: 44
Joined: 2021-04-01, 13:57
Location: Netherlands

While looking at some VLSI VL82C483 bios dumps I stumbled upon the Dell OptiPlex 486 MTE motherboard. Within the uncompressed DELL update executable there is a bios image which is exactly 131.072 bytes (For example. 4xxLeA08.exe). As I don't own one of these machines I'm unsure if the bios is uncompressed on boot (is this even possible when the video ROM is compressed as well?) or if this image is written to ROM and is unpacked and written to ROM in a second stage update.

[EDIT]I should have mentioned that although the 'uncompressed' ROM is 131.072 bytes, the data in there is obviously compressed. There is a little section where I found the decompression routine, but to me it currently looks like that's part of the firmware update procedure.[/EDIT]

As I've reverse-engineered the decompression routine (which was cumbersome to find) I'm posting it here for archiving purposes:

1/*
2This routine was reverse-engineered from a compressed Dell Optiplex ROM
3and is released for public domain.
4
5It's used for older style Dell (Optiplex?) ROMs as a second stage?
6decompression / deobfuscation routine. This routine is used for at least
7the following systems:
8
9OptiPlex GN Plus
10OptiPlex N
11OptiPlex GL Plus
12OptiPlex GM Plus
13OptiPlex GMT Plus
14OptiPlex GXL
15OptiPlex GXM
16OptiPlex GXMT
17OptiPlex G1
18OptiPlex 486 LE
19OptiPlex 486 MTE
20OptiPlex 486 MXE
21
22This is a quick and dirty implementation, it will possibly crash. 
23Who needs bounds checking..? 
24
25Note. this only runs on little endian machines (x86). 
26
27*/
28#define _CRT_SECURE_NO_DEPRECATE
29
30#include <stdint.h>
31#include <stdio.h>
32#include <stdlib.h>
33#include <string.h>
34
35int decompress_rom_block(const uint8_t *src, uint8_t *dst, int blk)
36{
37    uint16_t seg_size = 0;
38    const uint8_t *src_end, *src_p = src, *dst_p = dst;
39
40    for (int i = 0; i < blk; i++) {
41        seg_size = *(uint16_t*)src_p;
42        src_p += 2;
43
44        if (i + 1 != blk) {
45            src_p += seg_size;
46        }
47    }
48    src_end = src_p + seg_size;
49
50    while (src_p < src_end) {
51        uint16_t blkofs;
52        uint8_t blksize, instr = *(src_p++);
53
54        if (instr & 0xf)
55        {
56            blksize = (instr & 0xf) + 1;
57            blkofs = (((uint16_t)instr << 4) & 0xff00) | *(src_p++);
58            memcpy(dst_p, dst_p - blkofs - 1, blksize);
59            dst_p += blksize;
60        }

…Show last 52 lines

61        else
62        {
63            blksize = (instr >> 4) + 1;
64            memcpy(dst_p, src_p, blksize);
65            dst_p += blksize;
66            src_p += blksize;
67        }
68    }
69    return dst_p - dst;
70}
71
72int main(int argc, char *argv[])
73{
74    FILE* f;
75    
76    if (argc != 4)
77    {
78        printf("Usage: %s inputfile outputfile blocknr\n", argv[0]);
79        exit(1);
80    }
81
82    f = fopen(argv[1], "rb");
83    if (!f) {
84        return -1;
85    }
86    fseek(f, 0, SEEK_END);
87    long fsize = ftell(f);
88    fseek(f, 0, SEEK_SET);
89
90    uint8_t* src = (uint8_t * ) malloc(fsize);
91    if (src != NULL) {
92        fread(src, fsize, 1, f);
93    }
94    fclose(f);
95
96    uint8_t* dst = (uint8_t * )malloc(32768);
97    if (dst != NULL) {
98        int sz = decompress_rom_block(src, dst, atoi(argv[3]));
99
100        f = fopen(argv[2], "wb");
101        if (f) {
102            fwrite(dst, 1, sz, f);
103            fclose(f);
104        }
105    }
106
107    free(dst);
108    free(src);
109
110    return 0;
111}

Original listing:

1decompress_rom_block proc near
2                cld
3
4loc_F49F3:
5                mov     ax, si
6                shr     ax, 4
7                mov     dx, ds
8                add     dx, ax
9                mov     ds, dx
10                and     si, 0Fh
11                lodsw
12                mov     dx, ax
13                dec     bl
14                jz      short loc_F4A0C
15                add     si, dx
16                jmp     short loc_F49F3
17
18loc_F4A0C:
19                add     dx, si
20                sub     ch, ch
21
22loc_F4A10:
23                cmp     si, dx
24                jnb     short locret_F4A3F
25                lodsb
26                test    al, 0Fh
27                jnz     short loc_F4A24
28                shr     al, 4
29                mov     cl, al
30                inc     cl
31                rep movsb
32                jmp     short loc_F4A10
33
34loc_F4A24:
35                mov     cl, al
36                and     cl, 0Fh
37                inc     cl
38                sub     ah, ah
39                shl     ax, 4
40                lodsb
41                mov     bx, si
42                mov     si, di
43                sub     si, ax
44                dec     si
45                rep movs byte ptr es:[di], byte ptr es:[si]
46                mov     si, bx
47                jmp     short loc_F4A10
48
49locret_F4A3F:
50                retn
51decompress_rom_block endp

Go to top of page Go to top of page

Back to General Old Hardware