Dell T3500 bios microcode mod writeup

Dell abandoned T3500 with bios update A17 relased in 07 Jun 2013. The following guide could be used for T5500 and T7500 (as they are the same non-UEFI Phoenix bios) too but they received Spectre fixing microcode bios updates.

This information is gathered from numerous sources helping with little steps but as far as I know no-one has compiled it into a working solution that I present here.

The first problem is - how to get the BIOS file. For that download the official update binary:
https://www.dell.com/support/home/us/en/…?driverid=cn9vg

For research 2 commands were needed:
.\T3500A17.exe -writehdrfile
.\T3500A17.exe -writeromfile

This produces 2 files:
T3500A17.hdr
T3500A17.rom

On the T3500 running Universal BIOS Backup ToolKit 2.0 one can dump the bios and comparing that to T3500A17.rom one can see that the update rom image contains 0xFF until offset 0x10000. And then the next difference is at the end of the rom where 0xFF is replace by the machine serial in the real bios dump.

This is good news, this means that the bios update is basically just overwriting most of the flash chip and there are no strange region based updates like some bios updates are performing.

From this point forward we are only working on the update rom/hdr, the bios backup was just needed to see how the format for the file is.

As the .rom file is padded 0xFF until offset 0x10000 one can remove it for further analysis and come to the conclusion that the .hdr file contains the full .rom file (starting from 0x10000) at offset 0x54 until 0x1F0053.

We have just found how the original dumped rom is in relation to the update rom and this in relation to the hdr. This allowes us to use the .hdr file as a working point.

Where is the microcode? When using MCE.exe to open the file it finds no microcode. But it surely must be in the bios. Is it compressed? Is it encrypted?

Well for this the hint was a forum post about a Dell laptop - it turns out Dell is using the microcode with removing the Main header until offset 0x30.

Much help was from this documentation https://github.com/platomav/MCExtractor/…cumented-Header that describes the extra header.

All cpus inside a generation use the same RSA public key, so let’s search for that! As anyone using the T3500 in 2020 you should be using the 32nm Xeon CPUs with 206C2 cpuid.

Dowloading the latest 206C2 microcode from https://github.com/platomav/CPUMicrocode…RD_77DADA73.bin and using the RSA key from there at offset 0xB0-0x1AF and searching it inside the .hdr file it MATCHES:


Remember the removed main header, well if you look at the picture you can see that this is microcode for 206c2 from 2009-08-25 described in the extra header. Well this is interesting.
But how is it used? if you start now looking backwards for 0x00 in a row that are in the extra header in the intel microcodes you finally reach offset 0x93820.



This is the first microcode in the bios and as one can see from the extra header it is for CPUID 106a2 from 2008-07-14.

The next big hint came from phoenixtool273. When one opens the .hdr file with it an let’s it open the file and in the log it will show internal Phoenix bios modules and offsets. We are looking for something that is near 0x93820.

And in the log file one can find:
93774 Module 14 Size 125072

Going to to that offset we can find this content that I reformated for clearer view:



This looks nice. As it is short I will copy it here

90 E8 01 00 14 (size 125072 is hex 1E890, and then module number 14)
07 00
A5 06 01 00 20 54 00 00 30 44 4C 4E 03 00 00 00 (CPUID 106a5)
A4 06 01 00 50 2C 00 00 30 43 4C 4E 01 00 00 00 (CPUID 106a4)
A4 06 01 00 F0 73 00 00 31 43 4C 4E 02 00 00 00 (CPUID 106a4)
A2 06 01 00 80 00 00 00 30 42 4C 4E 03 00 00 00 (CPUID 106a2)
C0 06 02 00 C0 97 00 00 30 41 4D 57 13 00 00 00 (CPUID 206c0)
C1 06 02 00 90 B7 00 00 30 42 4D 57 03 00 00 00 (CPUID 206c1)
C2 06 02 00 60 CF 00 00 31 42 4D 57 03 00 00 00 (CPUID 206c2)
8D A4 24 00 00 00 00 8D A4 24 00 00 00 00 (padding)


And the heureka moment was looking at what comes after the 3 bytes of cpuid and 0x00. As the first microcode after the bios module header is 106a2.
A2 06 01 00 80 00… CPUID 106A2 and 0x80 is exactly the offset from from 0x93779 where content is 07 00 (that itself is most likely reference to there being 7 entries in the table).
This gives us exact information on where the 7 included microcodes are located in the module:
106A5 ‭93779‬+5420=98B99
106A4 ‭93779‬+2C50=963C9
106A4 ‭93779‬+73F0=9AB69
106A2 ‭93779‬+0080=937F9
206C0‭ 93779‬+97C0=9CF39
206C1 ‭93779‬+B790=9EF09
206C2 ‭93779‬+CF60=A06D9

Here is the same information but sorted by order in the file:
106A2 ‭93779‬+0080=937F9
106A4 ‭93779‬+2C50=963C9
106A5 ‭93779‬+5420=98B99
106A4 ‭93779‬+73F0=9AB69
206C0‭ 93779‬+97C0=9CF39
206C1 ‭93779‬+B790=9EF09
206C2 ‭93779‬+CF60=A06D9

This is all information needed for someone to do a full update of the microcodes, but I am interested only in 206C2 and it’s the last one. But the module is MUCH larger than the last entry of the module header. Let’s see what comes AFTER the last described microcode and search again for the microcode extra header information.

Well it turns out Dell included quite a lot of microcodes in the bios that are not referenced by the microcode module header and not even available for socket 1366:
Here are all the microcodes that come AFTER 206C2 (so not referenced by the bios microcode module header as 206C2 is the last one in the list):
6f9 2006-10-12
6fb 2007-03-13
10671 2007-03-29
10674 2007-06-08
10676 2008-01-19
10677 2008-04-27
1067A 2008-04-08
6fb 2007-07-12

There is AMPLE space to do whatever we like with the microcode module. All those micocodes are just dead space in the bios - they are not referenced by the microcode module header and just taking up space.

Why am I talking about space, well 206C2 microcode size has changed like this:
║ CPUID │ PLATFORM │ VERSION │ YYYYMMDD │ SIZE ║
║ 000206C2 │ 00000003 │ 0000001F │ 20180508 │ 00002C00 ║
║ 000206C2 │ 00000003 │ 0000001E │ 20180123 │ 00002800 ║
║ 000206C2 │ 00000003 │ 0000001D │ 20150804 │ 00002400 ║
║ 000206C2 │ 00000003 │ 0000001C │ 20150627 │ 00002400 ║
║ 000206C2 │ 00000003 │ 0000001A │ 20130617 │ 00002400 ║
║ 000206C2 │ 00000003 │ 00000015 │ 20110826 │ 00002000 ║
║ 000206C2 │ 00000003 │ 00000014 │ 20110311 │ 00001C00 ║
║ 000206C2 │ 00000003 │ 00000013 │ 20100907 │ 00001C00 ║
║ 000206C2 │ 00000003 │ 00000010 │ 20100825 │ 00001C00 ║

The version included in the bios is 10 and size 0x1C000 bytes but the latest is 0x2C00 bytes in size. But as there are 8 unused microcodes after the last referenced microcode in the bios module we can just overwrite the unused microcodes as much as we like.

Here comes the mod. Take the latest 206C2 microcode, remove 30 bytes main header and just insert it into offset 0xA06D9. You will overwrite 6f9 and 6fb microcodes in the module but no worres.

How to write the modded .hdr back.

Well there of course is a checkum in there. When one compares the .rom and .hdr one can see that something comes after the rom in hdr, and that is the cheksum!
At offset 0x1F0054 there is an “inverted” CRC32.

Remember what I mentioned earlier: As the .rom file is padded 0xFF until offset 0x10000 one can remove it for further analysis and come to the conclusion that the .hdr file contains the full .rom file (starting from 0x10000) at offset 0x54 until 0x1F0053.

Let’s see how the original .hdr file compares, let’s select block from 0x54-0x1F0053 and calculate CRC:

Now let’s open calculator and do FFFFFF-D9E28D6=F261D729
Bingo, we just found how the .hdr file verifes that the rom file is correct.

And the last step is - how to write the .hdr file back? Well Dell has a tool for automated BIOS update executable creation that uses .hdr as input named “Dell Client Configuration Utility”:
https://www.dell.com/support/home/us/en/…id=k33tk&lwp=rt

There are all the steps described how to modify the included microcodes, fix the checksum and write the .hdr file to the flash on the motherboard.

In the end when all the steps are performed latest microcode is loaded at poweron and BIOS information shows it:

Just want to say THANK YOU, and it is a pity that your post doesn’t have any other comments on it. This was the missing piece that enabled me to verify and substitute the CPU microcode in the BIOS for my Dell Precision T7500. In fact, it was more than the missing piece, it was almost a complete step-by-step. Granted, I spent the previous several days learning the ins-and-outs of OEM BIOS decomposition and modification, but still couldn’t have finished the task without you. Bravo!

Too bad I ultimately learned that the Xeon WS3690 I bought and was trying to install is fundamentally incompatible with the 5520 chipset the T7500 motherboard contains! According to a rumor on another thread, it has to do with the number of QPI channels in the chipset.

Just wanted to weigh in with another thank you for all of your work documenting this. It’s great to have these additional options with the T3500.