Remove Dell T20 / 7020 / T1700 BIOS Write-Protection

Hi,

I’m not sure, if this method will work for all Dell PCs out there. But atleast it does for mine. I have the Dell T20, which also shares “exactly” the same motherboard as the OptiPlex 7020 and the Precision Workstation T1700 (I’ve even crossflashed my T20 to T1700, but that’s another topic). On these mainboards, there is a jumper called “PSWD” and a header called “SERVICE_MODE”. With the PSWD jumper set (default), the BIOS is tightly locked down. Removing the PSWD jumper loosens these locks and you (probably) should be able to write. Using that jumper and setting SERVICE_MODE loosens even more locks. Using this method, I was able to trick the T1700 BIOS Flash EXE using a Debugger (OllyDbg) and flash it onto my T20.

Flashing on a Dell works like this: DOS / Windows EXE writes BIOS to somewhere (RAM? SPI_2? Sorry, I don’t know where exactly) and sets a CMOS value, so your Dell knows an update is waiting and boots into BIOS Updater (integrated into BIOS) upon next reboot. It reads in from “somewhere”, verifies the update and either flashes or doesn’t. With PSWD jumper set (default), the BIOS Updater will fail with an error message, if you have a non-matching BIOS (e.g. T20 <-> T1700). If you remove PSWD jumper, the BIOS Updater will gladly flash your non-matching BIOS. As the T1700 BIOS is also signed by Dell, I’m not sure, if removing the PSWD jumper will be enough to allow flashing modified or unsigned BIOSes. But I’m pretty sure, setting the SERVICE_MODE jumper will allow it (as it has been done by another user).

Even with write-protection disabled, the problem remains: how do we get the BIOS Updater to take our modified BIOS? One way to do this could be: modify Dell BIOS EXE. There is a tool on GitHub, which could help us to figure out a way to swap non-modified and modified BIOS in EXEs: https://github.com/theopolis/uefi-firmwa…_extract_hdr.py.

Another way could be using Intel FPT and completely bypassing the BIOS Updater. However, as this is not the “default” Dell updating process and there are several BIOS chips (SPI_1, SPI_2 and SPI_3) on the mainboard, I’m not sure, if this might brick your mainboard. Would be awesome, if someone with a similar Dell + external programmer (just in case) could check this out.

Last but not least: external programmer. Will definitely work. You could get away with non-soldering method, using SOIC8 test clip. But I haven’t tested this on the T20 and cannot say anything about it. Worst case: you need to desolder.

Any thoughts on this?

Cheers,
Tolga

1 Like

I came across Install and boot from an NVMe SSD on a Dell OptiPlex 9020, 7020 or 3020 (tachytelic.net) using the SERVICE_MODE jumper to write a custom BIOS to the 7020. If it is the same as the T1700 - would this work on the T1700 also?

Usually the method motioned “Service Mode” jumper allows FD unlock and access to the SPI regions by the Intel FPT tool, for reading and possibly to write also.
Look for the jumper on your motherboard, use FPT to make backups/dumps, full spi dump and bios_region.
Working only in bios_region is the best to avoid further touch in other areas.