Dell XPS 15 L502X Bios update patching
👋, I have an old Dell L502X (XPS 15) for purely nostalgic reasons. I first bought this laptop in ~2011 as a workhorse. The thing certainly has its best days behind it.
The USB and HDMI ports no longer work, the graphics card is fried and, unless disabled in Device Manager, causes a BSOD, the battery has totally failed, and the case is cracked and dented. As an added bonus, it's around 3 inches thick and 4 kilograms 'light'.
However! The speakers on the thing are great - the JBL sub-woofer is probably the best thing I've heard coming out of a laptop and it does have reasonable specs - i7 (granted, 2nd gen) with an SSD makes it a decent worker if in a fix.
I dusted this unit off to have a spare beater alongside my 2015 Macbook. I re-installed Windows 10 and downloaded the drivers from the Dell support site. Unbelievably there was a BIOS update from 2020 - this thing was end of life in around 2014.
attempt #1
I promptly downloaded the update and ran it - instantly hitting this error:
Brilliant. Clicking OK displays the same box over and over until the battery is >10%. I'm not interested in ordering a replacement battery for this; it's a toy at this point.
Windows seems to think my battery is tip-top, though. It seems like an 8-bit BMS has gone very wrong or something: 255% charged, yet 100% in the control panel, and an empty battery icon in the system tray. Nice.
To Ghidra we go! I first searched the string in the error message I was receiving.
After finding said string at 0x043c0d8, I started sniffing around the references to this string. We have one, at function 0x0402120 from offset 0x04036a4.
Which led me to this piece of code. Note the do-while loop and the "case 3:". We're inside a switch statement, and this is where I'm getting stuck. I could probably just patch the while code and it'd be happy from this point on.
I did notice other checks for power management, though, which would be nice to bypass.
After scrolling around this sub-routine a little longer I found the case which seems to be executed if everything is OK and prepares the system for flashing the BIOS. This is where we need to be.
A quick look at the comparison for the switch statement tells me I can just patch this variable out to always land on case 6. This should take me straight to the BIOS flashing procedure with no pesky checks.
patching from this:
MOV EAX, dword ptr [EBP + local_d00]
AND EAX, 0x7
to this. As 0x7 & 0x7 = 0x7, and 1 is then subtracted from the result, this should take us to case 6 for our flash:
MOV EAX, 0x7
AND EAX, 0x7
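One thing to check with an in-place patch like this is instruction length: a load from a large stack offset is normally 6 bytes, while the shortest `MOV EAX, imm32` is 5, so the spare byte has to be padded or the following `AND` will be mis-decoded. The sketch below is an added example, not taken from the updater or from Ghidra; the byte encodings, the displacement standing in for `local_d00`, and the helper names are assumptions.

```python
import struct

NOP = b"\x90"

def dispatch_case(state: int) -> int:
    """Model of the switch selector described above: (state & 0x7) - 1."""
    return (state & 0x7) - 1

def apply_patch(image: bytes, offset: int, expected: bytes, replacement: bytes) -> bytes:
    """Overwrite `expected` at `offset` with `replacement`, NOP-padded to the same length."""
    if len(replacement) > len(expected):
        raise ValueError("replacement is longer than the instruction it overwrites")
    if image[offset:offset + len(expected)] != expected:
        raise ValueError("bytes at offset do not match the expected instruction")
    padded = replacement + NOP * (len(expected) - len(replacement))
    return image[:offset] + padded + image[offset + len(expected):]

# Assumed encoding of the original load: MOV EAX, [EBP + disp32] = 8B 85 <disp32>.
# The displacement is a constructed value, not read from the real binary.
ORIGINAL_MOV = b"\x8b\x85" + struct.pack("<i", -0xCFC)
AND_EAX_7 = b"\x83\xe0\x07"                     # AND EAX, 0x7
PATCHED_MOV = b"\xb8" + struct.pack("<I", 0x7)  # MOV EAX, 0x7 (5 bytes)

def demo() -> bytes:
    # Constructed fragment: PUSH EBP, the load, the mask, RET.
    image = b"\x55" + ORIGINAL_MOV + AND_EAX_7 + b"\xc3"
    return apply_patch(image, 1, ORIGINAL_MOV, PATCHED_MOV)

if __name__ == "__main__":
    print(demo().hex(" "))                      # patched fragment
    print("case reached:", dispatch_case(0x7))
```

Checking the expected bytes before writing also catches the case where the offset belongs to a different build of the executable.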
attempt #2
The binary is then exported and we cross our fingers that we haven't just created a 4kg doorstop.
Success! Here's a final photo of the laptop after the BIOS update had completed. Safe to say I doubt there'll be any future BIOS updates for this machine. Was fun all the while.