-
Notifications
You must be signed in to change notification settings - Fork 0
/
notes.txt
195 lines (150 loc) · 8.17 KB
/
notes.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
Notes on the structures and sequence discovered so far
Program flow:
Look for RSDP
Parse XSDT
Parse FACP
Save SMI_CommandPort
Parse UEFI e86395d2-e1cf-414d-8e54-da4322fede5c "uuid_4"
Save addr (as unknown_addr1)
Parse UEFI be96e815-df0c-e247-9b97-a28a398bc765 "uuid_2"
Save Buffer_Ptr_Address
Load some bytes from unknown_addr1, but I dont know what for
(check dword at offset 0x4, if 0x40 set flag, if 0x20 reset flag,
if other set flag and return zero)
Create Header at Buffer_Ptr_Address:
00000000 00 00 01 00 00 00 00 00 ff 00 00 00 00 00 00 00 |................|
00000010 68 00 00 00 00 00 00 00 fc 44 de b1 46 79 82 49 |h........D..Fy.I|
00000020 9b 4b 2f 8c a4 5e a7 92 00 00 00 00 00 00 00 00 |.K/..^..........|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
Header size 0x28
dword unknown = 0x10000
dword unknown = 0
qword unknown = 0xff
qword total packet size = 0x40+0x28
uuid "uuid_1" = fc 44 de b1 46 79 82 49 9b 4b 2f 8c a4 5e a7 92
Call SMI
out SMI_CommandPort, 0xe9 (val is hardcoded in binary - eg 0x0000e8d7)
packet 3: dw0 = 00 01 01 00, size = 0x38, 0x28 = 0x06, 0x30 = 0x10
packet 4: dw0 = 00 01 01 00, size = 0x38, 0x28 = 0x06, 0x30 = 0x03
packet 5: dw0 = 00 01 01 00, size = 0x38, 0x28 = 0x06, 0x30 = 0x05
packet 6: dw0 = 00 01 01 00, size = 0x38, 0x28 = 0x06, 0x30 = 0x09
packet 7: dw0 = 00 01 01 00, size = 0x38, 0x28 = 0x06, 0x30 = 0x20
packet 8: dw0 = 00 01 01 00, size = 0x38, 0x28 = 0x06, 0x30 = 0x1e
packet 9:
00000000 00 17 01 00 00 00 00 00 ff 00 00 00 00 00 00 00 |................|
00000010 00 02 00 00 00 00 00 00 fc 44 de b1 46 79 82 49 |.........D..Fy.I|
00000020 9b 4b 2f 8c a4 5e a7 92 04 00 00 00 00 00 00 00 |.K/..^..........|
00000030 41 00 70 00 70 00 4e 00 61 00 6d 00 65 00 00 00 |A.p.p.N.a.m.e...|
00000040 46 4c 41 53 48 00 00 00 00 00 00 00 00 00 00 00 |FLASH...........|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
packet 10: dw0 = 00 01 01 00, size = 0x38, 0x28 = 0x06, 0x30 = 0x0b
(opens file, which fails)
packet 11: dw0 = 00 01 01 00, size = 0x38, 0x28 = 0x06, 0x30 = 0x1e
packet 12:
00000000 00 17 01 00 00 00 00 00 ff 00 00 00 00 00 00 00 |................|
00000010 00 02 00 00 00 00 00 00 fc 44 de b1 46 79 82 49 |.........D..Fy.I|
00000020 9b 4b 2f 8c a4 5e a7 92 00 00 00 00 00 00 00 00 |.K/..^..........|
00000030 41 00 70 00 70 00 4e 00 61 00 6d 00 65 00 00 00 |A.p.p.N.a.m.e...|
packet 13:
00000000 00 17 01 00 00 00 00 00 ff 00 00 00 00 00 00 00 |................|
00000010 00 02 00 00 00 00 00 00 fc 44 de b1 46 79 82 49 |.........D..Fy.I|
00000020 9b 4b 2f 8c a4 5e a7 92 00 00 00 00 00 00 00 00 |.K/..^..........|
00000030 41 00 70 00 70 00 50 00 6c 00 61 00 74 00 66 00 |A.p.p.P.l.a.t.f.|
00000040 6f 00 72 00 6d 00 00 00 00 00 00 00 00 00 00 00 |o.r.m...........|
packet 14: dw0 = 00 01 01 00, size = 0x38, 0x28 = 0x06, 0x30 = 0x21
packet 15: dw0 = 00 01 01 00, size = 0x38, 0x28 = 0x06, 0x30 = 0x26
packet 16: dw0 = 00 01 01 00, size = 0x38, 0x28 = 0x06, 0x30 = 0x08
-----
0011f8e: SMI (port[0xb2] = 0xe9)
buf: 0x10000 0x0 0xff size=0x68 uuid=fc44deb1-4679-8249-9b4b-2f8ca45ea792
0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
buf: 0x10000 0x0 0xff size=0x68 uuid=fc44deb1-4679-8249-9b4b-2f8ca45ea792
0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
buf: 0x10100 0x0 0xff size=0x38 uuid=fc44deb1-4679-8249-9b4b-2f8ca45ea792
0000 06 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 |................|
buf: 0x10100 0x0 0xff size=0x38 uuid=fc44deb1-4679-8249-9b4b-2f8ca45ea792
0000 06 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 |................|
buf: 0x10100 0x0 0xff size=0x38 uuid=fc44deb1-4679-8249-9b4b-2f8ca45ea792
0000 06 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 |................|
buf: 0x10100 0x0 0xff size=0x38 uuid=fc44deb1-4679-8249-9b4b-2f8ca45ea792
0000 06 00 00 00 00 00 00 00 09 00 00 00 00 00 00 00 |................|
buf: 0x10100 0x0 0xff size=0x38 uuid=fc44deb1-4679-8249-9b4b-2f8ca45ea792
0000 06 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 |........ .......|
buf: 0x10100 0x0 0xff size=0x38 uuid=fc44deb1-4679-8249-9b4b-2f8ca45ea792
0000 06 00 00 00 00 00 00 00 1e 00 00 00 00 00 00 00 |................|
buf: 0x11700 0x0 0xff size=0x200 uuid=fc44deb1-4679-8249-9b4b-2f8ca45ea792
0000 04 00 00 00 00 00 00 00 41 00 70 00 70 00 4e 00 |........A.p.p.N.|
0010 61 00 6d 00 65 00 00 00 46 4c 41 53 48 00 00 00 |a.m.e...FLASH...|
*
01d0 00 00 00 00 00 00 00 00 |........|
buf: 0x10100 0x0 0xff size=0x38 uuid=fc44deb1-4679-8249-9b4b-2f8ca45ea792
0000 06 00 00 00 00 00 00 00 0b 00 00 00 00 00 00 00 |................|
(loads image file from disk to ram)
buf: 0x5 0x0 0x1 0x0 0xffd20000 0x810 0xc10 0xff 0x1010
uuid=fc44deb1-4679-8249-9b4b-2f8ca45ea792
+0x0 dword 5
+0x4 dword 0
+0x8 dword 1
+0xc dword 0
+0x10 dword = arg_8h (0xffd20000) (appears to be a base addr from the FLASH_MAP)
+0x14 dword = arg_ch (0)
+0x30 dword = [data.dosbuf.something.0x4ca68] (via fn that could make it 0)
+0x34 dword 0
+0x48 dword = [data.dosbuf.something.0x4ca68]+0x400 (via same fn)
+0x4c dword 0
+0x50 dword 0xff
+0x54 dword 0
+0x58 dword = [data.dosbuf.something.0x4ca68]+0x800 (via same fn)
+0x5c dword 0
+0x60 uuid = uuid_1
then read 0x1000 from 0x810 (dosbuf)
buf: 0x11400 0x0 0xff size=0x38 uuid=fc44deb1-4679-8249-9b4b-2f8ca45ea792
0000 00 10 00 00 00 00 00 00 10 08 00 00 00 00 00 00 |................|
buf: 0x10100 0x0 0xff size=0x38 uuid=fc44deb1-4679-8249-9b4b-2f8ca45ea792
0000 06 00 00 00 00 00 00 00 1e 00 00 00 00 00 00 00 |................|
buf: 0x11700 0x0 0xff size=0x200 uuid=fc44deb1-4679-8249-9b4b-2f8ca45ea792
0000 00 00 00 00 00 00 00 00 41 00 70 00 70 00 4e 00 |........A.p.p.N.|
0010 61 00 6d 00 65 00 00 00 00 00 00 00 00 00 00 00 |a.m.e...........|
*
01d0 00 00 00 00 00 00 00 00 |........|
buf: 0x11700 0x0 0xff size=0x200 uuid=fc44deb1-4679-8249-9b4b-2f8ca45ea792
0000 00 00 00 00 00 00 00 00 41 00 70 00 70 00 50 00 |........A.p.p.P.|
0010 6c 00 61 00 74 00 66 00 6f 00 72 00 6d 00 00 00 |l.a.t.f.o.r.m...|
*
01d0 00 00 00 00 00 00 00 00 |........|
buf: 0x10100 0x0 0xff size=0x38 uuid=fc44deb1-4679-8249-9b4b-2f8ca45ea792
0000 06 00 00 00 00 00 00 00 21 00 00 00 00 00 00 00 |........!.......|
buf: 0x10100 0x0 0xff size=0x38 uuid=fc44deb1-4679-8249-9b4b-2f8ca45ea792
0000 06 00 00 00 00 00 00 00 26 00 00 00 00 00 00 00 |........&.......|
buf: 0x10100 0x0 0xff size=0x38 uuid=fc44deb1-4679-8249-9b4b-2f8ca45ea792
0000 06 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 |................|
ERROR 200 - Failed to perform flash initialization!
Status = 255.
---
FL2 ec firmware:
the x220.8DHT34WW.s01CB000.FL2.orig consists of:
0 - 0x4fffff padding 0xff
0x500000 - 0x51ffff EC firmware
0x520000 - 0x75fccf garbage?
0x75fcd0 - 0x77bfff padding 0xff
0x77c000 - ? _FLASH_MAP
? - 0x7fffff garbage? (minimum size of tail)
0x800000 - 0x8140bf gargage? (starts with "$PFH")
0x8140c0 - 0x820fff padding 0xff
the x230.G2HT35WW.s01D3000.FL2.orig consists of:
0 - 0x4fffff padding 0xff
0x500000 - 0x52fff0 EC firmware
0x530000 - 0x7fffff padding 0xff
0x800000 - 0xb0ffff garbage? seems to be from a bios image
0xb10000 - 0xb10354 _FLASH_MAP http://wiki.phoenix.com/wiki/index.php/PHOENIX_FLASH_MAP_HEADER
0xb10355 - 0xc140bf garbage?
0xc140c0 - 0xc20fff padding 0xff
fuzz testing shows that dosflash accepts a binary with the following:
0 - 0x25c32f minimum initial size (any data)
0x25c330 - 0x2e0330 copied from x220 fl2 at offset 0x77c000 - 0x7fffff
(dd if=/dev/zero bs=$[0x25c330] count=1; dd if=x220.8DHT34WW.s01CB000.FL2.orig bs=1 skip=$[0x77c000] count=$[0x84000] ) >test2.FL2
(dd if=/dev/zero bs=$[0x25c330] count=1; dd if=x230.G2HT35WW.s01D3000.FL2.orig bs=1 skip=$[0xa7d330] count=$[0x1a3cd0] ) >test2.FL2