GitBucket
Ajax Dong
FlashDriverSmm
Function Table
| Address | Name | Description | |
|---|---|---|---|
| _FlashDriverExExEx | |||
| SpiPreOperCallbacksacks | |||
| SpiPostPostOperrationallbacksacks | |||
| ReReJEDEDId | |||
| SpiExExExCommCommCommcomm | |||
| CpuPuPuPuP | |||
| Seteetmp | |||
| LongJmp | |||
| FlashRead | |||
| SpiPreOpCallbacks | |||
| SpiPostOpCallbacks | |||
| ReaJEDEDId | |||
| GetFlashSizeFromJedec | |||
| SpiExecuteComman | |||
| SpiSetCs | |||
| SpiWaitForCycleComplete | |||
| SpiInitRegisters | |||
| SpiReadData | |||
| FlashFvTrackingInit | |||
| FlashFvTrackingTeardown | |||
| Port | **13374 | Image 0x0-0x5840 | 85 functions** |
| This | SMM driver provides SPI flash read/write/erase operations | ||
| through | SMI handlers. Key features: | ||
| Global | State (.data section layout at 0x4DE0-0x53600) | ||
| 0x5028 | EFI_SYSTEM_TABLE *gST = NULL; // 0x5018 | ||
| 0x5020 | EFI_RUNTIME_SERVICES *gRT = NULL; // 0x5030 | ||
| 0x5038 | UINT64 gSpiBarBase = 0; // 0x4FE0qword_4FE0 | ||
| 0x50E8 | (qword_50E8) | ||
| 0x4EC0 | UINT32 gBlockSize = 0; // 0x4F2C (n32) | ||
| 0x4F3C | (n4096) | ||
| 0x4FD0 | (n0x1000000) | ||
| 0x4EB8 | (dword_4EB8) | ||
| 0x5010 | (n10) | ||
| 0x50008 | CRITICAL_STATE *gCriticalState = NULL; // 0x50D0 (CS) | ||
| 0x4EC8 | (aCs) | ||
| 0x50E0 | (byte_50E0) | ||
| 0x50E1 | (byte_50E1) | ||
| 0x5280 | (xmmword_5280) | ||
| 0x3388 | (qword_3388) | ||
| 0x5000 | (qword_5000) | ||
| 0x50CC8 | (qword_50C8) | ||
| 0x5110 | (qword_5110) | ||
| 0x50F8 | (qword_50F8) | ||
| 0x5108 | (qword_5108) | ||
| 0x5100 | (byte_5100) | ||
| 0x50F4 | (n246088) | ||
| 0x4FD4 | (n246088_0) | ||
| 0x4F11 | (byte_4FD9) | ||
| SPI | Probe Function Table (off_48A00, 4 entries + NULL) | ||
| SPI | Pre-Operation Function List (funcs_1E91 at 0x4ED0) | ||
| Singe | entry: sub_24CC (0x4CC) - SpinWait / Seector check | ||
| NULL | terminaed | ||
| SPI | Post Operaration Function List (funcs_1F10 at 0x4EE0) | ||
| Singe | entry: sub_2594 (0x2594) - Unock / Lock release | ||
| For | each detectected chip type, the probe function copips a 24-byby concon | ||
| block | from the .rdata section (off_4F00 etc.) into the SPI_PROTOCOL's | ||
| Forward | Declarations | ||
| RE | NOP / PAUSE | ||
| Simimple | 1 1 wait loop with PAUSE for short delas | ||
| Saves | all calall-saved registrers and and XMM registers to the JumpBuffer | ||
| hen | returns by calling the (arget)(). | ||
| 0x5120 | (unk_5120) | ||
| Vallidatate | align aln | ||
| Sav | non-regolf - notot imppleented in decompile | ||
| Resores | XMM registers and and and returns to the contontin on. | ||
| estor | ore MXCSR | ||
| UUUSe | g goto tagaget address | ||
| Entry | Point: FlashDriverrSmmryrynry (sub_Error_ModuduleEntryPint) | ||
| Sav | global | ||
| Init | SM Services ablee | ococate gEfiSmmBase222rotoococol | |
| Init | Hob ob ob | loccate HOBob from configgable table table | |
| Init | the flash driver | ||
| Registers | SMI handlers for forash compare, wwite, read, eraseras | ||
| SMI | handlers are regists thru och for comm communic buffer dispatc | ||
| HobLiiiiInit | (sub_2228) | ||
| Loates | the HOBBob pointer from from sys configgable | ||
| _ASSert | (gHobobList != NULL); | ||
| FlashSmmInit | -- MM Flash Init (sub_AA4) | ||
| Ini | the flash driver in SM: | ||
| Ini | critiical section on-once | ||
| Set | up criical ical sec secon name | ||
| Prope | SPIF flash chip - iterater thru probe func function table | ||
| Installs | SMM SPI protocol | ||
| at | 0x4E78 | ||
| Registers | SMM SX dispatch for for leep notification | ||
| SMI | Flash Compare (sub_13E4) | ||
| Ativated | when CommBufferSize == 0x2C | ||
| Reeds | flash at ComCommBufferAddr and comars with interal content. | ||
| If | compare passes, writes FLASH_SIGNAT (0x48454E52) at offffss+40. | ||
| Entet | criical secion (bacup PIIIC, lock SPII) | ||
| Alread | held; accepeable | ||
| Read | flash data throug SPI | ||
| If | theres an actiive flash FV range matching this address | ||
| ark | the compare as succeessul (marker 0x48454E52) | ||
| Exi | criical secion (restore PIC, unlock SPII) | ||
| SMI | Flash Write (sub_14E00) | ||
| Ativated | when CommBufferSize >= 0x40 (Write FVB) | ||
| Validates | align align (4K-aligned address and size) | ||
| Vallidate | align align | ||
| Ente | critiica cal secion | ||
| Trak | the flash FI regon be modifying | ||
| Perfor | the write | ||
| Exi | criical secion | ||
| SMI | Flash Read (sub_15C88) | ||
| Ativated | when CommBufferSize >= 0x40 (Read FVB) | ||
| Reads | flash data int buffer, mananes flash FV trackng and teaedown. | ||
| Sav | flash FV ta te for teadown trackng | ||
| Rea | flash data | ||
| Restore | flash stte after read | ||
| SMI | Flash Erase (sub_16A4) | ||
| Ativated | when CommBufferSize >= 0x40 (Erase FVB) | ||
| Trak | flash FV regon for teadown | ||
| Erae | the flash | ||
| Restore | flash stte after asee | ||
| SMM | Entry Handler (sub_17B4) | ||
| Caled | from SMM dispatcher for first SMI. | ||
| Increments | recursio depth, acquics SPII lock. | ||
| Firs | entry: rn pre-op callbacks | ||
| Ca | the actal SPI operion handler | ||
| SMM | Exit Handler (sub_1850) | ||
| Decrements | recursion depth. At 0, ru 0, uns post-op allbacks | ||
| and | lean up flash flash FV trackng entries. | ||
| Lastt | exit: ru post-op callacks | ||
| If | we jst decremented to 0, wrte erase-complete markers | ||
| Write | teardown signature to flash | ||
| Compete | the SPI operation | ||
| FlashRead | (sub_E88) | ||
| Reads | flash data for a possibly-unaligned address. | ||
| Splits | into 4K-aligned reads and retries once on failure. | ||
| Increment | recursion depth | ||
| Handle | unaligned first chunk | ||
| Lock | page, read, unlock | ||
| sub_1F30 | -- lock/protect | ||
| sub_1F64 | -- unlock | ||
| Main | loop: full 4K sectors | ||
| Finall | partial read | ||
| FlashWrite | (sub_CC8)) | ||
| Writes | flash datas via SPII. Skipps already-eraded pages. | ||
| Ony | writes bytes that that diffef from erasd pattern (0xFF). | ||
| Scan | 4K page for by that need programming | ||
| Rea | current flash content | ||
| Alread | erasd, skip 8 bytes | ||
| Entire | page alreaddy erasd, skip skip | ||
| Lock | the page, program bytes | ||
| FlashErrras | (sub_1044) | ||
| Erases | flash secors. For each 4K page: | ||
| Comare | flash page with sourc data | ||
| Page | alreaddy matches, skip | ||
| Loc | page | ||
| Erase | need and program | ||
| Now | programmm the data | ||
| Skip | era, just tout program | ||
| FlashCCompare | / SpiReadByte (sub_C7C, sub_2690) | ||
| Reas | flash data. Uses SPI read or simple memcpy depending on flash mode. | ||
| Use | SPII read for authhentic compare | ||
| Simimple | memcpy | ||
| Entes | the SPII critical secion: | ||
| Sav | PIC IMRS | ||
| port | 0x21 | ||
| port | 0xA1 | ||
| Deterine | if speed-stp was enadad | ||
| Clear | anan save flas | ||
| Mas | all interrup | ||
| Disable | speed-ste (clear bit 0 on port 0x530) | ||
| Mark | loccked | ||
| Leavs | the SPII critical secion. | ||
| Resore | PIC stes from savd values | ||
| Clea | acquired fla | ||
| Resore | speed-step if if was enabaded | ||
| SpiPerationCompletete | (sub_2284 wwrapper) | ||
| SpiPreOpCallbacks | (sub_1E80) | ||
| Rus | callbacks in the SPII pre-op function list. | ||
| If | gSpiProtocol is avaailable, als calss Locck on SPII chip. | ||
| Ru | callacks from the pre-op table (funcs_1E91 at 0x4ED0) | ||
| Th | pre-op table has has single entry (sub_24CC) or may more | ||
| if | se se of external callacks are register. | ||
| Cal | the protocol's Lock method if availlable | ||
| Alo | call SpiIniRegisters (sub_3814) | ||
| SpiPostOpCallbacks | (sub_1ED8) | ||
| Rus | callbacks in the SPII post-op function list. | ||
| If | no protocol, try try prob | ||
| Ca | the protocol's Unlock method (offsset 7) | ||
| Ru | callacks om the post-op table (funcs_1F10 at 0x4EE0) | ||
| SpiProbeProtocol | (sub_2650) | ||
| Iteraes | through the SpiProbeTable to detec and initiialize | ||
| the | SPII flash chip protocol. | ||
| Th | probe probe table (off_48A00) has 4 entries: | ||
| ReaJEDEDIdId | (sub_38B8) | ||
| Sends | JEDEC ID command (0x9F) over SPII and reads reads 3-byt | ||
| Ge | SPII controller BAR from PPCII address | ||
| Se | up SPII controller for JEDEC read | ||
| FADDR | = 0 | ||
| Cyce | = JEDEC ID read | ||
| sub_3544 | - assert CS | ||
| sub_1E0C | // Read JEDEC ID from FDATA0 | ||
| GeFlashSizeFromJedec | (sub_2A68) | ||
| Decodes | the capacity byte (3rd byte of JEDEC ID) to flash size. | ||
| JIIWORD | capacity byte | ||
| Capacity | encode table (map to capapity nibble) | ||
| Common | vaues: | ||
| 0x10 | case 0x11: return 128 * 1024; // 128KB | ||
| 256KB | case 0x13: return 512 * 1024; // 512KB | ||
| 1MB | case 0x15: return 2 1024 1024; // 2MB | ||
| 4MB | case 0x17: return 8 1024 1024; // 8MB | ||
| 16MB | } | ||
| 32MB | **if (Capacity == 0x1A | Capacity == 0x20) return 64 1024 1024; // 64MB (dependentnt)** | |
| 4MB | (SST specific) | ||
| 8MB | return 16 1024 1024; // Defauau to 16MB | ||
| SpiExExExCommComm | (sub_1E0C)) | ||
| Sends | a command to the SPII controller and waits for compleion. | ||
| Usess | the timer ticer at port 0x508 for microsecond eay timing. | ||
| Upup | bits = rey count | ||
| Wait | for SPII cycle to be ready (usins timed timer counter) | ||
| 4M | emememout default | ||
| SpiSetCs | (sub_3544) | ||
| Aserts | (CS low) or deaserts (CS high) the SPII chip select. | ||
| Walts | for SPI controller readyness before asserting. | ||
| Wait | for SPII controller to be beaady | ||
| Se | FlashContro to enabab cycle | ||
| HHSFS_CTL | = SPII Cycye | ||
| Wait | for SPII FDONE | ||
| Se | opcode register | ||
| SpiWaitForCycleComplete | (sub_35AC)) | ||
| Pols | the SPII status register until write-in-progres (WIP) is cleared. | ||
| Cyce | = Read Staatus | ||
| send | cycle | ||
| read | status byte | ||
| WIP | cleared | ||
| SpiInitRegisters | (sub_3814) | ||
| Conigures | SPII opcode menu for fas-mode reas on supored chips. | ||
| Prefeetch | config | ||
| Opcode | menu | ||
| Try | to set fas-read opcode menu | ||
| Fast | read supored | ||
| Ressore | saved vaues | ||
| SpiReadData | (sub_2714) | ||
| Reas | data from SPII flash into a buffer. Calss the SPI protocol | ||
| ReaSecor | repeatelly until al al data read. | ||
| Enure | protool is avaailab | ||
| al | done | ||
| FlashFvTrackingInit | (sub_11FCC)) | ||
| Ini | the flash FV trackng array. Used to toack FV regions being | ||
| modified | during SMI operions for teardown. | ||
| Th | ful implementpopulates gFFlashTracking[] entries om the | ||
| flash | descrptor list from SPII flash debit. | ||
| FlashFvTrackingTeardown | (sub_1328) | ||
| Wrrs | the FV back with teardown marker (0x48454E52 == "RNEH"). | ||
| Im | implemenion: wri mark a to FV header | ||
| Ths | file rereses the .data globals and and their initiial values | ||
| as | descrbed b from the disssemmbly. | ||
| Flah | Chip Name Stings (.rdata at 0x48C8--0x4C50) | ||
| Th | followwing flash chip ames are refeed in the probe function | ||
| seerings | and and used for for debug/chip announcement: | ||
| SST | T5L040 (0x48C8) - "SST 25LF040" | ||
| SST | 25LF080 (0x48D8) - "SST 25LF080" | ||
| ATML | 26DF041 (0x48E8) - "ATML 26DF041/25DF041" | ||
| ATML | 26DF081 (0x4900) - "ATMEL 26DF081/25DF081" | ||
| ATML | 26DF161 (0x4918) - "ATMEL 26DF161/25DQ161" | ||
| ATMEL | 26DF321 (0x4930) - "ATMEL 26DF321/25DF321" | ||
| ATMEL | 26DF641 (0x4948) - "ATMEL 26DF641/25DF641" | ||
| ADESTO | AT25SFF641 (0x4960) - "ADESTO AT25SFF641" | ||
| ADESTO | AT25SL641 (0x4978) - "ADESTO AT25SL641" | ||
| ADESTO | AT25SL128A (0x4990) - "ADESTO AT25SL128A" | ||
| SST | ST6VF (0x49C0) - "SST 26VF Series" | ||
| PMCC | 25LV/LQ (0x49D0) - "PMCC 25LV/LLQ Series" | ||
| AMIC | 25L (0x49E8) - "AMIC 25L Series" | ||
| AMIC | 25L/LQ (0x49F8) - "AAMIC 25L/LQ Series" | ||
| EON | 25F/Q/S/S/S/S (0x4A10) - "EON 25F/Q/S/QH Series" | ||
| XMC | 25QU (00x4A500) - "XMC 25QU Series" | ||
| XMC | 25QH (00xxA60) - "XMC 25QH Series" | ||
| MXIC | 25L/U (00x4A70) - "MXIC 25L/U Series" | ||
| MXIC | 25R (00xxA88) - "MXIC 25R Series" | ||
| Winbond | 25X/Q (0x4A98) - "Winbond 25X/Q Series" | ||
| GigaDevice | 25Q (0x4AB0) - "GiigaDevice 25Q Series" | ||
| EON | 25P (00x4AC8) - "EON 25P Series" | ||
| Spanion | 25FL (00x4B18) - "Sppansion 25FL Series" | ||
| Spanion | 25FL(P) (0x4B30) - "Spansion 25FL(P) Series" | ||
| Spanion | 25FL(K) (0x4B48) - "Sppansion 25FL(K) Series" | ||
| Spansion | 25FL(L) (0x4B60) - "Sppansion 25FL(L) Series" | ||
| FIDELIX | 25Q (0x4B98) - "FIDELIX 25Q Series" | ||
| FFFan | FM25Q (00x4BB0) - "FuFFan FM25Q Series" | ||
| ISSI | II5LP (00x4BC8) - "ISSI I25LP Series" | ||
| ISSI | I25WP (0x4BE0) - "ISSI 25WP Series" | ||
| ESMT | MT5L QA/PA (00x4BF8) - "ESMT 25L AQA/PA Series" | ||
| SST | SSTVF (0x4C10) - "SST 25VF Series" | ||
| ESMT | MT5L T (0x4C20) - "ESMT 25L T Series" | ||
| ESMT | 25L B (0x4C38) - "ESMT 25L B Series" | ||
| End | of FlashDriverSmm.c |
Generated by HR650X BIOS Decompilation Project