Fork: 0
ajax / AMI-Aptio-BIOS-Reversed
Transfer to URL with SHA Find file
Newer
Older
AMI-Aptio-BIOS-Reversed / IioCfgUpdateDxeLightningRidgeEXECB2 / IioCfgUpdateDxeLightningRidgeEXECB2.md
@Ajax Dong Ajax Dong 2 days ago 6 KB Init
Raw Blame History

IioCfgUpdateDxeLightningRidgeEXECB2

Function Table

Address Name Description
ReturnNotFound
DebugPrint
DebugAssert
IsHobListGuid
ReadUnaligned64
FreePool
RegisterIioConfig
_ModuleEntryPoint
Module Globals (.data at 0xC08-0xC28)
Cached debug protocol interface (initialized on first use by GetDebugProtocol).
Address in binary: qword_DC0 at 0xDC0 (in .data).
VOID *gDebugProtocol = NULL;
Cached HOB list pointer (initialized on first use by GetHobList).
Address in binary: qword_DC8 at 0xDC8 (in .data).
VOID *gHobList = NULL;
Cached board type from CMOS (at 0xDD0 in .data).
Used by DebugPrint() when CMOS register 0x4B returns a value >3.
The non-obvious behavior: when CMOS value > 3, this cached value
overrides the CMOS read. If this cached value is 0, falls back
to MMIO register at 0xFDAF0490 for the board type.
UINT8 gBoardType = 0;
GUID Instances (.data at 0xBC0-0xBAF)
EFI_HOB_LIST_GUID instance - used to locate HOB list in config table.
Address in binary: unk_C10 at 0xC10 (.data).
EFI_GUID gEfiHobListGuid = EFI_HOB_LIST_GUID;
UBA Board-Type Protocol GUID - interface to register config data.
Address in binary: unk_BF0 at 0xBF0 (.data).
EFI_GUID gUbaBoardTypeProtocolGuid = UBA_BOARD_TYPE_PROTOCOL_GUID;
UBA IIO Config Update protocol GUIDs (one per CPU socket).
unk_C20 at 0xC20 (.data).
EFI_GUID gIioCfgUpdateProtocolGuid[IIO_CFG_UPDATE_PROTOCOL_COUNT] = {
UBA Debug Protocol GUID - protocol for debug output.
Address in binary: unk_BD0 at 0xBD0 (.data).
EFI_GUID gUbaDebugProtocolGuid = UBA_DEBUG_PROTOCOL_GUID;
IIO Configuration Protocol Header (PIIO structure at 0xC30)
UBA_IIO_CFG_UPDATE_PROTOCOL - The IIO config protocol structure
registered for each CPU socket on this platform.
This structure describes the IIO configuration table layout:
STATIC CONST UBA_IIO_CFG_UPDATE_PROTOCOL mIioCfgProtocol = {
Version 0x0D60, // TotalSize
ConfigTableOffset (UINT64)(UINTN)ReturnNotFound, // sub_50C = ReturnNotFound
ResourceTableOffset 0xFC // ResourceTableSize
IIO Configuration Table (PIIO config entries, at 0xC6C)
IIO configuration table for LightningRidgeEXECB2 (19 entries, 228 bytes).
KEY DIFFERENCES FROM EXECB1:
Entry format (12 bytes each, UBA_IIO_CFG_UPDATE_TABLE_ENTRY):
Byte 0: Type (UPT index)
Byte 1: Reserved0 (typically 0xFF = unchecked)
Bytes 2-3: Reserved1 (typically 0x0000)
Bytes 4-7: Reserved2 (typically 0x0000FFFF)
Byte 8: Value (0x00 = disabled, 0x01 = enabled)
Byte 9: Port (PCIe port number)
Bytes 10-11: AddressType (PCIE controller: 0x4C, 0x4E, 0x40, 0x42)
STATIC CONST UINT8 mIioCfgTable[] = {
Static Data: UBA Board Resource Table (at 0xD60)
UBA board resource lookup table at offset 0xD60 (part of PIIO data region).
Provides mapping between IIO resources and board interface connections.
STATIC CONST UINT8 mUbaBoardConfigTable[] = {
Check cache first
Raise TPL to TPL_HIGH_LEVEL (31) for critical section
Allocate a small buffer to check if protocol might be available.
Size 31 bytes = 0x1F (arbitrary small allocation).
On single-package platforms, this allocation may return a pointer
within a HOB page (address <= 0x10 relative to image), indicating
the debug protocol is not available.
If the allocation returned a low address (<= 0x10), this platform
The check: HobCheck <= 0x10 (16 bytes). This filters out
allocations that succeeded but returned a pointer within the
services AllocatePool is just a stub that returns HOB-base pointers).
Locate the UBA Debug protocol
shows this function leaves with high TPL. However, in UEFI
is expected to restore it. The analysis suggests RestoreTPL
is called implicitly or the caller handles it.
Looking at the actual disassembly:
oldTpl = gBS->RaiseTPL(31) at BootServices+0x18
return result
The decompiler lost the flow because the basic block
containing RestoreTPL was merged incorrectly.
Get the DebugLib protocol interface
Read CMOS register 0x4B to get board type
Port 0x70 = index, port 0x71 = data
Preserve the NMI enable bit (0x80) by reading current index first
Determine the effective board type value
Board type >3: use the cached n3 value from the global variable
at 0xDD0, which may have been set by prior firmware init
When cached board type is 0, fall back to MMIO register
Compute debug mask from board type.
Board type values 1,2,3 produce valid masks.
The subtraction + unsigned compare filters out 0 and >4 values.
Check if the requested error level is enabled by the board's mask
Call the DebugLib protocol's output function (interface offset 0x00)
Call the DebugLib protocol's assert handler at interface offset 0x08.
This is a different function pointer from the debug output at offset 0x00.
Initialize to NULL
Linear scan through configuration table entries
Found the HOB list - extract the table pointer
If HOB list was not found, trigger assertion (matches DxeHobLib.c behavior)
Read the target GUID as two 64-bit values
Read the reference GUID (EFI_HOB_LIST_GUID) as two 64-bit values
The reference is stored at gEfiHobListGuid (0xC10)
Compare both halves independently
Read 8 bytes from the given address
Print debug banner identifying this platform module
Locate the UBA board-type protocol via gBS->LocateProtocol
The protocol GUID is UBA_BOARD_TYPE_PROTOCOL_GUID at 0xBF0
Register IIO configuration protocol for each CPU socket
48 bytes
Step 1: Cache UEFI global variables with NULL pointer validation
Step 2: Locate the HOB list (needed by GetDebugProtocol/GetHobList)
Step 3: Register IIO configuration protocols for all sockets

Generated by HR650X BIOS Decompilation Project