Fork: 0
ajax / AMI-Aptio-BIOS-Reversed
Transfer to URL with SHA Find file
Newer
Older
AMI-Aptio-BIOS-Reversed / SmbiosDataUpdateDxeNeonCityEPRP / SmbiosDataUpdateDxe_analysis.md
@Ajax Dong Ajax Dong 2 days ago 8 KB Init
Raw Blame History

SmbiosDataUpdateDxeNeonCityEPRP - Analysis Report

Overview

Field Value
Module SmbiosDataUpdateDxeNeonCityEPRP.efi
Index 0349
Arch x64 (PE32+)
Image Size 0x3CE0 (15584 bytes)
MD5 fd9a4def34a205a60501951808dc4920
SHA256 fb76a40b263498672d702cdc6a7ef6d90917ed5677a8723bb3e7249b13941f08
Functions 41 total (40 unnamed originally)
Strings 69
Source Path PurleyRpPkg/Uba/UbaMain/Dxe/TypeNeonCityEPRP/SmbiosDataUpdateDxe/
Build Profile HR6N0XMLK, DEBUG_VS2015, X64
UBA Platform TypeNeonCityEPRP

Purpose

This UEFI driver updates SMBIOS data structures at runtime for the NeonCityEPRP server platform (Purley family). It uses the UBA (Universal Build Architecture) layer to customize SMBIOS Type 9 (System Slots) and Type 41 (Onboard Devices) with platform-specific string data stored in HII packages.

Architecture

Call Flow

_ModuleEntryPoint (0x370)

  +-- UefiDriverEntryPoint (0x38C)  -- Driver initialization
     |-- HII services protocol resolution
     |-- DxeServicesTable resolution
     |-- PCI MMCONFIG base protocol (mPciUsra)
     |-- HOB list initialization

  +-- SmbiosDataUpdateEntry (0x654) -- Main entry
-- Opens UBA private protocol
-- Registers HII string packages via HiiAddPackages()
-- Registers callback via UBA protocol

        +-- SmbiosDataUpdateCallback (0xF54)
-- [Loop x30] UpdateSmbiosType9SystemSlots (0x77C)
     Updates SMBIOS Type 9 (System Slots) slot names
-- Deletes all Type 9 keys from UBA
-- [Loop x8]  UpdateSmbiosType41OnboardDevices (0xA20)
     Updates SMBIOS Type 41 (Onboard Devices) device names
-- Deletes all Type 41 keys from UBA
-- [Loop x4]  UpdateSmbiosTypeUnknownExtended (0xD98)
     Updates an additional extended device type
-- FreePool cleanup

Segment Map

Segment Start End Size Permissions Contents
HEADER 0x0000 0x0280 0x280 --- PE/COFF header
.text 0x0280 0x24C0 0x2240 rx Executable code
.rdata 0x24C0 0x31A0 0xCE0 r Strings, debug paths
.data 0x31A0 0x39A0 0x800 rw Global variables
seg004 0x39A0 0x3B60 0x1C0 r HII package data
.xdata 0x3B60 0x3CE0 0x180 r Exception handling data

SMBIOS Type 9 - System Slots

The function UpdateSmbiosType9SystemSlots() handles up to 30 system slot entries (0x1E). Each slot entry has a 10-byte descriptor containing:

Offset Size Description
+0 2 Slot StringId (name) - if non-zero, string is fetched and written
+2 1 Slot Type (SMBIOS slot type enumeration)
+3 1 Slot Data Bus Width
+4 1 Current Usage
+5 1 Slot Length
+6 1 Characteristics (low byte)
+7 1 Characteristics (high byte)
+8 1 Segment Number (Group)
+9 1 Bus Number / Function Number

The slot string data is embedded in the code as an array of packed structures starting at offset 0x7A5.

Each slot can have a name string and/or a description string. These are retrieved via HiiGetString() from the HII database and written to the UBA SMBIOS data store via UbaSmbiosUpdateStringReplace().

After all slots are processed, UbaSmbiosDeleteAllKeysOfType(9) removes stale Type 9 entries.

SMBIOS Type 41 - Onboard Devices

The function UpdateSmbiosType41OnboardDevices() handles up to 8 onboard device entries. Similar pattern: for each device index, it reads configuration data, resolves string references via HII, and updates the UBA SMBIOS data store.

After processing, UbaSmbiosDeleteAllKeysOfType(41) removes stale Type 41 entries.

SMBIOS Extended Type

The function UpdateSmbiosTypeUnknownExtended() handles 4 entries of an additional type (likely a platform-specific OEM SMBIOS type). This function could not be decompiled (possibly due to optimization artifacts or inline assembly), but follows the same pattern of index-based iteration with HII string resolution and UBA data store updates.

Key Data Flow

  1. HII String Packages: The driver registers HII string packages containing platform-specific SMBIOS strings (slot names, device descriptions).

  2. UBA Protocol: Uses UBA private protocol (gSmbiosStringPackHandle) to manage SMBIOS string data through set/get/delete operations.

  3. PCI Access: Uses mPciUsra (PCI MMCONFIG base protocol) for PCI register access via PciWriteMmPciUsra().

  4. Variable Storage: Uses UEFI variable services through UbaSmbiosGetVariable() / UbaSmbiosSetVariableIfNotExist() for persistent key-value storage.

Renamed Functions (40 new names)

Address Original Renamed To Size Purpose
0x280 sub_280 InternalZeroMem 0x20 Zero memory helper
0x300 sub_300 InternalCopyMem 0x42 Copy memory helper
0x370 _ModuleEntryPoint _ModuleEntryPoint 0x1C Entry point
0x38C sub_38C UefiDriverEntryPoint 0x2C7 Driver initialization
0x654 sub_654 SmbiosDataUpdateEntry 0x125 Main entry - registers callback
0x77C sub_77C UpdateSmbiosType9SystemSlots 0x2A4 SMBIOS Type 9 update
0xA20 sub_A20 UpdateSmbiosType41OnboardDevices 0x376 SMBIOS Type 41 update
0xD98 sub_D98 UpdateSmbiosTypeUnknownExtended 0x1BC Extended type update
0xF54 sub_F54 SmbiosDataUpdateCallback 0xF0 Main update callback
0x1044 sub_1044 GetHiiDatabaseProtocol 0x7F Get HII Database protocol
0x10C4 sub_10C4 DebugPrintAssertLog 0x88 Log ASSERT error
0x114C sub_114C AssertReport 0x3E Report assertion failure
0x118C sub_118C CopyGuid 0x46 Copy GUID
0x123C sub_123C ZeroMem 0x6E Zero buffer memory
0x12AC sub_12AC ReadUnaligned32 0x2E Read unaligned UINT32
0x12DC sub_12DC ReadUnaligned64 0x2F Read unaligned UINT64
0x130C sub_130C WriteUnaligned64 0x3E Write unaligned UINT64
0x134C sub_134C AllocatePool 0x2E Allocate boot services pool
0x137C sub_137C AllocateZeroPool 0x27 Allocate zero-initialized pool
0x13A4 sub_13A4 FreePool 0x44 Free pool memory
0x13E8 sub_13E8 EfiGetSystemConfigurationTable 0xC4 Find config table by GUID
0x14AC sub_14AC GetPlatformLangVariable 0xF6 Read PlatformLang UEFI variable
0x15A4 sub_15A4 GetBestLanguage 0x141 Select best matching language
0x16E8 sub_16E8 GetHobList 0x82 Get HOB list pointer
0x176C sub_176C HiiGetString 0x199 Get HII string by ID
0x1908 sub_1908 HiiAddPackages 0x139 Register HII packages
0x1A44 sub_1A44 HiiGetSupportedLanguages 0xA2 Get supported languages
0x1AE8 sub_1AE8 UbaSmbiosUpdateStringReplace 0x2E0 Replace string in SMBIOS block
0x1DC8 sub_1DC8 UbaSmbiosFindStringBlockEnd 0x52 Find end of string block
0x1E1C sub_1E1C UbaSmbiosFlushStringPack 0x63 Flush string pack to storage
0x1E80 sub_1E80 UbaSmbiosGetVariable 0xD0 Read UEFI variable
0x1F50 sub_1F50 UbaSmbiosSetVariableIfNotExist 0x61 Set variable if absent
0x1FB4 sub_1FB4 UbaSmbiosDeleteAllKeysOfType 0xB0 Delete all keys of given type
0x2064 sub_2064 PciWriteMmPciUsra 0x46 Write PCI config via MMCONFIG
0x20AC sub_20AC CopyMem 0x99 Copy memory buffer
0x2148 sub_2148 AsciiStrLen 0x6B ASCII string length
0x2280 sub_2280 StrLen 0x66 Unicode string length
0x22E8 sub_22E8 AsciiStrnLenS 0x2A Safe ASCII string length
0x2314 sub_2314 StrToAsciiStr 0x18E Unicode to ASCII conversion

Important Strings

  • UBA:SmbiosDataUpdateEntry Image GUID=%g - Debug log at entry
  • gSmbiosStringPackHandle != ((void *) 0) - Assertion for pack handle
  • \nASSERT_EFI_ERROR (Status = %r)\n - Debug assertion format
  • Source path references: PurleyRpPkg/Uba/UbaMain/Dxe/TypeNeonCityEPRP/SmbiosDataUpdateDxe/

Dependencies

  • MdePkg - Base UEFI types and libraries
  • MdeModulePkg - UEFI HII services
  • PurleyPlatPkg - UBA platform library
  • CpRcPkg - PCI MMCONFIG base library

Notes

  • The module is compiled with DEBUG_VS2015 configuration, meaning all ASSERT macros are active.
  • The UBA protocol GUIDs and HII package data are embedded in the module's .data and seg004 sections.
  • String replacement in UbaSmbiosUpdateStringReplace() is done in-place within the SMBIOS string block buffer.
  • The driver uses a callback model: the UBA layer invokes SmbiosDataUpdateCallback() at the appropriate time for SMBIOS data customization.
  • The platform name NeonCityEPRP suggests this is for Intel Purley server platforms with a specific board revision.