# FlashDriverSmm

## Function Table

| Address | Name | Description |
|---------|------|-------------|
|  | **_FlashDriverExExEx** |  |
|  | **SpiPreOpCallbacks** |  |
|  | **SpiPostOpCallbacks** |  |
|  | **ReReJEDEDId** |  |
|  | **SpiExecuteCommand** |  |
|  | **CpuPause** |  |
|  | **SetJmp** |  |
|  | **LongJmp** |  |
|  | **FlashRead** |  |
|  | **SpiPreOpCallbacks** |  |
|  | **SpiPostOpCallbacks** |  |
|  | **ReaJEDEDId** |  |
|  | **GetFlashSizeFromJedec** |  |
|  | **SpiExecuteCommand** |  |
|  | **SpiSetCs** |  |
|  | **SpiWaitForCycleComplete** |  |
|  | **SpiInitRegisters** |  |
|  | **SpiReadData** |  |
|  | **FlashFvTrackingInit** |  |
|  | **FlashFvTrackingTeardown** |  |
| Port | **13374 | Image 0x0-0x5840 | 85 functions** |  |
| This | **SMM driver provides SPI flash read/write/erase operations** |  |
| through | **SMI handlers. Key features:** |  |
| Global | **State (.data section layout at 0x4DE0-0x53600)** |  |
| 0x5028 | **EFI_SYSTEM_TABLE        *gST                = NULL;  // 0x5018** |  |
| 0x5020 | **EFI_RUNTIME_SERVICES    *gRT               = NULL;  // 0x5030** |  |
| 0x5038 | **UINT64                  gSpiBarBase         = 0;     // 0x4FE0qword_4FE0** |  |
| 0x50E8 | **(qword_50E8)** |  |
| 0x4EC0 | **UINT32                  gBlockSize          = 0;     // 0x4F2C (n32)** |  |
| 0x4F3C | **(n4096)** |  |
| 0x4FD0 | **(n0x1000000)** |  |
| 0x4EB8 | **(dword_4EB8)** |  |
| 0x5010 | **(n10)** |  |
| 0x50008 | **CRITICAL_STATE          *gCriticalState     = NULL;  // 0x50D0 (_CS_)** |  |
| 0x4EC8 | **(aCs)** |  |
| 0x50E0 | **(byte_50E0)** |  |
| 0x50E1 | **(byte_50E1)** |  |
| 0x5280 | **(xmmword_5280)** |  |
| 0x3388 | **(qword_3388)** |  |
| 0x5000 | **(qword_5000)** |  |
| 0x50CC8 | **(qword_50C8)** |  |
| 0x5110 | **(qword_5110)** |  |
| 0x50F8 | **(qword_50F8)** |  |
| 0x5108 | **(qword_5108)** |  |
| 0x5100 | **(byte_5100)** |  |
| 0x50F4 | **(n246088)** |  |
| 0x4FD4 | **(n246088_0)** |  |
| 0x4F11 | **(byte_4FD9)** |  |
| SPI | **Probe Function Table (off_48A00, 4 entries + NULL)** |  |
| SPI | **Pre-Operation Function List (funcs_1E91 at 0x4ED0)** |  |
| Single | **entry: sub_24CC (0x4CC) - SpinWait / Sector check** |  |
| NULL | **terminated** |  |
| SPI | **Post-Operation Function List (funcs_1F10 at 0x4EE0)** |  |
| Single | **entry: sub_2594 (0x2594) - Unlock / Lock release** |  |
| For | **each detected chip type, the probe function copies a 24-byte concon** |  |
| block | **from the .rdata section (off_4F00 etc.) into the SPI_PROTOCOL's** |  |
| Forward | **Declarations** |  |
| REP | **NOP / PAUSE** |  |
| Simple | **1 1 wait loop with PAUSE for short delays** |  |
| Saves | **all callee-saved registers and XMM registers to the JumpBuffer** |  |
| Then | **returns by calling the (target)().** |  |
| 0x5120 | **(unk_5120)** |  |
| Validate | **alignment** |  |
| Save | **non-regolf - not implemented in decompile** |  |
| Restores | **XMM registers and returns to the continuation.** |  |
| Restore | **MXCSR** |  |
| Use | **goto target address** |  |
| Entry | **Point: FlashDriverrSmmryrynry (sub_Error_ModuduleEntryPint)** |  |
| Save | **global** |  |
| Init | **SMM Services Table** | locate gEfiSmmBase2Protocol |
| Init | **HOB list** | locate HOB from configuration table |
| Init | **the flash driver** |  |
| Registers | **SMI handlers for flash compare, write, read, erase** |  |
| SMI | **handlers are registered thru och for communication buffer dispatch** |  |
| HobLibInit | **(sub_2228)** |  |
| Locates | **the HOB pointer from system configuration table** |  |
| ASSERT | **(gHobList != NULL);** |  |
| FlashSmmInit | **-- MM Flash Init (sub_AA4)** |  |
| Init | **the flash driver in SMM:** |  |
| Init | **critical section on-once** |  |
| Set | **up critical section name** |  |
| Probe | **SPI flash chip - iterate thru probe function table** |  |
| Installs | **SMM SPI protocol** |  |
| at | **0x4E78** |  |
| Registers | **SMM SX dispatch for sleep notification** |  |
| SMI | **Flash Compare (sub_13E4)** |  |
| Activated | **when CommBufferSize == 0x2C** |  |
| Reads | **flash at CommBufferAddr and compares with internal content.** |  |
| If | **compare passes, writes FLASH_SIGNAT (0x48454E52) at offset+40.** |  |
| Enter | **critical section (backup PIC, lock SPI)** |  |
| Already | **held; acceptable** |  |
| Read | **flash data through SPI** |  |
| If | **there's an active flash FV range matching this address** |  |
| Mark | **the compare as successful (marker 0x48454E52)** |  |
| Exit | **critical section (restore PIC, unlock SPI)** |  |
| SMI | **Flash Write (sub_14E00)** |  |
| Activated | **when CommBufferSize >= 0x40 (Write FVB)** |  |
| Validates | **alignment (4K-aligned address and size)** |  |
| Validate | **alignment** |  |
| Enter | **critical section** |  |
| Track | **the flash FV region being modified** |  |
| Perform | **the write** |  |
| Exit | **critical section** |  |
| SMI | **Flash Read (sub_15C88)** |  |
| Activated | **when CommBufferSize >= 0x40 (Read FVB)** |  |
| Reads | **flash data into buffer, manages flash FV tracking and teardown.** |  |
| Save | **flash FV state for teardown tracking** |  |
| Read | **flash data** |  |
| Restore | **flash state after read** |  |
| SMI | **Flash Erase (sub_16A4)** |  |
| Activated | **when CommBufferSize >= 0x40 (Erase FVB)** |  |
| Track | **flash FV region for teardown** |  |
| Erase | **the flash** |  |
| Restore | **flash state after erase** |  |
| SMM | **Entry Handler (sub_17B4)** |  |
| Called | **from SMM dispatcher for first SMI.** |  |
| Increments | **recursion depth, acquires SPI lock.** |  |
| First | **entry: run pre-op callbacks** |  |
| Call | **the actual SPI operation handler** |  |
| SMM | **Exit Handler (sub_1850)** |  |
| Decrements | **recursion depth. At 0, runs post-op callbacks** |  |
| and | **cleans up flash FV tracking entries.** |  |
| Last | **exit: run post-op callbacks** |  |
| If | **we just decremented to 0, write erase-complete markers** |  |
| Write | **teardown signature to flash** |  |
| Complete | **the SPI operation** |  |
| FlashRead | **(sub_E88)** |  |
| Reads | **flash data for a possibly-unaligned address.** |  |
| Splits | **into 4K-aligned reads and retries once on failure.** |  |
| Increment | **recursion depth** |  |
| Handle | **unaligned first chunk** |  |
| Lock | **page, read, unlock** |  |
| sub_1F30 | **-- lock/protect** |  |
| sub_1F64 | **-- unlock** |  |
| Main | **loop: full 4K sectors** |  |
| Final | **partial read** |  |
| FlashWrite | **(sub_CC8)** |  |
| Writes | **flash data via SPI. Skips already-erased pages.** |  |
| Only | **writes bytes that differ from erased pattern (0xFF).** |  |
| Scan | **4K page for bytes that need programming** |  |
| Read | **current flash content** |  |
| Already | **erased, skip 8 bytes** |  |
| Entire | **page already erased, skip** |  |
| Lock | **the page, program bytes** |  |
| FlashErase | **(sub_1044)** |  |
| Erases | **flash sectors. For each 4K page:** |  |
| Compare | **flash page with source data** |  |
| Page | **already matches, skip** |  |
| Lock | **page** |  |
| Erase | **need and program** |  |
| Now | **program the data** |  |
| Skip | **erase, just program** |  |
| FlashCompare | **/ SpiReadByte (sub_C7C, sub_2690)** |  |
| Reads | **flash data. Uses SPI read or simple memcpy depending on flash mode.** |  |
| Use | **SPI read for authentic compare** |  |
| Simple | **memcpy** |  |
| Enters | **the SPI critical section:** |  |
| Save | **PIC IMRs** |  |
| port | **0x21** |  |
| port | **0xA1** |  |
| Determine | **if speed-step was enabled** |  |
| Clear | **and save flags** |  |
| Mask | **all interrupts** |  |
| Disable | **speed-step (clear bit 0 on port 0x530)** |  |
| Mark | **locked** |  |
| Leaves | **the SPI critical section.** |  |
| Restore | **PIC state from saved values** |  |
| Clear | **acquired flag** |  |
| Restore | **speed-step if it was enabled** |  |
| SpiOperationComplete | **(sub_2284 wrapper)** |  |
| SpiPreOpCallbacks | **(sub_1E80)** |  |
| Runs | **callbacks in the SPI pre-op function list.** |  |
| If | **gSpiProtocol is available, also calls Lock on SPI chip.** |  |
| Run | **callbacks from the pre-op table (funcs_1E91 at 0x4ED0)** |  |
| The | **pre-op table has a single entry (sub_24CC) or may have more** |  |
| if | **sets of external callbacks are registered.** |  |
| Call | **the protocol's Lock method if available** |  |
| Also | **call SpiInitRegisters (sub_3814)** |  |
| SpiPostOpCallbacks | **(sub_1ED8)** |  |
| Runs | **callbacks in the SPI post-op function list.** |  |
| If | **no protocol, try probe** |  |
| Call | **the protocol's Unlock method (offset 7)** |  |
| Run | **callbacks from the post-op table (funcs_1F10 at 0x4EE0)** |  |
| SpiProbeProtocol | **(sub_2650)** |  |
| Iterates | **through the SpiProbeTable to detect and initialize** |  |
| the | **SPI flash chip protocol.** |  |
| The | **probe table (off_48A00) has 4 entries:** |  |
| ReaJEDEDIdId | **(sub_38B8)** |  |
| Sends | **JEDEC ID command (0x9F) over SPI and reads 3-byte** |  |
| Get | **SPI controller BAR from PCI address** |  |
| Set | **up SPI controller for JEDEC read** |  |
| FADDR | **= 0** |  |
| Cycle | **= JEDEC ID read** |  |
| sub_3544 | **- assert CS** |  |
| sub_1E0C | **// Read JEDEC ID from FDATA0** |  |
| GetFlashSizeFromJedec | **(sub_2A68)** |  |
| Decodes | **the capacity byte (3rd byte of JEDEC ID) to flash size.** |  |
| JIIWORD | **capacity byte** |  |
| Capacity | **encode table (map to capacity nibble)** |  |
| Common | **values:** |  |
| 0x10 | **case 0x11: return 128   * 1024;  // 128KB** |  |
| 256KB | **case 0x13: return 512   * 1024;  // 512KB** |  |
| 1MB | **case 0x15: return 2     * 1024 * 1024;  // 2MB** |  |
| 4MB | **case 0x17: return 8     * 1024 * 1024;  // 8MB** |  |
| 16MB | **}** |  |
| 32MB | **if (Capacity == 0x1A || Capacity == 0x20) return 64 * 1024 * 1024;  // 64MB (dependent)** |  |
| 4MB | **(SST specific)** |  |
| 8MB | **return 16 * 1024 * 1024;  // Default to 16MB** |  |
| SpiExecuteCommand | **(sub_1E0C)** |  |
| Sends | **a command to the SPI controller and waits for completion.** |  |
| Uses | **the timer ticker at port 0x508 for microsecond delay timing.** |  |
| Upper | **bits = retry count** |  |
| Wait | **for SPI cycle to be ready (using timed timer counter)** |  |
| 4M | **emememout default** |  |
| SpiSetCs | **(sub_3544)** |  |
| Asserts | **(CS low) or deasserts (CS high) the SPI chip select.** |  |
| Waits | **for SPI controller readiness before asserting.** |  |
| Wait | **for SPI controller to be ready** |  |
| Set | **FlashControl to enable cycle** |  |
| HSFS_CTL | **= SPI Cycle** |  |
| Wait | **for SPI FDONE** |  |
| Set | **opcode register** |  |
| SpiWaitForCycleComplete | **(sub_35AC)** |  |
| Polls | **the SPI status register until write-in-progress (WIP) is cleared.** |  |
| Cycle | **= Read Status** |  |
| send | **cycle** |  |
| read | **status byte** |  |
| WIP | **cleared** |  |
| SpiInitRegisters | **(sub_3814)** |  |
| Configures | **SPI opcode menu for fast-mode reads on supported chips.** |  |
| Prefetch | **config** |  |
| Opcode | **menu** |  |
| Try | **to set fast-read opcode menu** |  |
| Fast | **read supported** |  |
| Restore | **saved values** |  |
| SpiReadData | **(sub_2714)** |  |
| Reads | **data from SPI flash into a buffer. Calls the SPI protocol** |  |
| ReadSector | **repeatedly until all data read.** |  |
| Ensure | **protocol is available** |  |
| all | **done** |  |
| FlashFvTrackingInit | **(sub_11FCC)** |  |
| Init | **the flash FV tracking array. Used to track FV regions being** |  |
| modified | **during SMI operations for teardown.** |  |
| The | **full implementation populates gFlashTracking[] entries from the** |  |
| flash | **descriptor list from SPI flash debit.** |  |
| FlashFvTrackingTeardown | **(sub_1328)** |  |
| Writes | **the FV back with teardown marker (0x48454E52 == "RNEH").** |  |
| Im | **implementation: write marker to FV header** |  |
| This | **file represents the .data globals and their initial values** |  |
| as | **described from the disassembly.** |  |
| Flash | **Chip Name Strings (.rdata at 0x48C8--0x4C50)** |  |
| The | **following flash chip names are referenced in the probe function** |  |
| strings | **and used for debug/chip announcement:** |  |
| SST | **25LF040 (0x48C8) - "SST 25LF040"** |  |
| SST | **25LF080 (0x48D8) - "SST 25LF080"** |  |
| ATML | **26DF041 (0x48E8) - "ATML 26DF041/25DF041"** |  |
| ATMEL | **26DF081 (0x4900) - "ATMEL 26DF081/25DF081"** |  |
| ATMEL | **26DF161 (0x4918) - "ATMEL 26DF161/25DQ161"** |  |
| ATMEL | **26DF321 (0x4930) - "ATMEL 26DF321/25DF321"** |  |
| ATMEL | **26DF641 (0x4948) - "ATMEL 26DF641/25DF641"** |  |
| ADESTO | **AT25SFF641 (0x4960) - "ADESTO AT25SFF641"** |  |
| ADESTO | **AT25SL641 (0x4978) - "ADESTO AT25SL641"** |  |
| ADESTO | **AT25SL128A (0x4990) - "ADESTO AT25SL128A"** |  |
| SST | **26VF (0x49C0) - "SST 26VF Series"** |  |
| PMCC | **25LV/LQ (0x49D0) - "PMCC 25LV/LLQ Series"** |  |
| AMIC | **25L (0x49E8) - "AMIC 25L Series"** |  |
| AMIC | **25L/LQ (0x49F8) - "AMIC 25L/LQ Series"** |  |
| EON | **25F/Q/S/QH (0x4A10) - "EON 25F/Q/S/QH Series"** |  |
| XMC | **25QU (0x4A50) - "XMC 25QU Series"** |  |
| XMC | **25QH (0x4A60) - "XMC 25QH Series"** |  |
| MXIC | **25L/U (0x4A70) - "MXIC 25L/U Series"** |  |
| MXIC | **25R (0x4A88) - "MXIC 25R Series"** |  |
| Winbond | **25X/Q (0x4A98) - "Winbond 25X/Q Series"** |  |
| GigaDevice | **25Q (0x4AB0) - "GigaDevice 25Q Series"** |  |
| EON | **25P (0x4AC8) - "EON 25P Series"** |  |
| Spansion | **25FL (0x4B18) - "Spansion 25FL Series"** |  |
| Spansion | **25FL(P) (0x4B30) - "Spansion 25FL(P) Series"** |  |
| Spansion | **25FL(K) (0x4B48) - "Spansion 25FL(K) Series"** |  |
| Spansion | **25FL(L) (0x4B60) - "Spansion 25FL(L) Series"** |  |
| FIDELIX | **25Q (0x4B98) - "FIDELIX 25Q Series"** |  |
| FFFan | **FM25Q (0x4BB0) - "FuFFan FM25Q Series"** |  |
| ISSI | **II5LP (0x4BC8) - "ISSI I25LP Series"** |  |
| ISSI | **I25WP (0x4BE0) - "ISSI 25WP Series"** |  |
| ESMT | **MT5L QA/PA (0x4BF8) - "ESMT 25L AQA/PA Series"** |  |
| SST | **25VF (0x4C10) - "SST 25VF Series"** |  |
| ESMT | **25L T (0x4C20) - "ESMT 25L T Series"** |  |
| ESMT | **25L B (0x4C38) - "ESMT 25L B Series"** |  |
| End | **of FlashDriverSmm.c** |  |

---
*Generated by HR650X BIOS Decompilation Project*