yeet another post

2023-10-19 16:35:28 -07:00 · 2023-10-19 16:35:28 -07:00 · 26d2e57e42
commit 26d2e57e42
parent 7e0b3a05e1
1 changed files with 220 additions and 0 deletions
--- a/content/posts/pulling-apart-dell-uefi.md
+++ b/content/posts/pulling-apart-dell-uefi.md
@ -0,0 +1,220 @@
 +++
 date = "2023-10-19"
 draft = false
 path = "/blog/pulling-apart-dell-uefi"
 tags = ["uefi"]
 title = "Pulling apart Dell UEFI images and messing with ACPI"
 +++
 This is a quick post to write down the method that worked for me to acquire and
 pull apart a Dell UEFI image to get the executables out, and how to poke at
 ACPI.
 The specific issue I was curious about and trying to find more information
 about is the [`rtsx` card reader NVMe regression][rtsx-explanation] on the Dell
 XPS 15 9560, which is the laptop I use.
 [rtsx-explanation]: https://lore.kernel.org/regressions/c7bdd821686e496eb31e4298050dfb72@realtek.com/
 The regression was caused by the card reader driver no longer setting a
 register that forces the PCIe `CLKREQ#` pin to be always pulled low, which was,
 in effect, making the kernel no longer ask the chipset for PCIe clock all the
 time.
 However, this is even more confusing, because this is essentially a
 force-disabling bit for attempting to do PCIe ASPM, which was never enabled in
 the first place on the machine!
 For *some reason*, the *card reader* ceasing to ask the chipset for clock all
 the time (which, given that ASPM is purportedly disabled in the ACPI tables,
 should be a no-op!) caused the *NVMe SSD*, which has nothing to do with the
 card reader, to lose its PCIe link after the card reader driver loads. Further,
 this happened to every kind of SSD, so it must be some kind of platform bug.
 If you have any ideas of why this is happening, send me an email at &lt;bug at jade
 dot fyi&gt;, I am very curious.
 # Extracting the firwmare
 I acquired a copy of the firmware [from fwupd here][fwupd]. This is a
 Microsoft cabinet file. I then used [BIOSUtilities] and p7zip to extract it:
 [fwupd]: https://fwupd.org/lvfs/devices/com.dell.uefi34578c72.firmware
 ```
 mkdir bios
 mv ../4d77eabfe13e3d153dfe9f19b570de40cc90260ef7229b2ca070e06b5c840040-Dell_XPS_15_9560_Precision_5520_System_BIOS_Ver.1.24.0.cab bios
 (cd bios; 7z x *.cab)
 python Dell_PFS_Extract.py -i bios -o bios_ex
 ```
 This then produces some files:
 ```
 BIOSUtilities » ls bios_ex/firmware.bin_extracted/Firmware/1\ firmware\ --\ *
 'bios_ex/firmware.bin_extracted/Firmware/1 firmware -- 1 System BIOS with BIOS Guard v1.24.0.bin'
 'bios_ex/firmware.bin_extracted/Firmware/1 firmware -- 2 Embedded Controller v1.0.29.bin'
 'bios_ex/firmware.bin_extracted/Firmware/1 firmware -- 3 Intel Management Engine (VPro) Update v11.8.86.3877.bin'
 'bios_ex/firmware.bin_extracted/Firmware/1 firmware -- 4 Main System TI Port Controller 0 v7.0.0.31.bin'
 'bios_ex/firmware.bin_extracted/Firmware/1 firmware -- 5 System Board Map v1.0.1.bin'
 'bios_ex/firmware.bin_extracted/Firmware/1 firmware -- 6 PCR0 XML v0.0.0.1.xml'
 'bios_ex/firmware.bin_extracted/Firmware/1 firmware -- 7 Model Information v1.0.0.0.txt'
 ```
 [BIOSUtilities]: https://github.com/platomav/BIOSUtilities
 From here, you can use UEFITool on these files:
 ```
 UEFITool firmware.bin_extracted/Firmware/1\ firmware\ --\ 1\ System\ BIOS\ with\ BIOS\ Guard\ v1.24.0.bin
 ```
 From here you can go hunting through the data in there or try `UEFIExtract`.
 You can find a PE32 image called Setup somewhere in the UEFI image, and extract
 it. With such an image, you can use [`ifrextractor`][ifrextractor] to pull out
 the BIOS options. Acquire a copy like so:
 [ifrextractor]: https://github.com/LongSoft/IFRExtractor-RS
 `ifrextractor.nix`:
 ```nix
 { rustPlatform, fetchFromGitHub }:
 rustPlatform.buildRustPackage {
  pname = "ifrextractor";
  version = "0.0.1";
  src = fetchFromGitHub {
    owner = "longsoft";
    repo = "ifrextractor-rs";
    rev = "f40b9be0da561ede62f3988072100550a73d5386";
    sha256 = "sha256-No0H91iMcOQlE0Hcc+w02w5CP3M+Ixct+92+XsreIik=";
  };
  cargoSha256 = "sha256-smVHEBhjUcy4ApyJzhV31sMTB87Cdq59fxkSJsS1/cw=";
 }
 ```
 ```
 nix-build -E 'with import <nixpkgs> {}; callPackage ./ifrextractor.nix'
 ```
 Then extract the setup stuff with the following:
 ```
 ifrextractor firmware.bin_extracted/Section_PE32_image_Setup_body.efi
 ```
 Then read the extremely large file named like:
 `Section_PE32_image_Setup_body.efi.0.0.en-US.ifr.txt`.
 If you *did* want to tamper with hidden settings, you could potentially have
 such bad ideas with similar methods to the following (please take a backup of
 the NVRAM first to not brick your computer!):
 * <https://ristovski.github.io/posts/inside-insydeh2o/#peeking-inside-the-bios-image>
 * <https://hansdegoede.livejournal.com/25413.html>
 If you want to stick the thing in Ghidra, there does [exist an extension,
 efiSeek][efiSeek], but I couldn't really tell if it was providing any useful
 analysis results.
 [efiSeek]: https://github.com/DSecurity/efiSeek
 # ACPI
 In investigating the power management issue I was curious about, I wanted to
 understand what was in the ACPI tables and what was going on. These tables are
 probably somewhere in the UEFI image as well, but I am not sure where.
 You can dump the ACPI tables from a running system using `acpidump` from `acpica-tools`:
 ```
 mkdir acpi && cd acpi
 sudo acpidump -b
 iasl -d *.dat
 ```
 If you want to get values of ACPI variables, you can use the [ACPI
 debugger][acpidbg] from the Linux kernel distribution:
 [acpidbg]: https://docs.kernel.org/firmware-guide/acpi/aml-debugger.html
 First, enable the right Kconfig options:
 ```nix
 { lib, config, ... }: {
  boot.kernelPackages = pkgs.linuxPackages.extend (self: super: {
    kernel = super.kernel.override (old: {
      kernelPatches = old.kernelPatches ++ [
        {
          name = "acpi_nonsense";
          patch = null;
          extraStructuredConfig = with lib.kernel; {
            ACPI_DEBUGGER = yes;
            ACPI_DEBUGGER_USER = module;
            DEVMEM = yes;
            STRICT_DEVMEM = no;
            IO_STRICT_DEVMEM = option no;
          };
        }
      ];
    });
  });
 }
 ```
 Then:
 ```
 cd some-linux-sources
 make acpi
 sudo ./power/acpi/acpidbg
 ```
 Inside the debugger you can print out things:
 ```
 - Evaluate UCSI
 Evaluating \UCSI
 Evaluation of \UCSI returned object 00000000a57a6a95, external buffer length 18
 [Integer] = 0000000000000000
 ```
 You can also use `Dump` to get information about a variable, such as its
 offset, if you need to peek/poke the memory.
 ---
 If you want to tamper with the ACPI tables for investigating a potential fix,
 there are a couple of ways to do it.
 At runtime, you can [load an overlay][overlay]:
 ```
 modprobe acpi_configfs
 cd /sys/kernel/config/acpi/table/
 mkdir my-ssdt ; cat ~youruser/somewhere/my-ssdt.aml > my-ssdt/aml
 # unload with:
 rmdir my-ssdt
 ```
 [overlay]: https://www.kernel.org/doc/html/latest/admin-guide/acpi/ssdt-overlays.html
 It's also possible to replace the ACPI tables [with the initrd][initrd-acpi]:
 Create a cpio archive with `kernel/firmware/acpi/*.dat`, then prepend it to the
 actual initrd.
 [initrd-acpi]: https://docs.kernel.org/admin-guide/acpi/initrd_table_override.html
 # Conclusion
 This whole affair did not achieve much, but it was very interesting, and I have
 more of an idea how firmware works on x86.
 For further information:
 - [ACPI Spec][https://uefi.org/sites/default/files/resources/ACPI_Spec_6_5_Aug29.pdf]
 There may also exist schematics of the machine online, but I cannot confirm
 this.