flat assembler
Message board for the users of flat assembler.

Index > OS Construction > Need access to UEFI setup variables

Author
Thread Post new topic Reply to topic
Overclick



Joined: 11 Jul 2020
Posts: 658
Location: Ukraine
Overclick 09 Aug 2023, 11:48
Hi
I'm looking for some possibility to access NVRAM at early boot stage from UEFI itself.
I'm new on this coding and I know almost nothing. How to calculate offset? How to unpack NVRAM if needed? My RAW driver as blind kitten. I don't even know it's on CAR or RAM. All I know it's already moved to next form firmware body.
Post 09 Aug 2023, 11:48
View user's profile Send private message Visit poster's website Reply with quote
I



Joined: 19 May 2022
Posts: 58
I 23 Aug 2023, 01:44
Well I know next to nothing and only a little experience with HW that is 10 years old or more but as there haven't been any answers I will try to help.

How early? Usually 'GetVariable' call is used to read info but this info is a little like reading a data section in a program, one needs to know what is being referenced for it to make sense. If you are looking for stuff that can be seen in the BIOS Setup screen then parsing the relevant UEFI form(s) would help. Without source code the rest would probably need some serious BIOS debugging.

Can you link firmware of a UEFI/BIOS you are using and example of what you want to do? might make explaining easier.
Post 23 Aug 2023, 01:44
View user's profile Send private message Reply with quote
Overclick



Joined: 11 Jul 2020
Posts: 658
Location: Ukraine
Overclick 23 Aug 2023, 04:47
I need to read Voltage settings to use it in my RAW (SMM) driver as my mobo ignoring that settings for locked Xeon. So first of all I need to read it somehow by own DXE driver then modify RAW driver in SMRAM by that values.

Another solution is to modify UEFI to let it use mechanics provided to change voltage for unlocked processors. But there is another problem -- checksum, security check etc. Any modifications in PEI drivers even one byte completelly breacks loading. I tried to focus on Security using IDA but it seems protected from be clearly analysed.

https://download.asrock.com/BIOS/2011/X99%20Extreme4(3.81)ROM.zip


Last edited by Overclick on 23 Aug 2023, 11:47; edited 1 time in total
Post 23 Aug 2023, 04:47
View user's profile Send private message Visit poster's website Reply with quote
I



Joined: 19 May 2022
Posts: 58
I 23 Aug 2023, 09:38
Will take a look. Which xeon? I take it's for increasing all core turbo?
Post 23 Aug 2023, 09:38
View user's profile Send private message Reply with quote
Overclick



Joined: 11 Jul 2020
Posts: 658
Location: Ukraine
Overclick 23 Aug 2023, 11:53
I just don't want to reflash my firmware each time I want to change settings little bit.

Have a look at my RAW driver
https://board.flatassembler.net/topic.php?t=22733
Post 23 Aug 2023, 11:53
View user's profile Send private message Visit poster's website Reply with quote
I



Joined: 19 May 2022
Posts: 58
I 23 Aug 2023, 13:19
by Payne lol, what he did was change some of the text output, adding 'by payne' and compile by changing the master voltage setting while taking credit for someone else's work.

Yes, that's okay for checking for function but not a good way to do it IMO. Your BIOS has voltage settings suppressed in Setup, can bypass those to give voltage adjustment in BIOS setup. Maybe can use Intel FPT 9.1 for backup/flashing?

IIRC the early BIOS read variable is readonly and 32-bit when first loading.
Post 23 Aug 2023, 13:19
View user's profile Send private message Reply with quote
Overclick



Joined: 11 Jul 2020
Posts: 658
Location: Ukraine
Overclick 23 Aug 2023, 14:15
I wrote:
by Payne lol

You look at wrong place. I don't care who was the first to use MSR registers, I think it was Intel. That principle have used in everyone TurboBoost or Undervolt solution (RAW,DXE,PEI,boot loader)
Anyway my question is not about payne or flash tool. I'm looking for variables to read. I see some parameters for that variables in NVRAM section but need some example to calculate the address from provided offsets. No matter its Asrock offset or Default Intel as I was opened that hided default menu.


Description:
Filesize: 56.82 KB
Viewed: 2238 Time(s)

vcore.PNG


Post 23 Aug 2023, 14:15
View user's profile Send private message Visit poster's website Reply with quote
I



Joined: 19 May 2022
Posts: 58
I 24 Aug 2023, 05:22
DXE
Code:
format pe64 dll efi
entry start

struc GUID def
 {
   match d1-d2-d3-d4-d5, def
    \{
      .Data1 dd 0x\#d1
      .Data2 dw 0x\#d2
      .Data3 dw 0x\#d3
      .Data4 db 0x\#d4 shr 8,0x\#d4 and 0FFh
      .Data5 db 0x\#d5 shr 40,0x\#d5 shr 32 and 0FFh,0x\#d5 shr 24 and 0FFh,0x\#d5 shr 16 and 0FFh,0x\#d5 shr 8 and 0FFh,0x\#d5 and 0FFh
    \}
 }

macro struct name
{
  virtual at 0
    name name
  end virtual
}

struc int32 {
  align 4
  . dd ?
}

struc int64 {
  align 8
  . dq ?
}

struc intn {
  align 8
  . dq ?
}

struc dptr {
  align 8
  . dq ?
}

struc EFI_TABLE_HEADER {
 .Signature    int64
 .Revision     int32
 .HeaderSize   int32
 .CRC32        int32
 .Reserved     int32
}
struct EFI_TABLE_HEADER

struc EFI_SYSTEM_TABLE {
 .Hdr                  EFI_TABLE_HEADER
 .FirmwareVendor       dptr
 .FirmwareRevision     int32
 .ConsoleInHandle      dptr
 .ConIn                dptr
 .ConsoleOutHandle     dptr
 .ConOut               dptr
 .StandardErrorHandle  dptr
 .StdErr               dptr
 .RuntimeServices      dptr
 .BootServices         dptr
 .NumberOfTableEntries intn
 .ConfigurationTable   dptr
}
struct EFI_SYSTEM_TABLE

struc EFI_RUNTIME_SERVICES_TABLE {
 .Hdr                   EFI_TABLE_HEADER
 .GetTime               dptr
 .SetTime               dptr
 .GetWakeUpTime         dptr
 .SetWakeUpTime         dptr
 .SetVirtualAddressMap  dptr
 .ConvertPointer        dptr
 .GetVariable           dptr
 .GetNextVariableName   dptr
 .SetVariable           dptr
 .GetNextHighMonoCount  dptr
 .ResetSystem           dptr
}
struct EFI_RUNTIME_SERVICES_TABLE

struc SIMPLE_TEXT_OUTPUT_INTERFACE {
 .Reset             dptr
 .OutputString      dptr
 .TestString        dptr
 .QueryMode         dptr
 .SetMode           dptr
 .SetAttribute      dptr
 .ClearScreen       dptr
 .SetCursorPosition dptr
 .EnableCursor      dptr
 .Mode              dptr
}
struct SIMPLE_TEXT_OUTPUT_INTERFACE

;====================================================================
section '.text' code executable readable

 start:
        push    r15

        sub     rsp,20*8
        mov     r15,rdx                                         ; pointer to SystemTable

        lea     rcx,[pVariableName]                             ; Setup
        lea     rdx,[pGuid]                                     ; GUID  EC87D643-EBA4-4BB5-A1E5-3F3E36B20DA9
        lea     r8,[Attributes]
        lea     r9,[StoreSize]                                  ; 0x1a9 (will return size if wrong + error)
        lea     rax,[VarBuff]                                   ; Place to save values
        mov     qword[rsp+20h],rax
        mov     rax,[r15 + EFI_SYSTEM_TABLE.RuntimeServices]
        call    [rax + EFI_RUNTIME_SERVICES_TABLE.GetVariable]
        mov     [Result],rax
        movzx   rdx,word[VarBuff+0xf3]                          ; Vcore Voltage Additional Offset at 0xf3 (16bit)
        test    rax,rax
        jz      @f

        lea     rdx,[_Error]
        call    TextOut
        mov     rdx,[Result]

 @@:
        lea     rdi,[HexBuff+22h]                               ; Print result routine
        std
        mov     ecx,16
 NextHex:       
        mov     al,dl
        and     al,0xf
        cmp     al,9
        jbe     @f
        add     al,7
 @@:
        add     al,'0'
        stosw
        shr     rdx,4
 ;       dec     ecx                                            ; comment out for no leading zero's
        jnz     NextHex 

        lea     rdx,[rdi-2]
        mov     dword[rdx],0x780030                             ; du '0x'
        cld

        call    TextOut
        add     rsp,20*8
        xor     rax,rax
        pop     r15
        ret

 TextOut:
        sub     rsp,5*8
        mov     rcx, [r15 + EFI_SYSTEM_TABLE.ConOut]
        call    [rcx + SIMPLE_TEXT_OUTPUT_INTERFACE.OutputString]
        add     rsp,5*8
        ret

align 16
 pGuid          GUID  EC87D643-EBA4-4BB5-A1E5-3F3E36B20DA9 ;dq 4BB5EBA4EC87D643h, 0A90DB2363E3FE5A1h;
 pVariableName  du 'Setup',0
 _Error         du 'Error ',0

;====================================================================
section '.data' data readable writeable
 SystemTable    dq 0
 StoreSize      dq 0x1a9
 Result         dq 0
 Attributes     dd 0
 HexBuff        rw 18
                dd 0xa00                                        ; line feed
 VarBuff        rb 0x1a9

;====================================================================
section '.reloc' fixups data readable discardable
if ~ $-$$
    dd                  0,8
end if    




PEI
Code:
;============================================================================
; Read Setup  (PEI)
;----------------------------------------------------------------------------
        mov     eax,[ebp+0ch]                           ; PeiServices
        mov     ecx, dword [eax]
        push    ebx

        lea     edx, [ebp-4H]                           ;
        push    edx                                     ; pGetVariable
        xor     ebx, ebx
        push    ebx                                     ; Null
        push    ebx                                     ; 0
        push    EfiPeiReadOnlyVariable2PpiGuid          ; EfiPeiReadOnlyVariable2PpiGuid
        push    eax                                     ; PeiServices
        mov     dword [ebp-4H], ebx                     ; mov [pGetVariable],0
        mov     dword [ebp-8H], 0x1A9                   ; Store size
        call    near [ecx+20H]                          ; PeiServicesLocatePpi ?
        add     esp, 20
;        test    eax, eax
;        jl      StoreFail                               ; Jump if negative (failed)


        lea     eax, [ebp-200H]                         ;
        push    eax                                     ; Place to save values
        lea     eax, [ebp-8H]                           ;
        push    eax                                     ; Store Size (1A9)
        mov     eax, dword [ebp-4H]                     ;
        push    ebx                                     ; Null
        push    EfiSetupVariableGuid                    ; EfiSetupVariableGuid
        push    Setup                                   ; Store name (Setup)
        push    eax                                     ; pGetVariable
        call    near [eax]                              ; GetVariable
        add     esp, 24
        pop     ebx
;        test    eax, eax
;        jnz     StoreFail                               ; jump not success

;----------------------------------------------------------------------------

 EfiSetupVariableGuid                   GUID EC87D643-EBA4-4BB5-A1E5-3F3E36B20DA9
 EfiPeiReadOnlyVariable2PpiGuid         GUID 2ab86ef5-ecb5-4134-b556-3854ca1fe1b4
 Setup                                  du 'Setup',0
    
Post 24 Aug 2023, 05:22
View user's profile Send private message Reply with quote
Overclick



Joined: 11 Jul 2020
Posts: 658
Location: Ukraine
Overclick 25 Aug 2023, 00:54
DXE works just fine thanks. My next step will be SMM modification from that DXE for Sleep Mode
Do you know how to compile directly to <file>.ffs ? I using converter for now.

I don't touch PEI until security issues passed.
Post 25 Aug 2023, 00:54
View user's profile Send private message Visit poster's website Reply with quote
Overclick



Joined: 11 Jul 2020
Posts: 658
Location: Ukraine
Overclick 13 Sep 2023, 23:12
I do not deal with SMM, my mistake. Do you know how to read variables from much earlier SEC phase? If it's impossible without huge bunch of initialisations then can I modify RAM copy of firmware somehow by DXE? As I see it checking itself for S-states it loads from, that means some modifying is possible and I think it's located in RAM copy or not?


Description:
Filesize: 10.5 KB
Viewed: 1947 Time(s)

Capture1.PNG


Description:
Filesize: 24.13 KB
Viewed: 1947 Time(s)

Capture.PNG


Post 13 Sep 2023, 23:12
View user's profile Send private message Visit poster's website Reply with quote
Overclick



Joined: 11 Jul 2020
Posts: 658
Location: Ukraine
Overclick 13 Oct 2023, 16:28
As I did not find any possibility to get settings at SEC (early boot) stage I did little patcher for boot sector of BIOS from 0xFF0000 to the end that works fast.
To accept new settings it needs only to Sleep/Wakeup after patch.


Description:
Download
Filename: FlyTurboBoostPatcher_v6.rar
Filesize: 294.36 KB
Downloaded: 70 Time(s)

Post 13 Oct 2023, 16:28
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.