Reverse Engineering

How to quickly rip apart a UEFI firmware

Imagine this. It’s been a couple of months since you upgraded your trusty laptop with a good old SSD, and the speed is fair, but there’s just something wrong. Hibernation is taking ages, but why? You rip your firmware apart and find out they’ve crippled your S-ATA controller.

Enter the Panasonic Toughbook CF-19 MK3, one of those built-as-a-tank laptops nobody normal has heard about, and its Intel ICH9M chipset, crippled but cool. Literally.

This hardened machine is a marvel of thermal design: the entire case is IP54 waterproof and has MIL-STD 810F impact resistance, which means the entire system is only passively cooled. Chipsets and CPUs tend to get hot, and while picking a low-power CPU is often easy, a chipset in an extremely tight thermal design is better off throttled.

As it appears, the S-ATA controller inside the CF-19’s ICH9M chipset is normally capable of Gen 2 (3.0 Gb/s) performance, but only performs at Gen 1 (1.5 Gb/s). So how did they pull this off?

From a firmware engineer’s point of view, the solution is quite easy: just throttle it at the lowest system level. The datasheet shows us how:

[Image: pxsctl, datasheet excerpt]
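To check whether a port is being held back this way, here is an added example (not code from the original post or from the firmware) that decodes the speed fields of the port's SControl (PxSCTL) and SStatus (PxSSTS) registers. The bit layout follows the AHCI specification; the register values and the `max_gen` parameter are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* AHCI port registers (offsets from the port's register base, per the AHCI spec). */
#define PX_SSTS 0x28u /* SStatus: what the link actually negotiated */
#define PX_SCTL 0x2Cu /* SControl: what software allows the link to do */

/* Both registers keep their speed value in bits 7:4. */
static unsigned spd_field(uint32_t reg) { return (reg >> 4) & 0xFu; }

/* PxSCTL.SPD: 0 = no restriction, n = limit negotiation to Gen n. */
unsigned sctl_speed_limit(uint32_t sctl) { return spd_field(sctl); }

/* PxSSTS.SPD: 0 = no link established, n = link currently running at Gen n. */
unsigned ssts_current_gen(uint32_t ssts) { return spd_field(ssts); }

/* PxSSTS.DET (bits 3:0) == 3: device present and Phy communication up. */
int ssts_link_up(uint32_t ssts) { return (ssts & 0xFu) == 3u; }

/*
 * Returns 1 when the link is up and runs exactly at a cap set in PxSCTL
 * that is below what the controller supports. max_gen is an assumption
 * supplied by the caller from the chipset datasheet (2 for a Gen 2 part).
 */
int port_is_throttled(uint32_t sctl, uint32_t ssts, unsigned max_gen)
{
    unsigned limit = sctl_speed_limit(sctl);
    if (!ssts_link_up(ssts) || limit == 0 || limit >= max_gen)
        return 0;
    return ssts_current_gen(ssts) == limit;
}

int main(void)
{
    /* Constructed register values, not dumped from a real CF-19. */
    uint32_t sctl = 0x00000010; /* SPD=1: limit to Gen 1 */
    uint32_t ssts = 0x00000113; /* IPM=1 active, SPD=1 Gen 1, DET=3 link up */
    printf("limit=Gen%u current=Gen%u throttled=%d\n",
           sctl_speed_limit(sctl), ssts_current_gen(ssts),
           port_is_throttled(sctl, ssts, 2));
    return 0;
}
```

On Linux, libata prints both register values in its link-up message (`SStatus ... SControl ...`), which is one source of inputs. A drive that itself only supports Gen 1 will also match, so confirm the drive's capability before blaming the firmware.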

Now, UEFI firmwares are built using elaborate development kits from companies such as American Megatrends or Phoenix Technologies, and contain vendor-specific driver code in something called the Driver eXecution Environment (DXE).

A quick dissection of the CF-19’s UEFI firmware, which has been built using the American Megatrends Aptio development kit, shows us (among many other hidden gems) the following UEFI DXE driver:

[Image: mmtool2, MMTool driver list]

This list, generated with AMI’s Aptio MMTool, will on its own give you good insight into the low-level functionality of your own machine. The DXE drivers themselves are built in a PE-compatible executable format called TE; we will save reverse engineering those for another time.

For those wanting to get rid of the throttling, look no further. Just don’t forget it was put there for a reason.

About the author: murray
