▄▄▄▄· ▪  ▄▄▄▄▄▄▄▌         ▄▄ • 
▐█ ▀█▪██ •██  ██•  ▪     ▐█ ▀ ▪
▐█▀▀█▄▐█· ▐█.▪██▪   ▄█▀▄ ▄█ ▀█▄
██▄▪▐█▐█▌ ▐█▌·▐█▌▐▌▐█▌.▐▌▐█▄▪▐█
·▀▀▀▀ ▀▀▀ ▀▀▀ .▀▀▀  ▀█▄▀▪·▀▀▀▀

How to quickly rip apart a UEFI firmware

2014/12/12 Cecill Etheredge // ijsf

Imagine this. It’s been a couple of months since you upgraded your trusty laptop with a good old SSD, the speed is fair but there’s just something wrong. Hibernation is taking ages, but why? You rip your firmware apart and find out they’ve crippled your S-ATA controller..

Enter the Panasonic Toughbook CF-19 MK3, one of those built-as-a-tank laptops used by government agencies all around, and its Intel ICH9M chipset, crippled but cool.

This hardened machine has an interesting thermal design: the entire case is IP54 and MIL-STD-810F rated for waterproofing and impact resistance, meaning that the entire system is only passively cooled. Chipsets and CPUs tend to get hot, and although a particular choice of low-power CPU is often easy, a chipset is better off throttled in cases of extremely tight thermal design.

As it appears, the S-ATA controller inside the CF-19’s ICH9M chipset is normally capable of Gen 2 (3.0 Gb/s) performance, but only performs at Gen 1 (1.5 Gb/s). So how did they pull this off?

From an electric engineer’s point-of-view, the solution can be quite easy: just throttle the entire system to reduce its thermal output. The chipset datasheet shows us how:

pxsctl

Now, UEFI firmwares are built using elaborate development kits from companies such as American Megatrends or Phoenix Technologies, and contain vendor-specific driver code in something called the Driver eXecution Environment.

A quick dissection of the CF-19’s UEFI firmware, which has been built using the American Megatrends Aptio development kit, shows us (among many other hidden gems) the following UEFI DXE driver:

mmtool2

This list, generated with AMI’s Aptio MMTool, alone will give anyone a good insight into the low-level functionality of your own machine. The DXE drivers themselves are built in a PE-compatible executable format called TE, for which we will save the reverse engineering for another time.

For those wanting to get rid of the throttling, look no further. Just don’t forget it was put there for a reason.