* Binary MOF buffer in WMI is finally decoded!
From: Pali Rohár @ 2017-06-04 16:09 UTC (permalink / raw)
To: Darren Hart, Mario.Limonciello, Rafael Wysocki, Andy Lutomirski,
andriy.shevchenko
Cc: platform-driver-x86, linux-kernel
Hi!

As already mentioned in the RFC: WMI Enhancements thread [1], I looked
at the binary MOF buffer used by WMI, which is included in the ACPI DSDT
table.

That binary MOF buffer contains a description of the WMI methods and
structures used by ACPI-WMI. It also contains a mapping from human
readable function names to the ACPI-WMI magical numbers used for calling
WMI methods via ACPI.

Basically, in that binary MOF buffer is a description of the structures
used as input and output arguments for WMI methods/function calls.

Until now, there was no information about, nor any parser of, those
binary MOF files (.bmf files). There is some Microsoft proprietary tool
which can compile a text MOF file to binary and vice versa.

I was able to decode that binary MOF format and wrote a simple bmfparse
tool. It is available in the git repository [2]. Currently, parsing of
function parameters is not implemented yet.

The binary MOF format is compressed by the prehistoric DS-01 algorithm
(a modification of LZ-77), which was used as the compression algorithm
for FAT-16. Maybe you remember DMSDOS or DoubleSpace... After
decompression, the whole format is so shitty, probably half of the data
are just lengths of sub structures and sub-sub-... structures.

I hope this bmfparse program will help in writing new WMI drivers for
Linux or in the inspection of available WMI methods.

Probably we could implement a parser of BMOF in the kernel and allow
validation of function parameters or usage of human readable names of
WMI methods?

[1] - https://www.spinics.net/lists/platform-driver-x86/msg11574.html
[2] - https://github.com/pali/bmfdec
--
Pali Rohár
pali.rohar@gmail.com
* Re: Binary MOF buffer in WMI is finally decoded!
From: Pali Rohár @ 2017-06-05 22:08 UTC (permalink / raw)
To: Darren Hart
Cc: Mario.Limonciello, Rafael Wysocki, Andy Lutomirski,
andriy.shevchenko, platform-driver-x86, linux-kernel
On Sunday 04 June 2017 18:09:21 Pali Rohár wrote:
> Hi!
>
> As already mentioned in the RFC: WMI Enhancements thread [1], I looked
> at the binary MOF buffer used by WMI, which is included in the ACPI
> DSDT table.
>
> That binary MOF buffer contains a description of the WMI methods and
> structures used by ACPI-WMI. It also contains a mapping from human
> readable function names to the ACPI-WMI magical numbers used for
> calling WMI methods via ACPI.
>
> Basically, in that binary MOF buffer is a description of the
> structures used as input and output arguments for WMI methods/function
> calls.
>
> Until now, there was no information about, nor any parser of, those
> binary MOF files (.bmf files). There is some Microsoft proprietary
> tool which can compile a text MOF file to binary and vice versa.
>
> I was able to decode that binary MOF format and wrote a simple
> bmfparse tool. It is available in the git repository [2]. Currently,
> parsing of function parameters is not implemented yet.
>
> The binary MOF format is compressed by the prehistoric DS-01 algorithm
> (a modification of LZ-77), which was used as the compression algorithm
> for FAT-16. Maybe you remember DMSDOS or DoubleSpace... After
> decompression, the whole format is so shitty, probably half of the
> data are just lengths of sub structures and sub-sub-... structures.
>
> I hope this bmfparse program will help in writing new WMI drivers
> for Linux or in the inspection of available WMI methods.
>
> Probably we could implement a parser of BMOF in the kernel and allow
> validation of function parameters or usage of human readable names of
> WMI methods?
>
> [1] - https://www.spinics.net/lists/platform-driver-x86/msg11574.html
> [2] - https://github.com/pali/bmfdec

Small update: function parameters are now decoded too. I fixed some
problems and added a new tool, bmf2mof, which decompiles a BMF file back
to a UTF-8 encoded plain text MOF file. It is in the git repository:

https://github.com/pali/bmfdec

I ran it on more binary WMI MOF buffers and it successfully parsed
everything.

So if you have some time, I would like to ask you to test those tools
to see if they can parse binary WMI MOF buffers without problems.

As I wrote it by just looking at decompressed dumps without any
documentation, it does not have to be correct or working... Also there
are no proper checks for buffer overflows yet.

--
Pali Rohár
pali.rohar@gmail.com
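
Added example, not part of the original thread and not code from bmfdec: the messages above describe the decompressed data as nested length-prefixed sub-structures and note that overflow checks are still missing, so this C example shows the checks a walker over such data needs before trusting any length field. The record layout (u32 total length, u32 type, type 1 meaning "contains child records"), the sample bytes and all names are assumptions made for illustration, not the real BMOF layout.

```c
#include <stddef.h>
#include <stdint.h>
#define HDR_SIZE   8u  /* assumed layout: u32 total length + u32 type */
#define TYPE_GROUP 1u  /* assumed: payload is a run of child records */
#define MAX_DEPTH  16  /* cap recursion on hostile nesting */

/* Constructed samples; sample_bad's child claims 64 bytes, 12 remain. */
const uint8_t sample_ok[28] = { 28,0,0,0, 1,0,0,0, 12,0,0,0, 2,0,0,0,
    'W','M','I','!', 8,0,0,0, 2,0,0,0 };
const uint8_t sample_bad[20] = { 20,0,0,0, 1,0,0,0, 64,0,0,0, 2,0,0,0,
    'W','M','I','!' };

/* Little-endian u32; the caller guarantees 4 readable bytes. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk the records in buf[0..len). Returns the number of records seen,
 * children included, or -1 as soon as a length field is inconsistent. */
long walk_records(const uint8_t *buf, size_t len, int depth)
{
    size_t off = 0;
    long count = 0;
    if (depth > MAX_DEPTH)
        return -1;
    while (off < len) {
        size_t left = len - off;
        uint32_t rec_len;
        if (left < HDR_SIZE)            /* truncated header */
            return -1;
        rec_len = rd32(buf + off);
        /* Below HDR_SIZE the loop would stall and the child size would
         * underflow; above 'left' the record escapes its parent. */
        if (rec_len < HDR_SIZE || rec_len > left)
            return -1;
        count++;
        if (rd32(buf + off + 4) == TYPE_GROUP) {
            long n = walk_records(buf + off + HDR_SIZE,
                                  rec_len - HDR_SIZE, depth + 1);
            if (n < 0)
                return -1;
            count += n;
        }
        off += rec_len;
    }
    return count;
}
```

Each child is validated against the bytes remaining in its parent rather than against the whole buffer, so a sub-structure cannot claim data belonging to a sibling or to whatever follows the buffer.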
* Re: Binary MOF buffer in WMI is finally decoded!
From: Pali Rohár @ 2017-06-16 12:53 UTC (permalink / raw)
To: Darren Hart
Cc: Mario.Limonciello, Rafael Wysocki, Andy Lutomirski,
andriy.shevchenko, platform-driver-x86, linux-kernel
On Tuesday 06 June 2017 00:08:49 Pali Rohár wrote:
> On Sunday 04 June 2017 18:09:21 Pali Rohár wrote:
> > Hi!
> >
> > As already mentioned in the RFC: WMI Enhancements thread [1], I
> > looked at the binary MOF buffer used by WMI, which is included in
> > the ACPI DSDT table.
> >
> > That binary MOF buffer contains a description of the WMI methods and
> > structures used by ACPI-WMI. It also contains a mapping from human
> > readable function names to the ACPI-WMI magical numbers used for
> > calling WMI methods via ACPI.
> >
> > Basically, in that binary MOF buffer is a description of the
> > structures used as input and output arguments for WMI
> > methods/function calls.
> >
> > Until now, there was no information about, nor any parser of, those
> > binary MOF files (.bmf files). There is some Microsoft proprietary
> > tool which can compile a text MOF file to binary and vice versa.
> >
> > I was able to decode that binary MOF format and wrote a simple
> > bmfparse tool. It is available in the git repository [2]. Currently,
> > parsing of function parameters is not implemented yet.
> >
> > The binary MOF format is compressed by the prehistoric DS-01
> > algorithm (a modification of LZ-77), which was used as the
> > compression algorithm for FAT-16. Maybe you remember DMSDOS or
> > DoubleSpace... After decompression, the whole format is so shitty,
> > probably half of the data are just lengths of sub structures and
> > sub-sub-... structures.
> >
> > I hope this bmfparse program will help in writing new WMI drivers
> > for Linux or in the inspection of available WMI methods.
> >
> > Probably we could implement a parser of BMOF in the kernel and allow
> > validation of function parameters or usage of human readable names
> > of WMI methods?
> >
> > [1] -
> > https://www.spinics.net/lists/platform-driver-x86/msg11574.html
> > [2] - https://github.com/pali/bmfdec
>
> Small update: function parameters are now decoded too. I fixed some
> problems and added a new tool, bmf2mof, which decompiles a BMF file
> back to a UTF-8 encoded plain text MOF file. It is in the git
> repository:
>
> https://github.com/pali/bmfdec
>
> I ran it on more binary WMI MOF buffers and it successfully parsed
> everything.
>
> So if you have some time, I would like to ask you to test those tools
> to see if they can parse binary WMI MOF buffers without problems.
>
> As I wrote it by just looking at decompressed dumps without any
> documentation, it does not have to be correct or working... Also
> there are no proper checks for buffer overflows yet.

Now added support for parsing the BMOFQUALFLAVOR11 part, which means the
whole parsing of BMOF files should be complete now.

--
Pali Rohár
pali.rohar@gmail.com