Sunday, February 17, 2019

Finding Undocumented Intel Atom MSR's in the Viliv S5 Through BIOS Reverse Engineering

I put "Verified" in the title because, while I have run Sandsifter on this project, I have not had time to analyze these opcodes.

A rough overview for those not familiar with my other posts: the Viliv S5 is an Ultra Mobile PC with an Intel Atom Z515 IA-32 processor. I recently replaced the native Windows XP 2003 with Kali Linux.

I wanted to find MSRs, both documented and undocumented, on this machine, and I figured that the best way to start would be looking into the BIOS. Running "dmidecode" showed an AMI BIOS, version 080015, with SMBIOS 2.5.

Knowing this, I was confident it would be compatible with flashrom, so I went to work capturing the BIOS. I used the "flashrom -r" command to write the BIOS image to the file "bios.rom".

After capturing the BIOS, I wanted to know how many model-specific registers were being used by the BIOS. For my purposes this was a good enough indicator of how many MSRs were usable on this particular system. I analyzed the image with Radare2 and used the "/a wrmsr" and "/a rdmsr" commands to find every point where an MSR is accessed.

I may do a deeper analysis with the Sandsifter results later, but for now: 31 hits on WRMSR and 29 hits on RDMSR! I was very excited by these findings. I decided to dump the addresses of these hits to separate files and the disassembled ROM to a text file for further analysis.

First, however, I need to run "afl" to find the address of the first function, in order to ensure I'm not analyzing an endless run of invalid opcodes.

I have my starting point, "fcn.000f0000", and its address, "f000:0000". I can now dump the file from this point to the end using "wtf biosdump $s @ 0x000f0000", which writes the valid binary output to the file "biosdump", and reopen that file in radare2.

I then verified that all MSRs were still present, and disassembled to a file using "pd $s > biosdis.asm".
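The opcode search just described can be automated over the raw image instead of the disassembly. As an added example (not the author's code), this script scans for the RDMSR (0F 32) and WRMSR (0F 30) opcodes, pairs each hit with the nearest preceding literal "mov ecx, imm32" to recover the MSR number, and records whether each MSR is read, written or both. The sample image is constructed here from the encodings quoted in the post; the 32-byte search window is an assumption.

```python
"""Added example (not the post's code): find RDMSR/WRMSR in a raw BIOS image and recover MSR numbers."""
import re
from collections import defaultdict

RDMSR = b"\x0f\x32"  # RDMSR: reads MSR[ECX] into EDX:EAX
WRMSR = b"\x0f\x30"  # WRMSR: writes EDX:EAX into MSR[ECX]
# 'mov ecx, imm32' is B9 imm32; 16-bit BIOS code adds the 0x66 operand-size prefix,
# so the post's "66b9e7070100" is 66 B9 <e7 07 01 00> = mov ecx, 0x107e7.
MOV_ECX_IMM = re.compile(rb"\x66?\xb9(.{4})", re.DOTALL)

def msr_accesses(image: bytes, window: int = 32) -> dict[int, set[str]]:
    """Map MSR number -> {"read", "write"} by pairing each RDMSR/WRMSR with the
    nearest preceding literal 'mov ecx, imm32' within `window` bytes.
    Heuristic, like the manual radare2 pass: when ECX is computed rather than
    loaded from an immediate, the hit is filed under key -1 for manual follow-up."""
    result: dict[int, set[str]] = defaultdict(set)
    for opcode, kind in ((RDMSR, "read"), (WRMSR, "write")):
        for hit in re.finditer(re.escape(opcode), image):
            start = max(0, hit.start() - window)
            loads = list(MOV_ECX_IMM.finditer(image, start, hit.start()))
            if loads:
                result[int.from_bytes(loads[-1].group(1), "little")].add(kind)
            else:
                result[-1].add(kind)
    return dict(result)

def access_summary(image: bytes) -> list[tuple[int, str]]:
    """Label each recovered MSR read-only / write-only / read+write, the attribute
    the post uses to single out 0xee (only read) and 0x107e7 (only written)."""
    label = {frozenset({"read"}): "read-only", frozenset({"write"}): "write-only",
             frozenset({"read", "write"}): "read+write"}
    return [(msr, label[frozenset(kinds)])
            for msr, kinds in sorted(msr_accesses(image).items()) if msr >= 0]

# Constructed sample image (not bytes from the real ROM): the 16-bit WRMSR sequence
# quoted in the post, a 32-bit 'mov ecx, 0x17; rdmsr', and an RDMSR with computed ECX.
SAMPLE = (
    bytes.fromhex("66b9e7070100")    # mov ecx, 0x107e7
    + bytes.fromhex("66ba05053200")  # mov edx, 0x320505
    + bytes.fromhex("66b801010000")  # mov eax, 0x101
    + WRMSR
    + bytes.fromhex("b917000000")    # mov ecx, 0x17 (no prefix: 32-bit code)
    + RDMSR
    + b"\x90" * 40                   # padding wider than the search window
    + b"\x8b\xc8" + RDMSR            # mov ecx, eax; rdmsr -> no literal MSR number
)

if __name__ == "__main__":
    for msr, attr in access_summary(SAMPLE):
        print(f"{msr:#x}: {attr}")
```

Hits filed under -1 are exactly the ones that need a look at the disassembly, since the MSR number is only known at run time.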

Intel Atom Z515 MSRs I found through analysis:
0x17
0x1b
0x79
0xcd
0xee
0x194
0x198
0x199
0x1a0
0x200
0x201
0x250
0x258
0x259
0x268
0x269
0x26a
0x26b
0x26c
0x26d
0x26f
0x2ff
0xf42
0x107e7

Their functions? Well, we know that the Atom Z515 is based on the Silverthorne architecture, so let's load up the Intel 64 and IA-32 Architectures Software Developer's Manual and look up some of these mysterious MSRs.

Documented MSRs in the Intel Developer's Manual:
17h - MSR_PLATFORM_ID - The platform ID

1bh - IA32_APIC_BASE - APIC status

79h - IA32_BIOS_UPDT_TRIGGER - Triggers BIOS update

cdh - MSR_FSB_FREQ - Indicates intended bus frequency

eeh - UNKNOWN - I thought this was a normal one based on how often I saw it, but its function is not documented. Interesting attributes: always read, never written to.

194h - MSR_MCG_R12 - Machine check state

198h - IA32_PERF_STATUS - Intel SpeedStep status

199h - IA32_PERF_CTL - Intel SpeedStep control

1a0h - IA32_MISC_ENABLE - Enables miscellaneous processor functions - an interesting one

200h - IA32_MTRR_PHYSBASE0 - MTRR function

201h - IA32_MTRR_PHYSMASK0 - MTRR function

250h, 258h, 259h, 269h, 26ah, 26bh, 26dh, 26eh, 26fh - IA32_MTRR_FIX[x]K_[x]0000 - All associated with fixed-range MTRRs

2ffh - IA32_MTRR_DEF_TYPE - Default memory type

f42h - MSR_C8_PMON_BOX_OVF_CTRL

107e7h - UNKNOWN - I knew this one was going to be interesting when I found it. As expected, it did not show up in the manual. Written to, never read.
Context:
and al, 0xf0          ; clears the low nibble of al (the stepping field, if eax holds a CPUID signature)
cmp eax, 0x106d0      ; compared against what looks like a CPUID family/model signature
jne 0x148c            ; eventually gets to the jump down below after a few other checks
; address 0x000f1476
mov ecx, 0x107e7      ; no modifications to ecx in this section, ecx is never cleared, not an address
mov edx, 0x320505     ; wrmsr writes edx:eax to the MSR selected by ecx
mov eax, 0x101
wrmsr
jmp ...
; at the jump target
mov ecx, 0x17         ; returns the platform ID, as we have already established
; I'm guessing al also contains ID-related info that is checked.
rdmsr

Opcode: 66b9e7070100 (66 = operand-size prefix in 16-bit code, b9 = mov ecx, imm32, e7070100 = 0x107e7 little-endian)
When I try to read it using msr-tools, however, I get nothing. Maybe it has no inherent value?

Anything else we can find for the MSRs Intel won't tell us about? The RE community is a great resource. I attempted to find some info using GitHub searches, Google searches, and searches on the Reverse Engineering Stack Exchange.

Undocumented MSRs known to the RE community:

eeh - IA32_EXT_CONFIG - From what I could figure out on GitHub, it is some sort of control that determines whether to sleep or not

107e7h - UNKNOWN - None of my searches could dredge up anything on this one. Wow, it must be really specific and rarely used.

After that information was found, here is what was left. Hopefully I'll eventually be able to find out the purpose of these registers.
Undocumented MSRs unknown to the community:

107e7h - UNKNOWN - A truly undocumented MSR (to my knowledge). Anyone with information relevant to this opcode willing to get in touch? Is this a simple error I'm making and not an MSR? Reach out in the comments to let me know!
- Elias Augusto 

Update: Want my BIOS file to mess around with? Here you go: http://tinyurl.com/yxweccsv
