Re: Binary MOF buffer in WMI is finally decoded!

["Pali Rohár" <pali.rohar@gmail.com>]

[-- Attachment #1: Type: Text/Plain, Size: 2414 bytes --]

On Sunday 04 June 2017 18:09:21 Pali Rohár wrote:
> Hi!
> 
> As already mentioned in RFC: WMI Enhancements thread [1], I looked at
> binary MOF buffer used by WMI which is included in ACPI DSDT table.
> 
> That binary MOF buffer contains description of WMI methods and
> structures used by ACPI-WMI. It also contains mapping from human
> readable function names to ACPI-WMI magical numbers used for calling
> WMI methods via ACPI.
> 
> Basically in that binary MOF buffer is description of structures used
> as input and output arguments for WMI methods/function calls.
> 
> Until now, there were not information nor any parser of those binary
> MOF files (.bmf file). There is some Microsoft proprietary tool
> which can compile text MOF file to binary and vice versa.
> 
> I was able to decode that binary MOF format and wrote simple bmfparse
> tool. It is available in git repository [2]. Currently parsing of
> function parameters is not implemented yet.
> 
> Binary MOF format is compressed by prehistoric DS-01 algorithm
> (modification of LZ-77) which was used as compression algorithm for
> FAT-16. Maybe you remember DMSDOS or DoubleSpace... After
> decompression, the whole format is so shitty, probably half of data
> are just lengths of sub structures and sub-sub-... structures.
> 
> I hope this bmfparse program would help in writing new wmi drivers
> for Linux or inspection of available WMI methods.
> 
> Probably we could implement parser of BMOF in kernel and allow
> validation of function parameters or usage of human readable names of
> WMI methods?
> 
> [1] - https://www.spinics.net/lists/platform-driver-x86/msg11574.html
> [2] - https://github.com/pali/bmfdec

Small update: function parameters are now decoded too. I fixed some 
problems and added new tool bmf2mof which decompile BMF file back to 
UTF-8 encoded plain text MOF file. It is in git repository:

https://github.com/pali/bmfdec

I run it on more binary WMI MOF buffers and it successfully parsed 
everything.

So if you have some time, I would like you to ask for testing those 
tools if they can parse binary WMI MOF buffers without problems.

As I wrote it by just looking at decompressed dumps without any 
documentation, it does not have to be correct or working... Also there 
are no proper checks for buffer overflows yet.

-- 
Pali Rohár
pali.rohar@gmail.com

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]