Re: Binary MOF buffer in WMI is finally decoded!

["Pali Rohár" <pali.rohar@gmail.com>]

[-- Attachment #1: Type: Text/Plain, Size: 2699 bytes --]

On Tuesday 06 June 2017 00:08:49 Pali Rohár wrote:
> On Sunday 04 June 2017 18:09:21 Pali Rohár wrote:
> > Hi!
> > 
> > As already mentioned in RFC: WMI Enhancements thread [1], I looked
> > at binary MOF buffer used by WMI which is included in ACPI DSDT
> > table.
> > 
> > That binary MOF buffer contains description of WMI methods and
> > structures used by ACPI-WMI. It also contains mapping from human
> > readable function names to ACPI-WMI magical numbers used for
> > calling WMI methods via ACPI.
> > 
> > Basically in that binary MOF buffer is description of structures
> > used as input and output arguments for WMI methods/function calls.
> > 
> > Until now, there were not information nor any parser of those
> > binary MOF files (.bmf file). There is some Microsoft proprietary
> > tool which can compile text MOF file to binary and vice versa.
> > 
> > I was able to decode that binary MOF format and wrote simple
> > bmfparse tool. It is available in git repository [2]. Currently
> > parsing of function parameters is not implemented yet.
> > 
> > Binary MOF format is compressed by prehistoric DS-01 algorithm
> > (modification of LZ-77) which was used as compression algorithm for
> > FAT-16. Maybe you remember DMSDOS or DoubleSpace... After
> > decompression, the whole format is so shitty, probably half of data
> > are just lengths of sub structures and sub-sub-... structures.
> > 
> > I hope this bmfparse program would help in writing new wmi drivers
> > for Linux or inspection of available WMI methods.
> > 
> > Probably we could implement parser of BMOF in kernel and allow
> > validation of function parameters or usage of human readable names
> > of WMI methods?
> > 
> > [1] -
> > https://www.spinics.net/lists/platform-driver-x86/msg11574.html
> > [2] - https://github.com/pali/bmfdec
> 
> Small update: function parameters are now decoded too. I fixed some
> problems and added new tool bmf2mof which decompile BMF file back to
> UTF-8 encoded plain text MOF file. It is in git repository:
> 
> https://github.com/pali/bmfdec
> 
> I run it on more binary WMI MOF buffers and it successfully parsed
> everything.
> 
> So if you have some time, I would like you to ask for testing those
> tools if they can parse binary WMI MOF buffers without problems.
> 
> As I wrote it by just looking at decompressed dumps without any
> documentation, it does not have to be correct or working... Also
> there are no proper checks for buffer overflows yet.

Now added support for parsing BMOFQUALFLAVOR11 part. Which means whole 
parsing of BMOF files should be complete now.

-- 
Pali Rohár
pali.rohar@gmail.com

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]