0x20000
in the flash.type AMDFirmwareEntryTable struct {
Signature uint32
ImcRomBase uint32
GecRomBase uint32
XHCRomBase uint32
PSPDirBase uint32
NewPSPDirBase uint32
BDHDirBase uint32
Unknown1 uint32
}
0x55AA55AA
0x0000 2 Signature 0x55aa
0x0002 2 Offset to the BCD (type0?)
0x0004 2 BCD size
0x0006 2 Offset to Main FW (type1?)
0x0008 2 Main FW size
0x000a 2 Offset to the ACD (type2?)
0x000c 2 Offset to the ACD
Offset Size in bytes What
0x0000 2 Firmware version - 0x3032 means 3.0.3.2
0x0002 - Firmware data, most likely V850E1 controller
00000000 80 07 f8 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000010 e0 07 40 01 00 00 00 00 00 00 00 00 00 00 00 00 |..@.............|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000040 80 07 3a 03 e0 07 40 01 00 00 00 00 00 00 00 00 |..:...@.........|
00000050 e0 07 40 01 00 00 00 00 00 00 00 00 00 00 00 00 |..@.............|
00000060 80 07 34 01 e0 07 40 01 00 00 00 00 00 00 00 00 |..4...@.........|
00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000080 80 07 4a 01 e0 07 40 01 00 00 00 00 00 00 00 00 |..J...@.........|
00000090 80 07 70 01 e0 07 40 01 00 00 00 00 00 00 00 00 |..p...@.........|
000000a0 80 07 96 01 e0 07 40 01 00 00 00 00 00 00 00 00 |......@.........|
000000b0 80 07 bc 01 e0 07 40 01 00 00 00 00 00 00 00 00 |......@.........|
000000c0 80 07 e2 01 e0 07 40 01 00 00 00 00 00 00 00 00 |......@.........|
000000d0 80 07 08 02 e0 07 40 01 00 00 00 00 00 00 00 00 |......@.........|
000000e0 80 07 2e 02 e0 07 40 01 00 00 00 00 00 00 00 00 |......@.........|
000000f0 80 07 54 02 e0 07 40 01 00 08 00 10 00 18 00 20 |..T...@........ |
.data:00000000 8007f800 jr 0x000000f8
rule AGESA {
strings:
$AMDGESA = {41 4d 44 21 47 45 53 41 ?? ?? ?? ??}
$AGESA = /AGESA![0-9a-zA-Z]{0,10}\x00{0,1}[0-9a-zA-Z .\-]*/
$AAGESA = /!!AGESA[0-9a-zA-Z .\-]*/
$AMD_PI = /\$AMD[A-Z][0-9a-zA-Z]*[PIVpiv][0-9a-zA-Z.\-]*/
condition:
any of them
}
!!AGESABristolPI V1.0.0.1X
!!AGESACarrizoFM2r2PI V1.2.0.0X
!!AGESACarrizoFM2r2PI V1.2.0.2X
!!AGESACarrizoFM2r2PI V1.3.0.1X
!!AGESACarrizoLitePI V1.0.0.0
!!AGESACarrizoLitePI V1.0.0.1
!!AGESACarrizoLitePI V1.0.0.2
!!AGESACarrizoLitePI V1.0.0.4
!!AGESACarrizoPI V1.0.0.6
!!AGESACarrizoPI V1.0.8.0
!!AGESACarrizoPI V1.1.0.0
!!AGESA DanNiPI V0.0.9.2
!!AGESA DanNiPI V1.0.0.0
!!AGESA DanNiPI V1.0.0.1
!!AGESA DanNiPI V1.0.0.2
!!AGESA DanNiPI V1.0.0.3
!!AGESA DanNiPI V1.0.0.4
!!AGESAGodavariPI V0.0.9.1
!!AGESAGodavariPI V1.0.0.0
!!AGESAGodavariPI V1.0.0.1
!!AGESAKabiniPI V1.0.0.5
!!AGESAKabiniPI V1.0.0.6
!!AGESAKabiniPI V1.0.0.7
!!AGESAKabiniPI V1.0.0.8
!!AGESAKabiniPI V1.0.0.9
!!AGESAKabiniPI V1.0.0.A
!!AGESAKabiniPI V1.0.0.B
!!AGESAKabiniPI V1.1.0.0
!!AGESAKabiniPI V1.1.0.1
!!AGESAKaveriPI V0.0.6.2
!!AGESAKaveriPI V0.0.8.1
!!AGESAKaveriPI V1.0.0.0
!!AGESAKaveriPI V1.1.0.2
!!AGESAKaveriPI V1.1.0.5
!!AGESA LlanoPI V1.0.0.6
!!AGESA LlanoPI V1.1.0.0
!!AGESA LlanoPI V1.1.0.2
!!AGESA LlanoPI V1.1.0.3
!!AGESA LlanoPI V1.1.0.4
!!AGESA LlanoPI V1.1.0.5
!!AGESA LlanoPI V1.1.0.6
!!AGESA LlanoPI V1.1.0.7
!!AGESA LlanoPI V1.1.0.8
!!AGESA MarG34PIV1.1.0.4
!!AGESA MarG34PIV1.1.0.7
!!AGESAMullinsPI V1.0.0.2
!!AGESAMullinsPI V1.0.0.3
!!AGESAMullinsPI V1.0.0.4
!!AGESAMullinsPI V1.0.0.A
!!AGESA Ontar2PIV1.0.0.1
!!AGESA Ontar2PIV1.0.0.2
!!AGESA Ontar2PIV1.0.0.3
!!AGESA OntaroPIV1.0.0.2
!!AGESA OntaroPIV1.0.0.3
!!AGESA OntaroPIV1.0.0.4
!!AGESA OntaroPIV1.0.9.0
!!AGESA OntaroPIV1.1.0.0
!!AGESA OntaroPIV1.1.9.0
!!AGESA OntaroPIV1.2.0.0
!!AGESA OrochiPIV0.0.7.3X
!!AGESA OrochiPIV0.0.7.4
!!AGESA OrochiPIV0.0.7.5
!!AGESA OrochiPIV0.0.9.0
!!AGESA OrochiPIV0.0.9.1
!!AGESA OrochiPIV0.0.9.2
!!AGESA OrochiPIV1.1.0.0
!!AGESA OrochiPIV1.1.0.1
!!AGESA OrochiPIV1.1.0.2
!!AGESA OrochiPIV1.2.0.0
!!AGESA OrochiPIV1.2.0.1
!!AGESA OrochiPIV1.2.0.3
!!AGESA OrochiPIV1.2.0.4
!!AGESA OrochiPIV1.2.7.1
!!AGESA OrochiPIV1.2.9.0
!!AGESA OrochiPIV1.4.9.0
!!AGESA OrochiPIV1.5.0.0
!!AGESA OrochiPIV1.5.0.1
!!AGESA OrochiPIV1.5.0.2
!!AGESA OrochiPIV1.5.0.5
!!AGESA OrochiPIV1.5.0.7
!!AGESA OrochiPIV1.5.0.8
!!AGESARichlandPI V1.1.0.1
!!AGESARichlandPI V1.1.0.2
!!AGESAStoneyPI V1.0.0.2
!!AGESAStoneyPI V1.3.0.2
!!AGESAStoneyPI V1.3.0.3
!!AGESAStoneyPI V1.3.0.6
!!AGESAStoneyPI V1.3.0.8
!!AGESAStoneyPI V1.3.0.9
!!AGESAStoneyPI V1.3.0.A
!!AGESA TrinyPI V1.1.0.2
!!AGESA TrinyPI V1.1.0.3
!!AGESA TrinyPI V1.1.0.5
!!AGESA TrinyPI V1.1.0.7
!!AGESA TrinyPI V1.1.0.8
!!AGESA V3.1.1.0
!!AGESA V3.1.3.0
!!AGESA V3.1.3.1
!!AGESA V3.1.4.0
!!AGESA V3.1.5.0
!!AGESA V3.1.6.0
!!AGESA V3.1.7.0
!!AGESA V3.1.8.0
!!AGESA V3.1.9.0
!!AGESA V3.1.9.1
!!AGESA V3.2.7.2
!!AGESA V3.3.0.0
!!AGESA V3.3.1.0
!!AGESA V3.3.2.0
!!AGESA V3.3.2.2
!!AGESA V3.3.2.3
!!AGESA V3.3.2.4
!!AGESA V3.3.2.5
!!AGESA V3.3.2.7
!!AGESA V3.5.0.0
!!AGESA V3.5.0.1
!!AGESA V3.5.0.2
!!AGESA V3.5.2.0
!!AGESA V3.5.2.1
!!AGESA V3.5.3.1
!!AGESA V3.5.4.0
!!AGESA V3.5.5.0
!!AGESA V3.6.9.0
!!AGESA V3.7.0.0
!!AGESA V3.7.0.1
!!AGESA V3.7.1.0
!!AGESA V3.7.1.1
!!AGESA V4.1.0.3
!!AGESA V4.3.0.0
!!AGESA V4.4.0.0
!!AGESA V4.6.0.1
!!AGESA V4.6.1.0
!!AGESA V6.0.9.0
!!AGESA V6.1.0.0
!!AGESA V6.1.1.0
!!AGESA V6.1.2.0
!!AGESA V6.1.2.2
!!AGESA V6.1.5.0
AGESA!V9\x00NaplesPI-SP3 1.0.0.9
AGESA!V9\x00NaplesPI-SP3 1.0.0.A
AGESA!V9\x00NaplesPI-SP3 1.0.0.B
AGESA!V9\x00PinnaclePI-AM4 1.0.0.0a
AGESA!V9\x00PinnaclePI-AM4 1.0.0.2
AGESA!V9\x00PinnaclePI-AM4 1.0.0.3
AGESA!V9\x00PinnaclePI-AM4 1.0.0.6
AGESA!V9\x00RavenPI-FP5-AM4 1.0.7.1
AGESA!V9\x00RavenPI-FP5-AM4 1.1.0.2
AGESA!V9\x00RavenPI-FP5-AM4 1.1.0.5
AGESA!V9\x00SummitPI-AM4 1.0.0.4a
AGESA!V9\x00SummitPI-AM4 1.0.0.6
AGESA!V9\x00SummitPI-SP3r2-1.1.0.1
AGESA!V9\x00SummitPI-SP3r2-1.1.0.2
AGESA!V9\x00ThreadRipperPI-SP3r2-0.0.6.0
AGESA!V9\x00UnkownPI 0.0.0.0
!!AGESA X3.5.2.0
!!AGESA X4.3.9.0
!!AGESA X4.4.0.0
!!AGESA X4.6.1.0
Lenovo did not update their AGESA on their Thinkpad A285.
— Mimoja (◕ᴗ◕✿) (@WingsOfMimoja)
Still on 1.0.0.4, while 1.1.0.5 is in the wild since at least September 4th 2018. (Acer Aspire TC-380)
Over a year before release(December 2017) ASUS shipped the 1.0.7.1 update.
Lenovo released with a 2 year old AGESA...
Type GUID/Name Size
BIOS 0x1000000
BIOS Pad 0x40000
FV 8C8CE578-8A3D-4F1C-9935-896185C32DD3 0x20000
BIOS Pad 0x5b0000
FV 8C8CE578-8A3D-4F1C-9935-896185C32DD3 0x40000
FV 8C8CE578-8A3D-4F1C-9935-896185C32DD3 0x6b0000
FV 8C8CE578-8A3D-4F1C-9935-896185C32DD3 0x300000
PSPDirBase uint32
NewPSPDirBase uint32
BDHDirBase uint32
type AMDPSPDirectoryHeader struct {
PspCookie [4]byte
Checksum uint32
TotalEntries uint32
Reserved uint32
}
type AMDPSPDirectoryBinaryEntry struct {
Type uint32
Size uint32
Location uint32
Reserved uint32
}
var AMDPSPDirectoryEntries = []AMDPSPDirectoryEntryType{
{0x00, "AMD_PUBLIC_KEY", "AMD public key"},
{0x01, "PSP_FW_BOOT_LOADER", "PSP boot loader in SPI space"},
{0x02, "PSP_FW_TRUSTED_OS", "PSP Firmware region in SPI space"},
{0x03, "PSP_FW_RECOVERY_BOOT_LOADER", "PSP recovery region"},
{0x04, "PSP_NV_DATA", "PSP data region in SPI space"},
{0x05, "BIOS_PUBLIC_KEY", "BIOS public key stored in SPI space"},
{0x06, "BIOS_RTM_FIRMWARE", "BIOS RTM code (PEI volume) in SPI space"},
{0x07, "BIOS_RTM_SIGNATURE", "Signed BIOS RTM hash stored in SPI space"},
{0x08, "SMU_OFFCHIP_FW", "SMU image"},
{0x09, "AMD_SEC_DBG_PUBLIC_KEY", "Secure Unlock Public key"},
{0x0A, "OEM_PSP_FW_PUBLIC_KEY", "Optional public part of the OEM PSP Firmware"},
{0x0B, "AMD_SOFT_FUSE_CHAIN_01", "64bit PSP Soft Fuse Chain"},
{0x0C, "PSP_BOOT_TIME_TRUSTLETS", "Boot-loaded trustlet binaries"},
{0x0D, "PSP_BOOT_TIME_TRUSTLETS_KEY", "Key of the boot-loaded trustlet binaries"},
{0x10, "PSP_AGESA_RESUME_FW", "PSP Agsa-Resume-Firmware"},
{0x12, "SMU_OFF_CHIP_FW_2", "Secondary SMU image"},
{0x14, "!PSP_MCLF_TRUSTLETS", "very similiar to ~PspTrustlets.bin~ in coreboot blobs"},
{0x1A, "PSP_S3_NV_DATA", "S3 Data Blob"},
{0x31, "{0x31~ABL_ARM_CODE~", "a _lot_ of strings and also some ARM code"},
{0x38, "!PSP_ENCRYPTED_NV_DATA", ""},
{0x39, "!SEV_APP", ""},
{0x40, "!PL2_SECONDARY_DIRECTORY", ""},
{0x5f, "FW_PSP_SMUSCS", "Software AppConfiguration Settings Data Block"},
{0x60, "FW_IMC", ""},
{0x61, "FW_GEC", ""},
{0x62, "FW_XHCI", ""},
{0x63, "FW_INVALID", ""},
{0x70, "!BL2_SECONDARY_DIRECTORY", ""},
{0x108, "PSP_SMU_FN_FIRMWARE", ""},
{0x112, "!SMU_OFF_CHIP_FW_3", "seems to tbe a tertiary SMU image"},
{0x118, "PSP_SMU_FN_FIRMWARE2", ""},
{0x15f, "!FW_PSP_SMUSCS_2", "seems to be a secondary FW_PSP_SMUSCS"},
{0x30062, "{0x30062~UEFI-IMAGE~", ""},
}
+-----------+---------+---------+-------+---------------------+
| Directory | Addr | Type | Magic | Secondary Directory |
+-----------+---------+---------+-------+---------------------+
| 2 | 0xd1000 | PSP_NEW | $PSP | 0x261000 |
+-----------+---------+---------+-------+---------------------+
+---+-------+----------+---------+------------------------------------+-----------+-----------------------+------------+
| | Entry | Address | Size | Type (Magic) | Version | Signed by | Info |
+---+-------+----------+---------+------------------------------------+-----------+-----------------------+------------+
| | 0 | 0xd1400 | 0x240 | AMD_PUBLIC_KEY | | AMD_PUBLIC_KEY | pubkey |
| | | | | | | [not verified] | |
| | 1 | 0x261400 | 0x20000 | PSP_FW_BOOT_LOADER ($PS1) | 0.9.3.34 | AMD_PUBLIC_KEY | |
| | | | | | | [not verified] | |
| | 2 | 0xd1700 | 0xbb40 | PSP_FW_RECOVERY_BOOT_LOADER ($PS1) | FF.9.3.34 | AMD_PUBLIC_KEY | |
| | | | | | | [not verified] | |
| | 3 | 0xdd300 | 0x1d300 | SMU_OFFCHIP_FW (SMUR) | 0.19.4D.0 | AMD_PUBLIC_KEY | compressed |
| | | | | | | [not verified] | |
| | 4 | 0xfa600 | 0x340 | OEM_PSP_FW_PUBLIC_KEY | | AMD_PUBLIC_KEY | pubkey |
| | | | | | | [not verified] | |
| | 5 | 0xfaa00 | 0x2740 | SMU_OFF_CHIP_FW_2 (SMUR) | 0.19.4D.0 | AMD_PUBLIC_KEY | compressed |
| | | | | | | [not verified] | |
| | 6 | 0xfd200 | 0x10 | 0x21 | | | |
| | 7 | 0xfd300 | 0x4d0 | 0x30 (0BAR) | 17.5.15.1 | OEM_PSP_FW_PUBLIC_KEY | compressed |
| | | | | | | [not verified] | |
| | 8 | 0xfd800 | 0xbac0 | 0x31~ABL_ARM_CODE~ (AR1B) | 17.5.15.1 | OEM_PSP_FW_PUBLIC_KEY | compressed |
| | | | | | | [not verified] | |
| | 9 | 0x109300 | 0x96d0 | 0x32 (AR2B) | 17.5.15.1 | OEM_PSP_FW_PUBLIC_KEY | compressed |
| | | | | | | [not verified] | |
| | 10 | 0x112a00 | 0xd610 | 0x33 (AR3B) | 17.5.15.1 | OEM_PSP_FW_PUBLIC_KEY | compressed |
| | | | | | | [not verified] | |
| | 11 | 0x120100 | 0x9960 | 0x34 (AR4B) | 17.5.15.1 | OEM_PSP_FW_PUBLIC_KEY | compressed |
| | | | | | | [not verified] | |
| | 12 | 0x129b00 | 0xe800 | 0x35 (AR5B) | 17.5.15.1 | OEM_PSP_FW_PUBLIC_KEY | compressed |
| | | | | | | [not verified] | |
| | 13 | 0x138300 | 0xa7c0 | 0x36 (AR6B) | 17.5.15.1 | OEM_PSP_FW_PUBLIC_KEY | compressed |
| | | | | | | [not verified] | |
| | 14 | 0x142b00 | 0xb90 | 0x24 ($PS1) | 0.7.0.1 | AMD_PUBLIC_KEY | compressed |
| | | | | | | [not verified] | |
| | 15 | 0x261000 | 0x400 | !PL2_SECONDARY_DIRECTORY | | | |
+---+-------+----------+---------+------------------------------------+-----------+-----------------------+------------+
Header is verified
type AMDPSPEntryBinaryHeader struct {
Unknown1 [16]byte
ID uint32
SizeSigned uint32
Unknown2 [0x18]byte
AlwaysOne uint32 // Could be a type?
Unknown3 [4]byte
SigFingerprint [16]byte
IsCompressed uint32
Unknown4 uint32
FullSize uint32
Unknown5 [12]byte
Version [4]byte
Unknown6 [4]byte
Unknown7 [4]byte
SizePacked uint32
}
-> Ryzenfall