Disassembly of GPU-Z, I2C and GPUs in between part 2

I decided to focus on something easy this time, I wanted to figure out where on the memory of the card is the ATI ATOMBIOS stored, so I followed GPU-Z stepping into, for at least 2 hours and found something only for GPU-Z to trick me and give me false leads.

The line where it says "Writes bios byte by byte" is a bit misleading, since I found out that only the header of the ATOMBIOS was written to the buffer, odd as that may be. After stepping into the functions I suddenly found an address that pointed to where the BIOS was mapped to but how or when it got set, was a mystery to me.

However, what I did find is that for >=HD5k series of graphics cards, GPU-Z assumes a size of 0x20000(131072 bytes) for the BIOS.

After studying the tool radeontool, there is an interesting function here

void radeon_rom_tables(const char * file)
{
#define _64K (64*1024)
    unsigned char bios[_64K];
    char *biosmem;
    int fd, hdr, atom;
    if (strcmp(file, "mmap") == 0) {
        fd = open("/dev/mem", O_RDWR);
        biosmem = mmap(0, _64K, PROT_READ, MAP_SHARED, fd, 0xc0000);
        if (biosmem == MAP_FAILED) {
            perror("can't mmap bios");
            return;
        }
        memset(bios, 0, _64K);
        memcpy(bios, biosmem, _64K);
        munmap(biosmem, _64K);
        close(fd);
    }

It might indicate that the rom is located at offset  0xc0000 in physical memory. However is this also true for multiple graphics cards?

Disassembly of GPU-Z, I2C and GPUs

It's been a while since I've written anything, I wasn't going to but I did want to share some findings.

Now, I am not exactly versed in programming, I still struggle at the basics, linked lists let alone x86 assembly, but I delved into GPU-Z, a tool used to monitor vital sensors inside any modern graphics card. What sets it apart from other general purpose tools like AIDA64,HWMon,Open Hardware Monitor is that it specializes only in GPUs and is therefore very thorough, displaying information like VRM temperatures and currents. AIDA64 is the only one that also displays this data, but not all of the sensors.

When I first started disassembling GPU-Z with OllyDbg 2, I was greeted with a warning that it's likely packed, and indeed it was. As of version 0.7.5 the packer used is PECompact 2.x or 3.x, it's apparently easy to unpack a PECompact packed executable, but after trying it, I must have got it wrong somewhere and didn't get a multitude of functions imported correctly and after running the executable I got an error stating "floating point support not loaded". I gave up after a couple of more tries and used Nacho_dj's pecompact unpacker to unpack it, it worked.

How exactly does the Temperature component of GPU-Z work? It works by mapping physical memory to userspace and doing bit-banging on the I2C bus. Here is where it gets tricky, under Linux it's trivial to map physical memory to userspace(root and mmap roughly), but under Windows you need a driver, and not just any driver, but a kernel mode driver, and not just any kernel mode driver, a digitally signed driver to do this, usually only for x64 but may also apply to x86(32-bit Windows). Digital signatures cost a minimum of $100, may be cheaper somewhere but it costs money regardless. Lucky, it's possible to enable Test-mode in Windows and allow the running of unsigned drivers, but this makes your installation extremely vulnerable. But where do you get such a driver?

Luckily for you and me, an open source driver is available and it can be compiled to work with Windows 7 x64 as well. It's called PhyMem. I will not go into details how it works, because I myself have not yet figured that out.

Does GPU-Z use this driver? Probably not, GPU-Z predates this driver. It however uses it's own driver which is stored in the executable itself and is written in %temp% during runtime where it's executed from and removed.

Here is the GPU-Z(not source code) driver if you want it http://www.filedropper.com/gpu-z.

In part 2 I will try to explain what is being mapped, how much of it and explain more of what I found in GPU-Z.