Reverse Engineering - Wer-Wolf/uniwill-laptop GitHub Wiki

WMI interface

The following WMI interface is used to communicate with the embedded controller on Uniwill devices:

[WMI, Dynamic, Provider("WmiProv"), Locale("MS\\0x409"), Description("Class used to operate methods on a ULong"), guid("{ABBC0F6F-8EA1-11d1-00A0-C90629100000}")]
class AcpiTest_MULong {

  [key, read] string InstanceName;
  [read] boolean Active;

  [WmiMethodId(1), Implemented, read, write, Description("Return the contents of a ULong")] void GetULong([out, Description("Ulong Data")] uint32 Data);
  [WmiMethodId(2), Implemented, read, write, Description("Set the contents of a ULong")] void SetULong([in, Description("Ulong Data")] uint32 Data);
  [WmiMethodId(3), Implemented, read, write, Description("Generate an event containing ULong data")] void FireULong([in, Description("WMI requires a parameter")] uint32 Hack);
  [WmiMethodId(4), Implemented, read, write, Description("Get and Set the contents of a ULong")] void GetSetULong([in, Description("Ulong Data")] uint64 Data, [out, Description("Ulong Data")] uint32 Return);
  [WmiMethodId(5), Implemented, read, write, Description("Get and Set the contents of a ULong for Dollby button")] void GetButton([in, Description("Ulong Data")] uint64 Data, [out, Description("Ulong Data")] uint32 Return);
};

For reading/writing EC RAM, the GetSetULong method is being used.

The Data argument holds the following information (starting with the least significant byte):

  1. 16-bit address
  2. 16-bit data (set to 0x0000 when reading)
  3. 16-bit operation (0x0100 for reading and 0x0000 for writing
  4. 16-bit reserved (set to 0x0000)

Access under Windows

You can interact with the WMI interface using the powershell (needs admin privileges):

> $obj = Get-CimInstance -Namespace root/wmi -ClassName AcpiTest_MULong | Select-Object -First 1
> Invoke-CimMethod -InputObject $obj -MethodName GetSetULong -Arguments @{Data = 0x000001000000ABCD}

In the above case, we issue a read command for address 0xABCD. The value for the Data argument thus is 0x000001000000ABCD (0x0000 reserved, 0x0100 for reading, 0x0000 for data and 0xABCD for address).

The first 8 bit of the Return property inside the result are the data returned by the EC.