-
Notifications
You must be signed in to change notification settings - Fork 11
/
requests.txt
459 lines (343 loc) · 20.9 KB
/
requests.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
List of Known EC Requests
================================================================================
Basics / Concepts / Nomenclature
--------------------------------------------------------------------------------
Requests consist of the following bytes:
- TC: Target category. The category of the command.
- TID: Target ID. Currently known values are 0x01 and 0x02.
- CID: Command ID. The ID of the command.
- IID: Instance ID. In case of multiple devices with the same functionality,
this is non-zero and indicates the device.
These four bytes uniquely define a command. In addition, commands can have a
payload and return a response.
Additionally, we differentiate between requests (sent from hosts to EC,
potentially prompting a response) and events (sent by the EC without any
direct prior request, may need to be set up).
List of Target Categories:
--------------------------------------------------------------------------------
Some of these have been extracted from the MS SSH driver and are noted with
the abbreviation found there.
TC Name/Function
-----------------------------------------------------------------------
0x00 N/A
0x01 Generic system functionality and real-time clock [SAM]
0x02 Battery/Power-subsystem [BAT]
0x03 Thermal subsystem, temperature probes [TMP]
0x04 PMC
0x05 FAN
0x06 PoM
0x07 DBG
0x08 Laptop 1/Laptop 2 keyboard [KBD]
0x09 FWU
0x0A UNI
0x0B LPC
0x0C TCL (Telemetry, Crashdumps, and Logs?)
0x0D SFL
0x0E KIP (Keyboard and Integrated Peripherals, aka hotplug stuff?)
0x0F EXT
0x10 BLD
0x11 Detachment system and discrete graphics (Surface Book 2) [BAS]
0x12 SEN
0x13 SRQ
0x14 MCU
0x15 User Input/HID subsystem (Keyboard + Touchpad) [HID]
0x16 TCH
0x17 BKL
0x18 TAM
0x19 ACC0
0x1A UFI
0x1B USC
0x1C PEN
0x1D VID
0x1E AUD
0x1F SMC
0x20 KPD
0x21 Event/notifier registry [REG]
0x22 SPT
0x23 SYS
0x24 ACC1
0x25 SHB
0x26 Laptop Studio screen position [POS]
List of System Requests (TC = 0x01)
--------------------------------------------------------------------------------
CID IID TID Payload Response Name/Function Source
------------------------------------------------------------------------
0x01 0x00 0x01 no yes Get FWCHK_PENDING probing
0x02 0x00 0x01 no yes Set FWCHK_PENDING probing
0x03 0x00 0x01 no yes Clear FWCHK_PENDING probing
0x0b 0x00 0x01 yes yes Enable event source log
0x0c 0x00 0x01 yes yes Disable event source log
0x0f 0x00 0x01 u32 no Set Unix timestamp probing
0x10 0x00 0x01 no yes Get Unix timestamp probing
0x13 0x00 0x01 no yes SAM Controller version rev
0x14 0x00 0x01 no no Hard Reset (Reboot) probing
0x15 0x00 0x01 no yes Notify display off log
0x16 0x00 0x01 no yes Notify display on log
0x17 0x00 0x01 no yes GPIO wake IRQ callback rev
0x1a 0x00 0x01 yes yes RTC: ACPI/_STV dsdt
0x1b 0x00 0x01 yes yes RTC: ACPI/_GWS dsdt
0x1c 0x00 0x01 yes yes RTC: ACPI/_CWS dsdt
0x1d 0x00 0x01 yes yes RTC: ACPI/_TIV dsdt
0x1e 0x00 0x01 no yes RTC: ACPI/_GCP probing
0x1f 0x00 0x01 no yes RTC: ACPI/_GRT dsdt
0x20 0x00 0x01 yes yes RTC: ACPI/_SRT dsdt
0x22 0x00 0x01 no yes RTC: get time/date v2 probing
0x23 0x00 0x01 yes yes RTC: set time/date v2 probing
0x33 0x00 0x01 no yes Device D0 exit rev
0x34 0x00 0x01 no yes Device D0 entry rev
Abbreviations:
- FWCHK: Firmware integrity check (likely UEFI only). If FWCHK_PENDING is
set, a FW/UEFI integrity check is triggered after reboot.
- RTC: Real-Time Clock.
List of Power Subsystem Requests (TC = 0x02)
--------------------------------------------------------------------------------
CID IID TID Payload Response Name/Function Source
------------------------------------------------------------------------
0x01 #BAT 0x01 no yes ACPI/_STA dsdt
0x02 #BAT 0x01 no yes ACPI/_BIX dsdt
0x03 #BAT 0x01 no yes ACPI/_BST dsdt
0x04 #BAT 0x01 yes no ACPI/_BTP dsdt
0x0b #BAT 0x01 no yes ACPI/PMAX dsdt
0x0c #BAT 0x01 no yes ACPI/PSOC dsdt
0x0d #BAT 0x01 no yes ACPI/PSRC, ACPI/_PSR dsdt
0x0e #BAT 0x01 yes no ACPI/CHGI dsdt
0x0f #BAT 0x01 no yes ACPI/ARTG dsdt
Note: CID 0x0b to 0x0f are Intel DPTF commands.
List of Power Subsystem Events (TC = 0x02)
--------------------------------------------------------------------------------
CID IID TID Payload Name/Function Source
------------------------------------------------------------------------
0x15 #BAT 0x01 no _BIX data changed log(+dsdt)
0x16 #BAT 0x01 no _BST data changed log(+dsdt)
0x17 0x01 0x01 no Power adapter status changed log(+dsdt)
0x18 #BAT 0x01 no Protection status changed rev+log
0x4f 0x00 0x01 yes DPTF notification log(+dsdt)
0x53 #BAT 0x01 yes TpUpdate (?) log/rev
List of Thermal Subsystem Requests (TC = 0x03)
--------------------------------------------------------------------------------
CID IID TID Payload Response Name/Function Source
------------------------------------------------------------------------
0x01 #SEN 0x01 no yes ACPI/_TMP dsdt
0x02 0x00 0x01 no yes Get performance mode log
0x03 0x00 0x01 yes no Set performance mode log
0x04 0x00 0x01 no yes Get available sensors dsdt
0x09 #SEN 0x01 yes yes Set sensor trip point dsdt
Note: CID 0x09 is an Intel DPTF command.
List of Thermal Subsystem Events (TC = 0x03)
--------------------------------------------------------------------------------
CID IID TID Payload Name/Function Source
------------------------------------------------------------------------
0x0b #SEN 0x01 ? Notify sensor trip-point log+dsdt
List of SL1/SL2 Keyboard Requests (TC = 0x08)
--------------------------------------------------------------------------------
CID IID TID Payload Response Name/Function Source
------------------------------------------------------------------------
0x00 0x00 0x02 yes yes get descriptor rev
0x01 0x00 0x02 yes yes set caps lock led rev
0x0b 0x00 0x02 yes yes get feature report rev
List of SL1/SL2 Keyboard Events (TC = 0x08)
--------------------------------------------------------------------------------
CID IID TID Payload Name/Function Source
------------------------------------------------------------------------
0x03 0x00 0x02 yes Keyboard HID input log
0x04 0x00 0x02 yes Hot-Keys HID input log
List of KIP System Requests (TC = 0x0e)
--------------------------------------------------------------------------------
CID IID TID Payload Name/Function Source
------------------------------------------------------------------------
0x02 0x00 0x02 no Reconnect devices probing
0x0a 0x00 0x02 no Notify KIP display off rev
0x0b 0x00 0x02 no Notify KIP display on rev
0x1d 0x00 0x01 no Get KIP lid state rev
0x27 ? 0x02 yes Events enable rev
0x28 ? 0x02 yes Events disable rev
0x2c 0x00 0x01 no Get KIP connect state rev
List of KIP System Events (TC = 0x0e)
--------------------------------------------------------------------------------
CID IID TID Payload Name/Function Source
------------------------------------------------------------------------
0x1d 0x00 0x01 yes Notify KIP lid/kbd state rev
0x2c 0x00 0x01 yes Notify KIP connect state rev
List of Detachment System Requests (TC = 0x11)
--------------------------------------------------------------------------------
CID IID TID Payload Response Name/Function Source
------------------------------------------------------------------------
0x06 0x00 0x01 no no Lock latch dsdt
0x07 0x00 0x01 no no Unlock latch dsdt
0x08 0x00 0x01 no no Request latch open log
0x09 0x00 0x01 no no Confirm latch open log
0x0a 0x00 0x01 no no DTX command heartbeat rev
0x0b 0x00 0x01 no no Cancel DTX command rev
0x0c 0x00 0x01 no yes Get state cause rev
0x0d 0x00 0x01 no yes Get device OpMode dsdt
0x11 0x00 0x01 no yes Get latch status rev
List of Detachment System Events (TC = 0x11)
--------------------------------------------------------------------------------
CID IID TID Payload Name/Function Source
------------------------------------------------------------------------
0x0c 0x00 0x01 yes connection log
0x0e 0x00 0x01 no button/request log
0x0f 0x00 0x01 yes error/timeout log
0x11 0x00 0x01 yes latch status log
List of Input System Requests (TC = 0x15)
--------------------------------------------------------------------------------
CID IID TID Payload Response Name/Function Source
------------------------------------------------------------------------
0x01 any 0x02 yes no output report log
0x02 any 0x02 yes yes get feature report log
0x03 any 0x02 yes no set feature report log
0x04 #ID 0x02 yes yes subdevice meta (HID) log
Note: #ID can be any device ID plus 0 which represents all of the device data
accumulated.
List of Input System Events (TC = 0x15)
--------------------------------------------------------------------------------
CID IID TID Payload Name/Function Source
------------------------------------------------------------------------
0x00 #ID 0x02 yes input report (touchpad) log
Note: Keyboard events are sent over IID 0 for SL3
List of REG System Requests (TC = 0x21)
--------------------------------------------------------------------------------
CID IID TID Payload Name/Function Source
------------------------------------------------------------------------
0x01 ? 0x02 yes Events enable rev
0x02 ? 0x02 yes Events disable rev
List of Unknown EC Requests
================================================================================
Note: Currently only commands returning data or causing noticeable
side-effects can be discovered via probing, i.e. sending data to the EC and
awaiting a response. It is also unclear if and what kind of payload these
commands take. Furthermore, Some commands that we assume are undefined (e.g.
TC=2, CID=1, IID=6) can lead to unexpected behavior (in this case turning
off the system), which might be undefined.
List of Unknown System Requests (TC = 0x01)
--------------------------------------------------------------------------------
CID IID TID Payload Response Function/Behavior Source
------------------------------------------------------------------------
0x0d 0 0x01 ? yes ? probing
0x0e 0 0x01 ? yes ? probing
0x24 0 0x01 ? yes RTC: ? probing
0x27 0 0x01 ? yes RTC: ? probing
0x29 0 0x01 ? yes RTC: ? probing
0x2b 0 0x01 yes yes RTC: ? probing
0x2c 0 0x01 yes yes RTC: ? probing
0x2e 0 0x01 ? yes RTC: ? probing
0x2f 0 0x01 ? yes RTC: ? probing
0x38 0x00 0x01 2b 2b tcon: ? rev
List of Unknown Power Subsystem Requests (TC = 0x02)
--------------------------------------------------------------------------------
CID IID TID Payload Response Function/Behavior Source
------------------------------------------------------------------------
0x00 01 0x01 ? yes ? probing
0x08 01 0x01 ? yes ? probing
0x18 012 0x01 ? yes ? probing
0x1e 01 0x01 ? yes ? probing
0x1f 01 0x01 ? yes ? probing
0x20 01 0x01 ? yes ? probing
0x21 01 0x01 ? yes ? probing
0x29 01 0x01 ? yes ? probing
0x2a 01 0x01 ? yes ? probing
0x2b 01 0x01 ? yes ? probing
0x2c 01 0x01 ? yes ? probing
0x2d 012 0x01 ? yes ? probing
0x2e 012 0x01 ? yes ? probing
0x2f 012 0x01 ? yes ? probing
0x30 012 0x01 ? yes ? probing
0x31 012 0x01 ? yes ? probing
0x32 012 0x01 ? yes ? probing
0x32 012 0x01 ? yes ? probing
0x34 012 0x01 ? yes ? probing
0x35 01 0x01 ? yes ? probing
0x36 01 0x01 ? yes ? probing
0x37 01 0x01 ? yes ? probing
0x38 01 0x01 ? yes ? probing
0x39 01 0x01 ? yes ? probing
0x3a 01 0x01 ? yes ? probing
0x3b 01 0x01 ? yes ? probing
0x3c 012 0x01 ? yes ? probing
0x3d 012 0x01 ? yes ? probing
0x3e 012 0x01 ? yes ? probing
0x3f 012 0x01 ? yes ? probing
0x42 012 0x01 ? yes ? probing
0x43 01 0x01 ? yes ? probing
0x44 01 0x01 ? yes ? probing
0x45 01 0x01 ? yes ? probing
0x47 01 0x01 ? yes ? probing
0x48 01 0x01 ? yes ? probing
0x4d 01 0x01 ? yes ? probing
0x4f 012 0x01 ? yes ? probing
0x50 0 0x01 ? yes ? probing/rev
0x51 0 0x01 yes no ? rev
0x52 01 0x01 ? yes ? probing
Note: IID 01 means the command works both on IID=0 and IID=1, similarly IID
012 means the command works on IID=0, IID=1, and IID=2. Note that commands
run on IID=0 likely return the same data as if run on IID=1.
List of Unknown PMC Requests (TC = 0x04)
--------------------------------------------------------------------------------
CID IID TID Payload Response Function/Behavior Source
------------------------------------------------------------------------
0x01 0x00 0x01 no no reboot probing
0x04 0x00 0x01 no no power-off probing
0x05 0x00 0x01 ? yes ? probing
0x06 0x00 0x01 yes yes telemetry? probing/rev
0x07 0x00 0x01 ? yes ? probing
List of Unknown KBD Requests (TC = 0x08)
--------------------------------------------------------------------------------
CID IID TID Payload Function/Behavior Source
------------------------------------------------------------------------
0x16 ? 0x02 no connection state? rev
List of Unknown TCL Requests (TC = 0x0C)
--------------------------------------------------------------------------------
CID IID TID Payload Response Function/Behavior Source
------------------------------------------------------------------------
0x0a 0x00 ? yes yes called for CID=0x0c rev
0x0b 1+ ? yes yes called for CID=0x0c rev
0x0c 1+ ? yes yes reads some buffer rev
0x0e 0 0x01 yes yes ? rev
CID=0x0a takes an u16 buffer ID as payload and returns that buffer ID,
followed by a maximum IID. With that, CID=0x0c can be called for IIDs in
range 1 to the obtained maximum (inclusively).
CID=0x0b takes an u16 buffer ID as payload and returns that buffer ID, followed
by unknown data ([0:2] seems to be buffer id, [2] instance ID, [3] flags with
[3]==1 meaning data available).
CID=0x0c takes the following struct as input (in order):
Type Description
------------------------------------------------------------------------
u16 Buffer ID
u32 Buffer offset (offset to read at, in bytes)
u16 Read length (length to read in bytes)
u8 End flag (zero for input, nonzero on output if exhausted)
The same struct is returned with same buffer ID and offset, but read length
represents the number of bytes actually read, and the end flag is nonzero if
the buffer does not hold any more data beyond this read request.
List of Unknown KIP Requests (TC = 0x0E)
--------------------------------------------------------------------------------
CID IID TID Payload Response Name/Function Source
------------------------------------------------------------------------
0x01 ? 0x02 no yes get connection state? rev
List of Unknown KIP Events (TC = 0x0E)
--------------------------------------------------------------------------------
CID IID TID Payload Function/Behavior Source
------------------------------------------------------------------------
0x26 0x00 0x01 yes hot-plug device state? rev+log
List of Unknown BAS Requests (TC = 0x11)
--------------------------------------------------------------------------------
CID IID TID Payload Response Function/Behavior Source
------------------------------------------------------------------------
0x0a 0x00 0x01 no yes fw-version? probing
List of Unknown REG Requests (TC = 0x21)
--------------------------------------------------------------------------------
CID IID TID Payload Response Name/Function Source
------------------------------------------------------------------------
0x02 0x00 0x02 yes yes ?? (possibly toggle) log
List of Unknown POS Requests (TC = 0x26)
--------------------------------------------------------------------------------
CID IID TID Payload Response Name/Function Source
------------------------------------------------------------------------
0x01 ? 0x01 no 28 bytes ? rev
0x02 ? 0x01 4 bytes 4 bytes ? rev
List of Unknown POS Events (TC = 0x26)
--------------------------------------------------------------------------------
CID IID TID Payload Function/Behavior Source
------------------------------------------------------------------------
0x03 0x00 0x01 yes form factor change log
Note: This list may not be exhaustive.