ProjectReverseEngineerESIdriver

From RevSpace
Revision as of 17:19, 26 November 2012 by Maxell (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Due to sloppy procurement practices we have acquired a ESI ESP1010e PCIe soundcard for the radio studio for which there is no Linux driver available. A proper hackerspace fixes this issue by writing its own driver. The Windows driver is available at http://www.esi-audiotechnik.com/download/ESI/ESP1010e/ESP1010e-v2_01.zip

The EP10eDrv.sys file from abovementioned archive has been disassembled using IDA Pro 5.0 Free (which runs fine under Wine, provide that you don't use an uncouth Linux distro such as Debian), see attachments to this page for the output.

  • [%ATTACHURL%/EP10eDrv.idb|EP10eDrv.idb]: IDA Pro 5.0 Free disassembly of EP10eDrv.sys (2011-03-21 version by smeding)
  • [%ATTACHURL%/ep10drv.html|ep10drv.html]: HTML version of the IDA Pro 5.0 Free disassembly of EP10drv.sys driver
  • [%ATTACHURL%/EP10eDrv.S|EP10eDrv.S]: objdump -d from 32 bit EP10eDrv.sys
  • [%ATTACHURL%/EP10eWDM.S|EP10eWDM.S]: objdump -d from 32 bit EP10eWDM.sys

Status as of 2011-03-21 (by smeding)

So far I've mostly managed to figure out the basic Windows driver stuff. This should however still be useful in providing more context for what the low-level stuff actually does.

The driver starts execution in what it exports as 'start' (which I've renamed DriverEntry as per the standard). It receives two arguments on the stack. The second is a Unicode string containing a registry entry it can store any persistent configuration in. The first is a DRIVER_OBJECT structure, which it fills with several things. The most interesting to us is the MajorFunction array, which specifies a list of IRP handlers. I've tagged those with the major IRP number they handle.

The Create and Close handlers seem to just return success and increment/decrement an internal register, and thus aren't very interesting. The Power and PnP handlers mainly check the minor IRP function, then use that as an index into their separate jump tables, from which they branch off into any of a number of subroutines. Some of these are boring and just return success as well, but others seem more interesting and contain a few more layers until finally calling raw I/O functions to write data to the PCI bus. Those are probably worth investigating the most.

The currently plan I have is to dig a little deeper into the PnP/Power handlers to see if I can figure out some more high-level handling, then work up from the raw I/O and try to piece results from these two approaches together into a general "send what where on what occasion" kind of spec. The other driver (EP10eWDM.sys) seems to be an audio miniport driver and is likely worth investigating as well.

Meanwhile, it also seems useful to take a close look at the audio hardware and try to glean as much about the chipset etc. as possible from there, if this hasn't been done already.