The complexity of modern firmware grows with that of the hardware it runs on. Many hardware manufacturers have decided to release only closed source. Some provide closed source BLOBs to be used with open source firmware. Lacking good documentation and having no insight into what is actually done, and when it is done, causes severe problems when those BLOBs are integrated into an Open Source environment.

AUTOREV is an Open Source framework that tries to shine some light onto specific parts of those closed source BLOBs, giving FOSS firmware developers a better understanding of what's actually going on. It's based on black-box testing and thus can only analyze a small part of the firmware BLOB by observing the I/O it generates.

AUTOREV collects I/O traces for various BIOS settings and creates an abstract syntax tree (AST), which can then be converted into High Level Source code (HLS). It has been successfully tested on x86 platforms.

Abstract Syntax Tree

The generated AST of a simple source program, where every node is one I/O instruction, looks like this:

The source code that generated the AST was:

/* unconditional I/O: present in every trace */
outw(0xddaa, 0x80);

if (config) {
        struct testconfig {
                uint32_t config1;
                uint32_t config2;
                uint32_t config3;
                uint32_t config4;
        } *myconfig = (struct testconfig *)config;

        /* I/O that only appears for certain configuration values */
        if (myconfig->config1 || myconfig->config2) {
                pci_write_config8(dev, Q35_PAM0 + 6, 0x30);
        }
        if (myconfig->config1) {
                pci_read_config32(dev, Q35_PAM0);
        }
        if (myconfig->config2) {
                outb(0x00, 0x80);
        }
        /* the written value itself depends on the configuration */
        pci_write_config8(dev, Q35_PAM0 + 2, myconfig->config3);
        if (myconfig->config4) {
                pci_write_config8(dev, Q35_PAM0 + 1, myconfig->config4 + 1);
        } else {
                outb(0x12, 0x80);
                outb(0x34, 0x80);
        }
}
outw(0xaadd, 0x80);
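
The trace-to-source idea applied to the sample program above, as an added Python example that is not AUTOREV's own code: two I/O traces, recorded with config4 off and on, are merged into a small AST and rendered as C-like source. The traces are constructed, and the names build_ast, stmt and emit_hls are hypothetical; AUTOREV's actual algorithm and data model may differ.

```python
from difflib import SequenceMatcher

# Constructed traces (not captured from hardware): the I/O the sample program
# above would emit with config1 = config2 = config3 = 0. Event = (op, target, value).
TRACE_CONFIG4_OFF = [
    ("outw", "0x80", 0xDDAA),
    ("pci_write_config8", "Q35_PAM0 + 2", 0x00),
    ("outb", "0x80", 0x12),
    ("outb", "0x80", 0x34),
    ("outw", "0x80", 0xAADD),
]
TRACE_CONFIG4_ON = [
    ("outw", "0x80", 0xDDAA),
    ("pci_write_config8", "Q35_PAM0 + 2", 0x00),
    ("pci_write_config8", "Q35_PAM0 + 1", 0x02),
    ("outw", "0x80", 0xAADD),
]

def build_ast(option, trace_off, trace_on):
    """Merge two traces: ('io', ev) where they agree, ('if', ...) where they diverge."""
    ast = []
    matcher = SequenceMatcher(a=trace_off, b=trace_on, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            ast.extend(("io", ev) for ev in trace_off[i1:i2])
        else:  # insert / delete / replace: I/O that depends on the option
            ast.append(("if", option, trace_on[j1:j2], trace_off[i1:i2]))
    return ast

def stmt(event, indent=""):
    # Argument order follows the calls on this page: value first for port I/O.
    op, target, value = event
    args = f"{value:#04x}, {target}" if op.startswith("out") else f"dev, {target}, {value:#04x}"
    return f"{indent}{op}({args});"

def emit_hls(ast):
    """Render the AST as C-like high-level source lines."""
    lines = []
    for node in ast:
        if node[0] == "io":
            lines.append(stmt(node[1]))
            continue
        _, option, on_events, off_events = node
        lines.append(f"if ({option}) {{")
        lines += [stmt(ev, "    ") for ev in on_events]
        if off_events:
            lines.append("} else {")
            lines += [stmt(ev, "    ") for ev in off_events]
        lines.append("}")
    return lines
```

The generated branch writes the constant 0x02 because that is all a single pair of traces shows; recovering that the value is config4 + 1 would need traces for more values of config4.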


The proposed framework is still under development and lacks many features, such as:

  • Loop detection and HLS loop generation
  • Conditionals based on input I/O
  • Grouping code blocks into functions
  • Deadlock detection
  • Read-Modify-Write detection