GMABooster? Overclock?

I decided to publish the results of my research on the GMABooster program , which was presented to the harazhitelami just yesterday. I must say right away that the analysis would not have been carried out so quickly if it were not for the completely unfamiliar Werat habraiser , who remotely tested my code from the admin on his Acer Aspire One a150 (the man ventured).

With my topic I would like to emphasize the importance of open products, the freedom of information exchange between people [and also remind everyone who complains and cries that Habr is a cake!].

Disclaimer: The analysis is provided solely for educational and peaceful purposes, least of all I would like to reduce the amount of donations towards the author of the program. In any case, he carried out work that deserves respect. Also, I have to consider an “alternative” solution for some platforms, due to the fact that GMABooster is not convenient for a number of criteria, especially for Linux and Mac users.



The topic was raised quite interesting, in the topic there were thoughts about a possible fraud and it was decided to check it out myself. Being the owner of the Acer Aspire 8735G, it was not easy to do, so I went from the opposite, took up reverse engineering. I’ll clarify right away that we will not bypass the author’s protection.

Windows Inside

At the moment, two versions of GMABooster can be downloaded from the official site. For GMA900 and GMA950. In fact, there is only one version and one distribution. Unpack and dive into the analysis of the content - immediately discard the uninstaller, presets for different frequencies, documentation. Let's leave the following set of files:

Auto.exe - a console utility for changing the frequency. This utility can be invoked with command line parameters that set the frequency value.

As you can see, implemented on .Net (language is not important). GUI, launchers and other presets are written on .Net. Here is such a wild mix of drivers and high-level frameworks. Decompilation lovers can use .Net Reflector to find out what they want. The license agreement forbids me to decompile, while I accept the terms of the game and look for other ways.

Porttalk.sys is actually some kind of driver. Googling, you may find that this is really PortTalk- A driver for the NT-family of Windows OS, which allows you to directly access I / O ports. It really does not have x64 support, and the last update was in the 2002th year. By the way, PortTalk uses tricky enough tricks to provide access (yes, it was only simple in Windows 9x). I recommend that you familiarize yourself with the details on the project page, especially since the project is open and free.

Helper.exe - absolutely accidentally noticed in the documentation for PortTalk that it comes with the AllowIO program, which allows you to run a third-party application and open specific (or all) ports for it through the installed PortTalk driver. Actually this is AllowIO.exe, except that the author renamed it and made funny changes:

Links to the official PortTalk website are erased and copyright is destroyed as a class. It became sad.

GMABooster’s workflow is getting a little clearer. Someone runs Helper.exe, which gives the application access to I / O ports. Now the application should go to the ports and make a series of requests. ASM inserts in .Net will not be entirely appropriate (and impossible in this form), so the author was obliged to place them in separate modules. Let's look further.

AsmDll.dll and AsmDll2.dll - the actual implementation of communication at the I / O ports level [0CF8h / 0CFCh, configure PCI]. Well, we won’t decompile, there will probably be something painfully classical (although I’m far enough from this):

We set the parameters Bus / Device / Function / Register and execute the request + write the value of the parameter. You can read more at the links: PCI Configuration Space and the same, but for programmers .

Let us dwell only on AsmDll.dll (they practically do not differ among themselves, just Auto.exe does not use AsmDll2 at all, respectively, you can deal without it). I won’t tell how I got a prototype of one single exported function [ int32 AsmAdd (int32, int32)], but here I am clean before the law. I have repeatedly emphasized that we will not decompile, therefore, a substitution of the AsmDll library was written, which also exported only one AsmAdd function and outputted information to the log. Having tormented Mr. Werat'a and his netbook a bit , the values ​​of the input parameters for each frequency were obtained.

166 MHz [0xF0, 0x34646000] [0xF0, 0x34646000] [0xF0, 0x34646000]
200 MHz [0xF0, 0x34646000] [0xF0, 0x34640534]
250 MHz [0xF0, 0x34646000] [0xF0, 0x346405]
0x340400] 0x34640z , 0x34640533]

In [], one call to AsmAdd was made by the “frequency switching” utility, respectively, it was called three times for 166 MHz (maybe this is an error, or some author's watermark - I won’t judge, for it is amateur), for the others twice.

Actually for me, 0x34640533 will remain a magic number, I'm sure that there will be someone on the hub who can explain what / where and how.

Alternative

Thus, to overclock your Intel-based GPU to a frequency of 400 MHz (according to GMABooster), it is enough to write to hardware registers.

For example, a script for Mac OS will look something like this:
reggie_se -w 0x34646000 -D PCI -i 16 -a 0xF0 -B 32
reggie_se -w 0x34640533 -D PCI -i 16 -a 0xF0 -B 32

You can without any problems add it to autoload. I am sure that a utility similar to reggie_se is also available on Linux.

Conclusions for yourself

1. I don’t want to talk about changing the frequency, because the voltage does not change, I'm sure of it;
2. The utility is safe (in terms of malware);
3. The utility performs the simplest (from the point of view of implementation) action — writing a certain value to the register, a certain change in the PCI device configuration. Why the author keeps this a secret and arranges a headache for users [weekly update, etc.], I personally do not understand;
4. The changes made work until the moment of going into sleep mode / hibernation / shutdown;
5. The author of GMABooster has hooked many on the needle :)
6. Based on numerous reviews, slight acceleration is indeed observed;
7. I was wrong using slightly blurry floomby jpg-images in the topic.

I do not deny the merits of the author, I would still like to see him on Habré, hear the story of the appearance of magic number and apologize to him for his article.

I would really like to find people who could correctly use the results (implementation for x64, for example). I will also be glad to hear any additions from knowledgeable experts - being far from such low-level things, I can’t understand everything, let alone explain why I apologize.

Update # 1 News from the front of the macrobuckers , there the Mac'a owner drew attention to how GMABooster works (he turns out to call the same reggie_se) and offered his own version of the script + made quite funny comments. And more useful stuff (untested, true) for Linux owners