24.04.2025; Talk
Echtzeit-AG
Reverse Engineering the Binary MOF Format for enhancing FOSS Hardware-Driver Capabilities
Current computer systems rely on a wide range of firmware interfaces to
expose platform-specific controls to the operating system. On
contemporary desktop computers, the Advanced Configuration and Power
Interface (ACPI) serves as the basic firmware interface to control
essential platform functionality like power management, device discovery
and sleep states.
Nevertheless, there are various proprietary extensions to the standard
ACPI specification for controlling platform-specific features, such as
the WMI-ACPI interface used on computers designed for Microsoft Windows.
This interface allows user space applications to call ACPI methods in a
well-defined manner using Windows Management Instrumentation (WMI), and
is widely used by device manufacturers for system configuration and
management.
The WMI-ACPI interface relies on a binary format, the Binary MOF format,
for describing existing WMI interfaces. This format, however, is not
documented by Microsoft, which impairs the use of the WMI-ACPI interface
by other operating systems.
The ability to decode the Binary MOF format is essential for using the
WMI-ACPI interface in a safe and stable manner. Other operating systems
with WMI-ACPI support, like the Linux kernel and FreeBSD, would thus
benefit from such an ability. Firmware security researchers might also
gain valuable insights when auditing WMI interfaces exposed over
WMI-ACPI by being able to decode the associated Binary MOF buffers.
We will thus reverse engineer the Binary MOF format and develop a
utility for decoding it. For demonstration purposes we will be using the
official Microsoft MOF compiler (mofcomp) to compile a regular MOF file
into a Binary MOF file and use the newly developed utility to extract
the original WMI interface description from the result.