Better understanding EC structure, model and firmware naming

[glpnk]

Information presented here is just guesses and theories. Some information could be outdated.

Preamble

Thanks all who shared EC dumps.

For better readability screenshots made with this HexPat

Model naming

Model name regularly contain display size and CPU generation. For newer devices is easy to spot as part of model name something like 10-11-12-13... for Intel 10+gen based and 3-4-5-7... for AMD Ryzen based CPU/SoC. Older Intel i3/i5/i7 based devices follows same rule but it submission to this repo is rare. Some models submitted without EC dump or full name.

EC firmware naming

Most fresh models named like abcdEMS1.ver, where ab frequently but not always equals to screen diagonal, bc is some model code, EMS1 is something, ver is version number.

Some models have xxxxEMS2 or different code but it structure seems near the same

Seems that xxxx part in EC name is mainboard or model codename.
Look at the value Motherboard -> Model and compare it to BIOS Version.

Source #66 @benitozh

Intel VS AMD

Intel 10+gen have shift, backlight, fan settings on 0xD_ addresses.

AMD Ryzen models - on 0xF_ addresses.

Older Intel requires more data and research.

[For now] Unusual models

Highlighted values may be different from real

16K2ED61.101 not like xxxxEMS1 #88

17G1EMS2.106 with EMS2 #82

Older models

Very unusual model+release datetime from #35 168AEMS1 Ver4.04, 05/31/2010 but follows xxxxEMS1 pattern

Experiments [DO NOT RETRY it can destroy your hardware]

If I understood correctly in #64 @vt92i tried to fix broken keyboard backlight. For this he wrote 0xFF to all EC registers and this somehow impacted some default values, some of them seemed readonly but some was read/wright.
Highlighted values with binary pattern ?4. Some other values are changed too, like datetime in EC name/

Deltas

Very similar AMD based devices.

Some values could be ignored, but range 0x30-4f looks interesting.

AMD based device with EC name IMS1 look similar to Intel based device with EMS1 (which is more submitted)

In many cases EMS1 AMD and Intel devices is less compatible

If you have model with different from usual xxxxEMS1.ver EC firmware name please send it dump

[glpnk]

Is it legal to obtain/share/use reverse engineered by C# dotnet binary decompilation? Or at least "Trust me bro" representation without direct sharing result of decompilation

[teackot]

No, I have a 10 gen Intel i7-10710U

[glpnk]

Check this #98 (reply in thread) if GUIDs are same it is "WMI1"

[teackot]

Yep, they are the same

[teackot]

If you need the GUIDs:

05901221-D566-11D1-B2F0-00A0C9062910
05901221-D566-11D1-B2F0-00A0C9062910-1
1EC3EC7A-1E9B-E74A-9026-CF122B0BBD21
1F13AB7F-6220-4210-8F8E-8BB5E71EE969
24418D6A-0A79-524C-9AB1-18B78CA68CE7
2BC49DEF-7B15-4F05-8BB7-EE37B9547C0B
2D3CBA6C-1C9C-7F41-B54C-F5D5D580D482
40BA026D-075D-CD4A-9710-F7C57347CAC9
4AFBD56B-9F91-8F49-81F5-995BA73822AF
5B3CC38A-40D9-7245-8AE6-1145B751BE3F
86CCFD48-205E-4A77-9C48-2021CBEDE341
8DBCCF6E-9DB4-0E46-A3F2-99AFAAA77A7A
A1753D7B-B621-DE4A-B41A-55716A0ECE7A
A1753D7C-B621-DE4A-B41A-55716A0ECE7A
A486D8F8-0BDA-471B-A72B-6042A6B5BEE0
A6FEA33E-DABF-46F5-BFC8-460D961BEC9F
BD2A216F-2FB9-A640-B807-DDDBAD656891
CA4982BF-C230-458E-B12F-6F16475F351B
F6CB5C3C-9CAE-4EBD-B577-931EA32A2CC0

[glpnk]

Actually some EC addresses could be decoded from DSDT, because EC map defined at least twice: named and in address form, we can guess what was encoded in 4 byte ACPI name for first and check addresses in form ??xx or ?xxy, where xx is byte, y - bit

If you want to read some ACPI tables (like DSDT) content try this editor

MSI forum contain section with mod-BIOSes and mod-ECs

Thread about (no) Linux support; Another; Yet another; And another; The last one

Admins of the forum say that Linux is not main target which is understandable. Look like no one reported their ticket to support or don't got and shared positive response

[glpnk]

Please suggest list of apps for MSI laptops and it compatibility:

• MSI SCM (possibly it is only backend for Dragon Center for some models)
• Dragon Center
• Creator Center
• MSI Center Pro (codename Business Center)
• MSI Center

I'm interested in older ones an it cross compatibility.

Each device is supported only by one App, unless the opposite is stated on the support page. Some model supports two Apps, but with different BIOS version.

Interesting facts - there are at least 2 or 3 method of accessing EC:

• WMI2 - reasons why MsiEcRamEditor works. Accessible with NamedPipeClientLib or directly by MSIWMIACPI2. Possibly works only on Intel.
• WMI1
• WinIO - works on AMD through NamedPipeClient/Server, require running MSIAPService which use KernCoreLib64.dll/sys

About similar case with WinIO on MSI hardware on Reddit

WinIO returns 4 byte for each requested address, 1 current and 3 next. On write WinIO require all 4 bytes as uint32, so usage is quite dangerous if we mess with some important realtime value after it had been changed by hardware.

All Apps contain some WMI code called binary MOF/BMOF/.bmf which stored inside the DSDT/SSDT tables and App backend. It describes WMI API which is safe to use (but in AMD devices case some of it is replaced with kernel level module, which is at least strange). I can assume that it named like WMI1 and WMI2 (because WMI2 is name of module in newer Apps).

WMI1:

• MSI SCM

WMI2: (Also shares same BMOF code inside)

• Creator Center
• MSI Center Pro
• MSI Center
• Dragon Center

MOF code from older Apps is extended in newer with WMI2 section

---

Some EFI vars store info and preferences for model, like Win-FN swap direction. But possibly it's just temp storage. [TODO]

[glpnk]

Info from DSDT table by https://github.com/aymanbagabas/bmf2mof.wasm

Technically speaking, I think that MSI app interact with some BIOS backend via WMI, not EC RAM directly, but also part of this code stored inside the driver.

MTDE _WDG

B2526ED4-CB45-49FA-9230-8D2FE8AFB8EC
        	notify_id: 4d
        	reserved: 4b
        	instance_count: 01
        	flags: ACPI_WMI_METHOD(0x2)
1E2A0DA0-2B9E-424F-9C87-B1DAC3F4E9DA
        	notify_id: b0
        	reserved: 00
        	instance_count: 01
        	flags: ACPI_WMI_EVENT(0x8)
05901221-D566-11D1-B2F0-00A0C9062910
        	notify_id: 4d
        	reserved: 4d
        	instance_count: 01
        	flags: 0x00

SCM0 _WDG

24418D6A-0A79-524C-9AB1-18B78CA68CE7 # MSI_Software
        	notify_id: 41
        	reserved: 41
        	instance_count: 22
        	flags: ACPI_WMI_EXPENSIVE(0x1)
4AFBD56B-9F91-8F49-81F5-995BA73822AF # MSI_Device
        	notify_id: 41
        	reserved: 42
        	instance_count: 04
        	flags: ACPI_WMI_EXPENSIVE(0x1)
2D3CBA6C-1C9C-7F41-B54C-F5D5D580D482 # MSI_Power
        	notify_id: 41
        	reserved: 43
        	instance_count: 03
        	flags: ACPI_WMI_EXPENSIVE(0x1)
40BA026D-075D-CD4A-9710-F7C57347CAC9 # MSI_Master_Battery
        	notify_id: 41
        	reserved: 44
        	instance_count: 10
        	flags: ACPI_WMI_EXPENSIVE(0x1)
8DBCCF6E-9DB4-0E46-A3F2-99AFAAA77A7A # MSI_Slave_Battery
        	notify_id: 41
        	reserved: 45
        	instance_count: 0e
        	flags: ACPI_WMI_EXPENSIVE(0x1)
BD2A216F-2FB9-A640-B807-DDDBAD656891 # MSI_CPU
        	notify_id: 41
        	reserved: 46
        	instance_count: 13
        	flags: ACPI_WMI_EXPENSIVE(0x1)
1EC3EC7A-1E9B-E74A-9026-CF122B0BBD21 # MSI_VGA
        	notify_id: 41
        	reserved: 47
        	instance_count: 12
        	flags: ACPI_WMI_EXPENSIVE(0x1)
A1753D7B-B621-DE4A-B41A-55716A0ECE7A # MSI_System
        	notify_id: 41
        	reserved: 48
        	instance_count: 15
        	flags: ACPI_WMI_EXPENSIVE(0x1)
A1753D7C-B621-DE4A-B41A-55716A0ECE7A # MSI_AP
        	notify_id: 41
        	reserved: 49
        	instance_count: 08
        	flags: ACPI_WMI_EXPENSIVE(0x1)
5B3CC38A-40D9-7245-8AE6-1145B751BE3F # MSI_Event
        	notify_id: c0
        	reserved: 00
        	instance_count: 01
        	flags: ACPI_WMI_EXPENSIVE(0x1) | ACPI_WMI_EVENT(0x8)

WLAN QR01

FC0E0C01-080C-08FA-04FC-0A0DFC0A08FA
        	notify_id: 06
        	reserved: 04
        	instance_count: fc
        	flags: 00

[glpnk]

GUID's from DSDT SCM0 _WDG binary MOF (bmf) file match with GUID's from msiapcfg.dll (which contain only binary MOF in MS Windows format)

MSI_Software - Class to ECRam Query/Set Software
MSI_SoftwareGuid { 24418d6a-0a79-524c-9ab1-18b78ca68ce7 }

MSI_Device - Class to ECRam Query/Set Device
MSI_DeviceGuid { 4afbd56b-9f91-8f49-81f5-995ba73822af }

MSI_Power - Class to ECRam Query/Set Power
MSI_PowerGuid { 2d3cba6c-1c9c-7f41-b54c-f5d5d580d482 }

MSI_Master_Battery - Class to ECRam Query/Set Master_Battery
MSI_Master_BatteryGuid { 40ba026d-075d-cd4a-9710-f7c57347cac9 }

MSI_Slave_Battery - Class to ECRam Query/Set Slave_Battery
MSI_Slave_BatteryGuid { 8dbccf6e-9db4-0e46-a3f2-99afaaa77a7a }

MSI_CPU - Class to ECRam Query/Set CPU
MSI_CPUGuid { bd2a216f-2fb9-a640-b807-dddbad656891 }

MSI_VGA - Class to ECRam Query/Set VGA
MSI_VGAGuid { 1ec3ec7a-1e9b-e74a-9026-cf122b0bbd21 }

MSI_System - Class to ECRam Query/Set System
MSI_SystemGuid { a1753d7b-b621-de4a-b41a-55716a0ece7a }

MSI_AP - Class to ECRam Query/Set AP
MSI_APGuid { a1753d7c-b621-de4a-b41a-55716a0ece7a }

MSI_Event - Event defined by MSI
MSI_EventGuid { 5b3cc38a-40d9-7245-8ae6-1145b751be3f }

This part is not match

Package - This class contains the definition of the package used in other classes
PackageGuid { abbc0f60-8ea1-11d1-00a0-c90629100000 }

Package_1 - This class contains the definition of the package used in other classes
Package_1Guid { abbc0f61-8ea1-11d1-00a0-c90629100000 }

Package_10 - This class contains the definition of the package used in other classes
Package_10Guid { abbc0f62-8ea1-11d1-00a0-c90629100000 }

Package_32 - This class contains the definition of the package used in other classes
Package_32Guid { abbc0f63-8ea1-11d1-00a0-c90629100000 }

MSI_ACPI - Class used to operate methods on a package
MSI_ACPIGuid { abbc0f6e-8ea1-11d1-00a0-c90629100000 }

I'll add comments in post above

[glpnk]

DSDT table of Intel 10 gen and earlier devices contain same GUIDs like any AMD, but on 11+ gen only:

MSI_Event - Event defined by MSI
MSI_EventGuid { 5b3cc38a-40d9-7245-8ae6-1145b751be3f }

MSI_ACPI - Class used to operate methods on a package
MSI_ACPIGuid { abbc0f6e-8ea1-11d1-00a0-c90629100000 }

MSI_ACPI is New GUID and not contained in older models

[glpnk]

MOF from MSI SCM for gaming series (around Intel 8+ gen) decompiled by https://github.com/aymanbagabas/bmf2mof.wasm

MOF from newer driver is longer, so it possibly crash decompiler, or has different structure that supported only by proprietary MS Driver Kit

Spoiler: MOF from MSI SCM

#pragma namespace("\\\\.\\root\\wmi")
class WMIEvent : __ExtrinsicEvent {
};

#pragma namespace("\\\\.\\root\\wmi")
[WMI, Dynamic, Provider("WmiProv"), Locale("MS\\0x409"), Description("Class to ECRam Query/Set Software"), guid("{24418D6A-0A79-524C-9AB1-18B78CA68CE7}")]
class MSI_Software {
  [key, read] String InstanceName;
  [read] Boolean Active;
  [WmiDataId(1), read, write, Description("Software")] uint8 Software;
};

#pragma namespace("\\\\.\\root\\wmi")
[WMI, Dynamic, Provider("WmiProv"), Locale("MS\\0x409"), Description("Class to ECRam Query/Set Device"), guid("{4AFBD56B-9F91-8f49-81F5-995BA73822AF}")]
class MSI_Device {
  [key, read] String InstanceName;
  [read] Boolean Active;
  [WmiDataId(1), read, write, Description("Device")] uint8 Device;
};

#pragma namespace("\\\\.\\root\\wmi")
[WMI, Dynamic, Provider("WmiProv"), Locale("MS\\0x409"), Description("Class to ECRam Query/Set Power"), guid("{2D3CBA6C-1C9C-7f41-B54C-F5D5D580D482}")]
class MSI_Power {
  [key, read] String InstanceName;
  [read] Boolean Active;
  [WmiDataId(1), read, write, Description("Power")] uint8 Power;
};

#pragma namespace("\\\\.\\root\\wmi")
[WMI, Dynamic, Provider("WmiProv"), Locale("MS\\0x409"), Description("Class to ECRam Query/Set Master_Battery"), guid("{40BA026D-075D-cd4a-9710-F7C57347CAC9}")]
class MSI_Master_Battery {
  [key, read] String InstanceName;
  [read] Boolean Active;
  [WmiDataId(1), read, write, Description("Master_Battery")] sint16 Master_Battery;
};

#pragma namespace("\\\\.\\root\\wmi")
[WMI, Dynamic, Provider("WmiProv"), Locale("MS\\0x409"), Description("Class to ECRam Query/Set Slave_Battery"), guid("{8DBCCF6E-9DB4-0e46-A3F2-99AFAAA77A7A}")]
class MSI_Slave_Battery {
  [key, read] String InstanceName;
  [read] Boolean Active;
  [WmiDataId(1), read, write, Description("Slave_Battery")] sint16 Slave_Battery;
};

#pragma namespace("\\\\.\\root\\wmi")
[WMI, Dynamic, Provider("WmiProv"), Locale("MS\\0x409"), Description("Class to ECRam Query/Set CPU"), guid("{BD2A216F-2FB9-a640-B807-DDDBAD656891}")]
class MSI_CPU {
  [key, read] String InstanceName;
  [read] Boolean Active;
  [WmiDataId(1), read, write, Description("CPU")] uint8 CPU;
};

#pragma namespace("\\\\.\\root\\wmi")
[WMI, Dynamic, Provider("WmiProv"), Locale("MS\\0x409"), Description("Class to ECRam Query/Set VGA"), guid("{1EC3EC7A-1E9B-e74a-9026-CF122B0BBD21}")]
class MSI_VGA {
  [key, read] String InstanceName;
  [read] Boolean Active;
  [WmiDataId(1), read, write, Description("VGA")] uint8 VGA;
};

#pragma namespace("\\\\.\\root\\wmi")
[WMI, Dynamic, Provider("WmiProv"), Locale("MS\\0x409"), Description("Class to ECRam Query/Set System"), guid("{A1753D7B-B621-de4a-B41A-55716A0ECE7A}")]
class MSI_System {
  [key, read] String InstanceName;
  [read] Boolean Active;
  [WmiDataId(1), read, write, Description("System")] uint8 System;
};

#pragma namespace("\\\\.\\root\\wmi")
[WMI, Dynamic, Provider("WmiProv"), Locale("MS\\0x409"), Description("Class to ECRam Query/Set AP"), guid("{A1753D7C-B621-de4a-B41A-55716A0ECE7A}")]
class MSI_AP {
  [key, read] String InstanceName;
  [read] Boolean Active;
  [WmiDataId(1), read, write, Description("AP")] uint8 AP;
};

#pragma namespace("\\\\.\\root\\wmi")
[WMI, Dynamic, Provider("WmiProv"), Local("MS\\0x409"), Description("Event defined by MSI"), guid("{5B3CC38A-40D9-7245-8AE6-1145B751BE3F}")]
class MSI_Event : WMIEvent {
  [key, read] String InstanceName;
  [read] Boolean Active;
  [WmiDataId(1), read, write, Description("Event defined by MSI")] uint32 MSIEvt;
};

Also I managed to decompile bMOF from newer version. It more complicated and also somehow breaks program. So I edited original program used in web tool and removed some exceptions. Original program https://github.com/pali/bmfdec

Spoiler: MOF from MSI CenterPro (business)

class WMIEvent : __ExtrinsicEvent {
};

[WMI, Dynamic, Provider("WmiProv"), Locale("MS\\0x409"), Description("Class to ECRam Query/Set Software"), guid("{24418D6A-0A79-524C-9AB1-18B78CA68CE7}")]
class MSI_Software {
  [key, read] string InstanceName;
  [read] boolean Active;
  [WmiDataId(1), read, write, Description("Software")] uint8 Software;
};

[WMI, Dynamic, Provider("WmiProv"), Locale("MS\\0x409"), Description("Class to ECRam Query/Set Device"), guid("{4AFBD56B-9F91-8f49-81F5-995BA73822AF}")]
class MSI_Device {
  [key, read] string InstanceName;
  [read] boolean Active;
  [WmiDataId(1), read, write, Description("Device")] uint8 Device;
};

[WMI, Dynamic, Provider("WmiProv"), Locale("MS\\0x409"), Description("Class to ECRam Query/Set Power"), guid("{2D3CBA6C-1C9C-7f41-B54C-F5D5D580D482}")]
class MSI_Power {
  [key, read] string InstanceName;
  [read] boolean Active;
  [WmiDataId(1), read, write, Description("Power")] uint8 Power;
};

[WMI, Dynamic, Provider("WmiProv"), Locale("MS\\0x409"), Description("Class to ECRam Query/Set Master_Battery"), guid("{40BA026D-075D-cd4a-9710-F7C57347CAC9}")]
class MSI_Master_Battery {
  [key, read] string InstanceName;
  [read] boolean Active;
  [WmiDataId(1), read, write, Description("Master_Battery")] sint16 Master_Battery;
};

[WMI, Dynamic, Provider("WmiProv"), Locale("MS\\0x409"), Description("Class to ECRam Query/Set Slave_Battery"), guid("{8DBCCF6E-9DB4-0e46-A3F2-99AFAAA77A7A}")]
class MSI_Slave_Battery {
  [key, read] string InstanceName;
  [read] boolean Active;
  [WmiDataId(1), read, write, Description("Slave_Battery")] sint16 Slave_Battery;
};

[WMI, Dynamic, Provider("WmiProv"), Locale("MS\\0x409"), Description("Class to ECRam Query/Set CPU"), guid("{BD2A216F-2FB9-a640-B807-DDDBAD656891}")]
class MSI_CPU {
  [key, read] string InstanceName;
  [read] boolean Active;
  [WmiDataId(1), read, write, Description("CPU")] uint8 CPU;
};

[WMI, Dynamic, Provider("WmiProv"), Locale("MS\\0x409"), Description("Class to ECRam Query/Set VGA"), guid("{1EC3EC7A-1E9B-e74a-9026-CF122B0BBD21}")]
class MSI_VGA {
  [key, read] string InstanceName;
  [read] boolean Active;
  [WmiDataId(1), read, write, Description("VGA")] uint8 VGA;
};

[WMI, Dynamic, Provider("WmiProv"), Locale("MS\\0x409"), Description("Class to ECRam Query/Set System"), guid("{A1753D7B-B621-de4a-B41A-55716A0ECE7A}")]
class MSI_System {
  [key, read] string InstanceName;
  [read] boolean Active;
  [WmiDataId(1), read, write, Description("System")] uint8 System;
};

[WMI, Dynamic, Provider("WmiProv"), Locale("MS\\0x409"), Description("Class to ECRam Query/Set AP"), guid("{A1753D7C-B621-de4a-B41A-55716A0ECE7A}")]
class MSI_AP {
  [key, read] string InstanceName;
  [read] boolean Active;
  [WmiDataId(1), read, write, Description("AP")] uint8 AP;
};

[WMI, Dynamic, Provider("WmiProv"), Local("MS\\0x409"), Description("Event defined by MSI"), guid("{5B3CC38A-40D9-7245-8AE6-1145B751BE3F}")]
class MSI_Event : WMIEvent {
  [key, read] string InstanceName;
  [read] boolean Active;
  [WmiDataId(1), read, write, Description("Event defined by MSI")] uint32 MSIEvt;
};

[WMI, Locale("MS\\0x409"), Description("This class contains the definition of the package used in other classes"), guid("{ABBC0F60-8EA1-11d1-00A0-C90629100000}")]
class Package {
  [WmiDataId(1), read, write, Description("16 bytes of data")] uint8 Bytes[16];
};

[WMI, Locale("MS\\0x409"), Description("This class contains the definition of the package used in other classes"), guid("{ABBC0F61-8EA1-11d1-00A0-C90629100000}")]
class Package_1 {
  [WmiDataId(1), read, write, Description("1 bytes of data")] uint8 Bytes[1];
};

[WMI, Locale("MS\\0x409"), Description("This class contains the definition of the package used in other classes"), guid("{ABBC0F62-8EA1-11d1-00A0-C90629100000}")]
class Package_10 {
  [WmiDataId(1), read, write, Description("10 bytes of data")] uint8 Bytes[10];
};

[WMI, Locale("MS\\0x409"), Description("This class contains the definition of the package used in other classes"), guid("{ABBC0F63-8EA1-11d1-00A0-C90629100000}")]
class Package_32 {
  [WmiDataId(1), read, write, Description("32 bytes of data")] uint8 Bytes[32];
};

[WMI, Dynamic, Provider("WmiProv"), Locale("MS\\0x409"), Description("Class used to operate methods on a package"), guid("{ABBC0F6E-8EA1-11d1-00A0-C90629100000}")]
class MSI_ACPI {
  [key, read] string InstanceName;
  [read] boolean Active;

  [WmiMethodId(1), Implemented, read, write, Description("Return the contents of a package")] void GetPackage();
  [WmiMethodId(2), Implemented, read, write, Description("Set the contents of a package")] void SetPackage();
  [WmiMethodId(3), Implemented, read, write, Description("Return the contents of a package")] void Get_EC();
  [WmiMethodId(4), Implemented, read, write, Description("Set the contents of a package")] void Set_EC();
  [WmiMethodId(5), Implemented, read, write, Description("Return the contents of a package")] void Get_BIOS();
  [WmiMethodId(6), Implemented, read, write, Description("Set the contents of a package")] void Set_BIOS();
  [WmiMethodId(7), Implemented, read, write, Description("Return the contents of a package")] void Get_SMBUS();
  [WmiMethodId(8), Implemented, read, write, Description("Set the contents of a package")] void Set_SMBUS();
  [WmiMethodId(9), Implemented, read, write, Description("Return the contents of a package")] void Get_MasterBattery();
  [WmiMethodId(10), Implemented, read, write, Description("Set the contents of a package")] void Set_MasterBattery();
  [WmiMethodId(11), Implemented, read, write, Description("Return the contents of a package")] void Get_SlaveBattery();
  [WmiMethodId(12), Implemented, read, write, Description("Set the contents of a package")] void Set_SlaveBattery();
  [WmiMethodId(13), Implemented, read, write, Description("Return the contents of a package")] void Get_Temperature();
  [WmiMethodId(14), Implemented, read, write, Description("Set the contents of a package")] void Set_Temperature();
  [WmiMethodId(15), Implemented, read, write, Description("Return the contents of a package")] void Get_Thermal();
  [WmiMethodId(16), Implemented, read, write, Description("Set the contents of a package")] void Set_Thermal();
  [WmiMethodId(17), Implemented, read, write, Description("Return the contents of a package")] void Get_Fan();
  [WmiMethodId(18), Implemented, read, write, Description("Set the contents of a package")] void Set_Fan();
  [WmiMethodId(19), Implemented, read, write, Description("Return the contents of a package")] void Get_Device();
  [WmiMethodId(20), Implemented, read, write, Description("Set the contents of a package")] void Set_Device();
  [WmiMethodId(21), Implemented, read, write, Description("Return the contents of a package")] void Get_Power();
  [WmiMethodId(22), Implemented, read, write, Description("Set the contents of a package")] void Set_Power();
  [WmiMethodId(23), Implemented, read, write, Description("Return the contents of a package")] void Get_Debug();
  [WmiMethodId(24), Implemented, read, write, Description("Set the contents of a package")] void Set_Debug();
  [WmiMethodId(25), Implemented, read, write, Description("Return the contents of a package")] void Get_AP();
  [WmiMethodId(26), Implemented, read, write, Description("Set the contents of a package")] void Set_AP();
  [WmiMethodId(27), Implemented, read, write, Description("Return the contents of a package")] void Get_Data();
  [WmiMethodId(28), Implemented, read, write, Description("Set the contents of a package")] void Set_Data();
  [WmiMethodId(29), Implemented, read, write, Description("Return the contents of a package")] void Get_WMI();
};

Same BMOF decompiled with Microsoft mofcomp.exe. Guide

mofcomp.exe -MOF:recovered.mof -MFL:ms_409.mof -Amendment:MS_409 .\mof.bmf

Spoiler: MOF from MSI CenterPro (business) by `mofcomp.exe`

class WMIEvent : __ExtrinsicEvent
{
};

[WMI,Dynamic,Provider("WmiProv"),Locale("MS\\0x409"),Description("Class to ECRam Query/Set Software"),guid("{24418D6A-0A79-524C-9AB1-18B78CA68CE7}")] 
class MSI_Software
{
  [key,read] InstanceName;
  [read] Active;
  [WmiDataId(1),read,write,Description("Software")] Software;
};

[WMI,Dynamic,Provider("WmiProv"),Locale("MS\\0x409"),Description("Class to ECRam Query/Set Device"),guid("{4AFBD56B-9F91-8f49-81F5-995BA73822AF}")] 
class MSI_Device
{
  [key,read] InstanceName;
  [read] Active;
  [WmiDataId(1),read,write,Description("Device")] Device;
};

[WMI,Dynamic,Provider("WmiProv"),Locale("MS\\0x409"),Description("Class to ECRam Query/Set Power"),guid("{2D3CBA6C-1C9C-7f41-B54C-F5D5D580D482}")] 
class MSI_Power
{
  [key,read] InstanceName;
  [read] Active;
  [WmiDataId(1),read,write,Description("Power")] Power;
};

[WMI,Dynamic,Provider("WmiProv"),Locale("MS\\0x409"),Description("Class to ECRam Query/Set Master_Battery"),guid("{40BA026D-075D-cd4a-9710-F7C57347CAC9}")] 
class MSI_Master_Battery
{
  [key,read] InstanceName;
  [read] Active;
  [WmiDataId(1),read,write,Description("Master_Battery")] Master_Battery;
};

[WMI,Dynamic,Provider("WmiProv"),Locale("MS\\0x409"),Description("Class to ECRam Query/Set Slave_Battery"),guid("{8DBCCF6E-9DB4-0e46-A3F2-99AFAAA77A7A}")] 
class MSI_Slave_Battery
{
  [key,read] InstanceName;
  [read] Active;
  [WmiDataId(1),read,write,Description("Slave_Battery")] Slave_Battery;
};

[WMI,Dynamic,Provider("WmiProv"),Locale("MS\\0x409"),Description("Class to ECRam Query/Set CPU"),guid("{BD2A216F-2FB9-a640-B807-DDDBAD656891}")] 
class MSI_CPU
{
  [key,read] InstanceName;
  [read] Active;
  [WmiDataId(1),read,write,Description("CPU")] CPU;
};

[WMI,Dynamic,Provider("WmiProv"),Locale("MS\\0x409"),Description("Class to ECRam Query/Set VGA"),guid("{1EC3EC7A-1E9B-e74a-9026-CF122B0BBD21}")] 
class MSI_VGA
{
  [key,read] InstanceName;
  [read] Active;
  [WmiDataId(1),read,write,Description("VGA")] VGA;
};

[WMI,Dynamic,Provider("WmiProv"),Locale("MS\\0x409"),Description("Class to ECRam Query/Set System"),guid("{A1753D7B-B621-de4a-B41A-55716A0ECE7A}")] 
class MSI_System
{
  [key,read] InstanceName;
  [read] Active;
  [WmiDataId(1),read,write,Description("System")] System;
};

[WMI,Dynamic,Provider("WmiProv"),Locale("MS\\0x409"),Description("Class to ECRam Query/Set AP"),guid("{A1753D7C-B621-de4a-B41A-55716A0ECE7A}")] 
class MSI_AP
{
  [key,read] InstanceName;
  [read] Active;
  [WmiDataId(1),read,write,Description("AP")] AP;
};

[WMI,Dynamic,Provider("WmiProv"),Local("MS\\0x409"),Description("Event defined by MSI"),guid("{5B3CC38A-40D9-7245-8AE6-1145B751BE3F}")] 
class MSI_Event : WMIEvent
{
  [key,read] InstanceName;
  [read] Active;
  [WmiDataId(1),read,write,Description("Event defined by MSI")] MSIEvt;
};

[WMI,Locale("MS\\0x409"),Description("This class contains the definition of the package used in other classes"),guid("{ABBC0F60-8EA1-11d1-00A0-C90629100000}")] 
class Package
{
  [WmiDataId(1),read,write,Description("16 bytes of data"),MAX(16)] Bytes[];
};

[WMI,Locale("MS\\0x409"),Description("This class contains the definition of the package used in other classes"),guid("{ABBC0F61-8EA1-11d1-00A0-C90629100000}")] 
class Package_1
{
  [WmiDataId(1),read,write,Description("1 bytes of data"),MAX(1)] Bytes[];
};

[WMI,Locale("MS\\0x409"),Description("This class contains the definition of the package used in other classes"),guid("{ABBC0F62-8EA1-11d1-00A0-C90629100000}")] 
class Package_10
{
  [WmiDataId(1),read,write,Description("10 bytes of data"),MAX(10)] Bytes[];
};

[WMI,Locale("MS\\0x409"),Description("This class contains the definition of the package used in other classes"),guid("{ABBC0F63-8EA1-11d1-00A0-C90629100000}")] 
class Package_32
{
  [WmiDataId(1),read,write,Description("32 bytes of data"),MAX(32)] Bytes[];
};

[WMI,Dynamic,Provider("WmiProv"),Locale("MS\\0x409"),Description("Class used to operate methods on a package"),guid("{ABBC0F6E-8EA1-11d1-00A0-C90629100000}")] 
class MSI_ACPI
{
  [key,read] InstanceName;
  [read] Active;
  [WmiMethodId(1),Implemented,read,write,Description("Return the contents of a package")] GetPackage();
  [WmiMethodId(2),Implemented,read,write,Description("Set the contents of a package")] SetPackage();
  [WmiMethodId(3),Implemented,read,write,Description("Return the contents of a package")] Get_EC();
  [WmiMethodId(4),Implemented,read,write,Description("Set the contents of a package")] Set_EC();
  [WmiMethodId(5),Implemented,read,write,Description("Return the contents of a package")] Get_BIOS();
  [WmiMethodId(6),Implemented,read,write,Description("Set the contents of a package")] Set_BIOS();
  [WmiMethodId(7),Implemented,read,write,Description("Return the contents of a package")] Get_SMBUS();
  [WmiMethodId(8),Implemented,read,write,Description("Set the contents of a package")] Set_SMBUS();
  [WmiMethodId(9),Implemented,read,write,Description("Return the contents of a package")] Get_MasterBattery();
  [WmiMethodId(10),Implemented,read,write,Description("Set the contents of a package")] Set_MasterBattery();
  [WmiMethodId(11),Implemented,read,write,Description("Return the contents of a package")] Get_SlaveBattery();
  [WmiMethodId(12),Implemented,read,write,Description("Set the contents of a package")] Set_SlaveBattery();
  [WmiMethodId(13),Implemented,read,write,Description("Return the contents of a package")] Get_Temperature();
  [WmiMethodId(14),Implemented,read,write,Description("Set the contents of a package")] Set_Temperature();
  [WmiMethodId(15),Implemented,read,write,Description("Return the contents of a package")] Get_Thermal();
  [WmiMethodId(16),Implemented,read,write,Description("Set the contents of a package")] Set_Thermal();
  [WmiMethodId(17),Implemented,read,write,Description("Return the contents of a package")] Get_Fan();
  [WmiMethodId(18),Implemented,read,write,Description("Set the contents of a package")] Set_Fan();
  [WmiMethodId(19),Implemented,read,write,Description("Return the contents of a package")] Get_Device();
  [WmiMethodId(20),Implemented,read,write,Description("Set the contents of a package")] Set_Device();
  [WmiMethodId(21),Implemented,read,write,Description("Return the contents of a package")] Get_Power();
  [WmiMethodId(22),Implemented,read,write,Description("Set the contents of a package")] Set_Power();
  [WmiMethodId(23),Implemented,read,write,Description("Return the contents of a package")] Get_Debug();
  [WmiMethodId(24),Implemented,read,write,Description("Set the contents of a package")] Set_Debug();
  [WmiMethodId(25),Implemented,read,write,Description("Return the contents of a package")] Get_AP();
  [WmiMethodId(26),Implemented,read,write,Description("Set the contents of a package")] Set_AP();
  [WmiMethodId(27),Implemented,read,write,Description("Return the contents of a package")] Get_Data();
  [WmiMethodId(28),Implemented,read,write,Description("Set the contents of a package")] Set_Data();
  [WmiMethodId(29),Implemented,read,write,Description("Return the contents of a package")] Get_WMI();
};

[glpnk]

Spoiler: full MOF from MSI Center shared by @Wer-Wolf #108

class WMIEvent : __ExtrinsicEvent {
};

[WMI, Dynamic, Provider("WmiProv"), Locale("MS\0x409"), Description("Class to ECRam Query/Set Software"), guid("{24418D6A-0A79-524C-9AB1-18B78CA68CE7}")]
class MSI_Software {
[key, read] string InstanceName;
[read] boolean Active;
[WmiDataId(1), read, write, Description("Software")] uint8 Software;
};

[WMI, Dynamic, Provider("WmiProv"), Locale("MS\0x409"), Description("Class to ECRam Query/Set Device"), guid("{4AFBD56B-9F91-8f49-81F5-995BA73822AF}")]
class MSI_Device {
[key, read] string InstanceName;
[read] boolean Active;
[WmiDataId(1), read, write, Description("Device")] uint8 Device;
};

[WMI, Dynamic, Provider("WmiProv"), Locale("MS\0x409"), Description("Class to ECRam Query/Set Power"), guid("{2D3CBA6C-1C9C-7f41-B54C-F5D5D580D482}")]
class MSI_Power {
[key, read] string InstanceName;
[read] boolean Active;
[WmiDataId(1), read, write, Description("Power")] uint8 Power;
};

[WMI, Dynamic, Provider("WmiProv"), Locale("MS\0x409"), Description("Class to ECRam Query/Set Master_Battery"), guid("{40BA026D-075D-cd4a-9710-F7C57347CAC9}")]
class MSI_Master_Battery {
[key, read] string InstanceName;
[read] boolean Active;
[WmiDataId(1), read, write, Description("Master_Battery")] sint16 Master_Battery;
};

[WMI, Dynamic, Provider("WmiProv"), Locale("MS\0x409"), Description("Class to ECRam Query/Set Slave_Battery"), guid("{8DBCCF6E-9DB4-0e46-A3F2-99AFAAA77A7A}")]
class MSI_Slave_Battery {
[key, read] string InstanceName;
[read] boolean Active;
[WmiDataId(1), read, write, Description("Slave_Battery")] sint16 Slave_Battery;
};

[WMI, Dynamic, Provider("WmiProv"), Locale("MS\0x409"), Description("Class to ECRam Query/Set CPU"), guid("{BD2A216F-2FB9-a640-B807-DDDBAD656891}")]
class MSI_CPU {
[key, read] string InstanceName;
[read] boolean Active;
[WmiDataId(1), read, write, Description("CPU")] uint8 CPU;
};

[WMI, Dynamic, Provider("WmiProv"), Locale("MS\0x409"), Description("Class to ECRam Query/Set VGA"), guid("{1EC3EC7A-1E9B-e74a-9026-CF122B0BBD21}")]
class MSI_VGA {
[key, read] string InstanceName;
[read] boolean Active;
[WmiDataId(1), read, write, Description("VGA")] uint8 VGA;
};

[WMI, Dynamic, Provider("WmiProv"), Locale("MS\0x409"), Description("Class to ECRam Query/Set System"), guid("{A1753D7B-B621-de4a-B41A-55716A0ECE7A}")]
class MSI_System {
[key, read] string InstanceName;
[read] boolean Active;
[WmiDataId(1), read, write, Description("System")] uint8 System;
};

[WMI, Dynamic, Provider("WmiProv"), Locale("MS\0x409"), Description("Class to ECRam Query/Set AP"), guid("{A1753D7C-B621-de4a-B41A-55716A0ECE7A}")]
class MSI_AP {
[key, read] string InstanceName;
[read] boolean Active;
[WmiDataId(1), read, write, Description("AP")] uint8 AP;
};

[WMI, Dynamic, Provider("WmiProv"), Local("MS\0x409"), Description("Event defined by MSI"), guid("{5B3CC38A-40D9-7245-8AE6-1145B751BE3F}")]
class MSI_Event : WMIEvent {
[key, read] string InstanceName;
[read] boolean Active;
[WmiDataId(1), read, write, Description("Event defined by MSI")] uint32 MSIEvt;
};

[WMI, Locale("MS\0x409"), Description("This class contains the definition of the package used in other classes"), guid("{ABBC0F60-8EA1-11d1-00A0-C90629100000}")]
class Package {
[WmiDataId(1), read, write, Description("16 bytes of data")] uint8 Bytes[16];
};

[WMI, Locale("MS\0x409"), Description("This class contains the definition of the package used in other classes"), guid("{ABBC0F61-8EA1-11d1-00A0-C90629100000}")]
class Package_1 {
[WmiDataId(1), read, write, Description("1 bytes of data")] uint8 Bytes[1];
};

[WMI, Locale("MS\0x409"), Description("This class contains the definition of the package used in other classes"), guid("{ABBC0F62-8EA1-11d1-00A0-C90629100000}")]
class Package_10 {
[WmiDataId(1), read, write, Description("10 bytes of data")] uint8 Bytes[10];
};

[WMI, Locale("MS\0x409"), Description("This class contains the definition of the package used in other classes"), guid("{ABBC0F63-8EA1-11d1-00A0-C90629100000}")]
class Package_32 {
[WmiDataId(1), read, write, Description("32 bytes of data")] uint8 Bytes[32];
};

[WMI, Dynamic, Provider("WmiProv"), Locale("MS\0x409"), Description("Class used to operate methods on a package"), guid("{ABBC0F6E-8EA1-11d1-00A0-C90629100000}")]
class MSI_ACPI {
[key, read] string InstanceName;
[read] boolean Active;

[WmiMethodId(1), Implemented, read, write, Description("Return the contents of a package")] void GetPackage([out, id(0)] Package Data);
[WmiMethodId(2), Implemented, read, write, Description("Set the contents of a package")] void SetPackage([in, id(0)] Package Data);
[WmiMethodId(3), Implemented, read, write, Description("Return the contents of a package")] void Get_EC([out, id(0)] Package_32 Data);
[WmiMethodId(4), Implemented, read, write, Description("Set the contents of a package")] void Set_EC([in, id(0)] Package_32 Data);
[WmiMethodId(5), Implemented, read, write, Description("Return the contents of a package")] void Get_BIOS([in, out, id(0)] Package_32 Data);
[WmiMethodId(6), Implemented, read, write, Description("Set the contents of a package")] void Set_BIOS([in, out, id(0)] Package_32 Data);
[WmiMethodId(7), Implemented, read, write, Description("Return the contents of a package")] void Get_SMBUS([in, out, id(0)] Package_32 Data);
[WmiMethodId(8), Implemented, read, write, Description("Set the contents of a package")] void Set_SMBUS([in, out, id(0)] Package_32 Data);
[WmiMethodId(9), Implemented, read, write, Description("Return the contents of a package")] void Get_MasterBattery([in, out, id(0)] Package_32 Data);
[WmiMethodId(10), Implemented, read, write, Description("Set the contents of a package")] void Set_MasterBattery([in, out, id(0)] Package_32 Data);
[WmiMethodId(11), Implemented, read, write, Description("Return the contents of a package")] void Get_SlaveBattery([in, out, id(0)] Package_32 Data);
[WmiMethodId(12), Implemented, read, write, Description("Set the contents of a package")] void Set_SlaveBattery([in, out, id(0)] Package_32 Data);
[WmiMethodId(13), Implemented, read, write, Description("Return the contents of a package")] void Get_Temperature([in, out, id(0)] Package_32 Data);
[WmiMethodId(14), Implemented, read, write, Description("Set the contents of a package")] void Set_Temperature([in, out, id(0)] Package_32 Data);
[WmiMethodId(15), Implemented, read, write, Description("Return the contents of a package")] void Get_Thermal([in, out, id(0)] Package_32 Data);
[WmiMethodId(16), Implemented, read, write, Description("Set the contents of a package")] void Set_Thermal([in, out, id(0)] Package_32 Data);
[WmiMethodId(17), Implemented, read, write, Description("Return the contents of a package")] void Get_Fan([in, out, id(0)] Package_32 Data);
[WmiMethodId(18), Implemented, read, write, Description("Set the contents of a package")] void Set_Fan([in, out, id(0)] Package_32 Data);
[WmiMethodId(19), Implemented, read, write, Description("Return the contents of a package")] void Get_Device([in, out, id(0)] Package_32 Data);
[WmiMethodId(20), Implemented, read, write, Description("Set the contents of a package")] void Set_Device([in, out, id(0)] Package_32 Data);
[WmiMethodId(21), Implemented, read, write, Description("Return the contents of a package")] void Get_Power([in, out, id(0)] Package_32 Data);
[WmiMethodId(22), Implemented, read, write, Description("Set the contents of a package")] void Set_Power([in, out, id(0)] Package_32 Data);
[WmiMethodId(23), Implemented, read, write, Description("Return the contents of a package")] void Get_Debug([in, out, id(0)] Package_32 Data);
[WmiMethodId(24), Implemented, read, write, Description("Set the contents of a package")] void Set_Debug([in, out, id(0)] Package_32 Data);
[WmiMethodId(25), Implemented, read, write, Description("Return the contents of a package")] void Get_AP([in, out, id(0)] Package_32 Data);
[WmiMethodId(26), Implemented, read, write, Description("Set the contents of a package")] void Set_AP([in, out, id(0)] Package_32 Data);
[WmiMethodId(27), Implemented, read, write, Description("Return the contents of a package")] void Get_Data([in, out, id(0)] Package_32 Data);
[WmiMethodId(28), Implemented, read, write, Description("Set the contents of a package")] void Set_Data([in, out, id(0)] Package_32 Data);
[WmiMethodId(29), Implemented, read, write, Description("Return the contents of a package")] void Get_WMI([out, id(0)] Package_32 Data);
};

[glpnk]

Some obtained data for "New EC/WMI2" (possible Intel) and "Old" (possible AMD). Data from MSI Center Pro (AKA Business)

Some settings presented as MWI1 with different from original address

Aside from EC addresses program is changing some UEFI vars:

• "MsiDCVarData", "{DD96BAAF-145E-4F56-B1CF-193256298E99}"

UPD: this GUID is included in UEFI BIOS image 2 times, but without code

$ efivar -n dd96baaf-145e-4f56-b1cf-193256298e99-MsiDCVarData -p
GUID: dd96baaf-145e-4f56-b1cf-193256298e99
Name: "MsiDCVarData"
Attributes:
	Non-Volatile
	Boot Service Access
	Runtime Service Access
Value:
00000000  00 01 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00                                       |....            |

Format: hex b bit

New:

• WinFn - E8b4 RW (in one place used this val, in other: [on change read Old/write to UEFI var; in case of reading err - reads Old])
• USBsup - BFb3 RO?
• USBstatus - BFb5 RW - USB Power Charge
• WLAN - 2Eb3 RW
• BlueTooth - 2Eb0 RW
• SCM_Install - D9b0 RW
• Microphone - 2Cb1 RW
• VolumeMute - 2Db1 RW
• Tile - E9b1 RW
• MonitorOff_ModernStandby - D9b2
• FnLock - D9b1 RO

Old:

• WinFn - BFb4 RW
• set QC - 2Cb[0,1]? RW (original func subtract 1 from value) (quick charge???) value 0-3

WMI1: (address with bit is toggle)

• WebCam - Dev-0b1
• WLAN - Dev-0b3
• BlueTooth - Dev-0b0
• SCM_Install - Soft-0b? (on enable set bit 0, or disable set whole byte to 0)
• Graphics_switch - Sys-4 RO (return [val & 0xFC | 0x01] to write)
• S5_Wakeup_time - Sys-2 value 2 (just return value to write)
• Microphone - Dev-2b2
• VolumeMute - Dev-3b2
• FnLock - Dev-2b3 RO

[glpnk]

Useful links

• https://aymanbagabas.com/wmidumpper/
• https://github.com/hirschmann/nbfc/wiki/Analyze-your-notebook%27s-DSDT
• https://github.com/zllovesuki/G14Manager
• https://github.com/johnfanv2/LenovoLegionLinux
• https://github.com/LongSoft/UEFITool
• https://wiki.ubuntu.com/Kernel/Reference/ACPITricksAndTips
• https://wiki.ubuntu.com/Kernel/Reference/WMI
• https://wiki.ubuntu.com/FirmwareTestSuite
• https://uefi.org/htmlspecs/ACPI_Spec_6_4_html/19_ASL_Reference/ACPI_Source_Language_Reference.html
• https://github.com/Lekensteyn/acpi-stuff/blob/master/notes.txt
• https://github.com/system76/firmware-update/blob/master/src/app/ec.rs
• https://github.com/microsoft/Windows-driver-samples/blob/main/wmi/wmiacpi/acpimof.mof
• https://docs.kernel.org/next/wmi/devices/wmi-bmof.html
• https://docs.kernel.org/next/wmi/acpi-interface.html
• https://github.com/torvalds/linux/blob/master/drivers/platform/x86/msi-wmi.c
• https://gist.github.com/lamperez/d5b385bc0c0c04928211e297a69f32d7
• https://github.com/ic005k/Xiasl
• https://github.com/managarm/lai
• http://www.rohitab.com/apimonitor
• https://gitlab.com/OpenRGBDevelopers/OpenRGB-Wiki/-/blob/stable/Developer-Documentation/Reverse-Engineering.md
• https://www.coreboot.org/Embedded_controller#ENE_KB3310/KB3910/KB3920
• https://docs.dasharo.com/variants/msi_z690/releases/
• https://cohost.org/8051enthusiast/post/617826-some-pointers-for-re
• IT8587 lm-sensors/lm-sensors#380
• https://github.com/hfiref0x/KDU
• https://www.eff.org/issues/coders/reverse-engineering-faq
• Small LKLM for single model mentioned on MSI forum
• https://www.kernel.org/doc/html/v5.2/firmware-guide/acpi/method-customizing.html | https://docs.kernel.org/firmware-guide/acpi/method-customizing.html
• https://github.com/mkottman/acpi_call | newer maintained version https://github.com/nix-community/acpi_call
• https://github.com/dmitry-s93/MControlCenter/blob/main/docs/tested_devices.md
• https://uefi.org/htmlspecs/ACPI_Spec_6_4_html/19_ASL_Reference/ACPI_Source_Language_Reference.html#field-declare-field-objects
• https://uefi.org/htmlspecs/ACPI_Spec_6_4_html/19_ASL_Reference/ACPI_Source_Language_Reference.html#operationregion-declare-operation-region
• https://github.com/pali/bmfdec
• https://gitlab.com/tuxedocomputers/development/packages/tuxedo-drivers

---

Legacy of older projects:

• ISW:

  • Probably, oldest documented EC map https://github.com/YoyPa/isw/blob/master/wiki/msi%20ec.pdf
  • Thread with good summary about project This repository has been abandoned. Contribute to active forks instead! YoyPa/isw#263
  • Another one good thread Support Katana GF66 12UG (EC ver 1583EMS1) YoyPa/isw#259

• Nice frontend https://github.com/LucaPatarca/MsiPowerCenter

• Windows WMI1 based app https://github.com/kykc/MsiFanControl

• Linux pseudo hwmon compatible https://github.com/Bezzumnbiu/msi-fan-control/tree/main

• https://gitlab.com/coolercontrol/coolercontrol

---

Already existing MSI related drivers:

• List: https://github.com/torvalds/linux/blob/master/Documentation/ABI/testing/sysfs-platform-msi-laptop
• https://github.com/torvalds/linux/blob/master/drivers/platform/x86/msi-wmi.c
• https://github.com/torvalds/linux/blob/master/drivers/platform/x86/msi-laptop.c

WMI tools:

• https://github.com/Alois-xx/WMIWatcher

MSI monitor tools:

• https://github.com/couriersud/msigd

---

Wikipedia article about coreboot mention some MSI related opensource solutions

Also seems MSI devices manufactured (only?) by Clevo OEM/ODM according to Wikipedia

Clevo also manufacture hardware for System76 so maybe their solutions may be applicable for us

[glpnk]

@teackot Here is pattern of used addresses from DSDT. Can you share your model name and DSDT dump saved in txt (because Github restricts uploading binary files in issues, or try pastebin)

sudo cat /sys/firmware/acpi/tables/DSDT > dsdt.txt

In my case there were two EC sequences. ImHex [Remove .txt at the end of filename]
// Old (both.hexpat.txt)
// Old (four.hexpat.txt)

five.hexpat.txt
m14-c5m-clean.txt

Some values are named but unused inside DSDT code, some intersects inside both tables

• "EC0" sequence contain named attributes
• "EC1" - only references to specific address(+bit)
• "EC2" - RTC related stuff??? (Also this method _Q9A figure in dmesg sometimes with RTC keywords)
• "ECS" - not connected to EC mechanism but use offset 0xFC000800 that is used in WinIO EC dump method
• "_Qxx" - EC Query methods

But anyway many addresses is not highlighted

[glpnk]

BIOS and EC naming:

• ExxxxIMS.yyy - Intel BIOS
• ExxxxAMS.yyy - AMD BIOS
• ExxxxIWS.yyy - Intel BIOS Workstation/CreatorPRO series
• xxxxEWSn.yyy - ENE EC on Workstation/CreatorPRO series
• xxxxEMSn.yyy [ENE Haru] 128kb - EC Firmware [AMD/Intel 10 gen max] [possible to download / inside BIOS file]
• xxxxEMSn.yyy [02 0F 61 90 EC 01 magic number] 160kb - EC Firmware [Intel] [only inside BIOS file]
• xxxxIMSn.yyy- [ITE EC-V14.6] at 0x50; model info at {0x7F80-0x7FCA}; Ryzen 7 gen? + RX/RTX GPU (Bravo Series) [only inside BIOS file]
• xxxxIMSn.yyy - [ITE EC-V14.6] at 0x50; model info at {0x7F80-0x7FCA}; Intel 12-13+? [only inside BIOS file]
• xxxxIWSn.yyy - possible ITE EC firmware for Workstation/CreatorPRO series
  Interesting facts:
• EC Firmware between next AMD models are identical:
  • Modern 14 C5M -> C7M
  • Modern 15 B5M -> B7M
• Seems BIOS for 12 and 13 gen intel models could be identical, but EC version code is different. Look like firmware are for similar ECs with minor differences
• On Intel/rarely AMD for each model could be several incompatible bios version with different EC firmware. One bios could be compatible with multiple models across one or two generations.
• EC firmware name located at 0x9010

FW name	EC branding	EC vendor	FW name at	Used on	Extras
EMSn	ENE Haru at 0x08	ENE	0x9010	AMD, Intel until 10 gen?	Shared on MSI support / Built in BIOS
EMSn	any? 02 0F 61 90 EC 01	ENE?	0x9010	Intel 11+ gen?	Built in BIOS
IMSn	ITE EC-V14.6 at 0x50	ITE	0x7F80-0x7FCA	Gaming AMD, Intel 12+?	Built in BIOS

On EMSn/IMSn - n means product "revision" or modification of board for other model. You can prove it by searching on MSI site by xxxx model code.

---

Look like all current generation EC FW are made on 8051-like architecture

[glpnk]

Model to software list

1. All model Classes/Series:
   • Business (x4)
   • Creator (x2)
   • Gaming (x10-13)
2. By CPU
   • Intel 10 and earlier
   • Intel 11+
   • AMD 4, 5, 7 gen
3. By GPU
   • iGPU
   • Nvidia MX/GTX/RTX/PRO
   • AMD RX
   • Intel Arc

Cases:

1. Business
   1. Modern:
      1. AMD + iGPU => [EMS1 + downloadable]
      2. Intel [10-] + iGPU => [EMS1 + downloadable]
      3. Intel [11+] + iGPU => [EMS1 + builtin]
      4. Intel [11] + Nvidia MX=> [TODO]
   2. Modern / Prestige
      1. Intel [10] + Nvidia MX/GTX => [EMS1 + downloadable] [TODO]
   3. Prestige / Summit
      1. Intel [11+] + iGPU => [TODO]
      2. Intel [11+] + Nvidia GTX/RTX => [TODO]
   4. Summit with touchscreen
2. Content
   1. Creator
      1. Intel [10] + Nvidia GTX/RTX => [EMS1/2/3 + downloadable] [TODO]
      2. Intel [11+] + Nvidia RTX => [TODO]
   2. CreatorPro
      1. Intel [11+] + Nvidia PRO => [later]
3. Gaming
   1. Alpha / Delta
      1. AMD + AMD RX => [EMS1? + downloadable] [TODO]
   2. Bravo
      1. AMD + AMD RX => [EMS1? + downloadable] [TODO]
      2. AMD + Nvidia RTX => [TODO]
   3. Titan GT / Stealth / Raider GE / Vector GP / [Crosshair / Pulse] / [Sword / Katana] / [Cyborg / Thin GF] Series
      1. Intel [10] + Nvidia GTX/RTX => [EMS1? + downloadable] [TODO]
      2. Intel [11+] + Nvidia GTX/RTX => [TODO]
      3. Intel [11+] + Intel Arc => [EMS1, typical for Intel 11+]

Some mode like Commercial or Limited Series are offshots of base models and not shown.

[glpnk]

There are at least 2 or 3 WMI API for different hardware:

Intel 12+ gen Business, Gaming, Creator? & AMD Ryzen 7 gen Gaming devices on ITE EC & Intel 11+gen on ENE EC
This is "WMI2" methods
Actually look like it was copied from Microsoft's WMI-ACPI guide

ABBC0F6A-8EA1-11D1-00A0-C90629100000 # Class to test Query/Set a package
        	notify_id: 41
        	reserved: 4b
        	instance_count: 01
        	flags: ACPI_WMI_EXPENSIVE(0x1)
ABBC0F6B-8EA1-11D1-00A0-C90629100000 # Class to test Query/Set a string
        	notify_id: 41
        	reserved: 4c
        	instance_count: 01
        	flags: ACPI_WMI_EXPENSIVE(0x1)
ABBC0F6D-8EA1-11D1-00A0-C90629100000 # Class used to operate methods on a package
        	notify_id: 41
        	reserved: 4a
        	instance_count: 01
        	flags: ACPI_WMI_METHOD(0x2)
ABBC0F6E-8EA1-11D1-00A0-C90629100000 # MSI_ACPI, also "Class used to operate methods on a string" from MS guide
        	notify_id: 41
        	reserved: 4d
        	instance_count: 01
        	flags: ACPI_WMI_METHOD(0x2)
5B3CC38A-40D9-7245-8AE6-1145B751BE3F # MSI_Event
        	notify_id: c0
        	reserved: 00
        	instance_count: 01
        	flags: ACPI_WMI_EXPENSIVE(0x1) | ACPI_WMI_EVENT(0x8)

AMD Ryzen 5 gen Gaming on ITE EC & Ryzen 4,5,7 gen Business on ENE EC & Intel 10 gen and older on ENE EC
This is "WMI1" methods

UPD: Presence of MSI_AP class is check mark for WMI1

24418D6A-0A79-524C-9AB1-18B78CA68CE7 # MSI_Software
        	notify_id: 41
        	reserved: 41
        	instance_count: 22
        	flags: ACPI_WMI_EXPENSIVE(0x1)
4AFBD56B-9F91-8F49-81F5-995BA73822AF # MSI_Device
        	notify_id: 41
        	reserved: 42
        	instance_count: 04
        	flags: ACPI_WMI_EXPENSIVE(0x1)
2D3CBA6C-1C9C-7F41-B54C-F5D5D580D482 # MSI_Power
        	notify_id: 41
        	reserved: 43
        	instance_count: 03
        	flags: ACPI_WMI_EXPENSIVE(0x1)
40BA026D-075D-CD4A-9710-F7C57347CAC9 # MSI_Master_Battery
        	notify_id: 41
        	reserved: 44
        	instance_count: 10
        	flags: ACPI_WMI_EXPENSIVE(0x1)
8DBCCF6E-9DB4-0E46-A3F2-99AFAAA77A7A # MSI_Slave_Battery
        	notify_id: 41
        	reserved: 45
        	instance_count: 0e
        	flags: ACPI_WMI_EXPENSIVE(0x1)
BD2A216F-2FB9-A640-B807-DDDBAD656891 # MSI_CPU
        	notify_id: 41
        	reserved: 46
        	instance_count: 13
        	flags: ACPI_WMI_EXPENSIVE(0x1)
1EC3EC7A-1E9B-E74A-9026-CF122B0BBD21 # MSI_VGA
        	notify_id: 41
        	reserved: 47
        	instance_count: 12
        	flags: ACPI_WMI_EXPENSIVE(0x1)
A1753D7B-B621-DE4A-B41A-55716A0ECE7A # MSI_System
        	notify_id: 41
        	reserved: 48
        	instance_count: 15
        	flags: ACPI_WMI_EXPENSIVE(0x1)
A1753D7C-B621-DE4A-B41A-55716A0ECE7A # MSI_AP
        	notify_id: 41
        	reserved: 49
        	instance_count: 08
        	flags: ACPI_WMI_EXPENSIVE(0x1)
5B3CC38A-40D9-7245-8AE6-1145B751BE3F # MSI_Event
        	notify_id: c0
        	reserved: 00
        	instance_count: 01
        	flags: ACPI_WMI_EXPENSIVE(0x1) | ACPI_WMI_EVENT(0x8)

[glpnk]

On Linux we have wmi and wmi-bmof drivers. This allow to check which GUID's are shared with

ls /sys/bus/wmi/devices/ > guid.txt

In my case for Modern C5M it's

05901221-D566-11D1-B2F0-00A0C9062910 # general purpose BMOF descriptor (in my case AMD_ACPI)
1E2A0DA0-2B9E-424F-9C87-B1DAC3F4E9DA # WLAN Event (useless for our case)
1EC3EC7A-1E9B-E74A-9026-CF122B0BBD21 # MSI_VGA
24418D6A-0A79-524C-9AB1-18B78CA68CE7 # MSI_Software
2D3CBA6C-1C9C-7F41-B54C-F5D5D580D482 # MSI_Power
40BA026D-075D-CD4A-9710-F7C57347CAC9 # MSI_Master_Battery
4AFBD56B-9F91-8F49-81F5-995BA73822AF # MSI_Device
5B3CC38A-40D9-7245-8AE6-1145B751BE3F # MSI_Event
8DBCCF6E-9DB4-0E46-A3F2-99AFAAA77A7A # MSI_Slave_Battery
A1753D7B-B621-DE4A-B41A-55716A0ECE7A # MSI_System
A1753D7C-B621-DE4A-B41A-55716A0ECE7A # MSI_AP
ABBC0F6A-8EA1-11D1-00A0-C90629100000 # general purpose Query/Set package
B2526ED4-CB45-49FA-9230-8D2FE8AFB8EC # WLAN Method (useless for our case)
BD2A216F-2FB9-A640-B807-DDDBAD656891 # MSI_CPU

MSI does not include BMOF for SCM0 interface in any ACPI tables, it's only shared with Windows drivers inside App, seems identical for all models, except older builds not include MSI_ACPI wrapper

[glpnk]

Method to address and value table wmi1-14.txt

[glpnk]

• WMI1 address map is identical for many different models from Intel 9 gen and AMD
• EC map for WMI1 models is +- identical

---

• WMI2 address map is the same for many different models. Gaming models could have 2 EC (or it is actually RGB controller, who knows?)
• EC map for WMI2 models is +- identical

---

Based on DSDT tables

[glpnk]

Today LTT showed new Handheld from MSI and look like it running on ENE EC

So maybe new community will be interested in porting windows software to linux

[glpnk]

I found awesome module which can read and call ACPI methods.

mkottman/acpi_call and newer maintained version nix-community/acpi_call

By using this module, ImHex pattern made from DSDT field-structure map we can read required fields.

• Tachometer (0xc9 or \_SB_.PCI0.SBRG.EC__.SCM0.TDC9) registry looks strange because when cooler is off it reports possibly random values
• Possible to change keyboard backlight level via WMI purpose methods
• ACPI set OSVR=0x10 which equals to Windows 2013; other OS version related registers are set to Windows 2015

Drawbacks:

• not returns i16/u16 value
• can't write to registers, only call methods so we possibly need to insert own methods as workaround

[glpnk]

Memory "fields" addressing in ACPI, as it turned out, is not linear as you can assume after looking at mapped address space, which look like this:

Field (EC, ByteAcc, NoLock, Preserve){
...
a, 8,
b, 1,
c, 3,
, 4,
d, 16,
...
}

I've assumed that they are mapped linearly. Possibly, this mode is present, when AnyAcc selected instead of ByteAcc. But in the current case, sub-fields are aligned per byte. And values of b and c should be described like this.

b = EC[n] & 1;
c = (EC[n] & 0b00001110) >> 1;

Correct me if I'm wrong, please.

[glpnk]

Bogus screen brightness events are caused by EC, probably in firmware or even board traces

[brokencog]

Are you still collecting USB PCAP dumps for new hardware? If so, where do we submit them?

I have a GE76 which I'm trying to get the keyboard perkey RGB to turn on -- just turning on would be nice, changing colors isn't necessary.

[glpnk]

Hi, we're doing only EC related stuff. So you probably need to ask the OpenRGB community. Some laptops may have keyboard backlight control from the EC and USB, but they are rare. Please follow their guide https://gitlab.com/OpenRGBDevelopers/OpenRGB-Wiki/-/blob/stable/OpenRGB-doesn't-have-my-device.md

If you want to check, is it possible to control keyboard BL brightness from the EC, please follow firmware request template. Please make few dumps with different brightness and share them. I hope that your laptop have some keyboard BL brightness buttons

[glpnk]

Probably, it is possible to log WMI commands https://learn.microsoft.com/en-us/windows/win32/wmisdk/tracing-wmi-activity

[glpnk]

It works, so if you have laptop with WMI2 or Claw (probably), please reply

[glpnk]

PD charger after connection generates next scancodes as generic keyboard:

Event: time 1718710200.890219, type 4 (EV_MSC), code 4 (MSC_SCAN), value f0
Event: time 1718710200.890219, -------------- SYN_REPORT ------------
Event: time 1718710200.892441, type 4 (EV_MSC), code 4 (MSC_SCAN), value f0
Event: time 1718710200.892441, -------------- SYN_REPORT ------------
Event: time 1718710201.078496, type 4 (EV_MSC), code 4 (MSC_SCAN), value f0
Event: time 1718710201.078496, -------------- SYN_REPORT ------------
Event: time 1718710201.082206, type 4 (EV_MSC), code 4 (MSC_SCAN), value f0
Event: time 1718710201.082206, -------------- SYN_REPORT ------------

[ 6553.313641] atkbd serio0: Unknown key pressed (translated set 2, code 0xf0 on isa0060/serio0).
[ 6553.313686] atkbd serio0: Use 'setkeycodes e070 <keycode>' to make it known.
[ 6553.317655] atkbd serio0: Unknown key released (translated set 2, code 0xf0 on isa0060/serio0).
[ 6553.317717] atkbd serio0: Use 'setkeycodes e070 <keycode>' to make it known.
[ 6553.413614] atkbd serio0: Unknown key pressed (translated set 2, code 0xf0 on isa0060/serio0).
[ 6553.413655] atkbd serio0: Use 'setkeycodes e070 <keycode>' to make it known.
[ 6553.414285] msi_wmi: Got buffer, len: 2
[ 6553.414299] msi_wmi: Array: [
[ 6553.414306] 0x13,
[ 6553.414316] 0x0,
[ 6553.414324] ]
[ 6553.417119] atkbd serio0: Unknown key released (translated set 2, code 0xf0 on isa0060/serio0).
[ 6553.417154] atkbd serio0: Use 'setkeycodes e070 <keycode>' to make it known.
[ 6553.497762] msi_wmi: Got buffer, len: 2
[ 6553.497790] msi_wmi: Array: [
[ 6553.497797] 0x13,
[ 6553.497808] 0x0,
[ 6553.497816] ]

[glpnk]

Now we have 4 MSI related modules in kernel:

• msi-wmi from ~2010. Handle events + some keys via WMI interface (why MSI used WMI events instead of scancodes, like for newer devices; is it caused by windows limitations)
• msi-wmi-platform by @Wer-Wolf - supports get fan RPM for lm-sensors
• msi-ec with model matching and limited to battery
• msi-laptop - for few old devices, from ~2006

What we really can do, to not create duplicated projects?

[glpnk]

I checked DSDT from my ASUS (TUF x505) laptop, and it's way more complicated. It annotates 2 WMI devices WMI0 and ATKD, 1 WMI0 event with 32 bit variable, which notified in 1 method. And 1 ATKD event, which is not included in MOF file.
SSDTs not mention WMI0/ATKD.

Should I check what event returns on ASUS, or it is useless?

Spoiler: DSDT code

WMI0 ```asl Method (_WED, 1, NotSerialized) // _Wxx: Wake Event, xx=0x00-0xFF { Return (Arg0) } ``` And only 1 place where it notified in DSDT ```asl Method (NTFY, 1, Serialized) { XVCD = Arg0 Notify (WMI0, 0x80) // Status Change } ``` --- ATKD ```asl Method (_WED, 1, NotSerialized) // _Wxx: Wake Event, xx=0x00-0xFF { If ((Arg0 == 0xFF)) { Return (GANQ ()) }

            Return (One)
        }

///
Method (GANQ, 0, Serialized)
{
P8XH (Zero, 0xF2)
If (AQNO)
{
AQNO--
Local0 = DerefOf (ATKQ [AQHI])
AQHI++
AQHI &= 0x0F
Return (Local0)
}

            Return (One)
        }

///
Name (ATKQ, Package (0x10)
{
0xFFFFFFFF,
0xFFFFFFFF,
0xFFFFFFFF,
0xFFFFFFFF,
0xFFFFFFFF,
0xFFFFFFFF,
0xFFFFFFFF,
0xFFFFFFFF,
0xFFFFFFFF,
0xFFFFFFFF,
0xFFFFFFFF,
0xFFFFFFFF,
0xFFFFFFFF,
0xFFFFFFFF,
0xFFFFFFFF,
0xFFFFFFFF
})

</details>

[Wer-Wolf]

Tje ASUS event should have nothing to do with the MSI WMI interface, do they share GUIDs?

[glpnk]

no, only thing they share is event format, which is (u/s)int32, but i don't know how it packed

plus, ASUS have awesome community which support the majority of modern laptops

[Wer-Wolf]

GANQ returns ACPI integers, and they will be convertet to uint32 by the WMI stack.

[glpnk]

Ok, thanks for explanation