efiXplorer: IDA plugin for UEFI firmware analysis and RE

[Update: adding Tweet with announcement:


This new plugin looks powerful!

Alex Matrosov (@matrosov)
Andrey Labunets (@isciurus)
Philip Lebedev (@p41l)
Yegor Vasilenko (@yeggor)



AMD UEFI Inside: What is really behind AGESA, the PSP and Combo PI?

AMD UEFI Inside: What is really behind AGESA, the PSP (Platform Security Processor) and especially Combo PI?
Igor Wallossek

Since there are always questions and some things are often confused, we will give you some insights into AMD-UEFI, what is colloquially called “the BIOS” (although it is no longer correct). I have also broken down the following extremely to remain as simple and understandable as possible. Nevertheless, what happens when the PC starts up is the classic hen-and-egg problem that you simply have to talk about. Software starts hardware, whereas hardware without software does not actually work and software without hardware does nothing. Now what?[…]

In BOTH English and German:



thinkpad-shahash: validates firmware integrity of some Lenovo ThinkPads

Re: https://firmwaresecurity.com/2020/06/23/thinkpad-uefi-sign-tools-to-check-and-cryptographically-sign-uefi-firmware-images-found-in-thinkpads/

see this Comment on that post:


This is the original codebase:

This is a small utility which checks and recomputes sha1 hashes used to validate Lenovo ThinkPad X220/T420 (and probably other Sandy Bridge ThinkPads) firmware integrity. You can hear 5 beeps twice if the firmware fails validation and you have TPM (security chip) turned on, which is pretty common for modified firmwares.[…]


But the one in the previous blog post has had a recent checkin, whereas this one has had no changes in a long time, so the new branch still may be of interest. Change is in this file:



Reverse Engineering PCBs using CV and ML

Not to be confused with the Capstone Engine, this is an ECE Capstone Project currently underway at Oregon State University:

Our goal is to develop a software tool that when supplied with images of a printed circuit board will reverse engineer the netlist for the board. The software will be implemented as a web based service allowing for users to publish the netlist that they generate. This web page will be available to the engineering community for prolonging the life of old equipment as well as documenting systems for repair to reduce waste. Integrating Computer Vision & Deep Learning to the software, this project is aimed to provide precision and reliability without compromises.[…]




ESET Research identified multiple malicious EFI bootloaders

So far, the only info is these tweets:

Microsoft ports Defender to Linux and Android

Microsoft Defender has been a Windows-centric AV tool. Recently, Microsoft ported it to Android and Linux, and also started adding UEFI scanning to Defender. So maybe now Android and Linux users can use Defender to scan for UEFI vulns?

CHIPSEC has been the main option for UEFI scanning. It only supports Intel systems. It runs as an OS-level app (“OS-present”) on Mac, Windows, and Linux, and it also runs under UEFI. The OS-level scanners from Apple and Microsoft now both cover UEFI. Will either scan non-Intel systems: ARM64 and AMD64?



AMD update on CVE-2020-12890: SMM Callout Privilege Escalation

AMD issued an update last week saying that it will provide an actual update in a few weeks, and sarcastically advises vendors to stay “up-to-date”…


AMD is aware of new research related to a potential vulnerability in AMD software technology supplied to motherboard manufacturers for use in their Unified Extensible Firmware Interface (UEFI) infrastructure and plans to complete delivery of updated versions designed to mitigate the issue by the end of June 2020. […] AMD has delivered the majority of the updated versions of AGESA to our motherboard partners and plans to deliver the remaining versions by the end of June 2020. AMD recommends following the security best practice of keeping devices up-to-date with the latest patches. […]

We thank Danny Odler for his ongoing security research.

Full announcement paragraph:

No news here:

AGESA status page:
just kidding, there is no such page, only AMD clients get AGESA status updates under NDA.

I wonder if the Apple macOS or Microsoft Defender UEFI scanners will be updated to catch this on AMD systems. CHIPSEC can’t, it does not work on AMD systems.

thinkpad-uefi-sign: Tools to check and cryptographically sign UEFI firmware images found in ThinkPads

[The main branch is 9 months old, but there’s another branch that has just been updated…]

Tools to check and cryptographically sign UEFI firmware images found in ThinkPads. This will resolve the issue where your ThinkPad lets out two groups of five beeps before continuing to boot (the error indicating an invalid signature). These tools are written in Python 3 and rely on the “pycryptodome” library.[…]


MALOnt: An Ontology for Malware Threat Intelligence

By: Nidhi Rastogi, Sharmishtha Dutta, Mohammed J. Zaki, Alex Gittens, Charu Aggarwal

Malware threat intelligence uncovers deep information about malware, threat actors, and their tactics, Indicators of Compromise (IoC), and vulnerabilities in different platforms from scattered threat sources. This collective information can guide decision making in cyber defense applications utilized by security operation centers (SoCs). In this paper, we introduce an open-source malware ontology – MALOnt that allows the structured extraction of information and knowledge graph generation, especially for threat intelligence. The knowledge graph that uses MALOnt is instantiated from a corpus comprising hundreds of annotated malware threat reports. The knowledge graph enables the analysis, detection, classification, and attribution of cyber threats caused by malware. We also demonstrate the annotation process using MALOnt on exemplar threat intelligence reports. A work in progress, this research is part of a larger effort towards auto-generation of knowledge graphs (KGs) for gathering malware threat intelligence from heterogeneous online resources.


Forescout: DOE/IRL: Firmware Command and Control project: ML-powered vuln scanner

Firmware Command and Control will create an agile embedded response capability foundational with baselined firmware and behaviors with bi-directional sharing of threat to upstream energy security operations

Value Proposition
* Embedded devices control the most critical functions on the electric grid with little to no insight into the firmware or ability to mitigate from cyber attacks.
* The adversaries have ‘raced to the bottom’ hiding access in embedded devices
* Firmware will be baselined to detect changes with advanced ML similarity with constraints
* Embedded host agile response
* Structured threat sharing between the device and upstream security
* Firmware C2 will monitor and mitigate previously unmonitored devices controlling the most critical functions in the electric grid.

Project Objectives:
* Baselined embedded firmware with all constraints for setting changes
* Low-impact cyber operations protected/hidden from adversaries
* Structured Threat: Visual, Sharable, Actionable, and Implementable (IT/OT)
* Firmware C2 uses recent ML concepts to baseline firmware to detect unexplained changes, described in structured threat for bi-direction upstream energy security operations actions and awareness.


Forescout selected by U.S. Department of Energy to Participate in Firmware Project Under Grid Modernization Lab Consortium

FWTS: improved ACPI dumping

FirmWare Test Suite’s ACPI tests are improving. It sounds like the ACPI dumps are now ACPICA-compatible, and FWTS dumps more tables than acpidump!

[PATCH 1/2] doc: add new --dump-acpi-from-sysfs option

[PATCH 0/2] make the ACPI logs from fwts usable for ACPICA debugging

“--dumpfile=acpidump.log: load ACPI tables from output generated from acpidump or from sudo fwts --dump. The latter is preferred as fwts --dump is able to dump more tables than acpidump. […]

SymCC: efficient compiler-based symbolic execution

SymCC is a compiler wrapper which embeds symbolic execution into the program during compilation, and an associated run-time support library. In essence, the compiler inserts code that computes symbolic expressions for each value in the program. The actual computation happens through calls to the support library at run time. To build the pass and the support library, make sure that LLVM 8, 9 or 10 and Z3 version 4.5 or later, as well as a C++ compiler with support for C++17 are installed. […]


IntelMCDowngrade: Scripts to downgrade Intel Microcodes


IntelMCDowngrade: Scripts to collect microcode from CPUMicrocodes Repo and to downgrade to a compatible microcode.[…]

See-also: https://github.com/platomav/CPUMicrocodes
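Before applying any microcode file pulled from a repository like CPUMicrocodes, it is worth parsing its header and verifying its checksum, so you know exactly which revision and date you are about to install and whether it is older than what the CPU already runs. The following is an added example (not code from IntelMCDowngrade or CPUMicrocodes) that parses the 48-byte Intel microcode update header as documented in the Intel SDM, checks the dword checksum, and flags a downgrade; the sample blobs are constructed here with zero-filled data and made-up revision numbers, so they are not real updates.

```python
import struct
from dataclasses import dataclass

# Intel microcode update header (Intel SDM Vol. 3A, "Microcode Update Facilities"):
# 48 bytes, little-endian, followed by the update data.
HEADER = struct.Struct("<IIIIIIIII12s")
HEADER_SIZE = HEADER.size  # 48


@dataclass
class MicrocodeHeader:
    header_version: int
    update_revision: int      # signed: bit 31 set marks a pre-production update
    date: str                 # YYYY-MM-DD, decoded from the BCD mmddyyyy field
    processor_signature: int  # CPUID(1).EAX family/model/stepping the update targets
    checksum: int
    loader_revision: int
    platform_id: int          # bitmask of platform flags the update applies to
    data_size: int
    total_size: int


def parse_header(blob: bytes) -> MicrocodeHeader:
    if len(blob) < HEADER_SIZE:
        raise ValueError("blob shorter than a microcode header")
    hv, rev, date, sig, cs, lr, pf, ds, ts, _ = HEADER.unpack_from(blob)
    if hv != 1:
        raise ValueError(f"unsupported header version {hv}")
    # A zero DataSize means the legacy fixed layout: 2000 data bytes, 2048 total.
    data_size = ds or 2000
    total_size = ts or 2048
    # Date is BCD 0xMMDDYYYY: printing the nibbles as hex digits yields the decimal date.
    date_str = f"{date & 0xFFFF:04x}-{(date >> 24) & 0xFF:02x}-{(date >> 16) & 0xFF:02x}"
    signed_rev = rev - (1 << 32) if rev & 0x80000000 else rev
    return MicrocodeHeader(hv, signed_rev, date_str, sig, cs, lr, pf, data_size, total_size)


def checksum_ok(blob: bytes) -> bool:
    """The 32-bit sum of every dword over TotalSize must be zero."""
    hdr = parse_header(blob)
    if len(blob) < hdr.total_size or hdr.total_size % 4:
        return False
    words = struct.unpack_from(f"<{hdr.total_size // 4}I", blob)
    return sum(words) & 0xFFFFFFFF == 0


def is_downgrade(installed: MicrocodeHeader, candidate: MicrocodeHeader) -> bool:
    """True when applying candidate would move this CPU model to an older revision."""
    if installed.processor_signature != candidate.processor_signature:
        raise ValueError("updates are for different processor signatures")
    return candidate.update_revision < installed.update_revision


def build_sample(revision: int, date_bcd: int, signature: int = 0x000906EA,
                 platform_id: int = 0x02) -> bytes:
    """Constructed blob with a valid checksum and zero-filled data (not a real update)."""
    data = bytes(2000)
    hdr_no_cs = HEADER.pack(1, revision, date_bcd, signature, 0, 1, platform_id,
                            2000, 2048, bytes(12))
    partial = sum(struct.unpack(f"<{(HEADER_SIZE + 2000) // 4}I", hdr_no_cs + data))
    checksum = (-partial) & 0xFFFFFFFF  # makes the dword sum wrap to zero
    hdr = HEADER.pack(1, revision, date_bcd, signature, checksum, 1, platform_id,
                      2000, 2048, bytes(12))
    return hdr + data


# Constructed samples: a newer and an older revision for the same (assumed) signature.
NEWER = build_sample(0xD6, 0x04272020)
OLDER = build_sample(0xCA, 0x10032019)


if __name__ == "__main__":
    for blob in (NEWER, OLDER):
        h = parse_header(blob)
        print(f"rev 0x{h.update_revision:x} date {h.date} "
              f"sig 0x{h.processor_signature:08x} checksum_ok={checksum_ok(blob)}")
    print("candidate is a downgrade:", is_downgrade(parse_header(NEWER), parse_header(OLDER)))
```

Real update files from the repository can be fed to `parse_header` and `checksum_ok` directly; a file that fails the checksum is corrupt or truncated and should not be loaded regardless of its revision. Note that a downgrade is what this tool exists to do, and an older revision may lack mitigations the newer one carries, so the revision and date printed here are the facts to weigh before going ahead.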

exynos-usbdl: unsigned code loader for Exynos BootROM

Samsung AArch64-centric:

In previous posts, we explained how to dump Exynos bootROM and reverse its USB stack.[…]


NetBSD UEFI bootloader: config file and module loading support added

NetBSD’s UEFI bootloader is getting some new features; module support should get interesting.



Alex Ionescu online accounts?

Hmm, it seems that Alex Ionescu, author of VisualUEFI, has partially disappeared online.

I was going to point someone to an old post of his on Windows binaries included in WPBT ACPI, for an answer to the below question:



but it appears his Twitter account is no longer active and all the old tweets are gone:


His web site appears to be in a blank (default, unconfigured) state:


The Github web page for Alex has a link to his Twitter URL, which appears to redirect to another user:


https://github.com/aionescu (maybe this is innocent Github redirection foo?).

Just being a bit paranoid, but maybe you should be careful about using some of the binaries checked into VisualUEFI:


Keep an eye out for any strange checkins:


I’ve probably missed something and he’s moved onto another account or something. But be careful with anything in binary (or source form) online, in general, anyway.

If someone can clarify things, please leave a Comment on this post. Thanks.

Wireshark can sniff TPM2 protocol

[ This is 2 year old news, but I’m just learning about it… 😦 ]

Wireshark is a tool for capturing network packets and dissecting the protocols in them, to help debug them. Since version 3.0.0 or so, Wireshark can dissect TPM 2.0 traffic: not from the hardware TPM chip, but from a TPM2 simulator that is driven over a network socket, so Wireshark can capture the exchange, and there is a Wireshark dissector (parser) for the TPM2 command/response protocol.



Sample PCAP:

Created by the TPM2 community:

There is a brief mention of this Wireshark TPM2 dissector in this FOSDEM presentation:

PS: Mostly only related by the “Shark” suffix string, but if you are debugging Linux, KernelShark is a nice tool. I haven’t tried it with a TPM, but you might be able to see Linux kernel TPM trace log traffic through KernelShark…