HydraBus+HydraNFC Shield+HydraFW: an open source diagnostic multi-tool for NFC communications

[…]The HydraBus+HydraNFC Shield v2 (hardware [1]) with HydraFW [2] (firmware) are used as an open source multi-tool for anyone interested in learning/developing/debugging/hacking/penetration testing for basic or advanced NFC communications.[…]

[1] https://hydrabus.com/hydranfc-shield-v2-specifications/
[2] https://github.com/hydrabus/hydrafw_hydranfc_shield_v2

HydraBus+HydraNFC Shield V2 boards


List of recently-updated “UEFI hobby operating systems”

Re: https://firmwaresecurity.com/2015/08/28/new-efi-based-operating-systems/

Below is a list of currently active “UEFI hobby operating system”-style projects on GitHub, defining “active” as updated in the last 2 months. Projects which haven’t been updated recently are not listed, but there are a few dozen other projects between the above link and the list below. Most are barely more than a hello-world bootloader; others are nearly complete operating systems, some in C, a few in Rust, and I think one was in C#. The list is not sorted in any order:

https://github.com/vvaltchev/tilck
https://github.com/Michael-Kelley/RoseOS
https://github.com/GreenteaOS/Tofita
https://github.com/ondralukes/OndrOS
https://github.com/MCJack123/craftos-efi
https://github.com/Totsugekitai/minOSv2
https://github.com/portasynthinca3/neutron
https://github.com/wordandahalf/Stelox
https://github.com/kazuminn/minos
https://github.com/hikalium/liumos
https://github.com/sonjt0705/afwj-uefi
https://github.com/justinian/jsix
https://github.com/VerdureOS/Verdure
https://github.com/bSchnepp/Feral
https://github.com/DylanGTech/PiousOS
https://github.com/Lan-t/MyOsLoader
https://github.com/Ocean-git-hub/EgoisticOS
https://github.com/approvers/minimos

DICE: Automatic Emulation of DMA Input Channels for Dynamic Firmware Analysis

By Alejandro Mera, Bo Feng, Long Lu, Engin Kirda, William Robertson

[…]We present DICE, a drop-in solution for firmware analyzers to emulate DMA input channels and generate or manipulate DMA inputs. DICE is designed to be hardware-independent, and compatible with common MCU firmware and embedded architectures. DICE identifies DMA input channels as the firmware writes the source and destination DMA transfer pointers into the DMA controller. Then DICE manipulates the input transferred through DMA on behalf of the firmware analyzer. […]All our source code and dataset are publicly available.

https://arxiv.org/abs/2007.01502

PS: If someone can find the source code, leave the URL in a Comment, please.
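The mechanism the abstract describes (watch the firmware program source and destination pointers into the DMA controller, treat that pointer pair as a DMA input channel, then supply the transferred bytes on the analyzer’s behalf) as a toy emulator hook. This is an added example written for this post, not the DICE authors’ code; the address windows, the per-channel register stride, the USART_DR and RX_BUF addresses and the firmware sequence are all assumptions constructed for the demo:

```python
"""Added example (not the DICE authors' code): recognise a DMA input channel
from the pointer writes the firmware makes to its DMA controller, then push
analyzer-chosen bytes through it instead of waiting for real hardware.
All addresses and the firmware sequence below are constructed for the demo."""
from dataclasses import dataclass

RAM = (0x2000_0000, 0x2001_0000)            # assumed SRAM window
PERIPH = (0x4000_0000, 0x5000_0000)         # assumed peripheral MMIO window
DMA_WINDOW = (0x4002_0000, 0x4002_0400)     # assumed DMA controller registers
CHANNEL_STRIDE = 0x20                       # assumed per-channel register block
USART_DR = 0x4001_3804                      # assumed UART data register
RX_BUF = 0x2000_0100                        # assumed firmware RX buffer
FRAME_LEN = 16                              # frame size the firmware expects


def in_range(addr, rng):
    return rng[0] <= addr < rng[1]


@dataclass
class DmaChannel:
    block: int        # base of the channel's register block
    periph_ptr: int   # source: a peripheral data register
    mem_ptr: int      # destination: the RAM buffer the firmware will read


class DmaInputDetector:
    """A value pointing into peripheral space and a value pointing into RAM,
    both written to the same DMA channel block, are taken as the
    source/destination pair of a DMA input channel. No register offsets
    are assumed, which is what makes the heuristic hardware-independent."""

    def __init__(self):
        self.pending = {}    # block -> partial pointer pair
        self.channels = {}   # block -> DmaChannel

    def on_mmio_write(self, addr, value):
        if not in_range(addr, DMA_WINDOW):
            return None
        block = addr - (addr - DMA_WINDOW[0]) % CHANNEL_STRIDE
        st = self.pending.setdefault(block, {})
        if in_range(value, PERIPH) and not in_range(value, DMA_WINDOW):
            st["periph"] = value
        elif in_range(value, RAM):
            st["mem"] = value
        # control and count writes are not pointers and are ignored here
        if "periph" in st and "mem" in st:
            self.channels[block] = DmaChannel(block, st["periph"], st["mem"])
            return self.channels[block]
        return None


class Memory:
    """Minimal emulator memory: RAM is a bytearray, everything else is MMIO
    and is forwarded to the detector."""

    def __init__(self):
        self.ram = bytearray(RAM[1] - RAM[0])
        self.detector = DmaInputDetector()

    def write32(self, addr, value):
        if in_range(addr, RAM):
            off = addr - RAM[0]
            self.ram[off:off + 4] = value.to_bytes(4, "little")
            return None
        return self.detector.on_mmio_write(addr, value)

    def read(self, addr, n):
        off = addr - RAM[0]
        return bytes(self.ram[off:off + n])


def inject_dma_input(mem, channel, payload):
    """Stand-in for the DMA engine: deliver analyzer-chosen bytes to the
    destination buffer the firmware configured."""
    off = channel.mem_ptr - RAM[0]
    mem.ram[off:off + len(payload)] = payload


def firmware_setup_rx_dma(mem):
    """Constructed firmware: program channel 1 to move USART bytes into RX_BUF.
    Register offsets inside the block are arbitrary for this example."""
    base = DMA_WINDOW[0] + 1 * CHANNEL_STRIDE
    mem.write32(base + 0x00, 0x0001)            # control: enable
    mem.write32(base + 0x04, FRAME_LEN)         # transfer count
    mem.write32(base + 0x08, USART_DR)          # peripheral (source) pointer
    return mem.write32(base + 0x0C, RX_BUF)     # memory (destination) pointer


def firmware_parse_frame(mem):
    """Constructed consumer: frame = [length][payload...]. Returns the payload,
    or None when the length byte would overrun the frame."""
    frame = mem.read(RX_BUF, FRAME_LEN)
    n = frame[0]
    if n > FRAME_LEN - 1:
        return None
    return frame[1:1 + n]


def run(payload):
    """Set up the channel, push payload through it, return (channel, parsed)."""
    mem = Memory()
    channel = firmware_setup_rx_dma(mem)
    inject_dma_input(mem, channel, payload[:FRAME_LEN])
    return channel, firmware_parse_frame(mem)


if __name__ == "__main__":
    ch, parsed = run(b"\x03abc")
    print(f"DMA input: 0x{ch.periph_ptr:08x} -> 0x{ch.mem_ptr:08x}, parsed {parsed!r}")
    print("oversized length byte rejected:", run(b"\xff" + b"A" * 15)[1] is None)
```

The point of the pairing rule is that the hook never needs to know which register is the peripheral-address register and which is the memory-address register; any value that looks like a peripheral pointer plus any value that looks like a RAM pointer, landing in the same channel block, is enough to name the buffer the fuzzer should be writing into.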

efiSeek: UEFI Ghidra plugin: analyzes EFI files for protocols, interrupts, etc.

Features:
* Finds known EFI GUIDs
* Identifies protocols located with the LOCATE_PROTOCOL function
* Identifies functions used as the NOTIFY function
* Identifies protocols installed in the module through INSTALL_PROTOCOL_INTERFACE
* Identifies functions used as interrupt handlers (hardware, software or child interrupts)
* Script for loading EFI modules into the relevant directories upon import in headless mode
* Sorts SMM modules, relying on meta-information, into the following folders[…]

https://github.com/DSecurity/efiSeek
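How the first feature in that list, finding known EFI GUIDs, works at the byte level, as an added example written for this post rather than efiSeek’s own code. The three GUID values are the ones published in the UEFI/PI specifications (as in edk2 MdePkg); SAMPLE_BLOB and the is_smm_module heuristic are constructed for the example and are not efiSeek’s rules:

```python
"""Added example (not efiSeek's code): locate well-known EFI GUIDs in a module.

EFI_GUID is stored as {UINT32 Data1; UINT16 Data2; UINT16 Data3; UINT8 Data4[8]}
with the first three fields little-endian, so a GUID's on-disk bytes are not
its textual form byte-for-byte. A plugin that "finds known GUIDs" encodes each
textual GUID into this layout and then searches the module for it."""
import uuid

# GUID values from the UEFI / PI specifications; names as used in edk2.
KNOWN_GUIDS = {
    "5B1B31A1-9562-11D2-8E3F-00A0C969723B": "EFI_LOADED_IMAGE_PROTOCOL_GUID",
    "8BE4DF61-93CA-11D2-AA0D-00E098032B8C": "EFI_GLOBAL_VARIABLE",
    "F4CCBFB7-F6E0-47FD-9DD4-10A8F150C191": "EFI_SMM_BASE2_PROTOCOL_GUID",
}


def guid_to_bytes(text):
    """Textual GUID -> the 16 bytes as laid out in an EFI image (EFI_GUID)."""
    return uuid.UUID(text).bytes_le


def bytes_to_guid(raw):
    """16 EFI_GUID bytes -> upper-case textual GUID."""
    return str(uuid.UUID(bytes_le=bytes(raw))).upper()


def find_known_guids(blob, known=KNOWN_GUIDS):
    """Return sorted [(offset, name, guid_text)] for every known GUID in blob.
    The scan is byte-granular so GUIDs embedded unaligned are found too."""
    hits = []
    for text, name in known.items():
        needle = guid_to_bytes(text)
        start = blob.find(needle)
        while start != -1:
            hits.append((start, name, text))
            start = blob.find(needle, start + 1)
    return sorted(hits)


def is_smm_module(hits):
    """Heuristic assumed for this example (not efiSeek's rule): a module that
    references EFI_SMM_BASE2_PROTOCOL is treated as SMM code."""
    return any(name == "EFI_SMM_BASE2_PROTOCOL_GUID" for _, name, _ in hits)


# Constructed blob: padding, one GUID, odd-sized padding, another GUID, padding.
SAMPLE_BLOB = (
    b"\x90" * 8
    + guid_to_bytes("5B1B31A1-9562-11D2-8E3F-00A0C969723B")
    + b"\x00" * 5
    + guid_to_bytes("F4CCBFB7-F6E0-47FD-9DD4-10A8F150C191")
    + b"\xcc" * 4
)

if __name__ == "__main__":
    hits = find_known_guids(SAMPLE_BLOB)
    for off, name, text in hits:
        print(f"0x{off:04x}  {text}  {name}")
    print("SMM module:", is_smm_module(hits))
```

On a real module you would feed it the bytes of the PE/TE file (or just its .data/.rdata sections) instead of SAMPLE_BLOB; the endianness step is the part people get wrong when grepping for GUIDs by hand, since the textual form only matches the on-disk bytes for Data4.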


Mohsen Ahmadi: The Evolution of Firmware Fuzzing (November 2019)

Binary analysis is imperative for protecting COTS (common off-the-shelf) programs and for analyzing and defending against the myriad of malicious code, where source code is unavailable and the binary may even be obfuscated. Binary analysis also provides the ground truth about program behavior, since computers execute binaries (executables), not source code. However, binary analysis is challenging due to the lack of higher-level semantics. Many higher-level techniques are often inadequate for analyzing even benign binaries, let alone potentially malicious binaries. Thus, we need to develop tools and techniques which work at the binary level and can be used for analyzing COTS software as well as malicious binaries. One of the most challenging problems in binary analysis is firmware analysis: because of the inter-dependencies between modules and pipelines inside the device, in most cases it is almost impossible to take the binary out of its environment and fuzz it individually. So dynamic testing or fuzzing of embedded firmware is severely limited by hardware dependence and poor scalability, partly contributing to the widespread presence of vulnerable IoT devices. Over the years, researchers have found ways around this shortcoming by either emulating the I/O communication of peripherals to perform off-device fuzzing or using some tricks to perform on-device fuzzing. In this talk, I’ll cover the state of the art for firmware fuzzing by going through the history and the evolution of the techniques proposed so far, and then I’ll go through another idea for performing large-scale fuzzing of IoT devices.

https://www.isi.edu/events/calendar/12822

efiXplorer: IDA plugin for UEFI firmware analysis and RE


This new plugin looks powerful!

Contributors:
Alex Matrosov (@matrosov)
Andrey Labunets (@isciurus)
Philip Lebedev (@p41l)
Yegor Vasilenko (@yeggor)

https://github.com/binarly-io/efiXplorer


AMD UEFI Inside: What is really behind AGESA, the PSP and Combo PI?

AMD UEFI Inside: What is really behind AGESA, the PSP (Platform Security Processor) and especially Combo PI?
Igor Wallossek

Since there are always questions and some things are often confused, we will give you some insights into AMD UEFI, colloquially called “the BIOS” (although that is no longer correct). I have also simplified the following drastically to keep it as simple and understandable as possible. Nevertheless, what happens when the PC starts up is the classic chicken-and-egg problem that you simply have to talk about. Software starts hardware, whereas hardware without software does not actually work and software without hardware does nothing. Now what?[…]

In BOTH English and German:

https://www.igorslab.de/en/inside-amd-bios-what-is-really-hidden-behind-agesa-the-psp-platform-security-processor-and-the-numbers-of-combo-pi/

https://www.igorslab.de/inside-amd-bios-was-verbirgt-sich-wirklich-hinter-agesa-dem-psp-platform-security-processor-und-den-zahlen-von-combo-pi/

thinkpad-shahash: validates firmware integrity of some Lenovo ThinkPads

Re: https://firmwaresecurity.com/2020/06/23/thinkpad-uefi-sign-tools-to-check-and-cryptographically-sign-uefi-firmware-images-found-in-thinkpads/

see this Comment on that post:

https://firmwaresecurity.com/2020/06/23/thinkpad-uefi-sign-tools-to-check-and-cryptographically-sign-uefi-firmware-images-found-in-thinkpads/#comment-3953

This is the original codebase:

This is a small utility which checks and recomputes the SHA-1 hashes used to validate Lenovo ThinkPad X220/T420 (and probably other Sandy Bridge ThinkPads) firmware integrity. You will hear 5 beeps twice if the firmware fails validation and you have the TPM (security chip) turned on, which is pretty common for modified firmware.[…]

https://github.com/ValdikSS/thinkpad-shahash/

But the one in the previous blog post has had a recent check-in, whereas this one has had no changes in a long time, so the newer branch may still be of interest. The change is in this file:

https://github.com/thrimbor/thinkpad-uefi-sign/commit/83ca863d593becc8ea8ba3a9a6a699c922549b0a#diff-9f4286b8580d8928becab03e268e59f5


Reverse Engineering PCBs using CV and ML

Not to be confused with the Capstone disassembly engine: the ECE Capstone Project is a current student project at Oregon State University:

Our goal is to develop a software tool that, when supplied with images of a printed circuit board, will reverse engineer the netlist for the board. The software will be implemented as a web-based service allowing users to publish the netlists that they generate. This web page will be available to the engineering community for prolonging the life of old equipment as well as documenting systems for repair to reduce waste. Integrating Computer Vision & Deep Learning into the software, this project aims to provide precision and reliability without compromises.[…]

https://sites.google.com/oregonstate.edu/ece44x201913/completion-timeline

https://eecs.oregonstate.edu/project-showcase/projects/?id=DjjEhrfP6Jv0yWqi


ESET Research identified multiple malicious EFI bootloaders

So far, the only information is these tweets:

Microsoft ports Defender to Linux and Android

Microsoft Defender has been a Windows-centric AV tool. Recently, Microsoft ported it to Android and Linux, and it also started adding UEFI scanning to Defender. So maybe now Android and Linux users can use Defender to scan for UEFI vulns?

CHIPSEC has been the main option for UEFI scanning. It works only on Intel systems. It runs as an OS-level app (“OS-present”) on Mac, Windows, and Linux, and it also runs from the UEFI shell. The OS-level scanners from Apple and Microsoft now both cover UEFI. Will either scan non-Intel systems, i.e. ARM64 and AMD x86-64?

https://www.microsoft.com/security/blog/2020/06/23/microsoft-continues-to-extend-security-for-all-with-mobile-protection-for-android/

https://www.microsoft.com/security/blog/2020/06/17/uefi-scanner-brings-microsoft-defender-atp-protection-to-a-new-level/

AMD update on CVE-2020-12890: SMM Callout Privilege Escalation

AMD issued an update last week saying that it will provide an actual update in a few weeks, and sarcastically advises vendors to stay “up-to-date”…

6/17/20

AMD is aware of new research related to a potential vulnerability in AMD software technology supplied to motherboard manufacturers for use in their Unified Extensible Firmware Interface (UEFI) infrastructure and plans to complete delivery of updated versions designed to mitigate the issue by the end of June 2020.[…]AMD has delivered the majority of the updated versions of AGESA to our motherboard partners and plans to deliver the remaining versions by the end of June 2020. AMD recommends following the security best practice of keeping devices up-to-date with the latest patches.[…]

We thank Danny Odler for his ongoing security research.

Full announcement paragraph:
https://www.amd.com/en/corporate/product-security

No news here:
https://developer.arm.com/support/arm-security-updates

AGESA status page:
just kidding, there is no such page, only AMD clients get AGESA status updates under NDA.

I wonder if the Apple macOS or Microsoft Defender UEFI scanners will be updated to catch this on AMD systems. CHIPSEC can’t, it does not work on AMD systems.

thinkpad-uefi-sign: Tools to check and cryptographically sign UEFI firmware images found in ThinkPads

[The main branch is 9 months old, but there’s another branch that has just been updated…]

Tools to check and cryptographically sign UEFI firmware images found in ThinkPads. This will resolve the issue where your ThinkPad lets out two groups of five beeps before continuing to boot (the error indicating an invalid signature). These tools are written in Python 3 and rely on the “pycryptodome” library.[…]

https://github.com/thrimbor/thinkpad-uefi-sign