bootoption – Create a new EFI RT variable like BootXXXX but store the data in a property list

bootoption: A program to create and save an EFI boot load option – so that it might be added to the firmware menu later. May be used to work around situations where it is problematic to modify BootOrder, BootXXXX in NVRAM, while targeting a given instance of a loader from the booted OS: during loader installation, for example.

Usage: bootoption -p path -d description -o file
-p path to EFI executable
-d boot option description
-o file to write to (XML property

https://github.com/vulgo/bootoption
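As an added example (not bootoption's own code), here is how the payload of a BootXXXX variable, an EFI_LOAD_OPTION, is laid out, parsed back, and written to a property list. The plist keys and the single File Path device-path node (no partition node) are simplifying assumptions; the binary layout follows the UEFI specification.

```python
import plistlib
import struct

# EFI_LOAD_OPTION attribute bit LOAD_OPTION_ACTIVE (UEFI spec); others omitted
LOAD_OPTION_ACTIVE = 0x00000001
# End Entire Device Path node: Type 0x7F, SubType 0xFF, Length 4
END_NODE = struct.pack("<BBH", 0x7F, 0xFF, 4)

def _file_path_node(path: str) -> bytes:
    # File Path Media Device Path: Type 0x04, SubType 0x04, then CHAR16 name
    name = path.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<BBH", 0x04, 0x04, 4 + len(name)) + name

def build_load_option(description: str, efi_path: str,
                      attributes: int = LOAD_OPTION_ACTIVE) -> bytes:
    """Serialize Attributes, FilePathListLength, Description, FilePathList."""
    desc = description.encode("utf-16-le") + b"\x00\x00"
    fpl = _file_path_node(efi_path) + END_NODE
    return struct.pack("<IH", attributes, len(fpl)) + desc + fpl

def parse_load_option(blob: bytes) -> dict:
    """Decode a BootXXXX payload; raise ValueError if it is truncated."""
    attributes, fpl_len = struct.unpack_from("<IH", blob, 0)
    off = 6
    end = blob.index(b"\x00\x00", off)
    while (end - off) % 2:                 # CHAR16 terminator must be aligned
        end = blob.index(b"\x00\x00", end + 1)
    description = blob[off:end].decode("utf-16-le")
    off = end + 2
    fpl = blob[off:off + fpl_len]
    if len(fpl) != fpl_len or fpl[-4:] != END_NODE:
        raise ValueError("truncated or unterminated FilePathList")
    ntype, subtype, nlen = struct.unpack_from("<BBH", fpl, 0)
    if (ntype, subtype) != (0x04, 0x04):
        raise ValueError("expected a File Path Media node first")
    path = fpl[4:nlen].decode("utf-16-le").rstrip("\x00")
    return {"attributes": attributes, "description": description,
            "path": path, "optional_data": blob[off + fpl_len:]}

def to_plist(blob: bytes, description: str) -> bytes:
    # Assumed plist layout (not bootoption's real schema): raw variable data
    # as <data> plus the human-readable description.
    return plistlib.dumps({"Description": description, "Data": blob})

if __name__ == "__main__":
    opt = build_load_option("Linux", "\\EFI\\linux\\grubx64.efi")
    print(parse_load_option(opt))
    print(to_plist(opt, "Linux").decode())
```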

pcie_injector – PCIe Injector Gateware – based on Xilinx Artix7 FPGA and FTDI USB FT601 chip

PCIe Injector Gateware

The PCIe bus is now the main high speed communication bus between a processor and its peripherals. It is used in all PCs (sometimes encapsulated in Thunderbolt) and now even in mobile phones. Doing security research on PCIe systems can require very expensive tools (>$50k), and packet generation for such tools is not a common feature. PCIe Injector provides such a tool at a more reasonable price. Currently, only a few attacks have been made on PCIe devices. Most of them were done using a MicroBlaze inside a Xilinx FPGA to send/receive the TLPs, making it hard to really analyze (using embedded C software to generate/analyze traffic). Another way is to use the USB3380 chip, but it is also not flexible enough (only supporting 32-bit addressing) and does not allow debugging the PCIe state machine.

The PCIe injector is based on an Artix7 FPGA from Xilinx connected to DDR3 and a high speed USB 3.0 FT601 chip from FTDI. It allows:
* Having full control of the PCIe core.
* Sending/receiving TLPs through USB 3.0 (or buffering them to/from DDR3).
* Using flexible software/tools on the host for receiving/generating/analyzing the TLPs (Wireshark dissectors, scapy, …).

https://github.com/enjoy-digital/pcie_injector

http://www.enjoy-digital.fr/

http://pcisig.com/

ps4-namedobj-exploit: Playstation 4 Kernel Exploit

https://fail0verflow.com/blog/2017/ps4-namedobj-exploit/

https://github.com/Cryptogenic/PS4-4.05-Kernel-Exploit

https://github.com/Cryptogenic/Exploit-Writeups/blob/master/PS4/%22NamedObj%22%204.05%20Kernel%20Exploit%20Writeup.md

A fully implemented kernel exploit for the PS4 on 4.05FW. In this project you will find a full implementation of the “namedobj” kernel exploit for the PlayStation 4 on 4.05. It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system. This release however, does not contain any code related to defeating anti-piracy mechanisms or running homebrew. This exploit does include a loader that listens for payloads on port 9020 and will execute them upon receipt.

oppo_decrypt – Oppo/Oneplus .ops Firmware decrypter

Tested with “MSMDownloadTool V4.0” for Oneplus 5, Frida 10.4 and Windoze
backdoor.py : Enables hidden “readback” functionality
decrypt.py : Decrypts any part of the firmware
Based on Frida.re and python 3.6
Windows only, sorry folks !
Oneplus 5 QD-Loader decryption: 'python decrypt.py "MsmDownloadTool V4.0.exe" 0 0x92880'
Enable readback mode: 'python backdoor.py "MsmDownloadTool V4.0.exe"'

https://github.com/bkerler/oppo_decrypt

http://www.oppo.com/
https://oneplus.net/

dump_avb_signature: dump/verify Android Verified Boot signature hash

Dump/Verify Android Verified Boot Signature Hash
For researching Android Verified Boot issues
To exploit TZ image verification 🙂

python verify_signature.py boot.img

Issues: Might not work with AVB Version 2.0 or higher

https://github.com/bkerler/dump_avb_signature

uefi-rs – library to enable writing UEFI apps in Rust language

This library allows you to write UEFI applications in Rust. UEFI is the successor to the BIOS. It provides an early boot environment for OS loaders and other low-level applications. The objective of this library is to provide safe and performant wrappers for UEFI interfaces, and allow developers to write idiomatic Rust code. This crate’s documentation is fairly minimal, and you are encouraged to refer to the UEFI specification for detailed information. You can find some example code in the tests directory, as well as use the build.py script to generate the documentation. This repo also contains an x86_64-uefi.json file, which is a custom Rust target for 64-bit UEFI applications.[…]

https://github.com/GabrielMajeri/uefi-rs

UEFIStarter: framework to simplify UEFI development with TianoCore EDK2

This is a small C framework for UEFI development built on top of TianoCore EDK2. This project is not a comprehensive course in UEFI development. If you’re just starting to write UEFI code you’ll need to use additional material like the official TianoCore documentation, and the UEFI Specification. The library and UEFI applications included in this code are meant to simplify a few repetitive tasks when developing UEFI code. For example there is a configurable command line argument parser that will validate input strings and convert them into the target datatype, e.g. integers. This project started out with another UEFI development kit (gnu-efi) but eventually outgrew the original SDK, so I migrated it to TianoCore EDK2017. As a result of this there are still a few library functions included that are already built into TianoCore. It is my hope that this code helps anyone looking into, or starting with, UEFI development: I did that myself a few months ago and found parts of the various documentation frustratingly lacking. If I can spare you some of the headache I had I’m happy.

https://github.com/rinusser/UEFIStarter

Eclypsium to offer firmware training at REcon

Defending From Platform Firmware Threats
Instructor: Yuriy Bulygin, Oleksandr Bazhaniuk
Dates: 29 to 31 January 2018
Price: 2625 EURO before January 1, 3500 EURO after.

A variety of attacks targeting system firmware have been discussed publicly, drawing attention to the pre-boot and firmware components of the platform such as BIOS and SMM, OS loaders and secure booting. This training will detail and organize objectives, attack vectors, vulnerabilities and exploits against various types of system firmware such as legacy BIOS, SMI handlers and UEFI-based firmware, mitigations as well as tools and methods available to analyze security of such firmware components. It will also detail protections available in hardware and in firmware such as Secure Boot implemented by modern operating systems against bootkits. The training includes theoretical material describing a structured approach to system firmware security analysis and mitigations as well as many hands-on exercises to test system firmware for vulnerabilities. After the training you should have a basic understanding of platform hardware components and various types of system firmware, security objectives and attacks against system firmware, and mitigations available in hardware and firmware. You should be able to apply this knowledge in practice to identify vulnerabilities in BIOS and perform forensic analysis of the firmware.

https://recon.cx/2018/brussels/training/trainingfirmware.html

https://www.eclypsium.com/

PS: Looking forward to when Eclypsium will release their ARM port of the GPL CHIPSEC project. They’ve been saying they’d release this since Black Hat. It would be nice if ARM OEMs could use it, not just Eclypsium clients.

NVIDIA to stop 32-bit driver development

Bye-bye 32, says Nvidia

By Kathleen Maher December 27, 2017

In a no frills, no hoopla, in a very un-Nvidia like fashion, the company announced that after Release 390, Nvidia will no longer release drivers for 32-bit operating systems for any GPU architecture. The company is currently shipping WHQL driver version 388.71 which suggests there will be a few more 32-bit drivers before the cutoff. Later driver release versions will not operate, nor install, on 32-bit operating systems. Driver enhancements, driver optimizations, and operating system features in driver versions after Release 390 will not be incorporated back into Release 390 or earlier versions. This impacts operating systems such as Microsoft Windows 7, Microsoft Windows 8/8.1, Microsoft Windows 10, Linux, and FreeBSD—applicable to operating systems running on x64 and x32 CPU architectures.

Hmm, I can’t find this info on the NVIDIA PR site:

https://nvidianews.nvidia.com/

QBDI – QuarksLab – dynamic binary instrumentation framework for Intel/ARM Linux/Mac/Android/iOS/Windows

https://github.com/quarkslab/QBDI

https://events.ccc.de/congress/2017/Fahrplan/events/9006.html

https://qbdi.quarkslab.com/

QuarkslaB Dynamic binary Instrumentation (QBDI) is a modular, cross-platform and cross-architecture DBI framework. It aims to support Linux, macOS, Android, iOS and Windows operating systems running on x86, x86-64, ARM and AArch64 architectures.

UK gov on firmware vulnerabilities, and updated guidance for Windows

Firmware bugs are like buses
Created: 23 Nov 2017
Author: Mike H
[…]These vulnerabilities serve as a great example of the importance of firmware updates and the need for a strategy to be in place to automate them. If you are not already applying firmware updates within your organisation, maybe this is a good time to think about starting.

https://www.ncsc.gov.uk/guidance/eud-security-guidance-windows-10-1703#devicefirmware

https://www.ncsc.gov.uk/blog-post/firmware-bugs-are-buses

Hopefully they update their Linux guidance to include recent firmware security advice, not just the Windows guidance. 🙂

See-also:

https://www.ncsc.gov.uk/guidance/end-user-device-security
eg:

https://www.ncsc.gov.uk/guidance/end-user-device-guidance-factory-reset-and-reprovisioning

Intel ME at CCC

It appears PTSecurity may have a GUI Debugger for Intel ME??

The “Minix Inside” stickers look great, click on the tweet from frdnd.

Hoping CCC staff does the great job they do every year and gets the videos for these events online quickly! 😉

https://twitter.com/frdnd/status/942984718613610496

https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/8762.html

https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/8782.html

PS: Of course, this isn’t all that is happening at CCC. There are multiple other interesting talks, eg:

https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/9111.html
https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/9056.html
https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/9205.html
https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/8725.html
https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/9207.html
https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/8920.html
https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/8950.html
https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/9237.html
https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/9202.html
https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/9195.html
https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/8784.html
https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/8831.html
https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/9159.html
https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/9058.html
https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/8956.html

Cutter 1.1 released

Version 1.1 of Cutter, the GUI for Radare2 formerly known as Iaito, has been released. Click on the second tweet below for an animation of the GUI in action.

https://github.com/radareorg/cutter

https://github.com/radareorg/cutter/releases/tag/v1.1

https://github.com/radareorg/cutter/commits/master

Sysdream article on using PCILeech to attack Windows

Nice article by Sysdream on using PCILeech to attack Windows via DMA.

https://sysdream.com/news/lab/2017-12-22-windows-dma-attacks-gaining-system-shells-using-a-generic-patch/

Nexmon_Debugger: for ARM microcontroller in the BCM4339 Wi-Fi chip

Nexmon Debugger

To analyze the FullMAC firmware running on the ARM microcontroller in the BCM4339 Wi-Fi chip, we created a debugger in software that directly accesses the hardware registers of the ARM Debugging core. As we do not have access to the JTAG port, we generate exceptions whenever a breakpoint or watchpoint is triggered. We handle those exceptions in our firmware patch and can then continue with the execution of the firmware code.[…]

https://github.com/seemoo-lab/nexmon_debugger

Intel ME research paper

https://twitter.com/bitkeks/status/939900188210147328

The Intel Management Engine
This blog post is based on a research paper I wrote for university. Although my work was mainly reading and summarising, I hope this article helps to bring some clarification about the details of the ME. At the bottom, you will also find some sources I used. Please be aware that since I wrote this report until June 2017, a new generation of ME was deployed, the one running the Minix microkernel on an x86 coprocessor. Nevertheless, to understand the development and architecture of the whole concept, it’s good to understand the details up from 2009.[…]

https://bitkeks.eu/blog/2017/12/the-intel-management-engine.html