EFI_BruteForce: EFI PIN of Apple MacBooks

I just noticed an old article and tool by Kooftness, for brute-forcing the (or an) Apple EFI firmware password.  As I understand the article, the original code didn’t generate results while they had access to the laptop, but since then the code has been revised (7 months ago) and others claim success with the code. I am unclear if this is a 3rd party PIN tool or the main Apple Firmware Password feature.

These Teensyduino sketches (for Teensy embedded boards) and shell scripts are tools to bruteforce EFI or iCloud locks.

Recently I got my hands on a MacBook Pro that, three weeks after being bought, the seller decided that he wanted back. He expressed this by locking it with a 4 digit PIN and a message that stated “Give me back the laptop and give you back the money”, without calling or anything. […] I was told that an alternative solution would be to get a fresh MBP, extract its firmware and flash it using a PIC programmer. He also told me that there are ways to get around this attacking the thunderbolt port but these two options have a high risk in bricking the $2.000 laptop. […] I have received confirmation that this code is working, as we can see in this thread at MacRumors […]

http://orvtech.com/atacar-efi-pin-macbook-pro-en.html
https://github.com/Kooftness/efi_bruteforce
https://github.com/Kooftness/efi_bruteforce/blob/master/efi_attack_modifyed

https://support.apple.com/en-us/HT204455
https://support.apple.com/en-us/HT203409

“If you can’t remember the firmware password for your Mac, schedule a service appointment with an Apple Retail Store or Apple Authorized Service Provider.”

It appears that any current or former Apple Store “genius” can most likely bypass the Apple Firmware Password protection. 😦 I suppose any vendor who can reset the PIN can use it like the above merchant did, to blackmail the customer for access to their own device.

I look forward to seeing the results of LegbaCore working at Apple, though I am afraid that their new models will become less configurable, more like modern Windows boxes, unable to run anything but Apple-approved OSes and pre-OS code (eg, rEFInd).

Ultrasoc diagnostic hardware

It appears Ultrasoc has some hardware-level diagnostic abilities that will be interesting to some:

http://electronicdesign.com/blog/turning-debug-hardware-based-iot-security

http://www.ultrasoc.com/

“Our products allow engineers to look inside systems-on-chip (SoCs) during the development process, and understand exactly how they operate under real-life conditions. Development teams are using our on-chip monitoring and analytics IP to equip their SoCs with an exciting range of new capabilities, applicable in markets from network infrastructure to mobile phones, and from safety-critical systems to the Internet of Things (IoT). These include value-add functions such as service level agreement (SLA) enforcement and in-service performance enhancement – functionality enabled by chips with hard-wired self-monitoring capabilities. UltraSoc’s “smart” modules operate across the whole SoC: reporting rich information in real-time, non-intrusively, from hardware and software. And because the system is vendor-neutral, it provides an efficient way to integrate IP from different vendors, into one coherent framework, including legacy solutions or in-house custom logic.”

IOKit-Dumper

OS X tool for dumping and reconstructing the IOKit classes hierarchy. iokit-dumper directly generates DOT files (see here), which can then be processed with the dot tool. Keep in mind this tool is in its early release, so stuff may happen. Also, careful when playing with the code, since a wrong read in the kernel will cause a kernel panic. Remember to always slide kernel addresses before reading from them.

https://github.com/jndok/iokit-dumper

Hardware Freedom Day: January 17th

Time to get your city planned for HFD’16!

http://www.hardwarefreedomday.org/2016/index.html

https://en.wikipedia.org/wiki/Hardware_Freedom_Day

Hardware Freedom Day (inspired by Software Freedom Day, Document Freedom Day and Geo Freedom Day) is a worldwide celebration and promotion of free and open hardware. The goal of this day is to educate the public about free and open hardware, in education, government and business.

Matthew on x86 boot security

Apple has a lot of work to do, but they just hired LegbaCore, so they should be able to improve.

Linux has a lot of work to do, to catch up to Windows. Luckily there are people like Matthew working on it.

OEMs and Intel have a lot of work to do: they should be working to build the Stateless Laptop that ITL has proposed.

http://mjg59.dreamwidth.org/39339.html

RIP Ian Murdock, creator of Debian

https://bits.debian.org/2015/12/mourning-ian-murdock.html

http://ianmurdock.com/


Brainfuck for EFI

Kirn Gill has ported the Brainfuck language’s interpreter to UEFI!

https://github.com/segin/efibrainfuck

https://en.wikipedia.org/wiki/Brainfuck

http://segin-rr.blogspot.com/

So we have another language option for pre-OS scripting. And something else to look for when searching the UEFI’s ESP (EFI System Partition) for security threats: also look for Brainfuck scripts (and the interpreter), in addition to Python, Lua, Ruby, etc. scripts.

It is built with GNU-EFI, not Tianocore’s EDK-II.
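As an added example (not code from the post or from the efibrainfuck project), here is a small ESP inventory script in the spirit of the check above: it identifies UEFI PE/COFF images by the Subsystem value in their optional header and lists interpreter scripts by extension, so an unexpected interpreter binary or script next to the bootloader stands out. The file names and header-only PE blobs it scans are constructed for the demo, and the .b/.bf extensions for Brainfuck sources are an assumption.

```python
import struct
import tempfile
from pathlib import Path

SCRIPT_EXTS = {".py", ".lua", ".rb", ".nsh", ".b", ".bf"}  # .b/.bf: Brainfuck sources
# PE optional-header Subsystem values reserved for UEFI images.
EFI_SUBSYSTEMS = {10: "EFI_APPLICATION", 11: "EFI_BOOT_SERVICE_DRIVER",
                  12: "EFI_RUNTIME_DRIVER", 13: "EFI_ROM"}
def classify_pe(data: bytes):
    """Return the UEFI subsystem name of a PE/COFF image, or None if it is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 24  # optional header: after 4-byte sig + 20-byte COFF header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < opt + 70:
        return None
    # Subsystem is at offset 68 of the optional header for both PE32 and PE32+.
    return EFI_SUBSYSTEMS.get(struct.unpack_from("<H", data, opt + 68)[0])
def scan_esp(root: str):
    """Walk an ESP mount; return (EFI images with subsystem, interpreter scripts)."""
    images, scripts = [], []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        with path.open("rb") as fh:
            kind = classify_pe(fh.read(1024))
        if kind:
            images.append((rel, kind))
        elif path.suffix.lower() in SCRIPT_EXTS:
            scripts.append(rel)
    return images, scripts
def fake_efi_image(subsystem: int) -> bytes:
    """Constructed header-only PE blob for the demo, not a real binary."""
    hdr = bytearray(0x40 + 24 + 70)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> PE signature
    struct.pack_into("<H", hdr, 0x40 + 24 + 68, subsystem)
    return bytes(hdr)
def demo():
    """Scan a constructed ESP layout (built in a temp dir) and return the findings."""
    files = {"EFI/BOOT/BOOTX64.EFI": fake_efi_image(10),
             "EFI/tools/bf.efi": fake_efi_image(10),
             "EFI/tools/hello.bf": b"++++++++[>++++++++<-]>+.",
             "EFI/tools/startup.nsh": b"bf.efi hello.bf\n"}
    with tempfile.TemporaryDirectory() as esp:
        for rel, data in files.items():
            path = Path(esp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        return scan_esp(esp)
```

Point scan_esp at a mounted ESP (for example /boot/efi on many Linux systems) to get the same two lists for a real machine; anything in either list that the platform or OS installer did not put there deserves a closer look.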

osxlockdown

https://summitroute.com/blog/2015/12/29/osxlockdown/

https://github.com/SummitRoute/osxlockdown

SummitRoute has a new Mac OS X security tool, osxlockdown. An excerpt from the readme follows; note especially the scarily-humorous warnings at the end. 🙂

osxlockdown was built to audit, and remediate, security configuration settings on OS X 10.11 (El Capitan).

This checks and flips various configuration settings. This is a compilation of numerous resources listed in the Resources section which could be converted to bash scripts. This is different than those resources in that instead of requiring the user to read a 100+ page doc, click through numerous GUIs, and try to decide if some esoteric output is good or bad, this tool combines all the steps into a single command. This tool is focused on enterprise deployments of OSX with regard to what it does, but made to be usable for stand-alone home users as well. Running the command by itself will tell you which audit checks passed and failed. Adding the --remediate flag will fix the problems identified. The commands.json file may be edited to disable certain rules by setting enabled to false.

Warning: Many of the rules disable functionality in the name of security. This may make you sad.

Warning: System commands and dark arts are involved, so ensure you have your system backed up first.

Teddy Reed’s SMC fuzzer

In addition to UEFI Firmware Parser, and other tools, Teddy Reed *ALSO* has written a fuzzer for Apple SMC firmware:

devnull’s SMC read/write code, along with simple fuzz options. This smc tool uses the AppleSMC IOKit interface and a userland API for interacting with the System Management Controller (Mac embedded controllers). The tool focuses on the SMC key/value API, but could be expanded to more API methods.

https://github.com/theopolis/smc-fuzzer

Click on the above Twitter URL for the follow-up conversation with some more information about SMC.

Video/Slides for Jethro’s CCC UEFIreverse talk!

Yesterday I mentioned Jethro Beekman had a lecture at CCC on UEFIreverse, but was not sure about video. Video/slides are now available!

UEFIreverse lecture at CCC!


https://jbeekman.nl/research/

https://streaming.media.ccc.de/32c3/relive/7245/

UEFI Firmware Parser now in Cheese Shop

The other day I noticed some Github activity for Teddy Reed’s UEFI Firmware Parser, but didn’t notice any formal new announcement. It appears I was not looking in the right place. The parser is now in the official Python Cheese Shop! And it is named “uefi_firmware”, not UEFI Firmware Parser, which explains that comment in the comment log. 🙂 It’ll be nice to have this tool more easily available in Python. I hope the next time the UEFI Forum updates its UEFI port of CPython, they add this module to the UEFI port.

https://pypi.python.org/pypi/uefi_firmware

UEFI Firmware Parser updated

new UEFI support in Citrix 7.7

One of the new features in this release:

Support for UEFI pre-boot environments. This enables you to stream at startup time using gigabit network speeds, so users experience faster startups, and to use disks over 2 TB.

https://docs.citrix.com/en-us/provisioning/7-7/pvs-new.html

I’m unclear on the specifics. What does ‘UEFI pre-boot environments’ mean? Does this mean OVMF support or something else? How does this help my startup time using gigabit network speeds: does this mean UEFI pre-OS network functionality is used, or something else?
Where is the security documentation for Citrix sysadmins, clarifying pre-OS issues if they’re being added to the stack for the first time? (For that matter, I’ve not found any good docs on this latter topic from any VMM vendor.)


UEFIreverse lecture at CCC!

From the last blog post, Jethro is the person who created UEFIreverse, which has been discussed earlier.

I hadn’t noticed that he’s got a CCC talk on UEFIreverse! Either CCC’s AV archives are still coming, or this wasn’t videotaped (or I can’t find it)…

https://twitter.com/andersonc0d3/status/681916225639825409
https://events.ccc.de/congress/2015/Fahrplan/events/7245.html
https://github.com/jethrogb/uefireverse
https://firmwaresecurity.com/tag/uefireverse/
https://jbeekman.nl/

lecture: Reversing UEFI by execution

This talk will be an overview of how to reverse-engineer Unified Extensible Firmware Interface (UEFI) firmware, the replacement for BIOS. Various useful tools will be discussed, including those written by the presenter and those written by others. One of the highlights will be a tool that enables running parts of the firmware in userspace on a standard Operating System. The Unified Extensible Firmware Interface (UEFI) is a programming environment quite different from regular Operating Systems models, and as such reverse engineering UEFI software is quite different from reversing standard software. This talk will consist of three parts. First, an overview of UEFI and what makes it different will be presented. Then, existing and new tools that aid in reversing UEFI are discussed, including a demonstration of the efiperun tool that enables running UEFI modules in userspace. The talk will conclude with the recounting of a successful reverse engineering project to uncover the Lenovo hard drive password hashing algorithm.