EFI Swiss Knife: IDA plugin

https://twitter.com/osxreverser/status/874636697841152001

EFI Swiss Knife – An IDA plugin to improve (U)EFI reversing
Today I am finally releasing one of the EFI reversing tools I built when I was working on the SCBO post. Yesterday there were some tweets about IDA improving its support for EFI binaries (although I’m not sure it’s the same thing as in here) so I decided to finally release this one. Tested with IDA 6.9 and IDA 6.95 OS X versions, might work in Windows with just paths modification. It is based on Snare’s work, https://github.com/snare/ida-efiutils. Since I hate Python I rewrote it in C and added some extra features.[…]

https://reverse.put.as/2017/06/13/efi-swiss-knife-an-ida-plugin-to-improve-uefi-reversing/

https://github.com/gdbinit/EFISwissKnife

SPIflash

https://twitter.com/osxreverser/status/860539774402260993
Very fast reader for SPI flashes for Teensy 2.x.

Original code by Trammell Hudson.

Modifications and addons by Pedro Vilaça.

I have added a few new commands and options. Also added led flashing when dumping/uploading contents. I’m definitely not an AVR coder so excuse me some ugly things 🙂

To be used with Teensy 2.x devices (and maybe Chinese clones).

https://github.com/gdbinit/spiflash

Unicorn-based EFI emulator?

OSX Reverser has a new blog post on Apple EFI firmware passwords:

https://twitter.com/osxreverser/status/746479354570477568

[…] This is when I had an idea! How about creating an EFI emulator and debugger using the Unicorn Engine framework? I had a feeling this wouldn’t be extremely hard and time consuming because the EFI environment is self contained – for example no linkers and syscalls to emulate. I also knew that this binary was more or less isolated, only using a few Boot and RunTime services and very few external protocols. Since the total number of Boot and RunTime services are very small this meant that there wasn’t a lot of code to be emulated. And with a couple of days work the EFI DXE Emulator was born. To my surprise I was finally able to run and debug an EFI binary in userland, speeding the reverse engineering process up immensely and quickly providing insight to previously tricky code. […]

https://reverse.put.as/2016/06/25/apple-efi-firmware-passwords-and-the-scbo-myth/
https://sentinelone.com/blogs/apple-efi-firmware-passwords-and-the-scbo-myth/

Looking forward to a URL to this EFISwissKnife IDA plugin, and ESPECIALLY this new Unicorn-based EFI emulator! I can’t find a URL yet, though. 😦
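As an added illustration of the approach the quoted post describes (this is my sketch, not code from the post or from the EFI DXE Emulator project): the driver is handed a fake EFI_SYSTEM_TABLE whose Boot Services pointers all land in a small "trap" region, and a Unicorn code hook on that region services each call from Python. The guest addresses, the hand-assembled sample driver and the handful of handlers are constructed assumptions; the Boot Services ordering follows the x64 layout in the UEFI specification, so check it against the spec revision your target was built with. Only run_with_unicorn() needs the unicorn package; the table-building and trap-mapping helpers run without it.

```python
"""Trap-and-dispatch sketch of a Unicorn-based EFI DXE emulator (added example)."""
import struct

# EFI_BOOT_SERVICES function pointers on x64, in the order the UEFI spec lists
# them after the 24-byte EFI_TABLE_HEADER (verify against your spec revision).
BOOT_SERVICES = [
    "RaiseTPL", "RestoreTPL", "AllocatePages", "FreePages", "GetMemoryMap",
    "AllocatePool", "FreePool", "CreateEvent", "SetTimer", "WaitForEvent",
    "SignalEvent", "CloseEvent", "CheckEvent", "InstallProtocolInterface",
    "ReinstallProtocolInterface", "UninstallProtocolInterface", "HandleProtocol",
    "Reserved", "RegisterProtocolNotify", "LocateHandle", "LocateDevicePath",
    "InstallConfigurationTable", "LoadImage", "StartImage", "Exit", "UnloadImage",
    "ExitBootServices", "GetNextMonotonicCount", "Stall", "SetWatchdogTimer",
    "ConnectController", "DisconnectController", "OpenProtocol", "CloseProtocol",
    "OpenProtocolInformation", "ProtocolsPerHandle", "LocateHandleBuffer",
    "LocateProtocol", "InstallMultipleProtocolInterfaces",
    "UninstallMultipleProtocolInterfaces", "CalculateCrc32", "CopyMem", "SetMem",
    "CreateEventEx",
]
HDR_SIZE = 24                    # sizeof(EFI_TABLE_HEADER)
ST_BOOT_SERVICES_OFF = 0x60      # EFI_SYSTEM_TABLE.BootServices on x64
ST_SIZE = 0x78                   # sizeof(EFI_SYSTEM_TABLE) on x64
EFI_SUCCESS = 0
EFI_NOT_FOUND = 0x800000000000000E

# Constructed guest addresses (assumptions for this sketch, not from the post).
CODE_BASE = 0x10000000
TABLE_BASE = 0x20000000          # fake system table; fake Boot Services follow it
TRAP_BASE = 0x30000000           # one 16-byte trap slot per Boot Service
TRAP_SLOT = 16
STACK_BASE, STACK_SIZE = 0x40000000, 0x10000

def bs_offset(name):
    """Byte offset of a Boot Service pointer inside EFI_BOOT_SERVICES."""
    return HDR_SIZE + 8 * BOOT_SERVICES.index(name)

def trap_address(name):
    return TRAP_BASE + TRAP_SLOT * BOOT_SERVICES.index(name)

def service_at(addr):
    """Map a trap address back to a Boot Service name, or None if not a slot."""
    idx, rem = divmod(addr - TRAP_BASE, TRAP_SLOT)
    if rem or not 0 <= idx < len(BOOT_SERVICES):
        return None
    return BOOT_SERVICES[idx]

def build_tables():
    """Fake EFI_SYSTEM_TABLE followed by a fake EFI_BOOT_SERVICES whose every
    entry points at its own trap slot."""
    st = bytearray(ST_SIZE)
    st[0:8] = b"IBI SYST"        # EFI_SYSTEM_TABLE_SIGNATURE
    struct.pack_into("<Q", st, ST_BOOT_SERVICES_OFF, TABLE_BASE + ST_SIZE)
    bs = bytearray(HDR_SIZE + 8 * len(BOOT_SERVICES))
    bs[0:8] = b"BOOTSERV"        # EFI_BOOT_SERVICES_SIGNATURE
    for name in BOOT_SERVICES:
        struct.pack_into("<Q", bs, bs_offset(name), trap_address(name))
    return bytes(st + bs)

def build_trap_region():
    """Each slot is a single 'ret': the hook fills RAX with the status and the
    ret returns to the driver exactly as a real service would."""
    return (b"\xc3" + b"\xcc" * (TRAP_SLOT - 1)) * len(BOOT_SERVICES)

# Python-side services. An isolated driver needs only a few, which is what makes
# the approach practical; the real GUID lookup (pointer in RCX) is omitted here.
def locate_protocol(uc):
    return EFI_NOT_FOUND
HANDLERS = {"LocateProtocol": locate_protocol, "Stall": lambda uc: EFI_SUCCESS,
            "SetWatchdogTimer": lambda uc: EFI_SUCCESS}

# Constructed, hand-assembled x64 stand-in for a driver entry point:
#   mov rax, [rdx+0x60]      ; SystemTable->BootServices
#   call qword [rax+0x140]   ; BootServices->LocateProtocol(...)
#   ret
SAMPLE_DRIVER = bytes.fromhex("488b4260" "ff9040010000" "c3")

def run_with_unicorn(code=SAMPLE_DRIVER, handlers=HANDLERS):
    """Run raw x64 code with RCX=ImageHandle, RDX=SystemTable under Unicorn and
    return the (service, status) pairs it called. Needs the 'unicorn' package."""
    from unicorn import Uc, UC_ARCH_X86, UC_MODE_64, UC_HOOK_CODE
    from unicorn.x86_const import (UC_X86_REG_RAX, UC_X86_REG_RCX,
                                   UC_X86_REG_RDX, UC_X86_REG_RSP)
    uc = Uc(UC_ARCH_X86, UC_MODE_64)
    for base in (CODE_BASE, TABLE_BASE, TRAP_BASE):
        uc.mem_map(base, 0x1000)
    uc.mem_map(STACK_BASE, STACK_SIZE)
    uc.mem_write(CODE_BASE, code)
    uc.mem_write(TABLE_BASE, build_tables())
    uc.mem_write(TRAP_BASE, build_trap_region())
    calls = []
    sentinel = TRAP_BASE + 0xFF0     # mapped but not a slot: the driver's final ret lands here
    def on_trap(uc, address, size, user_data):
        name = service_at(address)
        if name is None:             # sentinel reached: driver returned
            uc.emu_stop()
            return
        status = handlers.get(name, lambda u: EFI_SUCCESS)(uc)
        calls.append((name, status))
        uc.reg_write(UC_X86_REG_RAX, status)   # the slot's 'ret' does the rest
    uc.hook_add(UC_HOOK_CODE, on_trap, begin=TRAP_BASE, end=TRAP_BASE + 0x1000)
    rsp = STACK_BASE + STACK_SIZE - 0x100
    uc.mem_write(rsp, struct.pack("<Q", sentinel))
    uc.reg_write(UC_X86_REG_RSP, rsp)
    uc.reg_write(UC_X86_REG_RCX, 0)            # ImageHandle (dummy)
    uc.reg_write(UC_X86_REG_RDX, TABLE_BASE)   # SystemTable
    uc.emu_start(CODE_BASE, sentinel)
    return calls
```

Calling run_with_unicorn() with the sample driver should report a single ("LocateProtocol", EFI_NOT_FOUND) call. The design choice worth noting is that every trap slot is a real ret instruction: the hook only has to set RAX, so control flow stays inside the emulator's normal execution rather than being rewritten from the callback, and any service the Python side has no handler for still returns cleanly (with EFI_SUCCESS) instead of crashing the run. Runtime Services, protocol interfaces and a real GUID-keyed protocol database would be added the same way.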

Apple UEFI bootkit

There are stories on multiple news sites today about a UEFI firmware bug in Apple systems, discovered by security researcher Pedro Vilaça (@osxreverser), that is somewhat similar to Thunderstrike.

According to Dennis Fisher’s story at Threatpost, “The vulnerability can be exploited remotely, Vilaca said.” Threatpost also states: “He added that he believes Apple may know about this vulnerability already, as it doesn’t seem to be present on machines sold after about the middle of 2014.”

If you have Apple — or perhaps other UEFI-based — hardware, you should follow this story!

More information:

Firmware Bug in OSX Could Allow Installation of Low-Level Rootkits

http://www.pcworld.com/article/2929172/apple-vulnerability-could-allow-firmware-modifications-researcher-says.html
http://www.securityweek.com/efi-zero-day-exposes-macs-rootkit-attacks-researcher