
SPIflash

Very fast reader for SPI flashes for Teensy 2.x.

Original code by Trammell Hudson.

Modifications and addons by Pedro Vilaça.

I have added a few new commands and options. Also added LED flashing when dumping/uploading contents. I’m definitely not an AVR coder, so excuse some ugly things 🙂

To be used with Teensy 2.x devices (and maybe Chinese clones).

https://github.com/gdbinit/spiflash


Unicorn-based EFI emulator?

OSX Reverser has a new blog post on Apple EFI firmware passwords:

[…] This is when I had an idea! How about creating an EFI emulator and debugger using the Unicorn Engine framework? I had a feeling this wouldn’t be extremely hard and time consuming because the EFI environment is self contained – for example no linkers and syscalls to emulate. I also knew that this binary was more or less isolated, only using a few Boot and RunTime services and very few external protocols. Since the total number of Boot and RunTime services is very small, this meant that there wasn’t a lot of code to be emulated. And with a couple of days’ work the EFI DXE Emulator was born. To my surprise I was finally able to run and debug an EFI binary in userland, speeding the reverse engineering process up immensely and quickly providing insight into previously tricky code. […]

Apple EFI firmware passwords and the SCBO myth

Looking forward to a URL for this EFISwissKnife IDA plugin, and ESPECIALLY for this new Unicorn-based EFI emulator! I can’t find a URL yet, though. 😦


tool: TELoader, TE image loader for IDA

The EFI Monster (@osxreverser) has just released a UEFI TE (Terse Executable) image loader for IDA. See the readme for a pointer to the 44con talk’s PDF, as well as the source:

https://github.com/gdbinit/TELoader


Apple UEFI bootkit

There are stories on multiple news sites today about a UEFI firmware bug in Apple systems, found by security researcher Pedro Vilaça (@osxreverser), that is somewhat similar to Thunderstrike.

According to Dennis Fisher’s story at Threatpost, “The vulnerability can be exploited remotely, Vilaca said.” Threatpost also states: “He added that he believes Apple may know about this vulnerability already, as it doesn’t seem to be present on machines sold after about the middle of 2014.”

If you have Apple — or perhaps other UEFI-based — hardware, you should follow this story!

More information:
https://threatpost.com/firmware-bug-in-osx-could-allow-installation-of-low-level-rootkits/113076
http://www.pcworld.com/article/2929172/apple-vulnerability-could-allow-firmware-modifications-researcher-says.html
http://www.securityweek.com/efi-zero-day-exposes-macs-rootkit-attacks-researcher
