Jethro Beekman: Reversing UEFI by execution

0:09 - 0:12

Herald: So, in this talk we will hear about
0:12 - 0:16

what UEFI is, how it can be used,
0:16 - 0:19

and how it can be executed in userspace,
0:19 - 0:20

and our speaker is Jethro Beekman,
0:20 - 0:26

and... the stage is yours.
0:26 - 0:28

Jethro Beekman: Thank you for the introduction.
0:28 - 0:32

applause
0:32 - 0:35

Alright, thank you for the introduction.
0:35 - 0:38

So, I'm a PhD student at UC Berkeley,
0:38 - 0:40

and in my copious amounts of free time,
0:40 - 0:43

I like to reverse-engineer things.
0:43 - 0:45

In particular, this time,
0:45 - 0:47

I reverse-engineered UEFI,
0:47 - 0:50

which is the modern BIOS replacement.
0:50 - 0:53

And, in this talk, I will discuss some tools
0:53 - 0:55

that you can use - that you too can use
0:55 - 0:57

to reverse-engineer UEFI,
0:57 - 0:59

including some tools that I wrote,
0:59 - 1:02

and tools that other people wrote.
1:02 - 1:05

So, this whole project started
1:05 - 1:08

when I bought a new SSD for my laptop
1:08 - 1:11

and, as you might know, modern SSDs have
1:11 - 1:14

built-in encryption capabilities,
1:14 - 1:16

whether this is secure or not is a question,
1:16 - 1:18

is a good question, but really,
1:18 - 1:20

reverse-engineering SSD firmware
1:20 - 1:23

is a talk for another day.
1:23 - 1:28

So, I decided to use this encryption,
1:28 - 1:31

and use it using the built-in
1:31 - 1:33

hardware password option
1:33 - 1:36

of my UEFI firmware.
1:36 - 1:39

This is the password I chose, 64 characters,
1:39 - 1:42

"correct horse battery staple galaxy
piece position require house".
1:42 - 1:48

It's very secure, obviously.
1:48 - 1:50

So this all seemed to be working fine,
1:50 - 1:51

and I was trusting that my hard drive
1:51 - 1:54

was encrypted properly,
1:54 - 1:55

but once you start to think about
1:55 - 1:56

how it actually works,
1:56 - 1:59

there's a small discrepancy, really,
1:59 - 2:02

because the way this password's input
2:02 - 2:05

to the hard drive is using
2:05 - 2:07

the ATA security feature set,
2:07 - 2:09

the security-unlock command.
2:09 - 2:11

And if you look at the unlock command,
2:11 - 2:13

you clearly see that the password
2:13 - 2:17

is supposed to be 32 bytes.
2:17 - 2:21

How are these 64 characters
turned into 32 bytes?
2:21 - 2:23

That is my question,
2:23 - 2:25

because if my laptop dies
2:25 - 2:28

but my SSD is still functional,
2:28 - 2:30

I want to be able to take my SSD
2:30 - 2:32

and put it into another computer
2:32 - 2:34

to get access to my data.
2:34 - 2:36

I tried all the standard things,
2:36 - 2:41

like truncating it, or using a standard
2:41 - 2:43

hash function like SHA-256
2:43 - 2:45

that has 32-byte output,
2:45 - 2:48

but these things all didn't work.
2:48 - 2:50

So then I decided to, you know,
2:50 - 2:53

really dive into the firmware
2:53 - 2:55

to figure out how it works.
2:55 - 2:56

So this talk will also be called
2:56 - 3:00

"How to turn 64 characters into 32 bytes".
3:00 - 3:07

applause
3:08 - 3:09

So what are some challenges
3:09 - 3:12

when reverse-engineering UEFI?
3:12 - 3:14

So first of all, this is the first thing
3:14 - 3:18

that runs when your computer is booted up.
3:18 - 3:19

So that means you will not be able
3:19 - 3:21

to use a standard debugger.
3:21 - 3:24

Surely people who develop firmware for a living
3:24 - 3:27

have some kind of hardware debugger
3:27 - 3:31

but that's unlikely to work on a commodity
system
3:31 - 3:35

such as this laptop,
which is all I got from the store.
3:35 - 3:37

Maybe you think you can emulate the firmware
3:37 - 3:39

using qemu or something like that,
3:39 - 3:41

but the hardware that the firmware
3:41 - 3:43

is designed to support
3:43 - 3:46

is unlikely to be correctly emulated by qemu.
3:46 - 3:50

So that is also probably not a viable way
3:50 - 3:52

to debug this.
3:52 - 3:58

Also, because UEFI is basically one big process,
3:58 - 4:01

using one address space,
4:01 - 4:02

there's no operating system
4:02 - 4:05

so there's no system calls.
4:05 - 4:07

Also there's no dynamic linker,
4:07 - 4:09

so there's no dynamic symbols,
4:09 - 4:10

there's no symbol table that you can use
4:10 - 4:13

as a starting point in your reverse-engineering.
4:13 - 4:16

You know, if you were reverse-engineering
4:16 - 4:20

a standard password utility in userspace
4:20 - 4:22

or something, you might start at
4:22 - 4:24

the read system call for,
4:24 - 4:27

that would be displayed to the user
4:27 - 4:28

to enter the password.
4:28 - 4:35

But in UEFI, no, that is not an option.
4:35 - 4:37

And even though there's no dynamic linker,
4:37 - 4:38

the whole firmware consists
4:38 - 4:42

of 281 different modules, in my case,
4:42 - 4:46

and it could be similar numbers
on your UEFI laptop.
4:46 - 4:51

And these modules all need to interact
in some way.
4:51 - 4:54

So, let's take a look at these different modules.
4:54 - 4:57

There's a tool called UEFITool,
4:57 - 4:59

written by Nikolaj Schlej, and
4:59 - 5:00

this really should be in your bag of tricks
5:00 - 5:02

if you're interested in doing anything
5:02 - 5:05

with UEFI firmware.
5:05 - 5:11

So, here I'll just go and use UEFIExtract,
5:11 - 5:15

which is a command line utility
5:15 - 5:17

included with UEFITool
5:17 - 5:20

that allows you to extract a firmware blob,
5:20 - 5:22

so in this case I took the firmware blob
5:22 - 5:26

from the Lenovo firmware update CD
5:26 - 5:30

and we're going to extract that.
5:30 - 5:34

After extracting it, we get this nice
directory structure
5:34 - 5:38

with one subdirectory per module
5:38 - 5:40

and as you can see, there's quite a few of
them.
5:40 - 5:45

Here's, there's system management
mode control module,
5:45 - 5:48

timer module, things like that.
5:48 - 5:49

And as you can see,
5:49 - 5:51

each module has a bunch of subdirectories
5:51 - 5:52

for the different sections
5:52 - 5:53

that are included in that module.
5:53 - 5:57

And one that appears a lot is the PE32+ image.
5:57 - 5:59

This is a portable execution image,
5:59 - 6:03

this is a format that Windows uses for executables.
6:03 - 6:06

So, you might think you might be able to run
6:06 - 6:11

these modules, and that is true.
6:11 - 6:14

But first, let's take a look at
6:14 - 6:16

what happens when you run a module like that.
6:16 - 6:20

Each module has an entry point, main,
6:20 - 6:23

and the main function gets passed
6:23 - 6:25

a pointer to the system table.
6:25 - 6:27

The system table is just...
6:27 - 6:30

contains more pointers to other structures.
6:30 - 6:32

For example, for the terminals,
6:32 - 6:35

cons in, cons out, standard error,
6:35 - 6:38

the standard text inputs and outputs,
6:38 - 6:41

and also the boot services structure.
6:41 - 6:43

The boot services structure contains
6:43 - 6:45

a bunch of function pointers,
6:45 - 6:48

including these install protocol interface
6:48 - 6:51

and locate protocol functions.
6:51 - 6:53

The install protocol interface allows
6:53 - 6:56

a module to install a protocol interface
6:56 - 7:00

using, specified by a particular GUID
7:00 - 7:03

and the interface is specified by just some
pointer.
7:03 - 7:06

Then, later, another module can call
7:06 - 7:09

a locate protocol function with the same GUID
7:09 - 7:11

and it will receive a pointer
7:11 - 7:13

to this interface that was previously installed
7:13 - 7:14

by the other modules.
7:14 - 7:18

So, most modules in their main function
7:18 - 7:21

start by loading a bunch of protocols
7:21 - 7:24

and then, after that, installing one more
7:24 - 7:28

of their own protocols.
7:28 - 7:29

This is all done at runtime.
7:29 - 7:31

So there's really no static way of
7:31 - 7:33

viewing the dependencies
7:33 - 7:35

between the different modules.
7:35 - 7:36

Luckily, we might be able to
7:36 - 7:37

execute these modules,
7:37 - 7:41

as I was alluding to before.
7:41 - 7:42

These modules, they're written
7:42 - 7:44

for the hardware you're currently using,
7:44 - 7:47

with your current operating system.
7:47 - 7:49

So they have a compatible instruction set.
7:49 - 7:50

So in order to execute them,
7:50 - 7:52

you just need a compatible
7:52 - 7:55

application binary interface, or ABI.
7:55 - 7:56

This is what I've written,
7:56 - 7:58

with the efiperun tool.
7:58 - 8:02

You can think of efiperun as WINE for UEFI.
8:02 - 8:04

Just like WINE allows you to run
8:04 - 8:06

Windows applications on Linux,
8:06 - 8:09

efiperun allows you to run EFI modules
8:09 - 8:12

on Linux.
8:12 - 8:19

applause
8:22 - 8:25

So, efiperun has a bunch of features,
8:25 - 8:29

it includes many of the standard EFI APIs
8:29 - 8:32

and it's very easy to add implementations
8:32 - 8:33

for missing APIs.
8:33 - 8:36

Also, at runtime, a missing API
8:36 - 8:37

will be generated automatically
8:37 - 8:40

with some stub functions.
8:40 - 8:41

It supports memory map annotations,
8:41 - 8:46

so that you can see which parts of memory
8:46 - 8:48

have been allocated by which module
8:48 - 8:50

and you can all run these in your standard
8:50 - 8:53

debugger environments, like gdb.
8:53 - 8:55

Also, as an interesting aside,
8:55 - 8:57

I think this the only project
8:57 - 8:58

I could find online
8:58 - 9:00

that uses the cross-stdarg header
9:00 - 9:03

which is used for calling
9:03 - 9:04

variable-argument functions
9:04 - 9:07

across calling conventions.
9:07 - 9:14

So, let's do a little demo of efiperun.
9:14 - 9:16

In this demo, I will just
9:16 - 9:21

run efiperun on each different module
9:21 - 9:24

to see which other modules it interacts with.
9:34 - 9:36

So, I just wrote this little Ruby script
9:36 - 9:38

which traverses the directory tree
9:38 - 9:42

that we just saw from the UEFIExtract utility
9:42 - 9:44

and then it executes efiperun
9:44 - 9:47

for each different module.
9:47 - 9:48

Whee!
9:50 - 9:52

Assertion error that I've never seen before,
9:52 - 9:54

that's always fun.
9:54 - 9:56

As you can see, 281 processes are launched,
9:56 - 9:58

most modules return
9:58 - 10:00

from the main function, normally,
10:00 - 10:01

but some of them get stuck
10:01 - 10:04

in an infinite loop,
10:04 - 10:06

so efiperun will automatically terminate
10:06 - 10:08

after 10 seconds in this case.
10:08 - 10:10

Let's look at the output of
10:10 - 10:14

all these different efiperun modules.
10:17 - 10:18

You can see a bunch of them segfault,
10:18 - 10:21

which, you know, can be, is understandable
10:21 - 10:23

because they might be expecting
10:23 - 10:26

some memory setup from the early boot
10:26 - 10:29

that is not existent anymore,
10:29 - 10:32

but there are a bunch of modules that do work
10:32 - 10:37

such as system boot manager.
10:37 - 10:40

You can see that it prints out
a bunch of stuff,
10:40 - 10:44

version information, copyright information,
10:44 - 10:46

then it requests a protocol,
10:46 - 10:48

this protocol has a GUID that is specified
10:48 - 10:50

by the EFI specification,
10:50 - 10:53

so we can interpret that GUID
10:53 - 10:56

and then it calls some stub functions
10:56 - 10:58

that we have not implemented
10:58 - 10:59

and then afterwards,
10:59 - 11:00

it installs its own protocol,
11:00 - 11:02

which is also a protocol specified
11:02 - 11:07

by the EFI specification.
11:07 - 11:08

Another interesting module
11:08 - 11:12

is the system splash module,
11:12 - 11:16

which we see over here.
11:16 - 11:19

As you can see, it actually requests
11:19 - 11:21

a bunch of protocols that are not implemented
11:21 - 11:23

by efiperun and you will see
11:23 - 11:25

it will automatically generate
11:25 - 11:28

a dummy interface for that purpose.
11:28 - 11:31

And then you will see that it calls
11:31 - 11:32

a function in this dummy interface
11:32 - 11:34

that was created here,
11:34 - 11:36

namely function number 2,
11:36 - 11:40

and because we are unable to handle this function
11:40 - 11:43

we just abort.
11:43 - 11:46

Okay, so now that I've shown you
11:46 - 11:49

that we can run these different modules,
11:49 - 11:50

we really need to get started with
11:50 - 11:52

the reverse-engineering of my BIOS
11:52 - 11:54

to figure how to turn those 64 characters
11:54 - 11:57

into 32 bytes.
11:57 - 12:00

You might remember this picture
from slide 2.
12:00 - 12:02

You can see that there's a little graphic
12:02 - 12:04

displayed in the password prompt.
12:04 - 12:05

So this graphic needs to be stored
12:05 - 12:06

somewhere in the BIOS,
12:06 - 12:08

and it needs to be coded to display
12:08 - 12:12

this graphic to the user at some point.
12:12 - 12:14

So, let's take a look at the different modules
12:14 - 12:15

that might have something to do with images
12:15 - 12:18

and graphics and things like that.
12:18 - 12:20

Turns out there's only 4 of the 281
12:20 - 12:22

that have a file names that seems to correspond
12:22 - 12:24

to something with graphics or images.
12:24 - 12:28

And if this, the first module is called
12:28 - 12:30

by another module,
12:30 - 12:32

which is Lenovo prompt service.
12:32 - 12:34

And Lenovo prompt service contains
12:34 - 12:36

in one of its data sections,
12:36 - 12:38

this image over here.
12:38 - 12:40

So now we know that we've found something
12:40 - 12:45

that has to do with the password prompt.
12:45 - 12:47

This prompt module is called by only one
12:47 - 12:48

other module, which is
12:48 - 12:50

the Lenovo password CP module,
12:50 - 12:51

which probably means something like
12:51 - 12:56

password control panel or something like that.
12:56 - 12:57

The password CP module also calls
12:57 - 13:00

into 3 other modules, namely
13:00 - 13:02

the sound service module, presumably to
13:02 - 13:04

play beeps if the user does something wrong
13:04 - 13:06

while entering the password,
13:06 - 13:08

the translate service module, which is used
13:08 - 13:10

to translate characters,
13:10 - 13:12

which I've reverse-engineered,
13:12 - 13:16

I've figured out that it's used to translate
13:16 - 13:20

ascii characters back into keyboard scan codes.
13:20 - 13:22

Keyboard scan codes are codes that are assigned
13:22 - 13:24

to each different key on your keyboard.
13:24 - 13:26

It's the way the hardware keyboard
13:26 - 13:30

communicates with your computer.
13:30 - 13:32

And then there's the Lenovo crypt service
module,
13:32 - 13:34

which turns out to be
13:34 - 13:37

standard SHA-256 hash function.
13:40 - 13:42

Right, so let's see and have a demo,
13:42 - 13:44

in which we are going to call
13:44 - 13:45

one of the functions in
13:45 - 13:48

this Lenovo password CP module.
13:54 - 13:58

So, efiperun allows you to write code
13:58 - 14:00

to interact with the EFI modules
14:00 - 14:03

that are loaded at runtime.
14:03 - 14:05

Here I've written this Lenovo-specific
14:05 - 14:07

debug module and you can specify
14:07 - 14:10

two functions that will be called.
14:10 - 14:12

The first function in it will be called
14:12 - 14:15

before all the EFI modules are loaded,
14:15 - 14:17

the second function will be called after
14:17 - 14:19

all the EFI functions are loaded.
14:19 - 14:20

So in this case, we'll first call
14:20 - 14:22

the install something function, and then
14:22 - 14:24

call, after loading the EFI modules,
14:24 - 14:27

the call something function.
14:27 - 14:31

The install function installs a stub
14:31 - 14:34

Lenovo crypt service protocol.
14:34 - 14:36

This is necessary because the standard
14:36 - 14:37

Lenovo crypt service calls into system
14:37 - 14:39

management mode to do the hashing,
14:39 - 14:41

which is currently not possible from
14:41 - 14:44

Linux userspace.
14:44 - 14:48

The second function,
call_LenovoPasswordCp_8cc,
14:48 - 14:51

will determine the address of the function
14:51 - 14:52

in the Lenovo password CP module
14:52 - 14:55

at offset 8cc and then call it.
14:55 - 14:57

It will take two parameters, in and out.
14:57 - 15:01

In will use this unicode string, my password,
15:01 - 15:02

and for the output,
15:02 - 15:06

we'll just pass this array buffer.
15:07 - 15:10

Then we'll just print the output
15:10 - 15:13

of the buffer after calling the function.
15:30 - 15:32

So, as you can see here,
15:32 - 15:34

the Lenovo translate service module
15:34 - 15:37

installs this protocol E3AB-etc.
15:37 - 15:39

and then later Lenovo password CP module
15:39 - 15:43

requests the same protocol E3AB-etc.
15:43 - 15:46

Also, you will see that
15:46 - 15:48

the Lenovo password CP module
15:48 - 15:52

requests the protocol C73E4-etc.
15:52 - 15:54

which is the Lenovo crypt service protocol
15:54 - 15:56

that we installed earlier.
15:56 - 15:58

Then it does a bunch of memory operations,
15:58 - 16:00

and at the end, we get the output.
16:00 - 16:02

So I reverse-engineered this function
16:02 - 16:08

at offset 8cc, and it turns out that
16:08 - 16:10

it is, in fact, the following function:
16:10 - 16:13

it takes the input password and
16:13 - 16:15

converts it into scan codes,
16:20 - 16:26

and then it pads it to 64 characters,
16:26 - 16:30

and then it takes a SHA-256 hash
16:30 - 16:34

and then it displays the first half of that.
16:37 - 16:40

Alright, here we go, so...
16:40 - 16:46

applause
16:46 - 16:47

We have reverse-engineered to
16:47 - 16:51

the first half of the password algorithm.
16:51 - 16:53

Took me about three weeks to decode
16:53 - 16:55

the entire algorithm,
16:55 - 16:58

and here it is.
16:58 - 16:59

So this is the hash that we just saw
16:59 - 17:02

of the password, and then this hash is
17:02 - 17:04

concatenated with the serial number and
17:04 - 17:06

model number of the hard drive.
17:06 - 17:09

That all is then hashed again,
17:09 - 17:12

and that is then passed to the SATA drive
17:12 - 17:14

over the ATA protocol.
17:14 - 17:15

Now this is actually quite a good idea
17:15 - 17:18

because it means that if you sniff
17:18 - 17:21

the password on the SATA bus
17:21 - 17:23

you will only be able to then later
17:23 - 17:24

unlock the same drive.
17:24 - 17:25

Because other drives, even though
17:25 - 17:27

they might be using the same password,
17:27 - 17:28

will have a different serial number
17:28 - 17:30

and model number.
17:30 - 17:33

So this hash will not work for them.
17:33 - 17:36

Unfortunately, the algorithm is
17:36 - 17:41

a little more complex than this.
17:41 - 17:43

The password hash, as I said, actually
17:43 - 17:45

uses the scan codes of the password, which
17:45 - 17:47

means that there is no distinguishing in
17:47 - 17:49

case of the letters.
17:49 - 17:52

Also, after hashing it, it truncates it
17:52 - 17:54

to only 12 bytes. Which means that
17:54 - 17:57

there's a maximum of 96 bits of entropy
17:57 - 18:00

in this password hash.
18:00 - 18:02

This is quite unfortunate.
18:02 - 18:05

But most human passwords have less than
18:05 - 18:08

96 bits of entropy to start with,
18:08 - 18:12

so it's probably not that big of a deal.
18:12 - 18:15

Okay, then again this part of the hash is
18:15 - 18:17

concatenated with the serial number
18:17 - 18:18

and the model number,
18:18 - 18:19

except the bytes are swapped.
18:19 - 18:22

And I really can't figure out why
18:22 - 18:23

the bytes are swapped here.
18:23 - 18:25

But it probably has to do something with
18:25 - 18:28

the fact that the ATA protocol uses
18:28 - 18:30

16-bit words while this model number and
18:30 - 18:33

serial number are 8-bit character strings.
18:33 - 18:35

So maybe they did some endianness mess-up
18:35 - 18:37

or something like that.
18:37 - 18:41

Alright, so in this talk, I've shown you
18:41 - 18:44

how you too can reverse-engineer UEFI
18:44 - 18:45

with some tools that you can use
18:45 - 18:47

in this including the efiperun tool
18:47 - 18:49

which allows you to run EFI modules
18:49 - 18:51

in linux userspace.
18:51 - 18:53

The code of this is of course available
18:53 - 18:55

under GPL license on github,
18:55 - 18:56

and if you want to read about
18:56 - 18:58

the second part of reverse-engineering
18:58 - 18:59

the algorithm, you can find more
18:59 - 19:01

information on my blog.
19:01 - 19:03

Thank you very much.
19:03 - 19:12

applause
19:12 - 19:15

H: So, thank you, Jethro, and we have
19:15 - 19:17

more than ten minutes' time for Q&A.
19:17 - 19:19

Is there a question from the Internet,
19:19 - 19:21

signal angel?
19:21 - 19:23

Signal: Not right now.
19:23 - 19:24

H: And do we have questions
19:24 - 19:25

from the audience?
19:25 - 19:31

Please line up at the microphones.
19:31 - 19:35

Then we'll start with microphone 2, please.
19:35 - 19:38

Q: Thanks a lot for making your tools available,
19:38 - 19:39

as someone else who does a lot of
19:39 - 19:42

UEFI reversing, I've been through similar
19:42 - 19:45

rabbit holes of trying to track this down.
19:45 - 19:47

You mentioned that SMM is not supported
19:47 - 19:49

and I assumed also the real mode
19:49 - 19:51

in the transition into long mode
19:51 - 19:52

is not supported.
19:52 - 19:54

Is that on your roadmap or something,
19:54 - 19:56

that you're interested in continuing
19:56 - 19:57

development on?
19:57 - 20:00

A: Yeah, I'm interested in it, but
20:00 - 20:02

I'm not quite sure how to do it,
20:02 - 20:06

especially calling into
system management mode,
20:06 - 20:07

protected mode should probably,
20:07 - 20:09

you know, also be possible,
20:09 - 20:11

but currently I'm also doing 64-bit mode
20:11 - 20:15

but, yeah, if anyone wants to help me
20:15 - 20:24

implement it, obviously I welcome your support.
20:24 - 20:25

H: Okay, and from the Internet, please.
20:25 - 20:27

Q: Yes. The Internet wants to know
20:27 - 20:33

what is the advantage of UEFI
compared to coreboot?
20:33 - 20:33

A: I'm sorry, I didn't...
20:33 - 20:35

Q: The Internet wants to know
20:35 - 20:38

what is the advantage of UEFI compared
20:38 - 20:40

with coreboot, for example?
20:40 - 20:42

A: The advantage of UEFI compared to what?
20:42 - 20:45

Q: To coreboot, coreboot, this open source
20:45 - 20:46

BIOS replacement.
20:46 - 20:48

A: Oh okay. coreboot is UEFI,
20:48 - 20:50

coreboot is Intel's open source
20:50 - 20:51

implementation of UEFI.
20:51 - 20:54

Q: Actually, well, actually it's not.
20:54 - 20:56

A: Oh, it's not, no, that's tianocore,
20:56 - 21:00

you're right.
21:00 - 21:03

The only advantage is,
21:03 - 21:05

I don't know what the advantage is,
21:05 - 21:07

this is just what's supported on my laptop.
21:07 - 21:09

So that's what I was interested in.
21:09 - 21:15

laughter, applause
21:15 - 21:18

H: Okay. Microphone 3, please.
21:18 - 21:20

Q: Hi. Thank you for your talk.
21:20 - 21:21

Have you looked at any other firmware
21:21 - 21:25

besides your Lenovo?
21:25 - 21:28

A: I've not personally, but
21:28 - 21:33

I know other people have.
21:33 - 21:35

H: Okay. 4, please.
21:35 - 21:37

Q: Thank you for the talk. How did you
21:37 - 21:42

come out how to get the password, the hash
21:42 - 21:48

with the combination of the serial number
21:48 - 21:50

and the module number?
21:50 - 21:53

A: So, the full details of this
21:53 - 21:56

are in my blog post, but in short,
21:56 - 21:59

there is a EFI protocol for talking
21:59 - 22:01

to the hard drive, which is
22:01 - 22:02

the ATA support protocol,
22:02 - 22:04

if I remember correctly,
22:04 - 22:06

there's a special module,
22:06 - 22:07

there are only a few modules,
22:07 - 22:09

that invoke this protocol,
22:09 - 22:12

so I just disassembled those, and looked
22:12 - 22:13

at what they did, and what commands
22:13 - 22:15

they sent to the ATA drive.
22:15 - 22:17

Q: Thank you.
22:17 - 22:19

H: And there is another question
from the chat.
22:19 - 22:22

Q: Yes. The chat wants to know if you found
22:22 - 22:25

any other unexpected bugs and
22:25 - 22:29

if it is possible to check UEFI code,
22:29 - 22:31

for example, when running it with valgrind
22:31 - 22:35

or something.
22:35 - 22:37

A: I've not really run into any other
22:37 - 22:39

unexpected bugs, but I must say I also
22:39 - 22:42

really wasn't looking for them.
22:42 - 22:44

H: Okay. 2, please.
22:44 - 22:49

Q: I have little understanding of EFI, but
22:49 - 22:55

I had the idea to look into trying to get
22:55 - 23:01

boot ROMs from PC graphic cards
23:01 - 23:04

to be running on a MacOS computer,
23:04 - 23:10

old Mac Pros when they
still were having cards,
23:10 - 23:12

and I was wondering,
I wanted to figure out...
23:12 - 23:16

these cards run, apparently, the old BIOS,
23:16 - 23:19

real mode, and I wanted to figure out
23:19 - 23:23

if I can write a stub that gets loaded
23:23 - 23:27

by the EFI system and then that...
23:27 - 23:31

my code would then invoke
the initialization boot ROM
23:31 - 23:34

for the graphics card
and provide the functions.
23:34 - 23:38

Would your toolset, would that help me in
23:38 - 23:41

tracing that while my Mac is running,
23:41 - 23:43

because I can't do it while it's booting?
23:43 - 23:48

A: I don't... it sounds like a,
quite a complex setup,
23:48 - 23:50

I think it would be possible to write
23:50 - 23:52

an EFI module to do what you're saying,
23:52 - 23:53

but I'm not sure if you'll be able
23:53 - 23:57

to run that while your operating system
is also running.
23:57 - 24:02

So... I'm not sure, I'll have to talk more
24:02 - 24:06

offline to discuss your specific situation.
24:06 - 24:08

H: Okay, and microphone 3, please.
24:08 - 24:16

Q: Hi. Have you looked into using
SerialICE for emulation of the UEFI
24:16 - 24:23

which is essentially qemu but it has,
does forward all of the hardware accesses
24:23 - 24:26

to real hardware, so you can just trace it
24:26 - 24:30

and run arbitrary BIOS or UEFI code in it?
24:30 - 24:31

A: I've not looked into that, but that
24:31 - 24:34

sounds a very interesting
avenue to explore.
24:34 - 24:36

Q: Thank you.
24:36 - 24:38

H: Okay. I see no more questions.
24:38 - 24:40

Thank you to our speaker.
24:40 - 24:41

applause
24:41 - 24:53

subtitles created by c3subtitles.de
Join, and help us!

Title:: Jethro Beekman: Reversing UEFI by execution
Description:: This talk will be an overview of how to reverse-engineer Unified Extensible Firmware Interface (UEFI) firmware, the replacement for BIOS. Various useful tools will be discussed, including those written by the presenter and those written by others. One of the highlights will be a tool that enables running parts of the firmware in userspace on a standard Operating System.

Jethro Beekman

more » « less
Video Language:: English
Duration:: 24:53

	C3Subtitles edited English subtitles for Jethro Beekman: Reversing UEFI by execution
	Bar Sch edited English subtitles for Jethro Beekman: Reversing UEFI by execution
	Maggie S (Amara staff) edited English subtitles for Jethro Beekman: Reversing UEFI by execution
	C3Subtitles edited English subtitles for Jethro Beekman: Reversing UEFI by execution
	C3Subtitles edited English subtitles for Jethro Beekman: Reversing UEFI by execution
	Retired user edited English subtitles for Jethro Beekman: Reversing UEFI by execution
	Bar Sch edited English subtitles for Jethro Beekman: Reversing UEFI by execution
	Bar Sch edited English subtitles for Jethro Beekman: Reversing UEFI by execution

Show all

English subtitles

Revisions

Revision 19 Edited

C3Subtitles

Jethro Beekman: Reversing UEFI by execution

Revisions

Our website uses cookies

Operating cookies (Required)