The BIOS Blog, by Darmawan Salihun (http://www.blogger.com/profile/16192437872942077146). Feed last updated 2024-03-16.
Welcome to the dark corner of BIOS reverse engineering, code injection and various modification techniques only deemed by those immensely curious about BIOS.

(Rather Late) Surprise: Intel has "PCI Expansion ROM OS" Implementation for Computer Cluster (2017-08-15)
For some reason I stumbled upon one of Intel's patent applications: Cluster computing - NIC based OS provision, WO 2012040606 A2. The patent application cites my "Building a 'Kernel' in PCI Expansion ROM" article as a non-patent citation.
I had that thought back then, that some companies must've built (or will build) something usable out of the principle explained there. I'm actually

Migrating AMIBIOS 1B Module Utilities Source Code to GitHub (2017-07-11)
A long time ago (read: 10+ years) I created some small, mostly BIOS-related, utilities and dumped the source code on the web. I even forgot that they're there on my website (https://sites.google.com/site/pinczakko/source-code). Fortunately, over time, some people came across that source code and found it useful. Some of them asked questions or gave suggestions. Therefore, I

Experimental PCI Expansion ROM "OS" Code Migrated to GitHub (2017-01-30)
The code for the experimental PCI Expansion ROM "OS" explained in the Building a "Kernel" in PCI Expansion ROM article is now on GitHub: https://github.com/pinczakko/PCI-Expansion-ROM-OS. I made some changes to make it compilable with current versions of Nasm and GCC. I've only tested the compilation on Arch Linux (x86-64). I'm not sure it will work on other Linux distros. Give it a try ;-).

IBM OpenPower Firmware Source Code Brief Analysis (2017-01-30)
First post this year ;-)
I'm taking a detour to another hardware architecture here, despite this blog being focused on x86/x86-64. As for why, it's because I was working with an IBM Power 5 machine for more than a year and I found it interesting. I'm not going to talk about Power 5 here though, because it's a closed system in terms of firmware. I'm here to talk about Power 8 and its successor.
The

BIOS Disassembly Ninjutsu Uncovered on Play Store (2016-12-12)
Somebody has just put a BIOS Disassembly Ninjutsu Uncovered "scanlation" on the Play Store. Well, it's not really manga "scanlation" quality. But I'm rather surprised someone put in the effort to do that: https://play.google.com/store/apps/details?id=com.appjik.book.bios. You might want to give it a try.
In my opinion, the PDF version on GitHub is much more readable. Perhaps I

Down to Silicon Level Debugging (2016-09-22)
First off, I'm not a "forward" BIOS/UEFI engineer. At least not one who worked officially in a BIOS/UEFI software development company or motherboard company. I did get official access to the AMIBIOS Core8 source code and tools back then, under NDA, for one of my clients, to customize it for a custom x86 motherboard. But that's as far as I got into the game. This is relevant to this post as I don't

Base-board Management Controller (BMC) Firmware Security (2016-08-31)
The security of the BMC firmware is very important, as compromising it means unfettered remote access to the target machine. There has been research into this area in the not too distant past:
Exploiting Hardware Management Subsystem, by Simon Clow.
Reversing Firmware using Radare2, by Anton Kochkov.
IPMI: Understanding Your Server's Remote Backdoor, by Anthony J. Bonkoski.
All of them are

Firmware/BIOS-related Patent Filings (2016-08-18)
I don't know if security researchers are used to looking at patent filings, because I'm not officially one of them. However, I found that reading and trying to understand firmware/BIOS-related patent filings is enlightening. It is also interesting because the filings are related to each other via cross-referencing, which makes the activity all the more interesting, given enough time to dig into it.

UEFI Boot from Web (2016-07-23)
I think I've been living under a rock these last few months and not exactly following UEFI development. Nonetheless, I managed to spot this over at https://firmware.intel.com/develop/server-development-kit. What's interesting is that the SDK supports "Firmware Boot from Web", so to speak. This is the relevant excerpt:
The Intel® Server Board S1200RP UEFI Development Kit supports

BIOS Disassembly Ninjutsu PDF Moved to GitHub (2016-05-26)
The primary download site for the BIOS Disassembly Ninjutsu PDF (free) has now moved to https://github.com/pinczakko/BIOS-Disassembly-Ninjutsu-Uncovered (direct download at https://github.com/pinczakko/BIOS-Disassembly-Ninjutsu-Uncovered/archive/master.zip). The previous download at 4shared is a malware-infested place, thus the change.
The addendum to the book is also included in

Moving Winflashrom code to Github (2016-04-18)
I ported the Coreboot (formerly LinuxBIOS) flashrom utility to Windows a long time ago as my Google Summer of Code activity and named it winflashrom. Because code.google.com will be shut down this year, I moved the code to GitHub: https://github.com/pinczakko/winflashrom.
This is old news because the code hasn't been updated for years. However, it might still be relevant for those who want

Looking into The State of Firmware Security in Russia (2016-01-01, updated 2016-01-28)
I think every major industrialized country has its own policies for preventing malicious IT equipment and products from entering its premises, let alone being used within the country. In this post, we will look into one Russian computer hardware maker, Kraftway (http://www.kraftway.ru/en/). This company might be a bit obscure to you. But I think it serves quite a big chunk of the Russian and

The State of My Firmware Research (2015-07-12)
Well, I decided to post this because I've been over-promising and under-delivering for several years now.
Straight to the matter: I've been leaving my firmware research work in a state of hibernation for almost a year now due to a (some?) product development work I'm still working on as of now (which I cannot elaborate further). It's not that I feel firmware is not interesting anymore. On

Remote Access in Legacy BIOS (2015-03-02)
In this post I'm going to talk about remote access in legacy BIOS via serial console. I am aware that some (or most) of you know that BIOS has provided a management console via serial port for a long time. I had the opportunity to modify a customer's custom Geode board BIOS to add support for a serial console a few years ago. It's a quite nifty but rather buggy implementation though (I mean the serial

How Boot Firmware Development and Driver Development Differs--PCI Bus Implementation Case Study (2014-07-12)
This post is not BIOS/UEFI specific per se. However, it has a very close relation to it because it delves deep into Windows device driver architecture.
Most BIOS/UEFI modules are aware of the CPU architecture, motherboard chipset and all the supporting logic on which they run. However, the same assumption cannot be made for an OS, such as Windows. Therefore, BIOS/UEFI modules mostly can take for

(Cross) Compiling My Sample PCI Expansion ROM Code (2014-05-11)
My sample PCI Expansion ROM code over at Low Cost Embedded x86 Teaching Tool is no longer compilable on recent x64 Linux distributions. This is due to the fact that the default GCC toolchain in those Linux distros doesn't support output in the form of the particular ELF32 i386 required by the source code. Another possible problem is that the GCC toolchain doesn't support 16-bit code output

Gentle Introduction to Coreboot (2014-05-11)
I've just stumbled upon this series of articles by Lennart Benschop about Coreboot. It's a very smooth introduction to Coreboot that explains Coreboot components from a high-level view and proceeds toward more specific parts of it. You can read it over here. Note that the Coreboot-specific stuff starts at "Column" no. 4. Have a nice read :-)

NSA BIOS Backdoor Article Part 2: BULLDOZER is up (2014-02-17, updated 2014-02-24)
You can read the complete article at: NSA Backdoor Part 2, BULLDOZER: And, Learn How to DIY a NSA Hardware Implant
This is the excerpt:
This article is the second part of a series on NSA BIOS Backdoor internals. This part focuses on BULLDOZER, a hardware implant acting as malware dropper and wireless communication "hub" for NSA covert operations.

NSA BIOS Backdoor Article Part 1 (2014-01-30)
OK. This is part one of my controversial article series of the year :P
NSA BIOS Backdoor a.k.a. God Mode Malware Part 1: DEITYBOUNCE
This first part focuses on the DEITYBOUNCE malware described in the NSA ANT Server document.
I won't spoil the details here. Head to the link above for the details :-).

System Address Map Initialization Part 2 Article (2014-01-09)
Finally, the System Address Map Initialization Part 2 article is up. Check out: http://resources.infosecinstitute.com/system-address-map-initialization-x86x64-architecture-part-2-pci-express-based-systems/. It's a lengthy article. There could be minor errors because I didn't have enough time to review some parts of the detail close to the end of it.

PDF of My Past Articles on Infosecinstitute (2014-01-06)
You can download the PDF version of my past articles on Infosecinstitute via these links:
https://sites.google.com/site/pinczakko/bios-articles
and
https://sites.google.com/site/pinczakko/miscellaneus
Future articles will be available as PDF as the embargo lifts.

Intel 8-series Chipset SPI - The new standard for x64 platform firmware storage? (2013-10-27)
I've just skimmed over the SPI section in the Intel 8-series chipset datasheet. One interesting thing to note is that the flash memory organization has been regulated closely. If you recall from the legacy BIOS days, the flash memory used to store the BIOS code was just a plain block of writable bytes. This has changed in the SPI flash memory "regulation", because now we have SPI flash memory that

System Address Map Initialization in x86/x64 Architecture Part 1 - Article (2013-09-16)
A new article explaining the details of PCI-based system address map initialization is up: http://resources.infosecinstitute.com/system-address-map-initialization-in-x86x64-architecture-part-1-pci-based-systems/. This is part one of two articles. I started with PCI because basic knowledge of the bus protocol is essential before moving to part two, which covers present-day PCIe systems.

AMBA-PCIe Interoperability (2013-08-27)
The native bus in ARM systems, Advanced Microcontroller Bus Architecture (AMBA)
[see: http://en.wikipedia.org/wiki/Advanced_Microcontroller_Bus_Architecture] has been interoperable with
PCI Express (PCIe) for several years now. These are related documents that help in understanding
how it works:
1. Designing an AMBA-based SoC with a PCI Express Interface,
link: http://

UEFI replacement for BIOS Int 15h AX=E820h Interface (2013-08-08)
Those who play with low-level code are familiar with the BIOS Int 15h AX=E820h interface to query the memory map of the system (x86/x64). In fact, it's probably the safest way to do that.
In EFI/UEFI, the interface is replaced by a new function call interface. The function is named GetMemoryMap() and it's part of the EFI/UEFI boot services. The definition of this function is as follows:
typedef
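As an added example, not code from the original post: the UEFI side of the comparison, reduced to what a loader actually does with the buffer GetMemoryMap() fills in. The descriptor layout and the EFI_MEMORY_TYPE numbers follow the UEFI specification, the range types follow what Int 15h AX=E820h reports, and the mapping between the two is the usual loader convention rather than anything the post prescribes; the sample map is constructed and the helper names are mine. The point practitioners most often get wrong is also the one the example checks: the map is an array whose stride is the DescriptorSize value returned by the call, not sizeof(EFI_MEMORY_DESCRIPTOR).

```c
/* Added example, not code from the original post: reduce a UEFI memory map,
 * as returned by GetMemoryMap(), to E820-style ranges. The descriptor layout
 * and memory-type numbers mirror the UEFI specification; the sample map is
 * constructed here for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field layout of EFI_MEMORY_DESCRIPTOR (UEFI spec, 40 bytes). */
typedef struct {
    uint32_t Type;
    uint32_t Pad;             /* alignment padding before the 64-bit fields */
    uint64_t PhysicalStart;
    uint64_t VirtualStart;
    uint64_t NumberOfPages;   /* in 4 KiB pages */
    uint64_t Attribute;
} efi_memory_descriptor;

/* EFI_MEMORY_TYPE values used below (UEFI spec numbering). */
enum {
    EfiReservedMemoryType = 0, EfiLoaderCode = 1, EfiLoaderData = 2,
    EfiBootServicesCode = 3, EfiBootServicesData = 4, EfiRuntimeServicesCode = 5,
    EfiRuntimeServicesData = 6, EfiConventionalMemory = 7, EfiUnusableMemory = 8,
    EfiACPIReclaimMemory = 9, EfiACPIMemoryNVS = 10
};

/* Range types as Int 15h AX=E820h reports them. */
enum { E820_RAM = 1, E820_RESERVED = 2, E820_ACPI = 3, E820_NVS = 4, E820_UNUSABLE = 5 };

typedef struct { uint64_t base, length; uint32_t type; } e820_entry;

#define EFI_PAGE_SHIFT 12
#define MAP_BAD ((size_t)-1)

/* Loader convention: memory the firmware gives up at ExitBootServices() becomes
 * RAM; runtime-services, MMIO and reserved ranges stay reserved. */
static uint32_t efi_type_to_e820(uint32_t t) {
    switch (t) {
    case EfiLoaderCode: case EfiLoaderData:
    case EfiBootServicesCode: case EfiBootServicesData:
    case EfiConventionalMemory:      return E820_RAM;
    case EfiACPIReclaimMemory:       return E820_ACPI;
    case EfiACPIMemoryNVS:           return E820_NVS;
    case EfiUnusableMemory:          return E820_UNUSABLE;
    default:                         return E820_RESERVED;
    }
}

/* Walk the raw buffer GetMemoryMap() filled in. `desc_size` is the DescriptorSize
 * it returned: firmware may append fields, so stride by that value and never by
 * sizeof(efi_memory_descriptor). Adjacent ranges of equal E820 type are merged.
 * Returns the number of entries written, or MAP_BAD for a malformed map. */
static size_t uefi_map_to_e820(const uint8_t *map, size_t map_size, size_t desc_size,
                               e820_entry *out, size_t out_max) {
    size_t n = 0;
    if (desc_size < sizeof(efi_memory_descriptor) || map_size % desc_size != 0)
        return MAP_BAD;
    for (size_t off = 0; off < map_size; off += desc_size) {
        efi_memory_descriptor d;
        memcpy(&d, map + off, sizeof d);        /* the buffer need not be aligned */
        if (d.NumberOfPages >> (64 - EFI_PAGE_SHIFT))
            return MAP_BAD;                     /* page count would overflow bytes */
        uint64_t base = d.PhysicalStart, len = d.NumberOfPages << EFI_PAGE_SHIFT;
        if (base + len < base)
            return MAP_BAD;                     /* range wraps the address space */
        uint32_t type = efi_type_to_e820(d.Type);
        if (n > 0 && out[n - 1].type == type && out[n - 1].base + out[n - 1].length == base) {
            out[n - 1].length += len;           /* coalesce with the previous entry */
        } else {
            if (n == out_max) return MAP_BAD;
            out[n].base = base; out[n].length = len; out[n].type = type; n++;
        }
    }
    return n;
}

/* Constructed sample: six descriptors with a 48-byte stride (larger than the
 * 40-byte struct) to exercise the DescriptorSize handling. */
#define SAMPLE_DESC_SIZE 48
#define SAMPLE_DESC_COUNT 6
static uint8_t sample_map[SAMPLE_DESC_SIZE * SAMPLE_DESC_COUNT];
static e820_entry sample_out[8];

static void put_desc(size_t i, uint32_t type, uint64_t start, uint64_t pages) {
    efi_memory_descriptor d = { type, 0, start, 0, pages, 0 };
    memset(sample_map + i * SAMPLE_DESC_SIZE, 0, SAMPLE_DESC_SIZE);
    memcpy(sample_map + i * SAMPLE_DESC_SIZE, &d, sizeof d);
}

static void build_sample_map(void) {
    put_desc(0, EfiBootServicesCode,    0x000000, 0xA0);  /* 640 KiB low memory */
    put_desc(1, EfiReservedMemoryType,  0x0A0000, 0x60);  /* legacy VGA/ROM hole */
    put_desc(2, EfiConventionalMemory,  0x100000, 0x100);
    put_desc(3, EfiLoaderData,          0x200000, 0x100); /* merges with the previous one */
    put_desc(4, EfiACPIReclaimMemory,   0x300000, 0x10);
    put_desc(5, EfiRuntimeServicesCode, 0x310000, 0x10);  /* stays reserved */
}

/* Converts the sample map; returns the entry count, entries land in sample_out. */
static size_t run_sample(void) {
    build_sample_map();
    return uefi_map_to_e820(sample_map, sizeof sample_map, SAMPLE_DESC_SIZE,
                            sample_out, sizeof sample_out / sizeof sample_out[0]);
}

/* A map whose size is not a multiple of DescriptorSize is rejected, not parsed. */
static int sample_rejects_truncated_map(void) {
    build_sample_map();
    return uefi_map_to_e820(sample_map, sizeof sample_map - 8, SAMPLE_DESC_SIZE,
                            sample_out, 8) == MAP_BAD;
}

int main(void) {
    size_t n = run_sample();
    for (size_t i = 0; i < n; i++)
        printf("%016llx-%016llx type %u\n",
               (unsigned long long)sample_out[i].base,
               (unsigned long long)(sample_out[i].base + sample_out[i].length - 1),
               (unsigned)sample_out[i].type);
    return 0;
}
```

Two caveats when doing this against real firmware: the first GetMemoryMap() call normally returns EFI_BUFFER_TOO_SMALL with MemoryMapSize set to the needed size, and the allocation you then make for the buffer changes the map itself, so allocate with some slack; and the MapKey handed to ExitBootServices() must come from the very last GetMemoryMap() call, otherwise the exit fails and the map you hold is stale.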
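As an added example, not from the original post, for the Intel 8-series Chipset SPI post above: a parser for the region table of a descriptor-mode flash image, which is what the "closely regulated" organization amounts to in practice. The signature at offset 0x10, the FLMAP0 fields and the FLREGn base/limit encoding follow Intel's flash descriptor format (the format the 8-series datasheet documents); the 4 KiB image is constructed and the helper names are mine. The example trusts the NR field for the region count, which is fine for an illustration; hardened tooling bounds the count by chipset generation instead, since NR is not reliable across all parts.

```c
/* Added example, not code from the original post: parse the region table of
 * an Intel descriptor-mode SPI flash image. Offsets and bit fields follow the
 * Intel flash descriptor format; the sample image is constructed here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FLVALSIG_OFFSET 0x10          /* descriptor signature lives at 0x10 */
#define FLVALSIG        0x0FF0A55AU   /* value that marks a valid descriptor */
#define FLMAP0_OFFSET   0x14
#define MAX_REGIONS     16

typedef struct { uint32_t base, limit; int present; } flash_region;

static const char *region_names[] = { "Descriptor", "BIOS", "ME", "GbE", "Platform Data" };

static uint32_t rd32(const uint8_t *p) {          /* little-endian load */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode the region table. FLMAP0 holds the Flash Region Base Address (FRBA,
 * bits 23:16, in 16-byte units) and the Number of Regions minus one (NR,
 * bits 26:24). Each FLREGn packs a 4 KiB-granular base (bits 14:0) and limit
 * (bits 30:16); a region is unused when its base lies above its limit.
 * Returns the region count, or -1 if the signature or a bounds check fails. */
static int parse_regions(const uint8_t *img, size_t len, flash_region *out, size_t out_max) {
    if (len < FLMAP0_OFFSET + 4 || rd32(img + FLVALSIG_OFFSET) != FLVALSIG)
        return -1;                                 /* not descriptor mode: treat as opaque */
    uint32_t flmap0 = rd32(img + FLMAP0_OFFSET);
    size_t frba = (size_t)((flmap0 >> 16) & 0xFF) << 4;
    size_t nr   = ((flmap0 >> 24) & 0x7) + 1;
    if (nr > out_max || frba + nr * 4 > len)
        return -1;                                 /* table would run past the image */
    for (size_t i = 0; i < nr; i++) {
        uint32_t flreg = rd32(img + frba + i * 4);
        out[i].base    = (flreg & 0x7FFF) << 12;
        out[i].limit   = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF;
        out[i].present = out[i].base <= out[i].limit;
    }
    return (int)nr;
}

/* Constructed 4 KiB descriptor for an 8 MiB part: FRBA = 0x40, five regions. */
#define SAMPLE_LEN 4096
static uint8_t sample_img[SAMPLE_LEN];
static flash_region sample_regions[MAX_REGIONS];

static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static void build_sample_image(void) {
    memset(sample_img, 0xFF, SAMPLE_LEN);          /* erased flash reads as 0xFF */
    wr32(sample_img + FLVALSIG_OFFSET, FLVALSIG);
    wr32(sample_img + FLMAP0_OFFSET, (4u << 24) | (0x04u << 16) | 0x03u); /* NR=4, FRBA=0x40, FCBA=0x30 */
    wr32(sample_img + 0x40 + 0 * 4, 0x00000000);   /* Descriptor:    0x000000-0x000FFF */
    wr32(sample_img + 0x40 + 1 * 4, 0x07FF0500);   /* BIOS:          0x500000-0x7FFFFF */
    wr32(sample_img + 0x40 + 2 * 4, 0x04FF0003);   /* ME:            0x003000-0x4FFFFF */
    wr32(sample_img + 0x40 + 3 * 4, 0x00020001);   /* GbE:           0x001000-0x002FFF */
    wr32(sample_img + 0x40 + 4 * 4, 0x00007FFF);   /* Platform Data: base > limit, unused */
}

/* Parses the sample image; returns the region count, regions land in sample_regions. */
static int run_sample(void) {
    build_sample_image();
    return parse_regions(sample_img, SAMPLE_LEN, sample_regions, MAX_REGIONS);
}

/* The same bytes with the signature clobbered are refused rather than decoded. */
static int sample_rejects_bad_signature(void) {
    build_sample_image();
    sample_img[FLVALSIG_OFFSET] ^= 0x01;
    return parse_regions(sample_img, SAMPLE_LEN, sample_regions, MAX_REGIONS) == -1;
}

int main(void) {
    int n = run_sample();
    for (int i = 0; i < n; i++)
        printf("%-13s %s%08x-%08x\n", i < 5 ? region_names[i] : "Region",
               sample_regions[i].present ? "" : "(unused) ",
               (unsigned)sample_regions[i].base, (unsigned)sample_regions[i].limit);
    return 0;
}
```

The region table only tells you where things are; it is not what protects them. Whether the BIOS region can be written from the host is decided by the descriptor's master access bits (FLMSTR) and by the chipset's BIOS control and Protected Range registers at runtime, none of which this example parses, so a layout that looks sane says nothing about whether the platform actually locks its firmware.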