Welcome to the dark corner of BIOS reverse engineering, code injection and various modification techniques only deemed by those immensely curious about BIOS

Wednesday, February 29, 2012

BIOS Disassembly Ninjutsu Uncovered (1st Edition) [Unedited] PDF released

Hi guys,

I have released the BIOS Disassembly Ninjutsu Uncovered (1st Edition) [Unedited] PDF in GitHub. You can clone it from this URL: https://github.com/pinczakko/BIOS-Disassembly-Ninjutsu-Uncovered.git or download the zip https://github.com/pinczakko/BIOS-Disassembly-Ninjutsu-Uncovered/archive/master.zip for free. Well, the (copy) rights have expired and I guess lot's of people look forward to it. I don't have enough bandwidth to host it. If somebody wants to host it, please do so but please notify me via email.

Anyway, mind you that this is the unedited version, not the shipping version. You might find it a little rough here and there, but the manuscript is complete. If you remember, the English version of the book is 450 pages, but the Russian version is more than 600 pages. I haven't had time to check what was missing in the English edition compared to the Russian edition.

There are two alternative places to download the book at present (but be advised to try downloading from GitHub first in order not to burden the other two sites):
Happy reading :-)

PS: I have created a new group over at linkedin, i.e. "BIOS/UEFI Vulnerability and Reverse Engineering" if you want to discuss a thing or two.

BIOS Disassembly Ninjutsu Uncovered Errata:

1. The address aliasing mentioned in Chapter 4 section 4.1.1 page 4 (the paging messed-up in the PDF) should cover both E-segment and F-Segment (E_0000h-F_FFFFh), not just the last 64-KB segment. Somebody used a sort of CPU logic analyzer to confirm this fact.
2. Chapter 9 section 9.2: The Flash_n_burn utility mentioned there is now named flashrom and become a quite independent part of the Coreboot (previously LinuxBIOS) project. See: http://flashrom.org/Flashrom

Anyway, if you found another errata please post it below. Thanks.

Wednesday, February 22, 2012

Passing Parameter(s) to BIOS/UEFI SMI Handlers

There are two ways to pass parameter(s) to SMI handler(s) in BIOS/UEFI:

  1. Via the Global Non-Volatile Storage (GNVS). This is a region in the non-volatile storage area. I'm not 100% sure about the physical implementation of the GNVS, but it's part of RAM reserved for Non-Volatile Storage by ACPI BIOS subsystem on the motherboard. [Thanks to Kun-Yi Chen for pointing out].
  2. Via General Puupose Registers (GPRs). In this technique physical address pointer is passed via GPR to the SMI handler code. I've been thinking about giving some IDA Pro disassembly for this one. Maybe later. 
There you have it. Next time you encounter a suspicous code with one of the attributes above, it might just be one of them :-).

Monday, February 6, 2012

PCI Expansion ROM Execution Environment Peculiarity

This post is related to the x86 Segment Descriptor Cache stuff I posted a while ago. In my previous book, this fact is not included. So, what's the weird thing about the PCI Expansion ROM execution environment? Well, it runs in "big-real mode"/unreal mode. It may not sound obvious but this is the excerpt from a related specification:
"When control is passed to an option ROM from a BIOS that supports PMM, the processor will be in big real mode, and Gate A20 will be disabled (segment wrap turned off). This allows access to extended memory blocks using real mode addressing."
 To put things in perspective, I plan to just combine it with the upcoming POST Memory Manager article on my website. I haven't had enough time to finish that one.