IRC Client On Bare Metal

In the beginning, there was the BIOS, and it was good. A PC’s BIOS knows how to set up the different hardware devices, grab a fixed part of a hard drive, load it, and run it. That’s all you need. While it might be all you need, it isn’t everything people want, so a consortium developed UEFI, which can do all the things a normal BIOS can’t. Among other things, UEFI can load code for the operating system over the network instead of from the hard drive.

In true hacker fashion, [Phillip Tennen] thought, “Does it have to be an operating system?” The answer, of course, is no. It could be an IRC client.┬áHe chose Rust to implement everything. While UEFI does provide a network stack, it isn’t very easy to use, apparently. It also provides support for a mouse. [Phillip] ported his GUI toolkit library over, and then the rest is just building an IRC client.

The client isn’t the easiest to use because, after all, this is a lark. Why would you want to do this? On the other hand, we can think of reasons we might want to take control of a UEFI motherboard and use it for something. If you want to do that, this project is a great template to jump-start your endeavors.

We’ve looked at the UEFI system a few times. Or, you can use it to play DOOM.

Continue reading “IRC Client On Bare Metal”

Two pictures of the mobo side by side, both with kapton tape covering everything other than the flash chip. On the left, the flash chip is populated, whereas on the right it's not

Enabling Intel AMT For BIOS-over-WiFi

Intel ME, AMT, SMT, V-Pro… All of these acronyms are kind of intimidating, all we know about them is that they are tied to remote control technologies rooted deep in Intel CPUs, way deeper than even operating systems go. Sometimes though, you want remote control for your own purposes, and that’s what [ABy] achieved. He’s got a HP ProDesk 600 G3 Mini, decided to put it into a hard to reach spot in his flat, somewhere you couldn’t easily fetch a monitor and a keyboard for any debugging needs. So, he started looking into some sort of remote access option in case he’d need to access the BIOS remotely, and went as far as it took to make it work. (Google Translate)

The features he needed are covered by Intel AMT — specifically, BIOS access over a WiFi connection. However, his mini PC only had SMT enabled from the factory, the cut-down version of AMT without features like wireless support. He figured out that BIOS dumping was the way, promptly did just that, found a suitable set of tools for his ME region version, and enabled AMT using Intel’s FIT (Flash Image Tool) software.

Now, dumping the image could be done from a running system fully through software, but apparently, flashing back requires an external programmer. He went with the classic CH341, did the 3.3 V voltmod that’s required to make it safe for flash chip use, and proceeded to spend a good amount of time making it work. Something about the process was screwy, likely the proprietary CH341 software. Comments under the article highlight that you should use flashrom for these tasks, and indeed, you should.

This article goes into a ton of detail when it comes to working with Intel BIOS images — whichever kind of setting you want to change, be it AMT support or some entirely different but just as tasty setting, you will be well served by this write-up. Comments do point out that you might want to upgrade the Intel ME version while at it, and for what it’s worth, you can look into disabling it too; we’ve shown you a multitude of reasons why you should, and a good few ways you could.

This Week In Security: LogoFail, National DNS Poison, And DNA

When there’s a vulnerability in a system library, we install updates, and go on with our lives. When there’s a vulnerability in a Java library, jars get rebuilt, and fixed builds slowly roll out. But what happens when there’s a vulnerability in a library used in firmware builds? And to make it even more fun, it’s not just a single vulnerability. All three major firmware vendors have problems when processing malicious images. And LogoFail isn’t limited to x86, either. UEFI Arm devices are vulnerable, too.
Continue reading “This Week In Security: LogoFail, National DNS Poison, And DNA”

Linux Fu: UEFI Booting

Unless your computer is pretty old, it probably uses UEFI (Unified Extensible Firmware Interface) to boot. The idea is that a bootloader picks up files from an EFI partition and uses them to start your operating system. If you use Windows, you get Windows. If you use Linux, there’s a good chance you’ll use Grub which may or may not show you a menu. The problem with Grub is you have to do a lot of configuration to get it to do different things. Granted, distros like Ubuntu have tools that go through and do much of the work for you and if you are satisfied with that, there’s no harm in using Grub to boot and manage multiple operating systems.

An alternative would be rEFInd, which is a nice modern UEFI boot manager. If you are still booting through normal (legacy) BIOS, the installation might be a hassle. But, in general, rEFInd, once installed, just automatically picks up most things, including Windows, Mac, and Linux operating systems and kernels. The biggest reasons you might change the configuration is if you want to hide some things you don’t care about or change the visual theme.

Continue reading “Linux Fu: UEFI Booting”

Screenshot of the EFI shell, showing doom.wad and doom.efi in 'ls' command output, and then doom.efi being loaded

DOOM? In Your BIOS? More Likely Than You Think!

We’ve seen hackers run DOOM on a variety of appliances, from desk phones to pregnancy tests. Now, the final frontier has been conquered – we got DOOM to run on an x86 machine. Of course, making sure we utilize your PC hardware to its fullest, we have to forego an OS. Here are two ways you can run the classic shooter without the burden of gigabytes of bloated code in the background.

[nic3-14159] implemented this first version as a payload for coreboot, which is an open-source BIOS/UEFI replacement for x86 machines. Some might say it’s imperfect — it has no sound support, only works with PS/2 keyboards, and exiting the game makes your computer freeze. However, it’s playable, and it fits into your BIOS flash chip.

But what if your computer hasn’t yet been blessed with a free BIOS replacement? You might like this UEFI module DOOM port instead, originally made by [Warfish] and then built upon by [Cacodemon345]. To play this, you only need to compile the binary and an UEFI shell, then use the “Load EFI Shell” option in your UEFI menu – something that’s widely encountered nowadays. This version also lacks sound, but is a bit more fully featured due to all the facilities that UEFI provides for its payloads.

Of course there’s far more efficient ways to slay demons on your computer, but even if they aren’t necessarily practical from a gaming standpoint, these two projects serve as decent examples of Coreboot and UEFI payloads. BIOS replacements like coreboot take up so little space, we’ve even seen Windows 3.1 fit alongside coreboot in the BIOS chip. Wondering what UEFI is, even? Here’s a primer for you. And, if you don’t mind the exceptional bloat of a stripped-down Linux install, here’s a Linux image built from the ground up to run DOOM specifically.

Continue reading DOOM? In Your BIOS? More Likely Than You Think!”

An artistic representation of a red Moon, hovering over the Earth

Is That The Moon Worming Its Way Into Your BIOS?

When facing a malware situation, the usual “guaranteed solution” is to reinstall your OS. The new developments in malware world will also require you to have a CH341 programmer handy. In an arguably inevitable development, [Kaspersky Labs] researchers have found an active piece of malware, out in the wild, that would persist itself by writing its bootstrap code into the BIOS chip. It doesn’t matter if you shred the HDD and replace it with a new one. In fact, so-called MoonBounce never really touches the disk at all, being careful to only store itself in RAM, oh, and the SPI flash that stores the BIOS code, of course.

MoonBounce is Microsoft-tailored, and able to hook into a chain of components starting from the UEFI’s DXE environment, through the Windows Loader, and finishing as a part of svchost.exe, a process we all know and love.

This approach doesn’t seem to be widespread – yet, but it’s not inconceivable that we’ll eventually encounter a ransomware strain using this to, ahem, earn a bit of extra cash on the side. What will happen then – BIOS reflashing service trucks by our curbsides? After all, your motherboard built-in BIOS flasher UI is built into the same BIOS image that gets compromised, and at best, could be disabled effortlessly – at worst, subverted and used for further sneaky persistence, fooling repairpeople into comfort, only to be presented with one more Monero address a week later.

Will our hardware hacker skills suddenly go up in demand, with all the test clip fiddling and SOIC-8 desoldering being second nature to a good portion of us? Should we stock up on CH341 dongles? So many questions!

This week’s installment of “threat vectors that might soon become prevalent” is fun to speculate about! Want to read about other vectors we might not be paying enough attention to? Can’t go wrong with supply-chain attacks on our repositories! As for other auxiliary storage-based persistence methods – check out this HDD firmware-embedded proof-of-concept rootkit. Of course, we might not always need the newfangled ways to do things, the old ways still work pretty often – you might only need to disguise your malicious hardware as a cool laptop accessory to trick an average journalist, even in a hostile environment.

Continue reading “Is That The Moon Worming Its Way Into Your BIOS?”

What’s The Deal With UEFI?

It seems like there are two camps, the small group of people who care about UEFI and everyone else who doesn’t really notice or care as long as their computer works. So let’s talk about what UEFI is, how it came to be, what it’s suitable for, and why you should (or shouldn’t) care.

Continue reading “What’s The Deal With UEFI?”