Introduction toReversing DXE

drivers

Firmware andFlash

UEFI

DXE

Conclusion

Bruno Pujos

1/30

Introduction to Reversing DXE drivers

Bruno Pujos

February 9, 2016

Introduction toReversing DXE

drivers

Firmware andFlash

UEFI

DXE

Conclusion

Bruno Pujos

2/30

Perspective

SubjectTalk about reverse engineering firmwareUnified Extended Firmware Interface (UEFI)Driver eXecution EnvironmenentEverything here concern Intel x86 architecture

InterestWhat’s going on my computer ?Developing your ownSecurityFor all this reading the documentation is not enough

Wait firmware ?

Introduction toReversing DXE

drivers

Firmware andFlash

UEFI

DXE

Conclusion

Bruno Pujos

3/30

Agenda

1 Firmware and Flash

Introduction toReversing DXE

drivers

Firmware andFlash

UEFI

DXE

Conclusion

Bruno Pujos

4/30

Firmware

Firmware is a softwareIt is stored on non-volatile memory (ROM, flash, . . . )Low-level control program for the devicePretty much a firmware in everythingIt is also the ”first” code running at boot time

Introduction toReversing DXE

drivers

Firmware andFlash

UEFI

DXE

Conclusion

Bruno Pujos

5/30

(Really) Basic computer

Introduction toReversing DXE

drivers

Firmware andFlash

UEFI

DXE

Conclusion

Bruno Pujos

6/30

SPI Flash

Serial Peripheral InterfaceSPI is not a ”real” standard. . .Store our firmware and other stuff

In theory could be a LPC FlashWhat is inside it ?

Introduction toReversing DXE

drivers

Firmware andFlash

UEFI

DXE

Conclusion

Bruno Pujos

7/30

SPI Flash

Introduction toReversing DXE

drivers

Firmware andFlash

UEFI

DXE

Conclusion

Bruno Pujos

8/30

Getting the SPI Flash content

HardwareNot ”simple” (at least for me)Full accessRead and Write

SoftwareSimple but limited accessNever seen a flash limited for reading but possibleAccessible through the PCH using MMIO registers(FADDR, FDATA and HSFC)Several tools allow you to dump the SPI Flash

Introduction toReversing DXE

drivers

Firmware andFlash

UEFI

DXE

Conclusion

Bruno Pujos

9/30

Demo!

Demo!

Chipsec1

Open-source tool developed by IntelWritten in PythonWorks on Windows, Linux and UEFI shellGive a good abstraction on hardwareDriver not signedNot complete and some bugs

Getting the SPI Flash contentpython chipsec_util.py spi dump <FILE.BIN>

1https://github.com/chipsec/chipsec

Introduction toReversing DXE

drivers

Firmware andFlash

UEFI

DXE

Conclusion

Bruno Pujos

10/30

Agenda

2 UEFI

Introduction toReversing DXE

drivers

Firmware andFlash

UEFI

DXE

Conclusion

Bruno Pujos

11/30

UEFI

UEFI 101Unified Extended Firmware InterfaceSpecification for firmware development since 2005Successor of EFI (1998)”BIOS firmware following the UEFI specification”(or just say UEFI)

GoalCompatible with legacyAbstraction from the hardware and theimplementationModular: allowing code reuseCommunity effort. . .

Introduction toReversing DXE

drivers

Firmware andFlash

UEFI

DXE

Conclusion

Bruno Pujos

12/30

We got our BIOS what now ?

What is in our BIOS ? Where is the code ?

Introduction toReversing DXE

drivers

Firmware andFlash

UEFI

DXE

Conclusion

Bruno Pujos

13/30

FileSystem

UEFI PI specification

Introduction toReversing DXE

drivers

Firmware andFlash

UEFI

DXE

Conclusion

Bruno Pujos

14/30

FileSystem content

Different section containing different fileRecursive FileSystemMost of the things are compressed

Introduction toReversing DXE

drivers

Firmware andFlash

UEFI

DXE

Conclusion

Bruno Pujos

15/30

Demo!

Demo!Tools

Lots of tools for parsing the FileSystemSome constructor have addition to the specificationchipsec does it but fail on certain things (inparticular parsing of updates)Just grep -r ’uefi firmware parser tool’ internetUsing UEFIExtract1

1https://github.com/LongSoft/UEFITool

Introduction toReversing DXE

drivers

Firmware andFlash

UEFI

DXE

Conclusion

Bruno Pujos

16/30

FileSystem Content

Several binaryDifferent formatsData. . .Lot of filesDivided in sections

Introduction toReversing DXE

drivers

Firmware andFlash

UEFI

DXE

Conclusion

Bruno Pujos

17/30

Boot step

1 Security (SEC) Phase2 Pre-EFI Initialization (PEI) Phase3 Driver Execution Environment (DXE) Phase4 Boot Device Selection (BDS) Phase5 Runtime (RT) Phase6 Afterlife (AL) Phase

Introduction toReversing DXE

drivers

Firmware andFlash

UEFI

DXE

Conclusion

Bruno Pujos

18/30

Agenda

3 DXE

Introduction toReversing DXE

drivers

Firmware andFlash

UEFI

DXE

Conclusion

Bruno Pujos

19/30

Driver Execution Environment

Biggest part of a firmwareMost of ”user-input” will be handle hereDXE phase is split in driversDXE phase is generally concentrate in one section ofthe FileSystem

Introduction toReversing DXE

drivers

Firmware andFlash

UEFI

DXE

Conclusion

Bruno Pujos

20/30

DXE driver

DXE drivers generalityDrivers are executable PE32+ or TE (TianoExecutable)Native code or EFI Byte Code (never encounter EBC)different kind of ”drivers”:

EFI ApplicationBoot Service DriverRuntime Driver

DXE driver goalInitialize hardwareHardware abstractionManagement interface (GUI and so on)Network (PXE!)Boot paths. . .

Introduction toReversing DXE

drivers

Firmware andFlash

UEFI

DXE

Conclusion

Bruno Pujos

21/30

DXE driver loading order

Loading orderPretty much arbitraryDependencies between driversGlobal order can be defineGenerally use DEPEX

DEPEXStore in a file at the same level than the driver (DXEor PEI)Really simple bytecode with 10 opcodeAllow to precise protocol GUID necessaryCan give you information about the dependenciesDemo

Introduction toReversing DXE

drivers

Firmware andFlash

UEFI

DXE

Conclusion

Bruno Pujos

22/30

Services and Protocols

ServicesDriver need an API for basic thingsDXE Foundation MUST provide a limited set ofservices to the driverAllow timing, allocation, global variable, . . .And in particular declaration and request ofprotocols

ProtocolsDrivers need a way to communicateProtocols allow to propose servicesCan be anything from printing on the screen tosending network packet, or handling the USB.

Introduction toReversing DXE

drivers

Firmware andFlash

UEFI

DXE

Conclusion

Bruno Pujos

23/30

EFI System Table

UEFI specification

Introduction toReversing DXE

drivers

Firmware andFlash

UEFI

DXE

Conclusion

Bruno Pujos

24/30

Reversing first step

EFI System Table and the services tables decodingFind any references to the services and in particulardeclaration and request of protocolsLook for GUIDWith only that you can have a good idea of what thedriver doesIDA python plugin: efi-utils1

Demo!

1https://github.com/snare/ida-efiutils

Introduction toReversing DXE

drivers

Firmware andFlash

UEFI

DXE

Conclusion

Bruno Pujos

25/30

Input and Output

MMIOMemory Map IOTypically a hard-coded address (but not always)Can give good informationUse chipsec for finding the bases

IO portIO PortCan give good informationCan be relativeSome important one:

0x80 IO_POST0xcf8 IO_PCI_CONFIG_ADDRESS0xcfc IO_PCI_CONFIG_DATA

Introduction toReversing DXE

drivers

Firmware andFlash

UEFI

DXE

Conclusion

Bruno Pujos

26/30

Finding the documentation

Material DatasheetProcessorPCH (or your equivalent)Graphics Card, network card, . . .

CodeEDK, EDK2, UDK2014. . .CorebootDriver implementation, . . .

SpecificationUEFI specificationUEFI PI specificationACPI, PCI, TPM, . . .

Introduction toReversing DXE

drivers

Firmware andFlash

UEFI

DXE

Conclusion

Bruno Pujos

27/30

Agenda

4 Conclusion

Introduction toReversing DXE

drivers

Firmware andFlash

UEFI

DXE

Conclusion

Bruno Pujos

28/30

RE DXE driver 101

Nothing really hardTime consumingA lot of things are not documented (at least publicly)You don’t need to read the specification for beginningIf you are interested just go for it

Introduction toReversing DXE

drivers

Firmware andFlash

UEFI

DXE

Conclusion

Bruno Pujos

29/30

Going further

SMMSecureBootMeasureBoot & TPMVulnerability research. . .

Introduction toReversing DXE

drivers

Firmware andFlash

UEFI

DXE

Conclusion

Bruno Pujos

30/30

Questions ?

Questions ?