Hi, everyone! This blog post is another usual article about firmware security of x86 compatible machines. Two previous articles were about my Lenovo ThinkPad T450s laptop. In "Exploiting SMM callout vulnerabilities in Lenovo firmware" I've shown some basic things related to exploitation and reverse engineering of its firmware, using the example of re-discovering an already fixed 1day vulnerability. In another, "Exploring and exploiting Lenovo firmware secrets", I've shown how to achieve a flash write protection bypass using any vulnerability that allows arbitrary System Management Mode code execution. Also, I released an exploit for a 0day vulnerability in the SystemSmmRuntimeRt UEFI SMM driver, called ThinkPwn.

Today I'm sharing with you the story of my next x86 machine hacking - we're going to talk about UEFI vulnerabilities, exploit mitigation features of System Management Mode and a new exploit called Aptiocalypsis. Also, this time I did responsible disclosure to Intel and AMI, so, at the moment of this publication you can already patch some of the vulnerable products.

Lots of interesting things happened since the release of the ThinkPwn exploit. At first I supposed that the vulnerable code was written by Lenovo or its Independent BIOS Vendor (IBV), but later it turned out that they had taken this totally mad driver from Intel reference code. This exact code is not available in public, but open source firmware of some Intel boards has it too. For example, the SmmRuntimeManagementCallback() function from the Intel Quark BSP is exactly the same vulnerable code that I found in the firmware of my T450s. It's also interesting that the vulnerable code is quite old (it comes from the EFI 1.x era) but nevertheless, it was never present in the EDK2 source from the public repository - its version of QuarkSocPkg was heavily modified in comparison with the vulnerable one. The horrible and vulnerable by design piece of code was removed by Intel somewhere in the middle of 2014, but it seems that there were no security advisories regarding this issue. Due to this, IBVs had no chance to fix this vulnerability in their relatively old code base, and the bug appeared in modern computers from Lenovo, Intel, GIGABYTE, Dell, HP, Fujitsu and other OEMs (oops!).

Well, I guess at this point it's more or less clear that currently there's nothing to do with the ThinkPad anymore: it was pwned with a 0day, it has too awkward a code base that follows an ancient version of the EFI specification, and an 8 series chipset that is not the freshest stuff you can get. As my next target for firmware security adventures I've decided to take some Skylake based machine from a well-known vendor who might have decent firmware that would be interesting to break. Because I like all kinds of small x86 compatible computers, I've set my eye on the latest generation of Intel NUC. It also looks interesting because the platform vendor knows its hardware better than anyone else, so, from a firmware security perspective, Intel NUC is definitely not the worst choice. So, shortly after the ThinkPwn release, I bought the NUC6i3SYH model of Intel NUC and started reverse engineering it.