Is There An EFI Monster Inside Your Apple?: FG! at CODE BLUE 2015
fG! @ CODE BLUE 2015
Who am I?
§ An Economist.
§ How to reverse engineer (U)EFI binaries.
§ Modular.
§ https://github.com/informationextraction/vector-edk/blob/master/MdeModulePkg/Application/fsbg/fsbg.c
What evil things can we do?
§ https://www.youtube.com/watch?v=sNYsfUNegEA
What evil things can we do?
§ Bootloader
§ Redirect to a custom bootloader.
§ http://blog.cr4.sh/2015/02/exploiting-uefi-boot-script-table.html
§ Hardware
§ The best and most reliable way.
§ Trustable.
§ Software
§ Possible if chip supported by flashrom.
§ Not (very) trustable.
Hardware
§ https://www.pjrc.com/store/mcp1825.html
Teensy 3.1 pinout
Tips & Tricks
§ Requirements
§ Flashrom
§ DirectHW.kext
§ Or readphysmem.
Software
§ DarwinDumper.
§ http://flashrom.org/Flashrom
§ http://www.coreboot.org/DirectHW
§ https://bitbucket.org/blackosx/darwindumper/downloads
§ https://github.com/osresearch/rwmem
§ https://github.com/gdbinit/readphysmem
Software
§ AppleHWAccess.kext.
§ Unpacker
§ http://io.smashthestack.org/me/
Intel ME region
§ Contains
§ EFI binaries for different phases.
§ NVRAM.
§ No filenames.
§ https://github.com/gdbinit/TELoader
EFI Services
§ v is Microcode.
§ Trolling?
§ Real?
PGP Fingerprint
7B05 44D1 A1D5 3078 7F4C E745 9BB7 2A44 ED41 BF05
A day full of possibilities!
Let's go exploring!
References
§ Alex Ionescu, Ninjas and Harry Potter: “Spell”unking in Apple SMC Land
§ http://www.nosuchcon.org/talks/2013/D1_02_Alex_Ninjas_and_Harry_Potter.pdf
§ Alex Ionescu, Apple SMC: The place to be definitely (for an implant)
§ https://www.youtube.com/watch?v=nSqpinjjgmg
§ fG!, The Empire Strikes Back Apple – how your Mac firmware security is completely broken
§ https://reverse.put.as/2015/05/29/the-empire-strikes-back-apple-how-your-mac-firmware-security-is-completely-broken/
§ Cr4sh, Building reliable SMM backdoor for UEFI based platforms
§ http://blog.cr4.sh/2015/07/building-reliable-smm-backdoor-for-uefi.html
§ Intel ATR, Black Hat 2015 / DEF CON 23: Firmware rootkit
§ https://www.youtube.com/watch?v=sJnIiPN0104&app=desktop