belated catch-up: - YES! i am still looking for anyone who kept the copies of taobios-v2.tar.bz2 downloaded on the 10th, 11th, or 13th and not the expected sha256sum as in https://lists.torproject.org/pipermail/tor-talk/2015-December/039678.html - this or some FOIAs or maybe *ahem* got peertech.org dedi burned; (~_~;) , shit rained - keys died in a fire... at least learning was enjoyed in large measure? *grin* [ see addendum. ] - if you didn't get the bios captures the first time, they are also now at: http://cubicmeteryhbozt.onion/taobios-v2.tar.bz2 L1-bios-readA.bin and L2-bios-readA.bin images have been submitted to VirusTotal, no hits. however, remember it is looking at UEFI code modules, and as discussed, both payloads take pains to avoid common BIOS forensic techniques - they're not rogue UEFI malmodules sitting in easy reach! :) - the FOIAs are, = Meta-FOIA: https://www.muckrock.com/foi/united-states-of-america-10/procnopenopes-24179... = New Req(FBI): https://www.muckrock.com/foi/united-states-of-america-10/keykeeperkomikal-24... = New Req(DoJ): https://www.muckrock.com/foi/united-states-of-america-10/keykeeperkomikaldep... and list at ello still excellent, too: https://ello.co/ohj2eevi/post/SDNS4ZsILYAG_SQ8yMl9Ew … :P ... Addendum: the incident and response info: https://ello.co/ohj2eevi/post/AcOPfljWjTmfuFEkpc5Pbg , however it seems they've lost the 8 comments which contained the detailed updates. i can find archives in PDF if anyone cares? - the "signal" honey token service used to detect the TLS MitM is described here: https://ello.co/ohj2eevi/post/JwQUX_nGF4OhtaJXDySzjg . best regards, [ fwd is for posterity; with apologies by the megabyte, :o ] ---------- Forwarded message ---------- From: coderman <coderman@gmail.com> Date: Sun, 6 Dec 2015 19:31:28 -0800 Subject: Re: [tor-talk] How does one remove the NSA Virus off the BIOS Chip as described by Snowden in the ANT Program To: <PARTIED TO REMAIN NAMELESS...> are you going to take a look, at least? there is a write up, using rpi2: $ flashrom -r bios.bin -V -p linux_spi:dev=/dev/spidev0.0 . . . Found Winbond flash chip "W25Q64.V" (8192 kB, SPI). with the pre-built program (flashrom): flashrom-piprebuilt-0.9.8.tar.bz2 i show you binwalk diff, with a rogue storage area: < Scan Time: 2015-12-05 23:14:56 < Target File: L1-bios-readA.bin < MD5 Checksum: 26857cc3e814d5e924c133e961d1a993 ---
Scan Time: 2015-12-05 23:15:16 Target File: L2-bios-readA.bin MD5 Checksum: b47e3205e77e94b8f2e9400d4f915e76 9d8 < 806912 0xC5000 LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, missing uncompressed size
See also, https://jbeekman.nl/blog/2015/03/reverse-engineering-uefi-firmware/ and even take pictures for you to replicate, [ see attached ] don't you want to learn to fish, young padwan?
