[Cryptography] trojans in the firmware

Blibbet blibbet at gmail.com
Thu Feb 19 17:26:52 PST 2015


> How would I test that? I suppose that I could setup a VM to boot from an
> HDD, and then see if I can flash the HDD's firmware.

If this firmware trojan is EFI-based:

For PCI-based devices, use an Intel Tunnel Mountain box, an EFI dev box.
You can install a debug version of the firmware with symbols or
full-source level debug info, and debug it with a second machine using
GDB or Windbg.
http://tunnelmountain.net/

For USB-based devices, use an Intel Minnowboard MAX, a low-end dev board
for 'hobbiests'/'hackers' for Yocto and UEFI. Much cheaper than the
Tunnel Mtn box.
http://www.minnowboard.org/

Consider trying to use QEMU to test a virtual drivers for native
passthru. QEMU has the best diagnostic options for UEFI, it is the UEFI
Forum's main virtualization option for EFI dev. You can build the same
kind of debug firmware image for QEMU (called OVMF) as with live box.
VirtualBox has some EFI support, especially when you build it with
custom flags and set some environment variables. But AFAIK, VirtualBox's
EFI support is less powerful than QEMUs.
http://www.tianocore.org/ovmf/

If malware vendor provided ARM OpROMs in addition to Intel ones, use one
of Linaro's target ARM dev boards. They have a fork of TianoCore EFI for
each of these boards, and you can use that OVMF with QEMU as well.
https://wiki.linaro.org/LEG/Engineering/Kernel/UEFI





More information about the cypherpunks mailing list