Update: [tor-talk] How does one remove the NSA Virus off the BIOS Chip as described by Snowden in the ANT Program

coderman coderman@gmail.com
Sat Feb 27 01:48:39 PST 2016


belated catch-up:

- YES! i am still looking for anyone who kept the copies of
taobios-v2.tar.bz2 downloaded on the 10th, 11th, or 13th and not the
expected sha256sum as in
https://lists.torproject.org/pipermail/tor-talk/2015-December/039678.html

- this or some FOIAs or maybe *ahem* got peertech.org dedi burned;
(~_~;) ,  shit rained - keys died in a fire... at least learning was
enjoyed in large measure? *grin* [ see addendum. ]

- if you didn't get the bios captures the first time, they are also now at:
    http://cubicmeteryhbozt.onion/taobios-v2.tar.bz2
 L1-bios-readA.bin and L2-bios-readA.bin images have been submitted to
VirusTotal, no hits. however, remember it is looking at UEFI code
modules, and as discussed, both payloads take pains to avoid common
BIOS forensic techniques - they're not rogue UEFI malmodules sitting
in easy reach! :)

- the FOIAs are,
= Meta-FOIA: https://www.muckrock.com/foi/united-states-of-america-10/procnopenopes-24179/
= New Req(FBI):
https://www.muckrock.com/foi/united-states-of-america-10/keykeeperkomikal-24180/
= New Req(DoJ):
https://www.muckrock.com/foi/united-states-of-america-10/keykeeperkomikaldept-24181/
and list at ello still excellent, too:
 https://ello.co/ohj2eevi/post/SDNS4ZsILYAG_SQ8yMl9Ew
 … :P


... Addendum:
the incident and response info:
 https://ello.co/ohj2eevi/post/AcOPfljWjTmfuFEkpc5Pbg
however, it seems they've lost the 8 comments which contained the
detailed updates. i can find archives in PDF if anyone cares?
-
the "signal" honey token service used to detect the TLS MitM is described here:
 https://ello.co/ohj2eevi/post/JwQUX_nGF4OhtaJXDySzjg


best regards,


[ fwd is for posterity; with apologies by the megabyte, :o ]



---------- Forwarded message ----------
From: coderman <coderman@gmail.com>
Date: Sun, 6 Dec 2015 19:31:28 -0800
Subject: Re: [tor-talk] How does one remove the NSA Virus off the BIOS
Chip as described by Snowden in the ANT Program
To: <PARTIED TO REMAIN NAMELESS...>


are you going to take a look, at least?

there is a write up, using rpi2:

 $ flashrom -r bios.bin -V -p linux_spi:dev=/dev/spidev0.0
 . . .
  Found Winbond flash chip "W25Q64.V" (8192 kB, SPI).

with the pre-built program (flashrom):
 flashrom-piprebuilt-0.9.8.tar.bz2

i show you binwalk diff, with a rogue storage area:
 < Scan Time:     2015-12-05 23:14:56
 < Target File:   L1-bios-readA.bin
 < MD5 Checksum:  26857cc3e814d5e924c133e961d1a993
 ---
 > Scan Time:     2015-12-05 23:15:16
 > Target File:   L2-bios-readA.bin
 > MD5 Checksum:  b47e3205e77e94b8f2e9400d4f915e76
 9d8
 < 806912        0xC5000         LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, missing uncompressed size

 See also, https://jbeekman.nl/blog/2015/03/reverse-engineering-uefi-firmware/

and even take pictures for you to replicate,

[ see attached ]



don't you want to learn to fish, young padwan?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pi-to-spi-flash-pinout.jpg
Type: image/jpeg
Size: 145687 bytes
Desc: not available
URL: <http://cpunks.org/pipermail/cypherpunks/attachments/20160227/ff34bbb1/attachment-0005.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rpi-connector.jpg
Type: image/jpeg
Size: 79846 bytes
Desc: not available
URL: <http://cpunks.org/pipermail/cypherpunks/attachments/20160227/ff34bbb1/attachment-0006.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rpi2-connector.jpg
Type: image/jpeg
Size: 222875 bytes
Desc: not available
URL: <http://cpunks.org/pipermail/cypherpunks/attachments/20160227/ff34bbb1/attachment-0007.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: piflashread1.jpg
Type: image/jpeg
Size: 153542 bytes
Desc: not available
URL: <http://cpunks.org/pipermail/cypherpunks/attachments/20160227/ff34bbb1/attachment-0008.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: piflashread2.jpg
Type: image/jpeg
Size: 274524 bytes
Desc: not available
URL: <http://cpunks.org/pipermail/cypherpunks/attachments/20160227/ff34bbb1/attachment-0009.jpg>
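The dump comparison the forwarded message sketches (two flashrom reads of the same chip, binwalk showing an LZMA stream present only in the second), as an added Python example that is not part of coderman's post: it hashes both images, locates the 4 KiB blocks that differ, and scans each image for LZMA-alone headers so a stream that exists in only one dump is reported with its offset. The image contents are constructed, and a 1 MiB 0xFF-filled buffer stands in for the 8 MiB W25Q64 dump.

```python
import hashlib
import struct

MISSING_SIZE = 0xFFFFFFFFFFFFFFFF  # LZMA-alone "uncompressed size unknown" marker


def lzma_headers(image):
    """Offsets of plausible LZMA-alone headers: a 0x5D properties byte, a
    little-endian power-of-two dictionary size, then an 8-byte uncompressed
    size (all 0xFF means "missing", which is what binwalk reported above)."""
    hits = []
    pos = image.find(b"\x5d")
    while pos != -1 and pos + 13 <= len(image):
        dict_size = struct.unpack_from("<I", image, pos + 1)[0]
        usize = struct.unpack_from("<Q", image, pos + 5)[0]
        if (4096 <= dict_size <= 1 << 30 and dict_size & (dict_size - 1) == 0
                and (usize == MISSING_SIZE or usize < 1 << 32)):
            hits.append((pos, dict_size, None if usize == MISSING_SIZE else usize))
        pos = image.find(b"\x5d", pos + 1)
    return hits


def differing_regions(a, b, block=4096):
    """Compare two dumps of the same chip block by block; return (offset, length)
    runs that differ, so a rogue storage area shows up as a located span."""
    if len(a) != len(b):
        raise ValueError("dumps differ in size; reads of the same chip expected")
    regions, start = [], None
    for off in range(0, len(a), block):
        same = a[off:off + block] == b[off:off + block]
        if not same and start is None:
            start = off
        elif same and start is not None:
            regions.append((start, off - start))
            start = None
    if start is not None:
        regions.append((start, len(a) - start))
    return regions


def compare_dumps(a, b):
    """Hashes of both images, the spans that changed, and compressed streams
    that exist in only one of the two dumps."""
    ha, hb = set(lzma_headers(a)), set(lzma_headers(b))
    return {
        "sha256": (hashlib.sha256(a).hexdigest(), hashlib.sha256(b).hexdigest()),
        "regions": differing_regions(a, b),
        "lzma_only_in_a": sorted(ha - hb),
        "lzma_only_in_b": sorted(hb - ha),
    }


# Constructed sample: a 1 MiB erased-flash stand-in (0xFF fill) and a copy with an
# LZMA header plus a few payload bytes planted at 0xC5000, as in the diff above.
CHIP = 1024 * 1024
CLEAN = b"\xff" * CHIP
SUSPECT = bytearray(CLEAN)
SUSPECT[0xC5000:0xC500D] = b"\x5d" + struct.pack("<I", 16777216) + b"\xff" * 8
SUSPECT[0xC500D:0xC501D] = bytes(range(16))  # constructed stand-in for stream data
```

Running `compare_dumps(CLEAN, SUSPECT)` reports one differing 4 KiB block at 0xC5000 and an LZMA header with a 16777216-byte dictionary and missing size present only in the second image.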