Introduction to UEFI BIOS Reverse Engineering
Learn how UEFI works and how you can reverse engineer the code of your computer firmware.
The UEFI BIOS firmware will handle some of the first steps of the boot of a computer. This low-level firmware developed by the computer manufacturers is best known for implementing SecureBoot, the security protection which should guarantee that the next steps in the boot, the bootloader and the kernel, are not corrupted. In recent years, compromising this firmware has allowed attackers to inject invisible backdoors in the UEFI code: allowing them to get code execution in the kernel during the boot and to be persistent across the re-initialization of the computer.
This training is ideally suited for software engineers and security researcher who wish to better understand the boot of a computer and wants to acquire the basics for being able to reverse firmware. No prior knowledge is required in this field and the course will start by introducing how this works before making practices for interfacing with the UEFI. Practice will be made using emulation and an external hardware board, but the students are encouraged to look at the UEFI firmware on their own computer.
At the end of this training, students will have a global understanding of the main part of an UEFI firmware and how an Intel computer boots. They will be able to look at an unknown UEFI firmware implementation and will be able to reverse engineer its drivers.
Prerequisites and Requirements
The prerequisites for this course are a basic programming background as well as some knowledge in reverse engineering. The background on the boot and how the UEFI specification works will be covered in the course, as well as all the necessary knowledge on the Intel architecture. Each day will feature practical applications where the student will implement tools for interfacing with the firmware and end with how to reverse firmware.
The training will be mainly done through a Qemu virtualization VM, for people wishing to work on a real computer there is some optional requirements.
Requirements:
- Computers should be able to run VMWare and Qemu virtualization software.
- Students should have IDA Pro with the possibility of running scripts.
- Being able to launch software as root (administrator) on an x64 Intel computer.
Optional requirements for working on a real computer:
-
A computer allowing to reflash the firmware without protection:
- MinnowBoard MAX (tested),
- MaxMini B1 computer by BMAX (tested),
- Beelink T4 (not tested),
- Odyssey-X86J4105 (not tested),
- UP Squared board (not tested).
- A CH341A Miniprogrammer with a 1.8V shield or anything allowing to read and write SPI Flash on 1.8V which work with flashrom.
- A USB key of at least 8Go
Topics Covered during this Course
- Understanding the boot process of a computer.
- Introduction to the UEFI specification and its implementation.
- Compilation of open source UEFI implementation (EDK2) and its emulation.
- BIOS UEFI implementation and reverse engineering.
- Communication and configuration with the chipset components, including communication with PCIe and DMA.
Theory
-
Boot Theory
- Basic initialization of computer
- Step by step of a boot
- Necessary hardware initialization
- SPI Flash storage
- UEFI stages
- UEFI Firmware FileSystem (FFS)
-
UEFI Basics
- UEFI specifications
- EDK2
- UEFI executable
- UEFI services
- UEFI protocols & variables
- UEFI events
-
Chipset and hardware devices
- Components of a modern computer
- IO and MMIO
- PCI and PCIe
- DMA
-
Reversing UEFI
- Basic reverse of drivers
- Load order and dependencies
- Searching for the correct driver
- Handling protocols and communication with the hardware
- Tools for helping to reverse UEFI
Assignments
Assignment 1: Understanding UEFI storage
This assignment will show how the firmware can be fetched from a computer. Students will start by using chipsec, an open-source software for auditing PC platforms, for dumping the firmware on their computer. Following this, it will be shown how to both read and write the SPI Flash which stores the firmware. This will demonstrate how to recuperate the firmware and get a first look at its content.
Assignment 2: UEFI Implementation
The goal of this assignment will be to create applications and drivers for understanding how they work. Subsequently students will execute them in an emulation environment and on a real device. This assignment ensures an understanding of how UEFI works and will allow students to develop their own tools for interfacing with UEFI.
Assignment 3: Communication with the Chipset
In this assignment, it will be shown how it is possible to communicate with the different hardware components of a modern computer. Students will look at the configuration of their processor and its different components as well as communicating with different devices. Enumeration of PCI(e) devices will be done as well as looking at their configuration and how DMA communication works.
Assignment 4: Reverse Engineering UEFI
When looking at the security of firmware, in most cases, the source code of the firmware will not be available. Several UEFI drivers will be reversed, how they interface with each other will be investigated and how the control flow can be followed. When looking at some drivers the way they discuss with the hardware will be investigated and common code patterns will be shown.