Building BIOS with a Custom SMM Module

This is an instruction to run your own SMM code.

In this document, we will walk through:

  • building a custom SMM module as part of an OVMF-based BIOS,
  • loading the OVMF-based BIOS onto QEMU, and
  • embedding the custom SMM module into an existing device's BIOS.

HelloSmm is the custom SMM module used in this instruction. It receives every SMI and simply logs the SMI command number (video).

Prerequisites

  • An Ubuntu host, or Ubuntu on WSL.
  • A target device with serial output. I use a MinnowBoard Turbot and an SS-TTL3VT.
  • An SPI programmer. I use the SF100.
    • If you are going to test on QEMU only, the last two are not required.

Outline

High-level steps to test against a physical device are as follows:

  1. Build the custom SMM module
  2. Get the BIOS image and embed HelloSmm into it
  3. Flash the modified BIOS image

Building the Custom SMM Module

To build HelloSmm, first, check out the repositories:

$ git clone https://github.com/tandasat/HelloSmm.git
$ git clone -b edk2-stable202011 --recurse-submodules https://github.com/tianocore/edk2
$ cp -r HelloSmm/HelloSmm edk2/OvmfPkg

Open edk2/OvmfPkg/OvmfPkgIa32X64.dsc and add an entry for HelloSmm.inf:

  #
  # Variable driver stack (SMM)
  #
  ...
  OvmfPkg/HelloSmm/HelloSmm.inf

Similarly, open edk2/OvmfPkg/OvmfPkgIa32X64.fdf and add an entry for HelloSmm.inf:

  #
  # Variable driver stack (SMM)
  #
  ...
  INF  OvmfPkg/HelloSmm/HelloSmm.inf

Then, build the BIOS image.

$ python3 -m venv ovmf_env
$ source ovmf_env/bin/activate
$ pip3 install --upgrade -r pip-requirements.txt
$ sudo apt-get install mono-complete

$ cd edk2/
$ stuart_setup -c OvmfPkg/PlatformCI/PlatformBuild.py TOOL_CHAIN_TAG=GCC5 -a IA32,X64
$ stuart_update -c OvmfPkg/PlatformCI/PlatformBuild.py TOOL_CHAIN_TAG=GCC5 -a IA32,X64
$ python3 BaseTools/Edk2ToolsBuild.py -t GCC5
$ stuart_build -c OvmfPkg/PlatformCI/PlatformBuild.py -a IA32,X64 TOOL_CHAIN_TAG=GCC5 BLD_*_SMM_REQUIRE=1 BLD_*_DEBUG_ON_SERIAL_PORT=1

(If you are going to test on QEMU, omit BLD_*_DEBUG_ON_SERIAL_PORT=1 from the last command.)

The above steps install the dependencies into a virtual environment called ovmf_env, then build the OvmfPkg package with a 32-bit PEI phase and a 64-bit DXE phase (including HelloSmm). The resulting image is edk2/Build/Ovmf3264/DEBUG_GCC5/FV/OVMF.fd.

Testing on QEMU

Simply start QEMU with the compiled BIOS.

# If you are on WSL, install vcxsrv (https://sourceforge.net/projects/vcxsrv/)
# and start XLaunch first, then:

$ export DISPLAY=0:0
$ stuart_build -c OvmfPkg/PlatformCI/PlatformBuild.py -a IA32,X64 TOOL_CHAIN_TAG=GCC5 BLD_*_SMM_REQUIRE=1 --FlashOnly

You should see multiple "SMI 0x00" entries logged by HelloSmm.

Testing on a physical device

To test on a physical device, first get the BIOS image of the target device, either by:

  • using an SPI programmer to dump the current BIOS, or
  • downloading a BIOS image, if the vendor provides one.

Next, embed the compiled custom SMM module into the BIOS image.

  1. Download UEFITool with the old engine. The latest version is 0.28.0 as of this writing.
  2. Open the base BIOS image and search E94F54CD-81EB-47ED-AEC3-856F5DC157A9
  3. Right-click it and choose "Insert after...".
  4. Select edk2/Build/Ovmf3264/DEBUG_GCC5/FV/Ffs/A0F56EC8-CAC5-460B-8D1F-DBF4A0836C80HelloSmm/A0F56EC8-CAC5-460B-8D1F-DBF4A0836C80.ffs
  5. Save the modified BIOS image.
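Before flashing, it is worth confirming that the saved image really contains the HelloSmm FFS file, and that the anchor GUID from step 2 sits where you expect. The script below is an added example, not part of HelloSmm or EDK2: it encodes a GUID the way a firmware volume stores it (Data1..Data3 little-endian, Data4 as-is), finds FFS headers by name, and validates the 24-byte header (type, size and header checksum) so that a stray copy of the GUID inside some other file's data is not mistaken for the module. The only identifiers taken from the page are the two GUIDs; the FFS header layout and the type code 0x0A for SMM drivers are from the PI specification, and the sample image is constructed inline. Pass a real image path as the first argument to scan it instead.

```python
"""Locate EDK2 FFS files by GUID in a raw firmware image and validate their
headers.  Added example; not part of HelloSmm or EDK2."""
import struct
import sys
import uuid

# EFI_FFS_FILE_HEADER (24 bytes):
#   Name (16, GUID), IntegrityCheck.Header (1), IntegrityCheck.File (1),
#   Type (1), Attributes (1), Size (3, little-endian 24-bit), State (1)
FFS_HEADER_LEN = 24
EFI_FV_FILETYPE_DRIVER = 0x07   # a DXE driver
EFI_FV_FILETYPE_SMM = 0x0A      # an SMM/MM driver such as HelloSmm
FFS_ATTRIB_CHECKSUM = 0x40

HELLOSMM_GUID = "A0F56EC8-CAC5-460B-8D1F-DBF4A0836C80"  # from the page
ANCHOR_GUID = "E94F54CD-81EB-47ED-AEC3-856F5DC157A9"    # from the page


def guid_bytes(text):
    """Encode a textual GUID as it is stored on flash (mixed-endian)."""
    return uuid.UUID(text).bytes_le


def ffs_header_checksum(header):
    """8-bit sum of the header with IntegrityCheck.File (offset 17) and
    State (offset 23) treated as zero; a valid header sums to 0."""
    h = bytearray(header)
    h[17] = 0
    h[23] = 0
    return sum(h) & 0xFF


def parse_ffs_header(data, offset):
    """Decode the FFS header at `offset` into a dict (no section parsing)."""
    header = data[offset:offset + FFS_HEADER_LEN]
    if len(header) < FFS_HEADER_LEN:
        raise ValueError("truncated FFS header")
    _hdr_sum, _file_sum, ftype, attrs = struct.unpack_from("<BBBB", header, 16)
    return {
        "guid": str(uuid.UUID(bytes_le=header[:16])).upper(),
        "type": ftype,
        "attributes": attrs,
        "size": int.from_bytes(header[20:23], "little"),
        "state": header[23],
        "header_ok": ffs_header_checksum(header) == 0,
    }


def find_ffs_files(data, guid_text):
    """Yield (offset, parsed header) for every occurrence of the name GUID.
    Callers must check header_ok/type: the bytes may be a stray reference."""
    needle = guid_bytes(guid_text)
    start = 0
    while True:
        idx = data.find(needle, start)
        if idx < 0:
            return
        yield idx, parse_ffs_header(data, idx)
        start = idx + 1


def check_module_embedded(image, guid_text, expected_type=EFI_FV_FILETYPE_SMM):
    """Offsets of well-formed FFS headers with the given name and type;
    an empty list means the module is not in the image."""
    return [off for off, hdr in find_ffs_files(image, guid_text)
            if hdr["header_ok"] and hdr["type"] == expected_type]


def build_ffs_file(guid_text, ftype, payload):
    """Construct a minimal FFS file with a valid header checksum.  Used only
    to fabricate the constructed sample image below."""
    size = FFS_HEADER_LEN + len(payload)
    header = bytearray(guid_bytes(guid_text))
    header += bytes([0, 0, ftype, FFS_ATTRIB_CHECKSUM])
    header += size.to_bytes(3, "little")
    header += bytes([0xF8])  # State: typical value for a valid file
    header[16] = (-ffs_header_checksum(header)) & 0xFF  # make the sum zero
    return bytes(header) + payload


# Constructed sample: padding, the anchor file, HelloSmm, then a stray copy
# of the HelloSmm GUID that is NOT a file header (checksum will not match).
SAMPLE_IMAGE = (
    b"\xff" * 64
    + build_ffs_file(ANCHOR_GUID, EFI_FV_FILETYPE_DRIVER, b"\x00" * 40)
    + build_ffs_file(HELLOSMM_GUID, EFI_FV_FILETYPE_SMM, b"\x00" * 24)
    + guid_bytes(HELLOSMM_GUID)
    + b"\xff" * 32
)

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    for label, guid in (("anchor", ANCHOR_GUID), ("HelloSmm", HELLOSMM_GUID)):
        for off, hdr in find_ffs_files(image, guid):
            print(f"{label} @ 0x{off:x}: type=0x{hdr['type']:02x} "
                  f"size={hdr['size']} header_ok={hdr['header_ok']}")
    print("HelloSmm embedded at:", [hex(o) for o in check_module_embedded(image, HELLOSMM_GUID)])
```

On the constructed image the HelloSmm header is reported once at offset 128 as a well-formed type 0x0A file, while the stray GUID copy later in the image fails the checksum and is rejected. The same check run on a real image is a cheap sanity test that the UEFITool edit landed in the right volume and that the file type is what the DXE/SMM dispatcher expects.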

Finally, write the modified BIOS image onto the target device.

  1. Physically connect the SPI programmer with the target.
  2. Start DediProg Engineering, click the File button, and select the modified BIOS image.
  3. Click Batch button to write the image to the SPI flash.
  4. Disconnect the programmer from the device.

To verify that your custom SMM module is loaded and active, connect to the target device through the serial port to view its logs, then power on the target device. You should see SMIs being logged in the serial session. Easy 😻

Owner
Satoshi Tanda
Engineer (he/him)