Reading the SMRAM

smoothCoder
Member
Posts: 43
Joined: Sat Aug 28, 2010 10:32 pm

Reading the SMRAM

Post by smoothCoder »

Hi!

I want to dump the SMRAM to an archive and disassemble it.
I have not tested it yet, but apparently there is one (not guaranteed to work) way to relocate the SMBASE to nowhere. But I don't want to kill useful SMM functionality.
I am not trying to create rootkits. I just want to get total control over my machine. I dislike the idea of having closed-source code executing transparently on the machine.
I don't know if there is a way to read the SMRAM code from somewhere in the BIOS area. From some place, the BIOS has to load it.
Whatever I search for in Google about reading SMM code, it directs me to rootkits.

Cheers!
Brendan
Member
Posts: 8561
Joined: Sat Jan 15, 2005 12:00 am
Location: At his keyboard!

Re: Reading the SMRAM

Post by Brendan »

Hi,
smoothCoder wrote:I want to dump the SMRAM to an archive and disassemble it.
Why? There's nothing you could do with this information if you can get it, and usually no way to get it.
smoothCoder wrote:I have not tested it yet, but apparently there is one (not guaranteed to work) way to re-allocate the SMBASE to nowhere. But I dont want to kill usefull SMM functionality.
If you can change the SMBASE, it won't magically make the information at the old SMBASE suddenly appear at the new SMBASE.
smoothCoder wrote:I just want to get the total control over my machine. I dislike the idea of having closed source code executing transparently on the machine.
Then you've only really got 3 choices - use open source firmware (e.g. coreboot), write your own firmware for existing hardware, or write your own firmware for your own hardware. The first 2 choices won't give you total control over the machine (only control of all software on the machine - for example, there can still be hardware doing things without your knowledge).
smoothCoder wrote:Whatever I search in google about reading SMM code, it direct me to rootkits.
There's only 2 reasons to be messing with SMM:
  • you're writing firmware, and therefore you have the necessary knowledge/experience to get all information you need from the chipset's data sheet/s (and therefore have no need to search for information)
  • you're a 12-year-old script kiddie who lacks the necessary knowledge/experience to realise an SMM rootkit is stupid (and therefore you do have a need to search for information)
Basically what I'm saying is that SMM should be considered part of the motherboard's hardware. If you don't trust the motherboard's SMM, then you shouldn't be trusting the motherboard's hardware either.


Cheers,

Brendan
For all things; perfection is, and will always remain, impossible to achieve in practice. However; by striving for perfection we create things that are as perfect as practically possible. Let the pursuit of perfection be our guide.
smoothCoder
Member
Posts: 43
Joined: Sat Aug 28, 2010 10:32 pm

Re: Reading the SMRAM

Post by smoothCoder »

Brendan wrote:If you can change the SMBASE, it won't magically make the information at the old SMBASE suddenly appear at the new SMBASE.
I knew that before posting. This is part of the problem: relocating the SMBASE does not help me at all.
Brendan wrote:There's only 2 reasons to be messing with SMM:
I have a third reason, but it is part of the secret part of my project.

I looked at coreboot and there I found a lot of new things to learn. Unfortunately, for me getting into coreboot will take six more months of learning and coding. I'll keep searching a few more days in SMM-rootkit papers. If I find the answer there, it will not be necessary to mess with coreboot.

Cheers!
a5498828
Member
Posts: 99
Joined: Thu Aug 12, 2010 7:25 am

Re: Reading the SMRAM

Post by a5498828 »

I believe SMM has its own address space, and can be accessed only in a special way. You can read its contents by writing a dump routine into it through cache poisoning.
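Before trying any of the above, the practical first check is whether the chipset has even locked SMRAM. On Intel host bridges the SMRAMC register (PCI device 0:0.0) carries the D_OPEN, D_CLS, D_LCK and G_SMRAME bits that decide whether accesses from outside SMM to the legacy A0000h-BFFFFh segment hit SMRAM DRAM at all. The decoder below is an added example, not code from this thread or from coreboot; the bit layout follows the public Intel MCH datasheets, but the config-space offset (0x9D here) differs between chipset generations and is an assumption you must confirm against your own datasheet before trusting the output.

```c
/* smramc.c - decode the Intel host-bridge SMRAMC register.
 * Added example; not from the thread. Bit positions follow the public
 * Intel MCH datasheets. The PCI config offset is an ASSUMPTION and
 * varies by chipset (check your datasheet). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define SMRAMC_D_OPEN   (1u << 6) /* legacy SMRAM visible to non-SMM accesses   */
#define SMRAMC_D_CLS    (1u << 5) /* data accesses to SMRAM are steered off DRAM */
#define SMRAMC_D_LCK    (1u << 4) /* lock: D_OPEN/D_CLS/G_SMRAME frozen to reset */
#define SMRAMC_G_SMRAME (1u << 3) /* SMRAM decode enabled at all                 */
#define SMRAMC_CBASE_MASK 0x7u    /* C_BASE_SEG: 010b = A0000h-BFFFFh            */

#define SMRAMC_OFFSET_ASSUMED 0x9D /* assumption: 915/945/Q35-era offset */

struct smramc_state {
    int open, closed, locked, enabled;
    unsigned base_seg;
};

/* Split the raw register byte into its fields. */
struct smramc_state smramc_decode(uint8_t v)
{
    struct smramc_state s;
    s.open     = (v & SMRAMC_D_OPEN)   != 0;
    s.closed   = (v & SMRAMC_D_CLS)    != 0;
    s.locked   = (v & SMRAMC_D_LCK)    != 0;
    s.enabled  = (v & SMRAMC_G_SMRAME) != 0;
    s.base_seg = v & SMRAMC_CBASE_MASK;
    return s;
}

/* 1 if a plain (non-SMM) read of A0000h-BFFFFh would return SMRAM DRAM:
 * decode must be on, D_OPEN set and D_CLS clear. */
int smramc_readable_outside_smm(uint8_t v)
{
    struct smramc_state s = smramc_decode(v);
    return s.enabled && s.open && !s.closed;
}

/* 1 if the firmware left the register in the hardened state:
 * D_LCK set and D_OPEN clear (nothing can reopen it before reset). */
int smramc_is_locked_closed(uint8_t v)
{
    struct smramc_state s = smramc_decode(v);
    return s.locked && !s.open;
}

/* Read one byte of PCI config space for 0000:00:00.0 via sysfs (Linux,
 * needs root). Returns -1 on any failure so the caller can fall back. */
int smramc_read_sysfs(unsigned offset)
{
    FILE *f = fopen("/sys/bus/pci/devices/0000:00:00.0/config", "rb");
    unsigned char b;
    if (!f)
        return -1;
    if (fseek(f, (long)offset, SEEK_SET) != 0 || fread(&b, 1, 1, f) != 1) {
        fclose(f);
        return -1;
    }
    fclose(f);
    return b;
}

int main(int argc, char **argv)
{
    /* Optional argument: the SMRAMC offset for your chipset (hex). */
    unsigned off = argc > 1 ? (unsigned)strtoul(argv[1], NULL, 16)
                            : SMRAMC_OFFSET_ASSUMED;
    int raw = smramc_read_sysfs(off);
    if (raw < 0) {
        fprintf(stderr, "cannot read PCI config (root? sysfs?)\n");
        return 1;
    }
    struct smramc_state s = smramc_decode((uint8_t)raw);
    printf("SMRAMC@0x%02x = 0x%02x: G_SMRAME=%d D_OPEN=%d D_CLS=%d D_LCK=%d "
           "C_BASE_SEG=%u\n", off, raw, s.enabled, s.open, s.closed,
           s.locked, s.base_seg);
    printf("readable from non-SMM code: %s\n",
           smramc_readable_outside_smm((uint8_t)raw) ? "YES" : "no");
    printf("locked and closed (expected after boot): %s\n",
           smramc_is_locked_closed((uint8_t)raw) ? "yes" : "NO");
    return 0;
}
```

If the register reports D_LCK set, nothing short of a reset changes the other bits, which is exactly why the thread's "relocate SMBASE" and cache-tricks ideas are the only avenues people discuss: the front door is shut by design. Note also that this only covers the legacy compatible segment; the TSEG region most firmware actually uses lives behind separate MCH registers not decoded here.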
marcbuck
Posts: 1
Joined: Sat Feb 05, 2011 12:21 pm

Re: Reading the SMRAM

Post by marcbuck »

Hi,
Brendan wrote: There's only 2 reasons to be messing with SMM:
  • you're writing firmware, and therefore you have the necessary knowledge/experience to get all information you need from the chipset's data sheet/s (and therefore have no need to search for information)
  • you're a 12-year-old script kiddie who lacks the necessary knowledge/experience to realise an SMM rootkit is stupid (and therefore you do have a need to search for information)
Basically what I'm saying is that SMM should be considered part of the motherboard's hardware. If you don't trust the motherboard's SMM, then you shouldn't be trusting the motherboard's hardware either.
Please tell me, Brendan, why is it the "work" of a "12yo script kiddie" to mess around with SMM rootkits, e.g. J. Rutkowska and IvanLefou held talks at BH about that? What is the reason against going deeper into the machine to see the SMM RAM?
Combuster
Member
Posts: 9301
Joined: Wed Oct 18, 2006 3:45 am
Libera.chat IRC: [com]buster
Location: On the balcony, where I can actually keep 1½m distance

Re: Reading the SMRAM

Post by Combuster »

The whole security issue behind SMM has been documented; what's left is people making use of the system for their own bad sense of humour: the script kiddies.
"Certainly avoid yourself. He is a newbie and might not realize it. You'll hate his code deeply a few years down the road." - Sortie