write to BIOS Flash ROM

[Attacker]

i'm trying to write a program that is installed onto BIOS but when i tryed to run black screen of death happens and i lost my computer. what is wrong in my source below:

Code: Select all

cli
mov ax,0B108h
xor bx,bx 
mov di,0090h
int 1Ah
push cx
or cl,00110000b 
mov ax,0B10Bh 
xor bx,bx 
int 1Ah

mov ax,0F000h
mov es,ax
xor di,di
mov cx,0010h 
mov al,11h 
cld
rep stosb

pop cx 
mov ax,0B10Bh 
xor bx,bx
mov di,0090h 
int 1Ah
sti
wbinvd 

[iansjack]

I've no idea what your code does, but if it did overwrite the BIOS then you have probably bricked your computer permanently. You could ruin a lot of computers trying to get this right.

Again, given your username and the nature of your query, I have to wonder about your motives. Along with your previous query, you seem to be very interested in techniques typically used by malware.

[Attacker]

I've no idea what your code does, but if it did overwrite the BIOS then you have probably bricked your computer permanently. You could ruin a lot of computers trying to get this right.

Again, given your username and the nature of your query, I have to wonder about your motives. Along with your previous query, you seem to be very interested in techniques typically used by malware.

My code only install a code onto BIOS. This is no malware, is only for educacional purposes.
I only want to inject my code onto Flash ROM BIOS.

[iansjack]

I wouldn't expect you to say otherwise.

As a matter of interest, is the name "Attacker" just for educational purposes?

[zaval]

Young attacker inclined to education.)
Just an idea for you. If you want that bad to be able to flash SPI NOR chips on computers without bricking them down, try something other than common PCs. Like Rock64 board for example. It's a very cute armv8 64-bit mini-PC, with an impressive feature set for such a low price (upcomming Rock64Pro is even meatier). There, the ROM code is permanently present and it is not possible to get rid of of it, and brick the board too. But it almost does nothing, the real FW should take control and do stuff. You can play with the SPI NOR chip which is btw HUGE there - 128Mbit!!! and if you screw it up, the board still will be able to boot from eMMC, SD so that you could recreate NOR chip content and keep learning. for educational purposes, of course.

But you are just a kind of script kiddie willing to become a c00l h4ck3r... shame on you!

[Schol-R-LEA]

This is no malware,

Would the defendant like to change their plea? To quote from the (auto-translated) article this code is originally from:

One of the main directions in the "battle of wits" between the authors of computer viruses and anti-virus programs is associated with the placement of the body of the virus in the RAM. At first glance, everything is trite: the task of the virus is to hide so that they do not find it, the task of the antivirus is to find it.

In the course of the evolution of technologies used both for writing malicious programs and for countering them, quite non-trivial solutions have appeared. The field of activity has long been not limited to the memory management mechanisms that are part of the operating system.

Today, in order to be "at the level", authors, both viruses and antiviruses need an understanding of the principles of program interaction and equipment, such as working with the configuration registers of the chipset, Model-Specific Processor Registers (MSR), the use of memory areas that have special status in terms of memory controller (SMRAM, Shadow, etc.).

The author of this article is not a virologist, much less a "virus writer", but works in the field of hardware and system software development. Therefore, the proposed material is prepared as information about a potential vulnerability, which makes it possible for the virus to "hide" in a non-trivial way. It's about using "shadow" memory or Shadow RAM and representing the virus in the status of the part of the executable BIOS block.

As the article itself states, that code will work only on the circa 2006 model of motherboard it was written for (Gigabyte GA-8i915PL-G with an Intel 915 chipset), on which it disables shadow RAM security features. I am pretty sure you didn't notice that part, assuming you even read the article rather than getting the code third- or fourth-hand from some other script kiddie.

Oh, and look, you didn't get this part of it either:

Immediately we mention that it's not about modifying the contents of the BIOS ROM (Flash ROM), but about modifying the area of ​​RAM (Shadow RAM), where the contents of ROM BIOS are overwritten during the working session. Therefore, we are not talking about the failure of the motherboard here.

Ooooops. Someone told you some fibs, I think. A nice match for those you've told here...

is only for educacional purposes.

Education for what? There are no legitimate uses for flashing a PC's BIOS with anything except the code the manufacturer provides. For that matter, there are damn few illegitimate ones, really. I am not sure what you mean to learn, other than how to brick a PC.

In any case, writing a BIOS for hardware you didn't have a hand in designing yourself is a fool's errand, as we've explained countless times to others here. Writing a BIOS requires detailed knowledge of the motherboard hardware, and the information in question is a) mostly specific to the exact model of motherboard, meaning the BIOS written based on it won't run on any other mobo, and b) usually proprietary, and thus unavailable to anyone other than the manufacturer.

(Well, them, or anyone willing to commit the money, time, resources, and expertise to spend 2+ years reverse engineering it, a task which involves an oscilloscope, de-soldering wick, datasheets for every IC on the board, and maybe a scanning electron microscope.)

There are a handful of SBCs that use (mostly) open-source hardware (and at least one MIPS/Loongson-based laptop from China, the Lemote 3A, but good luck finding one of those anywhere outside of the PRC if you aren't Richard Stallman), for which one might conceivably have the necessary information; I don't know of even a single stock x86 PC motherboard for which that is the case.

Note also that Flash devices, even ones not used for emulating disks, are generally block devices due to the nature of NAND flash memory - you can't just insert a snippet of code, you have to write a whole section out, overwriting whatever was there. The less common NOR flash memory can read by bytes, but still erases and writes en bloc. On most mobos flashing the BIOS is an all-or-nothing deal - anything in the flash memory prior to re-flashing is gone, no backsies.

But all that is beside the point, because the code is very definitely malware and nothing but (while it was published as an experimental process, it was done with the understanding that it was part of a pentest to show a vulnerability - one specific to the now twelve-year-old hardware being tested), and you have been caught dead to rights.

[Octocontrabass]

Education for what? There are no legitimate uses for flashing a PC's BIOS with anything except the code the manufacturer provides.

The coreboot developers would disagree with you there.

Of course, for a project undertaken by a single person, a motherboard from 2006 may be a bit too ambitious. A motherboard from 1996 may be a simpler task, if you can find one where all of the components are suitably documented (or don't mind reverse-engineering the original ROM).

I am not sure what you mean to learn, other than how to brick a PC.

Pick a board with a socketed ROM and dump its contents with an EEPROM programmer. If anything goes wrong, you can reflash the ROM using the programmer and your backup copy. You don't need to rewrite the ROM while it's attached to the motherboard, since you're not writing malware.

[Schol-R-LEA]

Education for what? There are no legitimate uses for flashing a PC's BIOS with anything except the code the manufacturer provides.

The coreboot developers would disagree with you there.

OK, I did overlook them. However, they collectively have the resources to figure out the details, and/or convince the manufacturers to provide them, which it seems unlikely that our 'student' would be able to do.

This is above and beyond the fact that Attacker was using code which they clearly didn't understand the purpose of, in a way it wasn't intended, and presumably on a system it wasn't for. Not that it matters much, as I highly doubt that Attacker will be back after they stopped in Tuesday morning to find my earlier post (gee, nothing to say, Attacker? What a shame.).

/me does a quick check Hmmn, it doesn't look like they have an implementation for the Thinkpad T410, pity.

[ggodw000]

I worked in bios but there is a certain strict protocol for writing to EEPROM BIOS chip. and I think it varies by manufacturer model.
I did not specifically worked with flash code but that is as far as I know but I do remember i peaked at the code and it did not look simple at all. There are some GPIO pins that can fool you by giving into illusion that writing into certain segment i.e. F000 but that could simply be empty address space or physical memory depending on how the hardware is wired up.
Bottom line, flashing ROM is not straightfwd!

Thanks.,