Reading the SMRAM

Posted: Thu Sep 16, 2010 2:00 am
by smoothCoder
Hi!

I want to dump the SMRAM to an archive and disassemble it.
I have not tested it yet, but apparently there is one (not guaranteed to work) way to re-allocate the SMBASE to nowhere. But I don't want to kill useful SMM functionality.
I am not trying to create rootkits. I just want to get total control over my machine. I dislike the idea of having closed source code executing transparently on the machine.
I don't know if there is a way to read the SMRAM code from somewhere in the BIOS area. From some place, the BIOS has to load it.
Whatever I search in Google about reading SMM code, it directs me to rootkits.

Cheers!

Re: Reading the SMRAM

Posted: Thu Sep 16, 2010 5:18 am
by Brendan
Hi,
smoothCoder wrote: I want to dump the SMRAM to an archive and disassemble it.
Why? There's nothing you could do with this information if you can get it, and usually no way to get it.
smoothCoder wrote: I have not tested it yet, but apparently there is one (not guaranteed to work) way to re-allocate the SMBASE to nowhere. But I don't want to kill useful SMM functionality.
If you can change the SMBASE, it won't magically make the information at the old SMBASE suddenly appear at the new SMBASE.
smoothCoder wrote: I just want to get total control over my machine. I dislike the idea of having closed source code executing transparently on the machine.
Then you've only really got 3 choices - use open source firmware (e.g. coreboot), write your own firmware for existing hardware, or write your own firmware for your own hardware. The first 2 choices won't give you total control over the machine (only control of all software on the machine - for example, there can still be hardware doing things without your knowledge).
smoothCoder wrote: Whatever I search in Google about reading SMM code, it directs me to rootkits.
There's only 2 reasons to be messing with SMM:
  • you're writing firmware, and therefore you have the necessary knowledge/experience to get all information you need from the chipset's data sheet/s (and therefore have no need to search for information)
  • you're a 12-year-old script kiddie who lacks the necessary knowledge/experience to realise an SMM rootkit is stupid (and therefore you do have a need to search for information)
Basically what I'm saying is that SMM should be considered part of the motherboard's hardware. If you don't trust the motherboard's SMM, then you shouldn't be trusting the motherboard's hardware either.


Cheers,

Brendan

Re: Reading the SMRAM

Posted: Thu Sep 16, 2010 6:11 am
by smoothCoder
Brendan wrote: If you can change the SMBASE, it won't magically make the information at the old SMBASE suddenly appear at the new SMBASE.
I knew that before posting. This is part of the problem: re-allocating the SMBASE doesn't help me at all.
Brendan wrote: There's only 2 reasons to be messing with SMM:
I have a third reason, but it is part of the secret part of my project.

I looked at coreboot and there I found a lot of new things to learn. Lamentably, for me getting inside coreboot will take six more months of learning and coding. I'll keep searching a few days more in SMM-rootkit papers. If I find the answer there, it will not be necessary to mess with coreboot.

Cheers!

Re: Reading the SMRAM

Posted: Wed Sep 22, 2010 7:40 am
by a5498828
I believe SMM has its own address space, and can be accessed only in a special way. You can read its content by writing a dump routine into it through cache poisoning.

Re: Reading the SMRAM

Posted: Sat Feb 05, 2011 12:28 pm
by marcbuck
Hi,
Brendan wrote: There's only 2 reasons to be messing with SMM:
  • you're writing firmware, and therefore you have the necessary knowledge/experience to get all information you need from the chipset's data sheet/s (and therefore have no need to search for information)
  • you're a 12-year-old script kiddie who lacks the necessary knowledge/experience to realise an SMM rootkit is stupid (and therefore you do have a need to search for information)
Basically what I'm saying is that SMM should be considered part of the motherboard's hardware. If you don't trust the motherboard's SMM, then you shouldn't be trusting the motherboard's hardware either.
Please tell me, Brendan, why is it the "work" of a "12yo script kiddie" to mess around with SMM rootkits, e.g. J. Rutkowska and IvanLefou did hold conferences at BH about that? What is the reason against going deeper in the machine to see the SMM RAM?

Re: Reading the SMRAM

Posted: Sat Feb 05, 2011 4:24 pm
by Combuster
The whole security issue behind SMM has been documented; what's left is people making use of the system for their own bad sense of humour: the script kiddies.