### Advanced x86:

### BIOS and System Management Mode Internals PCI {Option/Expansion} ROMs

### Xeno Kovah && Corey Kallenberg LegbaCore, LLC



#### All materials are licensed under a Creative Commons "Share Alike" license. http://creativecommons.org/licenses/by-sa/3.0/

You are free:



to Share — to copy, distribute and transmit the work

to Remix - to adapt the work

#### Under the following conditions:

Attribution — You must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work).



Share Alike — If you alter, transform, or build upon this work, you may distribute the resulting work only under the same, similar or a compatible license.

Attribution condition: You must indicate that derivative work

"Is derived from John Butterworth & Xeno Kovah's 'Advanced Intel x86: BIOS and SMM' class posted at http://opensecuritytraining.info/IntroBIOS.html" 2

# PERSISTENCE PCI DEVICE EXPANSION ROMS

- Hardware-specific
- Graphics cards in iMacs have them
  - MacBook Pros too
  - My old test MacBook no dice
  - VMware's ethernet interfaces do hurr (good for testing)
- Can write to them from the OS
  - Thanks, iMacGraphicsFWUpdate.pkg!
  - Probably with flashrom
- Pretty awesome. 7/10.



#### https://trmm.net/Thunderstrike\_31c3















# Thunderstrike 2: Sith Strike

Trammell Hudson – Two Sigma Xeno Kovah, Corey Kallenberg – LebgaCore

#### PCI/PCIe Expansion ROMs (XROMs) aka Option ROMs (OROMs)

- A PCI/PCIe Expansion ROM is *x86 native executable code* located on a PCI device
  - Can technically have multiple architectures' native code on it, so that the device can load just as well on a PPC device as an x86 one.
- Not every device will have one
  - Graphics cards, network cards will likely have one
  - A device can have multiple XROMs (for multiple architectures)
- Benign or otherwise this code gets executed by the CPU/ BIOS during the boot process
- They are handled the same on PCI Express as they are in PCI
- They are configured via a separate BAR called the Expansion ROM Base Address Register

### **Expansion ROMs**

| 31                            | 16                     | 15               | 0                  | _   |  |  |  |  |  |  |  |  |
|-------------------------------|------------------------|------------------|--------------------|-----|--|--|--|--|--|--|--|--|
| Devle                         | Device ID Vendor ID    |                  |                    |     |  |  |  |  |  |  |  |  |
| Sta                           | Status Command         |                  |                    |     |  |  |  |  |  |  |  |  |
|                               | Class Code Revision ID |                  |                    |     |  |  |  |  |  |  |  |  |
| BIST                          | Header<br>Type         | Latency<br>Timer | Cache Llne<br>Slze | 0Ch |  |  |  |  |  |  |  |  |
|                               |                        |                  |                    |     |  |  |  |  |  |  |  |  |
|                               |                        |                  |                    | 14h |  |  |  |  |  |  |  |  |
| Base Address Registers        |                        |                  |                    |     |  |  |  |  |  |  |  |  |
|                               |                        |                  |                    |     |  |  |  |  |  |  |  |  |
|                               |                        |                  |                    | 20h |  |  |  |  |  |  |  |  |
|                               |                        |                  |                    | 24h |  |  |  |  |  |  |  |  |
|                               | Cardbus C              | IS Pointer       |                    | 28h |  |  |  |  |  |  |  |  |
| Subsys                        | tem ID                 | Subsystem        | Vendor ID          | 2Ch |  |  |  |  |  |  |  |  |
| E                             | Expansion RC           | M Base Addr      | ess                | 30h |  |  |  |  |  |  |  |  |
| Reserved Capabilities Pointer |                        |                  |                    |     |  |  |  |  |  |  |  |  |
|                               | Reserved               |                  |                    |     |  |  |  |  |  |  |  |  |
| Max_Lat                       | MIn_Gnt                | Interrupt<br>Pln | Interrupt<br>Line  | 3Ch |  |  |  |  |  |  |  |  |

- XROMs have their own BAR called the Expansion ROM Base Address Register
  - On general type PCI devices it's located at offset 30h
  - On bridge type devices it's at 38h
- BIOS initializes the XROM BAR like the other BARs, but hands off execution control to the code it points to
- XROMs are copied to memory before being executed
  - On legacy systems they are copied to C0000 to DFFFFh range
- The XROM BAR operates similarly to the other BARs but the interpretation of the field's bits is slightly different

#### **Expansion ROM Base Address Register**

| 31 |                                               | 11 10 |          | 1 | 0 |
|----|-----------------------------------------------|-------|----------|---|---|
|    | Expansion ROM Base Address<br>(Upper 21 bits) |       | Reserved |   |   |
|    | Expansion ROM Enable                          |       |          |   |   |

- The LSB determines whether accesses to the Expansion ROM are permitted. When asserted to 1, they are permitted
- Even when a device has an Expansion ROM, its BAR may still be 0 (meaning access to it is not permitted)
- Like the PCI BARs, the Expansion ROM BAR is also R/W

#### **Command Register and Address Space Access**

| 31       | 16                                                | 15                                                    | 0                 |                             |                                     |                                                          |                      |      |      |   |   |   |   |   |    |   |   |   |
|----------|---------------------------------------------------|-------------------------------------------------------|-------------------|-----------------------------|-------------------------------------|----------------------------------------------------------|----------------------|------|------|---|---|---|---|---|----|---|---|---|
| Devie    | Device ID Vendor ID 0                             |                                                       |                   |                             |                                     | 15                                                       |                      | 10   | 9    | 8 | 7 | 6 | 5 | 4 | 3  | 2 | 1 | 0 |
| Sta      | Status Command                                    |                                                       |                   |                             |                                     | F                                                        | Reserved             |      |      |   |   |   |   |   |    |   | 1 |   |
|          | Class Code                                        | 08h Interrupt Disable A A A A A A A A A A A A A A A A |                   |                             |                                     |                                                          |                      |      |      |   |   |   |   |   |    |   |   |   |
| BIST     | BIST Header Latency Cache Line<br>Type Timer Size |                                                       |                   |                             |                                     | Fast Back-to-Back Enable<br>0Ch SERR# Enable<br>Reserved |                      |      |      |   |   |   |   |   |    |   |   |   |
|          |                                                   |                                                       | 10h               | Parity                      | / Error Res                         | sponse —                                                 |                      |      |      |   |   |   |   |   |    |   |   |   |
|          |                                                   |                                                       |                   | 14h                         | Memo                                | ory Write a                                              | oop<br>nd Invalidate | e En | able |   |   |   |   |   |    |   |   |   |
|          | Base Addres                                       | s Registers                                           |                   | 18h                         | -                                   | -                                                        |                      |      |      |   |   |   |   |   |    |   |   |   |
|          |                                                   |                                                       |                   | 1Ch                         |                                     | • •                                                      |                      |      |      |   |   |   |   |   |    |   |   |   |
|          |                                                   |                                                       |                   | 20h                         |                                     |                                                          |                      |      |      | _ |   |   |   |   |    |   |   |   |
|          |                                                   |                                                       |                   | 24h                         |                                     |                                                          | pansio               |      |      |   |   |   |   |   | ly |   |   |   |
|          | Cardbus C                                         | IS Pointer                                            |                   | respond to accesses if the  |                                     |                                                          |                      |      |      |   |   |   |   |   |    |   |   |   |
| Subsys   | tem ID                                            | Subsystem                                             | Vendor ID         | 2Ch                         | Expansion ROM Enable bit <u>and</u> |                                                          |                      |      |      |   |   |   |   |   |    |   |   |   |
| E        | Expansion RO                                      | M Base Addr                                           | ess 1             | the memory space bit in the |                                     |                                                          |                      |      |      |   |   |   |   |   |    |   |   |   |
|          | Reserved Capabilities Pointer                     |                                                       |                   |                             |                                     | <sup>34h</sup> Command Register are both set             |                      |      |      |   |   |   |   |   |    |   |   |   |
| Reserved |                                                   |                                                       |                   |                             |                                     |                                                          |                      |      |      |   |   |   |   |   |    |   |   |   |
| Max_Lat  | MIn_Gnt                                           | Interrupt<br>Pln                                      | Interrupt<br>Line | 3Ch                         |                                     |                                                          |                      |      |      |   |   |   |   |   |    |   |   |   |



- To determine whether the device has implemented an Expansion ROM base:
- All 1's are written to the top 21 bits (31:11) of the Expansion ROM BAR
- If the device returns anything other than 0, then it has implemented an Expansion ROM



- The return address indicates both the size of the ROM and the memory alignment (mask) required by the ROM:
- Per the above example:
- Size = ~FFFE\_0000 +1 = 2\_0000h bytes
- ROM must be mapped to a 128KB-aligned memory address
  - So addresses like XXX00000, XXX20000, XXX40000, etc



- Next the CPU/BIOS maps the ROM to an unused portion of memory
- Then it sets the enable bit so that the ROM is now accessible at the address defined by the BIOS

| Offset  | Length | Value | Description                                                           |
|---------|--------|-------|-----------------------------------------------------------------------|
| 0h      | 1      | 55h   | ROM Signature byte 1                                                  |
| 1h      | 1      | AAh   | ROM Signature byte 2                                                  |
| 2h      | 1      | xx    | Initialization Size - size of the code in units of 512 bytes          |
| 3h      | 3      | xx    | Entry point for INIT function. POST does a FAR CALL to this location. |
| 6h-17h  | 12h    | хх    | Reserved (application unique data)                                    |
| 18h-19h | 2      | хх    | Pointer to PCI Data Structure                                         |
|         | •      |       |                                                                       |

#### CPU/BIOS checks memory for Option ROM structure

- If anything other than the "AA55" signature is present, there is actually no Option ROM provided by the device, despite the fact that it returns a mask as if there were
  - I have some ice cream. Want a lick? Psych!
- There may still be an option ROM, however, some companies implement them in non-standard ways

## **CPU/BIOS Expansion ROM Discovery**

- A PCI device can share a decoder between the Expansion ROM BAR and other BARs
- For example:
- Some vendors mirror their Expansion ROMs at BAR[n] or at an offset from BAR[n]
  - NVidia sometimes puts them at BAR[0] + 30\_000h (per the developers of Flashrom )
  - <u>http://flashrom.org/Flashrom</u>
- It is possible that there simply is no Expansion ROM present on the device
  - Could be located in a compressed module in the BIOS binary

#### Expansion ROM Discovery: User Example (Same as BIOS)

| 🔣 PCI          |                       |                      |          |               |                       |                      |                  |          |                                |
|----------------|-----------------------|----------------------|----------|---------------|-----------------------|----------------------|------------------|----------|--------------------------------|
|                | 🛗 🚰 👬 (               | byte wor<br>8bit 16b | al 225al | PCI           |                       | l                    | Refresh          |          |                                |
| Bus 01, Device | e 00, Function 00 - n | Vidia Corporatio     |          |               | 🖮 🚰 🏔                 | byte wor<br>8bit 16b |                  | 2        |                                |
| 48             | 03020100              | 07060504             | 0B0A090  |               |                       |                      |                  |          | ````                           |
| 000            | 06EB10DE              | 001 0007             | 030000/  | Bus 01, Devic | e 00, Function 00 - n | Vidia Corporatio     | n VGA Controller | (PCIE) 🔹 | Info Tex                       |
| 010            | F5000000              | E00000C              | 000000   | 8             | 03020100              | 07060504             | 0B0A0908         | 0F0E0D0C | Device/Vend                    |
| 020            | 00000000              | 0000DF01             | 0000000  |               | 06EB10DE              | 00100007             | 030000A1         | 00000010 | Revision ID                    |
| 030            | FFFFF800              | 00000060             | 000000   | 000           | F5000000              | E000000C             | 00000000         | F2000004 | Class Code<br>   Cacheline Si; |
| 040            | 02331028              | 0000000              | 0000000  | 010           |                       |                      |                  |          | Latency Time                   |
| 050            | 0000001               | 00000001             | 0023D6   |               | 00000000              | 0000DF01             | 00000000         | 02331028 | Interrupt Pin                  |
| 060            | 00036801              | 0000008              | 0080780  | 030           | FFFE0000              | 00000060             | 00000000         | 00000110 | Interrupt Line                 |
| 070            | 00000000              | 00000000             | 000200:  | 040           | 02331028              | 00000000             | 00000000         | 00000000 | BAR2                           |
| 080            | 00002910              | 00002D02             | 1101004  | 050           | 00000001              | 00000001             | 0023D6CE         | 00000000 | BAR3<br>BAR4                   |
| 090            | 00000000              | 00000000             | 000000   | 060           | 00036801              | 0000008              | 00807805         | 00000000 | BAR5                           |
|                |                       |                      |          | 070           | 00000000              | 00000000             | 00020010         | 012C84A0 | BAR6                           |
|                |                       |                      |          | 080           | 00002910              | 00002D02             | 1011004B         | 00000000 | Expansion R(<br>Subsystem ID   |
|                |                       |                      |          | 090           | 0000000               | 00000000             | 00000000         | 00000010 |                                |

- This example pertains to the nVidia VGA card on the E6400 laptop
- Verify that the memory-enable space bit 1 in the command register (offset 04h) is asserted
- Writing FFFF\_F800h to offset 30h returns FFFE\_0000h indicating that an Expansion ROM [might be] present
  - Bit 17 is the LSB, which indicates a 128KB ROM
  - Size = ~FFFE\_0000 + 1 = 2\_0000h bytes

#### Expansion ROM Discovery: User Example (Same as BIOS)

| 📕 Mem | iory     |        |          |              |                      |         |                  |                     |                      |                  |          |                               |
|-------|----------|--------|----------|--------------|----------------------|---------|------------------|---------------------|----------------------|------------------|----------|-------------------------------|
|       | bin]     |        |          | byte<br>8bit | word dw<br>16 bit 32 | Lad d   |                  |                     |                      | Refresh          |          |                               |
|       |          |        | <u> </u> |              | 16bit 32             | <u></u> | 🌉 PCI            |                     |                      |                  |          |                               |
| A     | ddress = | 000000 | 000010   | 0000         |                      |         |                  | i 🚰 🏟               | byte wor<br>8bit 16b |                  | 2        |                               |
| 0     | 0100     | 0302   | 0504     | 070          | 0908                 | OBC     |                  |                     |                      |                  |          |                               |
| 00    | DE18     | CABF   | 0000     | 0000         | . 312                | 000     | Bus 01, Device ( | )0, Function 00 - r | nVidia Corporatio    | n VGA Controller | (PCIE) 🔻 | Info Text                     |
| 10    | 0000     | 0000   | 0000     | 0000         | C000                 | 000     | 8                | 03020100            | 07060504             | 0B0A0908         | 0F0E0D0C | Device/Vend                   |
| 20    | 0001     | 0000   | 0000     | 0000         | C000                 | 000     | 000              | 06EB10DE            | 00100007             | 030000A1         | 00000010 | Revision ID<br>Class Code     |
| 30    | 4000     | 0001   | 0000     | 0000         | 0002                 | 000     | 0.3              | F5000000            | E000000C             | 00000000         | F2000004 | Cacheline Siz                 |
| 40    | 0000     | 000E   | 0000     | 0000         | 0000                 | 000     | 020              | 00000000            | 0000DF01             | 00000000         | 02331028 | Latency Time<br>Interrupt Pin |
| 50    | 0002     | 0000   | 0000     | 0000         | 0000                 | 001     | 030              | 00100001            | 0000060              | 00000000         | 00000110 | Interrupt Line                |
| 60    | 0000     | 1FF0   | 0000     | 0000         | 0001                 | 000     | 040              | 02331028            | 00000000             | 00000000         | 00000000 | BAR1<br>BAR2                  |
| 70    | 0000     | 2000   | 0000     | 0000         | 0000                 | 002     | 050              | 0000001             | 0000001              | 0023D6CE         | 00000000 | BAR3                          |
| 80    | 0002     | 0000   | 0000     | 0000         | 0000                 | 202     | 060              | 00036801            | 80000008             | 00807805         | 0000000  | BAR4<br>BAR5                  |
| 90    | 0000     | 1FE0   | 0000     | 0000         | 0001                 | 000     | 070              | 00000000            | 00000000             | 00020010         | 012C84A0 | BAR6                          |
|       |          |        |          |              |                      |         | 080              | 00002910            | 00002D02             | 1011004B         | 0000000  | Expansion R0<br>Subsystem ID  |
|       |          |        |          |              |                      |         | 090              | 00000000            | 00000000             | 00000000         | 0000010  | 2.200,000,000                 |

- We (or the BIOS) should be able to choose a memory address for the ROM to be mapped to
- Address must meet alignment requirements
- Address must provide enough room for the XROM
- Must enable the XROM decoding (assert bit 0, enable)

#### Expansion ROM Discovery: User Example (Same as BIOS)

|          | Memor    | у            |              |        |              |                      |            |                  |                     |                      |                  |          |                              |
|----------|----------|--------------|--------------|--------|--------------|----------------------|------------|------------------|---------------------|----------------------|------------------|----------|------------------------------|
|          |          | I 🚈          |              |        | byte<br>8bit | word dw<br>16 bit 32 | List d     |                  |                     |                      | Refresh          |          |                              |
|          |          |              |              |        |              | 16bit 32             |            | 🌉 PCI            |                     |                      |                  |          |                              |
|          | Add      | iress = (    | 000000       | 000010 | 0000         |                      |            |                  |                     | byte wor<br>8bit 16b |                  | 2        |                              |
|          | 0        | 0100         | 0302         | 0504   | 0706         | 0908                 | OBC        |                  |                     |                      |                  |          | 1                            |
|          | 00       | DE18         | CABF         | 0000   | 0000         | 0012                 | 000        | Bus 01, Device ( | 00, Function 00 - r | nVidia Corporatio    | n VGA Controller | (PCIE) 🔹 | Info Text                    |
|          | 10       | 0000         | 0000         | 0000   | 0000         | C000                 | 000        | 8                | 03020100            | 07060504             | 0B0A0908         | 0F0E0D0C | Device/Vend                  |
|          | 20       | 0001         | 0000         | 0000   | 0000         | C000                 | 000        | 000              | 06EB10DE            | 00100007             | 030000A1         | 00000010 | Revision ID<br>Class Code    |
|          | 30       | 4000         | 0001         | 0000   | 0000         | 0002                 | 000        | 010              | F5000000            | E000000C             | 00000000         | F2000004 | Cacheline Siz                |
| <u> </u> | 40       | 0000         | 000E         | 0000   | 0000         | 0000                 | 000        | 020              | 00000000            | 0000DF01             | 00000000         | 02331028 | Latency Time                 |
| 1        | 50       | 0002         | 0000         | 0000   | 0000         | 0000                 | 001        | 030              | 00100001            | 0000060              | 00000000         | 00000110 | Interrupt Line               |
|          | 60<br>70 | 0000         | 1FF0         | 0000   | 0000         | 0001<br>0000         | 000        | 040              | 02331028            | 00000000             | 00000000         | 00000000 | BAR1<br>BAR2                 |
|          | 80       | 0000<br>0002 | 2000<br>0000 | 0000   | 0000         | 0000                 | 002<br>202 | 050              | 0000001             | 0000001              | 0023D6CE         | 00000000 | BAR3                         |
|          | 90       | 0002         | 1FE0         | 0000   | 0000         | 0001                 | 000        | 060              | 00036801            | 0000008              | 00807805         | 00000000 | BAR4<br>BAR5                 |
|          | 30       | 0000         | 11-20        | 0000   | 0000         | 0001                 | 000        | 070              | 00000000            | 0000000              | 00020010         | 012C84A0 | BAR6                         |
|          |          |              |              |        |              |                      |            | 080              | 00002910            | 00002D02             | 1011004B         | 00000000 | Expansion R0<br>Subsystem ID |
|          |          |              |              |        |              |                      |            | 090              | 00000000            | 00000000             | 00000000         | 0000010  |                              |

- If there is anything other than the "AA55" XROM signature, then there is actually no option ROM present
- As it turns out, in this case, there is no option ROM located on the device
- This option ROM is located on the BIOS flash as a compressed module

### **Expansion ROM Hacking**

- Hacking an Expansion ROM typically requires reflashing the firmware on the device
  - Often the "RO" in "ROM" is a misnomer
  - Although in the case we just saw, modifying the BIOS itself could permit an attacker to insert a malicious XROM
- If a vendor offers a utility to update the flash then you know the flash is writeable
- Good reference on XROM hacking:
- <u>http://resources.infosecinstitute.com/pci-expansion-rom/</u>
- It's important for Option ROMs to be measured (measured boot) before being executed

## Secure Boot

- Systems that support UEFI/Windows 8 Secure Boot require XROMs to be signed before it will execute them
  - Assuming you didn't turn off SecureBoot
- Apple systems don't support SecureBoot, therefore what worked in 2012 still works today
  - The fact that systems load XROMs off external peripherals like the Thunderbolt Ethernet adapter make it just that much easier to attack Macs this way

# References

- <u>https://sites.google.com/site/pinczakko/building-a-kernel-in-pci-expansion-rom</u> (Darmawan Salihun)
- <u>http://www.blackhat.com/presentations/bh-dc-07/Heasman/</u> <u>Paper/bh-dc-07-Heasman-WP.pdf</u> (John Heasman)
- <u>http://pacsec.jp/psj13/psj2013-day2\_Pierre\_pacsec-uefi-pci.pdf</u> (Pierre Chifflier)
- <u>http://ho.ax/downloads/</u>
  <u>De\_Mysteriis\_Dom\_Jobsivs\_Black\_Hat\_Slides.pdf</u> (Snare)
- <u>https://trmm.net/Thunderstrike</u> (Trammel Hudson)
- <u>http://legbacore.com/Research\_files/ts2-blackhat.pdf</u> (Trammel Hudson, Xeno Kovah, Corey Kallenberg)