Wednesday, August 22, 2018

Instructions on how to dump your firmware

Hi folks,

A number of people have asked me how they can participate in firmware gathering, and the short answer is, "Dump your firmware, and upload it to us, at https://armor.ai".

As you might expect, the actual answer is a little longer, so here are the instructions for firmware dumping...

On a Mac running High Sierra, it's easy, because there is a built-in command, eficheck. Here are the steps:

1) Open up a terminal

2) This command saves system's EFI firmware, type:

sudo /usr/libexec/firmwarecheckers/eficheck/eficheck --save -b YourFilenameOfChoice.bin

3) This command overwrites EFI variables portions, scrubbing any privacy-sensitive bits, enabling the image to be shared for analysis, type:

sudo /usr/libexec/firmwarecheckers/eficheck/eficheck --cleanup -b YourFilenameOfChoice.bin

4) upload firmware.bin to https://www.armor.ai/scan

Windows is trickier. There are a number of ways, but currently, the easiest seems to be these steps:

Either, (a) download your own version of ChipSec from https://github.com/chipsec, read the manual, and make your own zips, or (b) Download a version of ChipSec and an EFI shell from my DropBox (my EFI shell is set for an x86 machine)

https://www.dropbox.com/s/hyftzcttq14pm2p/chipsec.7z?dl=0
https://www.dropbox.com/s/7982bi2qrkhkosh/efi.7z?dl=0

and unzip each of those into the root of the thumb drive, and then:
(1) Boot your computer into BIOS, and turn off secure boot
(2) Boot into the thumb drive. This should bring up an EFI shell, that looks a lot like old MsDOS, but is neither Dos nor a Linux shell. It brings up a command prompt that says, “Shell>”
(5) You need to get into the root directory of the thumb drive, by typing FS0:
(I have seen machines where the thumb drive came up as FS1:, and even FS2:, but generally, it’s FS0:)
(6) You should then be able to do a Dir or LS, and see the Chipsec directory, and an EFI directory.
(7) Change directory to chipsec ... cd \chipsec
(8) type: python chipsec_util.py spi dump filename.bin
(9) type: exit

That should allow you to boot back into BIOS, and turn secure boot back on, and then boot to your OS, and upload the captured file to https://www.armor.ai/scan

Be sure to put your email into the webpage, because some analyses take a while, and your email will allow us to send it to you, when it is complete.

Thanks in advance for your help

No comments: