~jlin: blog :: Hacking UEFI Variables

Plundervolt was a vulnerability found in Intel SGX (Software Guard Extensions) around mid-2019. It is relatively hard to exploit, as typical users don't use the SGX and the attack requires root privileges. Unfortunately, many manufacturers have patched the issue by disabling software undervolting, regardless of whether the SGX is in use. The good news: this is relatively easy to fix, and can be done without downgrading the BIOS.

First, we take the BIOS update package and extract the individual firmware components using BIOSUtilities. My update package from Dell came in the form of a Windows executable, so I used the Dell PFS BIOS Extractor tool to dump its contents. The only file we are interested in from this set is "1 System BIOS with BIOS Guard v1.17.1.bin".

Next, we need to analyze the firmware to find the offsets of the locked variable. Open the .bin in UEFITool and search for the text "Overclocking Lock". While we could modify this image and flash it, the whole point of this experiment is to avoid flashing the BIOS again, so we use UEFITool's "Extract body" and run the result through yet another tool, the Universal IFR Extractor.

After all this trouble, we finally have a human-readable Internal Forms Representation of the BIOS Setup utility. Looking through the file, it is clear that much of the advanced configuration available on desktops is also present on laptops, but the Setup menus are hidden. Skipping down to the Overclocking Lock mentioned before, we see:

    0x3A195 Form: View/Configure CPU Lock Options, FormId: 0x2732

Next to the Overclocking Lock is the CFG Lock, which needs to be disabled for Hackintosh machines to have correct native power management. We mark down the offsets of both, in this case 0x4ED and 0x59C. (It should be noted that these offsets are different on different machines. Using offsets for a different machine will write to an unexpected location, possibly bricking your machine!)

Now we might try to modify the EFI NVRAM by writing to the correct locations in efivarfs, but its restrictions are too limiting for our purposes. Luckily, a modded GRUB exists for this purpose. Assuming our EFI system partition is mounted at /boot/EFI, we simply place modGRUBShell.efi in that directory.

Although not really necessary, we can avoid a potentially wasted reboot due to a broken EFI application by testing with QEMU (only the OVMF firmware argument of the command survived extraction):

    -bios /usr/share/edk2-ovmf/OVMF_CODE.fd \

It works if you see the GRUB shell and setup_var is a valid command.

Before we are able to reboot into this shell, we need to add an entry for it in the EFI boot manager. This is one of the few variables efivarfs can write to, and efibootmgr is a simple frontend for manipulating it:

    $ efibootmgr --create --loader '\EFI\modGRUBShell.efi'
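As an added example (not code from the original post), here is a small Python helper that pulls the varstore offset of a named setting out of an IFR text dump and checks it against the declared varstore size, the bounds check that guards against the wrong-machine offset problem the post warns about. The dump lines below are constructed in the style of an IFR extractor's output, reusing the post's form line and the offsets 0x4ED and 0x59C; the field names and the varstore GUID are assumptions.

```python
import re

# Constructed sample IFR dump. The Form line is the one quoted in the post;
# the VarStore and OneOf lines are made up to illustrate the layout, reusing
# the post's offsets 0x4ED and 0x59C. The GUID and field names are assumptions.
SAMPLE_IFR = """\
0x3A100 VarStore Guid: EC87D643-EBA4-4BB5-A1E5-3F3E36B20DA9, VarStoreId: 0x1, Size: 0x6E0, Name: "Setup"
0x3A195 Form: View/Configure CPU Lock Options, FormId: 0x2732
0x3A1A0 OneOf Prompt: "Overclocking Lock", Help: "Enable/Disable Overclocking Lock", QuestionId: 0x49, VarStoreId: 0x1, VarOffset: 0x4ED, Size: 1
0x3A1C0 OneOf Prompt: "CFG Lock", Help: "Configure MSR 0xE2[15]", QuestionId: 0x4A, VarStoreId: 0x1, VarOffset: 0x59C, Size: 1
0x3A1E0 OneOf Prompt: "Bogus Setting", Help: "Offset past end of varstore", QuestionId: 0x4B, VarStoreId: 0x1, VarOffset: 0x700, Size: 1
"""

HEX = r"0x[0-9A-Fa-f]+"
VARSTORE_RE = re.compile(
    rf'VarStore Guid: .*?VarStoreId: ({HEX}), Size: ({HEX}), Name: "([^"]+)"')
SETTING_RE = re.compile(
    rf'Prompt: "([^"]+)".*?VarStoreId: ({HEX}), VarOffset: ({HEX}), Size: (\d+)')


def parse_varstores(dump):
    """Map VarStoreId -> (name, size in bytes) from the VarStore lines."""
    stores = {}
    for line in dump.splitlines():
        m = VARSTORE_RE.search(line)
        if m:
            stores[int(m.group(1), 16)] = (m.group(3), int(m.group(2), 16))
    return stores


def find_setting(dump, prompt):
    """Locate a setting by its prompt text.

    Returns (varstore_name, offset, size, in_bounds), where in_bounds is
    False when offset+size exceeds the varstore's declared size, i.e. when
    a write there would land outside the variable. Returns None if absent.
    """
    stores = parse_varstores(dump)
    for line in dump.splitlines():
        m = SETTING_RE.search(line)
        if m and m.group(1) == prompt:
            store_id = int(m.group(2), 16)
            offset, size = int(m.group(3), 16), int(m.group(4))
            name, store_size = stores.get(store_id, ("<unknown varstore>", 0))
            return name, offset, size, offset + size <= store_size
    return None


if __name__ == "__main__":
    for prompt in ("Overclocking Lock", "CFG Lock", "Bogus Setting"):
        print(prompt, "->", find_setting(SAMPLE_IFR, prompt))
```

Run it against the real dump from your own firmware rather than the constructed sample, since the offsets only mean anything for the image they came from.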