subgraph / subgraph-os-issues

Subgraph OS issues repository

Forensic tools #41

Open ioerror opened 8 years ago

ioerror commented 8 years ago

It would be fantastic if upon the first install of SGOS, a user could easily dump all their option roms, their bios and other details into a directory on the system. Even better would be to automatically upload it to VirusTotal: http://blog.virustotal.com/2016/01/putting-spotlight-on-firmware-malware_27.html

I believe there are a few different ways to accomplish this goal. I have used ree and flashrom to dump option roms and coreboot from the flash chip, for example.

It would generally be interesting to gather a lot of information to better understand what attack surface and persistence methods are present for attackers. This does not need to be shared with Subgraph and could simply be stored for the user in some offline backup.

ioerror commented 8 years ago

As an example, I ran ree on two machines (an x60 and a chromebook pixel 2), dumped various option roms and then uploaded them to VirusTotal:

To test - run:

sudo apt-get install ree
sudo ree

On the pixel 2 it output:

Please wait, scanning... c0000
Found something at c0000 (28160 bytes) (checksum 0)
Please wait, scanning... ee800
Found something at ee800 (6144 bytes) (checksum 78)
Please wait, scanning... f0000

This produced these two files:

sha1sum *
2acea307935ac6ce24cf3440f35969b3e523468f  c0000.rom
64cb4aa6dfe11463ea0a341e16cd4adeacb284ec  ee800.rom

If you want to share - take the resulting files and upload them to VT.

I have used flashrom to dump the coreboot bios on the x60 like so:

# To verify the coreboot BIOS - do the following:
# 
# ./flashrom -p internal -c MX25L1605A/MX25L1606E -v coreboot.rom 
#
# To dump the current bios to a file - do the following:
#
# ./flashrom -p internal -c MX25L1605A/MX25L1606E -r internal-bios-dump.bios
#
# The last known good bios for this machine is:
#
# sha1sum: 7654c754fc9af2824ac72c86b8655af319436bff  coreboot.rom

These are the files that I uploaded:

https://www.virustotal.com/en/file/9e2920bcacc459ed19767ae62babaf8499e6f190968c461b3257a032b12f633c/analysis/1454278099/
https://www.virustotal.com/en/file/8438e11dbb8961b72313791a41dd12097d274f90d3f7f83b0fee1e319de1a606/analysis/1454278061/
https://www.virustotal.com/en/file/06b18f2c99952d485ed4a6bca022bd6d63dd8ba0af9dc8c6b5418da9f6fb4474/analysis/1454278024/
https://www.virustotal.com/en/file/11c160e2436d4d2ffc96ecd12bee0c9e350a884e57405f1008bf01335a4bbecb/analysis/1454277989/
https://www.virustotal.com/en/file/45b9b1c643d89f095f41a0108c414cf55611874892ea4381077188b3cb08f6e9/analysis/1454277927/
https://www.virustotal.com/en/file/7c6462b0890229c0756dd9c8e10abdca0d08e67b648c7c43ba4f3b2b5dc42a4f/analysis/1454278366/
https://www.virustotal.com/en/file/4d46acb7f9188d199d03c7cc5a84903e2785c7628377295b0044af6eb5238b4c/analysis/1454278374/

ioerror commented 8 years ago

In the past, I also found it useful to dump a great deal of information that the system thought it had as hardware by collecting the output of a number of commands:

#!/bin/bash
# 
# First ensure that you:
# modprobe coretemp
# modprobe i2c_core
# modprobe i2c-dev
# modprobe msr
# modprobe thinkpad_acpi force_load=1 debug=0xffff fan_control=1 experimental=1
#
#
# Kernel ring buffer (firmware, ACPI and driver messages from boot)
dmesg
# Dump the Super I/O chip registers
superiotool -deV
# Dump every PCI device with its full config space
lspci -nnvvvxxxx
# Dump the Intel chipset registers
inteltool -a
# Dump the CPU model-specific registers (needs the msr module)
msrtool
# Decode the BIOS entry points (PnP, SMBIOS, ACPI pointers)
biosdecode
# Hex dump of the CMOS/NVRAM contents
nvramtool -x
# 
# ectool
#
# Dump acpi info
acpitool
# Dump pnp
lspnp
# Dump USB
lsusb
# Dump the BIOS details
dmidecode
# List the available i2c bus
i2cdetect -l
# Dump the ethernet card registers
ethtool -d eth0
# Dump the ethernet card eeprom
ethtool -e eth0
# Dump the pci-option roms to PWD
ree
# Dump the available programmable chips
flashrom -p internal
# Dump the bios from the chip
flashrom -p internal -c MX25L1605D/MX25L1608D -r /tmp/MX25L1605D-MX25L1608D.rom
# Dump the nvram
nvramtool -a
# Dump all NVRAM raw
nvramtool -y ~/src/coreboot/src/mainboard/lenovo/x60/cmos.layout -x
# List all the pci devices
lspci
# List them again with lots of details
lspci -vvvvv
# Dump the I/O port, physical memory and interrupt maps
cat /proc/ioports
cat /proc/iomem
cat /proc/interrupts
# Dump the CPU info
cat /proc/cpuinfo

This doesn't properly dump the EC on a laptop, for example. Also if the system is compromised, a reasonable attacker could cause the output of many of those tools to fail or to be incorrect in their favor.
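One way to turn the first comment's proposal (dump everything into a directory on first install) and the script above into something repeatable is to capture each tool's output, its exit status and a hash manifest together. The following is an added example, not Subgraph's or ioerror's code. It assumes the tool names from the thread (ree, flashrom, dmidecode, nvramtool, lspci, lsusb) and the x60 chip name from the script; it does not assume any of them is installed, and it records a missing or failing tool instead of stopping, because the caveat above (a compromised system can make these tools fail or lie) means a tool that suddenly breaks is itself worth noticing when comparing against a first-install baseline.

```shell
#!/bin/sh
# Added example (not Subgraph's or ioerror's code): collect firmware and
# hardware evidence into one directory, keeping the exit status of every
# tool and a SHA-256 manifest of everything captured. The tools named below
# are the ones from the thread; whether they are installed is not assumed,
# and most of them need root.

# run_capture DIR NAME CMD...: run CMD inside DIR with stdout in DIR/NAME.txt
# and stderr in DIR/NAME.err, then append "NAME <exit status>" to
# DIR/status.log. A missing tool is recorded as 127 instead of aborting the
# run: a partial record is still evidence, and a tool that used to work but
# now fails (or is gone) is itself something to notice.
run_capture() {
    cap_dir=$1; cap_name=$2; shift 2
    if ! command -v "$1" >/dev/null 2>&1; then
        printf '%s 127\n' "$cap_name" >>"$cap_dir/status.log"
        return 0
    fi
    # Run inside DIR so tools that write files into the cwd (ree, flashrom -r)
    # leave them next to the captured output.
    if (cd "$cap_dir" && "$@") >"$cap_dir/$cap_name.txt" 2>"$cap_dir/$cap_name.err"; then
        cap_rc=0
    else
        cap_rc=$?
    fi
    printf '%s %s\n' "$cap_name" "$cap_rc" >>"$cap_dir/status.log"
    return 0
}

# write_manifest DIR: SHA-256 of every file in DIR, in sha256sum format with
# relative names, so two collections can be compared line by line.
write_manifest() {
    (
        cd "$1" || exit 1
        : >MANIFEST.sha256
        for f in *; do
            [ -f "$f" ] && [ "$f" != MANIFEST.sha256 ] || continue
            sha256sum "$f" >>MANIFEST.sha256
        done
    )
}

# failed_captures DIR: print the names whose capture did not exit 0.
failed_captures() {
    awk '$2 != 0 { print $1 }' "$1/status.log"
}

# collect_firmware_evidence OUTDIR: the collection itself. The flashrom chip
# name is the one from the thread's x60 script and must be changed per
# machine (flashrom -p internal without -c lists what it detects).
collect_firmware_evidence() {
    out=$1
    mkdir -p "$out" || return 1
    : >"$out/status.log"
    run_capture "$out" dmesg      dmesg
    run_capture "$out" dmidecode  dmidecode
    run_capture "$out" lspci      lspci -nnvvvxxxx
    run_capture "$out" lsusb      lsusb
    run_capture "$out" cpuinfo    cat /proc/cpuinfo
    run_capture "$out" iomem      cat /proc/iomem
    run_capture "$out" ioports    cat /proc/ioports
    run_capture "$out" nvram      nvramtool -x
    run_capture "$out" ree        ree
    run_capture "$out" flashrom-probe flashrom -p internal
    run_capture "$out" flashrom-dump  flashrom -p internal -c MX25L1605D/MX25L1608D -r bios-dump.rom
    write_manifest "$out"
    failed_captures "$out"
}

# Usage (as root): COLLECT_DIR=/var/lib/firmware-evidence/$(date +%F) sh collect.sh
# The COLLECT_DIR variable and the path are this example's own convention.
if [ -n "${COLLECT_DIR:-}" ]; then
    collect_firmware_evidence "$COLLECT_DIR"
fi
```

The resulting directory holds the raw dumps (ree's `<addr>.rom` files, the flashrom image), each tool's text output, `status.log` and `MANIFEST.sha256`; the manifest is what a later run can be compared against, and the `.rom` files are what would be hashed or uploaded. A dump taken on a compromised host is only as trustworthy as the host, which is the point made in the comment above; the manifest makes a change visible, it does not make the collection tamper-proof.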

ioerror commented 8 years ago

As an example, it could be possible to easily look at https://johnlewis.ie/custom-chromebook-firmware/rom-archive/ - upload it all to VT and match a bios on a system. That might be useful just generally if we can't rid ourselves of blobs, perhaps we can recognize them in a useful manner?
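The flashrom comment block earlier in the thread checks a dump against one known-good sha1, and the idea here is the same check against a whole archive: hash the dump, look it up in a list of known images. The following is an added example, not Subgraph's or ioerror's code. The known-good list format (one `sha256  label` line per ROM, i.e. sha256sum output) is this example's own assumption; an index of a ROM archive would be such a list produced by running sha256sum over its files. The second function diffs two manifests of the kind a first-install collection would leave behind, so a changed, vanished or new dump shows up.

```shell
#!/bin/sh
# Added example (not Subgraph's or ioerror's code): recognise a firmware
# dump by hash against a known-good list, and diff two collection manifests.
# Both files are in sha256sum format: "<sha256>  <name>" per line.

# hash_of FILE: print the SHA-256 of FILE (hex only).
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# lookup_known FILE LIST: print the label of the LIST entry whose hash equals
# FILE's; print nothing and return 1 when the dump matches nothing known.
lookup_known() {
    h=$(hash_of "$1")
    label=$(awk -v h="$h" '$1 == h { print $2; exit }' "$2")
    [ -n "$label" ] || return 1
    printf '%s\n' "$label"
}

# manifest_diff OLD NEW: report files whose hash CHANGED, that are MISSING
# from NEW, or that are NEW compared with OLD. Returns 1 if anything differs,
# so it can gate an alert when a later collection is compared with the
# first-install one.
manifest_diff() {
    rc=0
    # Every entry in OLD: still present in NEW, and with the same hash?
    while read -r hash name; do
        newhash=$(awk -v n="$name" '$2 == n { print $1 }' "$2")
        if [ -z "$newhash" ]; then
            printf 'MISSING %s\n' "$name"; rc=1
        elif [ "$newhash" != "$hash" ]; then
            printf 'CHANGED %s\n' "$name"; rc=1
        fi
    done <"$1"
    # Every entry in NEW that OLD never had
    while read -r hash name; do
        awk -v n="$name" '$2 == n { found = 1 } END { exit !found }' "$1" \
            || { printf 'NEW %s\n' "$name"; rc=1; }
    done <"$2"
    return $rc
}

# Usage: lookup_known c0000.rom rom-archive.sha256
#        manifest_diff first-install/MANIFEST.sha256 today/MANIFEST.sha256
```

A match against the archive list says the dump is byte-identical to a catalogued image, which is the recognition asked for above; no match says nothing on its own, since the archive may simply not have that vendor build, and that is where uploading the unknown dump to VT fits in.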