Switching to SMM with FreeBSD 6.2 onwards
Won De Erick
won.derick at yahoo.com
Fri Mar 27 07:00:14 PDT 2009
--- On Fri, 3/27/09, Andriy Gapon <avg at icyb.net.ua> wrote:
> on 27/03/2009 12:35 Ivan Voras said the following:
> > Takanori Watanabe wrote:
> >> In message <17314.10813.qm at web45811.mail.sp1.yahoo.com>, Won De Erick wrote:
> >>> Hi All,
> >>>
> >>> I'm not quite familiar with FreeBSD, but I want to do the following in 6.2/7.1.
> >>>
> >>> /* Raise IOPL to 3 to open all I/O ports */
> >>> /* something like 'i386_iopl(3)' */
> >>> ...
> >> see i386_get_ioperm(2) or io(4).
> >>
> >>> /* Open SMRAM access */
> >>> outl(unsigned int port, unsigned long int data);
> >>>
> >>> Also, I appreciate comments on the following wrapper:
> >>>
> >>> static inline void outl(unsigned int port, unsigned long int data)
> >>> {
> >>>     /* outl takes the value from %eax and the port from %dx (or an 8-bit immediate) */
> >>>     __asm__ __volatile__("outl %0, %w1" : : "a" ((unsigned int)data), "Nd" (port));
> >>> }
> >>>
>
> Take a look at machine/cpufunc.h
Oh I see. :)
>
> >>> My goal is to switch the processor to SMM by triggering SMI from userland.
> >>
> >> Probably this will work.
> >> So what do you want to ask about that?
If it is possible, I should want to write data to certain registers or a portion of memory where the BIOS firmware or the BMC firmware could possibly detect it as a 'reconfiguration', and make a significant log on the SEL as "System Reconfigured". If someone has a better idea, it is very much welcome.
> >
> > One thing that comes to my mind is this:
> > http://invisiblethingslab.com/resources/misc09/smm_cache_fun.pdf
I will add that to the following:
http://www.ssi.gouv.fr/fr/sciences/fichiers/lti/cansecwest2006-duflot-paper.pdf
I've made the exploit code found in the appendix runnable on FreeBSD 7.1 by replacing some of the unsupported functions, but I'm still looking for ways to verify whether I've successfully written data to the intended address or not. I've replaced '/dev/xf86' with '/dev/mem', then opened '/dev/io' instead of using 'i386_get_ioperm()'. Am I on the right track?
> >
> > :)
>
> Yeah, and IDA Pro rocks too :-)
>
>
> --
> Andriy Gapon