Dumping PCI device firmware / BIOS firmware to file

Only for programmers and BIOS gurus with technical questions.
Won-A-Dump
New visitors - please read the rules.
Posts: 2
Joined: Tue Nov 03, 2009 5:32 am

I made a post about this, got a whole load of views but no replies. What I was reading in Phrack magazine makes me believe this is a better place to post it.

I believe that PCI cards in computers, eg sound cards, gfx cards, network cards etc sometimes have a writeable area called an Expansion ROM where a BIOS can be kept.

For a research project of mine I need to find a way of dumping the contents of the Expansion ROM of certain PCI devices to a file. I then want to compare this with the contents of the expansion ROM that comes with the card using MD5s or whatever.

I imagine the hard bit will be dumping the contents of the flash BIOS on the PCI card to a file. I want to do this for all devices on my laptop. I started off with the sound card. After digging around in Control Panel I found the Device ID, and found it on pcidatabase.com. The only link provided however was a link to a driver update :(

I would also like to find out if a card has an Expansion ROM for a BIOS in the first place. If it doesn't I don't want to bother backing up the BIOS for it to file.

Here is one device that I've been working on: "Realtek High Definition Audio". The Device ID is 0x0660 from Realtek Semiconductor 0x10EC. I've been digging around and can't find anything that lets you back up the expansion ROM, or even tells me if an expansion ROM for it exists. I have reason to believe there is one though.

I will post up a whole list of PCI devices/motherboards whose flash BIOSes I need backed up to a file once I compile it. There's probably about 12 in total. The sound card is the most important for me though, so if anybody can point me in the right direction of how I can do this, it would be appreciated.

Thanks
cp
BIOS Guru
Posts: 1914
Joined: Mon Oct 21, 2002 9:07 pm
Location: Germany

NICs don't have firmware or a BIOS. they support external I2C chips, however, to save things like configuration, ID and such. they also have mapped registers (just like every PCI card) that can be accessed through PCI memory (address of the PCI card + offset). those registers contain a configuration which can be changed (and will be) by the OS drivers, too. there's nothing to dump here.
VGA cards have a BIOS, but without hardware (register) documents and a disassembly or the original sources it's impossible to tell what the difference between one version or the other really is. there are (were?) a few sites on the net saving VGA BIOS dumps.
soundcards (at least the AC'97 codecs) are just serial stream decoders attached to the southbridge on a serial bus. they just contain a few bytes of configuration data (mixer settings, volume, effects) which WILL be changed by the OS drivers. soundcards don't have a BIOS or built-in firmware. useless to dump anything here.
If you email me include [WIMSBIOS] in the subject.
Won-A-Dump
New visitors - please read the rules.
Posts: 2
Joined: Tue Nov 03, 2009 5:32 am

http://www.antirootkit.com/blog/category/pci-rootkits/

is the kind of thing I was thinking about. I am almost 100% sure, due to information that was given to me, that a rootkit has been flashed somewhere on my laptop. I don't really care what the exact differences are, but if I can at least identify that the MD5s of the dump vs the manufacturer's version are different, I can show that that's where the rootkit resides, since nobody else would flash the cards, and there's no other reason for them to be different.

how do I check if the PCI cards have a flashable area or not? Because according to several articles I've read all over the place, e.g. the one I linked to, it is possible. I know it's unlikely and is a rare attack, and people are more likely to use DLL trojans, but this is definitely a real threat for me and I'd like to dig a little deeper to prove it to people.

thanks
cp
BIOS Guru
Posts: 1914
Joined: Mon Oct 21, 2002 9:07 pm
Location: Germany

Won-A-Dump wrote: how do I check if the PCI cards have a flashable area or not?
check the datasheets of the PCI chips in question. i doubt that there are any free datasheets out there... they usually require an NDA to be signed.
Won-A-Dump wrote: I am almost 100% sure, due to information that was given to me, that a rootkit has been flashed somewhere on my laptop
what exactly makes you think that there's a rootkit in a flash device on your machine? what kind of information are you talking about? who gave you that information? is there something on your laptop that is WORTH the effort?

the author of that research (RESEARCH!!!) paper used a PXE module as an example. the good thing about today's chipsets is that NICs are already integrated, so the PXE ROMs can be found in the normal BIOS. to get rid of a manipulated PXE module you just have to flash the mainboard BIOS with a known-good one. there are no PXE modules for WLAN cards, btw.
Won-A-Dump wrote: but this is definitely a real threat for me and I'd like to dig a little deeper to prove it to people
if there's something on your machine then it would/should contact someone. so the first thing would be to check your network traffic. set up a router that logs all traffic and wait for something suspicious to come up. who would write software that isn't calling home?
it would be even easier to change the OS on your laptop. if the manipulated code inside the flash relies on a certain OS, another OS would render that attack useless. you can even try a live-cd/live-usb/live-whateverdevice.
finally you can remove all PCI devices from your laptop to prevent firmware from being loaded into your clean system.

oh, btw. if someone altered the flash contents, he should have made sure that the functionality of the device is still completely intact, e.g. a WLAN NIC is still working like a WLAN NIC is supposed to work. otherwise the manipulation would be discovered rather quickly. so i really really hope you are a target that is worth all the effort (selecting a PCI device with flashable firmware that is in YOUR machine, disassembling the original firmware, making sure to insert highly optimised OS-generic asm code, putting it all back together, preparing an OS-generic flasher and finally making you execute it).
If you email me include [WIMSBIOS] in the subject.
sharky
BIOS Newbie
Posts: 27
Joined: Wed Oct 07, 2009 2:29 pm

Heh. That blog post implies that a TPM would protect you against those rootkits. At least I had a good laugh.
Won-A-Dump wrote: i am almost 100% sure due to information that was given to me that a rootkit has been flashed somewhere on my laptop. i dont really care what the exact differences are, but if i can atleast identify that the md5's of the dump vs manufacturers version are different,
The MD5 sum of a BIOS ROM dump will differ on all modern BIOS/EFI from the manufacturer download. Whoever gave you your information didn't know too much about BIOS/EFI. Ask him/her why he/she didn't tell you this.
Won-A-Dump wrote: i can show that thats where the rootkit resides, since nobody else would flash the cards, and theres no other reason for them to be different.
Cool. If you really found a rootkit, you can surely upload the original and the modified image somewhere so others can analyze it.
I've done such analysis before, and usually it turned out that everything was okay even when the MD5 sums didn't match (well, if you're doing this seriously, you won't rely on MD5 anyway).
Won-A-Dump wrote: how do i check if the pci cards have a flashable area or not? because according to several articles ive read all over the place eg the one i linked to, it is possible. i know its unlikely and is a rare attack, and people are more likely to use dll trojans, but this is definately a reel threat for me and i'd like to dig a little deeper to prove it to people.
You said you can't prove it, but you believe you have a rootkit. Now let me ask you a small question: If you can't prove it, why do you believe it?
Please don't get me wrong, I'd love to see a real BIOS rootkit and pull it apart, but so far the BIOS rootkits I saw were mostly research.

(Disclaimer: I do earn money with security analysis. I'd usually charge for such stuff, but since you're not a large corporation, you get that info for free. No, this is not an advertisement, and any commercial inquiries will be ignored. I'm here because I like to help people, not to earn money.)
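Two practical points in this thread can be shown in code: the original question (which PCI devices actually expose an Expansion ROM, and how to dump it to a file) and sharky's warning that a raw dump hashed whole will not match the manufacturer's file. The script below is an added example and is not code from any poster here. It assumes a Linux host (a live USB, as cp suggests, is fine) where the kernel creates `/sys/bus/pci/devices/<bdf>/rom` for each device that has an Expansion ROM BAR; reading that file needs root and it must be enabled by writing "1" first. It parses the standard PCI expansion ROM header (0x55AA signature, pointer at 0x18 to the "PCIR" structure) and hashes each image by its declared length, so the 0xFF padding that fills the rest of the BAR window does not disturb the comparison. The sample image and the 0x1234/0x5678 vendor/device IDs are constructed test data, not a real device.

```python
"""Added example for this thread (not any poster's code): find which PCI devices
expose an Expansion ROM, dump it, and hash only the firmware image(s) inside
the dump rather than the whole BAR-sized window.

Assumptions: a Linux host where the kernel creates /sys/bus/pci/devices/<bdf>/rom
for every device whose Expansion ROM BAR is present (reading it needs root and
the file must be enabled by writing "1" first). The sample image built below is
constructed for the test; 0x1234/0x5678 are placeholder IDs, not a real device.
"""
import hashlib
import struct
from pathlib import Path

ROM_SIGNATURE = b"\x55\xaa"
PCIR_SIGNATURE = b"PCIR"
CODE_TYPES = {0: "x86 legacy BIOS", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}


def rom_bar(config):
    """Decode the Expansion ROM BAR (offset 0x30 of a type-0 config header).

    Returns (base_address, enabled), or None for bridges (type-1 headers keep
    the ROM BAR at 0x38).  A value of 0 does NOT prove the device has no ROM:
    firmware often leaves the BAR unassigned, so rely on sysfs presence instead.
    """
    if len(config) < 0x34 or (config[0x0E] & 0x7F) != 0:
        return None
    value = struct.unpack_from("<I", config, 0x30)[0]
    return value & 0xFFFFF800, bool(value & 1)


def parse_rom_images(blob):
    """Walk the image chain of an expansion ROM dump.

    Every image starts with 0x55AA and carries, at offset 0x18, a 16-bit
    pointer to its "PCIR" structure: vendor/device ID, image length in
    512-byte units (offset 0x10), code type (0x14) and the last-image flag
    (bit 7 of 0x15).  Returns one dict per image with a SHA-256 of exactly
    that image; trailing 0xFF padding in the BAR window is ignored.
    """
    images, offset = [], 0
    while offset + 0x1A <= len(blob) and blob[offset:offset + 2] == ROM_SIGNATURE:
        pcir = offset + struct.unpack_from("<H", blob, offset + 0x18)[0]
        if blob[pcir:pcir + 4] != PCIR_SIGNATURE:
            raise ValueError(f"no PCIR structure for image at {offset:#x}")
        vendor, device = struct.unpack_from("<HH", blob, pcir + 4)
        length = struct.unpack_from("<H", blob, pcir + 0x10)[0] * 512
        code_type, indicator = blob[pcir + 0x14], blob[pcir + 0x15]
        image = blob[offset:offset + length]
        images.append({
            "offset": offset, "vendor_id": vendor, "device_id": device,
            "code_type": CODE_TYPES.get(code_type, f"unknown ({code_type})"),
            "length": length, "sha256": hashlib.sha256(image).hexdigest(),
        })
        if indicator & 0x80 or length == 0:   # last image, or malformed header
            break
        offset += length
    return images


def images_match(dump, reference):
    """True when both dumps contain the same images in the same order.

    This is the comparison to make against a vendor download: a raw dump is
    padded to the BAR size and may carry unrelated bytes after the images, so
    hashing the whole file mismatches even when the firmware is untouched.
    """
    a = [i["sha256"] for i in parse_rom_images(dump)]
    b = [i["sha256"] for i in parse_rom_images(reference)]
    return bool(a) and a == b


def dump_sysfs_roms(root="/sys/bus/pci/devices"):
    """Dump and parse every ROM the kernel exposes (run as root)."""
    results = {}
    for dev in sorted(Path(root).glob("*")):
        rom = dev / "rom"
        if not rom.exists():            # no Expansion ROM BAR: nothing to dump
            continue
        try:
            rom.write_text("1")         # enable the ROM BAR window
            results[dev.name] = parse_rom_images(rom.read_bytes())
        except OSError as exc:
            results[dev.name] = f"unreadable: {exc}"
        finally:
            try:
                rom.write_text("0")     # disable it again
            except OSError:
                pass
    return results


def build_sample_dump():
    """Constructed 512-byte x86 image plus 512 bytes of 0xFF padding (test data)."""
    img = bytearray(512)
    img[0:2] = ROM_SIGNATURE
    img[2] = 1                                      # init size: 1 x 512 bytes
    struct.pack_into("<H", img, 0x18, 0x1C)         # pointer to PCIR at 0x1C
    pcir = struct.pack("<4sHHHHB3sHHBBH", PCIR_SIGNATURE, 0x1234, 0x5678,
                       0, 0x18, 0, b"\x00\x00\x02",  # class code: network ctrl
                       1, 0, 0, 0x80, 0)             # 1x512 bytes, x86, last
    img[0x1C:0x1C + len(pcir)] = pcir
    return bytes(img) + b"\xff" * 512


SAMPLE_DUMP = build_sample_dump()
SAMPLE_CONFIG = bytes(0x30) + struct.pack("<I", 0xFE000001) + bytes(0x0C)  # constructed

if __name__ == "__main__":
    for bdf, info in dump_sysfs_roms().items():
        print(bdf, info)
```

Run it as root on the machine in question to get, per device, the list of images with their SHA-256; a device with no `rom` file in sysfs has no Expansion ROM BAR and there is nothing to dump, which is cp's point about NICs and audio codecs. Compare with `images_match(dump, vendor_file)` rather than hashing the raw files, and keep the reference file from the manufacturer on separate, trusted media.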