Beispiel #1
 def EficheckCollectHashes(self, args):
     """Return a canned failed hash collection.

     The wrapped execution result carries exit status -1 and an error
     message on stderr; no eficheck or boot ROM version is set. `args` is
     accepted but not read.

     Returns:
       A one-element list holding the CollectEfiHashesResponse.
     """
     failed_run = rdf_client_action.ExecuteBinaryResponse(
         stderr=b"Unable to collect the hashes", exit_status=-1)
     return [rdf_apple_firmware.CollectEfiHashesResponse(response=failed_run)]
Beispiel #2
  def Run(self, args):
    """Dump the firmware flash image to a temporary file using eficheck.

    Args:
      args: EficheckConfig
    Returns:
      False when no eficheck version could be obtained; otherwise nothing.
      The DumpEfiImageResponse is delivered through SendReply.

    eficheck is executed twice:
      * with --version, to learn the version of the binary;
      * with --save -b firmware.bin, to write the image into a fresh
        temporary directory.

    NOTE(review): args.cmd_path comes with the request and selects the binary
    that gets executed. Neither call here passes an allowlist-bypass flag, so
    any restriction on what may run is whatever client_utils_common.Execute
    enforces by default; that check is not visible in this block, so confirm
    it before relying on it.
    """
    eficheck_version = self._GetVersion(args)
    if not eficheck_version:
      return False

    # cleanup starts out False and is only switched on when the dump fails;
    # presumably the flag decides whether the directory is removed when the
    # block exits (confirm against tempfiles.TemporaryDirectory).
    with tempfiles.TemporaryDirectory(cleanup=False) as tmp_dir:
      stdout, stderr, exit_status, time_used = client_utils_common.Execute(
          args.cmd_path, ["--save", "-b", "firmware.bin"], cwd=tmp_dir.path)
      response = rdf_apple_firmware.DumpEfiImageResponse(
          eficheck_version=eficheck_version,
          response=rdf_client_action.ExecuteBinaryResponse(
              stdout=stdout,
              stderr=stderr,
              exit_status=exit_status,
              time_used=time_used))
      if not exit_status:
        # Success: tell the receiver where the image was written.
        # NOTE(review): nothing in this block deletes the dumped image
        # afterwards; whoever consumes response.path is presumably expected
        # to remove it.
        response.path = rdf_paths.PathSpec(
            path=os.path.join(tmp_dir.path, "firmware.bin"),
            pathtype=rdf_paths.PathSpec.PathType.TMPFILE)
      else:
        # Failure: there is no image to hand over, so request cleanup.
        tmp_dir.cleanup = True
      self.SendReply(response)
Beispiel #3
 def EficheckDumpImage(self, args):
     """Return a canned failed image dump.

     The wrapped execution result has exit status 1 and a kernel-driver
     error on stderr; no path is set on the response. `args` is not read.

     Returns:
       A one-element list holding the DumpEfiImageResponse.
     """
     error_text = "Unable to connect to the kernel driver."
     failed_run = rdf_client_action.ExecuteBinaryResponse(
         stderr=error_text.encode("utf-8"), exit_status=1)
     return [
         rdf_apple_firmware.DumpEfiImageResponse(
             eficheck_version="1.9.6", response=failed_run)
     ]
Beispiel #4
 def EficheckDumpImage(self, args):
     """Return a canned successful image dump backed by a fresh temp file.

     A temporary file is created only to obtain a path; nothing is written
     to it here. `args` is not read.

     Returns:
       A one-element list holding the DumpEfiImageResponse, with exit status
       0 and `path` set to the temporary file.
     """
     # Only the path is needed, so the handle is closed straight away.
     temp_handle, image_path = tempfiles.CreateGRRTempFileVFS()
     temp_handle.close()

     success_text = "Image successfully written to firmware.bin."
     ok_run = rdf_client_action.ExecuteBinaryResponse(
         stdout=success_text.encode("utf-8"), exit_status=0)
     return [
         rdf_apple_firmware.DumpEfiImageResponse(
             eficheck_version="1.9.6", response=ok_run, path=image_path)
     ]
Beispiel #5
        def Run(self, args):
            """Reply with a fixed ExecuteBinaryResponse holding awkward output.

            stdout is UTF-8 encoded non-ASCII text that also contains the
            format-like tokens "%s" and "{}"; stderr is a byte string that is
            not valid UTF-8. Presumably this exercises how consumers decode
            and format process output (confirm against the caller).
            """
            del args  # Unused.

            reply = rdf_client_action.ExecuteBinaryResponse(
                stdout="żółć %s gęślą {} jaźń # ⛷".encode("utf-8"),
                stderr=b"\x00\xff\x00\xff\x00",
                exit_status=0,
                time_used=0)
            self.SendReply(reply)
Beispiel #6
 def EficheckCollectHashes(self, args):
   """Return a canned successful hash collection with one line of output.

   The stdout sample is a single colon-separated record whose last field is
   a 64-hex-digit digest. `args` is not read.

   Returns:
     A one-element list holding the CollectEfiHashesResponse.
   """
   ok_run = rdf_client_action.ExecuteBinaryResponse(
       stdout=(b"01:00:00:00190048:00003c5f:"
               b"4d37da42-3a0c-4eda-b9eb-bc0e1db4713b:"
               b"03a3fb4ca9b65be048b04e44ab5d1dd8e1af1ca9d1f53a5e96e8ae0125a02bb2"),
       exit_status=0)
   return [
       rdf_apple_firmware.CollectEfiHashesResponse(
           eficheck_version="1.9.6",
           boot_rom_version="MBP101.B00",
           response=ok_run)
   ]
Beispiel #7
    def _GetVersion(self, args):
        """Run the eficheck binary with --version and return its stdout.

        On a non-zero exit status the raw output is sent back as a reply,
        wrapped in the first entry of self.out_rdfvalues, and None is
        returned. The stdout value is returned exactly as Execute produced
        it; nothing here strips or decodes it.

        NOTE(review): the binary is chosen by args.cmd_path and no
        allowlist-bypass flag is passed, so Execute's default checks (not
        visible here) are what constrains it; confirm.
        """
        stdout, stderr, exit_status, time_used = client_utils_common.Execute(
            args.cmd_path, ["--version"])
        if not exit_status:
            return stdout

        # Failure: forward what the binary printed instead of a version.
        failure = rdf_client_action.ExecuteBinaryResponse(
            stdout=stdout,
            stderr=stderr,
            exit_status=exit_status,
            time_used=time_used)
        self.SendReply(self.out_rdfvalues[0](response=failure))
        return None
Beispiel #8
  def ProcessFile(self, path, args):
    """Execute the file at `path` and reply with its captured output.

    Args:
      path: Location of the binary to run.
      args: Request object; args.args are the command-line arguments and
        args.time_limit is handed to Execute as its third positional
        argument.

    NOTE(review): bypass_allowlist=True asks Execute not to apply its
    allowlist, so the only thing vouching for `path` is whatever the caller
    did before handing it over (presumably a signature check on the binary;
    confirm against the caller).
    """
    max_output = 10 * 1024 * 1024  # 10MB cap per stream.

    stdout, stderr, status, time_used = client_utils_common.Execute(
        path, args.args, args.time_limit, bypass_allowlist=True)

    # Keep the reply bounded. The cut is silent: nothing in the response
    # records that output was truncated.
    reply = rdf_client_action.ExecuteBinaryResponse(
        stdout=stdout[:max_output],
        stderr=stderr[:max_output],
        exit_status=status,
        # The response field is in microseconds, hence the 1e6 scaling.
        time_used=int(1e6 * time_used))
    self.SendReply(reply)
Beispiel #9
  def ProcessFile(self, path, args):
    """Install the package at `path` onto "/" and reply with the output.

    Runs /usr/sbin/installer with "-pkg <path> -target /" under
    args.time_limit.

    Args:
      path: Location of the package file to install.
      args: Request object; only args.time_limit is read.

    NOTE(review): the installer is run with bypass_whitelist=True and the
    package is installed onto the root target, so `path` must already be
    trusted when it gets here. No verification happens in this block;
    presumably the caller checked the package's signature (confirm).
    """
    max_output = 10 * 1024 * 1024  # 10MB cap per stream.
    installer = "/usr/sbin/installer"
    installer_args = ["-pkg", path, "-target", "/"]

    stdout, stderr, status, time_used = client_utils_common.Execute(
        installer,
        installer_args,
        time_limit=args.time_limit,
        bypass_whitelist=True)

    # Keep the reply bounded. The cut is silent: nothing in the response
    # records that output was truncated.
    reply = rdf_client_action.ExecuteBinaryResponse(
        stdout=stdout[:max_output],
        stderr=stderr[:max_output],
        exit_status=status,
        # The response field is in microseconds, hence the 1e6 scaling.
        time_used=int(1e6 * time_used))
    self.SendReply(reply)
Beispiel #10
    def Run(self, args):
        """Collect the firmware hashes in plaintext using eficheck.

        Args:
          args: EficheckConfig
        Returns:
          False when no eficheck version could be obtained; otherwise
          nothing. One CollectEfiHashesResponse per processed file is
          delivered through SendReply.

        eficheck is executed several times:
          * with --version, to learn the version of the binary;
          * with --generate-hashes, which creates one or more .ealf files,
            each a binary representation of the hashes extracted from a part
            of the flash image (e.g. EFI, SEC);
          * with --show-hashes once per generated file, to get a plaintext
            representation. That raw output is sent to the server, which
            performs the further parsing.

        NOTE(review): only the --show-hashes call passes
        bypass_allowlist=True, presumably because its argument list contains
        a per-run file name that a fixed allowlist entry cannot match
        (confirm). The file name passed there comes from a glob of the
        temporary directory and must match self._FILENAME_RE first.
        """
        eficheck_version = self._GetVersion(args)
        if not eficheck_version:
            return False

        with tempfiles.TemporaryDirectory() as tmp_dir:
            stdout, stderr, exit_status, time_used = client_utils_common.Execute(
                args.cmd_path, ["--generate-hashes"], cwd=tmp_dir.path)

            if exit_status:
                # Generation failed: forward the raw output and stop.
                failure = rdf_client_action.ExecuteBinaryResponse(
                    stdout=stdout,
                    stderr=stderr,
                    exit_status=exit_status,
                    time_used=time_used)
                self.SendReply(
                    rdf_apple_firmware.CollectEfiHashesResponse(response=failure))
                return

            # Generation succeeded: convert every generated file.
            ealf_pattern = os.path.join(tmp_dir.path, "*.ealf")
            for filename in glob.glob(ealf_pattern):
                basename = os.path.basename(filename)
                # Files with an unexpected name are skipped; they are neither
                # converted nor deleted by this loop.
                if not self._FILENAME_RE.match(basename):
                    continue

                # The boot ROM version is the file name without its extension.
                boot_rom_version, _ = os.path.splitext(basename)
                stdout, stderr, exit_status, time_used = client_utils_common.Execute(
                    args.cmd_path,
                    ["--show-hashes", "-h", filename],
                    bypass_allowlist=True)

                self.SendReply(
                    rdf_apple_firmware.CollectEfiHashesResponse(
                        eficheck_version=eficheck_version,
                        boot_rom_version=boot_rom_version,
                        response=rdf_client_action.ExecuteBinaryResponse(
                            stdout=stdout,
                            stderr=stderr,
                            exit_status=exit_status,
                            time_used=time_used)))

                tempfiles.DeleteGRRTempFile(filename)