Пример #1
 def __init__(self):
     """Module set-up: base-class init, Interrupts HAL, and the defaults used
     by the test (memory checking on, pointer-in-buffer test off, the fill
     pattern taken from the module-level _MEM_FILL_* constants).
     """
     BaseModule.__init__(self)
     self.interrupts = Interrupts(self.cs)

     # Feature toggles; presumably consulted by run() (not visible here).
     self.is_check_memory = True
     self.test_ptr_in_buffer = False
     # Byte value and size of the memory fill pattern.
     self.fill_byte, self.fill_size = _MEM_FILL_VALUE, _MEM_FILL_SIZE
Пример #2
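    def run(self):
        """Dispatch the ``smi`` utility command.

        argv layout (argv[0] is the program, argv[1] the command name):

        * ``smi count`` -- log MSR_SMI_COUNT.Count for every CPU thread.
        * ``smi <thread> <code> <data>`` -- software SMI through the APMC
          ports (code -> 0xB2, data -> 0xB3).
        * ``smi <thread> <code> <data> <rax> <rbx> <rcx> <rdx> <rsi> <rdi>`` --
          software SMI with caller-chosen general-purpose register contents.

        All numeric arguments are hexadecimal. A value that does not parse is
        reported and the usage printed instead of raising an unhandled
        ValueError. Output goes to self.logger; returns None.

        Caution: this feeds caller-controlled values straight into firmware
        SMI handlers (that is the point of the fuzzing use-case), but a buggy
        handler can hang or corrupt the platform. Run on test hardware only.
        """
        if len(self.argv) < 3:
            print(SMICommand.__doc__)
            return

        try:
            interrupts = Interrupts(self.cs)
        except RuntimeError as msg:
            print(msg)
            return

        op = self.argv[2]
        t = time.time()

        if 'count' == op:
            self._log_smi_count()
        elif len(self.argv) > 4:
            try:
                self._send_sw_smi(interrupts)
            except ValueError as err:
                # Non-hex argument where a number was expected: show usage
                # instead of dying with a traceback.
                self.logger.error("invalid hexadecimal argument: {}".format(err))
                print(SMICommand.__doc__)
                return
        else:
            # Neither 'count' nor at least <thread> <code> <data>: unknown form.
            self.logger.error("unknown command-line option '{:32}'".format(op))
            print(SMICommand.__doc__)
            return

        self.logger.log("[CHIPSEC] (smi) time elapsed {:.3f}".format(time.time() - t))

    def _log_smi_count(self):
        """Log the MSR_SMI_COUNT.Count value of every CPU thread."""
        self.logger.log("[CHIPSEC] SMI count:")
        for tid in range(self.cs.msr.get_cpu_thread_count()):
            smi_cnt = self.cs.read_register_field('MSR_SMI_COUNT', 'Count', cpu_thread=tid)
            self.logger.log("  CPU{:d}: {:d}".format(tid, smi_cnt))

    def _send_sw_smi(self, interrupts):
        """Fire one software SMI described by argv[2:].

        argv must hold exactly 5 (APMC form) or 11 (register form) entries;
        any other count >= 5 prints the usage. Raises ValueError on a
        non-hex argument (the caller maps that to usage).
        """
        argc = len(self.argv)
        thread_id = int(self.argv[2], 16)
        smi_code = int(self.argv[3], 16)
        smi_data = int(self.argv[4], 16)
        self.logger.log("[CHIPSEC] Sending SW SMI (code: 0x{:02X}, data: 0x{:02X})..".format(smi_code, smi_data))

        if argc == 5:
            # APMC form: only the B2/B3 port values are supplied; thread_id is
            # parsed but not used by this path (as in the original).
            interrupts.send_SMI_APMC(smi_code, smi_data)
        elif argc == 11:
            _rax, _rbx, _rcx, _rdx, _rsi, _rdi = [int(a, 16) for a in self.argv[5:11]]
            self.logger.log("          RAX: 0x{:016X} (AX will be overwridden with values of SW SMI ports B2/B3)".format(_rax))
            self.logger.log("          RBX: 0x{:016X}".format(_rbx))
            self.logger.log("          RCX: 0x{:016X}".format(_rcx))
            self.logger.log("          RDX: 0x{:016X} (DX will be overwridden with 0x00B2)".format(_rdx))
            self.logger.log("          RSI: 0x{:016X}".format(_rsi))
            self.logger.log("          RDI: 0x{:016X}".format(_rdi))
            ret = interrupts.send_SW_SMI(thread_id, smi_code, smi_data,
                                         _rax, _rbx, _rcx, _rdx, _rsi, _rdi)
            # send_SW_SMI returns None or a sequence whose slots 1..6 hold the
            # post-SMI RAX..RDI (slot 0 is not reported here).
            if ret is not None:
                self.logger.log("Return values")
                for name, val in zip(("RAX", "RBX", "RCX", "RDX", "RSI", "RDI"), ret[1:7]):
                    self.logger.log("          {}: {:16X}".format(name, val))
        else:
            # 6..10 or more than 11 arguments match neither form.
            print(SMICommand.__doc__)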
Пример #3
def nmi(argv):
    # Python 2 spelling of the ``nmi`` command (``print`` statement,
    # ``except X, e``). NOTE(review): the listing appears truncated --
    # ``interrupts`` is built but never used in the visible lines, so the
    # send_NMI() call that presumably follows is not shown.
    if 2 < len(argv):
        # Extra arguments print the usage but do NOT return: execution
        # continues below regardless. ``usage`` is not defined in the
        # visible lines.
        print usage

    try:
        interrupts = Interrupts( chipsec_util._cs )
    except RuntimeError, msg:
        # Only RuntimeError from Interrupts() is handled; report and abort.
        print msg
        return
Пример #4
    def run(self):
        # Python 2 variant of the SMI command entry point (``print``
        # statement, ``except X, e``). NOTE(review): the listing ends right
        # after HAL set-up -- ``interrupts`` is created but not used in the
        # visible lines, so the dispatch on self.argv that presumably follows
        # is not shown here.
        if len(self.argv) < 3:
            # Needs at least one value after the command name; otherwise usage.
            print SMICommand.__doc__
            return

        try:
            interrupts = Interrupts(self.cs)
        except RuntimeError, msg:
            # Only RuntimeError from Interrupts() is handled; anything else
            # propagates to the caller.
            print msg
            return
Пример #5
    def run(self):
        """Deliver a single NMI# through the Interrupts HAL and log the time taken.

        A RuntimeError while constructing the HAL is printed and the command
        returns without sending anything. Returns None.

        Caution: the NMI is delivered to the running OS; depending on how it
        treats unexpected NMIs this can be fatal -- use on test hardware.
        """
        try:
            intr = Interrupts(self.cs)
        except RuntimeError as err:
            print(err)
            return

        started = time.time()
        self.logger.log("[CHIPSEC] Sending NMI#..")
        intr.send_NMI()
        elapsed = time.time() - started
        self.logger.log("[CHIPSEC] (nmi) time elapsed {:.3f}".format(elapsed))
Пример #6
    def run(self):
        """Build the Interrupts HAL into ``self.interrupts``, then call ``self.func()``.

        ``self.func`` is expected to have been selected before run() is
        called (not visible in this listing). A RuntimeError from the HAL
        constructor is logged and aborts the command. Returns None.
        """
        try:
            self.interrupts = Interrupts(self.cs)
        except RuntimeError as err:
            self.logger.log(err)
            return

        started = time.time()
        self.func()
        elapsed = time.time() - started
        self.logger.log(
            "[CHIPSEC] (smi) time elapsed {:.3f}".format(elapsed))
Пример #7
def smi(argv):
    """
    >>> chipsec_util smi <thread_id> <SMI_code> <SMI_data> [RAX] [RBX] [RCX] [RDX] [RSI] [RDI]

    Examples:

    >>> chipsec_util smi 0x0 0xDE 0x0
    >>> chipsec_util smi 0x0 0xDE 0x0 0xAAAAAAAAAAAAAAAA ..
    """
    # Python 2 spelling (``except X, e``, ``print`` statement). NOTE(review):
    # the listing appears truncated -- ``interrupts`` is built but the
    # argument parsing and the SMI call that presumably follow are not shown.
    try:
        interrupts = Interrupts(chipsec_util._cs)
    except RuntimeError, msg:
        # Only RuntimeError from Interrupts() is handled; report and abort.
        print msg
        return
Пример #8
def nmi(argv):
    """
    >>> chipsec_util nmi

    Examples:

    >>> chipsec_util nmi
    """
    # Python 2 spelling (``print`` statement, ``except X, e``). NOTE(review):
    # the listing appears truncated -- ``interrupts`` is built but the
    # send_NMI() call that presumably follows is not shown.
    if 2 < len(argv):
        # Extra arguments print the usage but do NOT return; execution
        # continues below regardless.
        print nmi.__doc__

    try:
        interrupts = Interrupts(chipsec_util._cs)
    except RuntimeError, msg:
        # Only RuntimeError from Interrupts() is handled; report and abort.
        print msg
        return
Пример #9
    def __init__(self):
        """Module set-up: base-class init, Interrupts HAL and default sweep ranges.

        The attribute names are the module's external state and are kept
        as-is; only the defaults' layout differs.
        """
        BaseModule.__init__(self)
        self._interrupts = Interrupts(self.cs)

        # Sweep ranges, each 0x00 .. the module-level limit constant:
        #   smic -- SMI code written to I/O port 0xB2
        #   smid -- SMI data written to I/O port 0xB3
        #   smif -- SMI handler "function", often supplied in ECX
        self.smic_start, self.smic_end = 0x00, SMI_CODE_LIMIT
        self.smid_start, self.smid_end = 0x00, SMI_DATA_LIMIT
        self.smif_start, self.smif_end = 0x00, SMI_FUNC_LIMIT

        # SMM communication buffer, often supplied in EBX; 0 until set.
        self.comm = 0x00
        # Presumably the MMIO relocation target; None until a caller sets it.
        self.reloc_mmio = None
Пример #10
    def __init__(self):
        """Module set-up: base-class init, Interrupts HAL, BAR bookkeeping
        containers and the default SMI sweep ranges.

        Attribute names are the module's external state and are unchanged.
        """
        BaseModule.__init__(self)
        self._interrupts = Interrupts(self.cs)

        # Sweep ranges, each 0x00 .. the module-level limit constant:
        #   smic -- SMI code written to I/O port 0xB2
        #   smid -- SMI data written to I/O port 0xB3
        #   smif -- SMI handler "function", often supplied in ECX
        self.smic_start, self.smic_end = 0x00, SMI_CODE_LIMIT
        self.smid_start, self.smid_end = 0x00, SMI_DATA_LIMIT
        self.smif_start, self.smif_end = 0x00, SMI_FUNC_LIMIT
        # SMM communication buffer, often supplied in EBX; 0 until set.
        self.comm = 0x00

        # SMI generation is off by default; BAR names/values/differences are
        # empty until populated elsewhere (not visible here).
        self.generate_smi = False
        self.bar_names = []
        self.bars = {}
        self.bars_diff = {}
Пример #11
def smi(argv):
    # Python 2 spelling (``except X, e``, ``print`` statement). NOTE(review):
    # the listing appears truncated -- ``interrupts`` is built but never used
    # in the visible lines; the argument handling and SMI call are not shown.
    try:
        interrupts = Interrupts( chipsec_util._cs )
    except RuntimeError, msg:
        # Only RuntimeError from Interrupts() is handled; report and abort.
        print msg
        return
Пример #12
from struct import pack, unpack
from crc_spoof import *

import chipsec.chipset
from chipsec.hal.interrupts import Interrupts

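PAGE_SIZE = 0x1000
# SW SMI code; not used in the visible lines.
SMI_USB_RUNTIME = 0x31

# Platform and HAL bring-up. The positional arguments to cs.init() are kept
# exactly as in the original; see chipsec.chipset.cs.init for their meaning.
cs = chipsec.chipset.cs()
cs.init(None, True, True)

intr = Interrupts(cs)
# First element of get_SMRAM(); the scan below walks downward from it, so it
# is presumably the SMRAM base -- confirm against the HAL.
SMRAM = cs.cpu.get_SMRAM()[0]

# Physical-memory / I/O primitives. mem_write and mem_alloc are bound here
# but not used in the visible lines.
mem_read = cs.helper.read_physical_mem
mem_write = cs.helper.write_physical_mem
mem_alloc = cs.helper.alloc_physical_mem
io_read = cs.helper.read_io_port

# check if system is in ACPI mode
# assert (io_read(0x1804, 1) & 1) == 0, "this system is in ACPI mode now"

# Locate EFI_USB_PROTOCOL and usb_data in memory: scan one page at a time,
# from the page just below SMRAM down to page 1 (page 0 excluded), for the
# 'USBP' signature at a page start; the 8-byte value at offset +8 of that
# page is taken as usb_data. Both results are bound up front so the check
# below cannot NameError when nothing is found (the original never
# initialised usb_protocol before the loop).
usb_protocol = 0
usb_data = None
for addr in xrange(SMRAM // PAGE_SIZE - 1, 0, -1):
    page = addr * PAGE_SIZE
    if mem_read(page, 4) == 'USBP':
        usb_protocol = page
        usb_data = unpack("<Q", mem_read(page + 8, 8))[0]
        break

# Explicit check rather than assert: an assert is stripped under -O and the
# script would then carry on with usb_protocol == 0.
if usb_protocol == 0:
    raise RuntimeError("can't find EFI_USB_PROTOCOL structure")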
Пример #13
def smi(argv):
    # Python 2 spelling (``except X, e``, ``print`` statement). NOTE(review):
    # the listing appears truncated -- ``interrupts`` is built but never used
    # in the visible lines. ``_cs`` is not defined here either.
    try:
       interrupts = Interrupts( _cs )
    except RuntimeError, msg:
       # Only RuntimeError from Interrupts() is handled; report and abort.
       print msg
       return
Пример #14
 def __init__(self):
     """Module set-up: base-class init, Interrupts HAL, memory checking on by default."""
     BaseModule.__init__(self)
     self.interrupts = Interrupts(self.cs)
     # Toggle presumably consulted by run() (not visible here); on by default.
     self.is_check_memory = True
Пример #15
 def run(self):
     # Python 2 spelling of the command entry point. NOTE(review): the visible
     # lines end right after HAL construction -- ``interrupts`` is unused here,
     # so the remainder of the handler is presumably cut off by the listing.
     try:
         interrupts = Interrupts(self.cs)
     except RuntimeError, msg:
         # Only RuntimeError from Interrupts() is handled; report and abort.
         print msg
         return
Пример #16
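    def run(self):
        """Dispatch the ``smi`` utility command.

        argv layout (argv[0] is the program, argv[1] the command name):

        * ``smi count`` -- log MSR_SMI_COUNT.Count for every CPU thread.
        * ``smi smmc <RTC_start> <RTC_end> <guid> <payload_loc> <payload>`` --
          search RTC_start..RTC_end for the 'smmc' (SMM core private data)
          signature and deliver an SMI to it with the given GUID and payload;
          <payload> is either a file path (its bytes are sent) or a literal.
        * ``smi <thread> <code> <data>`` -- software SMI through the APMC
          ports (code -> 0xB2, data -> 0xB3).
        * ``smi <thread> <code> <data> <rax> <rbx> <rcx> <rdx> <rsi> <rdi>`` --
          software SMI with caller-chosen general-purpose register contents.

        All numeric arguments are hexadecimal. A value that does not parse is
        reported and the usage printed instead of raising an unhandled
        ValueError. Output goes to self.logger; returns None.

        Caution: every form hands caller-controlled input to firmware SMI
        handlers (the intended fuzzing use-case); a buggy handler can hang or
        corrupt the platform. Run on test hardware only.
        """
        if len(self.argv) < 3:
            print(SMICommand.__doc__)
            return

        try:
            interrupts = Interrupts(self.cs)
        except RuntimeError as msg:
            print(msg)
            return

        op = self.argv[2]
        t = time.time()

        if 'count' == op:
            self._log_smi_count()
        elif 'smmc' == op or len(self.argv) > 4:
            try:
                if 'smmc' == op:
                    finished = self._send_smmc(interrupts)
                else:
                    finished = self._send_sw_smi(interrupts)
            except ValueError as err:
                # Non-hex argument where a number was expected: show usage
                # instead of dying with a traceback.
                self.logger.error("invalid hexadecimal argument: {}".format(err))
                print(SMICommand.__doc__)
                return
            if not finished:
                # Helper already reported why it stopped; skip the timing line.
                return
        else:
            self.logger.error(
                "unknown command-line option '{:32}'".format(op))
            print(SMICommand.__doc__)
            return

        self.logger.log(
            "[CHIPSEC] (smi) time elapsed {:.3f}".format(time.time() - t))

    def _log_smi_count(self):
        """Log the MSR_SMI_COUNT.Count value of every CPU thread."""
        self.logger.log("[CHIPSEC] SMI count:")
        for tid in range(self.cs.msr.get_cpu_thread_count()):
            smi_cnt = self.cs.read_register_field('MSR_SMI_COUNT',
                                                  'Count',
                                                  cpu_thread=tid)
            self.logger.log("  CPU{:d}: {:d}".format(tid, smi_cnt))

    def _send_smmc(self, interrupts):
        """Handle ``smi smmc ...``.

        Returns True when the SMI was sent, False when the command stopped
        early (too few arguments, or no 'smmc' signature in the range).
        Raises ValueError on a non-hex numeric argument.
        """
        if len(self.argv) < 8:
            print(SMICommand.__doc__)
            return False

        rtc_start = int(self.argv[3], 16)
        rtc_end = int(self.argv[4], 16)
        guid = self.argv[5]
        payload_loc = int(self.argv[6], 16)
        payload = self.argv[7]
        if os.path.isfile(payload):
            # A path argument means "send this file's bytes"; otherwise the
            # argv string itself is the payload. Note the type differs
            # (bytes vs str) -- presumably send_smmc_SMI accepts both; verify
            # against the HAL.
            with open(payload, 'rb') as f:
                payload = f.read()

        self.logger.log(
            "Searching for \'smmc\' in range 0x{:x}-0x{:x}".format(
                rtc_start, rtc_end))
        # scan for SMM_CORE_PRIVATE_DATA smmc signature
        smmc_loc = interrupts.find_smmc(rtc_start, rtc_end)
        if smmc_loc == 0:
            self.logger.log(" Couldn't find smmc signature")
            return False
        self.logger.log(
            "Found \'smmc\' structure at 0x{:x}".format(smmc_loc))

        ReturnStatus = interrupts.send_smmc_SMI(smmc_loc, guid, payload,
                                                payload_loc)
        #TODO Translate ReturnStatus to EFI_STATUS enum
        self.logger.log("ReturnStatus: {:x}".format(ReturnStatus))
        return True

    def _send_sw_smi(self, interrupts):
        """Fire one software SMI described by argv[2:]; always returns True.

        argv must hold exactly 5 (APMC form) or 11 (register form) entries;
        any other count >= 5 prints the usage. Raises ValueError on a
        non-hex argument.
        """
        argc = len(self.argv)
        thread_id = int(self.argv[2], 16)
        smi_code = int(self.argv[3], 16)
        smi_data = int(self.argv[4], 16)
        self.logger.log(
            "[CHIPSEC] Sending SW SMI (code: 0x{:02X}, data: 0x{:02X}).."
            .format(smi_code, smi_data))

        if argc == 5:
            # APMC form: only the B2/B3 port values are supplied; thread_id is
            # parsed but not used by this path (as in the original).
            interrupts.send_SMI_APMC(smi_code, smi_data)
        elif argc == 11:
            _rax, _rbx, _rcx, _rdx, _rsi, _rdi = [int(a, 16) for a in self.argv[5:11]]
            self.logger.log(
                "          RAX: 0x{:016X} (AX will be overwridden with values of SW SMI ports B2/B3)"
                .format(_rax))
            self.logger.log("          RBX: 0x{:016X}".format(_rbx))
            self.logger.log("          RCX: 0x{:016X}".format(_rcx))
            self.logger.log(
                "          RDX: 0x{:016X} (DX will be overwridden with 0x00B2)"
                .format(_rdx))
            self.logger.log("          RSI: 0x{:016X}".format(_rsi))
            self.logger.log("          RDI: 0x{:016X}".format(_rdi))
            ret = interrupts.send_SW_SMI(thread_id, smi_code, smi_data,
                                         _rax, _rbx, _rcx, _rdx, _rsi, _rdi)
            # send_SW_SMI returns None or a sequence whose slots 1..6 hold the
            # post-SMI RAX..RDI (slot 0 is not reported here).
            if ret is not None:
                self.logger.log("Return values")
                for name, val in zip(("RAX", "RBX", "RCX", "RDX", "RSI", "RDI"), ret[1:7]):
                    self.logger.log("          {}: {:16X}".format(name, val))
        else:
            # 6..10 or more than 11 arguments match neither form.
            print(SMICommand.__doc__)
        return True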