Vault7: CIA Hacking Tools Revealed
Navigation: » Directory » Embedded Development Branch (EDB) » EDB Home » Projects » DerStarke
Creating new Unlock files future firmwares
- Grab trunk of darkmatter and navigate to in/unlock dir
- Use SFIT to extract the PchSpiRuntime file (this file locks FVH through the PCH)
- Use the following command to parse the new firmware to find out which file is the PchSpiRuntime
- python3 -m sfit <firmware file>
- Locate the PchSpiRuntime file (GUID: c194c6ea-b68c-4981-b64b-9bd271474b20
- New MacBooks now have the lock in a file with GUID: 77693c87-a21a-441f-9cc6-054982cddbb7
- Extract the depex and efi files with the following command:
- python3 -m sfit <firmware file> <depex file id from prev listing> <output filename>
- python3 -m sfit <firmware file> <PE32 file id from prev listing> <output filename>
- Copy the depex and efi files to in/unlock/extracted
- Use the following command to parse the new firmware to find out which file is the PchSpiRuntime
- Use Ghidra to find where to subvert flash locking code
- Find the FlashLockingCode function
- Use previous version of an RE'd firmware for guidance
- The function should have the following flow (or similar)
- Get the EfiHobList (guid: 7739f24c-93d7-11d4-9a3a-0090273fc14d)
- Iterate through to find the value of BootMode
- If BootMode == 0x12 or BootMode == 0x20 keep the flash unlocked... else lock the flash
- Patch the FlashLocking Code in order to always keep the flash unlocked
- General idea is that there is usually a local variable that is also being check (default name of cVar1 by Ghidra)
- If the variable == 0, the code will flow in the same direction of not locking the flash
- The variable is initialized to 0, and only assigned a value in one spot.
- Find that MOV statement, and NOP the 2-3 bytes of that instruction (NOP is 0x90)
- Make modicications in a hex editor, and reload into Ghirda to make sure it has the desired disassembly and flow
- I have had zero luck making the changes inside Ghidra and using the export wizard
- Save the file in in/unlock
- Find the FlashLockingCode function
- Generate Dxe File from Efi using create_unlock.py
- Open create_unlock.py inside the in/
- Find the definition of PchSpiRuntimeFiles structure (~line number22)
- Add a new entry for the new PchSpiRuntime file
- Elements are [filename of patched file done in step 3, extracted depex from step 2, output dxe with standard compression, output dxe with lama compression]
- Run the python file and you should have both a standard and lama compressed Unlock file
- Integrate new file into DarkMatter source
- For Makefile
- Add all files to scripts/dxe_to_h.py
- For Loader.c
- Add #include for both .h files (std and lzma)
- Add new enum type MacModelNames
- Add new ImplantStruct PatchedFiles (make sure they align, ie, MacModelNames MBP_61 is the 0th element of PatchFiles)
- Add if case inside function PatchFirmware()
- For Makefile