Date: Fri, 27 Mar 2009 06:47:14 -0700 (PDT) From: Won De Erick <won.derick@yahoo.com> To: Ivan Voras <ivoras@freebsd.org>, Andriy Gapon <avg@icyb.net.ua> Cc: freebsd-hackers@freebsd.org Subject: Re: Switching to SMM with FreeBSD 6.2 onwards Message-ID: <492862.81876.qm@web45808.mail.sp1.yahoo.com>
--- On Fri, 3/27/09, Andriy Gapon <avg@icyb.net.ua> wrote:
> on 27/03/2009 12:35 Ivan Voras said the following:
> > Takanori Watanabe wrote:
> >> In message <17314.10813.qm@web45811.mail.sp1.yahoo.com>, Won De Erick wrote:
> >>> Hi All,
> >>>
> >>> I'm not quite familiar with FreeBSD, but I
> >>> want to do the following in 6.2/7.1
> >>> .
> >>>
> >>>  /* Raise IOPL to 3 to open all I/O ports */
> >>>  /* something like 'i386_iopl(3)' */
> >>>  ...
> >> see i386_get_ioperm(2) or io(4).
> >>
> >>>  /* Open SMRAM access */
> >>>  void outl(unsigned int port, unsigned long int data);
> >>>
> >>> Also, I appreciate comments on the following
> >>> wrapper:
> >>>
> >>> /* AT&T syntax: source operand (EAX) first, then the port in DX */
> >>> static inline void outl(unsigned int port, unsigned long int data)
> >>> {
> >>>  asm volatile("outl %0, %1" : : "a" (data), "dN" (port));
> >>> }
> >>>
>
> Take a look at machine/cpufunc.h

Oh I see. :)

>
> >>> My goal is to switch the processor to SMM by
> >>> triggering SMI from userland.
> >>
> >> Probably this will work.
> >> So what do you want to ask about that?

If it is possible, I should want to write data to certain registers or a portion of memory where the BIOS firmware or the BMC firmware could possibly detect it as 'reconfiguration', and make a significant log on the SEL as "System Reconfigured". If someone has a better idea, it is very much welcome.

> >
> > One thing that comes to my mind is this:
> > http://invisiblethingslab.com/resources/misc09/smm_cache_fun.pdf

I will add that to the ff:

http://www.ssi.gouv.fr/fr/sciences/fichiers/lti/cansecwest2006-duflot-paper.pdf

I've made the exploit code found in the appendix runnable on FreeBSD 7.1, replacing some of the unsupported functions, but I'm still finding ways to verify whether I've successfully written data to the intended address or not. I've replaced '/dev/xf86' with '/dev/mem'. Then I opened '/dev/io' instead of using 'i386_get_ioperm()'. Am I on the right track?

> >
> > :)
>
> Yeah, and IDA Pro rocks too :-)
>
>
> --
> Andriy Gapon