EFI Swiss Knife – An IDA plugin to improve (U)EFI reversing

Today I am finally releasing one of the EFI reversing tools I built when I was working on the SCBO post. Yesterday there were some tweets about IDA improving its support for EFI binaries (although I’m not sure it’s the same thing as in here) so I decided to finally release this one. You can find the source code https://github.com/gdbinit/EFISwissKnife. Tested with IDA 6.9 and IDA 6.95 OS X versions, might work in Windows with just paths modification. [Read More]

Apple EFI firmware passwords and the SCBO myth

My original goal when I started poking around Apple’s EFI implementation was to find a way to reset a MacBook’s firmware password. My preliminary research found references to a “magical” SCBO file that could be loaded onto a USB flash drive and booted to remove the password. The normal process workflow is to first contact Apple support. Since I don’t have the original sales receipt of this specific Mac, I assume this option isn’t possible, since anyone with a stolen Mac could get the password reset. [Read More]

London and Asia EFI monsters tour!

Finally back home from China and Japan tour, so it’s time to finally release the updated slides about EFI Monsters. After Secuinside I updated them a bit, fixing stuff I wasn’t happy with and adding some new content. The updated version was first presented at 44CON London. I had serious reservations about going to the UK (not even in transit!) but Steve Lord and Adrian charm convinced me to give it a try. [Read More]

Reversing Prince Harming’s kiss of death

The suspend/resume vulnerability disclosed a few weeks ago (named Prince Harming by Katie Moussouris) turned out to be a zero day. While (I believe) its real world impact is small, it is nonetheless a critical vulnerability and (another) spectacular failure from Apple. It must be noticed that firmware issues are not Apple exclusive. For example, Gigabyte ships their UEFI with the flash always unlocked and other vendors also suffer from all kinds of firmware vulnerabilities. [Read More]