Re: Switching to SMM with FreeBSD 6.2 onwards

Fri, 27 Mar 2009 07:00:29 -0700 

--- On Fri, 3/27/09, Andriy Gapon <a...@icyb.net.ua> wrote:
> on 27/03/2009 12:35 Ivan Voras said
> the following:
> > Takanori Watanabe wrote:
> >> In message <17314.10813...@web45811.mail.sp1.yahoo.com>,
> Won De Erick wrote:
> >>> Hi All,
> >>>
> >>> I'm not quite familiar with FreeBSD, but I
> >>> want to do the following in 6.2/7.1
> >>> . 
> >>>
> >>>  /* Raise IOPL to 3 to open all I/O ports
> >>>  */
> >>>  /* something like 'i386_iopl(3)' */
> >>>  ...
> >> see  i386_get_ioperm(2) or io(4).
> >>
> >>>  /* Open SMRAM access */
> >>>  outl(unsigned int port, unsigned long
> >>>  int data);
> >>>
> >>>
> >>> Also, I appreciate comments on the following
> >>> wrapper:
> >>>
> >>> static inline outl(unsigned int port, unsigned
> >>> long int data)
> >>> {
> >>>  asm("outl %0, %1" : : "a" (data), "dN"
> >>>  (port));
> >>> }
> >>>
> 
> Take a look at machine/cpufunc.h

Oh I see. :)

> 
> >>> My goal is to switch the processor to SMM by
> >>> triggering SMI from userland.
> >>
> >> Probably this will work.
> >> So what do you want ask about that?

If it is possible, I should want to write data to certain registers or portion 
of a memory where the BIOS firmware or the BMC firmware could possibly detect 
it as 'reconfiguration', and make significant log on SEL as "System 
Reconfigured". If someone has a better idea, it is very much welcome. 

> > 
> > One thing that comes to my mind is this:
> > http://invisiblethingslab.com/resources/misc09/smm_cache_fun.pdf

I will add that to the ff:

http://www.ssi.gouv.fr/fr/sciences/fichiers/lti/cansecwest2006-duflot-paper.pdf

I've made the Exploit code found at the appendix runnable on FreeBSD 7.1 
replacing some of the unsupported functions, but I'm still finding ways how to 
verify whether I've written successfully a data to the intended address or not. 
I've replaced '/dev/xf86 with '/dev/mem'. Then opened 'dev/io' instead of using 
'i386_get_ioperm()'. Am I on the right track?

> > 
> > :)
> 
> Yeah, and IDA Pro rocks too :-)
> 
> 
> -- 
> Andriy Gapon





_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"

Reply via email to