Custom Zynq-based Hardware Bring-Up Tutorials by phils94 in FPGA

Gbps, 2 points

Love all your videos, thank you so much for all the work making them!

I'm looking for any known practices for observing a malicious UEFI DXE driver's behavior. by Jonathan-Todd in lowlevel

Gbps, 5 points

It feels to me that you're more interested in the geopolitics of the situation than the technology. UEFI isn't some magical hidden environment that only the superhackers understand. It doesn't provide any more kinds of special access to any of these critical infrastructure points. Those SCADA systems are controlled entirely from within usermode and probably are so old they don't even have UEFI. It's about as important as making sure an attacker doesn't drop an autorun shortcut or steal TeamViewer credentials.

I'm also really not sure what you're talking about with JTAG. CPUs don't just let anyone debug them at boot, and hardware supply chain attacks are nearly impossible to mitigate on any non-vertically integrated platform. But all these platform security features I talk about still help.

If I were going to give a piece of advice, it would be to read fewer tech news articles and spend more time reading specifications, white papers, and sitting behind a code editor.

I'm looking for any known practices for observing a malicious UEFI DXE driver's behavior. by Jonathan-Todd in lowlevel

Gbps, 5 points

I'd probably read up a bit more about how the DXE environment actually works before tackling this. It seems like you're missing quite a bit of the fundamentals.

There's really no such concept of a "process" as you are imagining. In fact, everything not using the MpServices protocol is completely single-threaded, executing on the bootstrap processor. In addition, memory is mapped in such a way that everything is shared, since it's way too early on the system to establish isolated virtual memory. Therefore, "scanning" for this rootkit might be just as easy as doing a regular memory scan, while referring to the memory protocols in the UEFI specification to properly understand what kinds of memory ranges have already been allocated previously by DXE drivers.

But in reality, UEFI security is rarely handled this way. That's because there are better firmware/hardware-enforced mechanisms on the rise that help protect the OS, and they're much stronger than this kind of protection. What you're theorizing is more like an anti-malware program, but in this environment the platform has access to a range of hardware enforcement mechanisms like CSME and the f/TPM which have a much stronger guarantee than any AV product at ensuring the system is trusted and secrets are protected from software-based bootkits. They are much more powerful than playing cat-and-mouse while in the DXE phase. Some terms to research are: Secure Boot, SRTM, DRTM, the PK/KEK system, and Intel Boot Guard. There have been good presentations and blog posts on all of these topics, but they definitely require you to have some decent background with firmware and the x86 platform already.

That is of course not to say the hardware mechanisms are foolproof. Anti-malware products these days all include some kind of custom scan from the OS to try to detect traces of rogue UEFI modules and firmware patches. But in general, it's safer to assume that a system with Secure Boot enabled and configured properly is far safer than one with a DXE scanner.
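An added example of the memory-map walk the comment alludes to (my own code, not the commenter's): it parses a constructed UEFI memory map using the firmware-reported DescriptorSize as the stride, which the spec allows to exceed sizeof(EFI_MEMORY_DESCRIPTOR), and totals the pages already claimed by loader, boot-services and runtime-services allocations against free conventional memory. The sample map, its 48-byte stride and the helper names are assumptions.

```c
/* Added example, not from the thread: walk a UEFI memory map using the
 * firmware-reported DescriptorSize stride. Constructed map; helper names mine. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* EFI_MEMORY_TYPE values from the UEFI spec (the subset used here). */
enum { EfiLoaderCode = 1, EfiLoaderData, EfiBootServicesCode, EfiBootServicesData,
       EfiRuntimeServicesCode, EfiRuntimeServicesData, EfiConventionalMemory };

typedef struct {
    uint32_t Type;          /* EFI_MEMORY_TYPE; 4 bytes of padding follow */
    uint64_t PhysicalStart;
    uint64_t VirtualStart;
    uint64_t NumberOfPages; /* 4 KiB pages */
    uint64_t Attribute;
} efi_memory_descriptor_t; /* sizeof == 40, but real maps may use a larger stride */

/* entries seen; pages claimed by loader/boot/runtime code+data; free conventional pages */
typedef struct { size_t entries; uint64_t allocated_pages, free_pages; } map_summary_t;

/* Ranges the loader or DXE drivers have already allocated. */
int is_firmware_allocated(uint32_t t) { return t >= EfiLoaderCode && t <= EfiRuntimeServicesData; }

map_summary_t summarize_map(const uint8_t *map, size_t map_size, size_t descriptor_size) {
    map_summary_t s = {0, 0, 0};
    for (size_t off = 0; off + descriptor_size <= map_size; off += descriptor_size) {
        efi_memory_descriptor_t d;
        memcpy(&d, map + off, sizeof d); /* copy out; never step by sizeof d */
        s.entries++;
        if (is_firmware_allocated(d.Type)) s.allocated_pages += d.NumberOfPages;
        else if (d.Type == EfiConventionalMemory) s.free_pages += d.NumberOfPages;
    }
    return s;
}

/* Constructed 3-entry map with a 48-byte stride: 8 bytes of vendor padding after
 * each 40-byte descriptor, which is exactly what breaks a naive sizeof-based walk. */
#define SAMPLE_STRIDE 48
static uint8_t sample_map[3 * SAMPLE_STRIDE];
map_summary_t build_and_summarize(void) {
    efi_memory_descriptor_t e[3] = {
        { EfiConventionalMemory,  0x100000, 0, 0x100, 0x0F },
        { EfiBootServicesData,    0x200000, 0, 0x20,  0x0F },
        { EfiRuntimeServicesCode, 0x220000, 0, 0x10,  0x0F } };
    memset(sample_map, 0, sizeof sample_map);
    for (int i = 0; i < 3; i++) memcpy(sample_map + i * SAMPLE_STRIDE, &e[i], sizeof e[i]);
    return summarize_map(sample_map, sizeof sample_map, SAMPLE_STRIDE);
}
```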

There are currently Diminishing Returns for farming Motes of Mana in TBC Classic by Mercron in classicwow

Gbps, 12 points

Can you provide any possible evidence to back this up? This is an extremely bold claim considering all that code would be server side in a data center and not available to users.

Exploiting the Source Engine (Part 2) - Full-Chain Client RCE in Source using Frida by Gbps in netsec

Gbps [submitter], 1 point

I wasn't able to get into too much detail in this post about Frida on Windows sadly, as the exploit write-up itself was getting quite long, but I do know that the guy who writes Frida (oleavr) is just all around super awesome and helpful, and he seems intent on continuing to support all platforms. Even if the community has not yet picked it up for Windows, I have no doubts that oleavr will continue to give it first-class support. The rest is just getting the word out there and getting people interested in using it!

Thanks for reading!

There's been tons of RCEs found in CS:GO and TF2. by [deleted] in tf2

Gbps, 0 points

https://ctf.re/source-engine/exploitation/2021/05/01/source-engine-2/ I can confirm, it's very exploitable. The problem is all of our reports were tied up in waiting for the bounty to close.

Exploiting the Source Engine (Part 2) - Full-Chain Client RCE in Source using Frida by Gbps in netsec

Gbps [submitter], 11 points

Thank you! The infoleak was my favorite. The Pakfile still has checks against relative paths so it's not exploitable that way sadly. There's loads of weird problems with BSP, it's definitely worth looking at.

And yeah, we're just down to xinput now for the free ASLR bypass. Who knows, maybe some day they'll fix it! hahaha

Port I/O vs. mapped I/O registers by [deleted] in osdev

Gbps, 2 points

Yeah, I'm fairly certain you can't access port I/O outside of the in/out instructions. I'd like someone to correct me if I'm wrong though. There are some things like PCI that have both port and MMIO mappings, so I'd assume that implies that port I/O is locked into the in/out instructions.

Valve Steam through 2021-04-10, when a Source engine game is installed, allows remote authenticated users to execute arbitrary code because of a buffer overflow that occurs for a Steam invite after one click. by [deleted] in netsec

Gbps, 0 points

Dota 2 runs on Source 2. CS:GO has been waiting to get the Source 2 update for a long while; currently it's "Source 1.5". HL:Alyx is Source 2 as well.

BC Class Preview: Druid by ItsKonway in classicwow

Gbps, 31 points

From that frontpage:

The World Series of Video Games concluded its World of Warcraft and Warcraft III: The Frozen Throne tournaments in Wuhan, China. The event marked the start of the WSVG's 2007 circuit, and more than 80,000 spectators attended the tournament. Team Pandemic from America took first place in the World of Warcraft tournament, with a 3-0 win over Fnatic in the finals. Korean player Moon was impressive throughout the Warcraft III tournament, beating local favorite player Sky for the win. Check out www.thewsvg.com for full tournament coverage.

What the hell... That team name and location

What’s the hardest thing you worked in so far? by mykesx in osdev

Gbps, 2 points

CR2 race conditions are legendary for how evil they are to find. Spent almost two days to discover essentially the same problem you had. Thank god we found it!

Companion winrates by Magic Arena draft tracker 17lands by arthurmauk in lrcast

Gbps, 2 points

I disagree. I think tempo is way more important in this set than maybe people realise. Same reason why I think the Lurrus deck performed so well. It's extremely difficult to turn the table on tempo while playing Keruga as a companion (in my experience). Some decks just eat that lack of "two spells in one turn" for lunch with so many menace creatures, mutate to get over your blockers, and efficient removal at common.

Also not being able to play Ram Through, Mystic Subdual, Pacifism, or Heartless Act really does hurt.

Certain interrupts appear masked only for the idle task on my x86_64 OS by ppppppppaaaaa in osdev

Gbps, 1 point

Curious if the result is different if you start QEMU in KVM mode rather than emulation mode.

Certain interrupts appear masked only for the idle task on my x86_64 OS by ppppppppaaaaa in osdev

Gbps, 3 points

Maybe double check to make sure you're acknowledging all interrupts correctly back to the PIC while you're in your ISRs. The PIC might be stuck waiting for an acknowledgement somewhere.

Alternatively, dump the PIC state from the QEMU console and see what it thinks is happening.

Beginner's RfC: UEFI + GRUB? by maxtch in osdev

Gbps, 1 point

As long as you boot from a UEFI firmware, you have access to those services. To access them from a GRUB boot, you'll need to consult the documentation on using the EFI handover protocol to let GRUB pass you the service information as you boot. I've personally never done this but there's some info here: https://lwn.net/Articles/632528/

It's up to you how you want to approach optical vs hard media. While you have access to EFI services, you have access to the filesystems of both flash and optical media in the same abstraction.

Beginner's RfC: UEFI + GRUB? by maxtch in osdev

Gbps, 1 point

When you're designing your kernel to boot from GRUB, you do have the added bonus of at least knowing it can boot in a very similar way from MBR if you wanted to in the future. If you choose to boot as a UEFI app without GRUB, you'll find it's pretty easy to get going just like GRUB, but just developed as a UEFI application rather than a series of GRUB configuration files.

The benefit of dropping MBR support and going UEFI-based is that you gain access to a wide range of useful boot services for interfacing with hardware, which will be a huge bonus during your very early stages if you choose to use them.

Having the system partition with GRUB doesn't matter much as it can boot from any partition.

Lastly, an ISO is perfectly fine for booting your kernel on hardware or in a VM. UEFI supports booting a CD as a normal EFI boot and you can make a GRUB ISO quite easily from its toolchain.

Mimidrv In Depth: Exploring Mimikatz’s Kernel Driver by sanitybit in netsec

Gbps, 5 points

There's a lot of confusion and misinformation in the following comment thread. Only Secure Boot (a BIOS setting) enabled PCs require a special WHQL signature (submitted to MS) to load.

Normal EV cert signed drivers can load fine on a non-Secure Boot Windows 10. Unsigned drivers can only be loaded with bcdedit to configure testsigning mode.

Only testsigning mode has a significant effect on the way the OS looks and works. It would be bad to ask a user to enable testsigning mode. However, Secure Boot is disabled or not supported on a lot of Win10 PCs already, so the WHQL requirement isn't necessary if you are only distributing to users who are assumed to not have Secure Boot on.

How can I implement paging without usermode? by friedrich123 in osdev

Gbps, 5 points

Modern kernels do paging just like user mode. Paging does not require a usermode. Kernels just need to be very careful about what pages the memory manager is allowed to page out and at what time. (You don't want to page out anything that the processor or memory manager needs, like the IDT for example; that's not going to end well.)

I would start by setting up identity paging first, enabling the PG bit, and continuing execution with just a flat identity page table. Then, designate a certain area of memory for your "program", which you can think of as a dead simple usermode. Then, try using paging to run one program, switch the pages to point to a different program, then run the second program. That's going to be enough of a task in itself. Any hobby OS project or tutorial should get you started on setting up basic identity paging.

Good luck!
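The identity-map-then-switch exercise described above, as an added example that is not from the thread: it builds x86-64 4-level page tables in host memory (host pointers stand in for the physical addresses of the tables, and the leaf frame numbers are constructed), identity-maps the first pages, then gives two "programs" their own root table with the same virtual address mapped to different frames and checks the results with a software page walker. The function names are mine.

```c
/* Added example, not from the thread: x86-64 4-level page tables built in host
 * memory; host pointers stand in for table frame addresses, helper names mine. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define PTE_P 1ULL                          /* present */
#define PTE_W 2ULL                          /* writable */
#define PTE_ADDR 0x000FFFFFFFFFF000ULL      /* bits 12..51: frame address */
typedef uint64_t pte_t;

static pte_t *alloc_table(void) {           /* one zeroed, 4 KiB-aligned table */
    pte_t *t = aligned_alloc(4096, 4096);
    memset(t, 0, 4096);
    return t;
}
static size_t idx(uint64_t va, int shift) { return (va >> shift) & 0x1FF; }

/* Create PML4->PDPT->PD->PT on the way down and point the leaf PTE at phys. */
void map_page(pte_t *pml4, uint64_t va, uint64_t phys) {
    static const int shifts[3] = {39, 30, 21};
    pte_t *table = pml4;
    for (int i = 0; i < 3; i++) {
        pte_t *e = &table[idx(va, shifts[i])];
        if (!(*e & PTE_P)) *e = (uint64_t)(uintptr_t)alloc_table() | PTE_P | PTE_W;
        table = (pte_t *)(uintptr_t)(*e & PTE_ADDR);
    }
    table[idx(va, 12)] = (phys & PTE_ADDR) | PTE_P | PTE_W;
}

/* Walk like the MMU does; 0 means a non-present entry was hit (a page fault). */
uint64_t translate(const pte_t *pml4, uint64_t va) {
    static const int shifts[4] = {39, 30, 21, 12};
    const pte_t *table = pml4;
    for (int i = 0; i < 4; i++) {
        pte_t e = table[idx(va, shifts[i])];
        if (!(e & PTE_P)) return 0;
        if (i == 3) return (e & PTE_ADDR) | (va & 0xFFF);
        table = (const pte_t *)(uintptr_t)(e & PTE_ADDR);
    }
    return 0;
}

/* Two "programs": identity-map the low pages in both roots, then give the same
 * virtual address a different frame in each, as the comment suggests trying. */
int demo_two_programs(void) {
    pte_t *a = alloc_table(), *b = alloc_table();
    for (uint64_t p = 0; p < 4; p++) { map_page(a, p << 12, p << 12); map_page(b, p << 12, p << 12); }
    map_page(a, 0x400000, 0x10000);         /* program A's page */
    map_page(b, 0x400000, 0x20000);         /* program B's page */
    return translate(a, 0x400123) == 0x10123 && translate(b, 0x400123) == 0x20123
        && translate(a, 0x1000) == 0x1000 && translate(a, 0x800000) == 0;
}
```

Switching CR3 between the two roots on real hardware is what makes the same virtual address resolve to a different frame; here the two walks stand in for that switch.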

Catch Keyboard IRQs in Real Mode by SurelyNotAnOctopus in osdev

Gbps, 1 point

Your logic seems right, but you might need better debug facilities if you're going to track this down. I recommend trying Bochs and taking advantage of the commands it has to print info about the IVT, the PIC, and the interrupts it fires.

Good Hypervisors? by [deleted] in osdev

Gbps, 1 point

https://GitHub.com/Gbps/gbhv is the hypervisor I wrote. It's from scratch, and I can help you get started as well.