A Compendium to UEFI Hacking

There are quite a few operating/execution environments running below or before an Operating System's kernel. Computer science calls protection domains "Rings" and an Operating system's kernel is called "Ring 0" or "Supervisor mode". Researchers have called the lower-level environments Ring -1 (Hypervisor mode), and Ring -3 ("system management mode"), and they are fairly apt-names. I like to bundle all of these into a scary-but-funny-and-fitting name subzero, dun dun dun!

Intel and the UEFI (Universal Extensible Firmware Interface) forum embody a really awesome subzero concept highlighted in the UEFI acronym-expansion. That is, applying standards to highly-privileged protection domains allows software engineers and vendors to take advantage of each other's development and security improvements. Never-the-less, standards and their implementation-specific variations attract security researches too!

Click to read more ...


Embedded Trust (P2): U-Boot Secured Boot

This post will function as a short walk through for installing and using a TPM on a BeagleBone to implement a Secured Boot (wooo...). I will use an example Secure Boot implementation called libsboot for U-Boot. Let's jump right in with a schematic for the (mostly) required additions to the BeagleBone.

Click to read more ...


Defcon 20 NFPC Round 4 - Easy Mode

This is an 'easy mode' guide to the NFPC at Defcon 20. Let's begin: starting at packet 253, there is a TCP/LPD session from to A quick scan of the reconstructed session reveals little:

Having never seen LPD traffic, we gave the RFC 1179 a quick read, lucky it's relatively short.

Click to read more ...


Embedded Trust (P1): Beginning to trust my BeagleBone

I plan to have a series of posts outlining my curiosity with embedded development and trust. Let's start with poking around where my (our) trust lies when deciding on a SoC for embedded development, using the BeagleBone [SRM] as an example. In this post we'll move trust from CircuitCO's (the Bone manufacture) included bootloaders, Angstrom Linux kernel, and Angstrom development environment to your own compiled bootloaders, kernel, and OS.

Click to read more ...


How To: DIY (Improved) Inexpensive Fog Screen

Last month we built an improved version of the DIY Fog Screen found here.

We call it "improved" since we managed to create a thinner sheet of fog, maintain the projection longer (a fog machine is bursty), and thicken the sheet. We use the same technique of creating a laminar flow. Instead of using a window fan we installed 10 120mm [17] computer fans with a variable speed controller [20] to optimize the flow, since we did not know the fog density.

Since the original article doesn't explain the steps / tools / resources required to create a DIY Fog Screen, we'd like to take the opportunity and provide a "how to". In a nut shell, the screen needs to distribute "fog machine"-fog from end-to-end, width-wise, and keep the fog flowing downward sandwiched between two flows of air.

Click to read more ...