Welcome to the dark corner of BIOS reverse engineering, code injection and various modification techniques only deemed by those immensely curious about BIOS

Tuesday, April 21, 2009

BIOS Binary File Editing with Vim in Linux

I didn't realize until just now that Vim actually has quite a neat binary file editing mode. Let's have a quick look at this mode. First, you have to start Vim and tell it explicitly that you want to edit a binary file. This is important because if you don't, Vim is guaranteed to alter the file in ways you don't expect. To do it, open the file using the '-b' switch like this:
vim -b [file name]
For example let's have a look at a sample BIOS file:
pinczakko@opusera:~/temp/bios_reversing$ vim -b 8IPE775P.BIN
This is the result: Now, that doesn't look like a convenient way of editing a binary file. Therefore, let's convert it into a better-looking form, called the xxd file, by using the following Vim command:
:%!xxd
This is what we got: At this point, you can edit the hex values in the middle column shown in the figure above. The drawback of Vim is that the changes are not reflected immediately in the other columns. Assuming that you have finished editing the binary file, you should convert the xxd file back to its original binary form. This is accomplished with the following Vim command:
:%!xxd -r
After that, you should save it back with the following Vim command:
:w
The help that comes with Vim explains the details of the procedure in section 23.4, under section 23 (Editing Other Files). More experiments still need to be done to ensure that Vim is reliable enough for binary editing. But this is a very good starting point.

Thursday, April 2, 2009

My BIOS Security Presentation on AI3 Meeting 2006

With all the fuss around BIOS rootkits at CanSecWest, I have to say that it's already a long-known fact. In 2006 I presented the possibility at the AI3 Meeting at ITB (Bandung Institute of Technology). These are the presentation contents:

Tuesday, February 17, 2009

Fujitsu-Siemens BIOS File Structure

This is a quick post. It will be updated later. It's just here to remind me (I haven't written it down anywhere yet).

The Fujitsu-Siemens BIOS binary distributed on its website is not a plain BIOS binary that you can flash directly to their motherboards without using its proprietary tool. The BIOS file structure is quite peculiar compared with other vendors'. Here it is:

+--------------------------------+
| Some unidentified header (yet) |
+--------------------------------+
|   "real" BIOS binary           |
+--------------------------------+
| 1-byte 8-bit checksum          |
+--------------------------------+
On quick inspection, the header ends at offset 0x70 from the beginning of the BIOS file distributed by Fujitsu-Siemens. The particular BIOS I'm working on contains an altered AMI BIOS
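A way to test the layout above against a file, as an added example that is not part of the original post: it splits the file into header, body and trailing byte and reports which candidate 8-bit checksum conventions the trailing byte satisfies. The header length of 0x70 bytes, the four conventions and the power-of-two heuristic are assumptions to check, not documented vendor behaviour, and the sample file is constructed.

```python
# Added example: the layout comes from the diagram above; the checksum
# conventions tested here are assumptions, not vendor documentation.
HEADER_LEN = 0x70  # assumption: the header occupies bytes 0x00..0x6F


def split_image(blob: bytes, header_len: int = HEADER_LEN):
    """Return (header, body, stored_checksum) for the three-part layout."""
    if len(blob) < header_len + 2:
        raise ValueError("too short for header + body + checksum byte")
    return blob[:header_len], blob[header_len:-1], blob[-1]


def sum8(data: bytes) -> int:
    """8-bit additive checksum: sum of all bytes modulo 256."""
    return sum(data) & 0xFF


def checksum_hypotheses(blob: bytes, header_len: int = HEADER_LEN) -> dict:
    """Report which candidate conventions the trailing byte satisfies."""
    header, body, stored = split_image(blob, header_len)
    return {
        "body sum == stored": sum8(body) == stored,
        "body + stored sums to 0": (sum8(body) + stored) & 0xFF == 0,
        "header + body sum == stored": sum8(header + body) == stored,
        "whole file sums to 0": sum8(blob) == 0,
    }


def body_len_is_power_of_two(blob: bytes, header_len: int = HEADER_LEN) -> bool:
    """Heuristic: flash parts are power-of-two sized, so a body that is too
    supports the chosen header length."""
    n = len(split_image(blob, header_len)[1])
    return n & (n - 1) == 0


def build_sample() -> bytes:
    """Constructed test file (not a real BIOS): 0x70-byte header, 1 KiB body,
    and a trailing byte that makes body + checksum sum to zero."""
    header = b"HDR" + bytes(HEADER_LEN - 3)
    body = b"\x55" * 1023 + b"\x01"
    return header + body + bytes([(-sum8(body)) & 0xFF])


if __name__ == "__main__":
    sample = build_sample()
    for name, ok in checksum_hypotheses(sample).items():
        print(f"{'match' if ok else 'no   '}  {name}")
    print("body length is a power of two:", body_len_is_power_of_two(sample))
```

If no convention matches a real file, the header length or the range covered by the checksum is probably different from what is assumed here.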

Sunday, February 8, 2009

A Gentle Introduction to BIOS File Structure

The BIOS File Structure in its purest form will look like this:


+---------------------------+
|        Bootblock          |
+---------------------------+
|Compressed BIOS components |
+---------------------------+
The bootblock code is responsible for decompressing the compressed BIOS components, for doing very early platform initialization (just enough for the BIOS decompression process to run flawlessly), and for carrying out the BIOS recovery procedure in certain bad BIOS flash scenarios. Mind you, not every bad BIOS flash scenario can be recovered.

As far as I know, BIOS from Award-Phoenix (and its older ancestors Award, Inc. and Phoenix Technologies), AMI BIOS Inc., and all other BIOS vendors use this BIOS file structure. This BIOS file structure may be used in the BIOS binary file distributed directly by hardware vendors. However, it's possible that the BIOS distributed by the vendor has been altered in some way in order to do some more sanity checks during the BIOS flashing process. In the latter case, the BIOS file format won't be exactly as shown above; it will probably be compressed, or have some particular information prepended, inserted, or appended to the distributed BIOS binary file.