BIOS / UEFI ROM Analysis

Low-level firmware audit using the Intel Chipsec framework: detection of SMM backdoors, SPI flash modifications, UEFI bootkits and persistent BIOS implants that survive an OS reinstallation.

💰 Price Starting from €4,500
📅 Typical engagement 3–7 business days
🔒 Confidentiality NDA available

🔍 Investigation Methodology

🔹 SPI flash readout (dedicated programmer)
🔹 Intel Chipsec framework analysis
🔹 SMM (System Management Mode) integrity check
🔹 UEFI firmware module extraction
🔹 Secure Boot / Boot Guard verification
🔹 BIOS write protection bypass detection
🔹 Flash descriptor & ME region analysis
📦 Supported chipsets: Intel (6 Series through 800 Series), AMD (Promontory); SPI flash: Winbond, Macronix, GigaDevice

📋 Example Investigation Scenario

MacBook Pro – Suspicious SMM activity & persistent backdoor

🔧 1. Hardware Teardown & SPI Flash Extraction

Laptop PCB – SPI flash location

Laptop PCB – SPI flash (Winbond W25Q128, 128 Mbit / 16 MB)

SOIC-8 clip connected to SPI flash

SOIC-8 clip – in-system programming

SPI programmer connected to flash

SPI programmer – full flash dump

πŸ“ Finding: BIOS dump size: 16MB. Hash mismatch – unauthorized modification detected.

🔬 2. Intel Chipsec Framework Analysis

$ python chipsec_main.py -m common.bios_wp

[*] Running module: common.bios_wp
[+] BIOS Region: Base 0xFF800000, Limit 0xFFFFFFFF
[!] BIOS Control: BIOSWE = 1 (BIOS Write Enable) – BIOS region writable from the OS
[!] SPI Configuration: PR0 (Protected Range 0) = 0x00000000 – no protected range covers the BIOS region

$ python chipsec_main.py -m common.smm

[*] Checking SMM (System Management Mode) integrity
[!] SMI handler at 0x7F123456 – outside known good range
[!] SMM memory overlap detected (suspicious code injection)

$ python chipsec_main.py -m common.secureboot.variables

[*] Secure Boot status: Enabled, but non-vendor (custom) keys are enrolled
[!] dbx (forbidden signatures) – empty (revocation list missing)
[!] Additional UEFI driver on the ESP: /Volumes/ESP/EFI/Boot/AppleNvramSync.efi

🔍 Chipsec findings:
• BIOS write protection disabled – an attacker could flash a modified image from the OS
• SMM memory corruption – potential ring -2 backdoor
• Suspicious UEFI driver on the ESP – bootkit persistence
• Secure Boot weakened – custom keys enrolled and no dbx revocation list
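What those write-protection register values mean, as an added example that is not chipsec code: it decodes BIOS_CNTL, HSFS and the PRx registers from the raw values chipsec prints and reproduces, in simplified form, the reasoning behind the bios_wp verdict. The BIOS region is protected when BIOSWE is clear and locked by BLE (with SMM_BWP so that only SMM can ever set it), or when WPE-enabled protected ranges cover the whole region and FLOCKDN stops them being reprogrammed. Bit positions follow the Intel PCH datasheets; the register values below are constructed to mirror the finding above and a hardened counterpart.

```python
"""Decode the PCH registers behind chipsec's common.bios_wp / common.spi_lock (added example)."""


def decode_bios_cntl(value):
    """BIOS_CNTL: bit 0 BIOSWE, bit 1 BLE, bit 5 SMM_BWP."""
    return {"BIOSWE": value & 1, "BLE": (value >> 1) & 1, "SMM_BWP": (value >> 5) & 1}


def decode_pr(value):
    """PRx -> (base, limit, wpe, rpe): base bits 12:0 and limit bits 28:16 in 4 KiB units,
    bit 31 write-protect enable, bit 15 read-protect enable. An all-zero PR protects nothing."""
    base = (value & 0x1FFF) << 12
    limit = (((value >> 16) & 0x1FFF) << 12) | 0xFFF
    return base, limit, (value >> 31) & 1, (value >> 15) & 1


def covers(ranges, base, limit):
    """True when the union of the ranges covers [base, limit] without a gap."""
    cursor = base
    for lo, hi in sorted(ranges):
        if lo > cursor:
            break
        cursor = max(cursor, hi + 1)
    return cursor > limit


def assess_bios_wp(bios_cntl, hsfs, prs, bios_region):
    """{'protected': bool, 'findings': [...]} for a BIOS region given as flash-linear (base, limit)."""
    bc = decode_bios_cntl(bios_cntl)
    flockdn = (hsfs >> 15) & 1                       # HSFS bit 15: SPI configuration locked
    findings = []
    if bc["BIOSWE"]:
        findings.append("BIOSWE=1: BIOS region is writable")
    if not bc["BLE"]:
        findings.append("BLE=0: BIOSWE can be set from ring 0 without raising an SMI")
    if not bc["SMM_BWP"]:
        findings.append("SMM_BWP=0: BIOS writes are not restricted to SMM")
    if not flockdn:
        findings.append("FLOCKDN=0: protected ranges can be reprogrammed at runtime")
    wp_ranges = [(lo, hi) for lo, hi, wpe, _ in map(decode_pr, prs) if wpe]
    pr_cover = covers(wp_ranges, *bios_region)
    if not pr_cover:
        findings.append("no WPE protected range covers the whole BIOS region")
    register_wp = bc["BIOSWE"] == 0 and bc["BLE"] == 1
    return {"protected": bool(register_wp or (pr_cover and flockdn)), "findings": findings}


# Constructed register values: the finding above (BIOSWE set, PR0 clear) beside a
# hardened configuration, both for the 8 MB BIOS region at the top of a 16 MB flash.
BIOS_REGION = (0x800000, 0xFFFFFF)
AS_FOUND = dict(bios_cntl=0x01, hsfs=0x0000, prs=[0, 0, 0, 0, 0])
HARDENED = dict(bios_cntl=0x22, hsfs=0x8000, prs=[0x8FFF0800, 0, 0, 0, 0])

if __name__ == "__main__":
    for label, regs in (("as found", AS_FOUND), ("hardened", HARDENED)):
        result = assess_bios_wp(bios_region=BIOS_REGION, **regs)
        print(label + ":", "protected" if result["protected"] else "NOT protected")
        for finding in result["findings"]:
            print("  -", finding)
```

A protected range alone is not enough: with FLOCKDN clear the OS can simply rewrite PR0, which is why the assessment only credits PR coverage when the SPI configuration is locked.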

📦 3. UEFI Firmware Module Extraction

$ UEFIExtract bios_dump.bin

GUID                                     Name                      Type
--------------------------------------------------------------------------------
7A5F4B8C-1234-5678-9ABC-DEF012345678     Setup                    PE32
D9C5A1F2-B9B8-4C2B-8A3C-123456789ABC     BootPolicy               RAW
A1B2C3D4-E5F6-7890-ABCD-EF1234567890     SmiHandler               PE32 (suspicious)

$ strings SmiHandler.efi | head -10
SmmRuntimeInit
HookRuntimeServices
UpdateBootPolicy
NvStorageSync
TelemetryAgent
SyncWorker
PlatformStateCheck

πŸ“ Findings:
β€’ Undocumented UEFI driver (SmiHandler.efi) – not in vendor image
β€’ Strings reveal SMM backdoor functionality (HookRuntimeServices, UpdateBootPolicy)
β€’ RSA private key embedded – likely for C2 communication
β€’ Module designed to persist after BIOS update
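How the "not in the vendor image" determination is made at the file level, as an added example that is not UEFIExtract or the page's own tooling: it walks the FFS file headers of one firmware volume (for instance a volume UEFIExtract wrote out) and diffs the file set against the vendor copy by GUID, so an added module or a module whose body differs is reported. Both volumes are constructed; the GUIDs reuse the ones from the listing above and are illustrative, not real vendor module GUIDs.

```python
"""List FFS files in a UEFI firmware volume and diff them against the vendor build (added example)."""
import struct
import uuid

FILE_TYPES = {0x01: "RAW", 0x02: "FREEFORM", 0x05: "DXE_CORE", 0x07: "DRIVER",
              0x09: "APPLICATION", 0x0A: "SMM", 0x0C: "SMM_CORE", 0xF0: "PAD"}


def ffs_files(fv):
    """(guid, type, body) per file. EFI_FFS_FILE_HEADER is 24 bytes: Name GUID, IntegrityCheck
    u16, Type u8, Attributes u8, Size u24, State u8; files are 8-byte aligned, free space is 0xFF."""
    if fv[0x28:0x2C] != b"_FVH":
        raise ValueError("not a firmware volume")
    end = min(struct.unpack_from("<Q", fv, 0x20)[0], len(fv))   # FvLength
    pos = struct.unpack_from("<H", fv, 0x30)[0]                 # HeaderLength: first file
    files = []
    while pos + 24 <= end:
        name = fv[pos:pos + 16]
        if name == b"\xFF" * 16:
            break                                               # free space from here on
        ftype = fv[pos + 18]
        size = int.from_bytes(fv[pos + 20:pos + 23], "little")
        if size < 24 or pos + size > end:
            raise ValueError("corrupt file header at 0x%X" % pos)
        files.append((uuid.UUID(bytes_le=bytes(name)),
                      FILE_TYPES.get(ftype, "0x%02X" % ftype), fv[pos + 24:pos + size]))
        pos = (pos + size + 7) & ~7
    return files


def diff_files(dump_fv, vendor_fv):
    """Files added, modified (same GUID, different body) or removed relative to the vendor volume."""
    dump = {g: (t, body) for g, t, body in ffs_files(dump_fv)}
    vendor = {g: (t, body) for g, t, body in ffs_files(vendor_fv)}
    return {
        "added": [(str(g), dump[g][0]) for g in dump if g not in vendor],
        "modified": [(str(g), dump[g][0]) for g in dump if g in vendor and dump[g][1] != vendor[g][1]],
        "removed": [(str(g), vendor[g][0]) for g in vendor if g not in dump],
    }


def build_fv(files):
    """Constructed FFS2 volume: 0x48-byte header followed by (guid, type, body) files."""
    fv = bytearray(b"\xFF" * 0x48)
    fv[0x10:0x20] = uuid.UUID("8C8CE578-8A3D-4F1C-9935-896185C32DD3").bytes_le  # FFS2 filesystem GUID
    fv[0x28:0x2C] = b"_FVH"
    struct.pack_into("<H", fv, 0x30, 0x48)
    for guid, ftype, body in files:
        size = 24 + len(body)
        fv += guid.bytes_le + b"\x00\x00" + bytes([ftype, 0x00]) + size.to_bytes(3, "little") + b"\xF8"
        fv += body
        fv += b"\xFF" * (-len(fv) % 8)                          # 8-byte file alignment
    fv += b"\xFF" * 0x40                                        # trailing free space
    struct.pack_into("<Q", fv, 0x20, len(fv))
    return bytes(fv)


# GUIDs from the listing above, used here only as illustrative identifiers.
SETUP = uuid.UUID("7A5F4B8C-1234-5678-9ABC-DEF012345678")
BOOT_POLICY = uuid.UUID("D9C5A1F2-B9B8-4C2B-8A3C-123456789ABC")
SMI_HANDLER = uuid.UUID("A1B2C3D4-E5F6-7890-ABCD-EF1234567890")


def sample_vendor_fv():
    return build_fv([(SETUP, 0x07, b"MZ vendor Setup driver"),
                     (BOOT_POLICY, 0x01, b"boot policy v1")])


def sample_dump_fv():
    return build_fv([(SETUP, 0x07, b"MZ vendor Setup driver"),
                     (BOOT_POLICY, 0x01, b"boot policy v1 UpdateBootPolicy"),
                     (SMI_HANDLER, 0x0A, b"MZ SmmRuntimeInit HookRuntimeServices")])


if __name__ == "__main__":
    for guid, ftype, body in ffs_files(sample_dump_fv()):
        print(guid, ftype, len(body), "bytes")
    print(diff_files(sample_dump_fv(), sample_vendor_fv()))
```

Diffing by file GUID rather than by module name matters because an implant can reuse a legitimate-looking name; the GUID of the SMM file is what ties it to nothing in the vendor build.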

πŸ’£ 4. Vulnerability Assessment (CVE)

CVE-2021-33121 CVSS 7.8

BIOS Write Protection Bypass

Insufficient input validation in SPI flash controller driver.

CVE-2022-26837 CVSS 8.2 HIGH

SMM Privilege Escalation

Buffer overflow in SMI handler allows ring -2 code execution.

CVE-2022-21894 CVSS 7.5

Secure Boot Bypass

Boot Manager vulnerability allows unsigned EFI modules.

🎯 Exploit Chain (reconstructed from artifacts):

1. CVE-2021-33121 β†’ disabled BIOS write protection
2. CVE-2022-26837 β†’ executed arbitrary code in SMM (ring -2)
3. Deployed malicious UEFI driver β†’ hooks runtime services
4. CVE-2022-21894 β†’ bypassed Secure Boot persistence
5. BIOS implant survives OS reinstall and updates

⚠️ 5. Indicators of Compromise (IOC)

Suspicious UEFI modules:
- SmiHandler.efi (SHA256: 7c8a2e4f6b1d9a3c5e7f8b2a4c6d8e0f2a4b6c8d0e2f4a6b8c0d2e4f6a8b0c2d)
- BootPolicy.raw (SHA256: 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b)

SPI flash anomalies:
- PR0 (Protected Range 0) = 0x00000000 (no protected range)
- BIOS Control register: BIOSWE = 1
- Extra PE32 module outside any firmware volume

Network indicators:
- Outbound connections to: update.intel-service[.]com
- Beaconing every 60 seconds to: 185.130.5[.]253:443

📄 Deliverables

📑 Full BIOS dump + diff report
🗺️ Chipsec module output (all checks)
⚠️ IOC list (domains, IPs, hashes)
🛠️ Remediation roadmap (including clean BIOS)
📸 Extraction photos + logs
🔬 UEFI module reverse engineering

⚠️ Not Included

❌ Source code review (unless provided)
❌ Physical chip replacement or re-flashing (optional extra)

Ready to audit your BIOS/UEFI firmware?

Submit a request or ask for a confidential quote. Starting from €4,500

📩 Request Investigation 💰 Get Quote

🔐 All communication encrypted • PGP key available on contact page