Hi,
I want to see if my motherboard is vulnerable to the LogoFAIL exploit. A lot of motherboard manufacturers are being vague about new BIOS updates, and I saw some threads saying that my motherboard brand didn't even allow a custom image to be loaded. How can I test this for myself?
I don't wanna have to install Plymouth. I'm using a unified kernel image, so would I have to modify that to include the picture somehow? Or could this be done with efibootmgr or some other tool?
Thank you.
Offline
You can copy the motherboard's splash image from /sys/firmware/acpi/bgrt and use that with a UKI, if that's what you mean.
I've not used Plymouth so I don't know how that works. You can disable the manufacturer logo with the nobgrt kernel parameter but that can't affect the firmware boot stage, you will need to check the firmware options otherwise.
Para todos todo, para nosotros nada
Offline
Well, from my understanding, the firmware gets a splash image from the efi. This is how LogoFAIL works, by accessing the efi and loading an image into the firmware. My question is how would I load an image into the firmware, without using tools such as Plymouth, to see if my motherboard supports loading custom images. If my motherboard doesn't allow loading custom images, that means that I'm safe from LogoFAIL.
Offline
What do you mean by "the efi"? I thought the image was stored in the UEFI firmware but that's just a supposition.
Anyway, I can't find a way to change the motherboard splash image from Linux and I've never owned a PC with a firmware option to do that.
Para todos todo, para nosotros nada
Offline
Plymouth seems to be a red herring here as that does something completely different. Plymouth doesn't affect the firmware logo - Plymouth only takes effect much later in the boot process and shows a splash screen in place of the normal kernel messages.
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Offline
> What do you mean by "the efi"? I thought the image was stored in the UEFI firmware but that's just a supposition.
The image is stored in the UEFI firmware after getting there somehow, I'm trying to figure out how the image gets in the UEFI firmware.
> Anyway, I can't find a way to change the motherboard splash image
Thank you for your help anyway.
> Plymouth seems to be a red herring here as that does something completely different. Plymouth doesn't affect the firmware logo - Plymouth only takes effect much later in the boot process and shows a splash screen in place of the normal kernel messages.
Ah okay, that makes sense now.
Would it be possible to just write a bitmap image to "/sys/firmware/acpi/bgrt" ?
Offline
> Would it be possible to just write a bitmap image to "/sys/firmware/acpi/bgrt" ?
That is the image. You can certainly retrieve (i.e., copy) the current image from there. However, I believe that may be a read-only interface.
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Offline
> I'm trying to figure out how the image gets in the UEFI firmware
Presumably it was flashed onto the board ROM along with the proprietary operating system that runs on the UEFI firmware.
Last edited by Head_on_a_Stick (2024-07-24 14:22:10)
Para todos todo, para nosotros nada
Offline
> proprietary operating system that runs on the UEFI firmware.
I'm running Arch Linux, or am I understanding you wrong?
But there must be a way to flash the image to the motherboard, right? If an exploit like LogoFAIL exists. I know Microsoft Windows tries to flash its image to the motherboard.
Offline
> I'm running Arch Linux, or am I understanding you wrong?
Arch Linux is the OS that you installed. Then there is also a UEFI system "installed" by the manufacturer.
> But there must be a way to flash the image to the motherboard, right?
Yes, but that 1) doesn't mean it's easy, 2) doesn't mean it can be done from software, 3) may require a chip programmer connected to the main board or relevant NVRAM chip. (Note I say "may" here as I'm not entirely sure these limitations all exist, but they all could.)
> I know Microsoft Windows tries to flash its image to the motherboard.
It does? How do you know this? I've not used Windows in a long time, but I've never seen a MS/Win logo replace a manufacturer logo screen. And why do you say "tries", is it - in your experience - successful or not?
Again, there may be a way to do this, but it would require writing to areas of the UEFI NVRAM that are typically read-only. It seems that some UEFI systems may have an option to expose this area as writable for certain software tools. But this would require 1) a UEFI system that allows this, 2) toggling that setting to make the image writable, then 3) software designed to interact with that UEFI system to write the image.
Your focus on this thread has been on that third part - but in your very first post you said the information you found indicates that your mobo brand doesn't meet the first criteria. So do you want to know if you're safe from this attack vector, or do you want to change the logo? Do you have a toggleable setting in your UEFI / "BIOS" settings to make the image writable?
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Offline
> Yes, but that 1) doesn't mean it's easy, 2) doesn't mean it can be done from software, 3) may require a chip programmer connected to the main board or relevant NVRAM chip. (Note I say "may" here as I'm not entirely sure these limitations all exist, but they all could.)
If this whole thing is so difficult to do, then LogoFAIL wouldn't be this much of an issue as it is.
> why do you say "tries"
Wrong wording, I've seen the logo replaced before.
> Again, there may be a way to do this, but it would require writing to areas of the UEFI NVRAM that are typically read-only. It seems that some UEFI systems may have an option to expose this area as writable for certain software tools. But this would require 1) a UEFI system that allows this, 2) toggling that setting to make the image writable, then 3) software designed to interact with that UEFI system to write the image.
Again, LogoFAIL wouldn't be as big of an issue as it is. Here's the POC by the research team that found it. The video describes that they're writing to NVRAM. https://www.youtube.com/watch?v=EufeOPe6eqk
> So do you want to know if you're safe from this attack vector, or do you want to change the logo?
I want to know if I'm safe, by trying to change the image myself.
> Do you have a toggleable setting in your UEFI / "BIOS" settings to make the image writable?
No
Offline
> If this whole thing is so difficult to do, then LogoFAIL wouldn't be this much of an issue as it is.
That's completely nonsensical. The fact that a company that specializes in firmware with highly educated programmers and engineers can demonstrate that a firmware vulnerability exists, doesn't mean it's easy to do.
So really you're asking here for forum members to help you implement an immoral and quite possibly illegal high-level computer attack. I gave you the benefit of the doubt up to this point that this wasn't really what the thread was, but it is. Such activities are not allowed on these forums.
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Offline
> That's completely nonsensical. The fact that a company that specializes in firmware with highly educated programmers and engineers can demonstrate that a firmware vulnerability exists, doesn't mean it's easy to do.
I showed you that YouTube video to demonstrate that people do think that this is a big deal. If you search up LogoFAIL, you will find many articles talking about the simplicity and danger of the attack.
> So really you're asking here for forum members to help you implement an immoral and quite possibly illegal high-level computer attack. I gave you the benefit of the doubt up to this point that this wasn't really what the thread was, but it is. Such activities are not allowed on these forums.
Why do you think that? The image that you're writing to a motherboard still has to exploit the image libraries being used by the motherboard to display the image. I'm not asking anyone here to help me write a harmful file.
Offline
From reading https://i.blackhat.com/EU-23/Presentati … e_REV2.pdf I can see that some UEFI firmware implementations will load images from a fixed location on the ESP, the example given in the presentation was /EFI/OEM/Logo.jpg, other locations may be used by different implementations. Check your motherboard documentation for details.
Para todos todo, para nosotros nada
Offline
> Hi,
> I want to see if my motherboard is vulnerable to the LogoFAIL exploit. A lot of motherboard manufacturers are being vague about new BIOS updates, and I saw some threads saying that my motherboard brand didn't even allow a custom image to be loaded. How can I test this for myself?
> I don't wanna have to install Plymouth. I'm using a unified kernel image, so would I have to modify that to include the picture somehow? Or could this be done with efibootmgr or some other tool?
> Thank you.
Hi, I also searched about this topic for a better understanding of the LogoFAIL exploit.
Here https://www.binarly.io/advisories/brly-2023-006 I found some details about how some UEFI BIOS might load the splash image from the EFI partitions.
Basically it is "enough" to set some (U)EFI variables, LBLDESP and LBLDVC, with respectively the path of the image and its checksum. The details change between the different implementations.
Here https://www.binarly.io/blog/logofail-ex … -for-linux you can see the description about bootkitty. And if you look at the images there is a step where the attacker sets LBLDESP and LBLDVC UEFI variables.
Offline
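A read-only check for the inputs named in the posts above (the LBLDESP and LBLDVC variables, and logo files on the ESP), as an added example that is not part of any post in this thread. The function names and the /boot ESP mount point are assumptions, and the ESP search is deliberately broader than the single /EFI/OEM/Logo.jpg path mentioned.

```shell
#!/bin/sh
# Added example: read-only audit of the logo inputs named in this thread.
# Usage (root is needed to read the BGRT image): sh logo_audit.sh --run [ESP]

# efivarfs names entries "<Name>-<VendorGUID>"; match both names on any GUID.
find_logo_vars() {
    for f in "$1"/LBLDESP-* "$1"/LBLDVC-*; do
        if [ -e "$f" ]; then basename "$f"; fi
    done
}

# Image files anywhere under EFI/ on the ESP, not only /EFI/OEM/Logo.jpg.
find_esp_images() {
    if [ -d "$1/EFI" ]; then
        find "$1/EFI" -type f \( -iname '*.bmp' -o -iname '*.jpg' \
            -o -iname '*.jpeg' -o -iname '*.png' -o -iname '*.gif' \) | sort
    fi
}

# SHA-256 of the logo the firmware reported through ACPI BGRT, if readable.
# Keeping this value lets a later run notice that the displayed logo changed.
bgrt_hash() {
    if [ -r "$1/image" ]; then sha256sum < "$1/image" | cut -d' ' -f1; fi
}

# audit EFIVARS_DIR ESP_DIR BGRT_DIR: one line per finding, then a count.
audit() {
    vars=$(find_logo_vars "$1")
    imgs=$(find_esp_images "$2")
    hash=$(bgrt_hash "$3")
    n=0
    for item in "$vars" "$imgs"; do
        if [ -n "$item" ]; then
            n=$((n + $(printf '%s\n' "$item" | wc -l)))
        fi
    done
    if [ -n "$vars" ]; then printf '%s\n' "$vars" | sed 's/^/efivar present: /'; fi
    if [ -n "$imgs" ]; then printf '%s\n' "$imgs" | sed 's/^/image on ESP: /'; fi
    echo "bgrt sha256: ${hash:-unavailable}"
    echo "findings: $n"
}

if [ "${1:-}" = "--run" ]; then
    # /boot as the ESP mount point is an assumption; pass yours as $2.
    audit /sys/firmware/efi/efivars "${2:-/boot}" /sys/firmware/acpi/bgrt
fi
```

A count of zero means only that none of these inputs is present right now; it says nothing about whether the firmware would parse them.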