How do i change my boot logo like plymouth does?

masenko · 2024-07-20 08:13:13

Hi,

I want to see if my motherboard is vulnerable to the logoFAIL exploit, a lot of motherboard manufacturers are being vague about new bios updates, and i saw some threads saying that my motherboard brand didn't even allow a custom image to be loaded. How can i test this for myself?

I don't wanna have to install plymouth, i'm using a unified kernel image, so would i have to modify that to include the picture somehow? Or could this be done with efibootmgr or some other tool?

Thank you.

Head_on_a_Stick · 2024-07-20 16:22:34

You can copy the motherboard's splash image from /sys/firmware/acpi/bgrt and use that with a UKI, if that's what you mean.

I've not used Plymouth so I don't know how that works. You can disable the manufacturer logo with the nobgrt kernel parameter but that can't affect the firmware boot stage, you will need to check the firmware options otherwise.

masenko · 2024-07-22 09:15:40

Well from my understanding, the firmware gets a splash image from the efi. This is how logofail works, by accessing the efi and loading an image into the firmware. My question is how would i load an image into the firmware, without using tools such as plymouth, to see if my motherboard supports loading custom images. If my motherboard doesn't allow loading custom images, that means that i'm safe from logofail.

Head_on_a_Stick · 2024-07-22 13:15:11

What do you mean by "the efi"? I thought the image was stored in the UEFI firmware but that's just a supposition.

Anyway, I can't find a way to change the motherboard splash image from Linux and I've never owned a PC with a firmware option to do that.

Trilby · 2024-07-22 14:18:45

Plymouth seems to be a red herring here as that does something completely different. Plymouth doesn't affect the firmware logo - plymouth only takes affect much later in the boot process and shows a splash screen in place of the normal kernel messages.

masenko · 2024-07-23 08:14:34

Head_on_a_Stick wrote:

What do you mean by "the efi"? I thought the image was stored in the UEFI firmware but that's just a supposition.

The image is stored in the UEFI firmware after getting there somehow, i'm trying to figure out how the image gets in the UEFI firmware.

Head_on_a_Stick wrote:

Anyway, I can't find a way to change the motherboard splash image

Thank you for your help anyway.

Trilby wrote:

Plymouth seems to be a red herring here as that does something completely different. Plymouth doesn't affect the firmware logo - plymouth only takes affect much later in the boot process and shows a splash screen in place of the normal kernel messages.

Ah okay, that makes sense now.

Would it be possible to just write a bitmap image to "/sys/firmware/acpi/bgrt" ?

Trilby · 2024-07-23 13:12:13

masenko wrote:

Would it be possible to just write a bitmap image to "/sys/firmware/acpi/bgrt" ?

That is the image. You can certainly retrieve (i.e., copy) the current image from there. However, I believe that may be a read-only interface.

Head_on_a_Stick · 2024-07-24 14:21:46

masenko wrote:

i'm trying to figure out how the image gets in the UEFI firmware

Presumably it was flashed onto the board ROM along with the proprietary operating system that runs on the UEFI firmware.

Last edited by Head_on_a_Stick (2024-07-24 14:22:10)

masenko · 2024-07-25 09:51:53

Head_on_a_Stick wrote:

proprietary operating system that runs on the UEFI firmware.

I'm running arch linux, or am i understanding you wrong?

But there must be a way to flash the image to the motherboard right? If an exploit like logoFAIL exists. I know microsoft windows tries to flash it's image to the motherboard.

Trilby · 2024-07-25 12:24:55

masenko wrote:

I'm running arch linux, or am i understanding you wrong?

Arch linux is the OS that you installed. The there is also a uefi system "installed" by the manufacturer.

masenko wrote:

But there must be a way to flash the image to the motherboard right?

Yes, but that 1) doesn't mean it's easy, 2) doesn't mean it can be done from software, 3) may require a chip programmer connected to the main board or relevant nvram chip. (note I say "may" here as I'm not entirely sure these limitations all exist, but they all could).

masenko wrote:

I know microsoft windows tries to flash it's image to the motherboard.

It does? How do you know this? I've not used windows in a long time, but I've never seen a MS/Win logo replace a manufacturer logo screen. And why do you say "tries", is it - in your experience - successful or not?

Again, there may be a way to do this, but it would require writing to areas of the uefi nvram that are typically read-only. It seems that some uefi systems may have an option to expose this area as writable for certain software tools. But this would require 1) a uefi system that allows this, 2) toggling that setting to make the image writable, then 3) software designed to interact with that uefi system to write the image.

Your focus on this thread has been on that third part - but in your very first post you said the information you found indicates that your mobo brand doesn't meet the first criteria. So do you want to know if you're safe from this attack vector, or do you want to change the logo? Do you have a toggleable setting in your uefi / "BIOS" settings to make the image writable?

masenko · 2024-07-26 21:33:32

Trilby wrote:

Yes, but that 1) doesn't mean it's easy, 2) doesn't mean it can be done from software, 3) may require a chip programmer connected to the main board or relevant nvram chip. (note I say "may" here as I'm not entirely sure these limitations all exist, but they all could).

If this whole thing is so difficult to do, then logofail wouldn't be this much of an issue as it is.

Trilby wrote:

why do you say "tries"

Wrong wording, i've seen the logo replaced before.

Trilby wrote:

Again, there may be a way to do this, but it would require writing to areas of the uefi nvram that are typically read-only. It seems that some uefi systems may have an option to expose this area as writable for certain software tools. But this would require 1) a uefi system that allows this, 2) toggling that setting to make the image writable, then 3) software designed to interact with that uefi system to write the image.

Again, logofail wouldn't be as big of an issue as it is, here's the POC by the research team that found it. The video describes that they're writing to NVRAM. https://www.youtube.com/watch?v=EufeOPe6eqk

Trilby wrote:

So do you want to know if you're safe from this attack vector, or do you want to change the logo?

I want to know if i'm safe, by trying to change the image myself.

Trilby wrote:

Do you have a toggleable setting in your uefi / "BIOS" settings to make the image writable?

No

Trilby · 2024-07-26 21:56:30

masenko wrote:

If this whole thing is so difficult to do, then logofail wouldn't be this much of an issue as it is.

That's completely nonsensical. The fact that a company that specializes in firmware with highly educated programmers and engineers can demonstrate that a firmware vulnerability exists, doesn't mean it's easy to do.

So really you're asking here for forum members to help you implement an immoral and quite possibly illegal high-level computer attack. I gave you the benefit of the doubt up to this point that this wasn't really what the thread was, but it is. Such activities are not allowed on these forums.

masenko · 2024-07-28 07:55:06

Trilby wrote:

That's completely nonsensical. The fact that a company that specializes in firmware with highly educated programmers and engineers can demonstrate that a firmware vulnerability exists, doesn't mean it's easy to do.

I showed you that youtube video to demonstrate that people do think that this is a big deal. If you search up logofail, you will find many articles talking about the simplicity and danger of the attack.

Trilby wrote:

So really you're asking here for forum members to help you implement an immoral and quite possibly illegal high-level computer attack. I gave you the benefit of the doubt up to this point that this wasn't really what the thread was, but it is. Such activities are not allowed on these forums.

Why do you think that? The image that you're writing to a motherboard still has to exploit the image libraries being used by the motherboard to display the image. I'm not asking anyone here to help me write a harmful file.

Head_on_a_Stick · 2024-07-28 08:41:28

From reading https://i.blackhat.com/EU-23/Presentati … e_REV2.pdf I can see that some UEFI firmware implementations will load images from a fixed location on the ESP, the example given in the presentation was /EFI/OEM/Logo.jpg, other locations may be used by different implementations. Check your motherboard documentation for details.

Arch Linux

#1 2024-07-20 08:13:13

How do i change my boot logo like plymouth does?

#2 2024-07-20 16:22:34

Re: How do i change my boot logo like plymouth does?

#3 2024-07-22 09:15:40

Re: How do i change my boot logo like plymouth does?

#4 2024-07-22 13:15:11

Re: How do i change my boot logo like plymouth does?

#5 2024-07-22 14:18:45

Re: How do i change my boot logo like plymouth does?

#6 2024-07-23 08:14:34

Re: How do i change my boot logo like plymouth does?

#7 2024-07-23 13:12:13

Re: How do i change my boot logo like plymouth does?

#8 2024-07-24 14:21:46

Re: How do i change my boot logo like plymouth does?

#9 2024-07-25 09:51:53

Re: How do i change my boot logo like plymouth does?

#10 2024-07-25 12:24:55

Re: How do i change my boot logo like plymouth does?

#11 2024-07-26 21:33:32

Re: How do i change my boot logo like plymouth does?

#12 2024-07-26 21:56:30

Re: How do i change my boot logo like plymouth does?

#13 2024-07-28 07:55:06

Re: How do i change my boot logo like plymouth does?

#14 2024-07-28 08:41:28

Re: How do i change my boot logo like plymouth does?

Board footer