Finding Undocumented Intel Atom MSRs in the Viliv S5 Through BIOS Reverse Engineering (Part 2: Doing this using GHIDRA)

On an old blog of mine, from before I learned formatting, I made a post about searching for model-specific registers (MSRs) in the Viliv S5. For those not familiar, the only relevant information is that it’s a UMPC with an Intel Atom IA-32 Z515 processor. I dumped its BIOS using flashrom; I won’t be going over that process again, but I have linked the blog post in the sources, and it contains a link to a copy of that ROM.

Back then I used Radare2 to analyze the binary. I wanted to celebrate the release of GHIDRA by replicating this analysis using the new tool suite!

I already have it installed, but I’ve linked the installation guide in the sources. I’m going to go ahead and jump right in!

GHIDRA works a bit differently than IDA Pro or Radare2. Instead of starting by loading a file, you’re required to create a new project.

You’ll need an existing project directory, as I do not think it is capable of creating directories. Fortunately I created one for this project.

Now I can import the bios.rom file. Since it’s not a PE, I’ll need to select the architecture and the compiler specification myself. GHIDRA shows decompiled C side by side with the disassembly, so this decision does matter.

I’m selecting x86 GCC for convenience, because I have no idea what this was actually compiled with; GCC seems like a reasonable guess.

So I select “OK” to import the file, and what happened next kind of worried me: GHIDRA shouldn’t be communicating with the internet in any way.

Hmmmm… The source code isn’t open yet, so I’m a bit worried, especially since I downloaded this from the NSA’s website. I’m going to have to check this out later. Anyway, for now it’s on with the analysis!

Edit: This is a known issue, not deliberate, the NSA left a web port open by accident. From what I’ve heard it will be fixed in later releases.

The little dragon opens the disassembler/decompiler.

Once I’m in this view, it lets me load the file from the project using “Open Program” in the “File” menu.

Now it gives me the choice to analyze the binary.

I’m going to go ahead and do that, selecting all of the default options.

The analysis is resource intensive and will likely take a bit, so I’ll come back to it when it’s done.

Unlike Radare2, it found zero functions, which is a bit of a disadvantage in that regard. I don’t think IDA Pro found any functions when analyzing this same binary either, so it’s not a huge downside.

I’m just going to run the strategy I tried last time: searching for all wrmsr and rdmsr instructions. I could search for the opcodes 0F30 and 0F32 directly, but I want to test whether it recognizes these instructions first, so I’m going to do a text search.

It didn’t find any, even though I know for a fact this particular program is lousy with wrmsr and rdmsr calls. IDA Pro had this same issue in its text search. Luckily GHIDRA has a binary (byte sequence) search option.

I’m trying wrmsr (0F30) first; I’ll do rdmsr (0F32) next.

Hey! It found some! Unfortunately it was unable to disassemble any of the code around the hits. I couldn’t get this fixed no matter what I tried, so I’m giving up on this one for now. I know, however, that this program can analyze SH3 binaries, and I have Windows CE PEs that it might work better with, so I’ll give it a go on those in the next article I publish. Until then!

Update: GHIDRA seems to have trouble finding WRMSR and RDMSR calls, even in PEs. So far the most reliable tool for that purpose is still Radare2.
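Since GHIDRA would not disassemble around the hits, the same opcode search can be done outside the tool. The script below is an added example, not code from the original post: it scans a raw ROM image for the 0F 30 / 0F 32 byte pairs and, for each hit, looks back a few bytes for a `mov ecx, imm32` (B9 imm32) to recover the MSR index, since RDMSR/WRMSR take the MSR number in ECX. The bytes in `SAMPLE_ROM` are a constructed fragment rather than the Viliv S5 image, and `find_msr_accesses` is a name I chose.

```python
import struct

# Opcode bytes of the two MSR instructions; identical in 16-, 32- and 64-bit code.
WRMSR = b"\x0f\x30"
RDMSR = b"\x0f\x32"
MOV_ECX_IMM32 = 0xB9  # B9 imm32 = MOV ECX, imm32 (66 B9 imm32 in real-mode BIOS code)


def find_msr_accesses(blob, lookback=16):
    """Return [(offset, mnemonic, msr_index_or_None)] for each 0F 30 / 0F 32
    pair in blob. The index is recovered when a MOV ECX, imm32 sits within
    `lookback` bytes before the hit (heuristic: the B9 byte could also be
    data or an immediate of another instruction, so verify hits by hand)."""
    hits = []
    for off in range(len(blob) - 1):
        pair = blob[off:off + 2]
        if pair == WRMSR:
            mnem = "wrmsr"
        elif pair == RDMSR:
            mnem = "rdmsr"
        else:
            continue
        hits.append((off, mnem, _msr_index_before(blob, off, lookback)))
    return hits


def _msr_index_before(blob, off, lookback):
    # Walk backwards from the hit; the nearest B9 whose imm32 fits before
    # `off` is taken as the MOV ECX that loaded the MSR number.
    start = max(0, off - lookback)
    for pos in range(off - 5, start - 1, -1):
        if blob[pos] == MOV_ECX_IMM32:
            return struct.unpack_from("<I", blob, pos + 1)[0]
    return None


# Constructed ROM fragment (not the real BIOS): read-modify-write of one MSR,
# then a real-mode-encoded load of a second MSR index followed by rdmsr.
SAMPLE_ROM = bytes.fromhex(
    "b917010000"    # mov ecx, 0x117        (constructed MSR index)
    "0f32"          # rdmsr
    "0d01000000"    # or  eax, 1
    "0f30"          # wrmsr                 (ECX unchanged, so still 0x117)
    "9090"          # nop; nop
    "66b934120000"  # mov ecx, 0x1234       (operand-size prefix, 16-bit code)
    "0f32"          # rdmsr
)

if __name__ == "__main__":
    for off, mnem, idx in find_msr_accesses(SAMPLE_ROM):
        shown = "unknown" if idx is None else f"0x{idx:x}"
        print(f"{off:#08x}: {mnem:<5} msr={shown}")
```

To use it on the real dump, replace `SAMPLE_ROM` with `open("bios.rom", "rb").read()`; hits whose index comes back as `None`, or that land inside padding or data, are the ones to inspect manually.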

Sources:

Enjoys edev, cyber forensics, hardware hacking, and RE, former CACI BIT Systems intern, GREM, Security+