Hi Philipp,
On 05.08.2017 21:58, Philipp Stanner wrote:
Do we have any idea what exactly they do to update the firmware internally?
Well, I don't. Though, the flash chip is usually only partially protected (something like the upper 128KiB?). They probably only update the unprotected part or put an UEFI capsule (or something similar) into another part of the chip and update the protected part from within the firmware on the next boot.
The wiki says once coreboot is flashed you can flash it internally. I suppose this means the blockade protecting the flash can be switched off somehow, as the vendors have to do it to install firmware updates.
The uppermost part of the chip is protected by a Protected Range Register (PRR). These PRRs are reset on each reboot. So the only chance to write to the protected region is during early boot before the firmware writes the PRR.
In case they do support updates to the protected region at all, it's likely that the code therein writes the PRR. So it's the update mechanism in the firmware that could be attacked (maybe it's just a checksum, who knows?). You probably can't flash a whole coreboot image this way, but if you can make it write a modified firmware that doesn't set the PRR (or locks it to all zero early), you'd have won.
But first things first, we'd have to find out when the PRR is written and whether the protected region is updatable.
Nico
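An added example to go with the PRR discussion above (this is not code from the thread or from the coreboot project): a small decoder for Intel PCH SPI Protected Range register values that answers Nico's first question in practice, namely whether the uppermost part of the chip is actually write-protected once the firmware has programmed the PRRs. The register layout assumed here is the common PCH one (bit 31 write-protect enable, bits 30:16 limit and bits 14:0 base, both in 4 KiB units, bit 15 read-protect enable); older ICH chipsets use narrower 13-bit fields, so check the datasheet for your platform. The raw register values would normally come from a tool such as chipsec or flashrom; the ones used below are constructed, as is the 8 MiB chip size.

```python
"""Decode Intel PCH SPI Protected Range registers (PR0..PR4) and check that
the top of the flash chip is write-protected.

Assumed register layout (common PCH SPI controller format; ICH differs):
  bit 31     WPE  - write protection enable
  bits 30:16 PRL  - protected range limit, in 4 KiB units (inclusive)
  bit 15     RPE  - read protection enable
  bits 14:0  PRB  - protected range base, in 4 KiB units
"""

FLASH_SIZE = 8 * 1024 * 1024   # constructed: an 8 MiB SPI chip
TOP_REGION = 128 * 1024        # the "upper 128 KiB" mentioned in the thread


def decode_pr(value):
    """Return (write_protected, read_protected, base, limit) for one PRx value.

    base and limit are byte addresses; limit is inclusive and covers the
    whole last 4 KiB page.
    """
    wpe = bool((value >> 31) & 1)
    rpe = bool((value >> 15) & 1)
    prb = value & 0x7FFF
    prl = (value >> 16) & 0x7FFF
    return wpe, rpe, prb << 12, (prl << 12) | 0xFFF


def protected_ranges(pr_values):
    """All write-protected (base, limit) byte ranges from a list of PRx values.

    A register with WPE clear, or with base above limit, protects nothing;
    an all-zero register (the reset state Nico describes) falls into that case.
    """
    ranges = []
    for v in pr_values:
        wpe, _, base, limit = decode_pr(v)
        if wpe and base <= limit:
            ranges.append((base, limit))
    return ranges


def covers(ranges, start, end):
    """True if every byte in [start, end] lies inside some range.

    Protection may be split across several PRx registers, so adjacent or
    overlapping ranges are merged before walking the requested interval.
    """
    merged = []
    for b, l in sorted(ranges):
        if merged and b <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], l))
        else:
            merged.append((b, l))
    pos = start
    for b, l in merged:
        if b > pos:          # a hole before this range: not fully covered
            break
        if l >= pos:
            pos = l + 1
            if pos > end:
                return True
    return pos > end


def top_region_protected(pr_values, flash_size=FLASH_SIZE, top=TOP_REGION):
    """Is the uppermost `top` bytes of a `flash_size` chip write-protected?"""
    return covers(protected_ranges(pr_values), flash_size - top, flash_size - 1)


def make_pr(base, limit, wpe=True, rpe=False):
    """Encode a PRx value from byte addresses (used to build constructed data)."""
    v = (base >> 12) & 0x7FFF
    v |= ((limit >> 12) & 0x7FFF) << 16
    if wpe:
        v |= 1 << 31
    if rpe:
        v |= 1 << 15
    return v


if __name__ == "__main__":
    # Constructed register dumps: one that protects the top 128 KiB and the
    # reset state where nothing is protected yet.
    for name, regs in [("locked", [0x87FF07E0, 0, 0, 0, 0]),
                       ("reset state", [0, 0, 0, 0, 0])]:
        for r in regs:
            wpe, rpe, base, limit = decode_pr(r)
            if wpe or rpe:
                print(f"{name}: PR=0x{r:08X} wp={wpe} rp={rpe} "
                      f"range=0x{base:06X}-0x{limit:06X}")
        print(f"{name}: top {TOP_REGION // 1024} KiB protected:",
              top_region_protected(regs))
```

A register dump that leaves the top region uncovered, or a PRx that is still zero after the firmware has finished booting, is exactly the window the thread is concerned about; the decoder makes that visible without having to reason about the bit fields by hand.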