Thunderstrike 2 OS X Firmware Attack Self-Replicates to Peripherals - moviuro
https://threatpost.com/thunderstrike-2-os-x-firmware-attack-self-replicates-to-peripherals/114124

======
revscat
How would one go about learning these things? I have no illusions that I will
be coming up with new exploits, but I am curious about the tools that are used
to find them. How do you write code that winds up on a Thunderbolt device? How
do you read from -- let alone write to -- EFI?

~~~
Sanddancer
Lots and lots of reading of lots and lots of sometimes obscure documentation.
For writing code that ends up on a Thunderbolt device, you need to keep in
mind that other than the endpoint, Thunderbolt devices are essentially PCIe
devices. So, a device with an easily writable firmware, like certain Broadcom
chips that come with a lot of Apple hardware [1], can be easily programmed to
suit the whims of the attacker. Regarding reading and writing, there is a ton
of info that is kept on a partition on disk, actually, in the EFI system
partition [2]. Additionally, there are basic UEFI development tools out there
that let you write your own UEFI payloads [3]. Finally, take a look at
TianoCore for an open reference implementation of UEFI, as it has a lot more
ins and outs as to how to do all this [4].

[1]
[https://www.broadcom.com/collateral/pg/57785-PG105-R.pdf](https://www.broadcom.com/collateral/pg/57785-PG105-R.pdf)

[2]
[https://en.wikipedia.org/wiki/EFI_System_partition](https://en.wikipedia.org/wiki/EFI_System_partition)

[3] [https://github.com/rhinstaller/shim](https://github.com/rhinstaller/shim)

[4] [http://www.tianocore.org/](http://www.tianocore.org/)
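The answer above points at the EFI System Partition (ESP) as the place where a lot of the boot-time EFI material lives. As an added example (not code from the thread or from any of the projects it links), here is the first step of auditing that: parsing a GPT partition table, verifying its CRC32 checksums, and locating the ESP by its well-known type GUID. The disk image is constructed in memory so the script runs offline; the partition names, GUIDs and LBA ranges in it are made up. On a real Mac the same parser would be pointed at a raw image of the boot disk rather than at `build_sample_image()`.

```python
"""Locate the EFI System Partition in a GPT disk image and check the GPT
checksums.  Added example, not code from the thread; the image is built
in memory from constructed values so the script runs offline."""
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"
GPT_HEADER_FMT = "<8sIIIIQQQQ16sQIII"   # 92-byte header, little-endian
GPT_ENTRY_FMT = "<16s16sQQQ72s"          # 128-byte partition entry

# Well-known partition type GUIDs (UEFI spec / Apple).
ESP_TYPE = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")
HFSPLUS_TYPE = uuid.UUID("48465300-0000-11AA-AA11-00306543ECAC")
TYPE_NAMES = {ESP_TYPE: "EFI System Partition", HFSPLUS_TYPE: "Apple HFS+"}


def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_gpt_header(image, lba=1):
    """Parse the primary GPT header (LBA 1) and verify its own CRC32."""
    block = image[lba * SECTOR:(lba + 1) * SECTOR]
    (sig, _rev, hdr_size, hdr_crc, _res, _cur, _bak, first_usable,
     last_usable, disk_guid, entries_lba, n_entries, entry_size,
     array_crc) = struct.unpack_from(GPT_HEADER_FMT, block, 0)
    if sig != GPT_SIGNATURE:
        raise ValueError("no GPT signature at LBA %d" % lba)
    # The header CRC is computed with the CRC field itself zeroed.
    scratch = bytearray(block[:hdr_size])
    scratch[16:20] = b"\0\0\0\0"
    if crc32(bytes(scratch)) != hdr_crc:
        raise ValueError("GPT header CRC32 mismatch")
    return {"disk_guid": uuid.UUID(bytes_le=disk_guid),
            "first_usable": first_usable, "last_usable": last_usable,
            "entries_lba": entries_lba, "n_entries": n_entries,
            "entry_size": entry_size, "array_crc": array_crc}


def parse_partitions(image):
    """Return the non-empty partition entries after checking the array CRC."""
    hdr = parse_gpt_header(image)
    start = hdr["entries_lba"] * SECTOR
    array = image[start:start + hdr["n_entries"] * hdr["entry_size"]]
    if crc32(bytes(array)) != hdr["array_crc"]:
        raise ValueError("GPT partition array CRC32 mismatch")
    parts = []
    for i in range(hdr["n_entries"]):
        raw = array[i * hdr["entry_size"]:(i + 1) * hdr["entry_size"]]
        type_guid, part_guid, first, last, attrs, name = struct.unpack(
            GPT_ENTRY_FMT, raw[:128])
        if type_guid == b"\0" * 16:
            continue  # unused slot
        type_uuid = uuid.UUID(bytes_le=type_guid)  # GUIDs are mixed-endian on disk
        parts.append({"index": i,
                      "type": TYPE_NAMES.get(type_uuid, str(type_uuid)),
                      "type_guid": type_uuid,
                      "guid": uuid.UUID(bytes_le=part_guid),
                      "first_lba": first, "last_lba": last, "attrs": attrs,
                      "name": name.decode("utf-16-le").rstrip("\0")})
    return parts


def find_esp(image):
    """Every partition typed as an ESP; a normal boot disk has exactly one."""
    return [p for p in parse_partitions(image) if p["type_guid"] == ESP_TYPE]


def _entry(type_uuid, part_uuid, first, last, name):
    return struct.pack(GPT_ENTRY_FMT, type_uuid.bytes_le, part_uuid.bytes_le,
                       first, last, 0, name.encode("utf-16-le").ljust(72, b"\0"))


def build_sample_image(total_sectors=64):
    """Constructed 64-sector image: protective MBR, GPT header, 128-entry array.
    The backup GPT at the end of the disk is omitted for brevity."""
    img = bytearray(total_sectors * SECTOR)
    img[446:462] = struct.pack("<BBBBBBBBII", 0, 0, 2, 0, 0xEE,
                               0xFF, 0xFF, 0xFF, 1, 0xFFFFFFFF)  # protective MBR
    img[510:512] = b"\x55\xAA"
    n_entries, entry_size, entries_lba = 128, 128, 2      # array fills LBA 2..33
    array = bytearray(n_entries * entry_size)
    array[0:128] = _entry(ESP_TYPE, uuid.UUID(int=1), 34, 39, "EFI")
    array[128:256] = _entry(HFSPLUS_TYPE, uuid.UUID(int=2), 40, 63, "Macintosh HD")
    img[entries_lba * SECTOR:entries_lba * SECTOR + len(array)] = array
    disk_guid = uuid.UUID(int=0xABCD).bytes_le

    def header(hdr_crc):
        return struct.pack(GPT_HEADER_FMT, GPT_SIGNATURE, 0x00010000, 92, hdr_crc, 0,
                           1, total_sectors - 1, 34, 63, disk_guid,
                           entries_lba, n_entries, entry_size, crc32(bytes(array)))

    img[SECTOR:SECTOR + 92] = header(crc32(header(0)))   # fill CRC in second pass
    return bytes(img)


if __name__ == "__main__":
    for p in parse_partitions(build_sample_image()):
        print("%2d %-22s LBA %d-%d  %s" % (p["index"], p["type"],
                                           p["first_lba"], p["last_lba"], p["name"]))
```

Finding the ESP is only the first step: the next is mounting that LBA range and inventorying the `.efi` binaries on it against a known-good list, which is outside the scope of this snippet. The CRC checks matter because a modified partition array that does not update the checksum is exactly the kind of inconsistency an audit should surface rather than silently parse past.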

