2

Does anyone know how to dump the VGA firmware? I have tried here but it doesn't work. Does anyone know how I can dump the VGA BIOS, or can you try whether the command at the link works for you?

Thanks so much.

Lews
  • That is the correct series of commands (assuming the correct PCI address). The problem is probably UEFI, if you boot UEFI with CSM it should work. – rfmodulator Oct 11 '20 at 01:17
  • OK I'll try..... – Lews Oct 11 '20 at 01:37
  • @rfmodulator doesn't work. It gives me the following error: `cat /sys/devices/pci0000:00/0000:00:02.0/rom > vbios.dump` `cat: '/sys/devices/pci0000:00/0000:00:02.0/rom': Input/output error` in the log: `kernel: i915 0000:00:02.0: Invalid PCI ROM header signature: expecting 0xaa55, got 0xffff` I rebooted and I changed the boot parameter in the BIOS from "legacy and uefi" to "only uefi" and I have enabled CSM – Lews Oct 11 '20 at 01:48
  • @rfmodulator pastebin ---> https://pastebin.com/xDKBS2ud – Lews Oct 11 '20 at 01:55
  • What is the output of `lsmod | grep i915`? – rfmodulator Oct 11 '20 at 02:02
  • @rfmodulator [pastebin](https://0bin.net/paste/DFUSAdsm#W9D4hAFdUCbLp5QhQzlLpikmYVoiCco5zMQe7OYIGdu) – Lews Oct 11 '20 at 02:06
  • Shutdown. Unplug all monitors. Plug a single monitor into the motherboard. Reboot with "legacy and uefi". – rfmodulator Oct 11 '20 at 02:11
  • @rfmodulator it's a laptop, and I have only its own monitor.. – Lews Oct 11 '20 at 02:13
  • Oh... okay, do you have a discrete GPU? Do you have a BIOS option to disable the discrete GPU? I believe the i915 must be the primary video card to get at the ROM. – rfmodulator Oct 11 '20 at 02:17
  • I'm not sure I know what a discrete GPU is, but I think no. It's an integrated GPU. It's an Intel [HD graphics 5500](https://laptoping.com/gpus/product/intel-hd-5500-graphics-reviews-and-specs/). I gathered some info and pasted it [here](https://0bin.net/paste/1xtJ6TqZ#F5sRRH-aFb5Cb3zOuS3lHdvFZ0wDVJURoNOcWiMSKbV) – Lews Oct 11 '20 at 02:29
  • A discrete GPU is a second, "stand alone" video card. `lspci | grep VGA` if the HD 5500 is the only output, then you don't have a dGPU. So I have to ask, what is your end goal? – rfmodulator Oct 11 '20 at 02:35
  • I am absolutely sure I have spyware, it seems to be format resistant. I have dumped the BIOS and checked it with chipsec and it looks OK. Now I discovered that in the past some guys have created a [vga rootkit](https://www.coresecurity.com/sites/default/files/private-files/publications/2016/05/corelabs-ekoparty-2012-VGA_Persistent_Rootkit.pdf), so I want to try to dump the VGA firmware to compare it with a good one. When I bought this laptop a few months ago I installed OpenBSD, after that I connected it to my wifi and it crashed 3 times in 2 hours. After that crash it hasn't crashed again. – Lews Oct 11 '20 at 02:45
  • That's a neat presentation... Unfortunately I won't be able to help you with the video ROM... UEFI+Legacy, and the card as primary (only) should allow root to pull the ROM. You can search the "Invalid PCI ROM header" error. If network issues on OpenBSD, 3 times a month ago, is your only indicator of spyware, I think you're going to be okay. If you're *really* concerned, run Wireshark on your network, or investigate your router traffic... and put a piece of tape over your webcam. Good luck! – rfmodulator Oct 11 '20 at 03:02
  • OK thank you, now my only interest is to dump the VGA ROM. Anyway thank you for your help. – Lews Oct 11 '20 at 03:07

3 Answers

1
```
root@gonzo:/home/jasen# dd if=/dev/mem bs=64k skip=12 count=1 | strings | head
1+0 records in
1+0 records out
65536 bytes (66 kB, 64 KiB) copied, 8.9787e-05 s, 730 MB/s
K7400
VIDEO 
IBM VGA Compatible
P10/24/11
DPMIDl
3GV-N560OC-1GI/F32
Version 70.24.21.00.02 
Copyright (C) 1996-2011 NVIDIA Corp.
GF104B Board - 10400050
```

looks like a VGA ROM to me.

Jasen
  • Does it work on EFI? – Oskar Skog Oct 11 '20 at 08:38
  • This will only work if the VGA ROM is mapped into this particular location. Which may be the case on your system, but not the case on Lews's system (otherwise he probably would already have seen it via `/sys/device/.../rom`). – dirkt Oct 11 '20 at 10:03
1

This is a great topic. Here is my way to get the vbios.rom under Kubuntu 20.04 LTS:

At first, I was unsure where I had to look for the rom file; fortunately there exists a command which finds and displays any rom file:

```
clemens@iMac-4:~$ find /sys/devices -name rom
```

This shows me then two files:

```
/sys/devices/pci0000:00/0000:00:1c.0/0000:02:00.0/rom
/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/rom
```

But which is the right one? Also for this, there exists a nice command:

```
clemens@iMac-4:~$ lspci | grep 02:00.0
02:00.0 Ethernet controller: Marvell Technology Group Ltd. 88E8053 PCI-E Gigabit Ethernet Controller (rev 22)
```

That was the wrong one, this seems to be the ROM of the Marvell network card. Another try...

```
clemens@iMac-4:~$ lspci | grep 01:00.0
01:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] RV530/M56-P [Mobility Radeon X1600]
```

Here we are! That's the video bios of the AMD/ATI Mobility Radeon X1600 GPU card!

So I executed the other two commands but with a somewhat more logical syntax, first:

```
clemens@iMac-4:~$ echo 1 | sudo tee /sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/rom
1
```

That one just showed me a "1", nice. But the second one then finally gives me the vbios.rom file, which landed directly in my user folder:

```
sudo cat /sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/rom > vbios.rom
```

Final note: I will also try this out under Mac OS. Maybe this works there too. Update: This doesn't work on Mac OS because Mac OS doesn't support the sysfs functionality.

Source:

reddit - dump vga bios

Colin Ian King - Using the PCI sysfs interface to dump the Video BIOS ROM

Clemens
  • `cat /sys/devices/pci0000:00/0000:00:02.0/rom >> vbios.rom` `cat: '/sys/devices/pci0000:00/0000:00:02.0/rom': Input/output error` – Lews Oct 01 '21 at 20:14
  • Unfortunately it does not work on Ubuntu – Lews Oct 01 '21 at 20:14
  • Which kernel version do you have? I am on **5.11.0-37-generic**. And it makes a difference if Linux is booted through native EFI or legacy CSM BIOS emulation. On the corresponding machine, I booted through CSM and the dumping of the vBIOS worked fine. However, when I boot Linux through native EFI, I also get the "Input/output error" and in dmesg there is noted "invalid pci rom header signature expecting 0xaa55, got 0xa3a3". Maybe it helps if you start Ubuntu directly from EFI, I mean a "bare Linux kernel booting" through the EFISTUB feature. The kernel will then be even "closer" to the hardware. – Clemens Oct 03 '21 at 09:26
0

If you issue the command to find your ROMs:

```
find /sys/devices -name rom
```

The result will be similar to this:

```
/sys/devices/pci0000:64/0000:64:00.0/0000:65:00.0/0000:66:08.0/0000:67:00.0/0000:68:00.0/0000:69:00.0/rom
/sys/devices/pci0000:64/0000:64:00.0/0000:65:00.0/0000:66:10.0/0000:6a:00.0/0000:6b:00.0/0000:6c:00.0/rom
/sys/devices/pci0000:16/0000:16:00.0/0000:17:00.0/0000:18:08.0/0000:19:00.0/0000:1a:10.0/0000:22:00.0/0000:23:00.0/0000:24:00.0/rom
/sys/devices/pci0000:16/0000:16:00.0/0000:17:00.0/0000:18:08.0/0000:19:00.0/0000:1a:04.0/0000:1b:00.0/rom
```

Let's say you want to copy the ROM from location 0000:24:00.0:

```
# Become root; everything below runs in the root shell
sudo su
# Manually set the memory enable bit with setpci
setpci -s 0000:24:00.0 COMMAND=2:2
export PATH_TO_ROM=/sys/devices/pci0000:16/0000:16:00.0/0000:17:00.0/0000:18:08.0/0000:19:00.0/0000:1a:10.0/0000:22:00.0/0000:23:00.0/0000:24:00.0/rom
# Writing 1 makes the ROM readable through sysfs
echo 1 > "$PATH_TO_ROM"
mkdir -p /var/lib/libvirt/vbios/
cat "$PATH_TO_ROM" > /var/lib/libvirt/vbios/gpu.rom
# Writing 0 disables ROM reads again
echo 0 > "$PATH_TO_ROM"
# Clear the memory enable bit with setpci
setpci -s 0000:24:00.0 COMMAND=0:2
exit
```
AdminBee
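
The answers above stop once a file has been written. As an added example (not code from any of the posters), this Python sketch checks that a dump is a well-formed PCI expansion ROM before it is compared with a reference: it applies the same 0xaa55 signature test the kernel log mentions, walks the PCIR data structure of each image, and returns a SHA-256 per image for comparison against a known-good dump. The function names and the sample image built by `build_sample_rom` are constructed for illustration.

```python
import hashlib
import struct
import sys

CODE_TYPES = {0: "x86 legacy BIOS", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}

def parse_option_rom(data):
    """Walk the image chain of a PCI expansion ROM dump; one dict per image."""
    images, off = [], 0
    while off + 0x1A <= len(data):
        sig, = struct.unpack_from("<H", data, off)
        if sig != 0xAA55:  # same check the kernel reports in dmesg
            raise ValueError(f"image at {off:#x}: expecting 0xaa55, got {sig:#06x}")
        pcir = off + struct.unpack_from("<H", data, off + 0x18)[0]
        if data[pcir:pcir + 4] != b"PCIR" or pcir + 0x16 > len(data):
            raise ValueError(f"image at {off:#x}: no PCIR data structure")
        vendor, device = struct.unpack_from("<HH", data, pcir + 0x04)
        blocks, = struct.unpack_from("<H", data, pcir + 0x10)  # 512-byte units
        code_type, indicator = struct.unpack_from("<BB", data, pcir + 0x14)
        length = blocks * 512
        if length == 0 or off + length > len(data):
            raise ValueError(f"image at {off:#x}: bad image length {length}")
        body = data[off:off + length]
        images.append({
            "offset": off, "length": length, "vendor": vendor, "device": device,
            "type": CODE_TYPES.get(code_type, f"unknown ({code_type})"),
            "checksum_ok": sum(body) % 256 == 0,  # meaningful for legacy images
            "sha256": hashlib.sha256(body).hexdigest(),
        })
        if indicator & 0x80:  # bit 7 set: last image in the ROM
            break
        off += length
    return images

def build_sample_rom(vendor=0x1234, device=0x5678, blocks=2):
    """Constructed image (not a real VBIOS): header, PCIR, zero padding, checksum."""
    rom = bytearray(blocks * 512)
    struct.pack_into("<H", rom, 0, 0xAA55)
    rom[2] = blocks
    struct.pack_into("<H", rom, 0x18, 0x40)  # pointer to PCIR
    struct.pack_into("<4sHHHHB3sHHBB", rom, 0x40, b"PCIR", vendor, device,
                     0, 0x18, 0, b"\x00\x00\x03", blocks, 1, 0, 0x80)
    rom[-1] = -sum(rom) % 256  # make all bytes sum to 0 mod 256
    return bytes(rom)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_rom()
    for img in parse_option_rom(data):
        print(f"{img['offset']:#x} {img['vendor']:04x}:{img['device']:04x} "
              f"{img['type']} checksum_ok={img['checksum_ok']} {img['sha256']}")
```

Run it with the dump's path as the only argument; the vendor:device pair it prints should match `lspci -nn` for the card, and a hash is only meaningful against a reference image of the same firmware version.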