Hacker News new | ask | show | jobs
by heinrichhartman 2272 days ago
Does anyone know how to circumvent UEFI?

When the CPU starts, it will start reading instructions from a hard-coded address on the memory bus / EPROM somewhere, right? How can I directly control these bytes?

I don't want some proprietary firmware sit between me and the CPU.

If it's not possible on hardware because "secure boot", or whatever, this should at least be possible in emulators like QEMU.

Does anyone know how to do that? ... or clear up my misconceptions? :)
9 comments
pjc50 2272 days ago
In QEMU it's dead simple, you have control of everything; I believe that it boots into https://github.com/qemu/qemu/tree/master/pc-bios

A physical machine will still, despite everything, start executing at FFFF:0000 in "real mode", and the code run there will be found in a physical EEPROM. Some of these are socketed (although this is less common these days). So you can get in there and fiddle with the pre-boot code.

See https://www.drdobbs.com/parallel/booting-an-intel-architectu...

There is no way round the Management Engine, a source of distress to some. Oh, and you won't have any DRAM until you've run the DRAM training and turned that on, the early BIOS gets to use the cache as a scratchpad instead. See https://blog.asset-intertech.com/test_data_out/2014/11/memor...

If you like bare metal work with decent processing power ARM is probably the place to start.

link
yjftsjthsd-h 2272 days ago
> In QEMU it's dead simple, you have control of everything; I believe that it boots into https://github.com/qemu/qemu/tree/master/pc-bios

Manpage currently claims, "QEMU uses the PC BIOS from the Seabios project and the Plex86/Bochs LGPL VGA BIOS." But it also looks like that's as easy to replace as passing `-bios` to qemu-system-

link
heinrichhartman 2272 days ago
That looks exactly what I was looking for. Thanks!
link
saagarjha 2272 days ago
Doesn't every ARM machine have its own initialization sequence?
link
XMPPwocky 2272 days ago
Yes, but if you can find a chip with public documentation, it's a well-defined initialization sequence.

I learned assembly on TI's AM335x "Sitara" series and it was great, mostly because of the BeagleBone- it has onboard JTAG-over-USB, meaning you can single-step your way through your bare-metal code, set breakpoints, etc.

link
Gibbon1 2272 days ago
Unsure about the high end ARM machines. But an ARM Cortex boot consists of loading the program counter and stack pointer from ROM and go.
link
pjc50 2272 days ago
Yes, that gets the CPU running - but for practical work you usually need to do some board-specific setup like configuring clocks and turning on the DRAM.
link
Gibbon1 2272 days ago
For an Cortex M0 the clocks default to something sane. And RAM is static. One of my projects the reset vector is just the address of init function written in C. That does nothing more than copy the data section from flash to ram and call _start()

There is a bunch of peripheral set up but it can be done from C.

link
monocasa 2272 days ago
They're all cortex cores these days, you mean the Cortex-M series.
link
kryptiskt 2272 days ago
Below UEFI is the BIOS, or the firmware formerly known as the BIOS. There is a project to make an open source firmware for PCs: https://www.coreboot.org. It works on a selection of newish motherboards.

You can't really start completely from scratch in an understandable way on Intel platforms, and it's iffy on ARM. Because setting up the DRAM requires some insane magic, where it doesn't really help if you can see the source.

link
izacus 2272 days ago
> Below UEFI is the BIOS, or the firmware formerly known as the BIOS. There is a project to make an open source firmware for PCs: https://www.coreboot.org. It works on a selection of newish motherboards.

This simply isn't true - while UEFI firmwares do offer BIOS emulation, there's no "BIOS" underneath them on most modern boards.

link
XMPPwocky 2272 days ago
They might mean the "meta-bootloader" which brings up all those UEFI capsules- afaik Intel's boot ROM doesn't, for example, parse PE headers.
link
wolfgke 2272 days ago
> Below UEFI is the BIOS, or the firmware formerly known as the BIOS.

Source?

As far as I am aware, UEFI is a replacement for BIOS.

link
Rusky 2272 days ago
I believe they're using BIOS in a more general sense. You're right that UEFI replaces the old BIOS APIs that bootloaders used, but there's still firmware (e.g. coreboot) below or part of its newer APIs.
link
duskwuff 2272 days ago
> I don't want some proprietary firmware sit between me and the CPU.

No, you do.

A significant part of what that firmware does is initializing low-level hardware, like the system's memory controller. Replicating that is probably well beyond your abilities.

link
Taniwha 2272 days ago
Seriously, it's not just a matter of poking a few registers - it involves doing a bunch of statistical measurements of memory errors to pick the correct thresholds on the data bus
link
duskwuff 2272 days ago
And it's rather hardware-specific. Even if you have a solution which works for your CPU / motherboard / RAM, changing any of those components is quite likely to make it stop working. (And lord help you if you want it to work across CPU manufacturers...)
link
some_random 2272 days ago
I mean, ideally it would be open-source and verifiable. But damn there's no way you're going to hackernews it in a weekend
link
guerby 2272 days ago
This RISC-V board has about zero closed source code in its boot sequence:

https://www.sifive.com/blog/an-open-source-release-of-the-fr...

link
stefan_ 2272 days ago
That is not really a thing anymore, most processors now have burned-in ROM from the vendor that they boot into first.

If you really want to understand and control a processor when it boots from nothing, you should look into a FPGA RISC-V development board.

link
korethr 2271 days ago
Go check out the Coreboot project. They're about as low-level and bare metal as you can get, because Coreboot is not running on the board firmware, it is the board firmware. And as an open source project, they document all the various things they have to do in order to initialize all the hardware on a board and have it ready to be used.

You are generally correct in your assumption: that once the CPU comes out of reset, it will reach for a particular memory address to begin execution. Some will directly begin execution from a fixed address. A sibling pjc50 comment mentions, on x86, the CPU will be in 16-bit real-mode and begin fetching instructions from FFFF:0000. Other architectures, work slightly differently. Motorola 68k fetch the first 4 bytes from 0x00000000, loads them into the program counter register, and then jumps there to begin execution.

As you saw, the child of a pjc50's comment explains how to pass your code directly to the beginning of the CPU's execution in QEMU. If you want to do this with actual metal, various classic chips of yore (z80, 6502, 68k, etc) and their documentation are relatively easy to get. A nice thing about those older CPUs, is that their memory interfaces are rather simple compared to today. You can wire up a very basic system with the CPU, an EPROM, an SRAM chip, and maybe a couple other chips as glue logic, all on a basic breadboard. And then you really can control those first bytes of executed code, on actual metal.

link
mkup 2272 days ago
Hardware initialization after power-up is HARD, here a high-level overview: https://depletionmode.com/uefi-boot.html
link
Wowfunhappy 2272 days ago
I really hate to be the downer here, but have you heard of Intel's Management Engine? :(
link
Koshkin 2272 days ago
Well that one runs on a separate (albeit embedded) CPU.
link
ngneer 2272 days ago
Great question. Things have gotten ridiculously complex. You might look into https://wiki.osdev.org/UEFI
link