Author: dayzerosec
Loader for AMD-SP or PSP firmware binaries.
Binary Ninja loader for AMD Secure Processor (SP) / Platform Security Processor (PSP) firmware binaries. It will try to load AGESA Bootloader (ABL) and Bootloader blobs and will set up the correct load addresses.
The ABL loader will also optionally annotate syscalls using the dictionary in ./data/syscalls.json.
To install this plugin, go to Binary Ninja's plugin directory (can be found by going to Tools -> "Open Plugin Folder"), and run the following command:
git clone https://github.com/dayzerosec/AMD-SP-Loader
Note that you'll probably need to restart Binary Ninja for the plugin to load.
This loader is intended to be used with binaries extracted via PSPTool, as it will not extract firmware from UEFI or perform any decompression before loading.
Simply load an ABL* or PSP_FW_BOOTLOADER_* binary to use the loader. Your view name on the top left of the disassembly pane should have an AMD-SP prefix. If your particular firmware blob doesn't load and/or loads at an incorrect address, please file an issue.
- Currently load addresses are static; perhaps this should be reworked to determine them dynamically by parsing entrypoint instructions?
- Add loaders for other firmwares
  - SMU (xtensa)
  - Trusted OS (tOS)
  - Boot time trustlets
- Reverse and add more syscalls to the annotation dictionary
- Update args of existing syscalls
- Improve annotations to fix up syscalls in HLIL
- The loaders make some assumptions about the load address and such, so it's possible a particular binary differs and won't load properly (open an issue).
- Syscall annotations that are prefixed with an underscore (_) are unofficial/guessed.
This plugin requires the following minimum version of Binary Ninja:
- release - 3.2.3814
- https://github.com/PSPReverse
- https://doc.coreboot.org/soc/amd/psp_integration.html
- https://github.com/sameershaik/coreboot_beagle-xM/blob/main/src/vendorcode/amd/fsp/cezanne/include/bl_uapp/bl_syscall_public.h
This plugin is released under a MIT license.
- PSPReverse for previous work and awesome resources.
- Carstein (inspiration and reference for syscall annotation via Syscaller).