AMD-SP-Loader

Binja loader for AMD-SP or PSP firmware binaries.

Primary language: Python. License: MIT.

AMD-SP/PSP Loader

Author: dayzerosec

Loader for AMD-SP or PSP firmware binaries.

Description

Binary Ninja loader for AMD Secure Processor (SP) / Platform Security Processor (PSP) firmware binaries. It will try to load AGESA Bootloader (ABL) and Bootloader blobs and will set up the correct load addresses.

The ABL loader will also optionally annotate syscalls using the dictionary in ./data/syscalls.json.

Installation

To install this plugin, go to Binary Ninja's plugin directory (can be found by going to Tools -> "Open Plugin Folder"), and run the following command:

git clone https://github.com/dayzerosec/AMD-SP-Loader

Note you'll probably need to restart Binary Ninja for the plugin to load.

Usage

This loader is intended to be used with binaries extracted via PSPTool, as this loader will not extract firmware from UEFI or perform any decompression before loading.

Simply load an ABL* or PSP_FW_BOOTLOADER_* binary to use the loader. Your view name on the top left of the disassembly pane should have an AMD-SP prefix. If your particular firmware blob doesn't load and/or loads at an incorrect address, please file an issue.

Future Work / Places for Contribution

  • Currently load addresses are static; perhaps this should be reworked to determine them dynamically by parsing entrypoint instructions?
  • Add loaders for other firmwares
    • SMU (xtensa)
    • Trusted OS (tOS)
    • Boot time trustlets
  • Reverse and add more syscalls to the annotation dictionary
    • Update args of existing syscalls
  • Improve annotations to fix-up syscalls in HLIL

Notes

  • The loaders make some assumptions about the load address and similar details, so it's possible that a particular binary differs and won't load properly (open an issue).
  • Syscall annotations that are prefixed with a _ are unofficial/guessed.
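
To illustrate the syscall annotation mentioned in the Description and the _ prefix convention in the Notes, here is an added example (not code from this plugin) that scans a blob for SVC instructions and labels each one from a dictionary. It assumes 32-bit little-endian ARM (A32) code with the syscall number in the SVC immediate; the dictionary layout, syscall names, sample bytes and base address are all constructed and do not reflect the real ./data/syscalls.json.

```python
import json
import struct

# Constructed dictionary. The layout (decimal SVC number -> name) is an
# assumption, not the schema of the plugin's ./data/syscalls.json.
SAMPLE_TABLE = json.loads(
    '{"0": "example_exit", "3": "example_map_region", "65": "_example_guess"}'
)

# Constructed A32 words, little-endian. Not taken from any real firmware.
SAMPLE_BLOB = struct.pack(
    "<6I",
    0xE3A00000,  # mov r0, #0
    0xEF000003,  # svc #3     -> in the table
    0xEF000041,  # svc #0x41  -> in the table with a "_" (guessed) name
    0xEF00007F,  # svc #0x7f  -> not in the table
    0xFF000001,  # cond=1111: same low bits as SVC, but not an SVC
    0xE12FFF1E,  # bx lr
)

COND_UNCONDITIONAL_SPACE = 0xF  # cond=1111 encodings are not SVC


def find_svcs(blob, base=0):
    """Yield (address, svc_number) for each A32 SVC in a little-endian blob."""
    for off in range(0, len(blob) - 3, 4):
        (insn,) = struct.unpack_from("<I", blob, off)
        is_svc = (insn & 0x0F000000) == 0x0F000000  # bits 27..24 == 1111
        if is_svc and (insn >> 28) != COND_UNCONDITIONAL_SPACE:
            yield base + off, insn & 0x00FFFFFF  # imm24 carries the number


def annotate(blob, table, base=0):
    """Return (address, number, label, confidence) for each SVC found."""
    rows = []
    for addr, num in find_svcs(blob, base):
        name = table.get(str(num))
        if name is None:
            rows.append((addr, num, f"svc_{num:#x}", "unknown"))
        elif name.startswith("_"):
            rows.append((addr, num, name, "guessed"))  # unofficial name
        else:
            rows.append((addr, num, name, "known"))
    return rows


if __name__ == "__main__":
    # 0x1000 is a constructed base address, not a real load address.
    for addr, num, label, confidence in annotate(SAMPLE_BLOB, SAMPLE_TABLE, 0x1000):
        print(f"{addr:#010x}  svc {num:#x}  {label}  [{confidence}]")
```

A linear word scan like this also matches data words and misreads Thumb code, so treat hits outside known code regions as candidates rather than confirmed syscalls.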

Minimum Version

This plugin requires the following minimum version of Binary Ninja:

  • release - 3.2.3814

Resources

License

This plugin is released under an MIT license.

Thanks

  • PSPReverse for previous work and awesome resources.
  • Carstein for inspiration and reference for syscall annotation via Syscaller.