13

(aka) Is it possible to hack CPUID instruction or BIOS to make it show wrong CPU information?

Yesterday, I was having a chat with computer sales guy. He is little close to me. During the conversation he said that, A processor is not what it shows in bios. On inquiring further he said that they know a guy who can make a processor look like another. I didn't believe him. Then he said that for past few months they've been selling computers with Celeron processors by posing them as duo core. I was shocked! I started arguing with him about how its not possible. He simply gave a smile.

I've been racking my brain since then on how on the earth is it possible:

  1. He might be lying to me, I mean what ever he said is a lie. But I don't see any point on why he would do that.
  2. They are actually hacking the bios to show wrong information?
  3. They are hacking CPUID processor instruction to make it return wrong values. I think its impossible.
nealmcb
  • 20,544
  • 6
  • 69
  • 116
claws
  • 2,145
  • 5
  • 19
  • 22

4 Answers4

13

"Celeron" is a brand name which Intel has applied to dozens of distinct processor designs. In particular, a number of dual core processors have been sold under the name "Celeron" (which, in Intel-speak, means "cheaper and reduced", but not necessarily "mono-core"). So your sales guy may have sold many Celeron "posing" as dual core processors because they are dual core processors, so such posing is trivial.

That being said, if the sales guy just admits having swindled dozens of customers, then how what he says can really be considered as trustworthy ?

On a theoretical point of view, since the BIOS is the first thing which runs in the machine, there is little that can be done to fool it about the processor (unless adding an extra hardware piece between the processor and the motherboard, which looks very expensive and thus useless if the goal is to sell overpriced Celeron). More realistically, the BIOS itself could be altered: it is stored in Flash, not ROM, hence it can be changed with a software-only one-time operation. BIOS hacking is not especially difficult (it requires a bit of reverse-engineering, but there is nothing really protected there). A hacked BIOS could report a distinct processor from what is really installed.

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • 1
    Especially with the more modern BIOS's - they are bigger, more fully featured, and present an increasing risk. BIOS trojans could be not far off. – Rory Alsop Apr 06 '11 at 16:40
  • Just needed few confirmations. Fooling(hacking) bios doesn't fool the OS right? and It also doesn't fool the 3rd party CPU identification utilities like CPUID. right? One way to fool everything is by hacking the `cpuid` instruction of processor. right? – claws Apr 06 '11 at 19:11
  • 4
    @claws: Fooling the OS is... a bit more difficult. But theoretically feasible. The OS uses the `cpuid` opcode. A hacked BIOS may setup an hypervisor which intercepts calls to `cpuid` by the OS itself, in effect running the OS on an emulated CPU. This is theoretically feasible and has been demonstrated in some cases (see Rook's answer). But that's quite higher level than simply displaying a fake BIOS screen. – Thomas Pornin Apr 06 '11 at 19:41
11

It's not impossible; Intel CPUs have had the ability to have new microcode uploaded into them for some time, and there are open source programs that can do so. If someone can then decipher the microcode, they could then produce modified microcode with a different CPUID string embedded in it. (It's supposed to have a checksum to prevent that, but I wouldn't be surprised to find the checksum is validated by the update utility and not the CPU itself.)

tttony
  • 133
  • 5
geekosaur
  • 226
  • 2
  • 3
  • 6
    The checksum(s) is (are) validated by the CPU itself. You can see the "update" utility source code in the Linux kernel: the update is blob is sent as is to the CPU, the kernel does not try to validate it in any way (and, indeed, the blob contents are totally opaque). However, such updates are "live", they must be done after each reset -- so it cannot fool the BIOS, which is the first piece of code to run. – Thomas Pornin Apr 06 '11 at 14:32
  • `http://www.urbanmyth.org/microcode/` -> not found :( – curiousguy Sep 09 '13 at 23:59
4

Using a rootkit someone can make their hardware appear as anything. The amount of memory available or processor speed/type can be easily influenced. This is very useful if you want to store data on the drive whiling hiding its disk usage. Hypervisor rootkits work on modern systems, you should check out the Stoned Bootkit.

The QEMU Virtual Machine can be used to emulate a wide verity of processor architectures. You can also specify your own a bios image to boot from. For instance a QEMU VM can use coreboot which is an open source bios.

rook
  • 46,916
  • 10
  • 92
  • 181
  • I see. Forgive my ignorance but I don't get how is it relevant to my question? – claws Apr 06 '11 at 06:49
  • @claws he could be fooling the kernel with a rootkit to make the hardware look like anything. Was this a fresh operating system? – rook Apr 06 '11 at 06:51
  • 1
    +1 But this false information is seen in the BIOS. I mean its the BIOS that's been fooled. If I got it correctly, you are describing a method in which OS is fooled. – claws Apr 06 '11 at 07:19
  • 2
    @claws A bios image could be modified and then reflashed. – rook Apr 06 '11 at 07:45
-2

Well, I think, if you crack the microcode of the CPU, well by the meaning of the word to modify the microcode, which is usually saved in a ROM mode, and this also varies from one CPU to another then consequently BIOS and OS are really taken for fools.

user30564
  • 1