Add content from: Framework 13. Press here to pwn

src/hardware-physical-access/physical-attacks.md

@@ -14,46 +14,107 @@ In cases where the BIOS password is unknown, entering it incorrectly **three tim
 
 For modern systems using **UEFI** instead of traditional BIOS, the tool **chipsec** can be utilized to analyze and modify UEFI settings, including the disabling of **Secure Boot**. This can be accomplished with the following command:
 
-`python chipsec_main.py -module exploits.secure.boot.pk`
+```bash
+python chipsec_main.py -module exploits.secure.boot.pk
+```
 
-### RAM Analysis and Cold Boot Attacks
+---
+
+## RAM Analysis and Cold Boot Attacks
 
 RAM retains data briefly after power is cut, usually for **1 to 2 minutes**. This persistence can be extended to **10 minutes** by applying cold substances, such as liquid nitrogen. During this extended period, a **memory dump** can be created using tools like **dd.exe** and **volatility** for analysis.
 
-### Direct Memory Access (DMA) Attacks
+---
+
+## Direct Memory Access (DMA) Attacks
 
 **INCEPTION** is a tool designed for **physical memory manipulation** through DMA, compatible with interfaces like **FireWire** and **Thunderbolt**. It allows for bypassing login procedures by patching memory to accept any password. However, it's ineffective against **Windows 10** systems.
 
-### Live CD/USB for System Access
+---
+
+## Live CD/USB for System Access
 
 Changing system binaries like **_sethc.exe_** or **_Utilman.exe_** with a copy of **_cmd.exe_** can provide a command prompt with system privileges. Tools such as **chntpw** can be used to edit the **SAM** file of a Windows installation, allowing password changes.
 
 **Kon-Boot** is a tool that facilitates logging into Windows systems without knowing the password by temporarily modifying the Windows kernel or UEFI. More information can be found at [https://www.raymond.cc](https://www.raymond.cc/blog/login-to-windows-administrator-and-linux-root-account-without-knowing-or-changing-current-password/).
 
-### Handling Windows Security Features
+---
 
-#### Boot and Recovery Shortcuts
+## Handling Windows Security Features
+
+### Boot and Recovery Shortcuts
 
 - **Supr**: Access BIOS settings.
 - **F8**: Enter Recovery mode.
 - Pressing **Shift** after the Windows banner can bypass autologon.
 
-#### BAD USB Devices
+### BAD USB Devices
 
 Devices like **Rubber Ducky** and **Teensyduino** serve as platforms for creating **bad USB** devices, capable of executing predefined payloads when connected to a target computer.
 
-#### Volume Shadow Copy
+### Volume Shadow Copy
 
 Administrator privileges allow for the creation of copies of sensitive files, including the **SAM** file, through PowerShell.
 
-### Bypassing BitLocker Encryption
+---
+
+## Bypassing BitLocker Encryption
 
 BitLocker encryption can potentially be bypassed if the **recovery password** is found within a memory dump file (**MEMORY.DMP**). Tools like **Elcomsoft Forensic Disk Decryptor** or **Passware Kit Forensic** can be utilized for this purpose.
 
-### Social Engineering for Recovery Key Addition
+---
+
+## Social Engineering for Recovery Key Addition
 
 A new BitLocker recovery key can be added through social engineering tactics, convincing a user to execute a command that adds a new recovery key composed of zeros, thereby simplifying the decryption process.
+
+---
+
+## Exploiting Chassis Intrusion / Maintenance Switches to Factory-Reset the BIOS
+
+Many modern laptops and small-form-factor desktops include a **chassis-intrusion switch** that is monitored by the Embedded Controller (EC) and the BIOS/UEFI firmware.  While the primary purpose of the switch is to raise an alert when a device is opened, vendors sometimes implement an **undocumented recovery shortcut** that is triggered when the switch is toggled in a specific pattern.
+
+### How the Attack Works
+
+1. The switch is wired to a **GPIO interrupt** on the EC.
+2. Firmware running on the EC keeps track of the **timing and number of presses**.
+3. When a hard-coded pattern is recognised, the EC invokes a *mainboard-reset* routine that **erases the contents of the system NVRAM/CMOS**.
+4. On next boot, the BIOS loads default values – **supervisor password, Secure Boot keys, and all custom configuration are cleared**.
+
+> Once Secure Boot is disabled and the firmware password is gone, the attacker can simply boot any external OS image and obtain unrestricted access to the internal drives.
+
+### Real-World Example – Framework 13 Laptop
+
+The recovery shortcut for the Framework 13 (11th/12th/13th-gen) is:
+
+```text
+Press intrusion switch  →  hold 2 s
+Release                 →  wait 2 s
+(repeat the press/release cycle 10× while the machine is powered)
+```
+
+After the tenth cycle the EC sets a flag that instructs the BIOS to wipe NVRAM at the next reboot.  The whole procedure takes ~40 s and requires **nothing but a screwdriver**.
+
+### Generic Exploitation Procedure
+
+1. Power-on or suspend-resume the target so the EC is running.
+2. Remove the bottom cover to expose the intrusion/maintenance switch.
+3. Reproduce the vendor-specific toggle pattern (consult documentation, forums, or reverse-engineer the EC firmware).
+4. Re-assemble and reboot – firmware protections should be disabled.
+5. Boot a live USB (e.g. Kali Linux) and perform usual post-exploitation (credential dumping, data exfiltration, implanting malicious EFI binaries, etc.).
+
+### Detection & Mitigation
+
+* Log chassis-intrusion events in the OS management console and correlate with unexpected BIOS resets.
+* Employ **tamper-evident seals** on screws/covers to detect opening.
+* Keep devices in **physically controlled areas**; assume that physical access equals full compromise.
+* Where available, disable the vendor “maintenance switch reset” feature or require an additional cryptographic authorisation for NVRAM resets.
+
+---
+
+## References
+
+- [Pentest Partners – “Framework 13. Press here to pwn”](https://www.pentestpartners.com/security-blog/framework-13-press-here-to-pwn/)
+- [FrameWiki – Mainboard Reset Guide](https://framewiki.net/guides/mainboard-reset)
+
 {{#include ../banners/hacktricks-training.md}}
-
-
-