al3xtjames/ghidra-firmware-utils al3xtjames/ghidra-firmware-utils

  • Stars
    star
    398
  • Rank 108,325 (Top 3 %)
  • Language
    Java
  • License
    Other
  • Created over 5 years ago
  • Updated 7 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
al3xtjames/ghidra-firmware-utils
github

al3xtjames

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Ghidra utilities for analyzing PC firmware

Ghidra Firmware Utilities

Various modules for Ghidra to assist with PC firmware reverse engineering. This was accepted as a coreboot project for GSoC 2019.

Features

PCI option ROM loader

  • Implements a FS loader for PCI option ROMs (handles hybrid ROMs with multiple images, e.g. legacy x86 + UEFI)
  • Loads UEFI executables from PCI option ROMs (including compressed images)
  • Defines the entry point function and various header data types for legacy x86 option ROMs

Firmware image loader

  • Implements a FS loader for Flash Map (FMAP) images and Intel Flash Descriptor (IFD) images (shows flash regions)
  • Implements a FS loader for Coreboot Filesystem (CBFS) images (displays included files and handles compression)
  • Implements a FS loader for UEFI firmware volumes and nested firmware filesystem (FFS) file/FFS section parsing

Terse Executable (TE) loader

  • Implements a binary loader for TE binaries (frequently used in UEFI PI)

UEFI helper script

  • Includes data type libraries for base UEFI types (taken from EDK2 MdePkg)
  • Fixes the signature of the entry point function
  • Defines known GUIDs in the binary's .data/.text segments
  • Locates and defines global copies of UEFI table pointers (gBS/gRT/gST/etc)

Building & Installation

JDK 11 (or newer) and Ghidra 10.1 (or newer) are required.

Ghidra's standard Gradle build system is used. Set the GHIDRA_INSTALL_DIR environment variable before building, or set it as a Gradle property (useful for building in an IDE):

Environment variable

$ export GHIDRA_INSTALL_DIR="/path/to/ghidra"
$ ./gradlew

Gradle property

echo GHIDRA_INSTALL_DIR=/path/to/ghidra > gradle.properties

The module ZIP will be output to dist/. Use File > Install Extensions and select the green plus to browse to the extension. Restart Ghidra when prompted.

For proper functionality, the plugin should be built with the same JRE used by your Ghidra installation. If you have multiple Java runtime environments installed, select the correct JRE by setting the JAVA_HOME environment variable before building.

Usage

PCI option ROM loader

Add a PCI option ROM to a Ghidra project. Legacy x86 option ROMs can be directly loaded for analysis. Ensure that the binary format is set to x86 PCI Option ROM, and import the binary.

UEFI option ROMs or option ROMs that contain more than one image should be imported using the filesystem loader. When prompted to select an import mode, select File system. The images contained within the option ROM will be displayed, and can be imported for analysis. Legacy x86 images will be handled the x86 PCI Option ROM loader, and UEFI images will be handled by the PE32 loader (compression is supported). Information for each image can be displayed by selecting Get Info in the right-click menu.

Firmware image loader

Add a supported firmware image to a Ghidra project. The firmware image loader supports Intel images with a Flash Descriptor, coreboot images with a FMAP/CBFS layout, and UEFI firmware volumes. The File system import mode can be used to view embedded files within the specified firmware image.

Note that some UEFI firmware images may store nested firmware volumes within freeform/raw files (or freeform/raw FFS sections). Such files can be imported as firmware volumes by selecting Open File System in the right-click menu for the specified freeform/raw file. If no nested firmware volume is found, an error message will be displayed (No file system provider for...).

UEFI helper script

The helper script is included in the plugin's ghidra_scripts directory, which should be automatically added to the list of script directories in Ghidra.

Run the UEFI helper script by selecting UEFIHelper.java in the Script Manager window (accessed from Window -> Script Manager).

To modify the UEFI data type library, modify the PRF template in data/gen_prf.sh as necessary and generate new PRF files. Open the generated PRF file in File -> Parse C Source. Build the updated data type library by selecting Parse to File.... Overwrite the original data type libraries in data and rebuild the plugin.

Related projects

These are some interesting projects related to UEFI reversing:

License

Apache 2.0, with some exceptions:

  • src/efidecompress/c/efidecompress.c: BSD

Credits

src/efidecompress/c/efidecompress.c is a lightly modified version of Decompress.c from uefi-firmware-parser (which itself is derived from the original in EDK2 BaseTools).

lib/xz-1.8.jar is taken from the XZ for Java project.

The IFD FS loader in src/main/java/firmware/ifd used the parser from UEFITool as a reference.

The GUID database in data/guids.csv is taken from UEFITool.

The UEFI data type libraries in data/uefi_*.gdt were generated with data/gen_prf.sh, which is partially based off the UEFI parser definition from a Ghidra pull request by wrffrz. These data type libraries use headers from EDK2 MdePkg.

GhidraVitaLoader by xerpi was used as a reference for some parts of the UEFI helper script.

More Repositories

1

clover-theme-minimal

A clean theme for the Clover UEFI bootloader
216
star
2

NoTouchID

Lilu plugin for disabling Touch ID support
C++
122
star
3

Gigabyte-GA-Z77X-macOS-Install

Support files for running macOS on Gigabyte 7 Series motherboards
Shell
101
star
4

PS3Dec

PS3Dec r5 source mirror
C
85
star
5

MacGen

Mac number generation tools
Shell
64
star
6

Clover

Clover UEFI bootloader (read-only git mirror + dead fork) — new upstream: https://github.com/CloverHackyColor/CloverBootloader
C
60
star
7

ThunderboltPkg

C
46
star
8

clover-theme-next-black

A clean theme for the Clover UEFI bootloader
45
star
9

clover-theme-oss

Mac-style theme (originally by lisai9093)
11
star
10

AtherosL1cEthernet

Qualcomm Atheros AR813x/815x driver for macOS by maolj & Shailua
C
9
star
11

radeon_bios_decode

Fork of radeon_bios_decode by bcc9 & Fl0r!an
C++
9
star
12

hack-acpi

Stripped DSDTs for running macOS on various motherboards
Shell
8
star
13

Forcex2Apic

UEFI driver to enable x2APIC (if the CPU supports it)
Rust
7
star
14

nds-rom-patcher

Patcher for OpenPatcher/DS Scene ROM Tool-style patches
Python
6
star
15

coreboot_mainboard_gigabyte_ga-z77x-ud5h

coreboot mainboard tree for Gigabyte GA-Z77X-UD5H
C
4
star
16

AppleSystemInfo

C
3
star
17

IO80211Family-Headers

Headers for IO80211Family
C
3
star
18

CXGBFixup

Lilu plugin to fix various issues with Chelsio's network driver for macOS
C++
2
star
19

caffeinate

Rust clone of caffeinate(8) from macOS for Linux
Rust
1
star
20

JPEG_Artifacts_Removal

Fork of https://huggingface.co/spaces/danielsapit/JPEG_Artifacts_Removal
Python
1
star
21

dell_xps_9560_fw

Firmware for Dell XPS 15 9560 (2017)
1
star