• Stars
    star
    700
  • Rank 64,671 (Top 2 %)
  • Language
    Python
  • License
    Other
  • Created almost 11 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Parse BIOS/Intel ME/UEFI firmware related structures: Volumes, FileSystems, Files, etc

UEFI Firmware Parser

https://travis-ci.org/theopolis/uefi-firmware-parser.svg?branch=master

The UEFI firmware parser is a simple module and set of scripts for parsing, extracting, and recreating UEFI firmware volumes. This includes parsing modules for BIOS, OptionROM, Intel ME and other formats too. Please use the example scripts for parsing tutorials.

Installation

This module is available through PyPi as uefi_firmware

$ sudo pip install uefi_firmware

To install from Github, checkout this repo and use:

$ sudo python ./setup.py install

Requirements

  • Python development headers, usually found in the python-dev package.
  • The compression/decompression features will use the python headers and gcc.

Usage

The simplest way to use the module to detect or parse firmware is through the AutoParser class.

import uefi_firmware
with open('/path/to/firmware.rom', 'r') as fh:
  file_content = fh.read()
parser = uefi_firmware.AutoParser(file_content)
if parser.type() != 'unknown':
  firmware = parser.parse()
  firmware.showinfo()

There are several classes within the uefi, pfs, me, and flash packages that accept file contents in their constructor. In all cases there are abstract methods implemented:

  • process() performs parsing work and returns a True or False
  • showinfo() print a hierarchy of information about the structure
  • dump() walk the hierarchy and write each to a file

Scripts

A Python script is installed uefi-firmware-parser

$ uefi-firmware-parser -h
usage: uefi-firmware-parser [-h] [-b] [--superbrute] [-q] [-o OUTPUT] [-O]
                            [-c] [-e] [-g GENERATE] [--test]
                            file [file ...]

Parse, and optionally output, details and data on UEFI-related firmware.

positional arguments:
  file                  The file(s) to work on

optional arguments:
  -h, --help            show this help message and exit
  -b, --brute           The input is a blob and may contain FV headers.
  --superbrute          The input is a blob and may contain any sort of
                        firmware object
  -q, --quiet           Do not show info.
  -o OUTPUT, --output OUTPUT
                        Dump firmware objects to this folder.
  -O, --outputfolder    Dump firmware objects to a folder based on filename
                        ${FILENAME}_output/
  -c, --echo            Echo the filename before parsing or extracting.
  -e, --extract         Extract all files/sections/volumes.
  -g GENERATE, --generate GENERATE
                        Generate a FDF, implies extraction (volumes only)
  --test                Test file parsing, output name/success.

To test a file or directory of files:

$ uefi-firmware-parser --test ~/firmware/*
~/firmware/970E32_1.40: UEFIFirmwareVolume
~/firmware/CO5975P.BIO: EFICapsule
~/firmware/me-03.obj: IntelME
~/firmware/O990-A03.exe: None
~/firmware/O990-A03.exe.hdr: DellPFS

If you need to parse and extract a large number of firmware files check out the -O option to auto-generate an output folder per file. If parsing and searching for internals in a shell the --echo option will print the input filename before parsing.

The firmware-type checker will decide how to best parse the file. If the --test option fails to identify the type, or calls it unknown, try to use the -b or --superbrute option. The later performs a byte-by-byte type checker.

$ uefi-firmware-parser --test ~/firmware/970E32_1.40
~/firmware/970E32_1.40: unknown
$ uefi-firmware-parser --superbrute ~/firmware/970E32_1.40
[...]

Features

  • UEFI Firmware Volumes, Capsules, FileSystems, Files, Sections parsing
  • Intel PCH Flash Descriptors
  • Intel ME modules parsing (ME, TXE, etc)
  • Dell PFS (HDR) updates parsing
  • Tiano/EFI, and native LZMA (7z) [de]compression
  • Complete UEFI Firmware volume object hierarchy display
  • Firmware descriptor [re]generation using the parsed input volumes
  • Firmware File Section injection

GUID Injection

Injection or GUID replacement (no addition/subtraction yet) can be performed on sections within a UEFI firmware file, or on UEFI firmware files within a firmware filesystem.

$ python ./scripts/fv_injector.py -h
usage: fv_injector.py [-h] [-c] [-p] [-f] [--guid GUID] --injection INJECTION
                      [-o OUTPUT]
                      file

Search a file for UEFI firmware volumes, parse and output.

positional arguments:
  file                  The file to work on

optional arguments:
  -h, --help            show this help message and exit
  -c, --capsule         The input file is a firmware capsule.
  -p, --pfs             The input file is a Dell PFS.
  -f, --ff              Inject payload into firmware file.
  --guid GUID           GUID to replace (inject).
  --injection INJECTION
                        Pre-generated EFI file to inject.
  -o OUTPUT, --output OUTPUT
                        Name of the output file.

Note: when injecting into a firmware file the user will be prompted for which section to replace. At the moment this is not-yet-scriptable.

IDA Python support

There is an included script to generate additional GUID labels to import into IDA Python using Snare's plugins. Using the -g LABEL the script will generate a Python dictionary-formatted output. This project will try to keep up-to-date with popular vendor GUIDs automatically.

$ python ./scripts/uefi_guids.py -h
usage: uefi_guids.py [-h] [-c] [-b] [-d] [-g GENERATE] [-u] file

Output GUIDs for files, optionally write GUID structure file.

positional arguments:
  file                  The file to work on

optional arguments:
  -h, --help            show this help message and exit
  -c, --capsule         The input file is a firmware capsule, do not search.
  -b, --brute           The input file is a blob, search for firmware volume
                        headers.
  -d, --flash           The input file is a flash descriptor.
  -g GENERATE, --generate GENERATE
                        Generate a behemoth-style GUID output.
  -u, --unknowns        When generating also print unknowns.

Supported Vendors

This module has been tested on BIOS/UEFI/firmware updates from the following vendors. Not every update for every product will parse, some may required a-priori decompression or extraction from the distribution update mechanism (typically a PE).

  • ASRock
  • Dell
  • Gigabyte
  • Intel
  • Lenovo
  • HP
  • MSI
  • VMware
  • Apple
  • Qualcomm

More Repositories

1

build-anywhere

Scripts for building compilers that run anywhere, which build things that run anywhere
Shell
80
star
2

smc-fuzzer

Apple SMC (System Management Controller) API fuzzer
C++
68
star
3

uefi-spider

Crawl/download UEFI/BIOS updates from ISV/OEM distributors.
Python
66
star
4

subzero

Firmware analysis gone wild.
JavaScript
42
star
5

tpm-malcrypt

An example malicious payload controller and obfuscator assisted by TPM-protected keys
C++
38
star
6

sboot

Standalone libSboot for U-boot
C
22
star
7

tpm-i2c-atmel

Linux Kernel Driver for Atmel's AT97SC3204T I2C TPM (for Beaglebone)
C
17
star
8

u-boot-sboot

U-Boot with Atmel's I2C TPM, libTLCL, and libsboot (Secure Boot)
C
16
star
9

uefi-firmware-samples

Sample firmware for UEFI-firmware parsing
Python
15
star
10

RTFn-lite

A shell for Etherpad-lite to assist with cyber CTF team collaboration.
Python
12
star
11

u-boot

Tracking Denx Das u-boot with various trusted computing add-ons.
C
10
star
12

tpm2-examples

Several example uses of TPM2/TSS APIs.
C++
10
star
13

cuckoo-lite

A lite version of cuckoo-sandbox, with all dynamic/behavioral analysis removed.
Python
4
star
14

tpm-tools

tpm-tools mirror from TroSerS
Shell
3
star
15

DS1077L-linux

Helper program to set P/N (MUX/DIV) on a DS1077L oscillator within Linux.
C
3
star
16

BeagleBonePkg

EDK2 support for BeagleBone
C
2
star
17

SecurityPkg

The EDK II SecurityPkg with support for TPM devices that may not use registers or MMIO.
C
2
star
18

gelf

Virtual L1 via HTTP using Python, Websocks, and Javascript.
Python
2
star
19

fit-certificate-store

A Firmware Image Tree (FIT) certificate store generator for u-boot
Python
2
star
20

volafoxie

Volafoxie is a custom version of n0fate's volafox. Volafoxie intends to bring a volatility look/feel to the application, as well as provide a small playground for my volatile analysis learning. Definitely a WIP.
Python
2
star
21

simple-libfuzzer

Create a simple libFuzzer test harness
C++
1
star
22

theopolis_plugins

Testing Honeycomb plugins
Python
1
star
23

theopolis.github.io

Personal blog for Casual Hacking
Ruby
1
star
24

friendly-heartbleed

A friendly (non-malicious) way to check heartbleed-style vulnerabilities.
Python
1
star
25

azure-microk8s-test

This repo is for testing Azure and Microk8s
Shell
1
star