UEFI Firmware Parser - Parse BIOS/Intel ME/UEFI firmware related structures: volumes, filesystems, files, etc.
The UEFI firmware parser is a simple module and set of scripts for parsing, extracting, and recreating UEFI firmware volumes. This includes parsing modules for BIOS, OptionROM, Intel ME and other formats as well. Please use the example scripts as parsing tutorials.
Installation
This module is published on PyPI as uefi_firmware:

```
$ sudo pip install uefi_firmware
```

To install from GitHub, check out this repo and use:

```
$ sudo python ./setup.py install
```
Requirements
- Python development headers, usually found in the python-dev package.
- The compression/decompression features are compiled against the Python headers and need gcc.
- pefile is optional, and may be used for additional parsing.
Usage
The simplest way to use the module to detect or parse firmware is through the AutoParser class. Open the image in binary mode ('rb'); a text-mode open corrupts the bytes on Python 3.

```python
import uefi_firmware

with open('/path/to/firmware.rom', 'rb') as fh:
    file_content = fh.read()

parser = uefi_firmware.AutoParser(file_content)
if parser.type() != 'unknown':
    firmware = parser.parse()
    firmware.showinfo()
```
There are several classes within the uefi, pfs, me, and flash packages that accept file contents in their constructor. In all cases these abstract methods are implemented:
- process() performs the parsing work and returns True or False
- showinfo() prints a hierarchy of information about the structure
- dump() walks the hierarchy and writes each object to a file
Scripts
A Python script, uefi-firmware-parser, is installed:

```
$ uefi-firmware-parser -h
usage: uefi-firmware-parser [-h] [-b] [--superbrute] [-q] [-o OUTPUT] [-O] [-c] [-e] [-g GENERATE] [--test] file [file ...]

Parse, and optionally output, details and information on UEFI-related firmware.

positional arguments:
  file                  The file(s) to work on

optional arguments:
  -h, --help            show this help message and exit
  -b, --brute           The input is a blob and may contain FV headers.
  --superbrute          The input is a blob and may contain any type of firmware object
  -q, --quiet           Do not show info.
  -o OUTPUT, --output OUTPUT
                        Dump firmware objects to this folder.
  -O, --outputfolder    Dump firmware objects to a folder based on filename ${FILENAME}_output/
  -c, --echo            Echo the filename before parsing or extracting.
  -e, --extract         Extract all files/sections/volumes.
  -g GENERATE, --generate GENERATE
                        Generate a FDF, implies extraction (volumes only)
  --test                Test file parsing, output name/success.
```

To test a file or a directory of files:

```
$ uefi-firmware-parser --test /firmware/*
/firmware/970E32_1.40: UEFIFirmwareVolume
/firmware/CO5975P.BIO: EFICapsule
/firmware/me-03.obj: IntelME
/firmware/O990-A03.exe: None
/firmware/O990-A03.exe.hdr: DellPFS
```
If you need to parse and extract a large number of firmware files, check out the -O option to auto-generate an output folder per file. If parsing and searching for internals in a shell, the --echo option will print the input filename before parsing.

The firmware-type checker will decide how to best parse the file. If the --test option fails to identify the type, or reports it as unknown, try the -b or --superbrute option. The latter performs a byte-by-byte type check, so it is slower but finds objects embedded at arbitrary offsets.

```
$ uefi-firmware-parser --test /firmware/970E32_1.40
/firmware/970E32_1.40: unknown
$ uefi-firmware-parser --superbrute /firmware/970E32_1.40
[...]
```
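What the brute-force scan does underneath, as an added example that is not code from uefi-firmware-parser: look for the `_FVH` signature at every position of a blob, reconstruct the EFI_FIRMWARE_VOLUME_HEADER around each hit, reject candidates whose 16-bit header checksum does not verify, and then walk the FFS file headers of each verified volume (the same structures the library's process() turns into an object hierarchy). The input blob is constructed inline and contains a decoy `_FVH` string that must be rejected; the attribute value, file GUIDs and state byte are arbitrary choices for the sample, and FFS3 large files and FV extended headers are deliberately not handled.

```python
"""Brute-force search for UEFI firmware volumes in a blob (added example).

EFI_FIRMWARE_VOLUME_HEADER byte offsets (PI spec): 0 ZeroVector[16],
16 FileSystemGuid, 32 FvLength u64, 40 Signature '_FVH', 44 Attributes u32,
48 HeaderLength u16, 50 Checksum u16, 52 ExtHeaderOffset u16, 54 Reserved,
55 Revision, 56 BlockMap (NumBlocks u32, Length u32)... terminated by (0, 0).
"""
import struct
import uuid

FV_SIGNATURE = b"_FVH"
FV_SIGNATURE_OFFSET = 40
FV_FIXED_HEADER_LEN = 56           # bytes before the block map
FFS_FILE_HEADER_LEN = 24           # EFI_FFS_FILE_HEADER
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")


def sum16(data):
    """Sum of little-endian 16-bit words mod 2**16; a valid FV header sums to 0."""
    data = bytes(data) + (b"\x00" if len(data) % 2 else b"")
    return sum(struct.unpack("<%dH" % (len(data) // 2), data)) & 0xFFFF


def parse_fv_header(blob, off):
    """Return a dict for a verified FV header starting at `off`, else None."""
    if blob[off + FV_SIGNATURE_OFFSET:off + FV_SIGNATURE_OFFSET + 4] != FV_SIGNATURE:
        return None
    fv_len, = struct.unpack_from("<Q", blob, off + 32)
    hdr_len, _checksum, ext_off = struct.unpack_from("<HHH", blob, off + 48)
    # Bounds before trust: one block-map entry plus terminator at minimum,
    # and both header and whole volume must lie inside the blob.
    if hdr_len < FV_FIXED_HEADER_LEN + 16 or off + hdr_len > len(blob):
        return None
    if fv_len < hdr_len or off + fv_len > len(blob):
        return None
    if sum16(blob[off:off + hdr_len]) != 0:
        return None                  # a stray '_FVH' string, not a header
    return {"offset": off, "fs_guid": uuid.UUID(bytes_le=bytes(blob[off + 16:off + 32])),
            "length": fv_len, "header_length": hdr_len,
            "ext_header_offset": ext_off, "revision": blob[off + 55]}


def find_firmware_volumes(blob):
    """Byte-by-byte scan: every '_FVH' occurrence is a candidate header."""
    blob, found = bytes(blob), []
    pos = blob.find(FV_SIGNATURE)
    while pos != -1:
        start = pos - FV_SIGNATURE_OFFSET
        hdr = parse_fv_header(blob, start) if start >= 0 else None
        if hdr is not None:
            found.append(hdr)
        pos = blob.find(FV_SIGNATURE, pos + 1)
    return found


def walk_ffs_files(blob, fv):
    """List FFS file headers in a verified volume (no ext header, no FFS3 large files)."""
    if fv["ext_header_offset"]:
        raise ValueError("FV extended header not handled in this example")
    blob, base, files = bytes(blob), fv["offset"], []
    rel, end = fv["header_length"], fv["length"]       # offsets relative to the FV
    while rel + FFS_FILE_HEADER_LEN <= end:
        hdr = blob[base + rel:base + rel + FFS_FILE_HEADER_LEN]
        if hdr == b"\xff" * FFS_FILE_HEADER_LEN:
            break                                    # erased space: no more files
        size = int.from_bytes(hdr[20:23], "little")  # 24-bit Size field
        if size < FFS_FILE_HEADER_LEN or rel + size > end:
            break                                    # corrupt size: stop walking
        # Header checksum: 8-bit sum with IntegrityCheck.File and State taken as zero
        zeroed = hdr[:17] + b"\x00" + hdr[18:23] + b"\x00"
        files.append({"offset": base + rel, "name": uuid.UUID(bytes_le=hdr[:16]),
                      "type": hdr[18], "size": size, "header_ok": sum(zeroed) % 256 == 0})
        rel = (rel + size + 7) & ~7                  # files are 8-byte aligned in the FV
    return files


def build_sample_blob():
    """Constructed input: zero padding with a decoy '_FVH', then one FFS2 volume."""
    def ffs_file(name, ftype, body):
        size = FFS_FILE_HEADER_LEN + len(body)
        hdr = bytearray(name.bytes_le + b"\x00\x00" + bytes([ftype, 0])
                        + size.to_bytes(3, "little") + b"\x00")
        hdr[16] = (-sum(hdr)) & 0xFF   # IntegrityCheck.Header: makes the header sum zero
        hdr[17] = 0xAA                 # IntegrityCheck.File: fixed value without FFS_ATTRIB_CHECKSUM
        hdr[23] = 0xF8                 # State (sample value, erase polarity 1)
        return bytes(hdr) + body

    fv_len = 0x200
    block_map = struct.pack("<IIII", 1, fv_len, 0, 0)    # one block, then terminator
    hdr_len = FV_FIXED_HEADER_LEN + len(block_map)
    hdr = bytearray(b"\x00" * 16 + FFS2_GUID.bytes_le + struct.pack("<Q", fv_len)
                    + FV_SIGNATURE + struct.pack("<IHHHBB", 0x0004FEFF, hdr_len, 0, 0, 0, 2)
                    + block_map)
    struct.pack_into("<H", hdr, 50, (-sum16(hdr)) & 0xFFFF)   # fill in Checksum
    vol = bytes(hdr)
    vol += ffs_file(uuid.UUID("11111111-2222-3333-4444-555555555555"), 0x07, b"A" * 20)  # DRIVER
    vol += b"\xff" * (-len(vol) % 8)
    vol += ffs_file(uuid.UUID("00000000-0000-0000-0000-000000000000"), 0xF0, b"\xff" * 8)  # FFS_PAD
    vol += b"\xff" * (fv_len - len(vol))
    decoy = b"\x00" * 48 + FV_SIGNATURE + b"\x00" * 12        # signature with no valid header
    return decoy + vol


if __name__ == "__main__":
    blob = build_sample_blob()
    for fv in find_firmware_volumes(blob):
        print("FV at 0x%x: %s, 0x%x bytes" % (fv["offset"], fv["fs_guid"], fv["length"]))
        for f in walk_ffs_files(blob, fv):
            print("  file @0x%x type 0x%02x size %d header_ok=%s"
                  % (f["offset"], f["type"], f["size"], f["header_ok"]))
```

Against a real image, call find_firmware_volumes(open(path, 'rb').read()). The checksum test is what separates a real header from the signature string merely appearing in data (a tool's own strings, or a volume embedded inside a compressed section), and the size bounds stop a crafted HeaderLength or Size field from driving the walk past the end of the buffer.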
Features
- UEFI Firmware Volumes, Capsules, FileSystems, Files, Sections parsing
- Intel PCH Flash Descriptors
- Intel ME modules parsing (ME, TXE, etc)
- Dell PFS (HDR) updates parsing
- Tiano/EFI, and native LZMA (7z) [de]compression
- Complete UEFI Firmware volume object hierarchy display
- Firmware descriptor [re]generation using the parsed input volumes
- Firmware File Section injection
Injection or GUID replacement (no addition/subtraction yet) can be performed on sections within a UEFI firmware file, or on UEFI firmware files within a firmware filesystem.

```
$ python ./scripts/fv_injector.py -h
usage: fv_injector.py [-h] [-c] [-p] [-f] [--guid GUID] --injection INJECTION [-o OUTPUT] file

Search a file for UEFI firmware volumes, parse and output.

positional arguments:
  file                  The file to work on

optional arguments:
  -h, --help            show this help message and exit
  -c, --capsule         The input file is a firmware capsule.
  -p, --pfs             The input file is a Dell PFS.
  -f, --ff              Inject payload into firmware file.
  --guid GUID           GUID to replace (inject).
  --injection INJECTION
                        Pre-generated EFI file to inject.
  -o OUTPUT, --output OUTPUT
                        Name of the output file.
```

Note: when injecting into a firmware file the user will be prompted for which section to replace. At the moment this is not yet scriptable.

IDA Python support
There is an included script to generate additional GUID labels to import into IDA Python using Snare's plugins. With the -g LABEL option the script will generate Python dictionary-formatted output. This project will try to keep up to date with popular vendor GUIDs automatically.

```
$ python ./scripts/uefi_guids.py -h
usage: uefi_guids.py [-h] [-c] [-b] [-d] [-g GENERATE] [-u] file

Output GUIDs for files, optionally write GUID structure file.

positional arguments:
  file                  The file to work on

optional arguments:
  -h, --help            show this help message and exit
  -c, --capsule         The input file is a firmware capsule, do not search.
  -b, --brute           The input file is a blob, search for firmware volume headers.
  -d, --flash           The input file is a flash descriptor.
  -g GENERATE, --generate GENERATE
                        Generate a behemoth-style GUID output.
  -u, --unknowns        When generating also print unknowns.
```
Supported Vendors
This module has been tested on BIOS/UEFI/firmware updates from the following vendors. Not every update for every product will parse; some may require a-priori decompression or extraction from the distribution update mechanism (typically a PE).
- ASRock
- Dell
- Gigabyte
- Intel
- Lenovo
- HP
- MSI
- VMware
- Apple