tool mini-review: UEFI Firmware Parser

Here’s a short review of “UEFI Firmware Parser”, a UEFI security/diagnostic tool by Teddy ‘theopolis’ Reed.

“The UEFI firmware parser is a simple module and set of scripts for parsing, extracting, and recreating UEFI firmware volumes. This includes parsing modules for BIOS, OptionROM, Intel ME and other formats. Features:
– UEFI Firmware Volumes, Capsules, FileSystems, Files, Sections parsing
– Intel PCH Flash Descriptors
– Intel ME modules parsing (for ARC5)
– Dell PFS (HDR) updates parsing
– Tiano/EFI, and native LZMA (7z) [de]compression
– Complete UEFI Firmware volume object hierarchy display
– Firmware descriptor [re]generation using the parsed input volumes
– Firmware File Section injection”

This package is actually three tools, not just one. The first is the UEFI Firmware Parser, which searches a file for UEFI firmware volumes; there are two other tools/scripts. The second outputs GUIDs for files, optionally writes a GUID structure file, and will import GUID labels into IDA. The third is the GUID Injector, which replaces GUIDs on sections within a UEFI firmware file, or on UEFI firmware files within a firmware filesystem.

The tools are written in Python. The package requires the Python development headers, GCC, and the Python pefile library. To install, use the normal:

$ sudo python ./ install


$ python ./scripts/ -h
usage: [-h] [--type {VARIOUS_TYPES}]
[-b] [-q] [-o OUTPUT] [-e] [-g GENERATE] [--test]
file [file ...]
-h, --help            show this help message and exit
--type {VARIOUS_TYPES} Parse files as a specific firmware type.
-b, --brute           The input is a blob and may contain FV headers.
-q, --quiet           Do not show info.
-o OUTPUT, --output OUTPUT Dump EFI Files to this folder.
-e, --extract         Extract all files/sections/volumes.
-g GENERATE, --generate GENERATE Generate a FDF, implies extraction
--test                Test file parsing, output name/success.

$ python ./scripts/ -h
usage: [-h] [-c] [-b] [-d] [-g GENERATE] [-u] file
-h, --help            show this help message and exit
-c, --capsule         The input file is a firmware capsule, do not search.
-b, --brute           The input file is a blob, search for firmware volume headers.
-d, --flash           The input file is a flash descriptor.
-g GENERATE, --generate GENERATE  Generate a behemonth-style GUID output.
-u, --unknowns        When generating also print unknowns.

$ python ./scripts/ -h
usage: [-h] [-c] [-p] [-f] [--guid GUID] --injection INJECTION
-h, --help            show this help message and exit
-c, --capsule         The input file is a firmware capsule.
-p, --pfs             The input file is a Dell PFS.
-f, --ff              Inject payload into firmware file.
--guid GUID           GUID to replace (inject).
--injection INJECTION Pre-generated EFI file to inject.
-o OUTPUT, --output OUTPUT Name of the output file.
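
What a brute search of a blob for firmware volume headers (the -b option above) involves, as an added example that is not the tool's own code: it looks for the "_FVH" signature and validates each candidate against the EFI_FIRMWARE_VOLUME_HEADER layout from the UEFI PI specification. The function names and the sample blob are constructed for illustration.

```python
import struct
import uuid

FVH_SIGNATURE = b"_FVH"
SIG_OFFSET = 40  # Signature sits 40 bytes into EFI_FIRMWARE_VOLUME_HEADER
# Fixed 56-byte part of the header; the variable-length block map follows it.
FIXED_HEADER = struct.Struct("<16s16sQ4sIHHHBB")


def checksum16(data):
    """Sum of little-endian 16-bit words; a valid FV header sums to zero."""
    return sum(struct.unpack("<%dH" % (len(data) // 2), data)) & 0xFFFF


def find_firmware_volumes(blob):
    """Return (offset, filesystem_guid, fv_length) for each validated header."""
    found = []
    pos = blob.find(FVH_SIGNATURE)
    while pos != -1:
        start = pos - SIG_OFFSET
        if start >= 0 and start + FIXED_HEADER.size <= len(blob):
            fields = FIXED_HEADER.unpack_from(blob, start)
            guid, fv_len, hdr_len = fields[1], fields[2], fields[5]
            header = blob[start:start + hdr_len]
            # Reject chance matches: header size must be sane and inside the
            # blob, the volume must fit, and the header must checksum to zero.
            if (hdr_len >= FIXED_HEADER.size and hdr_len % 2 == 0
                    and len(header) == hdr_len
                    and hdr_len <= fv_len <= len(blob) - start
                    and checksum16(header) == 0):
                found.append((start, str(uuid.UUID(bytes_le=guid)), fv_len))
        pos = blob.find(FVH_SIGNATURE, pos + 1)
    return found


def build_sample_volume(fv_len=0x1000):
    """Constructed sample: a valid header plus 0xFF padding, not real firmware."""
    guid = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3").bytes_le  # FFSv2
    block_map = struct.pack("<IIII", 1, fv_len, 0, 0)  # one block + terminator
    hdr_len = FIXED_HEADER.size + len(block_map)
    def pack(csum):  # attributes and revision values are constructed
        return FIXED_HEADER.pack(b"\0" * 16, guid, fv_len, FVH_SIGNATURE,
                                 0x0004FEFF, hdr_len, csum, 0, 0, 2) + block_map
    return pack(-checksum16(pack(0)) & 0xFFFF) + b"\xff" * (fv_len - hdr_len)


# Constructed blob: padding, one valid volume, then a stray "_FVH" string.
SAMPLE_BLOB = (b"\xff" * 0x200 + build_sample_volume()
               + b"junk _FVH junk" + b"\xff" * 64)
```

Calling find_firmware_volumes(SAMPLE_BLOB) reports only the volume at offset 0x200; the stray signature after it fails the length and checksum checks.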

More Information:
