some recent CHIPSEC presentations

I’m not sure that I’ve pointed to all of the recent CHIPSEC presentations that’ve happened recently. I don’t know that I have a complete list. 😦 Here are two recent ones, maybe some more in below tweets.

Attacking hypervisors through hardware emulation

Exploring your system deeper

—–begin slideshare.net stuff—–

—–end slideshare.net stuff—–


CHIPSEC whitelist gets updated




There’s a relatively new GUI front-end to the command line-based CHIPSEC project, called CHISPEC_GUI. This GUI for chipsec 1.2.5 provides a fairly simple design but lets you select each module that you want to run. It is made with PyQt4. It is getting updated to Chipsec 1.3.0 with the appropriate module additions written into the GUI. It was originally written in Persian by Emad Helmi, and translated to English by Alex Floyd of PreOS-Security.

English version:

Forked from Persian version:


CHIPSEC 1.3.0 released

New/updated modules:
* tools.uefi.whitelist – The module can generate a list of EFI executables from (U)EFI firmware file or extracted from flash ROM, and then later check firmware image in flash ROM or file against this list of [expected/whitelisted] executables
* tools.uefi.blacklist – Improved search of blacklisted EFI binaries, added exclusion rules, enhanced blacklist.json config file
* tools.smm.rogue_mmio_bar – Experimental module that may help checking SMM firmware for MMIO BAR hijacking vulnerabilities described in “BARing the System: New vulnerabilities in Coreboot & UEFI based systems” (http://www.intelsecurity.com/advanced-threat-research/content/data/REConBrussels2017_BARing_the_system.pdf) by Intel Advanced Threat Research team at RECon Brussels 2017
* tools.uefi.uefivar_fuzz – The module is fuzzing UEFI Variable interface. The module is using UEFI SetVariable interface to write new UEFI variables to SPI flash NVRAM with randomized name/attributes/GUID/data/size.

New/updated functionality:
* Debian packaging support
* Compiling in setup.py and automated loading of chipsec.kext kernel module on macOS
* Internal Graphics Device support including software DMA via Graphics Aperture
* Improved parsing andsearch within UEFI images including update capsules
* Export of extracted EFI firmware tree in JSON format
* Export of CHIPSEC results in JSON format via –json command-line argument
* EFI (de-)compression ported from uefi-firmware-parser project
* Decompression to macOS helper to parse Mac EFI firmware images
* Support of command-line arguments in chipsec_util.py
* SMI count command
* Improved platform dependent Flash descriptor parsing
* ReadWriteEverything helper to work with RWE driver
* map_io_space to improve SPI read performance on Linux
* Native (OS based) access PCI, port I/O and CPU MSR to Linux helper
* Improved chipsec_util.py unit testing

See full announcement for list of bugfixes.




CHIPSEC gets new MMIO BAR module

Experimental module that may help checking SMM firmware for MMIO BAR hijacking
vulnerabilities described in the following presentation:
`BARing the System: New vulnerabilities in Coreboot & UEFI based systems <http://www.intelsecurity.com/advanced-threat-research/content/data/REConBrussels2017_BARing_the_system.pdf&gt;`_ by Intel Advanced Threat Research team at RECon Brussels 2017
  “chipsec_main -m tools.smm.rogue_mmio_bar [-a <smi_start:smi_end>,<b:d.f>]“
– “smi_start:smi_end“: range of SMI codes (written to IO port 0xB2)
– “b:d.f“: PCIe bus/device/function in b:d.f format (in hex)
    >>> chipsec_main.py -m tools.smm.rogue_mmio_bar -a 0x00:0x80
    >>> chipsec_main.py -m tools.smm.rogue_mmio_bar -a 0x00:0xFF,0:1C.0