Finnbarr releases UEFI-Utilities-2019

Finnbarr P. Murphy has been working on a collection of UEFI Utilities for Intel systems for multiple years. It is somewhat like a UEFI version of Norton Utilities for MS-DOS or SysInternals for Windows NT, multiple small command line tools that dump out low-level system information.

UEFI-Utilities was built with — I believe — GNU-EFI,and probably only had 32-bit binaries.

UEFI-Utilities-2016 is built against UDK2015. And I think may only have 32-bit binaries.

UEFI-Utilities-2018 is built against UDK2017. Includes X64 binaries.

The 2019 edition is now out:

UEFI-Utilities-2019 is built against UDK2018. Includes X64 binaries.

Some tools are only in one collection.  Also, you need to watch Finnbarr’s blog, as sometimes he does a blog post on a new (or revised tool) and sometimes the tool is only published in the blog, not in the UEFI Utilities. At least it seemed like that for one of his tools in the past….

Some tools are only in one collection…

Finbarr’s UEFI-Utilities-2018

Finbarr Murphy has updated UEFI Utilities again. Earlier it was GNU-EFI based, now it is EDK2 based, and uses VS2018.

Maybe not finished migrating yet, but there are more tools in the older version than this, so don’t ignore the old tools.

And sometimes it seems the latest tools are only available the HTML of recent blob posts, so look there as well:


ShowSLIC.efi: Access ACPI-based Windows SLIC License Key

FPMurphy has a new blog post with source to a new tool, and mentions plans for 3-4 new tools/year!

Those who follow my work in the UEFI Shell space are aware that I usually develop a number of new, and hopefully useful, UEFI shell utilities each year. This year, I plan to write three or four new utilities and enhance a number of existing utilities. This is the first of these new utilities. In this post, I describe the ShowSLIC utility. It is the first of my new utilities and came about from license and booting issues caused by a disk failure on a friend’s laptop that was running Windows 7. ShowSLIC is designed to enable you to retrieve SLIC (System License Internal Certificate) information from a UEFI-based Microsoft Windows PC or laptop. Such information is accessible (exposed) via the ACPI (Advanced Configuration and Power Interface) SLIP table.[…]

Looks like you have to scrape the source from the HTML blog post, not included in latest UEFI-Utilities, AFAICT:

Finnbarr on state of Intel ME hacking tools

Finbarr has a new article on Intel ME, in which he’s wondering if current tools are acquiring bitrot:

[…]It seems to me there is little ongoing work to enhance existing ME analysis tools such as me_unpack or the meloader IDA plugin to support ME firmware versions 9.5.X.X or later. Possible reasons for this state of affairs include the lack of available documentation for ME versions above 9, no ROMB-enabled ME firmware later the version 9 in the wild, or simply that the ME tool developers have moved on to other projects.

Also, this post pointed out an Intel ME web site I had not seen before:

It has an invalid HTTPS cert, and appears to have been last updated a few years ago.

PS: Also, if you are using Finnbarr’s UEFI-Utilities, note that he’s recently started including ThinkPwn as one of the binaries, so be careful how you deploy it. CHIPSEC blacklists ThinkPwn as one of handful of known UEFI malware modules.

ShowPCIx: UEFI tool to show PCI devices using PCI.IDS database



New UEFI RNG tool

Finnbarr P. Murphy has a new UEFI tool that checks your firmware for RNGs, and it sounds like he’s found some Lenovo Thinkpad errors with it:

[…] Here is a small UEFI shell utility that checks your firmware for available RNGs: […] I built the utility on a 64-bit Fedora 24 platform using GCC and UDK2015. I have not tried building a 32-bit utility nor have I build it using Visual Studio or other development frameworks – so do not be surprised if you have modify either the code or the build recipe in these cases. I tested the utility on a Lenovo T450 using firmware version JBET60WW (1.24) and was surprised to find that the firmware did not appear to support any RNGs as evidenced by the zero RNG algorithm count returned. However, by explicitly, testing for the default RNG if the count was zero, it was possible to determine that the T450 did in fact at least support the default RNG. Perhaps, I am not parsing the UEFI specification correctly but I would expect the RNG count returned by GetInfo to include the default RNG. Interestingly, when I build and load the UDK2015 test RNG DXE driver which contains a reference counter mode DRBG (Deterministic Random Bit Generator) conforming to NIST SP 800-90a, the algorithm count returned by GetInfo jumps to 2. This leads me to suspect that their is a bug in the firmware w.r.t. to the RNG protocol implementation. Please let me know if I am incorrect in my assumptions or observations.

Finnbarr on diagnosing Windows UEFI startup issues

Finnbarr has a new blog post, on diagnosing UEFI-centric issues with modern Windows systems, with lots of figures and screenshots and background information:

[…] I hope this detailed explanation of how Windows 10 boots on a UEFI-platform will help you keep your sanity the next time you boot and see a missing or corrupt BCD message. Remember to always configure your platform so that you can boot into a UEFI shell using the UEFI firmware-based boot manager and make a backup of your BCD store.

TPM2 ACPI table

Finnbarr P. Murphy has a new blog post about viewing the TPM2 ACPI table:

[…] Why two definitions for the same header? The current ACPI standard defines the table description header as follows: […]
I believe that the second definition is closer to the intent of the ACPI. For a more detailed look at the actual TPM2 support in the EDK2, read the Intel white paper entitled A Tour Beyond BIOS with the UEFI TPM2 Support in EDKII by Jiewen Yao and Vincent J. Zimmer. […]

FPMurphy’s UEFI Utilities has 2016 fork

Finnbarr P. Murphy has a set of UEFI Utilities on Github. He’s recently made two versions of it, UEFI-Utilities-2016:

Note that the code in this repository is quite old. Many of these utilitoes will only build against the GNU-EFI library and run under UEFI Shell v1.0. See my UEFI-Utilities-2016 repository for utilities that will build under UDK2015 and run under UEFI Shell v2.0.

Tools included:


FPMurphy on TPM access via UEFI

Finnbarr P. Murphy does not blog often, but each post is usually very well written, and often focused on using some UEFI Shell commands to do some specific task. In the current post, the topic is accessing TPM’s features from the UEFI Shell, and it is called “part 1”, with more to come!

“Why an I writing this series of posts? Because there are few published examples of working UEFI code that interacts with a TPM. Such example code is useful to security researchers and computer forensics practitioners.”