UEFITool is a Qt-based GUI tool that works on Mac/Windows/Linux. In addition to the main Qt-based GUI tool, the project also has a few other command line tools, UEFIExtract, UEFIFind, UEFIDump. And there are two codebases on Github, master and new-engine.
Some of the command line tools have been changing: UEFIDump was a tool that dumped info. UEFIDump is now gone, replaced by UEFIExtract with the “unpack” option (the “dump” option is related).
UEFIDump/UEFIExtract aside, UEFIFind is also useful to find information:
Nikolaj is learning Rust. He just rewrote one C tool to Rust:
Intel ID: INTEL-SA-00084
Product family: Intel® NUC Kits
Impact of vulnerability: Elevation of Privilege
Severity rating: Critical
Original release: Oct 06, 2017
This update improves protection against mitigates multiple vulnerabilities related to security features in Intel® NUC system firmware (BIOS). BIOS Administrator and User password bypass: Insufficient protection of password storage in system firmware for NUC7i3BNK, NUC7i3BNH, NUC7i5BNK, NUC7i5BNH, NUC7i7BNH versions BN0049 and below allows local attacker to bypass Administrator and User passwords via access to password storage. SPI Write Protection Bypass: Insecure platform configuration in system firmare for NUC7i3BNK, NUC7i3BNH, NUC7i5BNK, NUC7i5BNH, NUC7i7BNH versions BN0049 and below allows an attacker with physical presence to run arbitrary code via unauthorized firmware modification during BIOS Recovery. SMM Privilege Elevation: Insufficient input validation in system firmware for Intel® NUC systems allows local attacker to execute arbitrary code via manipulation of memory. Boot Guard Bypass: Incorrect policy enforcement in system firmware for Intel® NUC systems allows attacker with local or physical access to bypass enforcement of integrity protections via manipulation of firmware storage. Dangerous SPI Opcode Protections: Insufficient policy enforcement in system firmware for Intel® NUC systems allows attacker with local or physical access to violate integrity or availability of nonvolatile storage for firmware via specially crafted accesses to nonvolatile storage. Intel highly recommends that users update to the latest version. Intel would like to thank Nikolaj Schlaj for reporting CVE-2017-5700 and CVE-2017-5701 and working with us on coordinated disclosure. Intel would like to thank Embedi for reporting CVE-2017-5721 and CVE-2017-5722 and working with us on coordinated disclosure.[…]
Apple firmware security researcher Nikolaj Schlej has been working from Europe, and is now moving to the US.
Nice picture of the Xeno, Corey, and Nikolaj in the above tweet.
PFSExtractor v0.1.0 – extracts contents of Dell firmware update files in PFS format
Usage: PFSExtractor pfs_file.bin
William’s blog post on Nikolaj’s comments are more readable than below post:
Nikolaj has over a dozen tweets showcasing the interesting new features in the latest UEFI and ACPI specs. Click on the above Twitter URL to see the full set.
Nikolaj Schlej made a comment on the recent Snowden/AMD thread. The comment is on Twitter, so it is in multiple messages. I hope that AMD proves him wrong, AMD can change course, so can Intel, if they choose.
William has done another tool review, this time of Nikolaj’s CrScreenshotDxe tool. He does must longer blog posts on tool reviews than me, so it is always nice to see another review from him. 🙂
[…] “Nikolaj did us all a great service by posting this utility on Github. It was easy to integrate and worked flawlessly.” […]
WOW!!, Nikolaj joins Apple!! First they hired Legbacore, now Nikolaj!
As well, UEFITool has new maintainers, Alex and Dmytro!!
Nikolaj apparently never stops coding. 🙂 Changelog:
New feature release this time: added “Hex view…” action (Ctrl/Cmd + D) and dialog to preview the selected tree item without extracting it to FS. #56
Now the dialog is modal, but if anyone needs to open more than one, it can be implemented later. The feature uses QHexEdit2 library made by Simsys, big thanks.
Also see Nikolaj’s comments re: my last post, clarifying Qt usage in UEFITool, which my post was not clear on:
Nikolaj has been rewriting his suite of UEFI tools, so they are no longer dependent on the Qt framework, and uses his new engine “NE” tag. UEFITool (UT NE) no longer requires Qt. UEFIExtract (UE) no longer requires Qt. UEFIFind (UF) still requires Qt, and will be ported later. UEFIDump (UD) is a new tool! Described below. Extract of release notes:
UT NE A30 | UE 0.12.0 | UD 0.1.0
Almost no new features, but massive changes under the hood:
* engine (classes from /common) can now be build without Qt.
* added support for very rare Apple-specific images.
* fixed some quirks with report generation.
* UT and UE binaries rebuilt to include updated engine code.
* UEFIDump utility released, it’s a PoC analog of UEFIExtract, that generates the same report and dumps all leaf items into one .dump folder without hierarchy, “_%03d” suffix is added for duplicated items. The tool is an example of Qt-less engine usage.
* UEFIFind will be ported to non-Qt engine a bit later.
Nikolaj Schlej already has part 3 on his blog series on NVRAM formats in UEFI! Very long post with lot’s of information!
On NVRAM formats, part 3, about Phoenix SCT formats: FlashMap, EVSA, CMDB and some others common ones.
Also it appears he’s also released UEFITool NE alpha 25:
Nikolaj Schlej has written the first of a series of articles on NVRAM file formats:
“NVRAM formats of UEFI-compatible firmwares”
It is in Russian. If you don’t read Russian, there are many C structs and colored screenshots that are self-explanatory, and auto-translators (like Google Translate) work pretty well.
If you’ve not been watching UEFITool NE recently, there have been lots of checkins for NVRAM formats.
Nikolaj is also looking for some NVRAM formats for testing:
Nikolaj has updated UEFItool NE again, Alpha 24, with NVRAM support done, and is needing help to test it.
* parser for all NVRAM formats known to me, including AMI NVAR, TianoCore VSS (Normal, Authenticated, Apple CRC and _FDC), EVSA and Apple Fsys.
* built with Qt 5.6
* still no editing, because of builder code state
Please test NVRAM parsing, I’m waiting for new GitHub issues. If you know another NVRAM format, please add it to issue #43. Happy testing!
Nikolaj Schlej has released a new version of UEFITool. This is an alpha of a big release, as it adds parsering for UI for all major NVRAM formats.
Please help out Nikolaj and test out this alpha release!
William Leara of Dell has a new blog post about Nikolaj Schlej’s new blog post analyzing Intel Quark’s BSP:
Another tip of the cap to Nikolaj Schlej, this time for an interesting article where he examined the Intel Quark Board Support Package (BSP) source code with the static source code analyzer PVS-Studio. The Intel Quark is an SoC used in embedded systems applications. For example, it runs the Intel Galileo family of development boards. Galileo is a small computer board comparable to the Arduino family of products, and is targeted to maker and educational customers. The BSP is a set of documentation and EDKII source code that allows a developer to build his own bootable firmware image for the Quark. Nikolaj discovered many serious problems, and I found it educational to read through them. This is helpful so that you can discover the typical mistakes people make in UEFI development, and also so that you won’t make the same mistakes yourself! […]