UEFIDump replaced by UEFIExtract with ‘unpack’ option

October 29, 2018 ~ hucktech ~ Leave a comment

UEFITool is a Qt-based GUI tool that works on Mac/Windows/Linux. In addition to the main Qt-based GUI tool, the project also has a few other command line tools, UEFIExtract, UEFIFind, UEFIDump. And there are two codebases on Github, master and new-engine.

Some of the command line tools have been changing: UEFIDump was a tool that dumped info. UEFIDump is now gone, replaced by UEFIExtract with the “unpack” option (the “dump” option is related).

https://github.com/LongSoft/UEFITool/blob/new_engine/UEFIExtract/uefiextract_main.cpp

UEFIDump/UEFIExtract aside, UEFIFind is also useful to find information:

https://github.com/LongSoft/UEFITool/blob/new_engine/UEFIFind/uefifind_main.cpp

PFSExtractor-RS: Rust port of PFSExtractor: extract contents of Dell BIOS update files in PFS format

April 12, 2018 ~ hucktech ~ Leave a comment

Nikolaj is learning Rust. He just rewrote one C tool to Rust:

A personal note from an experienced C programmer who also happens to be Rust noob-in-training: Rust is worth poking with a stick even if you won't ever use it in production, because it can show new approaches and methods that can be used later in less safe languages.

— Nikolaj Schlej (@NikolajSchlej) April 12, 2018

Here's my first meaningful thing in Rust, a rewrite of PFSExtractor with zlib support and better names for extracted image components.

Nom is pure fun, but it's still a long way for me to unlearn some bad habits from C and start writing in "real" Rust.https://t.co/TFBzVtBb2S pic.twitter.com/oP4i272ufI

— Nikolaj Schlej (@NikolajSchlej) April 12, 2018

https://github.com/LongSoft/PFSExtractor-RS

Universal-IFR-Extractor 0.3.1 released

November 6, 2017 ~ hucktech ~ Leave a comment

https://twitter.com/NikolajSchlej/status/927277979222228992

https://github.com/LongSoft/Universal-IFR-Extractor/releases/tag/v0.3

https://github.com/LongSoft/Universal-IFR-Extractor/commits/master

Universal-IFR-Extractor

October 30, 2017October 30, 2017 ~ hucktech ~ 1 Comment

Nikolaj Schlej has a gork of Universal-IFR-Extractor. IFR is the UEFI forms language.

https://twitter.com/NikolajSchlej/status/924837830416785408?s=09

https://twitter.com/NikolajSchlej/status/924839077517582336

https://twitter.com/NikolajSchlej/status/924838214455529472

https://github.com/LongSoft/Universal-IFR-Extractor/releases/tag/v0.2

https://github.com/tomrus88/Universal-IFR-Extractor

Security updates for Intel NUC firmware (INTEL-SA-00084)

October 8, 2017 ~ hucktech ~ Leave a comment

Intel ID: INTEL-SA-00084
Product family: Intel® NUC Kits
Impact of vulnerability: Elevation of Privilege
Severity rating: Critical
Original release: Oct 06, 2017

This update improves protection against mitigates multiple vulnerabilities related to security features in Intel® NUC system firmware (BIOS). BIOS Administrator and User password bypass: Insufficient protection of password storage in system firmware for NUC7i3BNK, NUC7i3BNH, NUC7i5BNK, NUC7i5BNH, NUC7i7BNH versions BN0049 and below allows local attacker to bypass Administrator and User passwords via access to password storage. SPI Write Protection Bypass: Insecure platform configuration in system firmare for NUC7i3BNK, NUC7i3BNH, NUC7i5BNK, NUC7i5BNH, NUC7i7BNH versions BN0049 and below allows an attacker with physical presence to run arbitrary code via unauthorized firmware modification during BIOS Recovery. SMM Privilege Elevation: Insufficient input validation in system firmware for Intel® NUC systems allows local attacker to execute arbitrary code via manipulation of memory. Boot Guard Bypass: Incorrect policy enforcement in system firmware for Intel® NUC systems allows attacker with local or physical access to bypass enforcement of integrity protections via manipulation of firmware storage. Dangerous SPI Opcode Protections: Insufficient policy enforcement in system firmware for Intel® NUC systems allows attacker with local or physical access to violate integrity or availability of nonvolatile storage for firmware via specially crafted accesses to nonvolatile storage. Intel highly recommends that users update to the latest version. Intel would like to thank Nikolaj Schlaj for reporting CVE-2017-5700 and CVE-2017-5701 and working with us on coordinated disclosure. Intel would like to thank Embedi for reporting CVE-2017-5721 and CVE-2017-5722 and working with us on coordinated disclosure.[…]

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00084&languageid=en-fr

Nikolaj moves to US

September 30, 2017 ~ hucktech ~ Leave a comment

Apple firmware security researcher Nikolaj Schlej has been working from Europe, and is now moving to the US.

Big thanks to @XenoKovah and @coreykal for meeting me in the US, ending my very busy day full of flights with *GREAT MURICA*-themed party. pic.twitter.com/laD86fj1GJ

— Nikolaj Schlej (@NikolajSchlej) September 30, 2017

Nice picture of the Xeno, Corey, and Nikolaj in the above tweet.

PFSExtractor: extractor for DellPFS firmware format

September 4, 2017 ~ hucktech ~ Leave a comment

https://twitter.com/NikolajSchlej/status/904795284005376000

https://twitter.com/NikolajSchlej/status/904796175114653696

https://github.com/LongSoft/PFSExtractor

PFSExtractor v0.1.0 – extracts contents of Dell firmware update files in PFS format
Usage: PFSExtractor pfs_file.bin

Nikolaj on recent UEFI/ACPI spec updates

July 1, 2017July 4, 2017 ~ hucktech ~ Leave a comment

[[[UPDATE:
William’s blog post on Nikolaj’s comments are more readable than below post:
http://www.basicinputoutput.com/2017/07/uefi-27-courtesy-of-nikolaj.html
]]

Somehow missed PI 1.6, ACPI 6.2 and UEFI 2.7 release, reading them now.
Will tweet about the most interesting differences spotted.

— Nikolaj Schlej (@NikolajSchlej) July 1, 2017

Nikolaj has over a dozen tweets showcasing the interesting new features in the latest UEFI and ACPI specs. Click on the above Twitter URL to see the full set.

Nikolaj on AMD AGESA/PSP

March 4, 2017 ~ hucktech ~ Leave a comment

Nikolaj Schlej made a comment on the recent Snowden/AMD thread. The comment is on Twitter, so it is in multiple messages. I hope that AMD proves him wrong, AMD can change course, so can Intel, if they choose.

https://twitter.com/NikolajSchlej/status/837751682226405379

https://twitter.com/NikolajSchlej/status/837752203490308096

https://twitter.com/NikolajSchlej/status/837752948004388865

https://twitter.com/NikolajSchlej/status/837753773737000960

https://twitter.com/NikolajSchlej/status/837754171642286081

https://twitter.com/NikolajSchlej/status/837754489843109888

https://twitter.com/NikolajSchlej/status/837755046825713666

https://twitter.com/NikolajSchlej/status/837755976887468034

https://twitter.com/NikolajSchlej/status/837756570733793281

William reviews CrScreenshotDxe

August 23, 2016 ~ hucktech ~ 1 Comment

William has done another tool review, this time of Nikolaj’s CrScreenshotDxe tool. He does must longer blog posts on tool reviews than me, so it is always nice to see another review from him. 🙂

[…] “Nikolaj did us all a great service by posting this utility on Github. It was easy to integrate and worked flawlessly.” […]

http://www.basicinputoutput.com/2016/08/the-joy-of-crscreenshotdxe.html

https://github.com/LongSoft/CrScreenshotDxe

Forgot to add some examples of screenshots made by CrScreenshotDxe, here they are.https://t.co/BfXiQBd6mP pic.twitter.com/S63gL2SbtK

— Nikolaj Schlej (@NikolajSchlej) January 4, 2016

screenshot-taking UEFI DXE driver

Nikolaj joins Apple!!

August 5, 2016 ~ hucktech ~ Leave a comment

WOW!!, Nikolaj joins Apple!! First they hired Legbacore, now Nikolaj!

As well, UEFITool has new maintainers, Alex and Dmytro!!

Today is my first day at Apple.
I've joined the team of @XenoKovah and @coreykal to work on various low-level security topics.

— Nikolaj Schlej (@NikolajSchlej) August 5, 2016

UEFITool repo will be handed over to @d_olex and @matrosov, as they both know what to do with my poorly-coded stuff without me.

— Nikolaj Schlej (@NikolajSchlej) August 5, 2016

UEFITool NE A31.0 released

July 11, 2016 ~ hucktech ~ Leave a comment

UEFITool NE A31 released, long awaited "Hex Preview" is here.
Thanks to @IgorSkochinsky and @d_olex once again.https://t.co/3maakebf8g

— Nikolaj Schlej (@NikolajSchlej) July 10, 2016

Nikolaj apparently never stops coding. 🙂 Changelog:

New feature release this time: added “Hex view…” action (Ctrl/Cmd + D) and dialog to preview the selected tree item without extracting it to FS. #56

Now the dialog is modal, but if anyone needs to open more than one, it can be implemented later. The feature uses QHexEdit2 library made by Simsys, big thanks.
https://github.com/LongSoft/UEFITool/releases/tag/NE.A31.0
Also see Nikolaj’s comments re: my last post, clarifying Qt usage in UEFITool, which my post was not clear on:

UEFIDump created, UEFITool and UEFIExtract rewritten

UEFIDump created, UEFITool and UEFIExtract rewritten

July 9, 2016 ~ hucktech ~ 1 Comment

Nikolaj has been rewriting his suite of UEFI tools, so they are no longer dependent on the Qt framework, and uses his new engine “NE” tag. UEFITool (UT NE) no longer requires Qt. UEFIExtract (UE) no longer requires Qt. UEFIFind (UF) still requires Qt, and will be ported later. UEFIDump (UD) is a new tool! Described below. Extract of release notes:

UT NE A30 | UE 0.12.0 | UD 0.1.0
Almost no new features, but massive changes under the hood:
* engine (classes from /common) can now be build without Qt.
* added support for very rare Apple-specific images.
* fixed some quirks with report generation.
* UT and UE binaries rebuilt to include updated engine code.
* UEFIDump utility released, it’s a PoC analog of UEFIExtract, that generates the same report and dumps all leaf items into one .dump folder without hierarchy, “_%03d” suffix is added for duplicated items. The tool is an example of Qt-less engine usage.
* UEFIFind will be ported to non-Qt engine a bit later.

https://twitter.com/NikolajSchlej/status/751718569226952704
https://twitter.com/NikolajSchlej/status/751717273778458624

UT NE A30, UE 0.12.2 and new Qt-less UEFIDump 0.1.0 released.
Massive engine changes to support Qt-less build of it.https://t.co/5MdDBgcL1N

— Nikolaj Schlej (@NikolajSchlej) July 9, 2016

https://github.com/LongSoft/UEFITool/releases/tag/NE.A30
https://github.com/LongSoft/UEFITool/commits/new_engine
https://github.com/LongSoft/UEFITool/tree/new_engine
https://github.com/LongSoft/UEFITool

Nikolaj completes his 4-part NVRAM/UEFI blog series

April 20, 2016 ~ hucktech ~ Leave a comment

Nikolaj has completed (?) his 4-part blog series on NVRAM formats in UEFI. Part 4 is on AMI’s NVAR.

https://habrahabr.ru/post/281901/

http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=https%3A%2F%2Fhabrahabr.ru%2Fpost%2F281901%2F&sandbox=1

Here’s a pointer to the last edition:

Nikolaj on NVRAM formats, part 3

I think that UEFITool NE has another alpha released, with some UI changes.

Nikolaj on NVRAM formats, part 3

April 16, 2016 ~ hucktech ~ Leave a comment

On NVRAM formats, part 3, about Phoenix SCT formats: FlashMap, EVSA, CMDB and some others common ones.https://t.co/8PYdCBSVq5

— Nikolaj Schlej (@NikolajSchlej) April 15, 2016

Nikolaj Schlej already has part 3 on his blog series on NVRAM formats in UEFI! Very long post with lot’s of information!

On NVRAM formats, part 3, about Phoenix SCT formats: FlashMap, EVSA, CMDB and some others common ones.

https://habrahabr.ru/post/281469/

http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=https%3A%2F%2Fhabrahabr.ru%2Fpost%2F281469%2F&sandbox=1

Nikolaj on NVRAM formats, volume 2

Also it appears he’s also released UEFITool NE alpha 25:
https://github.com/LongSoft/UEFITool/releases/tag/NE.A25

Nikolaj on NVRAM formats, volume 2

April 13, 2016 ~ hucktech ~ Leave a comment

Nikolaj has started a series of blog posts on NVRAM formats in UEFI:

First edition is here:

Nikolaj on UEFI NVRAM formats

The second edition is already out:

On NVRAM formats, part two: https://t.co/I5XMQHrLsq
This time it's about non-NVRAM data in NVRAM FVs.
Still in Russian, sorry about that. 🙂

— Nikolaj Schlej (@NikolajSchlej) April 11, 2016

https://habrahabr.ru/post/281412/

http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=https%3A%2F%2Fhabrahabr.ru%2Fpost%2F281412%2F&sandbox=1

Looking forward volume 3!

Nikolaj on UEFI NVRAM formats

April 11, 2016 ~ hucktech ~ Leave a comment

First part on NVRAM formats: https://t.co/otAfAzqoba
In Russian, but C structs and colored screenshots are self-descriptive enough, I hope.

— Nikolaj Schlej (@NikolajSchlej) April 10, 2016

Nikolaj Schlej has written the first of a series of articles on NVRAM file formats:

“NVRAM formats of UEFI-compatible firmwares”

It is in Russian. If you don’t read Russian, there are many C structs and colored screenshots that are self-explanatory, and auto-translators (like Google Translate) work pretty well.

If you’ve not been watching UEFITool NE recently, there have been lots of checkins for NVRAM formats.

https://habrahabr.ru/post/281242/

http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=https%3A%2F%2Fhabrahabr.ru%2Fpost%2F281242%2F&sandbox=1

Nikolaj is also looking for some NVRAM formats for testing:

Can someone send me a non-AMI UEFI image for IA64 arch?
There is a requirement of 8-byte aligned variables there, want to have a sample.

— Nikolaj Schlej (@NikolajSchlej) April 10, 2016

UEFITool NE Alpha24 released, seeking NVRAM testers

April 8, 2016 ~ hucktech ~ Leave a comment

UEFITool NE Alpha24 is out, NVRAM parsing is done, all formats known to me are now supported. Now go test! 😉https://t.co/3qDLCvQfBo

— Nikolaj Schlej (@NikolajSchlej) April 8, 2016

Nikolaj has updated UEFItool NE again, Alpha 24, with NVRAM support done, and is needing help to test it.

Changes:
* parser for all NVRAM formats known to me, including AMI NVAR, TianoCore VSS (Normal, Authenticated, Apple CRC and _FDC), EVSA and Apple Fsys.
* built with Qt 5.6
* still no editing, because of builder code state

Please test NVRAM parsing, I’m waiting for new GitHub issues. If you know another NVRAM format, please add it to issue #43. Happy testing!

https://github.com/LongSoft/UEFITool/releases/tag/NE.A24

UEFITool NE A32 released

March 30, 2016 ~ hucktech ~ Leave a comment

Nikolaj Schlej has released a new version of UEFITool. This is an alpha of a big release, as it adds parsering for UI for all major NVRAM formats.

Please help out Nikolaj and test out this alpha release!

UEFITool NE A23 released with VSS NVRAM support.
Please test it on your UEFI firmware, new GH issues appreciated.https://t.co/UDzt1ep8bQ

— Nikolaj Schlej (@NikolajSchlej) March 29, 2016

https://github.com/LongSoft/UEFITool/releases/tag/NE.A23

https://github.com/LongSoft/UEFITool

Nikolaj Schlej audits Intel Quark BSP

March 9, 2016 ~ hucktech ~ Leave a comment

Basic Input/Output: Nikolaj Schlej: Analyzing the Intel Galileo UEFI Source Code with PVS-Studio https://t.co/sNBujFconR @NikolajSchlej

— williamleara.eth (@WilliamLeara) March 8, 2016

@WilliamLeara Thanks. There is a translation of that post made by PVS-Studio authors: https://t.co/AiaTH5rgHT

— Nikolaj Schlej (@NikolajSchlej) March 8, 2016

William Leara of Dell has a new blog post about Nikolaj Schlej’s new blog post analyzing Intel Quark’s BSP:

Another tip of the cap to Nikolaj Schlej, this time for an interesting article where he examined the Intel Quark Board Support Package (BSP) source code with the static source code analyzer PVS-Studio. The Intel Quark is an SoC used in embedded systems applications. For example, it runs the Intel Galileo family of development boards. Galileo is a small computer board comparable to the Arduino family of products, and is targeted to maker and educational customers. The BSP is a set of documentation and EDKII source code that allows a developer to build his own bootable firmware image for the Quark. Nikolaj discovered many serious problems, and I found it educational to read through them. This is helpful so that you can discover the typical mistakes people make in UEFI development, and also so that you won’t make the same mistakes yourself! […]

http://www.basicinputoutput.com/2016/03/nikolaj-schlej-analyzing-intel-galileo.html
https://habrahabr.ru/post/258721/
http://www.viva64.com/en/b/0326/