Debug UEFI code by single-stepping your Coffee Lake-S hardware CPU

Teddy Reed of Facebook has a new blog post on using Intel DCI, UEFI Tool, Intel System Studio, and other tools:

TL;DR, if you have a newer CPU & chipset you can purchase a $15 off-the-shelf cable and single-step your hardware threads. The cable is a USB 3.0 debugging cable, and is similar to an ethernet crossover cable in the sense that the internal wiring is crossed. Be careful with this cable, as unsupported machines will have undefined behavior due to the electronics of USB.

UEFIDump replaced by UEFIExtract with ‘unpack’ option

UEFITool is a Qt-based GUI tool that runs on macOS, Windows and Linux. Alongside the GUI, the project ships a few command-line tools: UEFIExtract, UEFIFind and, until recently, UEFIDump. There are two codebases on GitHub, the master branch and the new_engine branch.

The command-line tools have been changing. UEFIDump, which dumped every leaf item of an image into one flat folder, is gone; the same job is now done by UEFIExtract with the “unpack” option (the “dump” option is related).

UEFIDump/UEFIExtract aside, UEFIFind is also useful to find information:


macOS EFI Unlocker V1.0 for VMware: allows non-server versions of MacOS to be run with VMWare

The macOS EFI Unlocker removes the check for the server versions of Mac OS X:

* 10.5 Leopard
* 10.6 Snow Leopard

allowing the non-server versions of Mac OS X to be run with VMware products. Later versions of Mac OS X and macOS
do not need the modified firmware due to Apple removing the restrictions imposed on 10.5 and 10.6.

EFI Unlocker 1 is designed for the following products:

* VMware Workstation and Player versions 14/15
* VMware Fusion versions 10/11

The check for the server versions is done in VMware’s virtual EFI firmware, which looks for a file called
ServerVersion.plist on the installation media and in the installed OS. The patch modifies the firmware to look
instead for SystemVersion.plist, a file present on all versions of Mac OS X.

The patch uses a tool called UEFIPatch to make the modifications.

Please note you may need to use macOS Unlocker version 3 to run on non-Apple hardware.
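The patch above swaps one file name for another of exactly the same length inside the firmware, which is what keeps the patched module (and the volume around it) intact. As an added example, not code from the original post, from the EFI Unlocker project or from UEFIPatch, the Python below applies a UEFIPatch-style find/replace of hex patterns, with ".." as a wildcard byte, to a raw byte blob, and builds the UTF-16LE pattern for the plist name (the assumption here is that the firmware stores the name as a CHAR16 string, which is how EFI normally stores file names). The "module" it patches is a constructed sample. A real UEFIPatch patch is addressed by module GUID and section type and is applied to the decompressed section through UEFITool's engine; if the target module sits in a compressed section, a raw search over the image will not find the string at all.

```python
def parse_hex_pattern(pattern: str) -> list:
    """'EB .. 90' -> [0xEB, None, 0x90]; None marks a '..' wildcard byte."""
    pattern = pattern.replace(" ", "")
    if len(pattern) % 2:
        raise ValueError("pattern must have an even number of hex digits")
    return [None if pattern[i:i + 2] == ".." else int(pattern[i:i + 2], 16)
            for i in range(0, len(pattern), 2)]


def utf16_pattern(text: str) -> str:
    """Hex pattern for a UTF-16LE string, the encoding EFI uses for CHAR16 file names."""
    return text.encode("utf-16-le").hex().upper()


def apply_pattern_patch(blob: bytes, find: str, replace: str) -> tuple:
    """Replace every match of `find` with `replace`. Wildcard bytes in `replace` keep the
    original byte. Both patterns must have the same length so the patched module keeps
    its size and the containing section/volume headers stay valid."""
    f, r = parse_hex_pattern(find), parse_hex_pattern(replace)
    if len(f) != len(r):
        raise ValueError("find and replace patterns differ in length")
    buf, hits, i = bytearray(blob), [], 0
    while i <= len(buf) - len(f):
        if all(p is None or buf[i + k] == p for k, p in enumerate(f)):
            for k, p in enumerate(r):
                if p is not None:
                    buf[i + k] = p
            hits.append(i)
            i += len(f)          # matches never overlap
        else:
            i += 1
    return bytes(buf), hits


def build_sample_module() -> bytes:
    """Constructed stand-in for a firmware module: filler bytes with the CHAR16 file name
    embedded at offset 300. Not real firmware."""
    filler = bytes(range(256)) * 4
    return filler[:300] + "ServerVersion.plist".encode("utf-16-le") + b"\x00\x00" + filler[300:]


def unlock_sample() -> tuple:
    """Apply the length-preserving rename the unlocker performs; returns (patched, match offsets)."""
    return apply_pattern_patch(build_sample_module(),
                               utf16_pattern("ServerVersion.plist"),
                               utf16_pattern("SystemVersion.plist"))


if __name__ == "__main__":
    patched, hits = unlock_sample()
    print(f"{len(hits)} replacement(s) at {[hex(h) for h in hits]}, size unchanged: {len(patched)}")
```

The length check is the important guard: a rename to a shorter or longer name would shift every byte after it, and a PE32 section or FFS file whose size field no longer matches its contents is exactly what UEFITool flags as invalid.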

VbiosFinder and rom-parser

VBiosFinder: extract a VBIOS from a BIOS update.

This tool attempts to extract a VBIOS from a bios update.

Dependencies include: UEFIDump and rom-parser.


UEFIDump, of course, is included with UEFITool. But rom-parser is new to me.

To view ROM contents:
usage: rom-parser [ROM file]

This program does not have support for reading the ROM from pci-sysfs, please do this manually in advance, ex:
    cd /sys/bus/pci/devices/0000:01:00.0/
    echo 1 > rom
    cat rom > /tmp/image.rom
    echo 0 > rom

Pass the resulting image file as the argument to this program.

To modify ROM contents:
usage: rom-fixer [ROM file]
Obtain the ROM as above; the program prompts for modifying the ROM vendor and device IDs and for fixing invalid checksums.
IMPORTANT: rom-fixer will update the ROM file in place. Make a backup!

Embedi: UEFI BIOS holes. So much magic. Don’t come inside.

24 October, 2017
In recent years, embedded software security has become a red-hot topic, attracting the attention of high-profile security researchers from all around the globe. However, the quality of code is still far from perfect as far as its security is concerned. For instance, the CVE-2017-5721 SMM Privilege Elevation vulnerability in the firmware could affect a range of vendors such as Acer, ASRock, ASUS, Dell, HP, GIGABYTE, Lenovo, MSI, Intel, and Fujitsu. This white paper is intended to describe how to detect a vulnerability in a motherboard firmware with the help of the following tools: Intel DAL, UEFITool, CHIPSEC, RWEverything, and how to bypass the patch that fixes this vulnerability.[…]

Alex blogs and updates UEFITool!

Double entry for Alex: he’s got a new blog post on Intel Boot Guard, plus he’s updated UEFITool!

“[…]Today I released a new build of UEFITool with visual validation of Intel Boot Guard coverage. The code is pushed to the GitHub repository. A standalone binary of UEFITool can be downloaded here.[…]”



UEFITool updated to A40

I missed this. In mid-February, the ‘new engine’ branch of UEFITool (and the other command line tools) was updated from A32 to A40.

* Decoding of JEDEC chip IDs and LZMAF86 sections support added in A33
* GoToOffset dialog (Ctrl+G) and CPU microcode info added in A35
* Internal GUID database (override at runtime also possible) added in A40
* Various bugfixes


Nikolaj joins Apple!!

WOW!! Nikolaj joins Apple!! First they hired LegbaCore, now Nikolaj!

As well, UEFITool has new maintainers, Alex and Dmytro!!

UEFITool NE A31.0 released

Nikolaj apparently never stops coding. 🙂 Changelog:

New feature release this time: added “Hex view…” action (Ctrl/Cmd + D) and dialog to preview the selected tree item without extracting it to FS. #56

Now the dialog is modal, but if anyone needs to open more than one, it can be implemented later. The feature uses QHexEdit2 library made by Simsys, big thanks.
Also see Nikolaj’s comments re: my last post, clarifying Qt usage in UEFITool, which my post was not clear on:

UEFIDump created, UEFITool and UEFIExtract rewritten

Nikolaj has been rewriting his suite of UEFI tools so that they no longer depend on the Qt framework; the rewritten code carries his new engine “NE” tag. UEFITool (UT NE) no longer requires Qt. UEFIExtract (UE) no longer requires Qt. UEFIFind (UF) still requires Qt and will be ported later. UEFIDump (UD) is a new tool, described below. Extract of release notes:

UT NE A30 | UE 0.12.0 | UD 0.1.0
Almost no new features, but massive changes under the hood:
* engine (classes from /common) can now be built without Qt.
* added support for very rare Apple-specific images.
* fixed some quirks with report generation.
* UT and UE binaries rebuilt to include updated engine code.
* UEFIDump utility released; it’s a PoC analog of UEFIExtract that generates the same report and dumps all leaf items into one .dump folder without hierarchy; a “_%03d” suffix is added for duplicated items. The tool is an example of Qt-less engine usage.
* UEFIFind will be ported to non-Qt engine a bit later.

Nikolaj on NVRAM formats, part 3

Nikolaj Schlej already has part 3 of his blog series on NVRAM formats in UEFI! A very long post with lots of information!

On NVRAM formats, part 3, about Phoenix SCT formats: FlashMap, EVSA, CMDB and some other common ones.

It also appears he has released UEFITool NE alpha 25:

Nikolaj on UEFI NVRAM formats

Nikolaj Schlej has written the first of a series of articles on NVRAM file formats:

“NVRAM formats of UEFI-compatible firmwares”

It is in Russian. If you don’t read Russian, there are many C structs and colored screenshots that are self-explanatory, and auto-translators (like Google Translate) work pretty well.

If you’ve not been watching UEFITool NE recently, there have been lots of checkins for NVRAM formats.

Nikolaj is also looking for some NVRAM formats for testing:

UEFITool NE Alpha24 released, seeking NVRAM testers

Nikolaj has updated UEFITool NE again, to Alpha 24, with NVRAM support done, and needs help testing it.

* parser for all NVRAM formats known to me, including AMI NVAR, TianoCore VSS (Normal, Authenticated, Apple CRC and _FDC), EVSA and Apple Fsys.
* built with Qt 5.6
* still no editing, because of builder code state

Please test NVRAM parsing, I’m waiting for new GitHub issues. If you know another NVRAM format, please add it to issue #43. Happy testing!
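Of the formats in that list, AMI NVAR is the one most worth seeing end to end, because its update scheme is what makes firmware NVRAM interesting to a forensic analyst: a variable is not rewritten in place; a newer entry (often a data-only one) is appended and the older entry's Next field is programmed to point at it, so superseded values stay readable in flash until the store is reclaimed. The Python below is an added example, not UEFITool's code: a small parser for a store of consecutive NVAR entries plus a resolver that follows the Next chains and separates current from stale values. The layout is as I read it from UEFITool's nvram.h: signature 'NVAR', u16 size, u24 next, u8 attributes (0x01 runtime, 0x02 ASCII name, 0x04 inline GUID, 0x08 data only, 0x10 extended header, 0x80 valid), then either a 1-byte index into a GUID store or a 16-byte GUID, the name, and the data. Two details are assumptions and are labelled in the code: Next is taken as relative to the start of the entry carrying it, and the GUID store is taken to grow backward from the end of the region with index 0 as the last 16 bytes. Extended headers are flagged but not decoded. The store is constructed inline; one GUID is EFI_GLOBAL_VARIABLE, the other an arbitrary sample value.

```python
import struct
import uuid

NVAR_SIG = b"NVAR"
ATTR_RUNTIME, ATTR_ASCII_NAME, ATTR_GUID, ATTR_DATA_ONLY = 0x01, 0x02, 0x04, 0x08
ATTR_EXT_HEADER, ATTR_VALID = 0x10, 0x80
NEXT_NONE = 0xFFFFFF          # erased flash bytes: no newer entry in this chain


def guid_str(raw: bytes) -> str:
    return str(uuid.UUID(bytes_le=raw)).upper()


def parse_nvar_store(store: bytes) -> list:
    """Walk consecutive NVAR entries from offset 0 until the signature stops matching."""
    entries, off = [], 0
    while off + 10 <= len(store) and store[off:off + 4] == NVAR_SIG:
        size, next_attr = struct.unpack_from("<HI", store, off + 4)
        nxt, attrs = next_attr & 0xFFFFFF, next_attr >> 24
        end, body = off + size, off + 10
        guid = name = None
        if not attrs & ATTR_DATA_ONLY:
            if attrs & ATTR_GUID:
                guid, body = guid_str(store[body:body + 16]), body + 16
            else:
                # Assumption: GUID store sits at the end of the region, index 0 = last 16 bytes.
                idx, body = store[body], body + 1
                g = len(store) - (idx + 1) * 16
                guid = guid_str(store[g:g + 16])
            if attrs & ATTR_ASCII_NAME:
                z = store.index(b"\x00", body)
                name, body = store[body:z].decode("ascii"), z + 1
            else:
                z = body
                while store[z:z + 2] != b"\x00\x00":       # UCS-2 name, double-NUL terminated
                    z += 2
                name, body = store[body:z].decode("utf-16-le"), z + 2
        entries.append({"offset": off, "size": size, "attrs": attrs, "next": nxt,
                        "guid": guid, "name": name, "data": store[body:end],
                        "valid": bool(attrs & ATTR_VALID),
                        "ext_header": bool(attrs & ATTR_EXT_HEADER)})   # present but not decoded here
        off = end
    return entries


def resolve_variables(entries: list) -> tuple:
    """Follow Next chains from each named entry.
    Returns ({(guid, name): current data}, [superseded entries still present in flash]).
    Assumption: Next is an offset relative to the start of the entry that carries it."""
    by_off = {e["offset"]: e for e in entries}
    current, stale = {}, []
    for head in entries:
        if head["name"] is None:          # data-only entries are reached only through a chain
            continue
        e = head
        while e["next"] != NEXT_NONE and (e["offset"] + e["next"]) in by_off:
            stale.append(e)
            e = by_off[e["offset"] + e["next"]]
        if head["valid"]:
            current[(head["guid"], head["name"])] = e["data"]
    return current, stale


def _entry(attrs, data, name=None, guid=None, guid_index=None, nxt=NEXT_NONE) -> bytes:
    """Serialize one NVAR entry for the constructed sample store."""
    body = b""
    if not attrs & ATTR_DATA_ONLY:
        body += guid if guid is not None else bytes([guid_index])
        body += (name.encode("ascii") + b"\x00" if attrs & ATTR_ASCII_NAME
                 else name.encode("utf-16-le") + b"\x00\x00")
    body += data
    return NVAR_SIG + struct.pack("<HI", 10 + len(body), (attrs << 24) | nxt) + body


SETUP_GUID = uuid.UUID("A1B2C3D4-0000-4000-8000-000000000001")    # arbitrary sample GUID
GLOBAL_GUID = uuid.UUID("8BE4DF61-93CA-11D2-AA0D-00E098032B8C")   # EFI_GLOBAL_VARIABLE


def build_sample_store(size: int = 0x100) -> bytes:
    """Constructed store: 'Setup' (ASCII name, GUID by index) updated once through a data-only
    entry, and 'BootOrder' (UCS-2 name, inline GUID). Padding is erased flash (0xFF)."""
    e1 = _entry(ATTR_RUNTIME | ATTR_ASCII_NAME | ATTR_VALID, b"\x01\x00", name="Setup", guid_index=0)
    e2 = _entry(ATTR_RUNTIME | ATTR_GUID | ATTR_VALID, b"\x00\x00\x01\x00",
                name="BootOrder", guid=GLOBAL_GUID.bytes_le)
    e3 = _entry(ATTR_RUNTIME | ATTR_DATA_ONLY | ATTR_VALID, b"\x02\x00")    # newer Setup data
    # Re-emit e1 with Next pointing at e3 (distance from e1's start = len(e1) + len(e2)).
    e1 = _entry(ATTR_RUNTIME | ATTR_ASCII_NAME | ATTR_VALID, b"\x01\x00", name="Setup",
                guid_index=0, nxt=len(e1) + len(e2))
    body = e1 + e2 + e3
    guid_store = SETUP_GUID.bytes_le                                         # GUID index 0
    return body + b"\xFF" * (size - len(body) - len(guid_store)) + guid_store


if __name__ == "__main__":
    current, stale = resolve_variables(parse_nvar_store(build_sample_store()))
    print("current:", current)
    print("stale values still in flash:", [(e["name"], e["data"]) for e in stale])
```

The stale list is the part a defender should care about: a Setup variable that once disabled Secure Boot, or an old BootOrder, is still recoverable from a dump long after the firmware considers it replaced, and a parser that only reports the chain heads will miss it.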

UEFITool NE A32 released

Nikolaj Schlej has released a new version of UEFITool. This is an alpha of a big release, as it adds parsing and UI support for all major NVRAM formats.

Please help out Nikolaj and test out this alpha release!

William Leara reviews UEFI Tool

William Leara, a firmware engineer at Dell, has a new blog post on Nikolaj Schlej’s UEFI Tool. He shows how to use it, starting with using Intel’s Flash Programming Tool (FPT) to acquire a BIOS image. Lots of screenshots of the various menu UI components of this GUI tool.

“It is extremely useful for interrogating and manipulating the components of a UEFI BIOS image.  Download it and give it a test drive today!”

Full post:

UEFITool/UEFIExtract/UEFIFind updated

Nikolaj Schlej has updated UEFITool, UEFIExtract and UEFIFind with a few new features and fixes:

* improved parsing of the Intel flash descriptor
* improved detection of Tiano/EFI 1.1 compression type
* added 2 UEFI capsule GUIDs used by Lenovo
* solved a potential crash when very little memory is available
* UEFIExtract and UEFIFind updated to include the latest parser changes

Alpha version of new UEFITool 0.30.0_alpha19 released for early adopters, still no image editing possible in this release.
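The Intel flash descriptor that the first item above refers to is the first thing UEFITool has to parse from a full SPI image, because it tells the tool where the BIOS, ME and GbE regions start and end. As an added example, not UEFITool's code, the Python below decodes the descriptor signature, the FLMAP0/FLMAP1 section pointers and the five classic region entries, and then runs the check UEFITool's "improved parsing" exists for: regions that overlap or that are marked unused. The descriptor it parses is constructed inline and its section bases are arbitrary but self-consistent. Newer chipsets carry more region slots at the same table, and the exact meaning of the FLMAP0 upper bits has changed between generations, so only the five regions common to all layouts are decoded; the master section at FMBA, which holds the per-master read/write permissions whose lockdown is the security setting everyone asks about, is located but not decoded because its bit layout also differs by generation.

```python
import struct

FD_SIGNATURE = 0x0FF0A55A            # descriptor signature, at offset 0x10 of the image
REGION_NAMES = ["Descriptor", "BIOS", "ME", "GbE", "PDR"]


def parse_flash_descriptor(image: bytes) -> dict:
    """Decode FLMAP0/FLMAP1 and the region table of an Intel flash descriptor."""
    if struct.unpack_from("<I", image, 0x10)[0] != FD_SIGNATURE:
        raise ValueError("no Intel flash descriptor signature at offset 0x10")
    flmap0, flmap1 = struct.unpack_from("<II", image, 0x14)
    fcba = (flmap0 & 0xFF) << 4          # component section base
    frba = ((flmap0 >> 16) & 0xFF) << 4  # region section base
    fmba = (flmap1 & 0xFF) << 4          # master section base (access permissions live here)
    regions = {}
    for i, name in enumerate(REGION_NAMES):
        reg = struct.unpack_from("<I", image, frba + 4 * i)[0]
        base = (reg & 0x7FFF) << 12                      # 4 KiB granularity
        limit = (((reg >> 16) & 0x7FFF) << 12) | 0xFFF
        # An unused region is encoded with limit < base (commonly the value 0x00007FFF).
        regions[name] = (base, limit) if base <= limit else None
    return {"fcba": fcba, "frba": frba, "fmba": fmba, "regions": regions}


def check_region_overlaps(regions: dict) -> list:
    """Return (earlier, later) name pairs whose address ranges overlap; a sane layout returns []."""
    used = sorted((span[0], span[1], name) for name, span in regions.items() if span is not None)
    return [(used[i - 1][2], used[i][2]) for i in range(1, len(used)) if used[i][0] <= used[i - 1][1]]


def region_for_offset(regions: dict, offset: int):
    """Name of the region containing a flash offset, or None if it falls in a gap."""
    for name, span in regions.items():
        if span is not None and span[0] <= offset <= span[1]:
            return name
    return None


def build_sample_descriptor(bios_base: int = 0x600000) -> bytes:
    """Constructed 4 KiB descriptor for an 8 MiB image: ME at 0x1000-0x5FFFFF, BIOS from
    bios_base to 0x7FFFFF, GbE and PDR unused. Section bases are arbitrary sample values."""
    img = bytearray(b"\xFF" * 0x1000)
    struct.pack_into("<I", img, 0x10, FD_SIGNATURE)
    flmap0 = 0x03 | (0x04 << 16) | (4 << 24)   # FCBA=0x30, FRBA=0x40, NR=4 (five regions, older layout)
    flmap1 = 0x06 | (2 << 8)                    # FMBA=0x60, NM=2
    struct.pack_into("<III", img, 0x14, flmap0, flmap1, 0)
    table = [0x00000000,                                   # Descriptor: 0x0-0xFFF
             (0x7FF << 16) | (bios_base >> 12),            # BIOS: bios_base-0x7FFFFF
             (0x5FF << 16) | 0x001,                        # ME: 0x1000-0x5FFFFF
             0x00007FFF, 0x00007FFF]                       # GbE, PDR unused
    struct.pack_into("<5I", img, 0x40, *table)
    return bytes(img)


if __name__ == "__main__":
    desc = parse_flash_descriptor(build_sample_descriptor())
    for name, span in desc["regions"].items():
        print(name, "unused" if span is None else f"0x{span[0]:X}-0x{span[1]:X}")
    print("overlaps:", check_region_overlaps(desc["regions"]))
```

Overlapping regions are not only a parser robustness problem: a BIOS region that reaches back into the ME region changes which master's permissions govern those bytes, which is why a descriptor edit should always be re-read with a tool that checks the table rather than trusted from the editor that wrote it.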