UEFITool 0.21.2 released

UT 0.21.2 (18 additions and 8 deletions)
– fixed a bug with tailed files extraction and replacing (#35)
– fixed a bug with wrong source of padding after all Intel image regions (#34)

UEFITool 0.21.0 released

Nikolaj Schlej has released UEFITool v0.21.0.

Features improved Skylake support, among other things:
– added support for new Intel descriptor type, based on [this](http://review.coreboot.org/gitweb?p=coreboot.git;a=commit;h=1f7fd720c81755144423f2d4062c39cc651adc0a) coreboot commit, thanks to lordkag for issue #32
– solved a bug with incorrect volume free space item placement during volume replace, now works as expected
– solved an issue with incorrect Aptio capsule parsing introduced in 0.20.8

UEFITool 0.20.8 released

Nikolaj Schlej has released a new version of UEFITool:

159 additions and 61 deletions:

– data after the latest region of Intel image is in tree now
– added Intel, Lenovo and Toshiba-specific capsule GUIDs to the list of known GUIDs
– fixed bogus “File with invalid size” message while working on almost full volumes
– pressing Cancel on “Open in new window” dialog now works as expected

Nikolaj Schlej to speak on UEFI at ZeroNights

Nikolaj Schlej, firmware security researcher and creator of UEFITool, will be speaking at ZeroNights 2015 on November 25-26 in Moscow, Russia, his first security conference presentation! His presentation is called “UEFI: Fix it yourself”, and he’s one of a handful of people who can actually accomplish that. 🙂

UEFITool is useful, so I was looking into OZMTool, a fork of UEFITool, and was wondering what new features it has, what Ozmosis BIOSes were, and how I might be able to use this tool. For me, some of the additional features beyond UEFITool are interesting, but so far I don’t see them as being general-purpose: they require this specific OEM hardware/firmware target, so I am not sure that I can use OZMTool.

OZMTool was created to make the process of creating an Ozmosis patched BIOS easier. It is based on UEFITool (awesome application!) by CodeRush. It includes the following useful tools to help you in this process:

--dsdtextract    Extracts DSDT from BIOS
--dsdtinject    Injects DSDT into BIOS
--ozmupdate    Updates clean BIOS with files from old OZM-flavoured one
--ozmextract    Extracts Ozmosis files (ffs) from BIOS
--ozmcreate    Patches Original BIOS with Ozmosis
--kext2ffs    Converts kext-directories to FFS
--dsdt2bios    Injects (bigger) DSDT into AmiBoardInfo
--help, -h    Print usage (append command to print cmd-usage!)

See the full OZMTool readme for its disclaimer.

OZMTool is a fork of UEFITool for use with Ozmosis BIOSes.

Repo which holds Ozmosis binary BIOSes from Hermit Crab Labs

Wow, strange history behind this tool. I’m not into the firmware modding community, so didn’t know most of this. Quo Computers is (was?) a Kickstarter-funded hardware project with a custom BIOS (that requires OZMTool) from a Tor darknet-hosted IBV, “Hermit Crab Labs”, that builds special BIOSes for use with Mac OS X and other OSes. Quo Computer was created by Rashantha De Silva. I’m not sure of the current status of this project. It appears to have been active starting around 2013. The quocomputer.com web site is currently down. Yet Rashantha appears to have logged into the Kickstarter page as of last week (“Last login Aug 13 2015”). OZMTool appears to have been last updated around 2014. Comments on the Kickstarter page may indicate some fraud, I’m not sure. There appears to be deeper history pre-Quo, but I’m not digging that far down, I’m just curious about OZMTool’s features…

Some history behind this BIOS and tool:
http://www.techspot.com/article/720-building-a-hackintosh/
http://www.techspot.com/news/51835-projectq-motherboard-promises-to-boot-any-os-in-under-10-seconds.html

Kickstarter link with a space in it, so you can see the link; otherwise WordPress just converts it to a video:
https://www.kickstarter.com   /projects/quo/projectq-run-any-os-the-unique-motherboard/comments

A few excerpts from the Kickstarter page and from the Google web cache of the no-longer-available QuoComputer.com web site:

“509 backers pledged $189,451 to help bring this project to life.”

“Quo Computer: your computer. your configuration. your choice.”

“The first motherboard designed to run ANY Operating System {AOS(TM)} of your choice out of the box.”

projectQ – Run Any OS: The Unique Motherboard
The first motherboard designed to run any Operating System you choose out of the box.

Quo has stunned the computing world with the release of the unparalleled AOS motherboard. A world first, the Z77MX-QUO-AOS was built from the ground up to run any OS.  Fitted with premium components, we include custom software and UEFI that initiates the booting of an OS in under 10 seconds. Exclusive to QUO, the AOS motherboard provides system builders worldwide a platform specifically engineered to meet their needs. QUO’s AOS motherboard is the only one in the industry with Firewire 400 and 800 (1394A and 1394B).  The motherboard features Intel certified Thunderbolt, Intel LAN for high demand network sharing, and compatible audio in an expandable microATX form factor.  Our unrivaled AOS motherboard comes with a 3 year warranty.

Excerpts from the TechSpot stories:

The company said they have perfected the motherboard and have tested the BIOS / UEFI with developers in China, England, Romania and the US. The team plans to continue to support the BIOS / UEFI after release and will ship with a three year warranty. A pledge of $219 will guarantee you’ll be one of the first to own a projectQ motherboard. As of writing, 90 backers have pledged more than $26,000 of the $87,000 needed to get the board into production. The campaign runs until April 1, 2013 so there’s still plenty of time to make it happen. The first 100 pledges will receive the first batch of boards within six weeks, we’re told. The Z77MX-QUO-AOS motherboard, otherwise known as projectQ, is manufactured by Gigabyte as an exclusive OEM project. The Taiwanese manufacturer had quietly embraced the Hackintosh community months before with their own Z77 boards, which feature special code in their UEFI that made booting into OS X much easier. But projectQ goes a step further by using specific Mac compatible components for everything from audio to networking. The board even uses the same Texas Instruments IEEE-1394b OHCI Controller as the Mac Pro for Firewire 400/800 and packs two Thunderbolt ports for good measure — which the outgoing model notably lacks. Add a custom open-source BIOS and you have the workings for a zero effort Hackintosh. Or so is the goal.  Now, I’m not really sure what exactly is the back story here and Quo is not telling. The BIOS is credited to a group called HermitCrab Labs and hosted off the public web inside the Tor network. There’s no official affiliation between Quo and HermitCrab Labs — at least none that either party would openly admit to for obvious reasons — but it appears to be an integral part of the hassle-free Hackintosh promise. After you’ve flashed it onto your projectQ motherboard there’s no need for additional third party tools in order to install OS X. You’ll need to download a modified BIOS designed specifically for this board. 
After you’ve flashed it there’s no need for additional third party tools in order to install OS X.

Reminder: firmware talk/lab at July DC206 Meeting

This Sunday we’re having a class on using CHIPSEC and related firmware security tools:

One change of plans for the lab: I’ve been having problems getting LUV-live to boot on various machines, so don’t want to tie the lab to booting thumbdrives to use CHIPSEC.

So let’s use CHIPSEC installed natively on your laptop. Please bring an Intel UEFI-based laptop running Windows or Linux, where you can install CHIPSEC. (The CHIPSEC kernel driver is not a safe thing to keep loaded, see their warning.txt. Only load it while you are using CHIPSEC.) I’ll bring some scripts to make it easier to use CHIPSEC on Linux systems. Watch the YouTube video of the DEF CON 22 talk on CHIPSEC to see when and why to use some of its commands.

Or, instead of running CHIPSEC from within your installed OS, make your own LUV-live thumbdrive and see if it boots on your system; if so, use CHIPSEC there.

Regardless, please don’t use your primary laptop, and back up anything important, in case you brick the box.

The lab will be fairly free-form: people trying to use CHIPSEC on their system, hopefully to save a ROM and share it with others, and to do some analysis of the ROM using CHIPSEC, UEFITool, and UEFI Firmware Parser. If you are willing to share some ROMs with the rest of the lab attendees, please try to bring a system with a CD-R/DVD-R burner. I’ll bring some blank discs. CHIPSEC and most of the below tools are Python-based, so install CPython 2.7.x on your system. Install any of the below tools if you want to use them to examine ROMs:

UEFI Firmware Parser:

Copernicus’ BIOS Diff:

Most of these tools are Python-based, but UEFITool is a C++-based Qt GUI app. You need to get Qt Creator installed, open Qt Creator, open UEFITool’s .pro file, then Build it. UEFITool builds on most platforms pretty painlessly. If you don’t want to install Qt on your system, you can download pre-built binaries of UEFITool for Windows and Mac OS X. For Linux, no binaries are provided, so you must build from source.

One potential direction for the lab is to look at Intel’s analysis of the Hacking Team UEFI malware, and how they used CHIPSEC and UEFITool, then use the GUIDs and strings from the below analysis to check whether your own system carries the Hacking Team bootkit.

Unfortunately, it looks like the PNWFHW (Pacific NorthWest FirmWare Hackers) stickers likely won’t arrive in time, probably next week, so no stickers this time, sorry.

Intel analysis of Hacking Team UEFI malware

UPDATE: IntelSecurity.com web site has changed, the ATR blog URL is broken. Updated URL:

A quick follow-up to the Hacking Team UEFI malware story. There’s been a lot of mainstream coverage on this news. I just found out about this blog entry by the Intel Advanced Threat Research (ATR) team:

Its analysis of the malware is excellent, and worth reading. Unlike other news stories on Hacking Team, this blog post shows you how to check if your system is infected. They used CHIPSEC[1] and UEFITool[2] to analyse this malware, two excellent tools for UEFI forensic analysis. Study this Intel blog post for a very topical example of how to use CHIPSEC to protect your system from bootkits.

[1] https://firmwaresecurity.com/2015/06/10/chipsec-v1-2-0-released/
[2] https://firmwaresecurity.com/2015/05/25/tool-mini-review-uefitool/

Hacking Team should remind people that they don’t have a clue what modules are burned into their firmware. Many firmware solutions target enterprise sales, so they’re happy to have phone-home style technology in their systems to track their assets. Malware authors can take advantage of these remote control features, as Hacking Team is doing. Windows OEMs generally screw up Windows with various bloatware; unlike with OS software, you cannot undo firmware bloatware: the OEM won’t permit you to rebuild the firmware image (unless you have a Tunnel Mountain or MinnowBoard), and the OEM doesn’t provide standalone UEFI drivers/services so that you could rebuild your firmware from coreboot.org and/or tianocore.org plus the delta of blobs (OEM/IHV drivers). Then we could focus on the reliability of the open source codebase and the handful of closed-source firmware drivers, instead of relying on the IBV/OEM to give us black-box firmware updates when they feel like it. OEMs: give us better firmware options!

tool mini-review: UEFITool

UEFITool is a UEFI firmware parsing tool, written by Nikolaj Schlej. UEFITool is a GUI tool for parsing, extracting and modifying UEFI firmware images. It supports parsing of full BIOS images starting with the flash descriptor, or of any binary file containing UEFI volumes. The UI provides Extract, Insert, Replace, Remove, Rebuild, and Search. Extracting and Replacing can be done either on just the body, or including its header (GUID, size, attributes and other structure-related information). Inserting targets UEFI volumes and encapsulation sections, and can be done before, after, or into them. You can Search by hex pattern, GUID, Unicode text, or ASCII text. The BSD-ish licensed open source tool is cross-platform, written in C++, using Qt v4 or v5, and built using the Qt qmake utility.
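The GUID and Unicode-text searches described in this review are exactly what the Intel ATR write-up and the DC206 lab use to check a saved ROM for known bootkit modules. As an added example (not code from this page or from UEFITool), here is a minimal Python version of that search over a raw firmware image: it converts a textual GUID into the mixed-endian EFI_GUID byte layout, matches UCS-2 strings, and decodes the FFS file header at each GUID hit. The GUID and marker string are constructed placeholders, not indicators from the Intel analysis.

```python
import struct
import uuid

# EFI_FFS_FILE_HEADER: Name GUID(16) | IntegrityCheck(2) | Type(1) | Attributes(1) | Size(3) | State(1)
FFS_HEADER = struct.Struct("<16sHBB3sB")
FFS_FILE_TYPES = {0x01: "RAW", 0x02: "FREEFORM", 0x07: "DRIVER", 0x09: "APPLICATION", 0xF0: "PAD"}

def guid_to_bytes(guid_text: str) -> bytes:
    """EFI_GUID stores the first three fields little-endian; uuid.bytes_le matches that layout."""
    return uuid.UUID(guid_text).bytes_le

def find_all(image: bytes, needle: bytes) -> list:
    """All offsets of needle in image, i.e. a plain hex-pattern search."""
    offsets, pos = [], image.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = image.find(needle, pos + 1)
    return offsets

def parse_ffs_header(image: bytes, offset: int) -> dict:
    """Decode the FFS file header starting at offset (its first field is the file GUID)."""
    if offset + FFS_HEADER.size > len(image):
        return {}
    name, _checksums, ftype, _attrs, size3, _state = FFS_HEADER.unpack_from(image, offset)
    return {"guid": str(uuid.UUID(bytes_le=name)),
            "type": FFS_FILE_TYPES.get(ftype, hex(ftype)),
            "size": int.from_bytes(size3, "little")}

def scan(image: bytes, guids: list, strings: list) -> list:
    """Report every GUID hit (decoded as an FFS header) and every UCS-2 string hit."""
    hits = []
    for g in guids:
        for off in find_all(image, guid_to_bytes(g)):
            # A GUID may also occur inside a dependency section; the decoded header is then garbage.
            hits.append(("guid", g, off, parse_ffs_header(image, off)))
    for s in strings:
        for off in find_all(image, s.encode("utf-16-le")):
            hits.append(("ucs2", s, off, None))
    return hits

# Constructed sample: one FFS driver file with a placeholder GUID inside 0xFF flash padding.
SUSPECT_GUID = "deadbeef-1111-2222-3333-444444444444"   # placeholder, not a real indicator
MARKER = "CONSTRUCTED-MARKER"
_body = b"\x00" * 8 + MARKER.encode("utf-16-le") + b"\x00" * 8
_size = FFS_HEADER.size + len(_body)
_hdr = FFS_HEADER.pack(guid_to_bytes(SUSPECT_GUID), 0, 0x07, 0x00, _size.to_bytes(3, "little"), 0xF8)
SAMPLE_IMAGE = b"\xff" * 64 + _hdr + _body + b"\xff" * 64

if __name__ == "__main__":
    for kind, what, off, info in scan(SAMPLE_IMAGE, [SUSPECT_GUID], [MARKER]):
        print(f"{kind:4} {what} at 0x{off:08x} {info or ''}")
```

Point `scan()` at a ROM dumped with CHIPSEC and feed it the GUIDs and strings from the Intel write-up to get the same answer UEFITool's Search gives, without the GUI.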

More Information: