UEFI_RETool : A Tool For UEFI Firmware Reverse Engineering

UEFI_RETool is a tool for UEFI firmware reverse engineering.

UEFI firmware analysis with uefi_retool.py script

Usage

  • Copy ida_plugin/uefi_analyser.py script and ida_plugin/uefi_analyser directory to IDA plugins directory
  • Edit config.json file
    • PE_DIR is a directory that contains all executable images from the UEFI firmware
    • DUMP_DIR is a directory that contains all components from the firmware filesystem
    • LOGS_DIR is a directory for logs
    • IDA_PATH and IDA64_PATH are paths to IDA Pro executable files
  • Run pip install -r requirements.txt
  • Run python uefi_retool.py command to display the help message

Commands

python uefi_retool.py

Usage: uefi_retool.py [OPTIONS] COMMAND [ARGS]…

Options:
–help Show this message and exit.

Commands:
get-images Get executable images from UEFI firmware.
get-info Analyze the entire UEFI firmware.
get-pp Get a list of proprietary protocols in the UEFI firmware.

Get-Images

python uefi_retool.py get-images –help

Usage: uefi_retool.py get-images [OPTIONS] FIRMWARE_PATH
Get executable images from UEFI firmware. Images are stored in “modules”
directory.

Options:
–help Show this message and exit.

Example

python uefi_retool.py get-images test_fw/fw-tp-x1-carbon-5th.bin

Get-Info

python uefi_retool.py get-info –help

Usage: uefi_retool.py get-info [OPTIONS] FIRMWARE_PATH
Analyze the entire UEFI firmware. The analysis result is saved to .json
file.

Options:
-w, –workers INTEGER Number of workers (8 by default).
–help Show this message and exit.

Example:

python uefi_retool.py get-info -w 6 test_fw/fw-tp-x1-carbon-5th.bin

Get-PP

python uefi_retool.py get-pp –help

Usage: uefi_retool.py get-pp [OPTIONS] FIRMWARE_PATH
Get a list of proprietary protocols in the UEFI firmware. The result is
saved to .json file.

Options:
-w, –workers INTEGER Number of workers (8 by default).
–help Show this message and exit.

Example:

python uefi_retool.py get-pp -w 6 test_fw/fw-tp-x1-carbon-5th.bin

Additional Tools

  • tools/update_edk2_guids.py is a script that updates protocol GUIDs list from edk2 project

IDA plugin

IDA plugin for UEFI analysis

Analyser & Protocol explorer

Usage

  • Copy uefi_analyser and uefi_analyser.py to your %IDA_DIR%/plugins directory
  • Open the executable UEFI image in IDA and go to Edit -> Plugins -> UEFI analyser (alternatively, you can use the key combination Ctrl+Alt+U)

Example

  • Before analysis
  • After analysis
  • Protocol explorer window

Dependency Browser & Dependency Graph

Usage

  • Analyse the firmware using uefi_retool.py python uefi_retool.py get-info FIRMWARE_PATH
  • Load <LOGS_DIR>/<FIRMWARE_NAME>-all-info.json file to IDA (File -> UEFI_RETool...)
  • alternatively, you can use the key combination Ctrl+Alt+J)

Example

  • Dependency browser window
  • Dependency graph
Download
R K

Share
Published by
R K
Tags: FirmwareREToolReverse EngineeringUEFIUEFI_RETool
4 years ago

Recent Posts

Bomber : Navigating Security Vulnerabilities In SBOMs

bomber is an application that scans SBOMs for security vulnerabilities. So you've asked a vendor…

15 hours ago

EmbedPayloadInPng : A Guide To Embedding And Extracting Encrypted Payloads In PNG Files

Embed a payload within a PNG file by splitting the payload across multiple IDAT sections.…

15 hours ago

Exploit Street – Navigating The New Terrain Of Windows LPEs

Exploit-Street, where we dive into the ever-evolving world of cybersecurity with a focus on Local…

3 days ago

ShadowDumper – Advanced Techniques For LSASS Memory Extraction

Shadow Dumper is a powerful tool used to dump LSASS (Local Security Authority Subsystem Service)…

4 days ago

Shadow-rs : Harnessing Rust’s Power For Kernel-Level Security Research

shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…

2 weeks ago

ExecutePeFromPngViaLNK – Advanced Execution Of Embedded PE Files via PNG And LNK

Extract and execute a PE embedded within a PNG file using an LNK file. The…

3 weeks ago