Skip to content

Latest commit

 

History

History
139 lines (112 loc) · 6.15 KB

README.md

File metadata and controls

139 lines (112 loc) · 6.15 KB

Ghidra Firmware Utilities

Various modules for Ghidra to assist with PC firmware reverse engineering. This was accepted as a coreboot project for GSoC 2019.

Features

PCI option ROM loader

  • Implements a FS loader for PCI option ROMs (handles hybrid ROMs with multiple images, e.g. legacy x86 + UEFI)
  • Loads UEFI executables from PCI option ROMs (including compressed images)
  • Defines the entry point function and various header data types for legacy x86 option ROMs

Firmware image loader

  • Implements a FS loader for Flash Map (FMAP) images and Intel Flash Descriptor (IFD) images (shows flash regions)
  • Implements a FS loader for Coreboot Filesystem (CBFS) images (displays included files and handles compression)
  • Implements a FS loader for UEFI firmware volumes and nested firmware filesystem (FFS) file/FFS section parsing

Terse Executable (TE) loader

  • Implements a binary loader for TE binaries (frequently used in UEFI PI)

UEFI helper script

  • Includes data type libraries for base UEFI types (taken from EDK2 MdePkg)
  • Fixes the signature of the entry point function
  • Defines known GUIDs in the binary's .data/.text segments
  • Locates and defines global copies of UEFI table pointers (gBS/gRT/gST/etc)

Building & Installation

JDK 11 (or newer) and Ghidra 10.1 (or newer) are required.

Ghidra's standard Gradle build system is used. Set the GHIDRA_INSTALL_DIR environment variable before building, or set it as a Gradle property (useful for building in an IDE):

Environment variable

$ export GHIDRA_INSTALL_DIR="/path/to/ghidra"
$ ./gradlew

Gradle property

echo GHIDRA_INSTALL_DIR=/path/to/ghidra > gradle.properties

The module ZIP will be output to dist/. Use File > Install Extensions and select the green plus to browse to the extension. Restart Ghidra when prompted.

For proper functionality, the plugin should be built with the same JRE used by your Ghidra installation. If you have multiple Java runtime environments installed, select the correct JRE by setting the JAVA_HOME environment variable before building.

Usage

PCI option ROM loader

Add a PCI option ROM to a Ghidra project. Legacy x86 option ROMs can be directly loaded for analysis. Ensure that the binary format is set to x86 PCI Option ROM, and import the binary.

UEFI option ROMs or option ROMs that contain more than one image should be imported using the filesystem loader. When prompted to select an import mode, select File system. The images contained within the option ROM will be displayed, and can be imported for analysis. Legacy x86 images will be handled the x86 PCI Option ROM loader, and UEFI images will be handled by the PE32 loader (compression is supported). Information for each image can be displayed by selecting Get Info in the right-click menu.

Firmware image loader

Add a supported firmware image to a Ghidra project. The firmware image loader supports Intel images with a Flash Descriptor, coreboot images with a FMAP/CBFS layout, and UEFI firmware volumes. The File system import mode can be used to view embedded files within the specified firmware image.

Note that some UEFI firmware images may store nested firmware volumes within freeform/raw files (or freeform/raw FFS sections). Such files can be imported as firmware volumes by selecting Open File System in the right-click menu for the specified freeform/raw file. If no nested firmware volume is found, an error message will be displayed (No file system provider for...).

UEFI helper script

The helper script is included in the plugin's ghidra_scripts directory, which should be automatically added to the list of script directories in Ghidra.

Run the UEFI helper script by selecting UEFIHelper.java in the Script Manager window (accessed from Window -> Script Manager).

To modify the UEFI data type library, modify the PRF template in data/gen_prf.sh as necessary and generate new PRF files. Open the generated PRF file in File -> Parse C Source. Build the updated data type library by selecting Parse to File.... Overwrite the original data type libraries in data and rebuild the plugin.

Related projects

These are some interesting projects related to UEFI reversing:

License

Apache 2.0, with some exceptions:

  • src/efidecompress/c/efidecompress.c: BSD

Credits

src/efidecompress/c/efidecompress.c is a lightly modified version of Decompress.c from uefi-firmware-parser (which itself is derived from the original in EDK2 BaseTools).

lib/xz-1.8.jar is taken from the XZ for Java project.

The IFD FS loader in src/main/java/firmware/ifd used the parser from UEFITool as a reference.

The GUID database in data/guids.csv is taken from UEFITool.

The UEFI data type libraries in data/uefi_*.gdt were generated with data/gen_prf.sh, which is partially based off the UEFI parser definition from a Ghidra pull request by wrffrz. These data type libraries use headers from EDK2 MdePkg.

GhidraVitaLoader by xerpi was used as a reference for some parts of the UEFI helper script.