UEFI Firmware Parser – Parse BIOS/Intel ME/UEFI Firmware Related Structures: Volumes, FileSystems, Files, Etc

UEFI Firmware Parser - Parse BIOS/Intel ME/UEFI Firmware Related Structures: Volumes, FileSystems, Files, Etc

The UEFI firmware parser is a straightforward module and set of scripts for parsing, extracting, and recreating UEFI firmware volumes. This contains parsing modules for BIOS, OptionROM, Intel ME and different codecs too. Please use the instance scripts for parsing tutorials.

This module is included within PyPy as

$ sudo pip set up uefi_firmware

To set up from Github, checkout this repo and use:

$ sudo python ./setup.py set up


  • Python growth headers, normally discovered within the python-dev package deal.
  • The compression/decompression options will use the python headers and gcc.
  • pefile is elective, and could also be used for added parsing.

The simplest way to use the module to detect or parse firmware is through the AutoParser class.

import uefi_firmware
with open('/path/to/firmware.rom', 'r') as fh:
  file_content = fh.read()
parser = uefi_firmware.AutoParser(file_content)
if parser.type() != 'unknown':
  firmware = parser.parse()

There are several classes within the uefi, pfs, me, and flash packages that accept file contents in their constructor. In all cases there are abstract methods implemented:

  • process() performs parsing work and returns a True or False
  • showinfo() print a hierarchy of information about the structure
  • dump() walk the hierarchy and write each to a file

A Python script is installed uefi-firmware-parser

$ uefi-firmware-parser -h
usage: uefi-firmware-parser [-h] [-b] [--superbrute] [-q] [-o OUTPUT] [-O]
                            [-c] [-e] [-g GENERATE] [--test]
                            file [file ...]

Parse, and optionally output, details and data on UEFI-related firmware.

positional arguments:
  file                  The file(s) to work on

optional arguments:
  -h, --help            show this help message and exit
  -b, --brute           The input is a blob and may contain FV headers.
  --superbrute          The input is a blob and may contain any sort of
                        firmware object
  -q, --quiet           Do not show info.
  -o OUTPUT, --output OUTPUT
                        Dump firmware objects to this folder.
  -O, --outputfolder    Dump firmware objects to a folder based on filename
  -c, --echo            Echo the filename before parsing or extracting.
  -e, --extract         Extract all files/sections/volumes.
  -g GENERATE, --generate GENERATE
                        Generate a FDF, implies extraction (volumes only)
  --test                Test file parsing, output name/success.

To test a file or directory of files:

$ uefi-firmware-parser --test ~/firmware/*
~/firmware/970E32_1.40: UEFIFirmwareVolume
~/firmware/CO5975P.BIO: EFICapsule
~/firmware/me-03.obj: IntelME
~/firmware/O990-A03.exe: None
~/firmware/O990-A03.exe.hdr: DellPFS

If you need to parse and extract a large number of firmware files check out the -O option to auto-generate an output folder per file. If parsing and searching for internals in a shell the --echo option will print the input filename before parsing.
The firmware-type
checker will determine find out how to finest parse the file. If the --test possibility fails to determine the kind, or calls it unknown, attempt to use the -b or --superbrute possibility. The later performs a byte-by-byte kind checker.

$ uefi-firmware-parser --test ~/firmware/970E32_1.40
~/firmware/970E32_1.40: unknown
$ uefi-firmware-parser --superbrute ~/firmware/970E32_1.40


  • UEFI Firmware Volumes, Capsules, FileMethods, Files, Sections parsing
  • Intel PCH Flash Descriptors
  • Intel ME modules parsing (ME, TXE, and many others)
  • Dell PFS (HDR) updates parsing
  • Tiano/EFI, and native LZMA (7z) [de]compression
  • Complete UEFI Firmware quantity object hierarchy show
  • Firmware descriptor [re]era utilizing the parsed enter volumes
  • Firmware File Section injection

GUID Injection
Injection or GUID alternative (no addition/subtraction but) could be carried out on sections inside a UEFI firmware file, or on UEFI firmware information inside a firmware filesystem.

$ python ./scripts/fv_injector.py -h
utilization: fv_injector.py [-h] [-c] [-p] [-f] [--guid GUID] --injection INJECTION
                      [-o OUTPUT]

Search a file for UEFI firmware volumes, parse and output.

positional arguments:
  file                  The file to work on

elective arguments:
  -h, --help            present this assist message and exit
  -c, --capsule         The enter file is a firmware capsule.
  -p, --pfs             The enter file is a Dell PFS.
  -f, --ff              Inject payload into firmware file.
  --guid GUID           GUID to interchange (inject).
  --injection INJECTION
                        Pre-generated EFI file to inject.
  -o OUTPUT, --output OUTPUT
                        Name of the output file.

Note: when injecting right into a firmware file the consumer shall be prompted for which part to interchange. At the second this isn’t-but-scriptable.
IDA Python help
There is an included script to generate extra GUID labels to import into IDA Python utilizing Snare’s plugins. Using the -g LABEL the script will generate a Python dictionary-formatted output. This mission will attempt to hold up-to-date with widespread vendor GUIDs robotically.

$ python ./scripts/uefi_guids.py -h
utilization: uefi_guids.py [-h] [-c] [-b] [-d] [-g GENERATE] [-u] file

Output GUIDs for information, optionally write GUID construction file.

positional arguments:
  file                  The file to work on

elective arguments:
  -h, --help            present this assist message and exit
  -c, --capsule         The enter file is a firmware capsule, don't search.
  -b, --brute           The enter file is a blob, seek for firmware quantity
  -d, --flash           The enter file is a flash descriptor.
  -g GENERATE, --generate GENERATE
                        Generate a behemoth-model GUID output.
  -u, --unknowns        When producing additionally print unknowns.

Supported Vendors
This module has been examined on BIOS/UEFI/firmware updates from the next distributors. Not each replace for each product will parse, some might required a-priori decompression or extraction from the distribution replace mechanism (usually a PE).

  • ASRock
  • Dell
  • Gigabyte
  • Intel
  • Lenovo
  • HP
  • MSI
  • VMware
  • Apple



Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.