ghidra-firmware-utils's Introduction

Ghidra Firmware Utilities

Various modules for Ghidra to assist with PC firmware reverse engineering. This was accepted as a coreboot project for GSoC 2019.

Features

PCI option ROM loader

  • Implements a FS loader for PCI option ROMs (handles hybrid ROMs with multiple images, e.g. legacy x86 + UEFI)
  • Loads UEFI executables from PCI option ROMs (including compressed images)
  • Defines the entry point function and various header data types for legacy x86 option ROMs

Firmware image loader

  • Implements a FS loader for Flash Map (FMAP) images and Intel Flash Descriptor (IFD) images (shows flash regions)
  • Implements a FS loader for Coreboot Filesystem (CBFS) images (displays included files and handles compression)
  • Implements a FS loader for UEFI firmware volumes and nested firmware filesystem (FFS) file/FFS section parsing

Terse Executable (TE) loader

  • Implements a binary loader for TE binaries (frequently used in UEFI PI)

UEFI helper script

  • Includes data type libraries for base UEFI types (taken from EDK2 MdePkg)
  • Fixes the signature of the entry point function
  • Defines known GUIDs in the binary's .data/.text segments
  • Locates and defines global copies of UEFI table pointers (gBS/gRT/gST/etc)

Building & Installation

JDK 11 (or newer) and Ghidra 10.1 (or newer) are required.

Ghidra's standard Gradle build system is used. Set the GHIDRA_INSTALL_DIR environment variable before building, or set it as a Gradle property (useful for building in an IDE):

Environment variable

$ export GHIDRA_INSTALL_DIR="/path/to/ghidra"
$ ./gradlew

Gradle property

echo GHIDRA_INSTALL_DIR=/path/to/ghidra > gradle.properties

The module ZIP will be output to dist/. Use File > Install Extensions and select the green plus to browse to the extension. Restart Ghidra when prompted.

For proper functionality, the plugin should be built with the same JRE used by your Ghidra installation. If you have multiple Java runtime environments installed, select the correct JRE by setting the JAVA_HOME environment variable before building.

Usage

PCI option ROM loader

Add a PCI option ROM to a Ghidra project. Legacy x86 option ROMs can be directly loaded for analysis. Ensure that the binary format is set to x86 PCI Option ROM, and import the binary.

UEFI option ROMs or option ROMs that contain more than one image should be imported using the filesystem loader. When prompted to select an import mode, select File system. The images contained within the option ROM will be displayed, and can be imported for analysis. Legacy x86 images will be handled by the x86 PCI Option ROM loader, and UEFI images will be handled by the PE32 loader (compression is supported). Information for each image can be displayed by selecting Get Info in the right-click menu.
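How a hybrid option ROM is split into images, as an added Python example (not code from ghidra-firmware-utils): it follows the image chain using the ROM header and PCI Data Structure layout from the PCI Firmware Specification, and reads the compression field of the EFI ROM header for UEFI images. The helper `make_image` and `SAMPLE_ROM` are constructed here for illustration.

```python
import struct

# Code Type values of the PCI Data Structure (PCIR).
CODE_TYPES = {0x00: "legacy x86", 0x01: "Open Firmware",
              0x02: "HP PA-RISC", 0x03: "UEFI"}
ROM_HEADER_SIZE = 0x1A   # ROM header up to and including the PCIR pointer at 0x18
PCIR_MIN_SIZE = 0x18     # smallest PCI Data Structure


def walk_option_rom(rom: bytes) -> list:
    """Follow the image chain of a PCI option ROM and describe each image."""
    images = []
    offset = 0
    while offset + ROM_HEADER_SIZE <= len(rom):
        if rom[offset:offset + 2] != b"\x55\xaa":
            raise ValueError(f"no 0xAA55 ROM signature at {offset:#x}")
        (pcir_ptr,) = struct.unpack_from("<H", rom, offset + 0x18)
        pcir = offset + pcir_ptr
        if pcir + PCIR_MIN_SIZE > len(rom) or rom[pcir:pcir + 4] != b"PCIR":
            raise ValueError(f"no PCIR structure for image at {offset:#x}")
        vendor_id, device_id = struct.unpack_from("<HH", rom, pcir + 0x04)
        (length_units,) = struct.unpack_from("<H", rom, pcir + 0x10)
        code_type, indicator = rom[pcir + 0x14], rom[pcir + 0x15]
        size = length_units * 512          # image length is in 512-byte units
        # A zero length would never advance; a length past EOF is a truncated ROM.
        if size == 0 or offset + size > len(rom):
            raise ValueError(f"image at {offset:#x} has invalid length {size:#x}")
        image = {"offset": offset, "size": size,
                 "vendor_id": vendor_id, "device_id": device_id,
                 "type": CODE_TYPES.get(code_type, f"unknown ({code_type:#x})")}
        if code_type == 0x03:
            # EFI ROM header: signature at 0x04, compression type at 0x0C,
            # offset of the PE32 image at 0x16.
            (efi_sig,) = struct.unpack_from("<I", rom, offset + 0x04)
            if efi_sig != 0x0EF1:
                raise ValueError(f"bad EFI signature at {offset:#x}")
            compression, efi_off = struct.unpack_from("<H", rom, offset + 0x0C)[0], \
                struct.unpack_from("<H", rom, offset + 0x16)[0]
            image["compressed"] = compression == 1
            image["efi_image_offset"] = offset + efi_off
        images.append(image)
        if indicator & 0x80:               # bit 7 marks the last image
            break
        offset += size
    return images


def make_image(code_type: int, last: bool, units: int = 1,
               compressed: bool = False) -> bytes:
    """Build a constructed, otherwise empty option ROM image for the demo."""
    img = bytearray(units * 512)
    img[0:2] = b"\x55\xaa"
    struct.pack_into("<H", img, 0x18, 0x1C)                  # PCIR pointer
    struct.pack_into("<4sHH", img, 0x1C, b"PCIR", 0x8086, 0x1234)
    struct.pack_into("<H", img, 0x1C + 0x10, units)
    img[0x1C + 0x14] = code_type
    img[0x1C + 0x15] = 0x80 if last else 0x00
    if code_type == 0x03:
        struct.pack_into("<I", img, 0x04, 0x0EF1)
        struct.pack_into("<H", img, 0x0C, 1 if compressed else 0)
        struct.pack_into("<H", img, 0x16, 0x40)
    return bytes(img)


# Constructed hybrid ROM: a 1 KiB legacy x86 image followed by a compressed UEFI image.
SAMPLE_ROM = make_image(0x00, last=False, units=2) + \
    make_image(0x03, last=True, compressed=True)

if __name__ == "__main__":
    for entry in walk_option_rom(SAMPLE_ROM):
        print(entry)
```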

Firmware image loader

Add a supported firmware image to a Ghidra project. The firmware image loader supports Intel images with a Flash Descriptor, coreboot images with a FMAP/CBFS layout, and UEFI firmware volumes. The File system import mode can be used to view embedded files within the specified firmware image.

Note that some UEFI firmware images may store nested firmware volumes within freeform/raw files (or freeform/raw FFS sections). Such files can be imported as firmware volumes by selecting Open File System in the right-click menu for the specified freeform/raw file. If no nested firmware volume is found, an error message will be displayed (No file system provider for...).

UEFI helper script

The helper script is included in the plugin's ghidra_scripts directory, which should be automatically added to the list of script directories in Ghidra.

Run the UEFI helper script by selecting UEFIHelper.java in the Script Manager window (accessed from Window -> Script Manager).

To modify the UEFI data type library, modify the PRF template in data/gen_prf.sh as necessary and generate new PRF files. Open the generated PRF file in File -> Parse C Source. Build the updated data type library by selecting Parse to File.... Overwrite the original data type libraries in data and rebuild the plugin.

Related projects

These are some interesting projects related to UEFI reversing:

License

Apache 2.0, with some exceptions:

  • src/efidecompress/c/efidecompress.c: BSD

Credits

src/efidecompress/c/efidecompress.c is a lightly modified version of Decompress.c from uefi-firmware-parser (which itself is derived from the original in EDK2 BaseTools).

lib/xz-1.8.jar is taken from the XZ for Java project.

The IFD FS loader in src/main/java/firmware/ifd used the parser from UEFITool as a reference.

The GUID database in data/guids.csv is taken from UEFITool.

The UEFI data type libraries in data/uefi_*.gdt were generated with data/gen_prf.sh, which is partially based off the UEFI parser definition from a Ghidra pull request by wrffrz. These data type libraries use headers from EDK2 MdePkg.

GhidraVitaLoader by xerpi was used as a reference for some parts of the UEFI helper script.

ghidra-firmware-utils's People

Contributors

al3xtjames, antoniovazquezblanco, dev747368, icomplainincomments, nstarke, rhythmx, shuffle2

ghidra-firmware-utils's Issues

Ghidra 10.1 Support

Apparently two classes were removed from the Ghidra 10.1 Java API:

  • GFileSystemFactoryFull
  • GFileSystemProbeFull

Right now it is not possible to build against Ghidra 10.1.

I will look into solutions this week, but I am creating this issue now so I don't forget about it.

Does Not Work on Windows

On Windows, trying to mount a UEFI filesystem results in the following JNI exception:

'byte[] firmware.common.EFIDecompressor.nativeDecompress(byte[])'
java.lang.UnsatisfiedLinkError: 'byte[] firmware.common.EFIDecompressor.nativeDecompress(byte[])'
	at firmware.common.EFIDecompressor.nativeDecompress(Native Method)
	at firmware.common.EFIDecompressor.decompress(EFIDecompressor.java:51)
	at firmware.uefi_fv.FFSCompressedSection.<init>(FFSCompressedSection.java:82)
	at firmware.uefi_fv.FFSSectionFactory.parseSection(FFSSectionFactory.java:64)
	at firmware.uefi_fv.UEFIFFSFile.<init>(UEFIFFSFile.java:147)
	at firmware.uefi_fv.UEFIFirmwareVolumeHeader.<init>(UEFIFirmwareVolumeHeader.java:252)
	at firmware.uefi_fv.UEFIFirmwareVolumeFileSystem.mount(UEFIFirmwareVolumeFileSystem.java:54)
	at firmware.uefi_fv.UEFIFirmwareVolumeFileSystemFactory.create(UEFIFirmwareVolumeFileSystemFactory.java:47)
	at firmware.uefi_fv.UEFIFirmwareVolumeFileSystemFactory.create(UEFIFirmwareVolumeFileSystemFactory.java:29)
	at ghidra.formats.gfilesystem.factory.FileSystemFactoryMgr.mountUsingFactory(FileSystemFactoryMgr.java:176)
	at ghidra.formats.gfilesystem.factory.FileSystemFactoryMgr.probe(FileSystemFactoryMgr.java:360)
	at ghidra.formats.gfilesystem.FileSystemService.probeFileForFilesystem(FileSystemService.java:672)
	at ghidra.formats.gfilesystem.FileSystemService.probeFileForFilesystem(FileSystemService.java:611)
	at ghidra.plugins.fsbrowser.FileSystemBrowserPlugin.doOpenFilesystem(FileSystemBrowserPlugin.java:258)
	at ghidra.plugins.fsbrowser.FileSystemBrowserPlugin.lambda$openFileSystem$0(FileSystemBrowserPlugin.java:117)
	at ghidra.util.task.TaskLauncher$2.run(TaskLauncher.java:117)
	at ghidra.util.task.Task.monitoredRun(Task.java:124)
	at ghidra.util.task.TaskRunner.lambda$startTaskThread$0(TaskRunner.java:104)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
	at java.base/java.lang.Thread.run(Thread.java:832)

I hacked together a build.gradle file that will build a working version:

import org.apache.tools.ant.taskdefs.condition.Os

//----------------------START "DO NOT MODIFY" SECTION------------------------------
def ghidraInstallDir

if (System.env.GHIDRA_INSTALL_DIR) {
	ghidraInstallDir = System.env.GHIDRA_INSTALL_DIR
}
else if (project.hasProperty("GHIDRA_INSTALL_DIR")) {
	ghidraInstallDir = project.getProperty("GHIDRA_INSTALL_DIR")
}

if (ghidraInstallDir) {
	apply from: new File(ghidraInstallDir).getCanonicalPath() + "/support/buildExtension.gradle"
}
else {
	throw new GradleException("GHIDRA_INSTALL_DIR is not defined!")
}
//----------------------END "DO NOT MODIFY" SECTION-------------------------------

apply plugin: "c"
model {
	platforms {
		x64 {
			architecture "x86_64"
		}
	}
	toolChains {
		gcc(Gcc) {
			path "C:\\Program Files\\mingw-w64\\x86_64-8.1.0-posix-seh-rt_v6-rev0\\mingw64\\bin"
			eachPlatform {
				cCompiler.executable = "gcc.exe"
			}
		}
	}
	components {
		efidecompress(NativeLibrarySpec) {
			targetPlatform "x64"
			sources {
				c {
					source {
						srcDir "src/efidecompress/c"
						include "efidecompress.c"
					}
				}
			}

			binaries.all {
				cCompiler.args "-DCONFIG_JNI"
				if (targetPlatform.operatingSystem.macOsX) {
					cCompiler.args "-I", "${System.properties['java.home']}/include"
					cCompiler.args "-I", "${System.properties['java.home']}/include/darwin"
					cCompiler.args "-mmacosx-version-min=10.9"
					linker.args "-mmacosx-version-min=10.9"
				} else if (targetPlatform.operatingSystem.linux) {
					cCompiler.args "-I", "${System.properties['java.home']}/include"
					cCompiler.args "-I", "${System.properties['java.home']}/include/linux"
					cCompiler.args "-D_FILE_OFFSET_BITS=64"
				} else if (targetPlatform.operatingSystem.windows) {
					cCompiler.args "-I${System.properties['java.home']}\\include"
					cCompiler.args "-I${System.properties['java.home']}\\include\\win32"
					cCompiler.args "-D_JNI_IMPLEMENTATION_"
					linker.args "-Wl,--kill-at"
					linker.args "-shared"
				}
			}
		}
	}
}

repositories {
	mavenCentral()
}

configurations {
	toCopy
}

dependencies {
	toCopy group: "org.tukaani", name: "xz", version: "1.8"
}

task copyLibraries(type: Copy, dependsOn: "efidecompressSharedLibrary") {
	copy {
		from configurations.toCopy into "lib"
	}

	if (Os.isFamily(Os.FAMILY_MAC)) {
		from "$buildDir/libs/efidecompress/shared/libefidecompress.dylib" into "os/osx64"
	} else if (Os.isFamily(Os.FAMILY_UNIX)) {
		from "$buildDir/libs/efidecompress/shared/libefidecompress.so" into "os/linux64"
	} else if (Os.isFamily(Os.FAMILY_WINDOWS)) {
		from "$buildDir/libs/efidecompress/shared/efidecompress.dll" into "os/win64"
	}
}

buildExtension.dependsOn "copyLibraries"

task cleanLibraries(type: Delete) {
	delete fileTree("lib").matching {
		include "*.jar"
	}

	delete fileTree("os").matching {
		include "osx64/*.dylib"
		include "linux64/*.so"
		include "win64/*.dll"
	}
}

clean.dependsOn "cleanLibraries"

Now this hacked-together Gradle file might build a working version for Windows, but it almost certainly will not work for other operating systems. I'm not a good enough Java/Groovy/Gradle engineer to know how to refactor this to a form that can be committed to the repository, but it took me quite a bit of effort to figure out why the current master branch does not work so I wanted to share my work in case anyone else needs it.

FWIW, I documented what I found here:
https://nstarke.github.io/0047-ghidra-firmware-utils-adventure.html

ghidra api usage error

Code

BinaryReader reader = new BinaryReader(new ByteArrayProvider(blockBytes), true);
// ....
NTHeader ntHeader = new NTHeader(reader, ntHeaderOffset, PortableExecutable.SectionLayout.FILE, false, false);

should be changed to

FactoryBundledWithBinaryReader reader = new FactoryBundledWithBinaryReader(RethrowContinuesFactory.INSTANCE, new ByteArrayProvider(blockBytes), true);
// ...
NTHeader ntHeader = NTHeader.createNTHeader(reader, ntHeaderOffset, PortableExecutable.SectionLayout.FILE, false, false);

Tested in Ghidra 10.1.5

Exception when importing - AddressOverflowException: Address Overflow in add: ffffffe0 + 0x27

Also from batch importing the firmware bundle.

I think it's in file /fw/MP51.fd/Volume 000 - EfiFirmwareFileSystemGuid/File 020 - 736eb068-8c01-47c5-964b-1c57bd5d4d64/ TE Image Section

2020-03-27 15:15:58 INFO (ImportBatchTask) Imported firmware_testing:/fw/MP51.fd/Volume 000 - EfiFirmwareFileSystemGuid/File 021 - S3ResumePei/ TE Image Section, 965 of 972
2020-03-27 15:15:58 INFO (ImportBatchTask) Additional info:
----- Loading /Volume 000 - EfiFirmwareFileSystemGuid/File 021 - S3ResumePei/TE Image Section -----

2020-03-27 15:15:58 DEBUG (TELoader) Added .text section: 0xFFCB4ADC-0xFFCB4BBB
2020-03-27 15:15:58 DEBUG (TELoader) Added .data section: 0xFFCB4BBC-0xFFCB4BDC
2020-03-27 15:15:58 DEBUG (TELoader) Added .reloc section: 0xFFCB4BDC-0xFFCB4BEE
2020-03-27 15:15:58 INFO (ImportBatchTask) Imported firmware_testing:/fw/MP51.fd/Volume 000 - EfiFirmwareFileSystemGuid/File 020 - 736eb068-8c01-47c5-964b-1c57bd5d4d64/ TE Image Section, 966 of 972
2020-03-27 15:15:58 INFO (ImportBatchTask) Additional info:
----- Loading /Volume 000 - EfiFirmwareFileSystemGuid/File 020 - 736eb068-8c01-47c5-964b-1c57bd5d4d64/TE Image Section -----

2020-03-27 15:15:58 DEBUG (TELoader) Added .text section: 0x100003F8-0x10000D1C
2020-03-27 15:15:58 DEBUG (TELoader) Added .rdata section: 0x10000D38-0x10000D43
2020-03-27 15:15:58 DEBUG (TELoader) Added .data section: 0x10000D58-0x100011F8
2020-03-27 15:15:58 DEBUG (TELoader) Added .reloc section: 0x100011F8-0x1000127A
2020-03-27 15:15:58 INFO (ImportBatchTask) Imported firmware_testing:/fw/MP51.fd/Volume 006 - EfiFirmwareFileSystemGuid/File 055 - SmmRelocatePei/ TE Image Section, 967 of 972
2020-03-27 15:15:58 INFO (ImportBatchTask) Additional info:
----- Loading /Volume 006 - EfiFirmwareFileSystemGuid/File 055 - SmmRelocatePei/TE Image Section -----

2020-03-27 15:15:58 DEBUG (TELoader) Added .text section: 0xFFFFF300-0xFFFFF467
2020-03-27 15:15:58 DEBUG (TELoader) Added _TEXT_RE section: 0xFFFFF480-0xFFFFF4ED
2020-03-27 15:15:58 DEBUG (TELoader) Added _TEXT_PR section: 0xFFFFF500-0xFFFFFFD0
2020-03-27 15:15:58 ERROR (TELoader) Terse Executable (TE) Loader: Address Overflow in add: ffffffe0 + 0x27 ghidra.program.model.address.AddressOverflowException: Address Overflow in add: ffffffe0 + 0x27
at ghidra.program.model.address.AbstractAddressSpace.addNoWrap(AbstractAddressSpace.java:455)
at ghidra.program.model.address.GenericAddressSpace.addNoWrap(GenericAddressSpace.java:21)
at ghidra.program.model.address.GenericAddress.addNoWrap(GenericAddress.java:218)
at ghidra.program.database.mem.MemoryMapDB.checkRange(MemoryMapDB.java:1855)
at ghidra.program.database.mem.MemoryMapDB.createInitializedBlock(MemoryMapDB.java:514)
at ghidra.program.flatapi.FlatProgramAPI.createMemoryBlock(FlatProgramAPI.java:329)
at firmware.uefi_te.TELoader.load(TELoader.java:116)
at ghidra.app.util.opinion.AbstractLibrarySupportLoader.doLoad(AbstractLibrarySupportLoader.java:346)
at ghidra.app.util.opinion.AbstractLibrarySupportLoader.loadProgram(AbstractLibrarySupportLoader.java:83)
at ghidra.app.util.opinion.AbstractProgramLoader.load(AbstractProgramLoader.java:112)
at ghidra.plugins.importer.tasks.ImportBatchTask.doImportApp(ImportBatchTask.java:148)
at ghidra.plugins.importer.tasks.ImportBatchTask.doImportBatchGroup(ImportBatchTask.java:127)
at ghidra.plugins.importer.tasks.ImportBatchTask.doBatchImport(ImportBatchTask.java:116)
at ghidra.plugins.importer.tasks.ImportBatchTask.run(ImportBatchTask.java:91)
at ghidra.util.task.Task.monitoredRun(Task.java:126)
at ghidra.util.task.TaskRunner.lambda$startTaskThread$1(TaskRunner.java:94)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)

2020-03-27 15:15:59 INFO (ImportBatchTask) Imported firmware_testing:/fw/MP51.fd/Volume 008 - 04adeead-61ff-4d31-b6ba-64f8bf901f5a/File 002 - VolumeTopFile/ TE Image Section, 968 of 972
2020-03-27 15:15:59 INFO (ImportBatchTask) Additional info:
----- Loading /Volume 008 - 04adeead-61ff-4d31-b6ba-64f8bf901f5a/File 002 - VolumeTopFile/TE Image Section -----

2020-03-27 15:15:59 DEBUG (TELoader) Added .text section: 0xFFFF02EC-0xFFFF07A3
2020-03-27 15:15:59 DEBUG (TELoader) Added .data section: 0xFFFF07AC-0xFFFF07CC
2020-03-27 15:15:59 DEBUG (TELoader) Added .reloc section: 0xFFFF07CC-0xFFFF07DE
2020-03-27 15:15:59 INFO (ImportBatchTask) Imported firmware_testing:/fw/MP51.fd/Volume 008 - 04adeead-61ff-4d31-b6ba-64f8bf901f5a/File 001 - 7da04c46-2e86-4a24-b50b-3e6c445d730f/ TE Image Section, 969 of 972
2020-03-27 15:15:59 INFO (ImportBatchTask) Additional info:
----- Loading /Volume 008 - 04adeead-61ff-4d31-b6ba-64f8bf901f5a/File 001 - 7da04c46-2e86-4a24-b50b-3e6c445d730f/TE Image Section -----

2020-03-27 15:15:59 DEBUG (TELoader) Added .text section: 0xFFFFF320-0xFFFFF487
2020-03-27 15:15:59 DEBUG (TELoader) Added _TEXT_RE section: 0xFFFFF4A0-0xFFFFF50D
2020-03-27 15:15:59 DEBUG (TELoader) Added _TEXT_PR section: 0xFFFFF520-0xFFFFFFD0
2020-03-27 15:15:59 ERROR (TELoader) Terse Executable (TE) Loader: Address Overflow in add: ffffffe0 + 0x27 ghidra.program.model.address.AddressOverflowException: Address Overflow in add: ffffffe0 + 0x27
at ghidra.program.model.address.AbstractAddressSpace.addNoWrap(AbstractAddressSpace.java:455)
at ghidra.program.model.address.GenericAddressSpace.addNoWrap(GenericAddressSpace.java:21)
at ghidra.program.model.address.GenericAddress.addNoWrap(GenericAddress.java:218)
at ghidra.program.database.mem.MemoryMapDB.checkRange(MemoryMapDB.java:1855)

Exception when importing with legacyOptionROMLoader - IllegalArgumentException: number of array elements must be positive

I did a batch import of the bundle of firmware images you shared and got the following stack trace:

2020-03-27 15:12:48 INFO  (ImportBatchTask) Imported firmware_testing:/fw/MBP101_00F6_B00.scap/Volume 000 - EfiFirmwareFileSystemGuid/File 004 - EfiUpdateDataFileGuid/Volume 000 - EfiFirmwareFileSystemGuid/File 000 - 77ad7fdb-df2a-4302-8898-c72e4cdbd0f4/Compressed Section/GUID-Defined Section - EfiCrc32GuidedSectionExtractionGuid/Firmware Volume Image Section/Volume 000 - EfiFirmwareFileSystemGuid/File 156 - b40f45e8-0f88-4fa2-8616-101d202df78e/Compressed Section/GUID-Defined Section - EfiCrc32GuidedSectionExtractionGuid/ Raw Section, 5 of 972  
2020-03-27 15:12:48 INFO  (ImportBatchTask) Additional info:
----- Loading /Volume 000 - EfiFirmwareFileSystemGuid/File 004 - EfiUpdateDataFileGuid/Volume 000 - EfiFirmwareFileSystemGuid/File 000 - 77ad7fdb-df2a-4302-8898-c72e4cdbd0f4/Compressed Section/GUID-Defined Section - EfiCrc32GuidedSectionExtractionGuid/Firmware Volume Image Section/Volume 000 - EfiFirmwareFileSystemGuid/File 156 - b40f45e8-0f88-4fa2-8616-101d202df78e/Compressed Section/GUID-Defined Section - EfiCrc32GuidedSectionExtractionGuid/Raw Section -----

2020-03-27 15:12:48 ERROR (LegacyOptionROMLoader) x86 PCI Option ROM Loader: number of array elements must be positive, not 0 java.lang.IllegalArgumentException: number of array elements must be positive, not 0
at ghidra.program.model.data.ArrayDataType.<init>(ArrayDataType.java:64)
at ghidra.program.model.data.ArrayDataType.<init>(ArrayDataType.java:43)
at firmware.option_rom.DeviceList.toDataType(DeviceList.java:57)
at firmware.option_rom.LegacyOptionROMLoader.load(LegacyOptionROMLoader.java:87)
at ghidra.app.util.opinion.AbstractLibrarySupportLoader.doLoad(AbstractLibrarySupportLoader.java:346)
at ghidra.app.util.opinion.AbstractLibrarySupportLoader.loadProgram(AbstractLibrarySupportLoader.java:83)
at ghidra.app.util.opinion.AbstractProgramLoader.load(AbstractProgramLoader.java:112)
at ghidra.plugins.importer.tasks.ImportBatchTask.doImportApp(ImportBatchTask.java:148)
at ghidra.plugins.importer.tasks.ImportBatchTask.doImportBatchGroup(ImportBatchTask.java:127)
at ghidra.plugins.importer.tasks.ImportBatchTask.doBatchImport(ImportBatchTask.java:116)
at ghidra.plugins.importer.tasks.ImportBatchTask.run(ImportBatchTask.java:91)
at ghidra.util.task.Task.monitoredRun(Task.java:126)
at ghidra.util.task.TaskRunner.lambda$startTaskThread$1(TaskRunner.java:94)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)

2020-03-27 15:12:48 INFO (ImportBatchTask) Imported firmware_testing:/fw/MBP101_00F6_B00.scap/Volume 000 - EfiFirmwareFileSystemGuid/File 004 - EfiUpdateDataFileGuid/Volume 000 - EfiFirmwareFileSystemGuid/File 000 - 77ad7fdb-df2a-4302-8898-c72e4cdbd0f4/Compressed Section/GUID-Defined Section - EfiCrc32GuidedSectionExtractionGuid/Firmware Volume Image Section/Volume 000 - EfiFirmwareFileSystemGuid/File 158 - 26fa5a1d-5c3e-4070-a9b8-80826b1d7ce1/Compressed Section/GUID-Defined Section - EfiCrc32GuidedSectionExtractionGuid/ Raw Section, 6 of 972
2020-03-27 15:12:48 INFO (ImportBatchTask) Additional info:
----- Loading /Volume 000 - EfiFirmwareFileSystemGuid/File 004 - EfiUpdateDataFileGuid/Volume 000 - EfiFirmwareFileSystemGuid/File 000 - 77ad7fdb-df2a-4302-8898-c72e4cdbd0f4/Compressed Section/GUID-Defined Section - EfiCrc32GuidedSectionExtractionGuid/Firmware Volume Image Section/Volume 000 - EfiFirmwareFileSystemGuid/File 158 - 26fa5a1d-5c3e-4070-a9b8-80826b1d7ce1/Compressed Section/GUID-Defined Section - EfiCrc32GuidedSectionExtractionGuid/Raw Section -----

2020-03-27 15:12:48 ERROR (LegacyOptionROMLoader) x86 PCI Option ROM Loader: number of array elements must be positive, not 0 java.lang.IllegalArgumentException: number of array elements must be positive, not 0
at ghidra.program.model.data.ArrayDataType.<init>(ArrayDataType.java:64)
at ghidra.program.model.data.ArrayDataType.<init>(ArrayDataType.java:43)
at firmware.option_rom.DeviceList.toDataType(DeviceList.java:57)
at firmware.option_rom.LegacyOptionROMLoader.load(LegacyOptionROMLoader.java:87)
at ghidra.app.util.opinion.AbstractLibrarySupportLoader.doLoad(AbstractLibrarySupportLoader.java:346)
at ghidra.app.util.opinion.AbstractLibrarySupportLoader.loadProgram(AbstractLibrarySupportLoader.java:83)
at ghidra.app.util.opinion.AbstractProgramLoader.load(AbstractProgramLoader.java:112)
at ghidra.plugins.importer.tasks.ImportBatchTask.doImportApp(ImportBatchTask.java:148)
at ghidra.plugins.importer.tasks.ImportBatchTask.doImportBatchGroup(ImportBatchTask.java:127)
at ghidra.plugins.importer.tasks.ImportBatchTask.doBatchImport(ImportBatchTask.java:116)
at ghidra.plugins.importer.tasks.ImportBatchTask.run(ImportBatchTask.java:91)
at ghidra.util.task.Task.monitoredRun(Task.java:126)
at ghidra.util.task.TaskRunner.lambda$startTaskThread$1(TaskRunner.java:94)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)

2020-03-27 15:12:48 INFO (ImportBatchTask) Imported firmware_testing:/fw/MBP101_00F6_B00.scap/Volume 000 - EfiFirmwareFileSystemGuid/File 004 - EfiUpdateDataFileGuid/Volume 000 - EfiFirmwareFileSystemGuid/File 000 - 77ad7fdb-df2a-4302-8898-c72e4cdbd0f4/Compressed Section/GUID-Defined Section - EfiCrc32GuidedSectionExtractionGuid/Firmware Volume Image Section/Volume 000 - EfiFirmwareFileSystemGuid/File 157 - 1b033324-b30e-4f65-b35f-ef12eee91983/Compressed Section/GUID-Defined Section - EfiCrc32GuidedSectionExtractionGuid/ Raw Section, 7 of 972
2020-03-27 15:12:48 INFO (ImportBatchTask) Additional info:
----- Loading /Volume 000 - EfiFirmwareFileSystemGuid/File 004 - EfiUpdateDataFileGuid/Volume 000 - EfiFirmwareFileSystemGuid/File 000 - 77ad7fdb-df2a-4302-8898-c72e4cdbd0f4/Compressed Section/GUID-Defined Section - EfiCrc32GuidedSectionExtractionGuid/Firmware Volume Image Section/Volume 000 - EfiFirmwareFileSystemGuid/File 157 - 1b033324-b30e-4f65-b35f-ef12eee91983/Compressed Section/GUID-Defined Section - EfiCrc32GuidedSectionExtractionGuid/Raw Section -----

Out-of-bounds flash region when importing filesystem

Out-of-bounds flash region
java.io.IOException: Out-of-bounds flash region
	at firmware.ifd.IntelFlashDescriptor.addRegion(IntelFlashDescriptor.java:297)
	at firmware.ifd.IntelFlashDescriptor.<init>(IntelFlashDescriptor.java:243)
	at firmware.ifd.IntelFlashFileSystem.mount(IntelFlashFileSystem.java:45)
	at firmware.ifd.IntelFlashFileSystemFactory.create(IntelFlashFileSystemFactory.java:47)
	at firmware.ifd.IntelFlashFileSystemFactory.create(IntelFlashFileSystemFactory.java:30)
	at ghidra.formats.gfilesystem.factory.FileSystemFactoryMgr.mountUsingFactory(FileSystemFactoryMgr.java:176)
	at ghidra.formats.gfilesystem.factory.FileSystemFactoryMgr.probe(FileSystemFactoryMgr.java:338)
	at ghidra.formats.gfilesystem.FileSystemService.probeFileForFilesystem(FileSystemService.java:679)
	at ghidra.formats.gfilesystem.FileSystemService.probeFileForFilesystem(FileSystemService.java:630)
	at ghidra.plugins.fsbrowser.FileSystemBrowserPlugin.doOpenFilesystem(FileSystemBrowserPlugin.java:231)
	at ghidra.plugins.fsbrowser.FileSystemBrowserPlugin.lambda$openFileSystem$0(FileSystemBrowserPlugin.java:118)
	at ghidra.util.task.TaskLauncher$2.run(TaskLauncher.java:117)
	at ghidra.util.task.Task.monitoredRun(Task.java:134)
	at ghidra.util.task.TaskRunner.lambda$startTaskThread$0(TaskRunner.java:106)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at java.base/java.lang.Thread.run(Thread.java:833)

---------------------------------------------------
Build Date: 2022-May-21 0030 CEST
Ghidra Version: 10.1.4
Java Home: /usr/lib/jvm/java-18-openjdk
JVM Version: N/A 18.0.1.1
OS: Linux 5.18.10-artix1-1 amd64
$ file 7G1_0123.bin 
7G1_0123.bin: Intel serial flash for ICH/PCH ROM <= 5 or 3400 series A-step

https://drive.google.com/file/d/1aS-yfqtqNPat7br6KKPT2NDDWbYwEFLA/view?usp=sharing

UEFIFirmwareVolumeHeader field sizes documentation

Is the size for "Reset Vector" in the "UEFI Firmware Volume Header" part of the javadoc incorrect?

It currently shows as 1, but the code in the ctor that reads the data is reading a 16 byte array into zeroVector.

Also, some of the magic constants sprinkled around (i.e. position - 40) make sense if you are calculating the position of the start of the volume header if the size for that field is 16 and not 1.
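The header layout this question turns on, as an added Python example (not code from ghidra-firmware-utils): in the UEFI PI specification's EFI_FIRMWARE_VOLUME_HEADER the `_FVH` signature follows a 16-byte ZeroVector, a 16-byte GUID and an 8-byte FvLength, so a scanner that finds the signature steps back 40 bytes to reach the header start, then validates the header checksum before trusting any field. The sample image and its attribute value are constructed for illustration.

```python
import struct
import uuid

FVH_SIGNATURE = b"_FVH"
# ZeroVector[16] + FileSystemGuid[16] + FvLength (UINT64) precede the signature,
# which is where a "position - 40" step comes from.
SIGNATURE_OFFSET = 16 + 16 + 8
# Fixed part of the header: ZeroVector, FileSystemGuid, FvLength, Signature,
# Attributes, HeaderLength, Checksum, ExtHeaderOffset, Reserved, Revision.
FIXED_HEADER = struct.Struct("<16s16sQ4sIHHHBB")


def checksum16(data: bytes) -> int:
    """16-bit sum of little-endian words; a valid header sums to zero."""
    return sum(struct.unpack(f"<{len(data) // 2}H", data)) & 0xFFFF


def parse_volume_header(image: bytes, start: int):
    """Parse the volume header at `start`; return None if validation fails."""
    if start < 0 or start + FIXED_HEADER.size > len(image):
        return None
    (_zero_vector, guid, fv_length, signature, _attributes, header_length,
     _checksum, _ext_offset, _reserved, revision) = FIXED_HEADER.unpack_from(image, start)
    if signature != FVH_SIGNATURE:
        return None
    if header_length < FIXED_HEADER.size or header_length % 2:
        return None
    if start + header_length > len(image):
        return None
    if checksum16(image[start:start + header_length]) != 0:
        return None
    if fv_length < header_length or start + fv_length > len(image):
        return None
    # Block map: (NumBlocks, Length) pairs terminated by a (0, 0) entry.
    blocks = []
    pos = start + FIXED_HEADER.size
    while pos + 8 <= start + header_length:
        num_blocks, block_length = struct.unpack_from("<II", image, pos)
        if num_blocks == 0 and block_length == 0:
            break
        blocks.append((num_blocks, block_length))
        pos += 8
    return {"offset": start, "guid": str(uuid.UUID(bytes_le=guid)),
            "fv_length": fv_length, "header_length": header_length,
            "revision": revision, "blocks": blocks}


def find_volumes(image: bytes) -> list:
    """Scan for `_FVH` and keep only hits that validate as volume headers."""
    volumes = []
    pos = image.find(FVH_SIGNATURE)
    while pos != -1:
        volume = parse_volume_header(image, pos - SIGNATURE_OFFSET)
        if volume is not None:
            volumes.append(volume)
        pos = image.find(FVH_SIGNATURE, pos + 1)
    return volumes


def build_sample_volume(fv_length: int = 0x1000) -> bytes:
    """Constructed 4 KiB volume with a valid checksum and one block map entry."""
    guid = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")  # FFS2 file system GUID
    block_map = struct.pack("<IIII", 1, fv_length, 0, 0)
    header_length = FIXED_HEADER.size + len(block_map)

    def pack(checksum: int) -> bytes:
        return FIXED_HEADER.pack(bytes(16), guid.bytes_le, fv_length, FVH_SIGNATURE,
                                 0x0004FEFF,  # constructed attribute value
                                 header_length, checksum, 0, 0, 2) + block_map

    header = pack(-checksum16(pack(0)) & 0xFFFF)
    return header.ljust(fv_length, b"\xff")


# Constructed image: padding, one real volume, then a stray "_FVH" string
# that must be rejected by the header checks.
SAMPLE_IMAGE = b"\xff" * 0x200 + build_sample_volume() + b"junk_FVH" + b"\xff" * 64

if __name__ == "__main__":
    for vol in find_volumes(SAMPLE_IMAGE):
        print(vol)
```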

JRE compatibility between Ghidra and firmware utils

The Ghidra client for shared projects works only with JREs up to JRE 11.

So if the firmware utils should be used for collaborative projects, one has to make sure to build it with the same JRE that Ghidra runs on (by setting the JAVA_HOME environment variable for Gradle).

Maybe this should be mentioned in the readme.

Add enableRelaxedEndCondition support

XZ 1.9 introduced a new method to LZMAInputStream. When this method is called before any data from the stream is read, the absence of EOS doesn't trigger an exception.

UEFIHelper.java exception with position-independent PE32's

If a UEFI PE32 module is built position-independent, Ghidra loads it at 0x10000. When it searches for global assignments, it finds the SystemTable->BootServices, which in almost every case is somewhere before 0x10000 because it's based on the PE being loaded at 0. It then tries to apply a type before the base of the PE raising an exception that resembles the following:

> Error running script: UEFIHelper.java
ghidra.program.model.util.CodeUnitInsertionException: Insufficent memory at address 0000146c (length: 4 bytes)
        at ghidra.program.database.code.CodeManager.checkValidAddressRange(CodeManager.java:1916)
        ...
        UEFIHelper.defineData(UEFIHelper.java:138)
        ...

There is a simple workaround: upon loading the PE32 click the Memory Map and rebase the binary to 0x0. However, I think you can also address this in code by detecting if the PE32 is position-independent in UEFIHelper.java and rebase to 0x0 automatically, or add Ghidra's 0x10000 default base address to resolve the correct location of global variables.

Merge with Ghidra

Is there a plan to merge the project up to Ghidra? Would be great

UEFIHelper.java script error: java.lang.NullPointerException: Cannot invoke "ghidra.program.model.listing.Function.getParameters()" because "function" is null

I'm using JDK 21 with Ghidra 10.2.1 and I'm trying to analyze the bootx64.efi file from my machine's EFI partition.

When I run the script, it is able to locate the entrypoint, but then it throws the java.lang.NullPointerException: Cannot invoke "ghidra.program.model.listing.Function.getParameters()" because "function" is null exception.

I have also tried to reverse bootx64.efi using efiseek, but it won't make any changes. Could this bug happen due to analyzing a bootloader? If so, how to fix it?
