Reversing - ISpillMyDrink/UEFI-Repair-Guide GitHub Wiki
A few notes on reverse engineering UEFI firmware. Don't expect much.
Software Setup
The FIT Pointer
TODO
The Reset Vector
All x86 processors start executing at the so-called Reset Vector: after reset CS has a base of 0xFFFF0000 and IP is 0xFFF0, so the first instruction is fetched from physical address 0xFFFF:FFF0, sixteen bytes below the top of the 4 GiB address space, where the chipset maps the end of the SPI flash. (The colon in addresses like 0xFFFF:FFF0 on this page is only a readability separator inside a 32-bit physical address, not segment:offset notation.) At least in theory, that is: on modern Intel platforms with Boot Guard, an authenticated code module located through the FIT runs before the firmware's Reset Vector does. Let's have a look at what that actually means in the context of a modern UEFI image. We'll use UEFITool to locate the Reset Vector in the firmware image of an ASUS ROG Z370-I mainboard by scrolling down to the end of the image, where we find the "SEC core" containing a "Raw section" whose body UEFITool reports as mapped to address 0xFFFF:FFC0. The sixteen Reset Vector bytes therefore sit 0x30 bytes into that body (0xFFFF:FFF0 - 0xFFFF:FFC0 = 0x30).
Disassembling the opcodes at the Reset Vector in 16-bit real mode (the mode the CPU is in at reset) yields the following result:
```
fffffff0:  90          nop
fffffff1:  90          nop
fffffff2:  e9 3b fc    jmp 0xfc30    ; rel16: 0xfff5 + 0xfc3b = 0x1fc30, IP is 16 bits wide, so 0xfc30
fffffff5:  00 00 00 fc 00 00 00 00 00 f0 ff    ; not reached from the Reset Vector: the jump above is unconditional
```
As we can see, one of the first instructions to run is a near jump. Its 16-bit displacement (0xFC3B, i.e. -965) is added to the IP of the following instruction (0xFFF5) and truncated to 16 bits, giving IP 0xFC30 under the unchanged CS base, which is physical address 0xFFFF:FC30. Beware of a disassembler left in 32-bit mode at origin 0: it decodes the same bytes as `e9 3b fc 00 00  jmp 0xfc42`, swallowing two of the following data bytes as part of a rel32, and that target is wrong for code executed at reset. UEFITool tells us that 0xFFFF:FC30 must be somewhere inside of the "TE image section" just before the Reset Vector.
Extracting the body of the TE image and disassembling it with Ghidra, we see that the jump target lands close to what Ghidra identifies as the TE image's module entry point.
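The steps above (find the last 16 bytes of the image, decode the jump the way the CPU does at reset, and turn the physical target back into a file offset) are easy to get wrong by hand, so here is a small script that does them. It is an added example written for this page, not code from the UEFI-Repair-Guide project. It assumes that the last byte of the image maps to 0xFFFFFFFF (which is how UEFITool derives the memory addresses it shows for the BIOS region), it goes slightly beyond the page by also accepting a far jump (`EA off16:seg16`) at the Reset Vector and by reading the FIT pointer that lives at the start of the same 64-byte raw section (0xFFFFFFC0), and the 64 KiB `build_sample_image()` image it analyses is constructed, not a real dump; only the 16 Reset Vector bytes are taken from the listing above.

```python
"""Decode the x86 reset vector of a UEFI image the way the CPU does at power-on.

Added example for this wiki page, not code from the UEFI-Repair-Guide project.
Assumptions: the image's last byte maps to physical address 0xFFFFFFFF (the
top of 4 GiB, which is how UEFITool derives the memory addresses it shows for
the BIOS region), and the CPU starts in 16-bit real-address mode with CS base
0xFFFF0000 and IP 0xFFF0 (Intel SDM vol. 3, "First Instruction Executed").
"""
import struct

TOP_OF_4G = 0x1_0000_0000       # one past the highest 32-bit physical address
RESET_CS_BASE = 0xFFFF0000      # CS base after reset
RESET_IP = 0xFFF0               # IP after reset: 0xFFFF0000 + 0xFFF0 = 0xFFFFFFF0
FIT_POINTER_ADDR = 0xFFFFFFC0   # 8-byte pointer to the Firmware Interface Table
LEGACY_F_SEGMENT = 0xF0000      # assumed standard PC decode: 0xF0000..0xFFFFF aliases the top 64 KiB of flash

# The 16 reset-vector bytes from the page's ASUS ROG Z370-I listing,
# linear 0xFFFFFFF0..0xFFFFFFFF.
Z370I_RESET_VECTOR = bytes.fromhex("9090e93bfc000000fc0000000000f0ff")


def linear_to_offset(image_size: int, linear: int) -> int:
    """Map a physical address in the top-of-4G flash window to an image offset."""
    if LEGACY_F_SEGMENT <= linear < 0x100000:          # far jumps to F000:xxxx land here
        linear += RESET_CS_BASE - LEGACY_F_SEGMENT      # same flash bytes as 0xFFFFxxxx
    offset = image_size - (TOP_OF_4G - linear)
    if not 0 <= offset < image_size:
        raise ValueError(f"0x{linear:08x} is not backed by this image")
    return offset


def decode_reset_jump(vector: bytes) -> dict:
    """Decode the first control transfer at 0xFFFFFFF0 in 16-bit mode.

    Leading NOPs are skipped. Two encodings are handled:
      E9 rel16        near jmp: IP is 16 bits wide, so the sum wraps at 0x10000
                      and execution stays under the 0xFFFF0000 CS base
      EA off16 seg16  far jmp: reloads CS, linear target = seg * 16 + off
    """
    ip, i = RESET_IP, 0
    while i < len(vector) and vector[i] == 0x90:
        ip, i = ip + 1, i + 1
    opcode = vector[i]
    if opcode == 0xE9:
        (rel16,) = struct.unpack_from("<h", vector, i + 1)
        target_ip = (ip + 3 + rel16) & 0xFFFF
        return {"insn": f"jmp 0x{target_ip:04x}", "rel16": rel16,
                "linear": RESET_CS_BASE + target_ip}
    if opcode == 0xEA:
        off, seg = struct.unpack_from("<HH", vector, i + 1)
        return {"insn": f"jmp 0x{seg:04x}:0x{off:04x}", "linear": (seg << 4) + off}
    raise ValueError(f"unexpected opcode 0x{opcode:02x} at linear 0x{RESET_CS_BASE + ip:08x}")


def decode_reset_jump_as_32bit(vector: bytes) -> int:
    """The common mistake: decode E9 as rel32 at origin 0, as a 32-bit disassembler does.

    This is what yields 'jmp 0xfc42' for the bytes above; the CPU never runs them that way.
    """
    i = 0
    while vector[i] == 0x90:
        i += 1
    if vector[i] != 0xE9:
        raise ValueError("not a near jmp")
    (rel32,) = struct.unpack_from("<i", vector, i + 1)
    return (i + 5 + rel32) & 0xFFFFFFFF


def analyze(image: bytes) -> dict:
    """Resolve the reset-vector jump and the FIT pointer of a whole image to file offsets."""
    size = len(image)
    rv_offset = linear_to_offset(size, RESET_CS_BASE + RESET_IP)
    jump = decode_reset_jump(image[rv_offset:rv_offset + 16])
    (fit_ptr,) = struct.unpack_from("<Q", image, linear_to_offset(size, FIT_POINTER_ADDR))
    try:
        fit_offset = linear_to_offset(size, fit_ptr)
    except ValueError:
        fit_offset = None                                # no FIT, or pointer outside this image
    return {"reset_vector_offset": rv_offset, "jump": jump,
            "jump_target_offset": linear_to_offset(size, jump["linear"]),
            "fit_pointer": fit_ptr, "fit_offset": fit_offset}


def build_sample_image() -> bytes:
    """Constructed 64 KiB stand-in for the top of a BIOS region (not a real dump)."""
    image = bytearray(b"\xff" * 0x10000)
    image[0xFFF0:] = Z370I_RESET_VECTOR                   # last 16 bytes: the reset vector
    image[0xFFC0:0xFFC8] = struct.pack("<Q", 0xFFFFF000)  # FIT pointer -> linear 0xFFFFF000
    image[0xF000:0xF008] = b"_FIT_   "                   # FIT header signature at that address
    return bytes(image)


if __name__ == "__main__":
    jump = decode_reset_jump(Z370I_RESET_VECTOR)
    print(f"16-bit decode: {jump['insn']} -> linear 0x{jump['linear']:08x}")
    print(f"32-bit mis-decode reports: jmp 0x{decode_reset_jump_as_32bit(Z370I_RESET_VECTOR):04x}")
    for key, value in analyze(build_sample_image()).items():
        print(f"{key}: {hex(value) if isinstance(value, int) else value}")
```

On a real dump, replace `build_sample_image()` with the bytes of the whole BIOS region (or the whole SPI image; the maths only needs the last byte to sit at 0xFFFFFFFF) and feed the returned `jump_target_offset` to your disassembler as the start of the SEC core's 16-bit entry code.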