search

PSPReverse / PSPTool

Display, extract, and manipulate PSP firmware inside UEFI images
GNU General Public License v3.0
612 stars 62 forks source link

readme

PSPTool

PSPTool is a Swiss Army knife for dealing with firmware of the AMD Secure Processor (ASP), formerly known as Platform Security Processor or PSP. It can parse, extract, and replace AMD firmware inside UEFI images as part of BIOS updates targeting AMD platforms.

It is based on reverse-engineering efforts of AMD's proprietary filesystem used to pack firmware blobs into UEFI Firmware Images. These are usually 16MB (or 8MB, or 32MB) in size and can be conveniently parsed by UEFITool. However, all binary blobs by AMD are located in padding volumes unparsable by UEFITool.

PSPTool favourably works with UEFI images as obtained through BIOS updates. If these updates are only available through Windows executables, tools like innoextract can help.

PSPTool was developed at TU Berlin in context of the following research:

Installation

You can either install PSPTool's latest release from PyPI,

pip3 install psptool

or install it freshly off GitHub:

git clone https://github.com/PSPReverse/PSPTool
cd PSPTool
pip3 install .

If you intend to make changes to the code and would like your installation to point to the latest changes, install it editable:

pip3 install -e .

Please note that the integration tests require ROM files from a private submodule (tests/integration/fixtures). If you would like to get access to these, contact us.

CLI Usage

PSPTool offers a range of features from the command line.

Example 1: List all firmware entries of a given BIOS ROM.

$ psptool Lenovo_Thinkpad_T495_r12uj35wd.iso
Click to expand output ``` +-----+----------+-----------+----------+--------------------------------+ | ROM | Addr | Size | FET | AGESA | +-----+----------+-----------+----------+--------------------------------+ | 0 | 0x24ab20 | 0x1000000 | 0x26ab20 | AGESA!V9 PicassoPI-FP5 1.0.0.3 | +-----+----------+-----------+----------+--------------------------------+ +--+-----------+----------+------+-------+---------------------+ | | Directory | Addr | Type | Magic | Secondary Directory | +--+-----------+----------+------+-------+---------------------+ | | 0 | 0x28bb20 | PSP | $PSP | 0x138000 | +--+-----------+----------+------+-------+---------------------+ +--+---+-------+----------+---------+---------------------------------+----------+------------+----------------------------+ | | | Entry | Address | Size | Type | Magic/ID | Version | Info | +--+---+-------+----------+---------+---------------------------------+----------+------------+----------------------------+ | | | 0 | 0x28bf20 | 0x240 | AMD_PUBLIC_KEY~0x0 | 60BB | 1 | | | | | 1 | 0x382f20 | 0xc300 | PSP_FW_BOOT_LOADER~0x1 | $PS1 | 0.8.2.59 | verified(60BB), encrypted | | | | 2 | 0x28c220 | 0xb300 | PSP_FW_RECOVERY_BOOT_LOADER~0x3 | $PS1 | 0.8.2.59 | verified(60BB), encrypted | | | | 3 | 0x297520 | 0x22770 | 0x208 | | 0.0.0.0 | compressed, verified(60BB) | | | | 4 | 0x2b9d20 | 0x71b0 | 0x212 | | 0.0.0.0 | compressed, verified(60BB) | | | | 5 | 0x2c0f20 | 0x20830 | PSP_SMU_FN_FIRMWARE~0x108 | | 0.0.0.0 | compressed, verified(60BB) | | | | 6 | 0x2e1820 | 0x5010 | !SMU_OFF_CHIP_FW_3~0x112 | | 0.0.0.0 | compressed, verified(60BB) | | | | 7 | 0x2e6920 | 0x10 | WRAPPED_IKEK~0x21 | | | | | | | 8 | 0x2e6b20 | 0x1000 | TOKEN_UNLOCK~0x22 | | | | | | | 9 | 0x2e7b20 | 0x1860 | 0x224 | $PS1 | A.2.3.27 | verified(60BB), encrypted | | | | 10 | 0x2e9420 | 0x1760 | 0x124 | $PS1 | A.2.3.1A | verified(60BB), encrypted | | | | 11 | 0x2eac20 | 0xdd0 | ABL0~0x30 | AW0B | 18.12.10.0 | compressed, verified(60BB) | | | | 12 | 0x2eba20 | 0xcbb0 | ABL1~0x31 | AW1B | 18.12.10.0 | compressed, verified(60BB) | | | | 13 | 0x2f8620 | 0x8dc0 | ABL2~0x32 | AW2B | 18.12.10.0 | compressed, verified(60BB) | | | | 14 | 0x301420 | 0xbb90 | ABL3~0x33 | AW3B | 18.12.10.0 | compressed, verified(60BB) | | | | 15 | 0x30d020 | 0xcca0 | ABL4~0x34 | AW4B | 18.12.10.0 | compressed, verified(60BB) | | | | 16 | 0x319d20 | 0xc910 | ABL5~0x35 | AW5B | 18.12.10.0 | compressed, verified(60BB) | | | | 17 | 0x326720 | 0x9ef0 | ABL6~0x36 | AW6B | 18.12.10.0 | compressed, verified(60BB) | | | | 18 | 0x330620 | 0xc710 | ABL7~0x37 | AW7B | 18.12.10.0 | compressed, verified(60BB) | | | | 19 | 0x382b20 | 0x400 | !PL2_SECONDARY_DIRECTORY~0x40 | | | | +--+---+-------+----------+---------+---------------------------------+----------+------------+----------------------------+ +--+-----------+----------+-----------+-------+---------------------+ | | Directory | Addr | Type | Magic | Secondary Directory | +--+-----------+----------+-----------+-------+---------------------+ | | 1 | 0x382b20 | secondary | $PL2 | -- | +--+-----------+----------+-----------+-------+---------------------+ +--+---+-------+----------+----------+-----------------------------+----------+------------+----------------------------+ | | | Entry | Address | Size | Type | Magic/ID | Version | Info | +--+---+-------+----------+----------+-----------------------------+----------+------------+----------------------------+ | | | 0 | 0x382f20 | 0xc300 | PSP_FW_BOOT_LOADER~0x1 | $PS1 | 0.8.2.59 | verified(60BB), encrypted | | | | 1 | 0x38f220 | 0x240 | AMD_PUBLIC_KEY~0x0 | 60BB | 1 | | | | | 2 | 0x38f520 | 0xf300 | PSP_FW_TRUSTED_OS~0x2 | $PS1 | 0.8.2.59 | verified(60BB), encrypted | | | | 3 | 0x26bb20 | 0x20000 | PSP_NV_DATA~0x4 | | | | | | | 4 | 0x39e820 | 0x22770 | 0x208 | | 0.0.0.0 | compressed, verified(60BB) | | | | 5 | 0x3c1020 | 0x340 | SEC_DBG_PUBLIC_KEY~0x9 | ED22 | 1 | verified(60BB) | | | | 6 | 0x24ab21 | 0x0 | SOFT_FUSE_CHAIN_01~0xb | | | | | | | 7 | 0x3c1420 | 0x11a50 | PSP_BOOT_TIME_TRUSTLETS~0xc | $PS1 | 0.7.0.1 | compressed, verified(60BB) | | | | 8 | 0x3d2f20 | 0x71b0 | 0x212 | | 0.0.0.0 | compressed, verified(60BB) | | | | 9 | 0x3da120 | 0x1930 | DEBUG_UNLOCK~0x13 | $PS1 | 0.8.2.59 | compressed, verified(60BB) | | | | 10 | 0x3dbb20 | 0x10 | WRAPPED_IKEK~0x21 | | | | | | | 11 | 0x3dcb20 | 0x1000 | TOKEN_UNLOCK~0x22 | | | | | | | 12 | 0x3ddb20 | 0x1860 | 0x224 | $PS1 | A.2.3.27 | verified(60BB), encrypted | | | | 13 | 0x3df420 | 0x1760 | 0x124 | $PS1 | A.2.3.1A | verified(60BB), encrypted | | | | 14 | 0x3e0c20 | 0x23e4 | 0x225 | | 4.2.1.1 | inline_keys(76E9) | | | | 15 | 0x3e3020 | 0x3b00 | 0x125 | | 3.2.2.1 | inline_keys(76E9) | | | | 16 | 0x3e6b20 | 0x18790 | DRIVER_ENTRIES~0x28 | $PS1 | 0.8.2.59 | verified(60BB), encrypted | | | | 17 | 0x3ff320 | 0x16e988 | 0x29 | | 1.20.8.1 | no_key | | | | 18 | 0x56dd20 | 0x3100 | S0I3_DRIVER~0x2d | $PS1 | 0.7.0.1 | verified(60BB) | | | | 19 | 0x570e20 | 0xdd0 | ABL0~0x30 | AW0B | 18.12.10.0 | compressed, verified(60BB) | | | | 20 | 0x571c20 | 0xcbb0 | ABL1~0x31 | AW1B | 18.12.10.0 | compressed, verified(60BB) | | | | 21 | 0x57e820 | 0x8dc0 | ABL2~0x32 | AW2B | 18.12.10.0 | compressed, verified(60BB) | | | | 22 | 0x587620 | 0xbb90 | ABL3~0x33 | AW3B | 18.12.10.0 | compressed, verified(60BB) | | | | 23 | 0x593220 | 0xcca0 | ABL4~0x34 | AW4B | 18.12.10.0 | compressed, verified(60BB) | | | | 24 | 0x59ff20 | 0xc910 | ABL5~0x35 | AW5B | 18.12.10.0 | compressed, verified(60BB) | | | | 25 | 0x5ac920 | 0x9ef0 | ABL6~0x36 | AW6B | 18.12.10.0 | compressed, verified(60BB) | | | | 26 | 0x5b6820 | 0xc710 | ABL7~0x37 | AW7B | 18.12.10.0 | compressed, verified(60BB) | | | | 27 | 0x5c3020 | 0x20830 | PSP_SMU_FN_FIRMWARE~0x108 | | 0.0.0.0 | compressed, verified(60BB) | | | | 28 | 0x5e3920 | 0x5010 | !SMU_OFF_CHIP_FW_3~0x112 | | 0.0.0.0 | compressed, verified(60BB) | +--+---+-------+----------+----------+-----------------------------+----------+------------+----------------------------+ +--+-----------+----------+------+-------+---------------------+ | | Directory | Addr | Type | Magic | Secondary Directory | +--+-----------+----------+------+-------+---------------------+ | | 2 | 0x34eb20 | BIOS | $BHD | 0x3ef000 | +--+-----------+----------+------+-------+---------------------+ +--+---+-------+-----------+---------+-------------------------------+----------+-----------+----------------------------+ | | | Entry | Address | Size | Type | Magic/ID | Version | Info | +--+---+-------+-----------+---------+-------------------------------+----------+-----------+----------------------------+ | | | 0 | 0x34ef20 | 0x340 | BIOS_PUBLIC_KEY~0x5 | 3FC7 | 1 | verified(60BB) | | | | 1 | 0x34fb20 | 0x2000 | FW_IMC~0x60 | | | | | | | 2 | 0x351b20 | 0x2000 | 0x100060 | | | | | | | 3 | 0x353b20 | 0x2000 | 0x200060 | | | | | | | 4 | 0x355b20 | 0x2000 | 0x300060 | | | | | | | 5 | 0x357b20 | 0x2000 | 0x400060 | | | | | | | 6 | 0x359b20 | 0x2000 | 0x500060 | | | | | | | 7 | 0x35bb20 | 0x2000 | 0x600060 | | | | | | | 8 | 0x35db20 | 0x2000 | 0x700060 | | | | | | | 9 | 0x35fb20 | 0x2000 | 0x68 | | | | | | | 10 | 0x361b20 | 0x2000 | 0x100068 | | | | | | | 11 | 0x363b20 | 0x2000 | 0x200068 | | | | | | | 12 | 0x365b20 | 0x2000 | 0x300068 | | | | | | | 13 | 0x367b20 | 0x2000 | 0x400068 | | | | | | | 14 | 0x369b20 | 0x2000 | 0x500068 | | | | | | | 15 | 0x36bb20 | 0x2000 | 0x600068 | | | | | | | 16 | 0x36db20 | 0x2000 | 0x700068 | | | | | | | 17 | 0x24ab20 | 0x0 | FW_GEC~0x61 | | | | | | | 18 | 0x117ab20 | 0xd0000 | BIOS | | | | | | | 19 | 0x36fb20 | 0x3c40 | 0x100064 | 0x05 | 0.0.A1.41 | compressed, verified(60BB) | | | | 20 | 0x373820 | 0x330 | 0x100065 | 0x05 | 0.0.A1.41 | compressed, verified(60BB) | | | | 21 | 0x373c20 | 0x4610 | 0x400064 | 0x05 | 0.0.A1.41 | compressed, verified(60BB) | | | | 22 | 0x378320 | 0x320 | 0x400065 | 0x05 | 0.0.A1.41 | compressed, verified(60BB) | | | | 23 | 0x378720 | 0x4830 | 0x1100064 | 0x05 | 0.0.18.5 | compressed, verified(60BB) | | | | 24 | 0x37d020 | 0x370 | 0x1100065 | 0x05 | 0.0.18.5 | compressed, verified(60BB) | | | | 25 | 0x37d420 | 0x47a0 | 0x1400064 | 0x05 | 0.0.18.5 | compressed, verified(60BB) | | | | 26 | 0x381c20 | 0x340 | 0x1400065 | 0x05 | 0.0.18.5 | compressed, verified(60BB) | | | | 27 | 0x639b20 | 0x400 | !BL2_SECONDARY_DIRECTORY~0x70 | | | | +--+---+-------+-----------+---------+-------------------------------+----------+-----------+----------------------------+ +--+-----------+----------+-----------+-------+---------------------+ | | Directory | Addr | Type | Magic | Secondary Directory | +--+-----------+----------+-----------+-------+---------------------+ | | 3 | 0x639b20 | secondary | $BL2 | -- | +--+-----------+----------+-----------+-------+---------------------+ +--+---+-------+-----------+---------+---------------------+----------+-----------+----------------------------+ | | | Entry | Address | Size | Type | Magic/ID | Version | Info | +--+---+-------+-----------+---------+---------------------+----------+-----------+----------------------------+ | | | 0 | 0x639f20 | 0x340 | BIOS_PUBLIC_KEY~0x5 | 3FC7 | 1 | verified(60BB) | | | | 1 | 0x63ab20 | 0x2000 | FW_IMC~0x60 | | | | | | | 2 | 0x63cb20 | 0x2000 | 0x100060 | | | | | | | 3 | 0x63eb20 | 0x2000 | 0x200060 | | | | | | | 4 | 0x640b20 | 0x2000 | 0x300060 | | | | | | | 5 | 0x642b20 | 0x2000 | 0x400060 | | | | | | | 6 | 0x644b20 | 0x2000 | 0x500060 | | | | | | | 7 | 0x646b20 | 0x2000 | 0x600060 | | | | | | | 8 | 0x648b20 | 0x2000 | 0x700060 | | | | | | | 9 | 0x64ab20 | 0x2000 | 0x68 | | | | | | | 10 | 0x64cb20 | 0x2000 | 0x100068 | | | | | | | 11 | 0x64eb20 | 0x2000 | 0x200068 | | | | | | | 12 | 0x650b20 | 0x2000 | 0x300068 | | | | | | | 13 | 0x652b20 | 0x2000 | 0x400068 | | | | | | | 14 | 0x654b20 | 0x2000 | 0x500068 | | | | | | | 15 | 0x656b20 | 0x2000 | 0x600068 | | | | | | | 16 | 0x658b20 | 0x2000 | 0x700068 | | | | | | | 17 | 0x24ab20 | 0x0 | FW_GEC~0x61 | | | | | | | 18 | 0x117ab20 | 0xd0000 | BIOS | | | | | | | 19 | 0x65ab20 | 0x10000 | FW_INVALID~0x63 | | | | | | | 20 | 0x66ab20 | 0x3c40 | 0x100064 | 0x05 | 0.0.A1.41 | compressed, verified(60BB) | | | | 21 | 0x66e820 | 0x330 | 0x100065 | 0x05 | 0.0.A1.41 | compressed, verified(60BB) | | | | 22 | 0x66ec20 | 0x4610 | 0x400064 | 0x05 | 0.0.A1.41 | compressed, verified(60BB) | | | | 23 | 0x673320 | 0x320 | 0x400065 | 0x05 | 0.0.A1.41 | compressed, verified(60BB) | | | | 24 | 0x673720 | 0x4830 | 0x1100064 | 0x05 | 0.0.18.5 | compressed, verified(60BB) | | | | 25 | 0x678020 | 0x370 | 0x1100065 | 0x05 | 0.0.18.5 | compressed, verified(60BB) | | | | 26 | 0x678420 | 0x47a0 | 0x1400064 | 0x05 | 0.0.18.5 | compressed, verified(60BB) | | | | 27 | 0x67cc20 | 0x340 | 0x1400065 | 0x05 | 0.0.18.5 | compressed, verified(60BB) | | | | 28 | 0x67d020 | 0xc80 | 0x66 | | | | | | | 29 | 0x67dd20 | 0xc80 | 0x100066 | | | | | | | 30 | 0x67ea20 | 0xc80 | 0x200066 | | | | | | | 31 | 0x67f720 | 0x560 | 0x6a | | 0.0.0.0 | inline_keys(76E9) | +--+---+-------+-----------+---------+---------------------+----------+-----------+----------------------------+ ```

Example 2: Extract all unique firmware entries from a given BIOS ROM, uncompress compressed entries and convert public keys into PEM format.

$ psptool -Xunk ASUS_PRIME-A320M-A-ASUS-4801.CAP
Click to expand output ``` -rw-r--r-- 1 cwerling wheel 1.0K Nov 16 10:03 !BL2_SECONDARY_DIRECTORY~0x70 -rw-r--r-- 1 cwerling wheel 4.0K Nov 16 10:03 !FW_PSP_SMUSCS_2~0x15f -rw-r--r-- 1 cwerling wheel 1.0K Nov 16 10:03 !PL2_SECONDARY_DIRECTORY~0x40 -rw-r--r-- 1 cwerling wheel 256B Nov 16 10:03 !PSP_MCLF_TRUSTLETS~0x14_0.0.0.0 -rw-r--r-- 1 cwerling wheel 256K Nov 16 10:03 !SMU_OFF_CHIP_FW_3~0x112_0.0.0.0 -rw-r--r-- 1 cwerling wheel 256K Nov 16 10:03 !SMU_OFF_CHIP_FW_3~0x112_0.2B.15.0 -rw-r--r-- 1 cwerling wheel 24K Nov 16 10:03 0x100064_0.0.A1.41 -rw-r--r-- 1 cwerling wheel 12K Nov 16 10:03 0x100065_0.0.A1.41 -rw-r--r-- 1 cwerling wheel 3.1K Nov 16 10:03 0x100066 -rw-r--r-- 1 cwerling wheel 32K Nov 16 10:03 0x1100064_0.0.10.1 -rw-r--r-- 1 cwerling wheel 32K Nov 16 10:03 0x1100064_0.0.18.5 -rw-r--r-- 1 cwerling wheel 16K Nov 16 10:03 0x1100065_0.0.10.1 -rw-r--r-- 1 cwerling wheel 16K Nov 16 10:03 0x1100065_0.0.18.5 -rw-r--r-- 1 cwerling wheel 5.6K Nov 16 10:03 0x124_A.2.3.1A -rw-r--r-- 1 cwerling wheel 15K Nov 16 10:03 0x125_3.2.2.1 -rw-r--r-- 1 cwerling wheel 32K Nov 16 10:03 0x1400064_0.0.10.1 -rw-r--r-- 1 cwerling wheel 32K Nov 16 10:03 0x1400064_0.0.18.5 -rw-r--r-- 1 cwerling wheel 16K Nov 16 10:03 0x1400065_0.0.10.1 -rw-r--r-- 1 cwerling wheel 16K Nov 16 10:03 0x1400065_0.0.18.5 -rw-r--r-- 1 cwerling wheel 8.0K Nov 16 10:03 0x200060 -rw-r--r-- 1 cwerling wheel 3.1K Nov 16 10:03 0x200066 -rw-r--r-- 1 cwerling wheel 8.0K Nov 16 10:03 0x200068 -rw-r--r-- 1 cwerling wheel 256K Nov 16 10:03 0x208_0.0.0.0 -rw-r--r-- 1 cwerling wheel 256K Nov 16 10:03 0x212_0.0.0.0 -rw-r--r-- 1 cwerling wheel 5.8K Nov 16 10:03 0x224_A.2.3.27 -rw-r--r-- 1 cwerling wheel 8.7K Nov 16 10:03 0x225_4.2.1.1 -rw-r--r-- 1 cwerling wheel 256K Nov 16 10:03 0x2a_0.2E.16.0 -rw-r--r-- 1 cwerling wheel 3.1K Nov 16 10:03 0x300066 -rw-r--r-- 1 cwerling wheel 24K Nov 16 10:03 0x400064_0.0.A1.41 -rw-r--r-- 1 cwerling wheel 12K Nov 16 10:03 0x400065_0.0.A1.41 -rw-r--r-- 1 cwerling wheel 3.1K Nov 16 10:03 0x400066 -rw-r--r-- 1 cwerling wheel 3.1K Nov 16 10:03 0x500066 -rw-r--r-- 1 cwerling wheel 3.1K Nov 16 10:03 0x66 -rw-r--r-- 1 cwerling wheel 4.0K Nov 16 10:03 0x67 -rw-r--r-- 1 cwerling wheel 8.0K Nov 16 10:03 0x68 -rw-r--r-- 1 cwerling wheel 1.1K Nov 16 10:03 0x6a_0.0.0.0 -rw-r--r-- 1 cwerling wheel 520B Nov 16 10:03 0x800068 -rw-r--r-- 1 cwerling wheel 416B Nov 16 10:03 ABL0~0x30_0.0.0.0 -rw-r--r-- 1 cwerling wheel 4.5K Nov 16 10:03 ABL0~0x30_18.12.12.30 -rw-r--r-- 1 cwerling wheel 4.5K Nov 16 10:03 ABL0~0x30_19.1.14.0 -rw-r--r-- 1 cwerling wheel 84K Nov 16 10:03 ABL1~0x31_18.12.12.30 -rw-r--r-- 1 cwerling wheel 90K Nov 16 10:03 ABL1~0x31_19.1.14.0 -rw-r--r-- 1 cwerling wheel 95K Nov 16 10:03 ABL2~0x32_18.12.12.30 -rw-r--r-- 1 cwerling wheel 101K Nov 16 10:03 ABL2~0x32_19.1.14.0 -rw-r--r-- 1 cwerling wheel 75K Nov 16 10:03 ABL3~0x33_18.12.12.30 -rw-r--r-- 1 cwerling wheel 81K Nov 16 10:03 ABL3~0x33_19.1.14.0 -rw-r--r-- 1 cwerling wheel 79K Nov 16 10:03 ABL4~0x34_18.12.12.30 -rw-r--r-- 1 cwerling wheel 99K Nov 16 10:03 ABL4~0x34_19.1.14.0 -rw-r--r-- 1 cwerling wheel 101K Nov 16 10:03 ABL5~0x35_18.12.12.30 -rw-r--r-- 1 cwerling wheel 88K Nov 16 10:03 ABL5~0x35_19.1.14.0 -rw-r--r-- 1 cwerling wheel 76K Nov 16 10:03 ABL6~0x36_18.12.12.30 -rw-r--r-- 1 cwerling wheel 69K Nov 16 10:03 ABL6~0x36_19.1.14.0 -rw-r--r-- 1 cwerling wheel 98K Nov 16 10:03 ABL7~0x37_19.1.14.0 -rw-r--r-- 1 cwerling wheel 451B Nov 16 10:03 AMD_PUBLIC_KEY~0x0 -rw-r--r-- 1 cwerling wheel 1.9M Nov 16 10:03 BIOS -rw-r--r-- 1 cwerling wheel 4.0K Nov 16 10:03 BIOS_RTM_FIRMWARE~0x6 -rw-r--r-- 1 cwerling wheel 7.9K Nov 16 10:03 DEBUG_UNLOCK~0x13_0.8.0.5E -rw-r--r-- 1 cwerling wheel 8.0K Nov 16 10:03 DEBUG_UNLOCK~0x13_0.9.0.6B -rw-r--r-- 1 cwerling wheel 8.8K Nov 16 10:03 DEBUG_UNLOCK~0x13_0.D.0.1A -rw-r--r-- 1 cwerling wheel 98K Nov 16 10:03 DRIVER_ENTRIES~0x28_0.8.0.5E -rw-r--r-- 1 cwerling wheel 82K Nov 16 10:03 DRIVER_ENTRIES~0x28_0.D.0.1A -rw-r--r-- 1 cwerling wheel 0B Nov 16 10:03 FW_GEC~0x61 -rw-r--r-- 1 cwerling wheel 8.0K Nov 16 10:03 FW_IMC~0x60 -rw-r--r-- 1 cwerling wheel 160K Nov 16 10:03 FW_INVALID~0x63 -rw-r--r-- 1 cwerling wheel 4.0K Nov 16 10:03 FW_PSP_SMUSCS~0x5f -rw-r--r-- 1 cwerling wheel 8.5K Nov 16 10:03 MP2_FW~0x25_3.18.0.1 -rw-r--r-- 1 cwerling wheel 800B Nov 16 10:03 OEM_PSP_FW_PUBLIC_KEY~0xa -rw-r--r-- 1 cwerling wheel 256B Nov 16 10:03 PSP_AGESA_RESUME_FW~0x10_0.5.0.3E -rw-r--r-- 1 cwerling wheel 451B Nov 16 10:03 PSP_BOOT_TIME_TRUSTLETS_KEY~0xd -rw-r--r-- 1 cwerling wheel 256B Nov 16 10:03 PSP_BOOT_TIME_TRUSTLETS~0xc_0.0.0.0 -rw-r--r-- 1 cwerling wheel 112K Nov 16 10:03 PSP_BOOT_TIME_TRUSTLETS~0xc_0.7.0.1 -rw-r--r-- 1 cwerling wheel 256B Nov 16 10:03 PSP_FW_BOOT_LOADER~0x1_0.5.0.45 -rw-r--r-- 1 cwerling wheel 49K Nov 16 10:03 PSP_FW_BOOT_LOADER~0x1_0.8.0.5E -rw-r--r-- 1 cwerling wheel 41K Nov 16 10:03 PSP_FW_BOOT_LOADER~0x1_0.9.0.6B -rw-r--r-- 1 cwerling wheel 55K Nov 16 10:03 PSP_FW_BOOT_LOADER~0x1_0.D.0.1A -rw-r--r-- 1 cwerling wheel 256B Nov 16 10:03 PSP_FW_RECOVERY_BOOT_LOADER~0x3_0.5.0.45 -rw-r--r-- 1 cwerling wheel 45K Nov 16 10:03 PSP_FW_RECOVERY_BOOT_LOADER~0x3_0.8.0.5E -rw-r--r-- 1 cwerling wheel 41K Nov 16 10:03 PSP_FW_RECOVERY_BOOT_LOADER~0x3_FF.9.0.6A -rw-r--r-- 1 cwerling wheel 256B Nov 16 10:03 PSP_FW_TRUSTED_OS~0x2_0.5.0.45 -rw-r--r-- 1 cwerling wheel 61K Nov 16 10:03 PSP_FW_TRUSTED_OS~0x2_0.8.0.5E -rw-r--r-- 1 cwerling wheel 264K Nov 16 10:03 PSP_FW_TRUSTED_OS~0x2_0.9.0.6B -rw-r--r-- 1 cwerling wheel 60K Nov 16 10:03 PSP_FW_TRUSTED_OS~0x2_0.D.0.1A -rw-r--r-- 1 cwerling wheel 128K Nov 16 10:03 PSP_NV_DATA~0x4 -rw-r--r-- 1 cwerling wheel 12K Nov 16 10:03 PSP_S3_NV_DATA~0x1a -rw-r--r-- 1 cwerling wheel 256B Nov 16 10:03 PSP_SMU_FN_FIRMWARE~0x108_0.0.0.0 -rw-r--r-- 1 cwerling wheel 256K Nov 16 10:03 PSP_SMU_FN_FIRMWARE~0x108_0.2B.15.0 -rw-r--r-- 1 cwerling wheel 800B Nov 16 10:03 SEC_DBG_PUBLIC_KEY~0x9 -rw-r--r-- 1 cwerling wheel 14K Nov 16 10:03 SEC_GASKET~0x24_11.3.0.8 -rw-r--r-- 1 cwerling wheel 6.7K Nov 16 10:03 SEC_GASKET~0x24_13.2.0.9 -rw-r--r-- 1 cwerling wheel 5.8K Nov 16 10:03 SEC_GASKET~0x24_A.2.3.27 -rw-r--r-- 1 cwerling wheel 256B Nov 16 10:03 SMU_OFFCHIP_FW~0x8_0.0.0.0 -rw-r--r-- 1 cwerling wheel 256K Nov 16 10:03 SMU_OFFCHIP_FW~0x8_0.19.54.0 -rw-r--r-- 1 cwerling wheel 256K Nov 16 10:03 SMU_OFFCHIP_FW~0x8_0.2E.16.0 -rw-r--r-- 1 cwerling wheel 256K Nov 16 10:03 SMU_OFF_CHIP_FW_2~0x12_0.0.0.0 -rw-r--r-- 1 cwerling wheel 256K Nov 16 10:03 SMU_OFF_CHIP_FW_2~0x12_0.19.54.0 -rw-r--r-- 1 cwerling wheel 256K Nov 16 10:03 SMU_OFF_CHIP_FW_2~0x12_0.2E.16.0 -rw-r--r-- 1 cwerling wheel 0B Nov 16 10:03 SOFT_FUSE_CHAIN_01~0xb -rw-r--r-- 1 cwerling wheel 4.0K Nov 16 10:03 TOKEN_UNLOCK~0x22 -rw-r--r-- 1 cwerling wheel 16B Nov 16 10:03 WRAPPED_IKEK~0x21 ```

Example 3: Extract the firmware entry from a given BIOS ROM at directory index 1 entry index 8 (PSP_BOOT_TIME_TRUSTLETS) and show strings of length 10.

$ psptool -X -d 1 -e 8 MSI_X399_E7B92AMS.130 | strings -n 10
Click to expand output ``` AMD_TL_UTIL: Hashing the message: %p AMD_TL_UTIL: ProcessCmd_Hash(), UTIL_ERR_INVALID_BUFFER, exit RSA: Calling tlApiRandomGenerateData RSA: Calling DbgUnlockRsaKeyGen RSA: Done Calling DbgUnlockRsaKeyGen DbgUnlockRsaKeyGen failed AMD_TL_UTIL: Deriving AES key AMD_TL_UTIL: ProcessCmd_Hmac(), UTIL_ERR_INVALID_BUFFER, exit AMD_TL_UTIL: Deriving HMAC key HMAC Signature Key for PSP Data saved in DRAM AMD_TL_UTIL: Computing HMAC of payload AMD_TL_UTIL: running AMD_TL_UTIL: invalid TCI TCI buffer: %p TCI buffer length: %p sizeof(tciMessage_t): %p AMD_TL_UTIL: waiting for notification RSA: Calling generateKeyPair and RSA signing RSA: Calling DbgUnlockKeyVerfiy AMD_TL_UTIL: Unknown command ID %d, ignore AMD_TL_UTIL: notify TLC h(`ahi`!h crAmd_ModExp aA failed, status = 0x%x crAmd_ModExp aB failed status = 0x%x crAmd_ModExp failed ret=0x%08x, exit Not Composite Subtract failed GDB failed RSAPrime value of total iteration j = %d tlApiCipherInit failed with ret=0x%97X, exit tlApiCipherUpdate failed with ret=0x%08X tlApiCipherDoFinal failed with ret=0x%08X Done Generating starting prime Calling GetRsaPrime DOne GetRsaPrime Value of P Value of Q Value of Modulus ((0x%04X)): Value of PrivateExponent (0x%04X): PRF_HASH_OTP starting crAmd_MessageDigestInitHwKey failed ret=0x%08x, exit tlApiMessageDigestDoFinal failed ret=0x%08x, exit RSA: Signing data RSA: tlApiSignatureInit failed with ret=%x Signature: RSA: signature data length: %d RSA: Verifying data RSA: tlApiSignatureVerify failed with ret=%x Rsa: tlApiSignatureVerify validity = %x AMD_TL_UTIL: ProcessCmd_Hash(), tlApiMessageDigestInit ret=0x%08X, exit AMD_TL_UTIL: processCmdSha256(), tlApiMessageDigestDoFinal ret=0x%08X, exit AMD_TL_UTIL: processCmd_Hmac(), crAmd_CipherInitWithHwKey ret=0x%08X, exit AMD_TL_UTIL: processCmd_Hmac(), tlApiCipherDoFinal ret=0x%08X, exit AMD_TL_UTIL: ProcessCmd_Hmac(), tlApiSignatureInit ret=0x%08X, exit AMD_TL_UTIL: ProcessCmd_Hmac(), tlApiSignatureSign ret=0x%08X, exit RSA: Init data for signing with TLAPI_SIG_RSA_SHA256_PSS type signature RSA: Init data for verifying with TLAPI_SIG_RSA_SHA256_PSS type signature !F(F0"r120 dAd8k:F02@ h(`ahi`!h ph,Fh`xhqh pG00pG\0pG VLWM ```(`h`0 NL(`h`0`p` #HpG"HD0pG!H"0pG h8C `*F1F F !%*.59WWWWWWI9?DW "qEGvxJJEEENPR EZ]_b]dh__jl ProcessCmd_TpmManufacture UnwrapDataFromNwd WrapDataForNwd ReadNvRecord ReadNvRecordMustSucceed WriteNvRecord ReadNvRecordOnInit AmdNv_Init AmdNv_Commit 2L_plat__GetEntropy _plat__NVEnable _plat__NvMemoryRead _plat__NvMemoryWrite _plat__NvMemoryClear _plat__NvMemoryMove This is not really a unique value. A real unique value should be generated by the platform. TPM2_ContextLoad TPM2_ContextSave ComputeContextProtectionKey TPM2_EvictControl TPM2_FlushContext TPM2_Import TPM2_Rewrap TPM2_PolicyTicket PolicyContextUpdate PolicySptCheckCondition TPM2_HierarchyChangeAuth TPM2_HierarchyControl TPM2_SetPrimaryPolicy TPM2_NV_Extend TPM2_Create TPM2_CreateLoaded SchemeChecks SensitiveToPrivate PrivateToSensitive SensitiveToDuplicate DuplicateToSensitive SecretToCredential TPM2_Shutdown TPM2_Startup Amd_Sha1Start Amd_Sha256Start Amd_Sha384Start Amd_Sha512Start Amd_ShaUpdate Amd_ShaFinal BnFromBytes BnPointTo2B CarryResolve BnUnsignedCmp BnShiftRight C_2_2_ECDH CryptEcc2PhaseKeyExchange CryptEccGetParameter CryptEccIsPointOnCurve CryptEccGenerateKey BnSignEcdsa CryptEccSign CryptEccValidateSignature CryptEccCommitCompute CryptHashCopyState CryptDigestUpdate CryptHashEnd CryptDigestUpdate2B CryptHmacEnd MillerRabin BnGeneratePrimeForRSA PrimeSieve PrimeSelectWithSieve DRBG_GetEntropy DRBG_Update DRBG_Reseed DRBG_SelfTest DRBG_InstantiateSeeded DRBG_Generate DRBG_Instantiate CryptRandMinMax OaepEncode OaepDecode RSASSA_Decode CryptRsaDecrypt CryptRsaSign CryptRsaValidateSignature CryptRsaGenerateKey CryptIncrementalSelfTest CryptSymmetricEncrypt CryptSymmetricDecrypt CryptXORObfuscation CryptSecretEncrypt CryptSecretDecrypt CryptParameterEncryption CryptParameterDecryption CryptCreateObject CryptGetSignHashAlg ParseHandleBuffer CommandDispatcher ExecuteCommand IncrementLockout IsAuthValueAvailable CheckAuthSession ParseSessionBuffer UpdateAuditDigest BuildResponseSession HierarchyGetProof HierarchyGetPrimarySeed HierarchyIsEnabled NvWriteNvListEnd NvRamGetIndex NvDeleteRAM NvReadNvIndexInfo NvGetIndexData NvWriteIndexData NvFlushHierarchy NvCapGetPersistent NvCapGetIndex NvUpdatePersistent ObjectIsSequence HandleToObject GetQualifiedName FlushObject ObjectFlushHierarchy ObjectCapGetLoaded GetSavedPcrPointer GetPcrPointer PCRChanged PCRComputeCurrentDigest PCRAllocate PCRCapGetHandles SessionIsLoaded SessionIsSaved SessionGet ContextIdSessionCreate SessionCreate SessionContextSave SessionContextLoad SessionFlush SessionResetPolicyData SessionCapGetLoaded SessionCapGetSaved TimeClockUpdate TimeSetAdjustRate GetClosestCommandIndex EntityGetLoadStatus EntityGetAuthValue EntityGetAuthPolicy EntityGetHierarchy Primary Object Creation ECDAA Commit PermanentCapGetHandles PermanentHandleGetPolicy MemoryGetActionInputBuffer MemoryGetActionOutputBuffer LocalityGetAttributes UINT8_Marshal UINT16_Marshal UINT32_Marshal UINT64_Marshal BYTE_Array_Marshal MemoryCopy2B MemoryConcat2B UnmarshalFail ```

Example 4: Visualize the certificate chain of all firmware elements:

$ psptool -t Lenovo_Thinkpad_T495_r12uj35wd.iso
Click to expand output ``` AMD +-PubkeyEntity(60BB, @38f224) | PubkeyEntity(60BB, @28bf24) | +-SignedEntity(@5e3920:5010) (verified=True) | +-SignedEntity(@673720:4830) (verified=True) | +-SignedEntity(@57e820:8dc0) (verified=True) | +-SignedEntity(@2f8620:8dc0) (verified=True) | +-SignedEntity(@2b9d20:71b0) (verified=True) | +-SignedEntity(@34ef20:340) (verified=True) | | +-PubkeyEntity(3FC7, @34ef24) | | | PubkeyEntity(3FC7, @639f24) | +-SignedEntity(@39e820:22770) (verified=True) | +-SignedEntity(@37d420:47a0) (verified=True) | +-SignedEntity(@678020:370) (verified=True) | +-SignedEntity(@3c1020:340) (verified=True) | | +-PubkeyEntity(ED22, @3c1024) | +-SignedEntity(@587620:bb90) (verified=True) | +-SignedEntity(@301420:bb90) (verified=True) | +-SignedEntity(@2c0f20:20830) (verified=True) | +-SignedEntity(@36fb20:3c40) (verified=True) | +-SignedEntity(@381c20:340) (verified=True) | +-SignedEntity(@3e6b20:18790) (verified=True) | +-SignedEntity(@678420:47a0) (verified=True) | +-SignedEntity(@3c1420:11a50) (verified=True) | +-SignedEntity(@593220:cca0) (verified=True) | +-SignedEntity(@639f20:340) (verified=True) | | +-PubkeyEntity(3FC7, @34ef24) | | | PubkeyEntity(3FC7, @639f24) | +-SignedEntity(@30d020:cca0) (verified=True) | +-SignedEntity(@2e1820:5010) (verified=True) | +-SignedEntity(@373820:330) (verified=True) | +-SignedEntity(@67cc20:340) (verified=True) | +-SignedEntity(@3d2f20:71b0) (verified=True) | +-SignedEntity(@59ff20:c910) (verified=True) | +-SignedEntity(@66ab20:3c40) (verified=True) | +-SignedEntity(@319d20:c910) (verified=True) | +-SignedEntity(@2e7b20:1860) (verified=True) | +-SignedEntity(@373c20:4610) (verified=True) | +-SignedEntity(@3e2cc4:340) (verified=True) | | +-PubkeyEntity(76E9, @3e67e4) | | | PubkeyEntity(76E9, @67f944) | | | PubkeyEntity(76E9, @3e2cc8) | | | +-SignedEntity(@67f720:560) (verified=False) | | | | +-PubkeyEntity(76E9, @3e67e4) | | | | | PubkeyEntity(76E9, @67f944) | | | | | PubkeyEntity(76E9, @3e2cc8) | | | | | +-SignedEntity(@67f720:560) (verified=False) | | | | | +-SignedEntity(@3e0c20:23e4) (verified=False) | | | | | +-SignedEntity(@3e3020:3b00) (verified=False) | | | | | | +-PubkeyEntity(76E9, @3e67e4) | | | | | | | PubkeyEntity(76E9, @67f944) | | | | | | | PubkeyEntity(76E9, @3e2cc8) | | | | | | | +-SignedEntity(@67f720:560) (verified=False) | | | | | | | +-SignedEntity(@3e0c20:23e4) (verified=False) | | | | | | | +-SignedEntity(@3e3020:3b00) (verified=False) | | | +-SignedEntity(@3e0c20:23e4) (verified=False) | | | +-SignedEntity(@3e3020:3b00) (verified=False) | | | | +-PubkeyEntity(76E9, @3e67e4) | | | | | PubkeyEntity(76E9, @67f944) | | | | | PubkeyEntity(76E9, @3e2cc8) | | | | | +-SignedEntity(@67f720:560) (verified=False) | | | | | | +-PubkeyEntity(76E9, @3e67e4) | | | | | | | PubkeyEntity(76E9, @67f944) | | | | | | | PubkeyEntity(76E9, @3e2cc8) | | | | | | | +-SignedEntity(@67f720:560) (verified=False) | | | | | | | +-SignedEntity(@3e0c20:23e4) (verified=False) | | | | | | | +-SignedEntity(@3e3020:3b00) (verified=False) | | | | | +-SignedEntity(@3e0c20:23e4) (verified=False) | | | | | +-SignedEntity(@3e3020:3b00) (verified=False) | +-SignedEntity(@56dd20:3100) (verified=True) | +-SignedEntity(@3da120:1930) (verified=True) | +-SignedEntity(@5ac920:9ef0) (verified=True) | +-SignedEntity(@66e820:330) (verified=True) | +-SignedEntity(@382f20:c300) (verified=True) | +-SignedEntity(@326720:9ef0) (verified=True) | +-SignedEntity(@2e9420:1760) (verified=True) | +-SignedEntity(@378320:320) (verified=True) | +-SignedEntity(@3e67e0:340) (verified=True) | | +-PubkeyEntity(76E9, @3e67e4) | | | PubkeyEntity(76E9, @67f944) | | | PubkeyEntity(76E9, @3e2cc8) | | | +-SignedEntity(@67f720:560) (verified=False) | | | | +-PubkeyEntity(76E9, @3e67e4) | | | | | PubkeyEntity(76E9, @67f944) | | | | | PubkeyEntity(76E9, @3e2cc8) | | | | | +-SignedEntity(@67f720:560) (verified=False) | | | | | +-SignedEntity(@3e0c20:23e4) (verified=False) | | | | | | +-PubkeyEntity(76E9, @3e67e4) | | | | | | | PubkeyEntity(76E9, @67f944) | | | | | | | PubkeyEntity(76E9, @3e2cc8) | | | | | | | +-SignedEntity(@67f720:560) (verified=False) | | | | | | | +-SignedEntity(@3e0c20:23e4) (verified=False) | | | | | | | +-SignedEntity(@3e3020:3b00) (verified=False) | | | | | +-SignedEntity(@3e3020:3b00) (verified=False) | | | +-SignedEntity(@3e0c20:23e4) (verified=False) | | | | +-PubkeyEntity(76E9, @3e67e4) | | | | | PubkeyEntity(76E9, @67f944) | | | | | PubkeyEntity(76E9, @3e2cc8) | | | | | +-SignedEntity(@67f720:560) (verified=False) | | | | | | +-PubkeyEntity(76E9, @3e67e4) | | | | | | | PubkeyEntity(76E9, @67f944) | | | | | | | PubkeyEntity(76E9, @3e2cc8) | | | | | | | +-SignedEntity(@67f720:560) (verified=False) | | | | | | | +-SignedEntity(@3e0c20:23e4) (verified=False) | | | | | | | +-SignedEntity(@3e3020:3b00) (verified=False) | | | | | +-SignedEntity(@3e0c20:23e4) (verified=False) | | | | | +-SignedEntity(@3e3020:3b00) (verified=False) | | | +-SignedEntity(@3e3020:3b00) (verified=False) | +-SignedEntity(@67f940:340) (verified=True) | | +-PubkeyEntity(76E9, @3e67e4) | | | PubkeyEntity(76E9, @67f944) | | | PubkeyEntity(76E9, @3e2cc8) | | | +-SignedEntity(@67f720:560) (verified=False) | | | +-SignedEntity(@3e0c20:23e4) (verified=False) | | | | +-PubkeyEntity(76E9, @3e67e4) | | | | | PubkeyEntity(76E9, @67f944) | | | | | PubkeyEntity(76E9, @3e2cc8) | | | | | +-SignedEntity(@67f720:560) (verified=False) | | | | | +-SignedEntity(@3e0c20:23e4) (verified=False) | | | | | +-SignedEntity(@3e3020:3b00) (verified=False) | | | | | | +-PubkeyEntity(76E9, @3e67e4) | | | | | | | PubkeyEntity(76E9, @67f944) | | | | | | | PubkeyEntity(76E9, @3e2cc8) | | | | | | | +-SignedEntity(@67f720:560) (verified=False) | | | | | | | +-SignedEntity(@3e0c20:23e4) (verified=False) | | | | | | | +-SignedEntity(@3e3020:3b00) (verified=False) | | | +-SignedEntity(@3e3020:3b00) (verified=False) | | | | +-PubkeyEntity(76E9, @3e67e4) | | | | | PubkeyEntity(76E9, @67f944) | | | | | PubkeyEntity(76E9, @3e2cc8) | | | | | +-SignedEntity(@67f720:560) (verified=False) | | | | | +-SignedEntity(@3e0c20:23e4) (verified=False) | | | | | | +-PubkeyEntity(76E9, @3e67e4) | | | | | | | PubkeyEntity(76E9, @67f944) | | | | | | | PubkeyEntity(76E9, @3e2cc8) | | | | | | | +-SignedEntity(@67f720:560) (verified=False) | | | | | | | +-SignedEntity(@3e0c20:23e4) (verified=False) | | | | | | | +-SignedEntity(@3e3020:3b00) (verified=False) | | | | | +-SignedEntity(@3e3020:3b00) (verified=False) | +-SignedEntity(@570e20:dd0) (verified=True) | +-SignedEntity(@3ddb20:1860) (verified=True) | +-SignedEntity(@5b6820:c710) (verified=True) | +-SignedEntity(@66ec20:4610) (verified=True) | +-SignedEntity(@28c220:b300) (verified=True) | +-SignedEntity(@330620:c710) (verified=True) | +-SignedEntity(@2eac20:dd0) (verified=True) | +-SignedEntity(@378720:4830) (verified=True) | +-SignedEntity(@38f520:f300) (verified=True) | +-SignedEntity(@571c20:cbb0) (verified=True) | +-SignedEntity(@3df420:1760) (verified=True) | +-SignedEntity(@5c3020:20830) (verified=True) | +-SignedEntity(@673320:320) (verified=True) | +-SignedEntity(@297520:22770) (verified=True) | +-SignedEntity(@2eba20:cbb0) (verified=True) | +-SignedEntity(@37d020:370) (verified=True) +-PubkeyEntity(76E9, @3e67e4) | PubkeyEntity(76E9, @67f944) | PubkeyEntity(76E9, @3e2cc8) | +-SignedEntity(@67f720:560) (verified=False) | | +-PubkeyEntity(76E9, @3e67e4) | | | PubkeyEntity(76E9, @67f944) | | | PubkeyEntity(76E9, @3e2cc8) | | | +-SignedEntity(@67f720:560) (verified=False) | | | +-SignedEntity(@3e0c20:23e4) (verified=False) | | | | +-PubkeyEntity(76E9, @3e67e4) | | | | | PubkeyEntity(76E9, @67f944) | | | | | PubkeyEntity(76E9, @3e2cc8) | | | | | +-SignedEntity(@67f720:560) (verified=False) | | | | | +-SignedEntity(@3e0c20:23e4) (verified=False) | | | | | +-SignedEntity(@3e3020:3b00) (verified=False) | | | +-SignedEntity(@3e3020:3b00) (verified=False) | +-SignedEntity(@3e0c20:23e4) (verified=False) | | +-PubkeyEntity(76E9, @3e67e4) | | | PubkeyEntity(76E9, @67f944) | | | PubkeyEntity(76E9, @3e2cc8) | | | +-SignedEntity(@67f720:560) (verified=False) | | | | +-PubkeyEntity(76E9, @3e67e4) | | | | | PubkeyEntity(76E9, @67f944) | | | | | PubkeyEntity(76E9, @3e2cc8) | | | | | +-SignedEntity(@67f720:560) (verified=False) | | | | | +-SignedEntity(@3e0c20:23e4) (verified=False) | | | | | +-SignedEntity(@3e3020:3b00) (verified=False) | | | +-SignedEntity(@3e0c20:23e4) (verified=False) | | | +-SignedEntity(@3e3020:3b00) (verified=False) | +-SignedEntity(@3e3020:3b00) (verified=False) ```

General usage:

usage: psptool [-V | -E | -X | -R] [file]

Display, extract, and manipulate AMD PSP firmware inside BIOS ROMs.

positional arguments:
  file                 Binary file to be parsed for PSP firmware

optional arguments:
  -V, --version
  -E, --entries        Default: Parse and display PSP firmware entries.
                       [-n] [-j] [-t]

                       -n:      list unique entries only ordered by their offset
                       -j:      output in JSON format instead of tables
                       -t:      print tree of all signed entities and their certifying keys

  -X, --extract-entry  Extract one or more PSP firmware entries.
                       [[-r idx] -d idx [-e idx]] [-n] [-u] [-c] [-k] [-o outfile]

                       -r idx:  specifies rom_index (default: 0)
                       -d idx:  specifies directory_index (default: all directories)
                       -e idx:  specifies entry_index (default: all entries)
                       -n:      skip duplicate entries and extract unique entries only
                       -u:      uncompress compressed entries
                       -c:      try to decrypt entries
                       -k:      convert pubkeys into PEM format
                       -o file: specifies outfile/outdir (default: stdout/{file}_extracted)

  -R, --replace-entry  Copy a new entry (including header and signature) into the
                       ROM file and update metadata accordingly.
                       [-r idx] -d idx -e idx -s subfile -o outfile [-p file-stub] [-a pass]

                       -r idx:  specifies rom_index (default: 0)
                       -d idx:  specifies directory_index
                       -e idx:  specifies entry_index
                       -s file: specifies subfile (i.e. the new entry contents)
                       -o file: specifies outfile
                       -p file: specifies file-stub (e.g. 'keys/id') for the re-signing keys
                       -a pass: specifies password for the re-signing keys

Python Usage

PSPTool can be used as a Python module, e.g. in an interactive IPython session:

> from psptool import PSPTool
> psp = PSPTool.from_file('original_bios.bin')
> psp.blob.roms[0]
[Directory(address=0x77000, type=PSP_NEW, count=16),
 Directory(address=0x149000, type=secondary, count=20),
 Directory(address=0x117000, type=BHD, count=14),
 Directory(address=0x249000, type=secondary, count=17)]
> psp.ls_dir(0)
+---+-------+----------+---------+------+-----------------------------+-------+------------+-----------------------+
|   | Entry |  Address |    Size | Type |                   Type Name | Magic |    Version |             Signed by |
+---+-------+----------+---------+------+-----------------------------+-------+------------+-----------------------+
|   |     0 |  0x77400 |   0x240 |  0x0 |              AMD_PUBLIC_KEY |       |            |                       |
|   |     1 | 0x149400 | 0x10000 |  0x1 |          PSP_FW_BOOT_LOADER |  $PS1 |   0.7.0.52 |        AMD_PUBLIC_KEY |
|   |     2 |  0x77700 |  0xcf40 |  0x3 | PSP_FW_RECOVERY_BOOT_LOADER |  $PS1 |  FF.7.0.51 |        AMD_PUBLIC_KEY |
|   |     3 |  0x84700 | 0x1e550 |  0x8 |              SMU_OFFCHIP_FW |  SMUR |  4.19.64.0 |        AMD_PUBLIC_KEY |
|   |     4 |  0xa2d00 |   0x340 |  0xa |       OEM_PSP_FW_PUBLIC_KEY |       |            |                       |
|   |     5 |  0xa3100 |  0x3eb0 | 0x12 |           SMU_OFF_CHIP_FW_2 |  SMUR |  4.19.64.0 |        AMD_PUBLIC_KEY |
|   |     6 |  0xa7000 |    0x10 | 0x21 |                             |       |            |                       |
|   |     7 |  0xa7100 |   0xcc0 | 0x24 |                             |  $PS1 |   12.2.0.9 |        AMD_PUBLIC_KEY |
|   |     8 |  0xa7e00 |   0xc20 | 0x30 |                             |  0BAR | 17.9.18.12 | OEM_PSP_FW_PUBLIC_KEY |
|   |     9 |  0xa8b00 |  0xbc50 | 0x31 |          0x31~ABL_ARM_CODE~ |  AR1B | 17.9.18.12 | OEM_PSP_FW_PUBLIC_KEY |
|   |    10 |  0xb4800 |  0xb5c0 | 0x32 |                             |  AR2B | 17.9.18.12 | OEM_PSP_FW_PUBLIC_KEY |
|   |    11 |  0xbfe00 |  0xdb00 | 0x33 |                             |  AR3B | 17.9.18.12 | OEM_PSP_FW_PUBLIC_KEY |
|   |    12 |  0xcd900 |  0xefd0 | 0x34 |                             |  AR4B | 17.9.18.12 | OEM_PSP_FW_PUBLIC_KEY |
|   |    13 |  0xdc900 |  0xf020 | 0x35 |                             |  AR5B | 17.9.18.12 | OEM_PSP_FW_PUBLIC_KEY |
|   |    14 |  0xeba00 |  0xbd60 | 0x36 |                             |  AR6B | 17.9.18.12 | OEM_PSP_FW_PUBLIC_KEY |
|   |    15 | 0x149000 |   0x400 | 0x40 |    !PL2_SECONDARY_DIRECTORY |       |            |                       |
+---+-------+----------+---------+------+-----------------------------+-------+------------+-----------------------+
> psp.blob.roms[0].directories[0].entries[0]
PubkeyEntry(type=0x0, address=0x77400, size=0x240, len(references)=1)
> psp.blob.directories[0].entries[0].get_bytes()
b'\x01\x00\x00\x00\x1b\xb9\x87\xc3YIF\x06\xb1t\x94V\x01\xc9\xea[\x1b\xb9\x87\xc3YIF\x06\xb1t\x94V\x01\xc9\xea[\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x08\x00\x00\x01\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
[...]
> my_stuff = [...]
> psp.blob.roms[0].directories[0].entries[1].move_buffer(0x60000, 0x1000)
> psp.blob.roms[0].set_bytes(0x60000, 0x1000, my_stuff)
> psp.to_file('my_modified_bios.bin')