search

theopolis / uefi-firmware-parser

Parse BIOS/Intel ME/UEFI firmware related structures: Volumes, FileSystems, Files, etc
Other
780 stars 156 forks source link

exception when bruteforcing Apple scap file #113

Open kambala-decapitator opened 1 year ago

kambala-decapitator commented 1 year ago

OS: macOS 12.6.1 Python version: 3.9.15 (from Homebrew) uefi-firmware-parser: from pip

> uefi-firmware-parser -b ~/Downloads/mbp/MBP61.scap
/usr/local/bin/uefi-firmware-parser:38: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if parser.type() is not 'unknown':
/usr/local/bin/uefi-firmware-parser:141: SyntaxWarning: "is" with a literal. Did you mean "=="?
  if parser.type() is 'unknown':
Found volume magic at 0x50
Firmware Volume: 7a9354d9-0468-444a-81ce-0bf617d890df attr 0xffff8eff, rev 1, cksum 0xb5ca, size 0x410000 (4259840 bytes)
  Firmware Volume Blocks: (65, 0x10000)
...
      File 8: 1cead970-200d-49d4-b2a0-062e8a50a872 type 0x02, attr 0x40, state 0x07, size 0xc5 (197 bytes), (freeform)
        Section 0: type 0x01, size 0xad (173 bytes) (Compression section)
          Section 0: type 0x02, size 0x1020 (4128 bytes) (Guid Defined section)
            Guid-Defined: fc1bcdb0-7d31-49aa-936a-a4600d9dd083 offset= 0x1c attrs= 0x2 (AUTH_VALID)
              Section 0: type 0x19, size 0x1004 (4100 bytes) (Raw section)
%s%s chips 0x%02x, regions 0x%02x, masters 0x%02x, PCH straps 0x%02x, PROC straps 0x%02x, ICC entries 0x%02x
Traceback (most recent call last):
  File "/usr/local/bin/uefi-firmware-parser", line 133, in <module>
    brute_search_volumes(input_data)
  File "/usr/local/bin/uefi-firmware-parser", line 46, in brute_search_volumes
    parse_firmware_volume(data[index - 40:], name=index - 40)
  File "/usr/local/bin/uefi-firmware-parser", line 55, in parse_firmware_volume
    _process_show_extract(firmware_volume)
  File "/usr/local/bin/uefi-firmware-parser", line 18, in _process_show_extract
    parsed_object.showinfo('')
  File "/usr/local/lib/python3.9/site-packages/uefi_firmware/uefi.py", line 1258, in showinfo
    _ffs.showinfo(ts + " ")
  File "/usr/local/lib/python3.9/site-packages/uefi_firmware/uefi.py", line 1067, in showinfo
    firmware_file.showinfo(ts + ' ', index=i)
  File "/usr/local/lib/python3.9/site-packages/uefi_firmware/uefi.py", line 973, in showinfo
    blob.showinfo(ts + "  ", index=i)
  File "/usr/local/lib/python3.9/site-packages/uefi_firmware/uefi.py", line 1258, in showinfo
    _ffs.showinfo(ts + " ")
  File "/usr/local/lib/python3.9/site-packages/uefi_firmware/uefi.py", line 1067, in showinfo
    firmware_file.showinfo(ts + ' ', index=i)
  File "/usr/local/lib/python3.9/site-packages/uefi_firmware/uefi.py", line 982, in showinfo
    section.showinfo(ts + "  ", index=i)
  File "/usr/local/lib/python3.9/site-packages/uefi_firmware/uefi.py", line 765, in showinfo
    self.parsed_object.showinfo(ts + '  ')
  File "/usr/local/lib/python3.9/site-packages/uefi_firmware/uefi.py", line 451, in showinfo
    _object.showinfo(ts, i)
  File "/usr/local/lib/python3.9/site-packages/uefi_firmware/uefi.py", line 765, in showinfo
    self.parsed_object.showinfo(ts + '  ')
  File "/usr/local/lib/python3.9/site-packages/uefi_firmware/uefi.py", line 589, in showinfo
    section.showinfo("%s  " % ts, index=i)
  File "/usr/local/lib/python3.9/site-packages/uefi_firmware/uefi.py", line 765, in showinfo
    self.parsed_object.showinfo(ts + '  ')
  File "/usr/local/lib/python3.9/site-packages/uefi_firmware/flash.py", line 186, in showinfo
    print("%s%s chips 0x%02x, regions 0x%02x, masters 0x%02x, PCH straps 0x%02x, "
TypeError: unsupported operand type(s) for %: 'NoneType' and 'tuple'

UEFITool reports the following errors:

parseVolumeHeader: unknown file system E3B980A9-5FE3-48E5-9B92-2798385A9027
parseVolumeBody: unknown FFS version 0
parseVolumeNonUefiData: non-UEFI data found in volume's free space
performSecondPass: the last VTF appears inside compressed item, the image may be damaged
findNextStore: VSS store candidate at offset 48h skipped, has invalid size FFFFFFFFh

With Firmware.scap file there're no errors:

> uefi-firmware-parser -b ~/Downloads/mbp/Firmware.scap 
/usr/local/bin/uefi-firmware-parser:38: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if parser.type() is not 'unknown':
/usr/local/bin/uefi-firmware-parser:141: SyntaxWarning: "is" with a literal. Did you mean "=="?
  if parser.type() is 'unknown':
Found volume magic at 0x50
Firmware Volume: 7a9354d9-0468-444a-81ce-0bf617d890df attr 0xffff8eff, rev 1, cksum 0x4ad3, size 0xf00000 (15728640 bytes)
  Firmware Volume Blocks: (240, 0x10000)
  File 0: c3e36d09-8294-4b97-a857-d5288fe33e28 type 0x02, attr 0x40, state 0x07, size 0x66 (102 bytes), (freeform)
    Section 0: type 0x19, size 0x4e (78 bytes) (Raw section)
  File 1: 32f2adf8-9310-4866-9ea7-215c8fa436ab type 0x02, attr 0x40, state 0x07, size 0xdcc8aa (14469290 bytes), (freeform)
    Section 0: type 0x19, size 0xdcc892 (14469266 bytes) (Raw section)