Reverse engineering EFI Bios

Many computer manufacturers rely on security through obscurity to hide the poorly designed security of their BIOS/EFI infrastructure, which in practice protects against no one. The EFI format makes reversing particularly easy.

You can look inside your BIOS and understand the crypto inside your laptop or desktop by following something like this:

  1. Get the EFI BIOS distribution for your motherboard from the vendor site. Many vendors keep BIOS packages available, including many old versions.
  2. Extract the EFI code base from the BIOS distribution. Try a standard archive extractor or binwalk. In some cases you might need something like extract-hdr-from-exe.
  3. Unpack the EFI image with UEFIExtract from the UEFITool suite.
  4. You will get a list of standard ELF files. Find the ones you need and feed them to a decompiler.
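To see what UEFIExtract is actually walking in step 3, here is an added example (not code from the original post, UEFITool or any vendor) that parses the on-flash layout of a UEFI image: it scans a blob for the `_FVH` signature of EFI_FIRMWARE_VOLUME_HEADER, verifies the 16-bit header checksum, then walks the FFS file headers and the sections inside each file. The firmware volume it parses is constructed in `build_sample_volume()` with the real FFS2 filesystem GUID but a made-up file GUID, a placeholder PE32 payload and no compression; real images also carry compressed and GUID-defined sections, which this parser only lists by type. Checksum failures and erased (0xFF) space are handled so a truncated or corrupted dump stops cleanly instead of producing garbage entries.

```python
import struct
import uuid

FV_SIGNATURE = b"_FVH"
FV_SIGNATURE_OFFSET = 40                    # Signature sits 40 bytes into the FV header
# ZeroVector, FileSystemGuid, FvLength, Signature, Attributes, HeaderLength,
# Checksum, ExtHeaderOffset, Reserved, Revision (BlockMap follows, 8 bytes per entry)
FV_HEADER_FMT = "<16s16sQ4sIHHHBB"
FFS_HDR_FMT = "<16sBBBB3sB"                 # Name, HdrCksum, FileCksum, Type, Attr, Size24, State
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")  # EFI_FIRMWARE_FILE_SYSTEM2_GUID

FILE_TYPES = {0x01: "RAW", 0x02: "FREEFORM", 0x03: "SECURITY_CORE", 0x04: "PEI_CORE",
              0x05: "DXE_CORE", 0x06: "PEIM", 0x07: "DRIVER", 0x08: "COMBINED_PEIM_DRIVER",
              0x09: "APPLICATION", 0x0A: "SMM", 0x0B: "FIRMWARE_VOLUME_IMAGE",
              0x0C: "COMBINED_SMM_DXE", 0x0D: "SMM_CORE", 0xF0: "FFS_PAD"}
SECTION_TYPES = {0x01: "COMPRESSION", 0x02: "GUID_DEFINED", 0x10: "PE32", 0x11: "PIC",
                 0x12: "TE", 0x13: "DXE_DEPEX", 0x14: "VERSION", 0x15: "USER_INTERFACE",
                 0x17: "FIRMWARE_VOLUME_IMAGE", 0x18: "FREEFORM_SUBTYPE_GUID", 0x19: "RAW",
                 0x1B: "PEI_DEPEX", 0x1C: "SMM_DEPEX"}


def _u24(b):
    return b[0] | (b[1] << 8) | (b[2] << 16)


def _sum16(data):
    # FV header checksum: all 16-bit words of the header must sum to 0 mod 2^16
    return sum(struct.unpack("<%dH" % (len(data) // 2), data)) & 0xFFFF


def _sum8(data):
    return sum(data) & 0xFF


def find_volumes(blob):
    """Locate every firmware volume whose header length and checksum are plausible."""
    vols, pos = [], blob.find(FV_SIGNATURE)
    while pos != -1:
        start = pos - FV_SIGNATURE_OFFSET
        if start >= 0:
            f = struct.unpack_from(FV_HEADER_FMT, blob, start)
            fv_len, hdr_len = f[2], f[5]
            if (56 <= hdr_len <= fv_len <= len(blob) - start and hdr_len % 2 == 0
                    and _sum16(blob[start:start + hdr_len]) == 0):
                vols.append({"offset": start, "length": fv_len, "header_length": hdr_len,
                             "filesystem": str(uuid.UUID(bytes_le=f[1])), "revision": f[9]})
        pos = blob.find(FV_SIGNATURE, pos + 1)
    return vols


def parse_sections(body):
    """Walk EFI_COMMON_SECTION_HEADERs (4-byte aligned) inside one FFS file body."""
    secs, off = [], 0
    while off + 4 <= len(body):
        size3, stype = struct.unpack_from("<3sB", body, off)
        size = _u24(size3)
        if size < 4 or off + size > len(body):
            break
        data = body[off + 4:off + size]
        entry = {"type": SECTION_TYPES.get(stype, hex(stype)), "size": size}
        if stype == 0x15:                                    # UI section: UCS-2 module name
            entry["name"] = data.decode("utf-16-le").rstrip("\0")
        elif stype == 0x10:                                  # PE32 section: should start with MZ
            entry["is_pe"] = data[:2] == b"MZ"
        secs.append(entry)
        off = (off + size + 3) & ~3
    return secs


def parse_files(blob, vol):
    """Walk EFI_FFS_FILE_HEADERs (8-byte aligned) until the end of the volume or erased flash."""
    files = []
    off, end = vol["offset"] + vol["header_length"], vol["offset"] + vol["length"]
    while off + 24 <= end:
        hdr = blob[off:off + 24]
        name, hcs, fcs, ftype, attrs, size3, state = struct.unpack(FFS_HDR_FMT, hdr)
        if name == b"\xff" * 16:                             # erased space: no more files
            break
        size = _u24(size3)
        if size < 24 or off + size > end:
            break
        # Header checksum is computed with IntegrityCheck.File and State treated as zero
        header_ok = _sum8(hdr[:17] + b"\0" + hdr[18:23]) == 0
        files.append({"offset": off, "guid": str(uuid.UUID(bytes_le=name)),
                      "type": FILE_TYPES.get(ftype, hex(ftype)), "size": size,
                      "header_ok": header_ok,
                      "sections": parse_sections(blob[off + 24:off + size])})
        off = (off + size + 7) & ~7
    return files


def inventory(blob):
    vols = find_volumes(blob)
    for vol in vols:
        vol["files"] = parse_files(blob, vol)
    return vols


def _section(stype, data):
    size = 4 + len(data)
    return size.to_bytes(3, "little") + bytes([stype]) + data


def build_sample_volume():
    """Constructed sample image: filler, one FV with one DXE driver (UI + PE32 sections), trailer."""
    body = _section(0x15, "SampleDxe".encode("utf-16-le") + b"\0\0")
    body += b"\0" * (-len(body) % 4)
    body += _section(0x10, b"MZ" + b"\0" * 14)              # placeholder, not a real PE image
    name = uuid.UUID("11111111-2222-4333-8444-555555555555").bytes_le  # made-up file GUID
    size = 24 + len(body)
    pre = name + bytes([0x07, 0x00]) + size.to_bytes(3, "little")   # Type=DRIVER, Attributes=0
    hcs = (-_sum8(pre)) & 0xFF
    file_hdr = name + bytes([hcs, 0xAA]) + pre[16:] + b"\xF8"        # 0xAA = fixed file checksum
    fv_len, hdr_len = 256, 72
    files_area = file_hdr + body + b"\xff" * (fv_len - hdr_len - size - 0)
    hdr = struct.pack(FV_HEADER_FMT, b"\0" * 16, FFS2_GUID.bytes_le, fv_len, FV_SIGNATURE,
                      0x0004FEFF, hdr_len, 0, 0, 0, 2) + struct.pack("<IIII", 1, fv_len, 0, 0)
    hdr = hdr[:50] + struct.pack("<H", (-_sum16(hdr)) & 0xFFFF) + hdr[52:]
    return b"FILLER_BEFORE_FV" + hdr + files_area + b"TRAILING"


if __name__ == "__main__":
    for vol in inventory(build_sample_volume()):
        print("FV @%#x len=%d fs=%s" % (vol["offset"], vol["length"], vol["filesystem"]))
        for fl in vol["files"]:
            print("  %s %s size=%d hdr_ok=%s %s" % (fl["guid"], fl["type"], fl["size"],
                                                    fl["header_ok"], fl["sections"]))
```

Running it prints one volume at offset 16 with a single DRIVER file named SampleDxe whose PE32 section starts with `MZ`; those PE32 (or TE) sections are the module images you would hand to a decompiler in step 4. On a real dump, run `inventory()` over the whole file and expect several volumes, some nested inside FIRMWARE_VOLUME_IMAGE sections or compressed, which is exactly the recursion UEFIExtract does for you.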

An interesting side effect of the EFI infrastructure is that you can craft an emulation environment and actually run these EFI modules inside it, with something like UEFIReverse, attach gdb and trace through the code.