GitHunt
AL

al3xtjames/ghidra-firmware-utils

Ghidra utilities for analyzing PC firmware

firmwareghidrareverse-engineeringuefi

Ghidra Firmware Utilities

Various modules for Ghidra to assist with PC firmware reverse engineering.
This was accepted as a coreboot project for GSoC 2019.

Features

PCI option ROM loader

  • Implements a FS loader for PCI option ROMs (handles hybrid ROMs with
    multiple images, e.g. legacy x86 + UEFI)
  • Loads UEFI executables from PCI option ROMs (including compressed images)
  • Defines the entry point function and various header data types for legacy
    x86 option ROMs

Firmware image loader

  • Implements a FS loader for Flash Map (FMAP) images and Intel Flash
    Descriptor (IFD) images (shows flash regions)
  • Implements a FS loader for Coreboot Filesystem (CBFS) images (displays
    included files and handles compression)
  • Implements a FS loader for UEFI firmware volumes and nested firmware
    filesystem (FFS) file/FFS section parsing

Terse Executable (TE) loader

  • Implements a binary loader for TE binaries (frequently used in UEFI PI)

UEFI helper script

  • Includes data type libraries for base UEFI types (taken from EDK2 MdePkg)
  • Fixes the signature of the entry point function
  • Defines known GUIDs in the binary's .data/.text segments
  • Locates and defines global copies of UEFI table pointers (gBS/gRT/gST/etc)

Building & Installation

JDK 21 (or newer) and Ghidra 12.0 (or newer) are required.

Ghidra's standard Gradle build system is used. Set the GHIDRA_INSTALL_DIR
environment variable before building, or set it as a Gradle property (useful
for building in an IDE):

Environment variable

$ export GHIDRA_INSTALL_DIR="/path/to/ghidra"
$ ./gradlew

Gradle property

echo GHIDRA_INSTALL_DIR=/path/to/ghidra > gradle.properties

Note

GHIDRA_INSTALL_DIR should point to the directory which contains
support/buildExtension.gradle. For example, users of the
Flathub package should use
/var/lib/flatpak/app/org.ghidra_sre.Ghidra/current/active/files/lib/ghidra.

The module ZIP will be output to dist/. Use File > Install Extensions and
select the green plus to browse to the extension. Restart Ghidra when prompted.

For proper functionality, the plugin should be built with the same JRE used
by your Ghidra installation. If you have multiple Java runtime environments
installed, select the correct JRE by setting the JAVA_HOME environment
variable before building.

Usage

PCI option ROM loader

Add a PCI option ROM to a Ghidra project. Legacy x86 option ROMs can be
directly loaded for analysis. Ensure that the binary format is set to
x86 PCI Option ROM, and import the binary.

UEFI option ROMs or option ROMs that contain more than one image should be
imported using the filesystem loader. When prompted to select an import mode,
select File system. The images contained within the option ROM will be
displayed, and can be imported for analysis. Legacy x86 images will be handled
the x86 PCI Option ROM loader, and UEFI images will be handled by the PE32
loader (compression is supported). Information for each image can be displayed
by selecting Get Info in the right-click menu.

Firmware image loader

Add a supported firmware image to a Ghidra project. The firmware image loader
supports Intel images with a Flash Descriptor, coreboot images with a FMAP/CBFS
layout, and UEFI firmware volumes. The File system import mode can be used
to view embedded files within the specified firmware image.

Note that some UEFI firmware images may store nested firmware volumes within
freeform/raw files (or freeform/raw FFS sections). Such files can be imported
as firmware volumes by selecting Open File System in the right-click menu
for the specified freeform/raw file. If no nested firmware volume is found, an
error message will be displayed (No file system provider for...).

UEFI helper script

The helper script is included in the plugin's ghidra_scripts directory, which
should be automatically added to the list of script directories in Ghidra.

Run the UEFI helper script by selecting UEFIHelper.java in the Script Manager
window (accessed from Window -> Script Manager).

To modify the UEFI data type library, modify the PRF template in
data/gen_prf.sh as necessary and generate new PRF files. Open the generated
PRF file in File -> Parse C Source. Build the updated data type library
by selecting Parse to File.... Overwrite the original data type libraries
in data and rebuild the plugin.

These are some interesting projects related to UEFI reversing:

License

Apache 2.0, with some exceptions:

  • src/efidecompress/c/efidecompress.c: BSD

Credits

src/efidecompress/c/efidecompress.c is a lightly modified version of
Decompress.c from uefi-firmware-parser (which itself is derived from
the original in EDK2 BaseTools).

The IFD FS loader in src/main/java/firmware/ifd used the parser from
UEFITool as a reference.

The GUID database in data/guids.csv is taken from UEFITool.

The UEFI data type libraries in data/uefi_*.gdt were generated with
data/gen_prf.sh, which is partially based off the UEFI parser definition
from a Ghidra pull request by wrffrz. These data type libraries use
headers from EDK2 MdePkg.

GhidraVitaLoader by xerpi was used as a reference for some parts of the
UEFI helper script.

Languages

Java88.4%C11.3%Shell0.3%
Other
Created May 27, 2019
Updated March 9, 2026