Marketplace
chipsec
Static analysis of UEFI/BIOS firmware dumps using Intel's chipsec framework. Decode firmware structure, detect known malware and rootkits (LoJax, ThinkPwn, HackingTeam, MosaicRegressor), generate EFI executable inventories with hashes, extract NVRAM variables, and parse SPI flash descriptors. Use when analyzing firmware .bin/.rom/.fd/.cap files offline without requiring hardware access.
$ 安裝
git clone https://github.com/BrownFineSecurity/iothackbot /tmp/iothackbot && cp -r /tmp/iothackbot/skills/chipsec ~/.claude/skills/iothackbot// tip: Run this command in your terminal to install the skill
SKILL.md
name: chipsec description: Static analysis of UEFI/BIOS firmware dumps using Intel's chipsec framework. Decode firmware structure, detect known malware and rootkits (LoJax, ThinkPwn, HackingTeam, MosaicRegressor), generate EFI executable inventories with hashes, extract NVRAM variables, and parse SPI flash descriptors. Use when analyzing firmware .bin/.rom/.fd/.cap files offline without requiring hardware access.
Chipsec - UEFI Firmware Static Analysis
You are helping the user perform static security analysis of UEFI/BIOS firmware dumps using Intel's chipsec framework. This skill focuses exclusively on offline analysis capabilities that do not require kernel driver access or root privileges.
Tool Overview
Chipsec is Intel's Platform Security Assessment Framework. For static analysis of firmware dumps, it provides:
- EFI executable inventory generation with cryptographic hashes
- Detection of known UEFI malware and vulnerabilities
- Firmware structure decoding and extraction
- NVRAM/UEFI variable extraction
- SPI flash descriptor parsing
- Baseline comparison for change detection
Prerequisites
One-Time Setup (Fix Logging Permission)
Chipsec requires a writable logs directory. Run once:
sudo mkdir -p /usr/lib/python3.13/site-packages/logs
sudo chmod 777 /usr/lib/python3.13/site-packages/logs
Verify Installation
chipsec_main --version
Core Commands
All static analysis commands use these flags:
-i: Ignore platform check (required for offline analysis)-n: No kernel driver (required for static analysis)
1. Malware and Vulnerability Scan (Primary Use)
Scan firmware for known threats including UEFI rootkits and SMM vulnerabilities:
chipsec_main -i -n -m tools.uefi.scan_blocked -a <firmware.bin>
Detected Threats:
| Threat | Description | Reference |
|---|---|---|
| HT_UEFI_Rootkit | HackingTeam commercial UEFI rootkit | McAfee ATR |
| MR_UEFI_Rootkit | MosaicRegressor APT UEFI implant | Kaspersky |
| LoJax | First UEFI rootkit found in the wild (Sednit/APT28) | ESET |
| ThinkPwn | SystemSmmRuntimeRt SMM code execution vulnerability | cr4.sh |
| FirmwareBleed | SMM Return Stack Buffer stuffing vulnerability | Binarly |
Example Output (Threat Found):
[!] match 'ThinkPwn.SystemSmmRuntimeRt'
GUID : {7c79ac8c-5e6c-4e3d-ba6f-c260ee7c172e}
[!] found EFI binary matching 'ThinkPwn'
MD5 : 59f5ba825911e7d0dffe06ee0d6d9828
SHA256: 7f0e16f244151e7bfa170b7def014f6a225c5af626c223567f36a8b19f95e3ab
WARNING: Blocked EFI binary found in the UEFI firmware image
2. Generate EFI Executable Inventory
Create a JSON manifest of all EFI modules with cryptographic hashes:
chipsec_main -i -n -m tools.uefi.scan_image -a generate <output.json> <firmware.bin>
Use Cases:
- Create baseline for change detection
- Inventory all DXE drivers, PEI modules, applications
- Generate hashes for threat intelligence lookup
Output Format (efilist.json):
{
"sha256_hash": {
"sha1": "...",
"guid": "EFD652CC-0E99-40F0-96C0-E08C089070FC",
"name": "S3Resume",
"type": "S_PE32"
}
}
3. Compare Against Baseline
Check firmware against a known-good inventory:
chipsec_main -i -n -m tools.uefi.scan_image -a check <baseline.json> <firmware.bin>
Use Cases:
- Detect unauthorized firmware modifications
- Verify firmware update integrity
- Incident response - compare compromised vs clean
4. Decode Firmware Structure
Extract and analyze firmware volumes, files, and sections:
chipsec_util -i -n uefi decode <firmware.bin>
Creates output directory containing:
firmware.bin.dir/
├── firmware_volumes/ # Extracted FV regions
├── efi_files/ # Individual EFI binaries
├── nvram/ # NVRAM variables (if found)
└── ...
5. Extract NVRAM Variables
NVRAM variables are extracted as part of the uefi decode command:
chipsec_util -i -n uefi decode <firmware.bin>
NVRAM output location:
firmware.bin.dir/
├── nvram_.nvram.lst # List of NVRAM variables
├── nvram/ # Extracted variable files (if present)
└── FV/ # Firmware volumes
View extracted variables:
cat firmware.bin.dir/nvram_.nvram.lst
Note: The standalone uefi nvram command requires driver access and cannot be used for static analysis. Use uefi decode instead, which extracts NVRAM as part of the full firmware decode process.
6. Parse SPI Flash Descriptor
Analyze SPI flash regions (requires platform hint):
chipsec_util -p <PLATFORM> spidesc <firmware.bin>
Common Platform Codes:
| Code | Platform |
|---|---|
| SNB | Sandy Bridge (2nd Gen Core) |
| IVB | Ivy Bridge (3rd Gen Core) |
| HSW | Haswell (4th Gen Core) |
| BDW | Broadwell (5th Gen Core) |
| SKL | Skylake (6th Gen Core) |
| KBL | Kaby Lake (7th Gen Core) |
| CFL | Coffee Lake (8th/9th Gen Core) |
| ICL | Ice Lake (10th Gen Core) |
| TGL | Tiger Lake (11th Gen Core) |
| ADL | Alder Lake (12th Gen Core) |
| RPL | Raptor Lake (13th Gen Core) |
Shows:
- Flash regions (Descriptor, BIOS, ME, GbE, PDR)
- Region base addresses and sizes
- Flash component information
- Master access permissions
Supported Firmware Formats
| Extension | Description |
|---|---|
.bin | Raw firmware/SPI flash dumps |
.rom | SPI flash ROM dumps |
.fd | UEFI Firmware Descriptor (OVMF, EDK2) |
.cap | UEFI Capsule update files |
.scap | Signed UEFI Capsule updates |
.fv | UEFI Firmware Volume |
.flash | Full flash dumps |
Workflows
Workflow 1: Standard Security Audit
Complete firmware security assessment:
TARGET="firmware.bin"
OUTPUT_DIR="./chipsec-analysis"
mkdir -p "$OUTPUT_DIR"
# Step 1: Scan for known threats (most important)
echo "[+] Scanning for known malware/vulnerabilities..."
chipsec_main -i -n -m tools.uefi.scan_blocked -a "$TARGET" 2>&1 | tee "$OUTPUT_DIR/threat_scan.txt"
# Step 2: Generate EFI inventory
echo "[+] Generating EFI executable inventory..."
chipsec_main -i -n -m tools.uefi.scan_image -a generate "$OUTPUT_DIR/efi_inventory.json" "$TARGET"
# Step 3: Decode firmware structure
echo "[+] Decoding firmware structure..."
chipsec_util -i -n uefi decode "$TARGET"
# Step 4: Check for NVRAM in decoded output
echo "[+] Checking for extracted NVRAM variables..."
cat "$TARGET.dir/nvram_.nvram.lst" 2>/dev/null || echo "No NVRAM variables extracted"
echo "[+] Analysis complete. Results in: $OUTPUT_DIR/"
echo "[+] Decoded firmware in: $TARGET.dir/"
Workflow 2: Malware Detection Focus
Quick check for known threats:
# Run blocklist scan
chipsec_main -i -n -m tools.uefi.scan_blocked -a firmware.bin 2>&1 | tee scan_results.txt
# Check for any matches
echo "[+] Checking for threat matches..."
grep -E "match|found|WARNING" scan_results.txt
# If threats found, get details
grep -A10 "found EFI binary matching" scan_results.txt
Workflow 3: Firmware Update Verification
Compare before/after firmware update:
# Before update - create baseline
chipsec_main -i -n -m tools.uefi.scan_image -a generate baseline_before.json firmware_original.bin
# After update - compare
chipsec_main -i -n -m tools.uefi.scan_image -a check baseline_before.json firmware_updated.bin
# Also generate new inventory for diff analysis
chipsec_main -i -n -m tools.uefi.scan_image -a generate baseline_after.json firmware_updated.bin
# Compare inventories
diff baseline_before.json baseline_after.json
Workflow 4: Incident Response
Analyze potentially compromised firmware:
SUSPECT="compromised_dump.bin"
KNOWN_GOOD="golden_image.bin"
OUTPUT_DIR="./ir-analysis"
mkdir -p "$OUTPUT_DIR"
# 1. Immediate threat scan
echo "[!] Scanning for known implants..."
chipsec_main -i -n -m tools.uefi.scan_blocked -a "$SUSPECT" 2>&1 | tee "$OUTPUT_DIR/threat_scan.txt"
# 2. Generate inventory of suspect firmware
chipsec_main -i -n -m tools.uefi.scan_image -a generate "$OUTPUT_DIR/suspect_inventory.json" "$SUSPECT"
# 3. If golden image available, compare
if [ -f "$KNOWN_GOOD" ]; then
chipsec_main -i -n -m tools.uefi.scan_image -a generate "$OUTPUT_DIR/golden_inventory.json" "$KNOWN_GOOD"
echo "[+] Comparing against known-good baseline..."
chipsec_main -i -n -m tools.uefi.scan_image -a check "$OUTPUT_DIR/golden_inventory.json" "$SUSPECT"
fi
# 4. Full decode for manual analysis
chipsec_util -i -n uefi decode "$SUSPECT"
echo "[+] IR analysis complete. Review: $OUTPUT_DIR/"
Workflow 5: IoT Device Firmware Analysis
Analyze firmware extracted from IoT device:
# After extracting firmware with ffind or binwalk
IOT_FIRMWARE="extracted_firmware.bin"
# Quick threat check
chipsec_main -i -n -m tools.uefi.scan_blocked -a "$IOT_FIRMWARE"
# Generate inventory for documentation
chipsec_main -i -n -m tools.uefi.scan_image -a generate iot_efi_list.json "$IOT_FIRMWARE"
# Extract structure for deeper analysis
chipsec_util -i -n uefi decode "$IOT_FIRMWARE"
# NVRAM variables extracted as part of decode - check output
cat "$IOT_FIRMWARE.dir/nvram_.nvram.lst" 2>/dev/null
Output Interpretation
Exit Codes
| Code | Meaning |
|---|---|
| 0 | All checks passed, no issues found |
| 2 | Security issues detected (FAILED tests) |
| 16 | Module execution errors |
| 128 | Module not applicable |
Result States
| State | Meaning | Action |
|---|---|---|
| PASSED | No known threats detected | Document and proceed |
| WARNING | Potential issue found | Investigate further |
| FAILED | Security vulnerability confirmed | Remediate immediately |
| NOT APPLICABLE | Test couldn't run | Check firmware format |
Interpreting Threat Matches
When scan_blocked finds a match:
[!] match 'ThinkPwn.SystemSmmRuntimeRt'
GUID : {7c79ac8c-5e6c-4e3d-ba6f-c260ee7c172e}
regexp: bytes '...' at offset 1184h
[!] found EFI binary matching 'ThinkPwn'
MD5 : 59f5ba825911e7d0dffe06ee0d6d9828
SHA1 : 4979bc7660fcf3ab5562ef2e1c4c45097ecb615e
SHA256: 7f0e16f244151e7bfa170b7def014f6a225c5af626c223567f36a8b19f95e3ab
Key Information:
- Threat Name: Which known threat was matched
- GUID: Unique identifier of the affected EFI module
- Hashes: For further threat intelligence lookup
- Offset: Location in binary where pattern matched
Integration with IoTHackBot Tools
With ffind (Firmware Extraction)
# Find firmware files in extracted filesystem
ffind /path/to/extracted -a
# Analyze found UEFI firmware
chipsec_main -i -n -m tools.uefi.scan_blocked -a found_firmware.bin
With binwalk (Pre-processing)
# Extract firmware components first
binwalk -e firmware_package.bin
# Find and analyze UEFI images
find _firmware_package.bin.extracted -name "*.fd" -o -name "*.rom" | while read fw; do
echo "[+] Analyzing: $fw"
chipsec_main -i -n -m tools.uefi.scan_blocked -a "$fw"
done
Troubleshooting
Permission Denied on Logs
PermissionError: [Errno 13] Permission denied: '/usr/lib/python3.13/site-packages/logs/...'
Solution:
sudo mkdir -p /usr/lib/python3.13/site-packages/logs
sudo chmod 777 /usr/lib/python3.13/site-packages/logs
Module Not Found
ERROR: No module named 'chipsec.modules.tools.uefi.scan_blocked'
Solution: Verify chipsec installation:
pip show chipsec
pip install --upgrade chipsec
Invalid Firmware Format
[CHIPSEC] Found 0 EFI executables in UEFI firmware image
Possible Causes:
- File is not valid UEFI firmware
- File is encrypted or compressed
- File needs pre-processing (binwalk extraction)
Diagnosis:
file firmware.bin
binwalk firmware.bin
Platform Required for spidesc
ERROR: This module requires a configuration to be loaded.
Solution: Specify platform with -p:
chipsec_util -p SKL spidesc firmware.bin
NVRAM Not Extracted
If nvram_.nvram.lst is empty or shows an error after decode:
Possible Causes:
- Firmware doesn't contain standard NVRAM format
- NVRAM region is encrypted or compressed
- Non-standard vendor format
Alternative Analysis:
# Search for variable-like patterns in decoded output
grep -r "Setup\|Boot\|SecureBoot" firmware.bin.dir/
# Use binwalk to find NVRAM signatures
binwalk -R "\x06\x00\x00\x00" firmware.bin
Best Practices
1. Always Run Threat Scan First
The blocklist scan is quick and catches known threats:
chipsec_main -i -n -m tools.uefi.scan_blocked -a firmware.bin
2. Generate Inventory for Every Firmware
Create baselines for future comparison:
chipsec_main -i -n -m tools.uefi.scan_image -a generate "$(basename firmware.bin .bin)_inventory.json" firmware.bin
3. Save All Output
Redirect output for documentation:
chipsec_main -i -n -m tools.uefi.scan_blocked -a firmware.bin 2>&1 | tee analysis_$(date +%Y%m%d).txt
4. Verify Firmware Format First
Before running chipsec:
file firmware.bin
binwalk firmware.bin | head -20
5. Use Organized Output Directories
mkdir -p analysis/{threats,inventories,decoded,nvram}
6. Cross-Reference with Other Tools
- UEFITool: Visual firmware structure analysis
- binwalk: Entropy analysis and extraction
- strings: Quick secrets/URL discovery
Command Reference
Quick Reference Table
| Task | Command |
|---|---|
| Scan for malware | chipsec_main -i -n -m tools.uefi.scan_blocked -a <fw> |
| Generate inventory | chipsec_main -i -n -m tools.uefi.scan_image -a generate <out.json> <fw> |
| Compare baseline | chipsec_main -i -n -m tools.uefi.scan_image -a check <base.json> <fw> |
| Decode structure + NVRAM | chipsec_util -i -n uefi decode <fw> |
| Parse SPI descriptor | chipsec_util -p <PLAT> spidesc <fw> |
Flag Reference
| Flag | Purpose |
|---|---|
-i | Ignore platform check (required for offline) |
-n | No kernel driver (required for static analysis) |
-m | Specify module to run |
-a | Module arguments |
-p | Specify platform (for spidesc) |
-j | JSON output file |
Security and Ethics
IMPORTANT: Only analyze firmware you own or have explicit authorization to analyze.
- Respect intellectual property and licensing
- Follow responsible disclosure for vulnerabilities found
- Document all analysis activities
- Be aware that some firmware may contain proprietary code
- Use findings for defensive security purposes only
Success Criteria
A successful chipsec static analysis includes:
- Threat scan completed (PASSED or findings documented)
- EFI inventory JSON generated with module hashes
- Firmware structure decoded (if applicable)
- NVRAM variables extracted (if present)
- All findings documented with:
- Threat name and severity
- Affected module GUID and hashes
- Recommendations for remediation
- Output files organized and saved for reporting
Repository
BrownFineSecurity
Author
BrownFineSecurity/iothackbot/skills/chipsec
468
Stars
83
Forks
Updated5d ago
Added6d ago