14

I have a DELL machine that use Phoenix SecureCore Tiano as its UEFI/BIOS However, it is totally not configurable as its UEFI shell & menus are hidden in BIOS Setup.

I'm wondering if there were tools that can modify the UEFI settings(such as Boot Items) in user mode? such as "efibootmgr" in linux.

btw, because it is not configurable, I think the boot process is in legacy mode so that's to say OSes can not detect the UEFI exist, am i right?

so, that's the paradox: I must be boot in non-legacy mode to enable UEFI tools to modify boot items in user mode? but I must enable UEFI tools to modify boot items first to enable non-legacy boot?

Hennes
  • 64,768
  • 7
  • 111
  • 168
marstone
  • 241
  • 1
  • 2
  • 5
  • 1
    just found that efi vars stored in nvram, maybe this link helps: https://wikileaks.org/ciav7p1/cms/page_26968084.html – marstone Apr 13 '19 at 03:07

6 Answers6

3

EFI implementations must provide some way to control the boot mode (EFI vs. BIOS), except of course for EFI-only implementations without BIOS support. Too often, though, the firmware gives the user little or no explicit control of the matter; instead, the firmware attempts to infer the correct boot mode based on the state of the hard disk -- for instance, it might use EFI mode if a GPT is detected and BIOS mode if an MBR is found; or it might use EFI mode if an EFI System Partition (ESP) is found and BIOS mode if not. You may be able to find a clue about what your firmware is doing by reading the manual. If not, you'll just have to experiment.

When booting removable media, the rules may be different, but you can often give it a kick in the right direction by providing just one boot mode. This may require re-mastering a CD or (more easily) carefully selecting a CD. If you're trying to force an EFI-mode boot, my rEFInd, and in particular its bootable CD version, may be helpful; it boots only in EFI mode, and as configured, it will act as a boot manager for other EFI-based boots, but not for BIOS-mode boots.

Rod Smith
  • 31
  • 1
  • thanks! when i partition my hd in MBR mode, it works as expected. however, if i use GPT mode, no matter there is an ESP or not, it just won't boot and gives this error: "Operation System not Found". The error message /w syntax error, is surely from the BIOS itself after I reverse engineered the BIOS rom (not from any bootloader or boot record), so I just can not get the boot control to be passed in GPT mode. – marstone May 29 '12 at 01:49
  • Some EFI-based systems will only boot in BIOS mode if they detect an MBR partition with its "boot" (aka "active") flag set. On a GPT disk, this requires setting that flag on the 0xEE protective partition in the MBR. You can use a tool like Linux's fdisk to do this (use the "a" option). Do *not* use parted, GParted, or other libparted-based tools to do this; on a GPT disk, they give you no control over what's in the *MBR*, and the "boot flag" will be applied to a *GPT* partition, with the meaning being that it sets the type code to that of an EFI System Partition (ESP). – Rod Smith Jun 01 '12 at 04:50
1

Michael Niehaus recently released a powershell module for modifying UEFI variables on Windows.

It provides the following functions:

  • Get-UEFIVariable
  • Set-UEFIVariable
  • Set-LHSTokenPrivilege
  • Get-UEFISecureBootCerts
silico-biomancer
  • 448
  • 3
  • 11
1

I've just bought a Dell XPS 17 (l702x) and I'm interested in multi-booting a variety of OSes. If what I've understood is correct, the Dell has some form of locked-down Phoenix SecureCore Tiano UEFI 'BIOS'. From what I've read, UEFI isn't directly usable (possibly via a hidden menu etc., which might require a BIOS mod).

It does seem possible to use/access a Phoenix compatible EFI shell, using the open-source (BSD) TianoCore edk2/ShellPkg (source) and edk2/ShellBinPkg (binary) packages (GIT Repo).

I recommend the newer ShellBinPkg, using the "full shell" profile of UEFI Shell 2.0 (supports the most commands). You can also rebuild a custom shell using the ShellPkg (build standalone or include it in the OVMF package to generate a x64 version) - Inclusion of UEFI shell in Linux distro iso.

The [U]EFI shell binary is compiled to run independent of the firmware. This can be tested by putting the shell on a FAT32 file system (USB stick, hard drive partition), renamed as /efi/boot/bootx64.efi and then booting to it, from your [UEFI] BIOS.

Help text for the shell is accessed by typing help utilname. Just using help produces a list of all available shell commands.

Note: If you are unable to launch UEFI Shell from the firmware directly, create a FAT32 USB pen drive with Shell.efi copied as (USB)/efi/boot/bootx64.efi . This USB should come up in the firmware boot menu. Launching this option will launch the UEFI Shell for you. - Arch Linux's take on UEFI

Pro Backup
  • 519
  • 1
  • 7
  • 23
Big Rich
  • 113
  • 5
  • that's great. i bought the same model l702x ;-) i'll try it tomorrow! the hidden menu is still unlockable as far as i know. btw, do u have compiled bootx64.efi and have tested on your xps yet? – marstone Jul 22 '12 at 16:50
  • ShellBinPkg is a UEFI shell pre-compiled binary, you're supposed to be able just have to rename it and put in the right directory. I tried it, and it didn't work for me, but I don't believe it's the only shell that's available (I'm new to this, also). [This post](https://bbs.archlinux.org/viewtopic.php?pid=1023962#p1023962) seems to offer a shell download which should work with Phoenix SecureCore Tiano (See the.ridikulus.rat->cfr conversation). Let us know how you get on. – Big Rich Jul 23 '12 at 16:57
  • I tried put the efi file from the above post to /efi/boot/bootx64.efi, however, my usb disk booted to grub normally(it is bootable already); then i formatted my u-disk to HDD mode, and i got the error "Remove disks or other media ...". I then took a hex search for this string sector by sector in my u-disk, it did not exist. the message must from L702x's Tiano BIOS. anything wrong for my operations? – marstone Jul 25 '12 at 14:25
  • @marstone, sorry man, but I'm a newbie myself when it comes to this UEFI stuff (I'm just OK with my Google-fu ;-) ). Been occupied elsewhere, as soon as I get some time I'll try this myself and let you know how I get on. Cheers, Rich. – Big Rich Jul 26 '12 at 20:15
  • Although Dell has now released a UEFI enabled bios ([A19](http://ftp1.dell.com/folder00950751m/1/)), 'capitankasar' over at [notebookreview](http://forum.notebookreview.com/dell-xps-studio-xps/641688-l702x-modded-gpu-bios-15.html) posted 2x modded A18 bioses ([uefi](http://www.mediafire.com/?zxwopxs7gwpiuph), [uefi+nvida gpu](http://www.mediafire.com/?pbqp2iycmn0mpya)), they address UEFI, NVidia GPU overclocking and fan speeds etc. (some of these features may also exist in the official Dell release, I haven't confirmed this myself). As always, use at your own risk ;-) – Big Rich Nov 08 '12 at 11:56
  • thanks you for your info! i'am following 'kasar''s thread in bios-mods.com, they also made a a19 mod that works great for me. with uefi boot enabled, i can boot uefi with extern shell.efi in usb stick. – marstone Nov 12 '12 at 01:11
0

In my experiments, I concluded as follows:

If you wish to use an U/EFI multi-boot USB key, you MUST:

  1. clear all partitions/wipe drive entirely;
  2. convert it to GPT;
  3. create a primary partition and format it as Fat32;
  4. make a dir called EFI (not case sensitive) in the root of the drive;
  5. create a subdir in previous dir called boot (not case sensitive, too)
  6. put your desired .efi file in there and rename it to match the system's architecture: bootx64.efi if x64, bootia32.efi if x86 or bootaa64.efi if ARM64.

Tried it in a Dell Inspiron 5437 touchscreen and worked perfectly.

One last thing: if the .efi file isn't signed with Microsoft's digital signature, must disable only secure boot mode under fw settings. Leave the UEFI boot and fast boot mode enabled.

For tests, find multi-boot key of your OEM machine before to install it permanently and select uefi: <your usb key> from the presented list.

Overmind
  • 9,924
  • 4
  • 25
  • 38
Thiago Postio
  • 1
0

I just release my utility if anyone is interested. It edits UEFI variable in windows.

https://gist.github.com/Zibri/19f9838ffd12349bb2c6c3afddc9388f/

Updated on 25/02/2020 to version 1.2.
No internet connection needed.
Virus total reports 6 (false positives) over 96 because the code is obfuscated.

Zibri
  • 265
  • 2
  • 8
  • IT IS NOT. The program is compressend and protected and some antiviruses give a false positive. It's no virus. – Zibri Sep 08 '18 at 11:07
  • For flaggers: This program gets a somewhat [alarming detection at Virustotal](https://www.virustotal.com/gui/file/0f5ea8d979638b92ad5be166492ac7d1f93552805d69ce0ac5b4c8b08b5bfd93/detection) but it appears to be generic detection and "potentially unwanted program" detections. It is possible that due to what this program does it has made it's way into malware suites but until someone can offer direct evidence that this is actual malware then the answer is fine for now. – Mokubai Dec 07 '19 at 08:55
  • I didn't release the source code and made it difficult to reverse engineer only to "delay" or "limit" exactly the proliferating of malware based on my "simple" code. I am thinking of releasing the source, it is no secret, I just didn't want to be the main cause of future uefi based malware. – Zibri Dec 16 '19 at 14:28
  • Edit: updated today to version 1.1. – Zibri Jan 19 '20 at 22:23
  • Updated to version 1.2 – Zibri Feb 25 '20 at 14:28
  • @Mokubai I honestly wouldn't run this binary. I don't know why but it does seem to access `googleapis.com`, uses URL shorteners and connects as a browser to websites. I don't know why (the PayPal Link is embedded directly), and I cannot say this is malicious, but it *does* seem sketchy. And lol @ the deobfuscation 0:-) – ljrk Jul 21 '20 at 15:34
  • @larkey it's not sketchy nor malicious. you are free not to use it. I am a very public person and I would never post "scams". Just search "zibri ziphone" on youtube or "zibri forbes" or "zibri cnet". The program is 100% safe. Period. – Zibri Jul 23 '20 at 07:45
  • as usual, no good deed goes unpinished. This is what I get when I release something for free. Google apis where only for statistics and where even removed. By the way. – Zibri Jul 23 '20 at 07:46
  • @Zibri This is no "punishment" (in what way did you get something negative out of this?), neither do I say that it's necessarily scam. But it *is* dubious. Yes, I can decide to not run it but others might not be able to look into this as detailed, hence I posted the comment. Saying "this is no malware, it's just obfuscated" from an authority (mod of this site) is questionable IMHO. – ljrk Jul 23 '20 at 10:12
  • @Zibri regardless, I think your objective to stop people from exploiting "what you've found" is ill-guided as tools like chipsec do calls to similar Nt APIs and are already publicly available, not speaking of efitools for Linux systems which does the same thing. – ljrk Jul 23 '20 at 10:14
  • @larkey I know. Linux world is different and with differently skilled people. But in windows world a lot of script kiddies just put together things by taking code here and there. There is no secret in my program I just wanted to make it more difficult to exploit directly. Then it is possible, for sure, but if you are able to disable the obfuscation then you are skilled enough to do the same in many other ways. Got it? – Zibri Jul 26 '20 at 20:29
  • 1
    @Zibri Yes, I understand but a) Windows code like that exists already (chipsec) and b) inevitably this will get "exploited", and, given this isn't anything new, no playing on time will help. But all this reasoning is off-topic for this site, I disagree, but that's not the point. The point is that I don't think we should make people run possibly-sketchy obfuscated code as admin. Yours can be legit but others might not. Saying "yeah, AV thinks it's a virus" is... not helping either. Arguably this will lead to more exploited users. – ljrk Jul 26 '20 at 21:52
  • 1
    @Zibri Anyhow, I want people to make their decision based on more information than "someone on SO said this is fine despite all alarm bells ringing". That's why I provided a first look into the binary that I did after work. It's not complete but it says "this binary *might* as well be worse than it seems". And I think people should know this when making their decision. – ljrk Jul 26 '20 at 21:54
  • @ljrk this is pure speculation and not information. PROVE that it does something wrong or just stfu. – Zibri Aug 19 '20 at 23:53
  • 1
    @Zibri Speculation is saying "this is malicious" but also saying "this is *not* malicious". I'm doing neither, I'm saying that it uses sketchy techniques and I'm questioning the legitimacy of the obfuscation. Users can now make their own decision whether to use your program or not, also given your reactions to my comment. – ljrk Aug 20 '20 at 10:59
0

Editing EFI vars from LINUX CLI:

As stated in this other answer, the simple procedure to modify UEFI variables is to use a bootable USB with Linux (like ArchLinux ISO), and simply navigate to EFIvars as a normal system directory (cd /sys/firmware/efi/efivars/), where you can:

  • remove them (with rm),
  • create new ones (with printf)
  • or even disable file immutability (with chattr)
DavidTaubmann
  • 180
  • 1
  • 6