Wednesday, August 22, 2018

Instructions on how to dump your firmware

Hi folks,

A number of people have asked me how they can participate in firmware gathering, and the short answer is, "Dump your firmware, and upload it to us, at".

As you might expect, the actual answer is a little longer, so here are the instructions for firmware dumping...

On a Mac running High Sierra, it's easy, because there is a built-in command, eficheck. Here are the steps:

1) Open up a terminal

2) This command saves system's EFI firmware, type:

sudo /usr/libexec/firmwarecheckers/eficheck/eficheck --save -b YourFilenameOfChoice.bin

3) This command overwrites EFI variables portions, scrubbing any privacy-sensitive bits, enabling the image to be shared for analysis, type:

sudo /usr/libexec/firmwarecheckers/eficheck/eficheck --cleanup -b YourFilenameOfChoice.bin

4) upload firmware.bin to

Windows is trickier. There are a number of ways, but currently, the easiest seems to be these steps:

Either, (a) download your own version of ChipSec from, read the manual, and make your own zips, or (b) Download a version of ChipSec and an EFI shell from my DropBox (my EFI shell is set for an x86 machine)

and unzip each of those into the root of the thumb drive, and then:
(1) Boot your computer into BIOS, and turn off secure boot
(2) Boot into the thumb drive. This should bring up an EFI shell, that looks a lot like old MsDOS, but is neither Dos nor a Linux shell. It brings up a command prompt that says, “Shell>”
(5) You need to get into the root directory of the thumb drive, by typing FS0:
(I have seen machines where the thumb drive came up as FS1:, and even FS2:, but generally, it’s FS0:)
(6) You should then be able to do a Dir or LS, and see the Chipsec directory, and an EFI directory.
(7) Change directory to chipsec ... cd \chipsec
(8) type: python spi dump filename.bin
(9) type: exit

That should allow you to boot back into BIOS, and turn secure boot back on, and then boot to your OS, and upload the captured file to

Be sure to put your email into the webpage, because some analyses take a while, and your email will allow us to send it to you, when it is complete.

Thanks in advance for your help

No comments: