{"id":20051839,"url":"https://github.com/platform-system-interface/ems","last_synced_at":"2025-09-20T11:32:23.364Z","repository":{"id":214002998,"uuid":"735462082","full_name":"platform-system-interface/ems","owner":"platform-system-interface","description":"EFI memory scanner","archived":false,"fork":false,"pushed_at":"2024-01-17T21:15:37.000Z","size":13,"stargazers_count":11,"open_issues_count":1,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-11-13T12:06:03.377Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/platform-system-interface.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2023-12-25T02:58:06.000Z","updated_at":"2024-11-08T00:14:55.000Z","dependencies_parsed_at":"2023-12-30T00:34:53.294Z","dependency_job_id":"7aafa5f3-1586-4a68-94af-53a1a0ae1d50","html_url":"https://github.com/platform-system-interface/ems","commit_stats":null,"previous_names":["platform-system-interface/ems"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/platform-system-interface%2Fems","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/platform-system-interface%2Fems/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/platform-system-interface%2Fems/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/platform-system-interface%2Fems/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/
platform-system-interface","download_url":"https://codeload.github.com/platform-system-interface/ems/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":233660123,"owners_count":18710025,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-13T12:06:24.679Z","updated_at":"2025-09-20T11:32:22.995Z","avatar_url":"https://github.com/platform-system-interface.png","language":"Rust","readme":"# EFI Memory Scanner\n\n**NOTE: This utility is work in progress.**\n\nScan for memory data structures as known from UEFI PI firmware, i.e.,\n[EDK2](https://github.com/tianocore/edk2) and derivatives.\n\nYou can access EFI memory e.g. 
using a Linux kernel with full access to\n`/dev/mem`.\n\n## Build\n\nRun `make` to build a statically linked release binary.\n\nTo run the command directly with arguments, you need to explicitly pass\n`--target x86_64-unknown-linux-gnu` and put arguments behind a `--`:\n\n```sh\ncargo run --release --target x86_64-unknown-linux-gnu -- -f memdump\n```\n\n## Strategy\n\nInvoke `ems --file /dev/mem` to locate occurrences of known EFI data\nstructures, via their tags and also by providing a custom `--pattern`.\nUse the `--offset` and `--limit` arguments to narrow down the search.\nIt is recommended to get a copy of that memory for offline analysis.\n\nFor example, a Lenovo ThinkPad X270's EFI memory starts at `0xb56e4000`.\nThat is the first address where an EFI memory \"pool head\" is found.\nDumping it with [u-root](https://u-root.org)'s `dd`:\n\n```sh\ndd if=/dev/mem bs=4096 skip=0xb56e4 count=43292 of=/tmp/memdump\n```\n\nThe above example will dump about 190 MB.\nPut the resulting file on a USB drive or copy it over the network to continue.\n\nRerun `ems` with `--file` again, passing the path to your copy.\n\n## Linux\n\nYou will need a kernel with specific settings to fully access `/dev/mem`.\nTo build your own, copy the file `linux_ems_defconfig` to your Linux tree in\nthe config directory as `arch/x86/configs/ems_defconfig`. For non-x86\narchitectures, adjust as necessary.\n\nThe configuration expects an initramfs. Pick your own or get one from\n\u003chttps://github.com/linuxboot/u-root-builder\u003e as you like. 
Add the `ems` command\nto your custom initramfs or load it through your preferred mechanism later.\n\nBuild the kernel with the defconfig:\n\n```sh\nmake ems_defconfig\nmake -j8\n```\n\nThe resulting `arch/x86/boot/bzImage` is a PE32 binary that you can put on a FAT\npartition on a GPT-partitioned USB drive at `EFI/BOOT/BOOTX64.EFI`.\n\n## TODO\n\n- [ ] reconstruct the memory to access the data\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fplatform-system-interface%2Fems","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fplatform-system-interface%2Fems","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fplatform-system-interface%2Fems/lists"}