Test NVRAM for MemoryConfigs, xml, Microsoft Certificates and BluetoothControllerInfo
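#!/usr/bin/env bash
# test_nvram 4-24-2021 by Macschrauber
#
# Quick triage of a Mac firmware dump or an NVRAM stream. It counts how often
# selected variable names and strings occur in the $VSS variable store and
# reports how many 64-byte runs of 0xFF (erased flash) the first store holds.
#
# Usage: test_nvram dump.bin
#
# Recognised input sizes:
#   4194304 bytes  4 MB ROM (Mac Pro 4,1 and 5,1)
#   2097152 bytes  2 MB ROM (Mac Pro 3,1)
#    196608 bytes  nvram.vol
# Any other size is scanned as-is, without extracting a store.
#
# Changes against the original script, and why:
#   * The script uses (( )), so it now asks for bash instead of /bin/sh.
#   * Scratch files live in a private mktemp directory that is removed on
#     exit. The original wrote fixed names under /tmp; dd follows a symlink
#     that is already there, and a stale file left by another run or user
#     could be analysed in place of the dump. That matters most when the
#     tool is run with elevated rights next to a firmware dumper.
#   * dd offsets are converted to decimal by the shell. GNU dd reads
#     "0x120048" as 0 times 120048, so the hex form only works with BSD dd.
#   * An unreadable input file is reported instead of yielding zero counts.
set -u

if [[ -z "${1:-}" ]]; then
  echo 'test_nvram 4-24-2021 by Macschrauber'
  echo 'Utility for quick analyzing Mac Firmware dumps or nvram streams'
  echo 'No argument supplied'
  echo 'usage: test_nvram dump.bin'
  exit
fi

input=$1
if [[ ! -f "$input" || ! -r "$input" ]]; then
  printf 'test_nvram: cannot read %s\n' "$input" >&2
  exit 1
fi

printf 'scanning: %s\n' "$input"

readonly SIZE_ROM_4MB=4194304   # Mac Pro 4,1 and 5,1
readonly SIZE_ROM_2MB=2097152   # Mac Pro 3,1
readonly SIZE_NVRAM_VOL=196608  # nvram.vol

# Offsets and lengths as used by the original author (hex kept for reference).
readonly OFF_STORE_4MB=$((0x120048))
readonly OFF_STORE_2MB=$((0x190048))
readonly LEN_ONE_STORE=$((0xFFB8))    # 65464 bytes
readonly LEN_TWO_STORES=$((0x1FF70))  # 130928 bytes

# 64 bytes of 0xFF as xxd prints them: 128 'f' characters.
printf -v FF_RUN '%128s' ''
readonly FF_RUN=${FF_RUN// /f}

tmpdir=$(mktemp -d "${TMPDIR:-/tmp}/test_nvram.XXXXXX") || {
  echo 'test_nvram: cannot create a temporary directory' >&2
  exit 1
}
trap 'rm -rf -- "$tmpdir"' EXIT

# Copy $3 bytes starting at byte offset $2 of file $1 into file $4.
extract() {
  dd if="$1" of="$4" bs=1 skip="$2" count="$3" >/dev/null 2>&1
}

# Succeed when file $1 contains the literal store signature "$VSS".
has_vss() {
  # shellcheck disable=SC2016 -- the dollar sign is part of the signature
  LC_ALL=C grep -q -F -e '$VSS' -- "$1" 2>/dev/null
}

# Print how many times hex string $2 occurs in the hex dump of file $1.
# The dump is matched as one long string, so a hit is not tied to a byte
# boundary; the numbers are a triage aid, not an exact parse of the store.
count_hex() {
  local n
  n=$(xxd -p <"$1" | tr -d '\n' | grep -o -e "$2" | wc -l)
  printf '%d\n' "$((n))"  # arithmetic strips the padding BSD wc adds
}

# Print the free-space line for the store in file $1.
report_free_space() {
  local runs
  runs=$(count_hex "$1" "$FF_RUN")
  echo "$((64 * runs)) Bytes free space of 65464"
}

filesize=$(wc -c <"$input")
filesize=$((filesize))

file_4MB=false
file_2MB=false
file_nvramvol=false
if ((filesize == SIZE_ROM_4MB)); then file_4MB=true; fi
if ((filesize == SIZE_ROM_2MB)); then file_2MB=true; fi
if ((filesize == SIZE_NVRAM_VOL)); then file_nvramvol=true; fi

# For a ROM image, narrow the scan to the variable store(s). The whole input
# stays the scan target when the extracted region has no $VSS signature.
myfile=$input
if $file_4MB; then
  extract "$input" "$OFF_STORE_4MB" "$LEN_TWO_STORES" "$tmpdir/VSS_Store1+2.bin"
  if has_vss "$tmpdir/VSS_Store1+2.bin"; then
    myfile="$tmpdir/VSS_Store1+2.bin"
  fi
fi
if $file_2MB; then
  extract "$input" "$OFF_STORE_2MB" "$LEN_ONE_STORE" "$tmpdir/VSS_Store.bin"
  if has_vss "$tmpdir/VSS_Store.bin"; then
    myfile="$tmpdir/VSS_Store.bin"
  fi
fi

# 1st count MemoryConfigs: byte 0x8c followed by "MemoryConf" in UTF-16LE.
MemoryConfigs=$(count_hex "$myfile" '8c4d0065006d006f007200790043006f006e0066')
if ((MemoryConfigs < 20)); then
  echo "$MemoryConfigs Memory Configs (ok)"
else
  echo "$MemoryConfigs Memory Configs (take care)"
fi

# 2nd count xml (grep -c counts matching lines, not individual hits).
xmls=$(LC_ALL=C grep -c -e 'xml version' <"$myfile")
if ((xmls < 3)); then
  echo "$xmls xml (ok)"
else
  echo "$xmls xml (not ok!)"
fi

# 3rd count Microsoft Windows Secure Boot Variable Signer. The original
# divides the line count by three; presumably the string shows up three
# times per certificate set. TODO confirm against a known dump.
certs=$(LC_ALL=C grep -c -e 'Microsoft Windows Secure Boot Variable Signer' <"$myfile")
certs=$((certs / 3))
if ((certs == 0)); then
  echo "$certs Microsoft Certificates (ok)"
else
  echo "$certs Microsoft Certificates (very bad)"
fi

# 4th count "bluetoothActiveControllerInfo" (UTF-16LE).
BluetoothActiveControllerInfos=$(count_hex "$myfile" '62006c007500650074006f006f007400680041006300740069007600650043006f006e00740072006f006c006c006500720049006e0066006f')
if ((BluetoothActiveControllerInfos < 3)); then
  echo "$BluetoothActiveControllerInfos BluetoothActiveControllerInfos (ok)"
else
  echo "$BluetoothActiveControllerInfos BluetoothActiveControllerInfos (not ok)"
fi

# 5th count "bluetoothInternalControllerInfo" (UTF-16LE).
BluetoothInternalControllerInfos=$(count_hex "$myfile" '62006c007500650074006f006f007400680049006e007400650072006e0061006c0043006f006e00740072006f006c006c006500720049006e0066006f')
if ((BluetoothInternalControllerInfos < 3)); then
  echo "$BluetoothInternalControllerInfos BluetoothInternalControllerInfos (ok)"
else
  echo "$BluetoothInternalControllerInfos BluetoothInternalControllerInfos (not ok)"
fi

# 6th count Free Space for 4.1/5.1 Rom: only the 1st $VSS stream is measured.
if $file_4MB; then
  extract "$input" "$OFF_STORE_4MB" "$LEN_ONE_STORE" "$tmpdir/VSS_Store1.bin"
  if has_vss "$tmpdir/VSS_Store1.bin"; then
    report_free_space "$tmpdir/VSS_Store1.bin"
  fi
fi

# 7th count Free Space for 3.1 Rom: it has just one $VSS stream, already
# extracted above.
if $file_2MB; then
  if has_vss "$tmpdir/VSS_Store.bin"; then
    report_free_space "$tmpdir/VSS_Store.bin"
  fi
fi

# 8th count Free Space for 4.1/5.1 nvram.vol.
# NOTE(review): the original reads from offset 0 here, while the ROM cases
# start 0x48 bytes into the volume; confirm that this is intended.
if $file_nvramvol; then
  extract "$input" 0 "$LEN_ONE_STORE" "$tmpdir/VSS_Store1.bin"
  if has_vss "$tmpdir/VSS_Store1.bin"; then
    report_free_space "$tmpdir/VSS_Store1.bin"
  fi
fi

# Scratch files are removed by the EXIT trap set above.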
curl -L https://gist.githubusercontent.com/startergo/56d3770b7f78dd1591790c69753f846c/raw -o ~/Downloads/test_nvram