CHIPSEC module that exploits UEFI boot script table vulnerability
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.


CHIPSEC module that exploits UEFI boot script table vulnerability.

This vulnerability was discovered by Rafal Wojtczuk and Corey Kallenberg, check 
original white paper:

More detailed exploit description:


1) Download and install CHIPSEC (

2) Download and install Capstone engine incl. Python bindings (

3) Install nasm (apt-get install nasm).

4) Copy into the chipsec/source/tool/chipsec/modules.

5) Run module:
   # cd chipsec/source/tool/chipsec
   # python --module boot_script_table 


* is a proof of concept code for Linux operating system that uses software 
DMA attack to read or write SMRAM contents.

* program uses DMA attack to defeat BIOS_CNTL flash write protection
with SMI entries patching.

To learn more about these two programs please read my other blog post:


Exploitation of this vulnerability is very hardware-specific because it depends on
boot script table format and location.

Exploit was tested with following hardware:  

* Intel DQ77KB motherboard (Q77 chipset)

* Apple MacBook Pro 10,2 (late 2012, QM77 chipset)

* Lenovo ThinkPad laptops (tested on x220, x230 and others)

Running this code on any other hardware may lead to unexpected problems.


* Windows support (current implementation uses rtcwake Linux shell command).

* More decent boot script table decoding and dumping (incl. vendor-specific opcodes).

* SPI protected ranges dumping and checking.

Written by:
Dmytro Oleksiuk (aka Cr4sh)