#!/bin/sh # Macschrauber April, 24th 2021 if [ -z "$1" ] then echo test_nvram 4-24-2021 by Macschrauber echo Utility for quick analyzing Mac Firmware dumps or nvram streams echo No argument supplied echo usage: test_nvram dump.bin exit fi echo 'scanning: '$1 myfile=$1 filesize=$(wc -c < "$1") file_4MB=false file_2MB=false file_nvramvol=false nowhere=/dev/null #check for 4MB Rom (Mac Pro 4,1 and 5,1) if ((filesize==4194304)) then file_4MB=true fi #check for 2MB Rom (Mac Pro 3,1) if ((filesize==2097152)) then file_2MB=true fi #check for nvram.vol if ((filesize==196608)) then file_nvramvol=true fi if $file_4MB then dd if="$1" skip=0x120048 bs=1 of="/tmp/VSS_Store1+2.bin" count=0x1FF70 >& $nowhere if grep -c "\$VSS" "/tmp/VSS_Store1+2.bin" >& $nowhere # is it $VSS ? then myfile="/tmp/VSS_Store1+2.bin" fi fi if $file_2MB then dd if="$1" skip=0x190048 bs=1 of="/tmp/VSS_Store.bin" count=0xFFB8 >& $nowhere if grep -c "\$VSS" "/tmp/VSS_Store.bin" >& $nowhere # is it $VSS ? then myfile="/tmp/VSS_Store.bin" fi fi # so what to do with this Stream(s) # 1st count MemoryConfigs MemoryConfigs=$(xxd -p "$myfile" | tr -d '\n' | grep -o '8c4d0065006d006f007200790043006f006e0066' | wc -l) if (($MemoryConfigs < 20)) then echo $MemoryConfigs' Memory Configs (ok)' else echo $MemoryConfigs' Memory Configs (take care)' fi # ------------------------ # 2nd count xml xmls=$(grep -c "xml version" "$myfile") if (($xmls<3)) then echo $xmls' xml (ok)' else echo $xmls' xml (not ok!)' fi # ------------------------ # 3rd count Microsoft Windows Secure Boot Variable Signer certs=$(grep -c "Microsoft Windows Secure Boot Variable Signer" "$myfile") let certs=$certs/3 if ((certs==0)) then echo $certs' Microsoft Certificates (ok)' else echo $certs' Microsoft Certificates (very bad)' fi # ------------------------ # 4th count BluetoothActiveControllerInfo BluetoothActiveControllerInfos=$(xxd -p "$myfile" | tr -d '\n' | grep -o '62006c007500650074006f006f007400680041006300740069007600650043006f006e00740072006f006c006c006500720049006e0066006f' | wc -l) if (($BluetoothActiveControllerInfos < 3)) then echo $BluetoothActiveControllerInfos' BluetoothActiveControllerInfos (ok)' else echo $BluetoothActiveControllerInfos' BluetoothActiveControllerInfos (not ok)' fi # ------------------------ # 5th count BluetoothInternalInfo BluetoothInternalControllerInfos=$(xxd -p "$myfile" | tr -d '\n' | grep -o '62006c007500650074006f006f007400680049006e007400650072006e0061006c0043006f006e00740072006f006c006c006500720049006e0066006f' | wc -l) if (($BluetoothInternalControllerInfos < 3)) then echo $BluetoothInternalControllerInfos' BluetoothInternalControllerInfos (ok)' else echo $BluetoothInternalControllerInfos' BluetoothInternalControllerInfos (not ok)' fi # ------------------------ # 6th count Free Space for 4.1/5.1 Rom if $file_4MB # extract 1st $VSS Stream then dd if="$1" skip=0x120048 bs=1 of="/tmp/VSS_Store1.bin" count=0xFFB8 >& $nowhere if grep -c "\$VSS" "/tmp/VSS_Store1.bin" >& $nowhere then FFs=$(xxd -p "/tmp/VSS_Store1.bin" | tr -d '\n' | grep -o 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' | wc -l) # 64 x 0xFF FFs=$(expr 64 \* $FFs) echo $FFs 'Bytes free space of 65464' fi rm -f /tmp/VSS_Store1.bin fi # ------------------------ # 7th count Free Space for 3.1 Rom if $file_2MB # it has just 1 $VSS Stream then if grep -c "\$VSS" "/tmp/VSS_Store.bin" >& $nowhere then FFs=$(xxd -p "/tmp/VSS_Store.bin" | tr -d '\n' | grep -o 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' | wc -l) # 64 x 0xFF FFs=$(expr 64 \* $FFs) echo $FFs 'Bytes free space of 65464' fi fi # ------------------------ # 8th count Free Space for 4.1/5.1 nvram.vol if $file_nvramvol # extract 1st $VSS Stream then dd if="$1" bs=1 of="/tmp/VSS_Store1.bin" count=0xFFB8 >& $nowhere if grep -c "\$VSS" "/tmp/VSS_Store1.bin" >& $nowhere then FFs=$(xxd -p "/tmp/VSS_Store1.bin" | tr -d '\n' | grep -o 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' | wc -l) # 64 x 0xFF FFs=$(expr 64 \* $FFs) echo $FFs 'Bytes free space of 65464' fi fi # ------------------------ # clean up if $file_2MB then rm -f /tmp/VSS_Store.bin fi if $file_4MB then rm -f /tmp/VSS_Store1+2.bin fi if $file_nvramvol then rm -f /tmp/VSS_Store1.bin fi