@lodestone
Forked from joevt/gfxutil.sh
Created October 26, 2021 17:59
macOS nvram boot variables, device properties, EFI device paths
#!/bin/bash
# joevt Oct 11, 2021
# https://forums.macrumors.com/threads/documentation-on-all-parameters-for-nvram.2239034/post-28518123
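# Locate the gfxutil binary: two download locations first, then the author's
# local Xcode build output.
# NOTE(review): every candidate path is in a user-writable location and is run
# without any integrity check; confirm the binary's origin before relying on it.
gfxutilcmd=~/Downloads/gfxutil/gfxutil
if [[ ! -f $gfxutilcmd ]]; then
  gfxutilcmd=~/Downloads/gfxutil
fi
if [[ ! -f $gfxutilcmd ]]; then
  gfxutilcmd="/Volumes/Work/Programming/EFIProjects/gfxutil/joevt-gfxutil/DerivedData/gfxutil/Build/Products/Debug/gfxutil"
fi
# The alias body is single-quoted, so $gfxutilcmd is expanded when the alias is
# used. bash only expands aliases when expand_aliases is on (the default for
# interactive shells), so this file is meant to be sourced interactively.
alias gfxutil='"$gfxutilcmd"'

# Optional replacement for the system bless tool. getefipath runs the selected
# tool through sudo, so whoever can write to this path can run code as root:
# keep the build somewhere only root can modify.
directblesscmd="/Volumes/Work/Programming/XcodeProjects/bless/bless-204.40.27 joevt/DerivedData/bless/Build/Products/Debug/bless"
usedirectbless=0
if [[ -d /System/Library/PrivateFrameworks/APFS.framework/Versions/A/APFS ]]; then
  # Test the configured path. The previous test read $directbless, which is
  # only assigned further down, so the custom build could never be selected
  # the first time this file was sourced.
  if [[ ! -f "$directblesscmd" ]]; then
    echo "# Download and build bless from https://github.com/joevt/bless , then update the path of directbless defined in DiskUtil.sh"
  else
    usedirectbless=1
  fi
fi
if ((usedirectbless)); then
  directbless=$directblesscmd
  alias directbless='"$directbless"'
else
  directbless=bless
  alias directbless=bless
fi
# Lowercase companion of PIPESTATUS; bootvar expands ${pipestatus[1]} (always
# empty) next to ${PIPESTATUS[0]}.
pipestatus=( ) # to clear an error in ShellCheck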
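nvramp () {
  # Print the decoded bytes of one NVRAM variable.
  # Arguments: $1 - variable name as passed to `nvram`
  # Outputs:   the value with the leading "NAME<separator>" removed and every
  #            %XX sequence turned back into the byte it encodes
  # Returns:   the exit status of `nvram`
  local thename="$1"
  local thedata="" # must declare local separately for $? to get the error
  thedata="$(nvram "$thename")"
  local theerr=$?
  # Build a printf format: drop the name prefix, double literal backslashes,
  # and rewrite % as \x so that printf emits the encoded bytes.
  # NOTE(review): $thename is spliced into the sed regex unescaped, so a name
  # containing "/" or regex metacharacters would change the expression.
  local fmt=""
  fmt=$(sed -E '/^'"$thename"'./s///;s/\\/\\\\/g;s/%/\\x/g' <<< "$thedata")
  # "--" ends option parsing; without it a value that starts with "-" is
  # rejected by printf as an invalid option and nothing is printed.
  printf -- "$fmt"
  return $theerr
}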
# Vendor GUID prefixed to the Boot####, Driver####, BootOrder, DriverOrder,
# BootCurrent, BootNext and Timeout variable names used below (the UEFI
# global-variable GUID).
efiguid=8BE4DF61-93CA-11D2-AA0D-00E098032B8C
bootvar () {
  # Decode one load-option variable (for example Boot0001) read from NVRAM.
  # Arguments: -p (optional) - print only the device-path list, as hex
  #            $1            - variable name without the GUID prefix
  # Outputs:   with -p the FilePathList hex; otherwise one line with the name,
  #            the attributes, the quoted description, the quoted device
  #            path(s) and the quoted optional data, followed by a hex dump of
  #            the optional data when there is any
  # Returns:   the exit status nvramp reported for the variable
  local pathonly=0
  if [[ $1 == '-p' ]]; then
    pathonly=1
    shift
  fi
  local thebootvar=$1
  local thebytes=""
  # Hex-dump the value and append nvramp's exit status (PIPESTATUS[0]) as an
  # extra last line so that it survives the command substitution.
  # ${pipestatus[1]} is the empty file-level array and expands to nothing.
  thebytes="$(nvramp $efiguid:"$thebootvar" | xxd -p -c 99999; echo "${pipestatus[1]}${PIPESTATUS[0]}")"
  # typedef struct _EFI_LOAD_OPTION
  local theerr=""
  # The last line is the status; everything before it is the hex data.
  theerr=$(sed -n \$p <<< "$thebytes")
  if (( ! theerr )); then
    thebytes=$(sed \$d <<< "$thebytes")
    # Bytes 0-3, byte order reversed: Attributes.
    local theAttributes=$((0x${thebytes:6:2}${thebytes:4:2}${thebytes:2:2}${thebytes:0:2}))
    # 0x00000001 LOAD_OPTION_ACTIVE
    # 0x00000002 LOAD_OPTION_FORCE_RECONNECT
    # 0x00000008 LOAD_OPTION_HIDDEN
    # 0x00001F00 LOAD_OPTION_CATEGORY
    # 0x00000000 LOAD_OPTION_CATEGORY_BOOT
    # 0x00000100 LOAD_OPTION_CATEGORY_APP
    # Bytes 4-5, byte order reversed: FilePathListLength in bytes.
    local theFilePathListLength=$((0x${thebytes:10:2}${thebytes:8:2}))
    local theDescription=""
    # From byte 6 on: the description, converted from UTF-16LE and cut at the
    # first NUL.
    theDescription=$(xxd -p -r <<< "${thebytes:12}" | iconv -f UTF-16LE -t UTF-8 | tr '\0' '\n' | sed -n -E '1p' | tr -d '\n')
    # Byte offset just past the description and its terminator, two bytes per
    # character.
    # NOTE(review): ${#theDescription} counts characters in the current
    # locale; presumably this assumes a UTF-8 locale and no characters that
    # need two UTF-16 units - confirm.
    local theoffset=$(( 6 + (${#theDescription}+1) * 2 ))
    local theFilePathList=${thebytes:$theoffset * 2:$theFilePathListLength*2}
    ((theoffset += theFilePathListLength))
    # Whatever follows the device-path list is the optional data.
    local theOptionalData=${thebytes:$theoffset * 2}
    local theOptionalDatastring=""
    theOptionalDatastring=$(xxd -p -r <<< "${theOptionalData}" | iconv -f UTF-16LE -t UTF-8 | tr '\0' '\n' | sed -n -E '1p' | tr -d '\n')
    if (( pathonly )); then
      echo "$theFilePathList"
    else
      printf "%s %s \"%s\"" "$thebootvar" "$theAttributes" "$theDescription"
      local parts=0
      # Peel one device path at a time off the front of the list: gfxutil
      # turns the hex into text, and the text back into hex to learn how many
      # hex digits that path occupied.
      while [[ -n $theFilePathList ]]; do
        (( parts++ ))
        local thepath=""
        local pathbytes=""
        thepath=$(gfxutil "$theFilePathList")
        (( parts == 1 )) && printf " "
        printf "\"%s\"" "$thepath"
        pathbytes=$(gfxutil "$thepath")
        # NOTE(review): =~ matches $pathbytes anywhere in the list, while the
        # next line removes that many characters from the front; an empty
        # $pathbytes (gfxutil failure) would remove nothing - confirm the loop
        # still terminates in that case.
        if [[ $theFilePathList =~ $pathbytes ]]; then
          theFilePathList=${theFilePathList:${#pathbytes}}
        else
          printf " # Device path %s does not match %s" "$pathbytes" "$theFilePathList"
          theFilePathList=""
        fi
      done
      [[ -n $theOptionalData ]] && printf " \"%s\"" "$theOptionalDatastring"
      echo
      [[ -n $theOptionalData ]] && {
        # Dump the optional data on one xxd row labelled with its byte offset;
        # perl splits that row into a hex line and a text line.
        printf "%s\n" "$theOptionalData" | xxd -p -r | xxd -o "$theoffset" -g $((${#theOptionalData}/2)) -c $((${#theOptionalData}/2)) | perl -pe "s/^([0-9A-Fa-f]+: )([0-9A-Fa-f]+) (.*)/ \1\2\n \1\3/"
      }
    fi
  fi
  return "$theerr"
}
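setnvramhex () {
  # Write an NVRAM variable from a hex string (runs `sudo nvram`).
  # Arguments: $1 - variable name, $2 - value as hex digits, two per byte
  # Returns:   1 without writing anything when $2 is not an even-length hex
  #            string; otherwise the exit status of `sudo nvram`
  # Anything that is not a whole number of hex byte pairs would be written as
  # different bytes than the caller intended (for example an error message
  # captured from a failed helper), so refuse it before the privileged write.
  local hexpat='^([0-9A-Fa-f]{2})*$'
  if [[ ! $2 =~ $hexpat ]]; then
    printf '# setnvramhex: not writing %s: value is not an even-length hex string\n' "$1" >&2
    return 1
  fi
  # Prefix every byte pair with % to get nvram's %XX notation.
  sudo nvram "$1=$(sed -E 's/(..)/%\1/g' <<< "${2}")"
}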
setbootvar () {
  # Assemble a load-option record and store it with setnvramhex.
  # Arguments: $1 - variable name without the GUID prefix
  #            $2 - attributes (number)
  #            $3 - description text
  #            $4 - device path: hex ending in 7fff0400, an existing file
  #                 system path (resolved by getefipath), or anything else,
  #                 which is handed to gfxutil
  #            $5 - optional data as hex, appended unchanged
  local varname=$1 attributes=$2 description=$3 pathspec=$4 optionalhex=$5
  local attrhex="" deschex="" pathhex="" lenhex=""
  local rawhexpat='^([a-z0-9]{2})*7fff0400$'

  printf -v attrhex "%08x" "$attributes"
  # Description: NUL-terminated, converted to UTF-16LE, as hex.
  deschex=$(printf "%s\0" "$description" | iconv -f UTF-8 -t UTF-16LE | xxd -p -c 999999)

  if [[ $pathspec =~ $rawhexpat ]]; then
    pathhex="$pathspec"
  elif [[ -e $pathspec ]]; then
    pathhex=$(getefipath "$pathspec")
  else
    pathhex=$(gfxutil "$pathspec")
  fi

  # Length of the device-path list in bytes (two hex digits per byte).
  printf -v lenhex "%04x" $(( ${#pathhex} / 2 ))

  # Attributes and length are stored with their bytes reversed.
  local record=""
  record+="${attrhex:6:2}${attrhex:4:2}${attrhex:2:2}${attrhex:0:2}"
  record+="${lenhex:2:2}${lenhex:0:2}"
  record+="${deschex}${pathhex}${optionalhex}"
  setnvramhex "${efiguid}:${varname}" "${record}"
}
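setbootorder () {
  # Write BootOrder from a list of entries (runs `sudo nvram`).
  # Arguments: Boot#### names or bare 4-digit hex numbers, one per argument
  # Returns:   1 without writing when the arguments are not 4 hex digits each
  # IFS must be empty so that "$*" joins the arguments with nothing between
  # them; `local` keeps that from leaking into the shell that sourced this
  # file, where it would disable word splitting.
  local IFS=''
  local thestring="$*"
  local thehex=""
  thehex=$(sed -E "s/[Bb]oot//g" <<< "$thestring")
  # Anything else would be written to BootOrder as unintended bytes.
  local entrypat='^([0-9A-Fa-f]{4})*$'
  if [[ ! $thehex =~ $entrypat ]]; then
    printf '# setbootorder: expected Boot#### entries with 4 hex digits each, got: %s\n' "$thestring" >&2
    return 1
  fi
  # Each entry is stored low byte first, in nvram's %XX notation.
  sudo nvram "${efiguid}:BootOrder=$(sed -E "s/(..)(..)/%\2%\1/g" <<< "$thehex")"
}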
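setdriverorder () {
  # Write DriverOrder from a list of entries (runs `sudo nvram`).
  # Arguments: Driver#### names or bare 4-digit hex numbers, one per argument
  # Returns:   1 without writing when the arguments are not 4 hex digits each
  # IFS must be empty so that "$*" joins the arguments with nothing between
  # them; `local` keeps that from leaking into the shell that sourced this
  # file, where it would disable word splitting.
  local IFS=''
  local thestring="$*"
  local thehex=""
  thehex=$(sed -E "s/[Dd]river//g" <<< "$thestring")
  # Anything else would be written to DriverOrder as unintended bytes.
  local entrypat='^([0-9A-Fa-f]{4})*$'
  if [[ ! $thehex =~ $entrypat ]]; then
    printf '# setdriverorder: expected Driver#### entries with 4 hex digits each, got: %s\n' "$thestring" >&2
    return 1
  fi
  # Each entry is stored low byte first, in nvram's %XX notation.
  sudo nvram "${efiguid}:DriverOrder=$(sed -E "s/(..)(..)/%\2%\1/g" <<< "$thehex")"
}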
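dumpallbootvars () {
  # Print BootCurrent, BootNext and Timeout, then for Boot and Driver: the
  # order list, every entry in it decoded by bootvar, and any further
  # variables found by probing numbers next to the listed ones and at 0000,
  # 007F, 0080 and FFFF.
  # IFS is changed several times below; `local` keeps those changes (and the
  # loop variable thebootvar) from leaking into the shell that sourced this
  # file. Both were previously left behind as globals.
  local IFS=$' \t\n'
  local thebootvar=""
  local theboot=""
  for theboot in Current Next; do
    local BootWhat=""
    BootWhat=$(nvramp $efiguid:Boot$theboot 2> /dev/null | xxd -u -p -c 99999 | sed -E 's/(..)(..)/Boot\2\1/g')
    echo "Boot$theboot: $BootWhat"
  done
  local Timeout=""
  Timeout=$((0x$(nvramp $efiguid:Timeout 2> /dev/null | xxd -u -p -c 99999 | sed -E 's/(..)(..)/\2\1/g')))
  echo "Timeout: ${Timeout}s"
  echo
  local needlinefeed=0
  local theType=""
  for theType in Boot Driver; do
    local BootOrder=""
    # Order list as space-separated names, e.g. "Boot0001 Boot0080".
    BootOrder=$(nvramp $efiguid:${theType}Order 2> /dev/null | xxd -u -p -c 99999 | sed -E 's/(..)(..)/'"${theType}"'\2\1 /g;/ $/s///')
    echo "${theType}Order: $BootOrder"
    IFS=$' '
    for theboot in $(echo "$BootOrder"); do
      bootvar "$theboot" 2> /dev/null
    done
    #echo "Search loop"
    IFS=$'\n'
    local lowboot=-1
    local boot=""
    # Build "start:increment" pairs: for every listed number N, N+1 counting
    # up and N-1 counting down, plus four fixed starting points.
    # The eval input is the hex dump of the order variable pushed through a
    # fixed sed template, so it contains only hex digits and template text; a
    # value with an odd number of bytes leaves one stray hex pair that eval
    # would try to run as a command name.
    for boot in $( {
      eval "$(nvramp $efiguid:${theType}Order 2> /dev/null | xxd -u -p -c 99999 | sed -E 's/(..)(..)/echo ''$''((0x\2\1 + 1)):1;echo ''$''((0x\2\1 - 1)):-1;/g')"; echo 0:1; echo 127:-1; echo 128:1; echo $((0xFFFF)):-1
      } | sort -u -t : -k 1n,2n
    ) ; do
      #echo "checking range $boot"
      local inc="${boot#*:}"
      local boot=$((${boot%:*}))
      local first=1
      # Walk in direction inc until a listed entry, an already covered number
      # or a variable that cannot be read is reached.
      while ((1)); do
        #echo " checking boot:$boot inc:$inc lowboot:$lowboot"
        thebootvar=${theType}$(printf "%04X" $boot)
        [[ $BootOrder != *"$thebootvar"* ]] || break
        ((boot > lowboot)) || break
        ((inc > 0)) && ((lowboot = boot))
        if ((first)); then
          if ((needlinefeed)); then
            printf ", "
          else
            printf "#Searching: "
          fi
          printf "%s" "$thebootvar($inc)"
          needlinefeed=1
          first=0
        fi
        local bootinfo=""
        bootinfo="$(bootvar "$thebootvar" 2> /dev/null)"
        local theerr=$?
        if ((theerr)); then
          break
        fi
        if ((needlinefeed)); then
          echo
          needlinefeed=0
        fi
        printf "%s\n" "$bootinfo"
        ((boot+=inc))
      done
      ((inc < 0)) && ((lowboot = boot))
    done
    if ((needlinefeed)); then
      echo
      needlinefeed=0
    fi
    echo
  done
}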
getefipath () {
  # Takes a path to a file or directory or volume and outputs the EFI device path in hex.
  # Note: Overwrites BootNext
  # Side effects: runs "$directbless" through sudo, rewrites NVRAM boot
  # variables and finally deletes BootNext and efi-boot-next-data.
  # Returns: 0 on success, 1 when bless fails or BootNext cannot be decoded.
  local thefile="$1"
  # First, get current boot vars
  local BootOrderValue=""
  BootOrderValue=$(nvramp $efiguid:BootOrder 2> /dev/null | xxd -u -p -c 99999)
  local BootOrder=""
  BootOrder=$(sed -E 's/(..)(..)/Boot\2\1 /g;/ $/s///' <<< "$BootOrderValue")
  # Generate and run one "local BootXXXX=$(nvramp ... | xxd ...)" statement
  # per entry in BootOrder, saving each variable's current value as hex. The
  # generated code is built from the hex dump above, so it contains only hex
  # digits and the fixed template text.
  eval "$(sed -E 's/(..)(..)/local Boot\2\1=$(nvramp '"$efiguid"':Boot\2\1 2> \/dev\/null | xxd -u -p -c 99999) ; /g' <<< "$BootOrderValue")"
  # We won't try to preserve BootNext - that would require preserving efi-boot-next-data
  #local BootNextValue=""
  #local BootNextName=""
  #BootNextValue=$(nvramp $efiguid:BootNext 2> /dev/null | xxd -u -p -c 99999)
  #BootNextName="Boot${BootNextValue:2:2}${BootNextValue:0:2}"
  # Use bless to convert file path to EFI device path - this affects BootNext and one of the boot vars
  # "$directbless" is either the system bless or the locally built binary
  # chosen at the top of this file, and it runs as root here.
  if ( sudo "$directbless" --mount "$thefile" --file "$thefile" --nextonly --setBoot ); then
    local thebootvar=""
    # BootNext now names the variable bless wrote, e.g. Boot0080.
    thebootvar=$(nvramp $efiguid:BootNext 2> /dev/null | xxd -u -p -c 99999 | sed -E 's/(..)(..)/Boot\2\1/g')
    local thepath=""
    thepath=$(bootvar -p "$thebootvar" 2> /dev/null)
    local theerr=$?
    if (( theerr == 0 )); then
      # if one of the existing boot vars was affected, then restore it
      if [[ $BootOrder =~ $thebootvar ]]; then
        # Indirect read of the BootXXXX local saved by the eval above.
        setnvramhex "$efiguid:$thebootvar" "$(eval 'echo $'"${thebootvar}")"
      fi
      # output the result
      printf "%s" "$thepath"
    else
      echo "# BootNext:$thebootvar not set" 1>&2
      # NOTE(review): this early return skips the BootNext cleanup below.
      return 1
    fi
    # cleanup BootNext
    sudo nvram -d $efiguid:BootNext
    sudo nvram -d efi-boot-next-data
  else
    echo '# Bless failed' 1>&2
    return 1
  fi
  return 0
}
dumpallioregefipaths () {
eval "$(
(ioreg -lw0 -p IODeviceTree; ioreg -lw0) | perl -e '
$thepath=""; while (<>) {
if ( /^([ |]*)\+\-o (.+) </ ) { $indent = (length $1) / 2; $name = $2; $thepath =~ s|^((/[^/]*){$indent}).*|$1/$name| }
if ( /^[ |]*"([^"]+)" = <(.*7fff0400.*)>/i ) { print $thepath . "/" . $1 . " = <" . $2 . ">\n" }
}
' | sed -E '/device-properties/d;/(.*) = <(.*)>/s//printf "%s = " "\1"; gfxutil \2 | cat; echo/'
)"
}
ioregp () {
  # Print the raw bytes of one I/O Registry property.
  # Arguments: $1 - registry plane, $2 - entry name, $3 - property key
  # NOTE(review): the key is spliced into the sed expression unescaped.
  local plane=$1 entry=$2 key=$3
  # Keep only the hex between < and > on the line that holds the property.
  local extract='s/^[ |]+"'"$key"'" = <(.*)>/\1/p'
  ioreg -n "$entry" -w0 -p "$plane" -k "$key" \
    | sed -nE "$extract" \
    | xxd -p -r
}
getdeviceprops () {
  # Print the raw bytes of the device-properties value found under the "efi"
  # entry of the IODeviceTree plane.
  # On lines mentioning device-properties, strip everything up to the last
  # "<" and from the first remaining ">" on, then decode the hex.
  ioreg -rw0 -p IODeviceTree -n efi \
    | sed -n '/device-properties/{s/.*<//;s/>.*//;p;}' \
    | xxd -p -r
}
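getaaplpathprops () {
  # Get device properties from nvram AAPL,PathProperties0000,0001,etc.
  # (max 768 per nvram var)
  # Outputs the decoded bytes of each variable in turn and stops at the first
  # number for which `nvram` prints nothing.
  # The working variables are local so that they no longer overwrite i, thevar
  # and theval in the shell that sourced this file.
  local i=0 thevar="" theval="" fmt=""
  while (( 1 )); do
    thevar="4D1EDE05-38C7-4A6A-9CC6-4BCCA8B38C14:AAPL,PathProperties$(printf "%04X" "$i")"
    theval="$(nvram "$thevar" 2> /dev/null)"
    [[ -z $theval ]] && break
    # Drop the name prefix, double backslashes and turn %XX into \xXX.
    fmt=$(printf "%s" "$theval" | sed -E '/^'"$thevar"'./s///;s/\\/\\\\/g;s/%/\\x/g')
    # "--" keeps a value that starts with "-" from being read as an option.
    printf -- "$fmt"
    i=$((i + 1))
  done
}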
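setaaplpathprops () {
  # Store a device-properties file in nvram as AAPL,PathProperties0000,
  # 0001, ... in chunks of 768 bytes, and delete any higher-numbered variables
  # left over from an earlier, longer value (runs `sudo nvram`).
  # Arguments: $1 - file holding the binary device properties
  local thefile="$1"
  local theproperties=""
  # Stop if the file cannot be dumped; continuing with an empty string would
  # only delete the existing variables.
  theproperties=$(xxd -p -c 99999 "$thefile") || return
  local thevar=0
  while ((1)); do
    # 768 bytes are 1536 hex digits.
    local thepart=${theproperties:$thevar*768*2:768*2}
    local thename=""
    # The counter needs its "$": bash's printf does not evaluate a bare
    # variable name, so "thevar" was rejected as a number and every chunk was
    # written to ...0000.
    thename="4D1EDE05-38C7-4A6A-9CC6-4BCCA8B38C14:AAPL,PathProperties"$(printf "%04X" "$thevar")
    if [[ -n $thepart ]]; then
      sudo nvram "${thename}=$(sed -E 's/(..)/%\1/g' <<< "${thepart}")"
    elif nvram "${thename}" > /dev/null 2>&1; then
      # Past the end of the data: remove a stale variable.
      sudo nvram -d "$thename"
    else
      break
    fi
    ((thevar++))
  done
}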
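getpanic () {
  # Get panic info from nvram AAPL,PanicInfo000K, and so on with the last
  # letter advanced by one each time
  # (max 768 per nvram var)
  # Outputs the decoded bytes of each variable in turn and stops at the first
  # name for which `nvram` prints nothing.
  # The working variables are local so that they no longer overwrite i, thevar
  # and theval in the shell that sourced this file.
  local i=0 thevar="" theval="" suffix="" fmt=""
  while (( 1 )); do
    # 0x4B is the character code of "K"; printf builds the letter directly
    # instead of round-tripping through xxd.
    printf -v suffix "\\x$(printf '%02x' $((0x4B + i)))"
    thevar="AAPL,PanicInfo000${suffix}"
    theval="$(nvram "$thevar" 2> /dev/null)"
    [[ -z $theval ]] && break
    # Drop the name prefix, double backslashes and turn %XX into \xXX.
    fmt=$(printf "%s" "$theval" | sed -E '/^'"$thevar"'./s///;s/\\/\\\\/g;s/%/\\x/g')
    # "--" keeps a value that starts with "-" from being read as an option.
    printf -- "$fmt"
    i=$((i + 1))
  done
}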
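getpanic2 () {
  # Get panic info from nvram aapl,panic-info
  # (max 768 per nvram var)
  # The original loop always stopped after its first pass, so this reads the
  # single variable directly. The working variables are local so that they no
  # longer overwrite i, thevar and theval in the shell that sourced this file.
  local thevar="aapl,panic-info" theval="" fmt=""
  theval="$(nvram "$thevar" 2> /dev/null)"
  if [[ -n $theval ]]; then
    # Drop the name prefix, double backslashes and turn %XX into \xXX.
    fmt=$(printf "%s" "$theval" | sed -E '/^'"$thevar"'./s///;s/\\/\\\\/g;s/%/\\x/g')
    # "--" keeps a value that starts with "-" from being read as an option.
    printf -- "$fmt"
  fi
  return 0
}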
testbit () {
  # Report on one flag bit.
  # Arguments: $1 - printset, printunset or printignored
  #            $2 - feature bits, $3 - mask bits, $4 - the bit to test
  #            $5 - flag name to print
  # Outputs:   printset     - the name when the bit is set (with an error note
  #                           when the mask does not cover it)
  #            printunset   - "not NAME" when the bit is clear but in the mask
  #            printignored - "ignore NAME" when the bit is not in the mask
  local mode=$1
  local value=$(($2))
  local mask=$(($3))
  local bit=$(($4))
  local label=$5
  case $mode in
    printset)
      if (( bit & value )); then
        printf "%s" "$label"
        if (( (bit & mask) == 0 )); then
          printf "(error: mask is 0)"
        fi
        printf "\n"
      fi
      ;;
    printunset)
      if (( (bit & value) == 0 )); then
        if (( bit & mask )); then
          printf "not %s" "$label"
          printf "\n"
        fi
      fi
      ;;
    printignored)
      if (( (bit & mask) == 0 )); then
        printf "ignore %s" "$label"
        printf "\n"
      fi
      ;;
  esac
}
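binary () {
  # Print a number in binary, left-padded with zeros.
  # Arguments: $1 - number or arithmetic expression (0x... accepted)
  #            $2 - minimum width in digits
  # The digits are produced with shell arithmetic instead of bc: when bc was
  # missing the old version printed a row of zeros without any error, and a
  # value with bit 63 set came out with a minus sign.
  local thenum=$(( $1 ))
  local numbits="$2"
  local digits="" bit=0 padded=""
  # Collect all 64 bits, most significant first.
  for (( bit = 63; bit >= 0; bit-- )); do
    digits+=$(( (thenum >> bit) & 1 ))
  done
  # Drop the leading zeros but keep one digit for the value 0.
  digits=${digits#"${digits%%1*}"}
  [[ -n $digits ]] || digits=0
  # Pad with spaces to the requested width, then turn the padding into zeros.
  printf -v padded "%${numbits}s" "$digits"
  printf '%s' "${padded// /0}"
}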
parseflags () {
  # Print a firmware-features value in hex and binary, then list its flags
  # three times through testbit: those set, those clear, those outside the mask.
  # Arguments: $1 - feature bits
  #            $2 - mask bits; when empty the feature bits are used as the mask
  #            $3 - width in bits (more than 32 selects the "Extended" title)
  local fbits=$(($1))
  local fmask=$(($2))
  local numbits=$(($3))
  local numhex=$(( (numbits + 3) / 4 ))
  local title=FirmwareFeatures
  if (( numbits > 32 )); then
    title=ExtendedFirmwareFeatures
  fi
  # One "bit name" pair per known flag, lowest bit first.
  local -a flagtable=(
    "0x00000001 SUPPORTS_CSM_LEGACY_MODE"
    "0x00000002 SUPPORTS_CD_DRIVE_BOOT"
    "0x00000004 SUPPORTS_TARGET_DISK_MODE"
    "0x00000008 UNKNOWN_BIT3"
    "0x00000010 SUPPORTS_NET_BOOT"
    "0x00000020 SUPPORTS_SLING_SHOT"
    "0x00000040 UNKNOWN_BIT6"
    "0x00000080 UNKNOWN_BIT7"
    "0x00000100 SUPPORTS_WIRELESS"
    "0x00000200 UNKNOWN_BIT9"
    "0x00000400 PLATFORM_SECURITY_POLICY_01"
    "0x00000800 PLATFORM_SECURITY_POLICY_02"
    "0x00001000 SUPPORTS_TRB"
    "0x00002000 UNKNOWN_BIT13"
    "0x00004000 SUPPORTS_HIGH_SPEED_USB"
    "0x00008000 UNKNOWN_BIT15"
    "0x00010000 UNKNOWN_BIT16"
    "0x00020000 DISABLE_USB_SUBSTITUTE_WORKAROUND"
    "0x00040000 UNKNOWN_BIT18"
    "0x00080000 SUPPORTS_APFS"
    "0x00100000 SUPPORTS_APFS_EXTRA"
    "0x00200000 UNKNOWN_BIT21"
    "0x00400000 SUPPORTS_TRBX"
    "0x00800000 UNKNOWN_BIT23"
    "0x01000000 SUPPORTS_PLATFORM_SECURITY_POLICY"
    "0x02000000 SUPPORTS_EXTENDED_FEATURES"
    "0x04000000 UNKNOWN_BIT26"
    "0x08000000 UNKNOWN_BIT27"
    "0x10000000 DISABLE_MBA_S4_WORKAROUND"
    "0x20000000 SUPPORTS_UEFI_WINDOWS_BOOT"
    "0x40000000 UNKNOWN_BIT30"
    "0x80000000 DISABLE_BOOTSCRIPT_WORKAROUND"
    "0x800000000 SUPPORTS_LARGE_BASESYSTEM"
  )

  printf "=========================================================================\n"
  echo "$title"
  printf "features:%0${numhex}X %s\n" "$fbits" "$(binary "$fbits" "$numbits")"
  if [[ -n $2 ]]; then
    printf " mask:%0${numhex}X %s\n" "$fmask" "$(binary "$fmask" "$numbits")"
  else
    # No mask given: treat every set bit as covered.
    fmask=$fbits
  fi

  local isset="" flag=""
  for isset in printset printunset printignored; do
    for flag in "${flagtable[@]}"; do
      # ${flag%% *} is the bit, ${flag#* } the name.
      testbit "$isset" "$fbits" "$fmask" "${flag%% *}" "${flag#* }"
    done
  done
}
showfirmwarefeatures () {
  # Read the ExtendedFirmwareFeatures and FirmwareFeatures values and their
  # masks from nvram and print each one that exists through parseflags
  # (36 and 32 bits wide respectively).
  local appleguid=4D1EDE05-38C7-4A6A-9CC6-4BCCA8B38C14
  # Turns the first xxd row into "0x" followed by its first number group.
  local tohex='/^[^:]+: +([^ ]+).*/s//0x\1/'
  local spec="" varname="" width="" features="" mask=""
  for spec in ExtendedFirmwareFeatures:36 FirmwareFeatures:32; do
    varname=${spec%:*}
    width=${spec#*:}
    features=$(nvramp "$appleguid:$varname" 2> /dev/null | xxd -g 8 -e | sed -E "$tohex")
    mask=$(nvramp "$appleguid:${varname}Mask" 2> /dev/null | xxd -g 8 -e | sed -E "$tohex")
    if [[ -n $features ]]; then
      parseflags "$features" "$mask" "$width"
    fi
  done
}