2011-06-05

Extracting and using a modified VMware Player BIOS or UEFI firmware

(updated 2016.05.17 for VMware UEFI firmware extraction)

One day or another, you may want to play with BIOS/UEFI firmware modification. But before jumping into physical motherboard flash alteration, where the consequences of a mishap can be difficult to salvage, experimenting with the BIOS/UEFI in a virtual environment sounds like a sound first step. You can of course do so using bochs; however, the ubiquity and ease of use of the (freely available) VMware Player can make it a much better candidate for the job if you don't really care about the extra features that bochs brings in. This post details how to extract the BIOS/UEFI firmware images used by VMware Player, and how to set up the player to use a modified one.
  1. Download and install VMware Player. The current version of VMware Player is 12, and the download can be obtained from this page (freely, but after e-mail registration). Binaries are available for Windows and Linux, in both 32 and 64 bit versions.
  2. Extract the BIOS from the VMware executables by following the instructions below:

    • Windows: Download and install 7-zip (which any reasonable Windows user should have installed anyway). Then navigate to your VMware Player installation directory and locate the vmware-vmx.exe application (notice the -vmx here). It should reside in the same directory for 32 bit, or in the x64\ directory for 64 bit. Open it in 7-Zip and go to the .rsrc\BINRES\ directory.
      For the BIOS (internally called bios440, as it emulates an Intel 440BX chipset), you need to look for a file exactly 524 288 bytes (512 KB) in size. On current versions, there should be only one, called '6006'. This is the BIOS file we are after, so just extract it to a directory of your choice.
      For the UEFI firmware, you should look for a file that is 2 097 152 bytes (2 MB) in size. Because VMware can emulate both 32 and 64-bit platforms, you will find that there are two of these. At the time of writing this article, just know that '6020' is the IA32 UEFI firmware and '6021' is the X64 UEFI firmware.
    • Linux: From a terminal, navigate to the directory where the vmware-vmx binary resides (default is /usr/lib/vmware/bin). Issue the following set of commands (copied from the Arch Linux VMware page):
      $ objcopy /usr/lib/vmware/bin/vmware-vmx -O binary -j bios440 --set-section-flags bios440=a bios440.rom.Z
      $ perl -e 'use Compress::Zlib; my $v; read STDIN, $v, '$(stat -c%s "./bios440.rom.Z")'; $v = uncompress($v); print $v;' < bios440.rom.Z > bios440.rom
      Remember that you can always use objdump -h to find the various sections before using objcopy, in case the BIOS section is no longer called bios440.
  3. Edit the BIOS or UEFI firmware as you see fit. Note that the BIOS VMware uses is of type Phoenix.
    If you are on Windows, you can download a full version of Phoenix Bios Editor Pro v2.1.0.0 from Intel under the name BIOS Logo Change Utility (or simply search for "Phoenix" on the Intel Download Center). If you install this tool on Vista or later, you will have to run Phoenix Bios Editor Pro as Administrator, and possibly in a 32 bit environment, for it to work.
  4. Once your BIOS/UEFI file is modified according to your needs, locate the Virtual Machine you plan to test your firmware with and copy your modified file into its directory. Then, edit the .vmx file to add one of these lines, according to the type of platform you want to run.
    • For BIOS, you only need to add:
      bios440.filename = "bios440.rom"
    • For 32-bit UEFI, you will need to have something like:
      firmware = "efi"
      efi32.filename = "efi32.rom"
    • For 64-bit UEFI, you will need:
      firmware = "efi"
      efi64.filename = "efi64.rom"
  5. Run the image, and it should use your modified firmware. If you have simply modded the original BIOS using Phoenix Bios Editor, a good way to confirm that the VM is using your custom BIOS is to change the 'Quiet Boot Logo' section, which contains the VMware logos you see during BIOS execution.
Also note that, as pointed out on this page, if you are using VMware Fusion, you may actually be able to extract the various embedded binaries using the -e switch (the page linked also provides a list of all the binaries you can extract). Sadly however, this switch doesn't apply to VMware Player on Windows...
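
Steps 2 and 4 above, as an added Python example that is not part of the original post: it inflates the zlib-compressed section dumped by the objcopy command, identifies the image from the sizes quoted in step 2, and rewrites a .vmx so that each firmware key appears exactly once. The function names and the sample data are constructed for illustration; efi64.filename is the .vmx key for the 64-bit image.

```python
import zlib

BIOS_SIZE = 524_288      # 512 KB BIOS image (bios440), size quoted in step 2
UEFI_SIZE = 2_097_152    # 2 MB UEFI image, size quoted in step 2


def inflate_rom(section: bytes) -> bytes:
    """Inflate the zlib stream that objcopy dumped from the bios440 section."""
    inflater = zlib.decompressobj()
    rom = inflater.decompress(section)
    if not inflater.eof:
        raise ValueError("truncated zlib stream, section dump is incomplete")
    # Bytes after the end of the stream land in inflater.unused_data and are ignored.
    return rom


def vmx_settings(rom: bytes, rom_name: str, arch: str = "x64") -> dict:
    """Pick the .vmx keys for an image from its size (UEFI also needs arch)."""
    if len(rom) == BIOS_SIZE:
        return {"bios440.filename": rom_name}
    if len(rom) == UEFI_SIZE:
        key = {"ia32": "efi32.filename", "x64": "efi64.filename"}[arch]
        return {"firmware": "efi", key: rom_name}
    raise ValueError(f"{len(rom)} bytes is neither a 512 KB BIOS nor a 2 MB UEFI image")


def apply_to_vmx(vmx_text: str, settings: dict) -> str:
    """Return the .vmx text with each key set exactly once (old values dropped)."""
    wanted = {key.lower() for key in settings}        # keys compared case-insensitively
    kept = [line for line in vmx_text.splitlines()
            if line.split("=", 1)[0].strip().lower() not in wanted]
    kept += [f'{key} = "{value}"' for key, value in settings.items()]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Constructed stand-ins: a blank 512 KB image and a two-line .vmx file.
    dumped = zlib.compress(b"\xff" * BIOS_SIZE) + b"\x00\x00"   # with trailing padding
    rom = inflate_rom(dumped)
    vmx = 'displayName = "fw-test"\nbios440.filename = "old.rom"\n'
    print(apply_to_vmx(vmx, vmx_settings(rom, "bios440.rom")), end="")
```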

11 comments:

  1. This will come in handy as I'm migrating to the 4.x line soon. Thanks!

  2. Hi. I changed the DMI information (Vendor, Serial Number) and saved the BIOS but still the BIOS Serial Number shown in the VM is the one created by Vmware. Any idea ?

    I can't find a way to have the Serial Number of the VM set the physical machine value (displayed by dmidecode -t1).
    With Virtualbox I managed to have it working easily (DmiSystemSerial parameter).
    Any idea ?
    I've the following vmx extra parameters :
    bios440.filename = "bios440-new.rom"
    SMBIOS.reflectHost = "TRUE"
    SMBIOS.useShortSerialNumber = "True"

  3. That's something I never tried, and of course, since the hardware is emulated, VMWare are free to pick the data from the BIOS, or override it with their own value. I'm afraid I can't help you there...

  4. Hi.
    I had done modification of "v_m_w_a_r_e_-_v_m_x.e_x_e" (x32 or x64) to change vendor's string in SMBIOS serial number. Try to find the string "VMware-s%" in the file and change it.

    Replies
    1. please, give the details. I can not find out how to change the serial number

    2. Look, you must use any HEX editor to find string "VMware-s%" in v_m_w_a_r_e__v_m_x_.exe (32/64 bit version). After the string has been found - make the change in HEX editor, for example "MYware-s%".

    3. And VMware's UUID can be changed via: "uuid.bios = " parameter in the .vmx configuration file.

    4. @Aristarkh, this worked perfectly as long as the string you replace with matches the number of bytes exactly (I personally removed the entire %s). Thanks so much for the tip! It sucks this is stored in the vmware-vmx executable itself.

  5. I follow the instruction: using 7zip to extract rom 512KB. Then, using Phoenix editor to change bios info. In sub windows "DMI string", there are lines: "Serial Number" "System Serial Number" "Chassis Serial Number". I have tried to modify all. But Serial Number of Virtual Machine is still auto-generated.
    Please, help! Thanks so much!

  6. > 3. Edit the BIOS as you see fit.

    If you are on Windows, you should use msinfo32 command and any binary editor instead of a Phoenix Bios Editor.

    --
    @echo off
    if exist %SystemRoot%\System32\msinfo32.exe (
    %SystemRoot%\System32\msinfo32.exe
    ) else (
    rem Windows XP
    "%CommonProgramFiles%\Microsoft Shared\MSInfo\msinfo32.exe"
    )
    --

    Windows XP:
    Get the Value of the Item "System Manufacturer" as the text string with msinfo32 command.
    Search the BIOS file for the first string area storing "VMware, Inc." with any binary editor.
    Edit this string area in the BIOS file for the text string + \0 + complementary 1 byte checksum.

    (Example)

    Before:
    addrs: V_ M_ w_ a_ r_ e_ ,_ __ I_ n_ c_ ._ \0 __ __ __ __ __ __ __ __ __ __ __ __ __ \0
    72799: 56 4D 77 61 72 65 2C 20 49 6E 63 2E 00 FF FF FF FF FF FF FF FF FF FF FF FF FF 00

    After:
    72799: 48 65 77 6C 65 74 74 2D 50 61 63 6B 61 72 64 00 22 FF FF FF FF FF FF FF FF FF 00

    Notes:
    0x00 (\0) is the string terminator.
    0x22 is a complementary 1 byte checksum of this string area.
    0xFF is a padding.

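
The checksum fix-up described in the last comment, as an added Python example (not the commenter's code): the 0x22 byte is the value that keeps the byte sum of the 27-byte area, modulo 256, the same before and after the edit (0xD9 in both rows), and the function below computes that byte for any replacement string. The function name and the area layout it assumes (string, 0x00, one compensation byte, 0xFF padding, original last byte) are inferred from that single example.

```python
# Bytes copied from the comment's example (27-byte area at offset 72799).
BEFORE = bytes.fromhex("564D776172652C20496E632E00" + "FF" * 13 + "00")
AFTER = bytes.fromhex("4865776C6574742D5061636B61726400" + "22" + "FF" * 9 + "00")


def patch_string_area(area: bytes, new_text: bytes) -> bytes:
    """Rewrite a padded string area without changing its byte sum modulo 256.

    Assumed layout: text, 0x00 terminator, one compensation byte, 0xFF
    padding, then the area's original last byte, which is left untouched.
    """
    if 0 in new_text:
        raise ValueError("replacement string must not contain 0x00")
    body_len = len(area) - 1                   # everything except the last byte
    pad = body_len - len(new_text) - 2         # minus terminator and compensation byte
    if pad < 0:
        raise ValueError("replacement string does not fit in the area")
    text = new_text + b"\x00"
    # Sum of every byte of the new area except the compensation byte itself.
    partial = sum(text) + 0xFF * pad + area[-1]
    comp = (sum(area) - partial) % 256         # restores the original sum mod 256
    patched = text + bytes([comp]) + b"\xff" * pad + area[-1:]
    assert len(patched) == len(area)           # the image size must not change
    return patched


def area_sum(area: bytes) -> int:
    """8-bit additive sum of the area, the quantity the patch preserves."""
    return sum(area) % 256


if __name__ == "__main__":
    patched = patch_string_area(BEFORE, b"Hewlett-Packard")
    print(patched.hex(" ").upper())
    print(f"sum before 0x{area_sum(BEFORE):02X}, after 0x{area_sum(patched):02X}")
```

Because the area's sum is unchanged, any 8-bit additive checksum computed over a range containing the area stays valid without being recalculated.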