corna / me_cleaner

Tool for partial deblobbing of Intel ME/TXE firmware images
GNU General Public License v3.0
4.51k stars 279 forks source link

Interesting issue, Dell bios updating on Latitude 7450 #267

Open czeej opened 5 years ago

czeej commented 5 years ago

The dell bios managed to update remotely, I had disabled the Network stack on intel ME. (removed it) after the bios updated the laptop wouldn't boot up without crashing. (screen would glitch and have artifact) I thought maybe it overheated with the visual que it looked like hardware damage. Untill after I re-seated the ram. It booted up fine. Noticed now the bios is at a different version. That's how it is, just a warning to you dell users.

I have absolute software on here, but I know computrace doesn't work in linux. I e-mailed the guys there and they disabled it for me. Need windows on the pc for it to run and contact server though.

I may re image it and re flash ME. I feel replacing the Wifi card to one that does not require non-free firmware would maybe prevent this issue in the future untill I manually flash my Bios.

It was A02 and had changed to A04. I know it's an old version but I was surprised to say the least the Bios updated. Oh and I may have to check the ME firmware again when i get time, I think it is modified with a unrecognized hash. (could be a bad dump. seems corrupt, can't get two dumps to be the same when I had everything set up)

Anyone else using dell notice the same thing? soft disable ME can lead to bios updates? I think Dell would not be happy if someone managed to decompile it. Edit: i've managed to dump the other bios but I don't think they are not consistent no ME region is present.

Btw Corna + team, you guys are godlike.

Ps; Lesson learnt change your wifi cards to something free non-intel.

benjamindoron commented 5 years ago

If it updated from A02 to A04, this might simply be LVFS - Linux Vendor Firmware Service (https://fwupd.org/).

czeej commented 4 years ago

I have my doubts, I was only using free software and did not add in non-free repos.

This happened and I could not boot screen would be buggy ext. Only got a boot after re-seating ram. After I re-seated ram, bios was updated. It was near similar E7450 laptops as well Although I have no idea what happened. I can flash bios with Dells built in tools, but just changed bios version back to A01, and then to A03.

Also to be noted I have Audio issues, network card is a 7265. require iwlwifi non-free drivers to work.

I come back now because I see people modifying their ME regions on skylake, however having issues on this laptop getting dumps.

I will get message chip is not detected in flash rom. Second attempt it will find it. It will alternate between found and not found. with non of the dumps matching. Worried writing a new dump will brick it.

mostav02 commented 4 years ago

It's somehow scary after reading your post. I had already other weird behaviors on this laptop, but well, will not going to describe them now because it may be unconfirmed paranoid stuff.

Is there any possibility you can try to provide more details on the circumstances when BIOS was automatically updated or you could do any further investigation on what happened? I have never experienced this issue, however I have a newer BIOS version.

I googled and didn't find anything that mention automatic BIOS updates without user consent on when running Linux without UEFI. However, apparently there are some users who report automatic updates when on Windows 10, but I think it's only Win10 related.

I found an ath9k-compatible M.2 (NGFF, A+E keyed) wifi card on Ebay which doesn't require non-free blobs, works perfectly on this laptop.

If it updated from A02 to A04, this might simply be LVFS - Linux Vendor Firmware Service (https://fwupd.org/).

I didn't find any BIOS updates for E7450 on fwupd.org, must be something else.

czeej commented 4 years ago

I'd like to hear your unconfirmed Paranoid stuff. Maybe you could e-mail me? I had also some odd behaviour. Although, my home was un-encrypted. While my root was.. But an Issue I have not encountered before but maybe due to the fact I didn't encrypt home :-1: Although, again I had a few reasons to be paranoid. Maybe we had similar things popping up in our home directories ;) Sticky keys popup on Xfce, but no effect on my typing ? Also, I'd turn it on. It would turn off. then Turn it off again and it would start the boot process. So, I don;t know.

Yes, maybe it's only scary from a dell perspective but reading around the internet there doesn't seem to be a way for it to happen remotely besides windows10 that I know of. Just never had it update before I flashed it. Maybe totally un-related though.

Yes, it did update.. However, I probably dual booting at the time to run Inteli CAD at school. I guess that slipped my memory! I don't think there really is much to worry about. I think your right about windows doing the updating.

If I remember maybe the failed booting I set the laptop down a little fast on a hard counter and the ram might of been only half seated. So it booted but visuals were green tinted and would crash at slim login screen. Re-seating would fix it. I think that was just me being paranoid. ^_^ I do mess with windows to close it but I usually try not to break updates and turn off driver updates in GP.

Although, that's good you got a free wifi card :). I feel dell bios does have capabilities. They are enterprise choice usually, Yeah, got my memory jogging forgot I was dual booting for CAD I had 30 gb or so partitioned for windows and CAD. Sorry to spread paranoia.

But the Absolute Software was enabled.. Computrace fueling my paranoia. But I had contacted them by email gave them my Service tag and they told me they would disable it about when I made this post a year ago. It's still enabled in bios, but I emailed them recently about two weeks ago. Plugged in a windows install wired to modem for 4 days. They told me it made no calls to them. So it re-assured me they did disable it. Although Bios is still greyed out. So I am less paranoid now after talking directly with the guys at Absolute . lspci shows no trace of ime, so that is good sign.

As for Dell, I'm sure bios is not all that bad, ( i did manage to get a dump of some Dell bios although, you can just download them however, they usually are packaged in an exe) although I know on older bios they need DOS to update. And Mr.Robot didn't help with the E corp symbolism. Anyway. A free wifi card should harden your system. Less non-free blobs the better :v: . Also, maybe changing Ime password before soft disable might help I don't know.

This topic maybe should be closed, However, I still have the issue of not being able to get a good dump of the image anymore :) which I have opened a second topic about. I think maybe it's ok to be little paranoid, but it's maybe OK to relax a bit as well. Please forgive my ranting, I guess it was probably a windows updating the bios. Although, Oddly enough A04 was much older then the most recent revision.

czeej commented 4 years ago

Hey, interesting my email is jsoip@tuta.io. I have had similar intrusions running a free operating system (Mostly minus the wifi driver) (My git hub account is registered to outlook which is not encrypted or anything so) Installed on bare metal. I believe this latitude 7450 might be a nasty one. My host name from the start was quite suiting I believe 😉


From: mostav02 notifications@github.com Sent: March 23, 2020 7:59 PM To: corna/me_cleaner me_cleaner@noreply.github.com Cc: czeej jessie_pucci@hotmail.com; Author author@noreply.github.com Subject: Re: [corna/me_cleaner] Interesting issue, Dell bios updating on Latitude 7450 (#267)

In your case, since you disclosed some details about your usage and there was Windows OS involved, I believe it was caused by Windows exactly. In my case, while it could be called paranoia, I still believe my machine was intruded by some agency without my consent. The only attack vector I could find in my case is IME, since it provides Full Network manageability with KVM functionality on its own. I use a diskless configuration on this laptop where the Linux OS loads from a removable media in a toram mode, thus all the system binaries are always read-only, so there is very low probability of a local infection. What actually happens from time to time is my private unread chats are being read without my consent. Sometimes I just leave the laptop while doing other stuff and when I get back to it there are new private messages that I never had read are marked as read... I work in the infosec area for a long time and used all my experience to inspect the system and haven't found any sign of malware. It could be a bug in the chat software but I doubt, since it's a known and stable FOSS program. Yes I could email you if you drop your email address.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHubhttps://github.com/corna/me_cleaner/issues/267#issuecomment-602963141, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AIMNXRMXLDWLPEVPQQPIOWDRJAHZ7ANCNFSM4HBSCRNA.