corna / me_cleaner

Tool for partial deblobbing of Intel ME/TXE firmware images
GNU General Public License v3.0

Zbook 15 G1 a no go? #292

Open ing0th opened 5 years ago

ing0th commented 5 years ago

Running me_cleaner 1.2 on a pure ME 9.1.45.3000 firmware binary:

```
ME/TXE image detected
Found FPT header at 0x10
Found 28 partition(s)
Found FTPR header: FTPR partition spans from 0x160000 to 0x210000
ME/TXE firmware version 9.1.45.3000 (generation 2)
Public key match: Intel ME, firmware versions 9.0.x.x, 9.1.x.x
Reading partitions list...
PSVN (0x00000bc0 - 0x000000c00, 0x00000040 total bytes): removed
FOVD (0x00000c00 - 0x000001000, 0x00000400 total bytes): removed
MDES (0x00001000 - 0x000002000, 0x00001000 total bytes): removed
FCRS (0x00002000 - 0x000003000, 0x00001000 total bytes): removed
EFFS (0x00003000 - 0x0000df000, 0x000dc000 total bytes): removed
BIAL (NVRAM partition, no data, 0x0000add3 total bytes): nothing to remove
BIEL (NVRAM partition, no data, 0x00003522 total bytes): nothing to remove
BIIS (NVRAM partition, no data, 0x00036000 total bytes): nothing to remove
NVCL (NVRAM partition, no data, 0x000069c9 total bytes): nothing to remove
NVCM (NVRAM partition, no data, 0x0000439b total bytes): nothing to remove
NVCP (NVRAM partition, no data, 0x0000a445 total bytes): nothing to remove
NVHM (NVRAM partition, no data, 0x00000058 total bytes): nothing to remove
NVJC (NVRAM partition, no data, 0x00003da0 total bytes): nothing to remove
NVKR (NVRAM partition, no data, 0x00005fb4 total bytes): nothing to remove
NVNF (NVRAM partition, no data, 0x0000175f total bytes): nothing to remove
NVOS (NVRAM partition, no data, 0x0003a34d total bytes): nothing to remove
NVSH (NVRAM partition, no data, 0x000022c0 total bytes): nothing to remove
NVSM (NVRAM partition, no data, 0x00001de8 total bytes): nothing to remove
NVTD (NVRAM partition, no data, 0x00001feb total bytes): nothing to remove
NVUK (NVRAM partition, no data, 0x00008940 total bytes): nothing to remove
PLDM (NVRAM partition, no data, 0x000043c5 total bytes): nothing to remove
TMNN (NVRAM partition, no data, 0x000001a6 total bytes): nothing to remove
GLUT (0x000df000 - 0x0000e8000, 0x00009000 total bytes): removed
LOCL (0x000e8000 - 0x0000ec000, 0x00004000 total bytes): removed
WCOD (0x000ec000 - 0x000160000, 0x00074000 total bytes): removed
FTPR (0x00160000 - 0x000210000, 0x000b0000 total bytes): NOT removed
NFTP (0x00210000 - 0x00048a000, 0x0027a000 total bytes): removed
MDMV (0x0048a000 - 0x0004ca000, 0x00040000 total bytes): removed
Removing partition entries in FPT...
Removing EFFS presence flag...
Correcting checksum (0xd9)...
Reading FTPR modules list...
UPDATE (LZMA , 0x1c6487 - 0x1c66b1 ): removed
ROMP (Huffman, fragmented data, ~1 KiB ): NOT removed, essential
BUP (Huffman, fragmented data, ~70 KiB ): NOT removed, essential
KERNEL (Huffman, fragmented data, ~226 KiB ): removed
POLICY (Huffman, fragmented data, ~99 KiB ): removed
ClsPriv (LZMA , 0x1c66b1 - 0x1c6a8a ): removed
SESSMGR (LZMA , 0x1c6a8a - 0x1d2413 ): removed
SESSMGR_PRIV (LZMA , 0x1d2413 - 0x1d7d03 ): removed
HOSTCOMM (LZMA , 0x1d7d03 - 0x1e0035 ): removed
TDT (LZMA , 0x1e0035 - 0x1e53fa ): removed
FPF (LZMA , 0x1e53fa - 0x1e6ef9 ): removed
The ME minimum size should be 1560576 bytes (0x17d000 bytes)
Checking the FTPR RSA signature... VALID
Done! Good luck!
```

Everything seems to check out, but it errors out with:

Error 8771: Invalid File

when trying to flash, just as with another ZB15 owner: https://github.com/corna/me_cleaner/issues/144

Ran the ME Analyzer Python script on the modded binary and it gives me this:

ME Analyzer v1.94.0 r173

me(modded).bin (1/1)

| Field | Value |
|---|---|
| Family | ME |
| Version | 9.1.45.3000 |
| Release | Production |
| Type | Region, Stock |
| SKU | 5MB |
| Security Version Number | 1 |
| Version Control Number | 17 |
| Production Version | Yes |
| Date | 2018-06-13 |
| Size | 0x210000 |
| Chipset Support | LPT/WPT |
| Latest | Yes |

Warning: File size exceeds firmware, data in padding!

Here's the untouched binary:

me.bin (1/1)

| Field | Value |
|---|---|
| Family | ME |
| Version | 9.1.45.3000 |
| Release | Production |
| Type | Region, Stock |
| SKU | 5MB |
| Security Version Number | 1 |
| Version Control Number | 17 |
| Production Version | Yes |
| Date | 2018-06-13 |
| Size | 0x8D2000 |
| Chipset Support | LPT/WPT |
| Latest | Yes |

I did a side by side of both binaries in HxD and I'm stumped. Everything looks okay. Is this just a problem with the 9 series FWUpdate tool or the way me_cleaner pads the data it's extracted? I can see MEA is reading the modded file as being smaller, which means it's ignoring the padding, but then the FWUpdate tool says the file size exceeds the firmware??

Is there any way to get past this or are ZB 15 owners stuck with the hardware SPI flashing route?

Any chance of an AltMeDisable bit setting option for ME-less BIOS binaries?
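
A way to check, from an ME image itself, the condition ME Analyzer warns about above (a file longer than the partition data its FPT describes). This is an added example, not part of the original post and not me_cleaner's code. The FPT field offsets (`$FPT` at 0x10, entry count at 0x14, 0x20-byte entries from 0x30 with offset at +0x08, length at +0x0c, flags at +0x1c) are assumptions, and the sample image is constructed from the FTPR range in the log plus an assumed file length equal to the untouched binary's reported size.

```python
import struct

# Assumed FPT layout (see lead-in); not taken from the page.
FPT_MAGIC_OFF, ENTRY_COUNT_OFF, ENTRIES_OFF, ENTRY_SIZE = 0x10, 0x14, 0x30, 0x20

def fpt_partitions(image):
    """Return [(name, start, end)] for FPT entries that hold data in the image."""
    if image[FPT_MAGIC_OFF:FPT_MAGIC_OFF + 4] != b"$FPT":
        raise ValueError("no $FPT header at 0x10")
    (count,) = struct.unpack_from("<I", image, ENTRY_COUNT_OFF)
    if ENTRIES_OFF + count * ENTRY_SIZE > len(image):
        raise ValueError("entry table runs past end of file")
    parts = []
    for i in range(count):
        base = ENTRIES_OFF + i * ENTRY_SIZE
        name = bytes(image[base:base + 4]).rstrip(b"\x00").decode("ascii", "replace")
        start, length = struct.unpack_from("<II", image, base + 0x08)
        (flags,) = struct.unpack_from("<I", image, base + 0x1C)
        # NVRAM entries (type 2) and empty entries occupy no bytes of the image.
        if flags & 0x7F == 2 or start in (0, 0xFFFFFFFF) or length == 0:
            continue
        parts.append((name, start, start + length))
    return parts

def trailing_bytes(image):
    """Return (end of last data partition, bytes in the file past that point)."""
    extent = max((end for _, _, end in fpt_partitions(image)), default=0)
    return extent, len(image) - extent

def build_sample(file_len, entries):
    """Constructed test image: 0xff fill plus a minimal FPT."""
    img = bytearray(b"\xff" * file_len)
    img[FPT_MAGIC_OFF:FPT_MAGIC_OFF + 4] = b"$FPT"
    struct.pack_into("<I", img, ENTRY_COUNT_OFF, len(entries))
    for i, (name, start, length, flags) in enumerate(entries):
        struct.pack_into("<4s4xII12xI", img, ENTRIES_OFF + i * ENTRY_SIZE,
                         name, start, length, flags)
    return img

# Constructed sample: FTPR range from the log, one made-up NVRAM entry,
# file length assumed to match the untouched binary (0x8D2000).
SAMPLE = build_sample(0x8D2000, [(b"FTPR", 0x160000, 0xB0000, 0),
                                 (b"NVCL", 0x1234, 0x69C9, 2)])

if __name__ == "__main__":
    extent, extra = trailing_bytes(SAMPLE)
    print(f"partition data ends at {extent:#x}; {extra:#x} bytes follow it")
```
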