corna / me_cleaner

Tool for partial deblobbing of Intel ME/TXE firmware images
GNU General Public License v3.0

Dell Latitude E7450 potential bios EC change, unable to reflash safely. #321

Open czeej opened 4 years ago

czeej commented 4 years ago

Every dump I get now tells me the ME is corrupted or missing, and they are not identical between two dumps either. Although I only did a soft disable with blacklisting of the network stack, I did not change the descriptor regions, which is the reason I came back to try to flash it again.

Note: lspci does not register any ME region when booted in.

However, now I can't seem to get a valid dump. It is telling me specific memory regions are bad.

I never used the descriptor modifier in me_cleaner either, which I believe I should have done.

Sticky keys seems to like to activate (at least I get the xfce popup with no noticeable effect on my typing..) for no apparent reason as well. It was not removed, as it won't boot, or modified. The only partition I could get was the ME network stack, but I believe Dell has its own, and without the descriptor region modified I'm afraid it's no good.

Can't seem to get valid dumps anymore. Not sure why this is; anyone more experienced able to help me troubleshoot?

Update: I tried a USB programmer, a CH341A. My Pi is getting overcurrent warnings, which is odd. I was able to read some other SPI chips using this programmer and write without such warnings (maybe my laptop is dying?). I was reading some things in flashrom's documentation about BIOS and block protection. flashrom did give me warnings of block protection; I'm thinking something in the Dell BIOS flipped or hardware is acting up. I did do a BIOS update, through Dell's utility. This may be the cause. Although, I did have it update by itself before without me doing so with Dell's utility.

See here: https://github.com/corna/me_cleaner/issues/267

mostav02 commented 4 years ago

I have never tried dumping this laptop in-circuit, but had a friend unsolder and dump 2 chips off-circuit for me via an external programmer called BeeProg+ (we dumped 4MB and 8MB chips).

The dumps were correct but we made them before August 2017, so there was no -s flag in me_cleaner and HAP&AltMeDisable were undiscovered, and since vPro-enabled laptops (including E7450) have Boot Guard enabled, using old versions of me_cleaner before August 2017 would always fail, which is exactly what happened back on that date during our attempt: the laptop was turning on and turning off instantly (typical BG-enabled BIOS behavior).

I would have liked to try flashing it again with -s, which would only modify the FD without touching the ME region, but unfortunately I have no external programmer to do so right now, nor is my friend reachable anymore.

However, I will drop these dumps here in case they may help to debug yours and other problems. The 8MB one is the correct one; I don't know what the 4MB chip is for, but it was the nearest chip so we dumped it too, just in case. The BIOS on this one is A13.

Dell_E7450.A13.spi_dumps.zip

Hope it may help in some way. Maybe you can compare your dumps against those and make some conclusions.

czeej commented 4 years ago

If you try again I recommend removing the Descriptor region, as an attempt to prevent the Dell BIOS from interacting with the ME kernel. I am only speculating and know nothing of what is going on under the hood. However, the fact that I was able to remove the network partition and still have a successful boot, and the presence of root certificates in older Dell BIOS, tells me the Dell BIOS may have its own network stack (or Coreboot documentation mentioning NIC boards have their own firmware), making the Intel ME network stack redundant anywho.

Again, thanks for the dump. I could provide my successful dumps; however, now I cannot get two matching dumps. The external programmer / just Raspi SPI to breadboard is not working on this laptop. Some kind of block protection or real corruption in the EEPROM. Again, the external programmer is giving me overcurrent warnings. Potential corruption or hardware issues. All dumps were in-circuit, but as you know you must remove the battery to get under the hood anyway. I usually like to hit the power button a few times without the battery to discharge extra electrons. However, I may have skipped that step a few times.

I feel de-soldering and putting a new pre-flashed Winbond on would be a potential solution. However, as far as I'm concerned the laptop is not comfortable for me to use at the current moment. Thanks for the comment. Potentially virtualization features in the BIOS are enabling some Boot Guard, but as it turns out it is actually disabled atm. I'm not sure what would be causing specific memory addresses to consistently give me warnings on dumps.

These probably won't help anyone; the original will be below. Can't get matching sums or anything. They are bad reads: I cannot get consistent readings and cannot write in this condition. Other EEPROM reads are working fine. Also, to be noted, when I write to the flash chip I take a dump to double-verify it is the same as what I put in. With time and usage passing I cannot get a good dump anymore from this flash chip. baddumps.zip

GoodSums.zip You will see the original FW inside this one; one of the modified ones is what I wrote to the chip. Pretty sure one of these booted. I had a simple soft disable but started seeing if I could get a boot with something removed, and sure enough the NFTP could be removed and still get a boot. However, I can't verify the current image anymore, so no idea what is going on in there now. These probably won't help anyone but may show you what I did. I hadn't modified the image any more than whitelisting most of the modules and removing the NFTP FTPR module, and got a good boot. whitelist.zip

What I should have done was maybe also use the descriptor flag, although it may be too late now ^^. Hopefully me sharing this helps some others.

PS: I may have ruined the signing by removing NFTP; however, this doesn't explain why the signing is not consistent between new reads. There may be something wrong: my external programmer is giving me overcurrent warnings and cannot even get a dump. So maybe there is a hardware issue more so than a firmware one.

mostav02 commented 4 years ago

Potentially virtualization features in bios are enabling some boot guard but as it turns out it is actually disabled atm.

Generally all of those models are BG enabled and have both Measured Boot and Verified Boot enabled, such as on mine. I have 2 of those laptops bought in different countries and both of them are BG MB&VB enabled. It's actually very weird that you had BG disabled on the E7450, and maybe it was a possible source of your suspicious problems.

Today I've got an external programmer and reconfirmed that this laptop won't power on once you modify the BIOS or ME region. The only possible way of deactivating ME here is by enabling the AltMeDisable bit, which actually works pretty fine, as I've just done and tested.

Anyway, what's good is I've figured out that it's possible to disable ME on the E7450 without using an external programmer! I know it would not be interesting to you since you got rid of the laptop, but I will still leave it here so that no one needs to run into the same problems we had.

What is needed: a screwdriver, a USB mouse&keyboard and this laptop running Windows 7 (unfortunately there is no Intel's FPT for Linux).

pteONWM (backup image link)

In this case we only need to dump, modify and flash the Flash Descriptor.

The output may look like this upon flashing:

```text
C:\fucknsa\Intel ME System Tools v10.0 r7\Flash Programming Tool\WIN64>fptw64.exe -DESC -F dumpedAndModifiedFD.bin
Intel (R) Flash Programming Tool. Version: 10.0.30.1054
Copyright (c) 2007 - 2014, Intel Corporation. All rights reserved.

Platform: Intel(R) Premium Express Chipset
Reading HSFSTS register... Flash Descriptor: Valid

--- Flash Devices Found ---
W25Q64BV    ID:0xEF4017    Size: 8192KB (65536Kb)
W25Q32BV    ID:0xEF4016    Size: 4096KB (32768Kb)

PDR Region does not exist.

- Reading Flash [0x001000] 4KB of 4KB - 100% complete.
- Erasing Flash Block [0x001000] - 100% complete.
- Programming Flash [0x001000] 4KB of 4KB - 100% complete.
- Verifying Flash [0x001000] 4KB of 4KB - 100% complete.
RESULT: The data is identical.

FPT Operation Passed
```

After rebooting you will not see the ME interface anymore anywhere.

Offtopic: I've noticed that the BIOS in the E7450 has a lot of cool hidden options; it would be good to know how to enable them. Attachment: E7450 BIOS SetupPrep UEFI IFR extracted.txt

czeej commented 4 years ago

Also to be noted for others: I may have run into signing issues, either because I removed the NFTP partition (all partitions are signed, so maybe it messed up the signature by removing the stack; it boots without it. I did a soft disable but wanted to remove as much as I could), or because I had a short circuit: my Raspi hard reset when connecting the clip. This was the only board this had happened on. However, it was reading fine after that; it was only with continued use that when I wanted to re-dump I couldn't.

Anyway, that is a cool discovery. I wonder how you found out that shorting the Realtek SMD would allow you to get a dump. Odd, you'd think the two wouldn't be related ;)

mostav02 commented 4 years ago

I wonder how you found out that shorting the Realtek SMD would allow you to get a dump.

There: http://forum.notebookreview.com/threads/guide-dell-precision-m6800-m4800-sbios-mod.788481/#post-10204348

It's mentioned as the "HDA_SDO" jumper or "Flash Descriptor Security Override" in some original sources such as:

https://www.intel.co.uk/content/dam/doc/datasheet/io-controller-hub-10-family-datasheet.pdf (page 78)
https://www.intel.co.uk/content/dam/www/public/us/en/documents/datasheets/6-chipset-c200-chipset-datasheet.pdf (page 91)
https://github.com/ptresearch/me-disablement/blob/master/How%20to%20become%20the%20sole%20owner%20of%20your%20PC.pdf (slide 17)
http://www.corus.pro/pilotes/CorusX/X37/XP/ME/SPI%20Programming%20Guide.pdf
https://libreboot.org/docs/hardware/gm45_remove_me.html

This seems to be a universal method of enabling a security override on most Intel platforms that use the High Definition Audio codec. It unlocks all the ROM regions.

By the way, I've dumped the full 12MB ROM from 2 chips (W25Q64 as 8MB + W25Q32 as 4MB) and noticed that they work as striped storage (kind of RAID0). I've made some binary comparisons between the dumps I had made with the external programmer and those I made now via FPT. Basically, when you get the dump of one of them you get incomplete info; that's why I was unsure what the purpose of the 4MB one was before I discovered FPT these days.

The best way of flashing and reading them is internally because it keeps the data consistent. However, in this case we only need the FD, which is the first 4 KB of the W25Q64 (8MB).
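A small offline check for the two recurring problems in this thread: repeated reads of the same chip that no longer agree, and the flash descriptor that occupies the first 4 KiB of the 8 MB chip. This is an added example, not code from me_cleaner or from either poster; the image layout it builds is constructed sample data, not a real Dell dump, and it reads the five classic FLREG entries (Descriptor, BIOS, ME, GbE, PDR) at the FRBA offset from FLMAP0.

```python
import struct

FD_SIGNATURE = 0x0FF0A55A                        # descriptor magic, at offset 0x10
REGION_NAMES = ["Descriptor", "BIOS", "ME/TXE", "GbE", "PDR"]

def parse_descriptor(image: bytes) -> dict:
    """Map region name -> (start, end) from the descriptor at the image start.
    A missing signature is what a 'corrupted or missing ME' dump shows first."""
    sig, flmap0 = struct.unpack_from("<II", image, 0x10)
    if sig != FD_SIGNATURE:
        raise ValueError("flash descriptor signature not found at offset 0x10")
    frba = ((flmap0 >> 16) & 0xFF) << 4           # Flash Region Base Address
    regions = {}
    for i, name in enumerate(REGION_NAMES):       # FLREG0..FLREG4, 32 bits each
        flreg = struct.unpack_from("<I", image, frba + 4 * i)[0]
        start = (flreg & 0x1FFF) << 12
        end = (((flreg >> 16) & 0x1FFF) << 12) | 0xFFF
        if start <= end:                          # base > limit marks an unused region
            regions[name] = (start, end)
    return regions

def unstable_sectors(dumps, sector=0x1000):
    """Offsets of 4 KiB sectors where any later read differs from the first.
    An empty list is the consistent state a dump needs before it is trusted."""
    ref = dumps[0]
    if any(len(d) != len(ref) for d in dumps):
        raise ValueError("all dumps must be the same size")
    return [off for off in range(0, len(ref), sector)
            if any(d[off:off + sector] != ref[off:off + sector] for d in dumps[1:])]

def region_of(regions, offset):
    """Name the descriptor region an offset (e.g. a flaky sector) falls in."""
    for name, (start, end) in regions.items():
        if start <= offset <= end:
            return name
    return "unassigned"

def build_sample_image(size=0x800000):
    """Constructed 8 MiB image with a minimal valid descriptor (sample data only)."""
    img = bytearray(b"\xff" * size)
    struct.pack_into("<II", img, 0x10, FD_SIGNATURE, 0x04 << 16)   # FRBA = 0x40
    flregs = [0x00000000,   # Descriptor 0x000000-0x000FFF
              0x07FF0700,   # BIOS       0x700000-0x7FFFFF
              0x06FF0003,   # ME         0x003000-0x6FFFFF
              0x00020001,   # GbE        0x001000-0x002FFF
              0x00001FFF]   # PDR        unused (base 0x1FFF > limit 0)
    struct.pack_into("<5I", img, 0x40, *flregs)
    return bytes(img)
```

Feed `unstable_sectors` the raw files from several reads; any offsets it returns are sectors to distrust, and `region_of` tells you whether they land in the ME, BIOS or descriptor region.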

czeej commented 4 years ago

I'm also curious what the 32 flash was in the 4Mb storage. That one definitely had read protection/block protection even while using an external programmer. I assumed it was part of the Dell BIOS, potentially where Computrace is stored. If it is RAID, it reminds me of another Dell implementation where they had a single SPI chip with two chip numbers coming up. It was as if the SPI had two partitions in RAID, with two separate ME regions (I assumed it was an integrity check or something). Either that or flashrom didn't know what chip it was, but when I specified what chip, both got identical dumps. I wrote to both just to be sure. It had 16 Mb of storage though. It booted with soft disable as well. (I'll upload it when I get the backup; maybe Igor or someone with more experience and knowledge could analyze it better than I could.)

flashrom has verify features. External programmers usually work quite well, and backups are easy. But in-circuit on laptops can be tricky, and your method seems quite nice aside from needing to boot Windows. Thanks for the input.

Also, with the Flash Image Tools can you effectively change manufacture settings? I am aware you can change the BIOS with ME disabled or removed on some Dells. If you remove the ME partitions, the BIOS update will hang though. I've managed to update with FreeDOS though.

How is your boot behaviour? Does it boot the first time after hitting the power? I had to hit it twice from a cold start. It would turn on, then off, then back on again and boot. (This is unfortunate, as I know I cannot remove the ME kernel..)

Also, is it true that in Gen 6 and later there is an ME region living inside the CPU? That slide from Positive Technologies (PTresearch) from your link seems to diagram that. However, as I understand it, ME is stored in the flash region, not in the CPU.

Offtopic: In Windows I have disabled certain triggers by modifying the binary. I am sure someone found the variable by modifying settings they could switch and reading what they were changing in the binary, then knowing what section to flip to turn enable into disable. But that sounds like time-consuming guesswork.

Edit: I might have messed up a MOSFET. Might be why I am getting overcurrent warnings. I may have been a bit of a dunce and clipped onto a MOSFET that I mistook for an 8-pin SPI flash. Could be all it was. I am still somewhat inexperienced in these matters, so my guess is probably not very good :) I was just digging around to see if I could dump this Computrace module in the BIOS and maybe dig through it.