corna / me_cleaner

Tool for partial deblobbing of Intel ME/TXE firmware images
GNU General Public License v3.0

Recreating FULL 12Mb ROM image from Lenovo downloaded, neutered+deactivated xx30 ME exe #327

Closed tlaurion closed 7 months ago

tlaurion commented 4 years ago

Hello there,

Attempting to bridge the legal gap/inertia in creating full 12mb reproducible Heads ROM images.

I realized recently that:


  - This shows some inconsistencies, resulting in the full ROM not containing a valid GBe region, since the result is as if the Gbe region was not included.

- ifdtool -d on the extracted ifd.bin shows the same result as when asking a dump on the whole generated coreboot.rom on this [commit](https://github.com/osresearch/heads/pull/703/commits/4fd74740893fc1025c1a718455e7808bdaaedc46)

Resulting [full ROM image](https://app.circleci.com/pipelines/github/tlaurion/heads/153/workflows/3fe93e61-df55-4316-a07d-eb3fbfa28e25/jobs/163/steps) is still resulting in e1000e not probing ethernet card correctly while me_cleaner still complains when run against downloaded ROM regions being invalid. Any insight?

tlaurion commented 4 years ago

@corna: any insight playing with the CI produced coreboot.rom?

tlaurion commented 4 years ago

@corna: actually this output shows that coreboot doesn't integrate gbe.bin at all in coreboot.

tlaurion commented 4 years ago

@corna: I was able to inject Gbe with last commit which results in a fully functional rom, with of course, a static MAC being hardcoded in the GBe.bin

Could we fix that by randomizing it? Could me_cleaner extract Gbe + me + ifd, minimizing what is linked to a host computer (remove IFD OEM host related information in IFD, generalizing it) and randomize Gbe mac address? Would you be interested in being funded to do such work? The ME update.exe contains full ME, preextracted IFD and Gbe from a preexisting rom works but should be anonymized.

The last coreboot.rom artifact still gives the same result when trying to reapply me_cleaner on it, even though ROM is completely functional including Gbe blob:

```
user@x230-external-flash:~/heads$ python ~/me_cleaner/me_cleaner.py -r -t -d -O out.bin -D blobs/xx30/x230-ifd.bin -M blobs/xx30/me.bin build/x230-external-flash/coreboot.rom
Full image detected
Found FPT header at 0x3010
Found 1 partition(s)
Found FTPR header: FTPR partition spans from 0xd00 to 0xcad00
ME/TXE firmware version 8.1.72.3002 (generation 2)
Public key match: Intel ME, firmware versions 7.x.x.x, 8.x.x.x
The AltMeDisable bit is SET
Reading partitions list...
 FTPR (      no data here      , 0x000ca000 total bytes): nothing to remove
Removing partition entries in FPT...
Removing EFFS presence flag...
Correcting checksum (0xee)...
Reading FTPR modules list...
 UPDATE           (LZMA   , 0x04d208 - 0x04d3c6       ): Traceback (most recent call last):
  File "/home/user/me_cleaner/me_cleaner.py", line 859, in <module>
    args.keep_modules)
  File "/home/user/me_cleaner/me_cleaner.py", line 373, in check_and_remove_modules
    end_addr = remove_modules(f, mod_headers, offset, me_end)
  File "/home/user/me_cleaner/me_cleaner.py", line 182, in remove_modules
    f.fill_range(offset, end, b"\xff")
  File "/home/user/me_cleaner/me_cleaner.py", line 101, in fill_range
    raise OutOfRegionException()
__main__.OutOfRegionException
```

I guess there are some misalignments between IFD and real regions, but can't spot it. @PatrickRudolph

tlaurion commented 4 years ago

@corna : updates here following official Intel doc:

I did a quick search and found the gbe area documented for

    Intel 6 Series Chipsets

in the datasheet:

    Intel® 82579 Gigabit Ethernet PHY

Chapter LAN NVM Format and Contents.

It's using an A/B partition scheme where only 128 bytes are checksummed, but way less are actually used.

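
The A/B banks and the 128-byte checksum mentioned in the comment above, together with the MAC replacement asked about earlier in the thread, as an added example that is not code from the thread, from me_cleaner or from Heads. Assumptions not stated on this page: the GbE region is 8 KiB with two 4 KiB banks, the MAC occupies the first 6 bytes of each bank, and the 64 little-endian words of each bank must sum to 0xBABA with the checksum stored in word 0x3F; all function names are hypothetical.

```python
import secrets
import struct

BANK_SIZE = 0x1000    # assumption: 8 KiB GbE region = two 4 KiB banks (A/B)
CSUM_WORD = 0x3F      # assumption: last of the 64 words (128 bytes) is the checksum
CSUM_TARGET = 0xBABA  # assumption: words 0x00..0x3F must sum to this, mod 2**16


def bank_sum(gbe, bank):
    """Sum of the 64 checksummed little-endian words of one bank."""
    words = struct.unpack_from("<64H", gbe, bank * BANK_SIZE)
    return sum(words) & 0xFFFF


def fix_checksum(buf, bank):
    """Recompute the checksum word of one bank in place."""
    off = bank * BANK_SIZE + 2 * CSUM_WORD
    struct.pack_into("<H", buf, off, 0)
    struct.pack_into("<H", buf, off, (CSUM_TARGET - bank_sum(buf, bank)) & 0xFFFF)


def random_mac():
    """Random unicast MAC with the locally administered bit set."""
    mac = bytearray(secrets.token_bytes(6))
    mac[0] = (mac[0] | 0x02) & 0xFE
    return bytes(mac)


def set_mac(gbe, mac):
    """Write mac into every bank that currently validates; leave bad banks alone."""
    if len(gbe) != 2 * BANK_SIZE or len(mac) != 6:
        raise ValueError("expected an 8 KiB GbE region and a 6-byte MAC")
    out = bytearray(gbe)
    valid = [b for b in (0, 1) if bank_sum(gbe, b) == CSUM_TARGET]
    if not valid:
        raise ValueError("no bank has a valid checksum; refusing to patch")
    for bank in valid:
        out[bank * BANK_SIZE:bank * BANK_SIZE + 6] = mac  # MAC = words 0..2
        fix_checksum(out, bank)
    return bytes(out), valid


def constructed_region():
    """Constructed sample, not a real dump: bank A valid, bank B erased."""
    buf = bytearray(b"\xff" * (2 * BANK_SIZE))
    buf[0:6] = bytes.fromhex("001122334455")  # placeholder MAC
    fix_checksum(buf, 0)
    return bytes(buf)
```
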
tlaurion commented 7 months ago

Gbe generated I and included in maximized roms for a while. Closing