diff --git a/blobs/xx20/download_parse_me.sh b/blobs/xx20/download_parse_me.sh new file mode 100755 index 00000000..ff6bee9f --- /dev/null +++ b/blobs/xx20/download_parse_me.sh @@ -0,0 +1,35 @@ +#!/bin/bash + +BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" + +FINAL_ME_BIN_SHA256SUM="1eef6716aa61dd844d58eca15a85faa1bf5f82715defd30bd3373e79ca1a3339 $BLOBDIR/me.bin" +ME_EXE_SHA256SUM="48f18d49f3c7c79fa549a980f14688bc27c18645f64d9b6827a15ef5c547d210 83rf46ww.exe" +ME7_5M_UPD_PRODUCTION_SHA256SUM="760b0776b99ba94f56121d67c1f1226c77f48bd3b0799e1357a51842c79d3d36 app/ME7_5M_UPD_Production.bin" + + +echo "### Creating temp dir" +extractdir=$(mktemp -d) +cd "$extractdir" + +echo "### Downloading https://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/83rf46ww.exe..." +wget https://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/83rf46ww.exe || ( echo "ERROR: wget not found" && exit 1 ) +echo "### Verifying expected hash of 83rf46ww.exe" +echo "$ME_EXE_SHA256SUM" | sha256sum --check || ( echo "Failed sha256sum verification on downloaded binary..." && exit 1 ) + + +echo "### Extracting 83rf46ww.exe..." +innoextract -I app/ME7_5M_UPD_Production.bin 83rf46ww.exe || ( echo "Failed calling innoextract. Tool installed on host?" && exit 1) +echo "### Verifying expected hash of app/ME7_5M_UPD_Production.bin" +echo "$ME7_5M_UPD_PRODUCTION_SHA256SUM" | sha256sum --check || ( echo "Failed sha256sum verification on extracted binary..." && exit 1 ) + + +echo "###Generating neuter+deactivate+maximize reduction of ME on $bioscopy, outputting minimized ME under $BLOBDIR/me.bin... " +python3 "$BLOBDIR/me7_update_parser.py" -O "$BLOBDIR/me.bin" app/ME7_5M_UPD_Production.bin || ( echo "Failed to generate ME binary..." && exit 1 ) + +echo "### Verifying expected hash of me.bin" +echo "$FINAL_ME_BIN_SHA256SUM" | sha256sum --check || ( echo "Failed sha256sum verification on final binary..." && exit 1 ) + + +echo "###Cleaning up..." +cd - +rm -r "$extractdir" diff --git a/blobs/xx20/gbe.bin b/blobs/xx20/gbe.bin new file mode 100644 index 00000000..0c9dfa1d Binary files /dev/null and b/blobs/xx20/gbe.bin differ diff --git a/blobs/xx20/hashes.txt b/blobs/xx20/hashes.txt new file mode 100644 index 00000000..7700aa20 --- /dev/null +++ b/blobs/xx20/hashes.txt @@ -0,0 +1,3 @@ +9f72818e23290fb661e7899c953de2eb4cea96ff067b36348b3d061fd13366e5 gbe.bin +907dfd580b4a680712bb4ee526f266c37a455196541d85702986532728f1eee9 ifd.bin +1eef6716aa61dd844d58eca15a85faa1bf5f82715defd30bd3373e79ca1a3339 me.bin diff --git a/blobs/xx20/ifd.bin b/blobs/xx20/ifd.bin new file mode 100644 index 00000000..6ab44929 Binary files /dev/null and b/blobs/xx20/ifd.bin differ diff --git a/blobs/xx20/layout.txt b/blobs/xx20/layout.txt new file mode 100644 index 00000000..bbd90962 --- /dev/null +++ b/blobs/xx20/layout.txt @@ -0,0 +1,4 @@ +00000000:00000fff fd +00018000:007fffff bios +00003000:00017fff me +00001000:00002fff gbe diff --git a/blobs/xx20/me7_update_parser.py b/blobs/xx20/me7_update_parser.py new file mode 100644 index 00000000..8f201c26 --- /dev/null +++ b/blobs/xx20/me7_update_parser.py @@ -0,0 +1,616 @@ +#!/usr/bin/python + +"""ME7 Update binary parser.""" + +# Copyright (C) 2020 Tom Hiller +# Copyright (C) 2016-2018 Nicola Corna +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# + +# Based on the amazing me_cleaner, https://github.com/corna/me_cleaner, parses +# the required signed partition from an ME update file to generate a valid +# flashable ME binary. +# +# This was written for Heads ROM, https://github.com/osresearch/heads +# to allow continuous integration reproducible builds for Lenovo xx20 models +# (X220, T420, T520, etc). +# +# A full model list can be found: +# https://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/83rf46ww.txt + + +from struct import pack, unpack +from typing import List +import argparse +import sys +import hashlib +import binascii +import os.path + +############################################################################# + +FTPR_END = 0x76000 +MINIFIED_FTPR_OFFSET = 0x400 # offset start of Factory Partition (FTPR) +ORIG_FTPR_OFFSET = 0xCC000 +PARTITION_HEADER_OFFSET = 0x30 # size of partition header + +DEFAULT_OUTPUT_FILE_NAME = "flashregion_2_intel_me.bin" + +############################################################################# + + +class EntryFlags: + """EntryFlag bitmap values.""" + + ExclBlockUse = 8192 + WOPDisable = 4096 + Logical = 2048 + Execute = 1024 + Write = 512 + Read = 256 + DirectAccess = 128 + Type = 64 + + +def generateHeader() -> bytes: + """Generate Header.""" + ROM_BYPASS_INSTR_0 = binascii.unhexlify("2020800F") + ROM_BYPASS_INSTR_1 = binascii.unhexlify("40000010") + ROM_BYPASS_INSTR_2 = pack(" bytes: + """Partition table entry.""" + ENTRY_NAME = binascii.unhexlify("46545052") + ENTRY_OWNER = binascii.unhexlify("FFFFFFFF") # "None" + ENTRY_OFFSET = binascii.unhexlify("00040000") + ENTRY_LENGTH = binascii.unhexlify("00600700") + ENTRY_START_TOKENS = pack(" bytes: + """Copy data of a given size from FTPR starting from offset.""" + offset_end = offset + size + return self.ftpr[offset:offset_end] + + def unpack_next_int(self, offset: int) -> int: + """Sugar syntax for unpacking a little-endian UINT at offset.""" + return self.unpack_val(self.slice(offset, 4)) + + def unpack_val(self, data: bytes) -> int: + """Sugar syntax for unpacking a little-endian unsigned integer.""" + return unpack(" str: + """Decode bytes into ASCII.""" + return data.rstrip(b"\x00").decode("ascii") + + def clear_ftpr_data(self, start: int, end: int) -> None: + """Replace values in range with 0xFF.""" + empty_data = bytes() + + for i in range(0, end - start): + empty_data += b"\xff" + self.write_ftpr_data(start, empty_data) + + def write_ftpr_data(self, start: int, data: bytes) -> None: + """Replace data in FTPR starting at a given offset.""" + end = len(data) + start + + new_partition = self.ftpr[:start] + new_partition += data + + if end != FTPR_END: + new_partition += self.ftpr[end:] + + self.ftpr = new_partition + + ###################################################################### + # FTPR cleanig/checking functions + ###################################################################### + def get_chunks_offsets(self, llut: bytes): + """Calculate Chunk offsets from LLUT.""" + chunk_count = self.unpack_val(llut[0x04:0x08]) + huffman_stream_end = sum(unpack(" int: + """Relocate partition.""" + new_offset = MINIFIED_FTPR_OFFSET + name = self.bytes_to_ascii(self.slice(PARTITION_HEADER_OFFSET, 4)) + + old_offset, partition_size = unpack( + "> 4) & 7 == 0x01: + llut_start = self.unpack_val(mod_header[0x38:0x3C]) + llut_start += old_offset + break + + if self.mod_headers and llut_start != 0: + # Bytes 0x9:0xb of the LLUT (bytes 0x1:0x3 of the AddrBase) are + # added to the SpiBase (bytes 0xc:0x10 of the LLUT) to compute the + # final start of the LLUT. Since AddrBase is not modifiable, we can + # act only on SpiBase and here we compute the minimum allowed + # new_offset. + llut_start_corr = unpack(" int: + """Remove modules.""" + unremovable_huff_chunks = [] + chunks_offsets = [] + base = 0 + chunk_size = 0 + end_addr = 0 + + for mod_header in self.mod_headers: + name = self.bytes_to_ascii(mod_header[0x04:0x14]) + offset = self.unpack_val(mod_header[0x38:0x3C]) + size = self.unpack_val(mod_header[0x40:0x44]) + flags = self.unpack_val(mod_header[0x50:0x54]) + comp_type = (flags >> 4) & 7 + comp_type_name = self.COMPRESSION_TYPE_NAME[comp_type] + + print(" {:<16} ({:<7}, ".format(name, comp_type_name), end="") + + # If compresion type uncompressed or LZMA + if comp_type == 0x00 or comp_type == 0x02: + offset_end = offset + size + range_msg = "0x{:06x} - 0x{:06x} ): " + print(range_msg.format(offset, offset_end), end="") + + if name in self.UNREMOVABLE_MODULES: + end_addr = max(end_addr, offset + size) + print("NOT removed, essential") + else: + offset_end = min(offset + size, FTPR_END) + self.clear_ftpr_data(offset, offset_end) + print("removed") + + # Else if compression type huffman + elif comp_type == 0x01: + if not chunks_offsets: + # Check if Local Look Up Table (LLUT) is present + if self.slice(offset, 4) == b"LLUT": + llut = self.slice(offset, 0x40) + + chunk_count = self.unpack_val(llut[0x4:0x8]) + base = self.unpack_val(llut[0x8:0xC]) + 0x10000000 + chunk_size = self.unpack_val(llut[0x30:0x34]) + + llut = self.slice(offset, (chunk_count * 4) + 0x40) + + # calculate offsets of chunks from LLUT + chunks_offsets = self.get_chunks_offsets(llut) + else: + no_llut_msg = "Huffman modules found," + no_llut_msg += "but LLUT is not present." + sys.exit(no_llut_msg) + + module_base = self.unpack_val(mod_header[0x34:0x38]) + module_size = self.unpack_val(mod_header[0x3C:0x40]) + first_chunk_num = (module_base - base) // chunk_size + last_chunk_num = first_chunk_num + module_size // chunk_size + huff_size = 0 + + chunk_length = last_chunk_num + 1 + for chunk in chunks_offsets[first_chunk_num:chunk_length]: + huff_size += chunk[1] - chunk[0] + + size_in_kiB = "~" + str(int(round(huff_size / 1024))) + " KiB" + print( + "fragmented data, {:<9}): ".format(size_in_kiB), + end="", + ) + + # Check if module is in the unremovable list + if name in self.UNREMOVABLE_MODULES: + print("NOT removed, essential") + + # add to list of unremovable chunks + for x in chunks_offsets[first_chunk_num:chunk_length]: + if x[0] != 0: + unremovable_huff_chunks.append(x) + else: + print("removed") + + # Else unknown compression type + else: + unkwn_comp_msg = " 0x{:06x} - 0x{:06x}): " + unkwn_comp_msg += "unknown compression, skipping" + print(unkwn_comp_msg.format(offset, offset + size), end="") + + if chunks_offsets: + removable_huff_chunks = [] + + for chunk in chunks_offsets: + # if chunk is not in a unremovable chunk, it must be removable + if all( + not ( + unremovable_chk[0] <= chunk[0] < unremovable_chk[1] + or unremovable_chk[0] < chunk[1] <= unremovable_chk[1] + ) + for unremovable_chk in unremovable_huff_chunks + ): + removable_huff_chunks.append(chunk) + + for removable_chunk in removable_huff_chunks: + if removable_chunk[1] > removable_chunk[0]: + chunk_start = removable_chunk[0] - ORIG_FTPR_OFFSET + chunk_end = removable_chunk[1] - ORIG_FTPR_OFFSET + self.clear_ftpr_data(chunk_start, chunk_end) + + end_addr = max( + end_addr, max(unremovable_huff_chunks, key=lambda x: x[1])[1] + ) + end_addr -= ORIG_FTPR_OFFSET + + return end_addr + + def find_mod_header_size(self) -> None: + """Find module header size.""" + self.mod_header_size = 0 + data = self.slice(0x290, 0x84) + + # check header size + if data[0x0:0x4] == b"$MME": + if data[0x60:0x64] == b"$MME" or self.num_modules == 1: + self.mod_header_size = 0x60 + elif data[0x80:0x84] == b"$MME": + self.mod_header_size = 0x80 + + def find_mod_headers(self) -> None: + """Find module headers.""" + data = self.slice(0x290, self.mod_header_size * self.num_modules) + + for i in range(0, self.num_modules): + header_start = i * self.mod_header_size + header_end = (i + 1) * self.mod_header_size + self.mod_headers.append(data[header_start:header_end]) + + def resize_partition(self, end_addr: int) -> None: + """Resize partition.""" + spared_blocks = 4 + if end_addr > 0: + end_addr = (end_addr // 0x1000 + 1) * 0x1000 + end_addr += spared_blocks * 0x1000 + + # partition header not added yet + # remove trailing data the same size as the header. + end_addr -= MINIFIED_FTPR_OFFSET + + me_size_msg = "The ME minimum size should be {0} " + me_size_msg += "bytes ({0:#x} bytes)" + print(me_size_msg.format(end_addr)) + print("Truncating file at {:#x}...".format(end_addr)) + self.ftpr = self.ftpr[:end_addr] + + def check_and_clean_ftpr(self) -> None: + """Check and clean FTPR (factory partition).""" + self.num_modules = self.unpack_next_int(0x20) + self.find_mod_header_size() + + if self.mod_header_size != 0: + self.find_mod_headers() + + # ensure all of the headers begin with b'$MME' + if all(hdr.startswith(b"$MME") for hdr in self.mod_headers): + end_addr = self.remove_modules() + new_offset = self.relocate_partition() + end_addr += new_offset + + self.resize_partition(end_addr) + + # flip bit + # XXX: I have no idea why this works and passes RSA signiture + self.write_ftpr_data(0x39, b"\x00") + else: + sys.exit( + "Found less modules than expected in the FTPR " + "partition; skipping modules removal and exiting." + ) + else: + sys.exit( + "Can't find the module header size; skipping modules" + "removal and exiting." + ) + + +########################################################################## + + +def check_partition_signature(f, offset) -> bool: + """check_partition_signature copied/shamelessly stolen from me_cleaner.""" + f.seek(offset) + header = f.read(0x80) + modulus = int(binascii.hexlify(f.read(0x100)[::-1]), 16) + public_exponent = unpack(" None: + """Generate ME blob.""" + print("Starting ME 7.x Update parser.") + + orig_f = open(input_file, "rb") + cleaned_ftpr = clean_ftpr(orig_f.read(FTPR_END)) + orig_f.close() + + fo = open(output_file, "wb") + fo.write(generateHeader()) + fo.write(generateFtpPartition()) + fo.write(cleaned_ftpr.ftpr) + fo.close() + + +def verify_output(output_file: str) -> None: + """Verify Generated ME file.""" + file_verifiy = open(output_file, "rb") + + if check_partition_signature(file_verifiy, MINIFIED_FTPR_OFFSET): + print(output_file + " is VALID") + file_verifiy.close() + else: + print(output_file + " is INVALID!!") + file_verifiy.close() + sys.exit("The FTPR partition signature is not valid.") + + +if __name__ == "__main__": + parser = argparse.ArgumentParser( + description="Tool to remove as much code " + "as possible from Intel ME/TXE 7.x firmware " + "update and create paratition for a flashable ME parition." + ) + + +parser.add_argument("file", help="ME/TXE image or full dump") +parser.add_argument( + "-O", + "--output", + metavar="output_file", + help="save " + "save file name other than the default '" + DEFAULT_OUTPUT_FILE_NAME + "'", +) + +args = parser.parse_args() + +output_file_name = DEFAULT_OUTPUT_FILE_NAME if not args.output else args.output + +# Check if output file exists, ask to overwrite or exit +if os.path.isfile(output_file_name): + input_msg = output_file_name + input_msg += " exists. Do you want to overwrite? [y/N]: " + if not str(input(input_msg)).lower().startswith("y"): + sys.exit("Not overwriting file. Exiting.") + +generate_me_blob(args.file, output_file_name) +verify_output(output_file_name) diff --git a/blobs/xx20/readme.md b/blobs/xx20/readme.md new file mode 100644 index 00000000..001ed5c5 --- /dev/null +++ b/blobs/xx20/readme.md @@ -0,0 +1,59 @@ +To build for X220 we need to have the following files in this folder: +* `me.bin` - ME binary that has been stripped and truncated with me7_update_parser +* `gbe.bin` - Network card blob from the original firmware +* `ifd.bin` - Flash layout file has been provided as text + +The ME blobs dumped in this directory come from the following link: https://pcsupport.lenovo.com/us/en/products/laptops-and-netbooks/thinkpad-x-series-laptops/thinkpad-x220/downloads/driver-list/component?name=Chipset + +This provides latest ME version 7.1.91.3272, for which only the BUP region will be kept as non-removable: +Here is what Lenovo provides as a Summary of Changes: +<7.1.91.3272> (83RF46WW) +- (Fix) Fixed CVE-2017-5689: Escalation of privilege vulnerability in Intel(R) + Active Management Technology (AMT), Intel(R) Standard Manageability + (ISM), and Intel(R) Small Business Technology. + + +1.0:Automatically extract and neuter me update then add partition table to me.bin +download_parse_me.sh : Downloads latest ME update from lenovo verify checksum, extract ME, neuters ME, add partition table relocate and trim it and place it into me.bin + +sha256sum: +1eef6716aa61dd844d58eca15a85faa1bf5f82715defd30bd3373e79ca1a3339 blobs/xx20/me.bin + + +1.1: Manually generating blobs +-------------------- +Manually generate me.bin: +You can arrive to the same result of the following me.bin by doing the following manually: +wget https://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/83rf46ww.exe && innoextract 83rf46ww.exe && python3 blobs/xx20/me7_update_parser.py -O blobs/xx20/me.bin app/ME7_5M_UPD_Production.bin + +sha256sums: +48f18d49f3c7c79fa549a980f14688bc27c18645f64d9b6827a15ef5c547d210 83rf46ww.exe +760b0776b99ba94f56121d67c1f1226c77f48bd3b0799e1357a51842c79d3d36 app/ME7_5M_UPD_Production.bin +1eef6716aa61dd844d58eca15a85faa1bf5f82715defd30bd3373e79ca1a3339 blobs/xx20/me.bin + +ifd.bin is from an X220 and already ME partition resided to the new minimized size. The layout.txt has these updated sized and can be used with ifdtool to modify partition if needed. + +sha256sum: +c96d19bbf5356b2b827e1ef52d79d0010884bfc889eab48835e4af9a634d129b ifd.bin + +ls -al blobs/xx20/*.bin +-rw-r--r-- 1 tom users 8192 Nov 23 18:40 gbe.bin +-rw-r--r-- 1 tom users 4096 Nov 23 18:58 ifd.bin +-rw-r--r-- 1 tom users 86016 Nov 26 17:04 me.bin + +Manually regenerate gbe.bin: +blobs/x220/gbe.bin is generated per bincfg from the following coreboot patch: https://review.coreboot.org/c/coreboot/+/44510 +And then by following those instructions: +# Use this target to generate GbE for X220/x230 +gen-gbe-82579LM: + cd build/coreboot-4.8.1/util/bincfg/ + make + ./bincfg gbe-82579LM.spec gbe-82579LM.set gbe1.bin + # duplicate binary as per spec + cat gbe1.bin gbe1.bin > ../../../../blobs/xx20/gbe.bin + rm -f gbe1.bin + cd - + +sha256sum: +9f72818e23290fb661e7899c953de2eb4cea96ff067b36348b3d061fd13366e5 blobs/xx20/gbe.bin +------------------------