Project

General

Profile

Actions
Copy link

Support #588

open

Deguard AssertionError using ./generatedelta.py on Dell Optiplex 5040 SFF (0T7D40) full rom dump

Added by Walter Sonius 28 days ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
userspace utilities
Target version:
none
Start date:
03/31/2025
Due date:
% Done:

0%

Estimated time:
Affected versions:
Needs backport to:
Affected hardware:
Affected OS:

Description

Running the deguard ./generatedelta.py on the flashrom dumped rom from a Dell Optiplex 5040 SFF (0T7D40 A00, Q170 chipset, ME 11.8.92.4222) 1.22 BIOS results in the following AssertionError:

./generatedelta.py --input dell_optiplex_5040_sff_bios122.rom --output data/delta/dell5040sff
Traceback (most recent call last):
  File "/home/neon/deguard/./generatedelta.py", line 55, in <module>
    mfs = MFS(me.entry_data("MFS"))
          ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/neon/deguard/lib/mfs.py", line 43, in __init__
    page = MFSPage(self.data[page * self.PAGE_SIZE:(page + 1) * self.PAGE_SIZE], page) # Load page
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/neon/deguard/lib/mfs.py", line 164, in __init__
    self.chunks[chunk] = MFSChunk(data, chunk_id)
                         ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/neon/deguard/lib/mfs.py", line 273, in __init__
    assert self.crc == MFS.Crc16(self.data + struct.pack("<H", self.chunk_id))
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AssertionError

This "AssertionError" can be skipped by using "Filip Lewiński" filipleple patch on lib/mfs.py:

-            assert self.crc == MFS.Crc16(self.data + struct.pack("<H", self.chunk_id))
+            print(f"Chunk ID: {self.chunk_id}, Data: {self.data.hex()[:100]}, Expected CRC: {self.crc}, Calculated CRC: {MFS.Crc16(self.data + struct.pack('<H', self.chunk_id))}")
+            # assert self.crc == MFS.Crc16(self.data + struct.pack("<H", self.chunk_id))
+            if (self.crc != MFS.Crc16(self.data + struct.pack("<H", self.chunk_id))):
+                print ("Invalid CRC!!!\n")

It now lists the following 52 CRC invalid errors, but will create a delta folder structure like the example optiplex 3050 although it misses the ptt folder and some other files differ:

./generatedelta.py --input dell_optiplex_5040_sff_bios122.rom --output data/delta/dell5040sff | grep "CRC: 0,"

Chunk ID: 9662, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 40051
Chunk ID: 9668, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 31713
Chunk ID: 9669, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 18640
Chunk ID: 8173, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 20614
Chunk ID: 8174, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 1493
Chunk ID: 8175, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 14052
Chunk ID: 8176, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 9641
Chunk ID: 8177, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 5784
Chunk ID: 8178, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 17355
Chunk ID: 8179, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 28922
Chunk ID: 8180, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 59757
Chunk ID: 8181, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 55900
Chunk ID: 8182, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 36623
Chunk ID: 8183, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 48190
Chunk ID: 8184, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 44032
Chunk ID: 8185, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 40753
Chunk ID: 8186, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 51810
Chunk ID: 8187, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 63827
Chunk ID: 8188, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 24772
Chunk ID: 8189, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 21493
Chunk ID: 8190, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 1702
Chunk ID: 8191, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 13719
Chunk ID: 8192, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 61908
Chunk ID: 8193, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 49893
Chunk ID: 8194, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 38838
Chunk ID: 8195, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 42119
Chunk ID: 8196, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 15632
Chunk ID: 8197, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 3617
Chunk ID: 8198, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 23410
Chunk ID: 8199, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 26691
Chunk ID: 8200, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 30845
Chunk ID: 8201, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 19276
Chunk ID: 8202, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 7711
Chunk ID: 8203, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 11566
Chunk ID: 8204, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 46265
Chunk ID: 8205, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 34696
Chunk ID: 8206, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 53979
Chunk ID: 8207, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 57834
Chunk ID: 8208, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 62119
Chunk ID: 8209, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 49558
Chunk ID: 8210, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 38085
Chunk ID: 8211, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 42996
Chunk ID: 8212, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 15971
Chunk ID: 8213, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 3410
Chunk ID: 8214, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 22529
Chunk ID: 8215, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 27440
Chunk ID: 8216, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 31502
Chunk ID: 10199, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 3459
Chunk ID: 6000, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 48953
Chunk ID: 6001, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 35848
Chunk ID: 6002, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 55643
Chunk ID: 6003, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 60010

A tree view of the new delta folder:

data/delta/dell5040sff/
└── home
    ├── amt
    │   ├── rtfd
    │   │   ├── acl
    │   │   │   ├── tnf0
    │   │   │   ├── tnf1
    │   │   │   └── tnf2
    │   │   ├── amt.wol
    │   │   ├── hshStr.crt19
    │   │   ├── hshStr.crt23
    │   │   ├── hshStr.crt24
    │   │   ├── hshStr.crt25
    │   │   └── hshStr.crt26
    │   └── skip_rtfd
    │       └── uim.policy
    ├── bup
    │   ├── bup_sku
    │   │   ├── emu_fuse_map
    │   │   ├── fuse_ip_base
    │   │   └── plat_n_sku
    │   ├── invokemebx
    │   └── mbp
    ├── fwupdate
    │   ├── fwuavgerase
    │   ├── fwuavgwrite
    │   └── fwuoemid
    ├── gpio
    │   └── csme_pins
    ├── icc
    │   ├── dynregs
    │   ├── header
    │   ├── namestr
    │   ├── prof0
    │   ├── prof1
    │   ├── prof2
    │   ├── prof3
    │   ├── prof4
    │   ├── prof5
    │   └── prof6
    ├── mca
    │   ├── eom
    │   └── ish_policy
    ├── mctp
    │   └── device_ports
    ├── pavp
    │   ├── hdcp_ports
    │   └── lspcon_port
    ├── policy
    │   ├── Bist
    │   │   └── auto_config
    │   ├── cfgmgr
    │   │   └── cfg_rules
    │   ├── hci
    │   │   ├── sysintid1
    │   │   ├── sysintid2
    │   │   └── sysintid3
    │   └── pwdmgr
    │       └── segreto
    └── secureboot
        ├── bootpolres
        ├── bootpoltype
        ├── enfpolicy
        ├── kmid
        └── pubkeyhash

Diffing this compared to the example delta 3050 folder:

diff -bur optiplex_3050 optiplex_5040_sff_strip
Binary files optiplex_3050/home/bup/bup_sku/emu_fuse_map and optiplex_5040_sff_strip/home/bup/bup_sku/emu_fuse_map differ
Binary files optiplex_3050/home/bup/bup_sku/plat_n_sku and optiplex_5040_sff_strip/home/bup/bup_sku/plat_n_sku differ
Only in optiplex_5040_sff_strip/home/bup: invokemebx
Binary files optiplex_3050/home/bup/mbp and optiplex_5040_sff_strip/home/bup/mbp differ
Binary files optiplex_3050/home/icc/dynregs and optiplex_5040_sff_strip/home/icc/dynregs differ
Binary files optiplex_3050/home/icc/prof0 and optiplex_5040_sff_strip/home/icc/prof0 differ
Only in optiplex_3050/home/icc: prof10
Only in optiplex_3050/home/icc: prof7
Only in optiplex_3050/home/icc: prof8
Only in optiplex_3050/home/icc: prof9
Only in optiplex_5040_sff_strip/home/policy: Bist
Binary files optiplex_3050/home/policy/cfgmgr/cfg_rules and optiplex_5040_sff_strip/home/policy/cfgmgr/cfg_rules differ
diff -bur optiplex_3050/home/policy/hci/sysintid1 optiplex_5040_sff_strip/home/policy/hci/sysintid1
--- optiplex_3050/home/policy/hci/sysintid1     2025-03-31 15:36:47.220784635 +0200
+++ optiplex_5040_sff_strip/home/policy/hci/sysintid1   2025-03-31 16:01:29.335254012 +0200
@@ -1 +1 @@
-�n$�
\ No newline at end of file
+_��
\ No newline at end of file
diff -bur optiplex_3050/home/policy/hci/sysintid2 optiplex_5040_sff_strip/home/policy/hci/sysintid2
--- optiplex_3050/home/policy/hci/sysintid2     2025-03-31 15:36:47.220784635 +0200
+++ optiplex_5040_sff_strip/home/policy/hci/sysintid2   2025-03-31 16:01:29.335254012 +0200
@@ -1 +1 @@
-��t`
\ No newline at end of file
+����
\ No newline at end of file
diff -bur optiplex_3050/home/policy/hci/sysintid3 optiplex_5040_sff_strip/home/policy/hci/sysintid3
--- optiplex_3050/home/policy/hci/sysintid3     2025-03-31 15:36:47.220784635 +0200
+++ optiplex_5040_sff_strip/home/policy/hci/sysintid3   2025-03-31 16:01:29.335254012 +0200
@@ -1 +1 @@
-Ȯ�
\ No newline at end of file
+�a<
\ No newline at end of file
diff -bur optiplex_3050/home/policy/pwdmgr/segreto optiplex_5040_sff_strip/home/policy/pwdmgr/segreto
--- optiplex_3050/home/policy/pwdmgr/segreto    2025-03-31 15:36:47.221784637 +0200
+++ optiplex_5040_sff_strip/home/policy/pwdmgr/segreto  2025-03-31 16:01:29.335254012 +0200
@@ -1 +1 @@
-��к
\ No newline at end of file
+�"�H
\ No newline at end of file

After deleting (strip) the secureboot and amt,fwupd,pavp folders it will generate a 2M consumer ME image when using finalimage.py.

./finalimage.py --delta data/delta/dell5040sff --version 11.6.0.1126 -pch H --sku 2M --fake-fpfs data/fpfs/zero --input external/asrock_h110_me_11.6.0.1126.bin --output 5040sff_patched_me.bin

When enabling the HAP bit on the original IFD and replacing the ME with the downgraded and deguarded ME should complete the manual.

Is it correct to replace the current corporate ME firmware around ~7MB from the original image with this 2MB donor consumer variant, will it be similar like the Optiplex 3050 from the example or should I find a older vulnerable corporate ME firmware?

Which file(s) of this dump may I distribute / upload to this ticket license wise to improve debugging?

Using the service mode jumper on this Dell Optiplex 5040 SFF I was able to fully read and write the whole firmware even the ME regions (checksum checked it). Anyone else experience or success using a 'ch341a_spi' or 'raspberry spi' doing in-situ flash recover on this particular Dell or similar in case I need it?

https://www.dell.com/support/product-details/en-uk/product/optiplex-5040-sff/drivers

No data to display

Actions
Copy link

Also available in: Atom PDF