Actions
Support #588
openDeguard AssertionError using ./generatedelta.py on Dell Optiplex 5040 SFF (0T7D40) full rom dump
Start date:
03/31/2025
Due date:
% Done:
0%
Estimated time:
Affected versions:
Needs backport to:
Affected hardware:
Affected OS:
Description
Running the deguard ./generatedelta.py on the flashrom dumped rom from a Dell Optiplex 5040 SFF (0T7D40 A00, Q170 chipset, ME 11.8.92.4222) 1.22 BIOS results in the following AssertionError:
./generatedelta.py --input dell_optiplex_5040_sff_bios122.rom --output data/delta/dell5040sff
Traceback (most recent call last):
File "/home/neon/deguard/./generatedelta.py", line 55, in <module>
mfs = MFS(me.entry_data("MFS"))
^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/neon/deguard/lib/mfs.py", line 43, in __init__
page = MFSPage(self.data[page * self.PAGE_SIZE:(page + 1) * self.PAGE_SIZE], page) # Load page
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/neon/deguard/lib/mfs.py", line 164, in __init__
self.chunks[chunk] = MFSChunk(data, chunk_id)
^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/neon/deguard/lib/mfs.py", line 273, in __init__
assert self.crc == MFS.Crc16(self.data + struct.pack("<H", self.chunk_id))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AssertionError
This "AssertionError" can be skipped by using "Filip Lewiński" filipleple patch on lib/mfs.py:
- assert self.crc == MFS.Crc16(self.data + struct.pack("<H", self.chunk_id))
+ print(f"Chunk ID: {self.chunk_id}, Data: {self.data.hex()[:100]}, Expected CRC: {self.crc}, Calculated CRC: {MFS.Crc16(self.data + struct.pack('<H', self.chunk_id))}")
+ # assert self.crc == MFS.Crc16(self.data + struct.pack("<H", self.chunk_id))
+ if (self.crc != MFS.Crc16(self.data + struct.pack("<H", self.chunk_id))):
+ print ("Invalid CRC!!!\n")
It now lists the following 52 CRC invalid errors, but will create a delta folder structure like the example optiplex 3050 although it misses the ptt folder and some other files differ:
./generatedelta.py --input dell_optiplex_5040_sff_bios122.rom --output data/delta/dell5040sff | grep "CRC: 0,"
Chunk ID: 9662, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 40051
Chunk ID: 9668, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 31713
Chunk ID: 9669, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 18640
Chunk ID: 8173, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 20614
Chunk ID: 8174, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 1493
Chunk ID: 8175, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 14052
Chunk ID: 8176, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 9641
Chunk ID: 8177, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 5784
Chunk ID: 8178, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 17355
Chunk ID: 8179, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 28922
Chunk ID: 8180, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 59757
Chunk ID: 8181, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 55900
Chunk ID: 8182, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 36623
Chunk ID: 8183, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 48190
Chunk ID: 8184, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 44032
Chunk ID: 8185, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 40753
Chunk ID: 8186, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 51810
Chunk ID: 8187, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 63827
Chunk ID: 8188, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 24772
Chunk ID: 8189, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 21493
Chunk ID: 8190, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 1702
Chunk ID: 8191, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 13719
Chunk ID: 8192, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 61908
Chunk ID: 8193, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 49893
Chunk ID: 8194, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 38838
Chunk ID: 8195, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 42119
Chunk ID: 8196, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 15632
Chunk ID: 8197, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 3617
Chunk ID: 8198, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 23410
Chunk ID: 8199, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 26691
Chunk ID: 8200, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 30845
Chunk ID: 8201, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 19276
Chunk ID: 8202, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 7711
Chunk ID: 8203, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 11566
Chunk ID: 8204, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 46265
Chunk ID: 8205, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 34696
Chunk ID: 8206, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 53979
Chunk ID: 8207, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 57834
Chunk ID: 8208, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 62119
Chunk ID: 8209, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 49558
Chunk ID: 8210, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 38085
Chunk ID: 8211, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 42996
Chunk ID: 8212, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 15971
Chunk ID: 8213, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 3410
Chunk ID: 8214, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 22529
Chunk ID: 8215, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 27440
Chunk ID: 8216, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 31502
Chunk ID: 10199, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 3459
Chunk ID: 6000, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 48953
Chunk ID: 6001, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 35848
Chunk ID: 6002, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 55643
Chunk ID: 6003, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 60010
A tree view of the new delta folder:
data/delta/dell5040sff/
└── home
├── amt
│ ├── rtfd
│ │ ├── acl
│ │ │ ├── tnf0
│ │ │ ├── tnf1
│ │ │ └── tnf2
│ │ ├── amt.wol
│ │ ├── hshStr.crt19
│ │ ├── hshStr.crt23
│ │ ├── hshStr.crt24
│ │ ├── hshStr.crt25
│ │ └── hshStr.crt26
│ └── skip_rtfd
│ └── uim.policy
├── bup
│ ├── bup_sku
│ │ ├── emu_fuse_map
│ │ ├── fuse_ip_base
│ │ └── plat_n_sku
│ ├── invokemebx
│ └── mbp
├── fwupdate
│ ├── fwuavgerase
│ ├── fwuavgwrite
│ └── fwuoemid
├── gpio
│ └── csme_pins
├── icc
│ ├── dynregs
│ ├── header
│ ├── namestr
│ ├── prof0
│ ├── prof1
│ ├── prof2
│ ├── prof3
│ ├── prof4
│ ├── prof5
│ └── prof6
├── mca
│ ├── eom
│ └── ish_policy
├── mctp
│ └── device_ports
├── pavp
│ ├── hdcp_ports
│ └── lspcon_port
├── policy
│ ├── Bist
│ │ └── auto_config
│ ├── cfgmgr
│ │ └── cfg_rules
│ ├── hci
│ │ ├── sysintid1
│ │ ├── sysintid2
│ │ └── sysintid3
│ └── pwdmgr
│ └── segreto
└── secureboot
├── bootpolres
├── bootpoltype
├── enfpolicy
├── kmid
└── pubkeyhash
Diffing this compared to the example delta 3050 folder:
diff -bur optiplex_3050 optiplex_5040_sff_strip
Binary files optiplex_3050/home/bup/bup_sku/emu_fuse_map and optiplex_5040_sff_strip/home/bup/bup_sku/emu_fuse_map differ
Binary files optiplex_3050/home/bup/bup_sku/plat_n_sku and optiplex_5040_sff_strip/home/bup/bup_sku/plat_n_sku differ
Only in optiplex_5040_sff_strip/home/bup: invokemebx
Binary files optiplex_3050/home/bup/mbp and optiplex_5040_sff_strip/home/bup/mbp differ
Binary files optiplex_3050/home/icc/dynregs and optiplex_5040_sff_strip/home/icc/dynregs differ
Binary files optiplex_3050/home/icc/prof0 and optiplex_5040_sff_strip/home/icc/prof0 differ
Only in optiplex_3050/home/icc: prof10
Only in optiplex_3050/home/icc: prof7
Only in optiplex_3050/home/icc: prof8
Only in optiplex_3050/home/icc: prof9
Only in optiplex_5040_sff_strip/home/policy: Bist
Binary files optiplex_3050/home/policy/cfgmgr/cfg_rules and optiplex_5040_sff_strip/home/policy/cfgmgr/cfg_rules differ
diff -bur optiplex_3050/home/policy/hci/sysintid1 optiplex_5040_sff_strip/home/policy/hci/sysintid1
--- optiplex_3050/home/policy/hci/sysintid1 2025-03-31 15:36:47.220784635 +0200
+++ optiplex_5040_sff_strip/home/policy/hci/sysintid1 2025-03-31 16:01:29.335254012 +0200
@@ -1 +1 @@
-�n$�
\ No newline at end of file
+_��
\ No newline at end of file
diff -bur optiplex_3050/home/policy/hci/sysintid2 optiplex_5040_sff_strip/home/policy/hci/sysintid2
--- optiplex_3050/home/policy/hci/sysintid2 2025-03-31 15:36:47.220784635 +0200
+++ optiplex_5040_sff_strip/home/policy/hci/sysintid2 2025-03-31 16:01:29.335254012 +0200
@@ -1 +1 @@
-��t`
\ No newline at end of file
+����
\ No newline at end of file
diff -bur optiplex_3050/home/policy/hci/sysintid3 optiplex_5040_sff_strip/home/policy/hci/sysintid3
--- optiplex_3050/home/policy/hci/sysintid3 2025-03-31 15:36:47.220784635 +0200
+++ optiplex_5040_sff_strip/home/policy/hci/sysintid3 2025-03-31 16:01:29.335254012 +0200
@@ -1 +1 @@
-Ȯ�
\ No newline at end of file
+�a<
\ No newline at end of file
diff -bur optiplex_3050/home/policy/pwdmgr/segreto optiplex_5040_sff_strip/home/policy/pwdmgr/segreto
--- optiplex_3050/home/policy/pwdmgr/segreto 2025-03-31 15:36:47.221784637 +0200
+++ optiplex_5040_sff_strip/home/policy/pwdmgr/segreto 2025-03-31 16:01:29.335254012 +0200
@@ -1 +1 @@
-��к
\ No newline at end of file
+�"�H
\ No newline at end of file
After deleting (strip) the secureboot and amt,fwupd,pavp folders it will generate a 2M consumer ME image when using finalimage.py.
./finalimage.py --delta data/delta/dell5040sff --version 11.6.0.1126 -pch H --sku 2M --fake-fpfs data/fpfs/zero --input external/asrock_h110_me_11.6.0.1126.bin --output 5040sff_patched_me.bin
When enabling the HAP bit on the original IFD and replacing the ME with the downgraded and deguarded ME should complete the manual.
Is it correct to replace the current corporate ME firmware around ~7MB from the original image with this 2MB donor consumer variant, will it be similar like the Optiplex 3050 from the example or should I find a older vulnerable corporate ME firmware?
Which file(s) of this dump may I distribute / upload to this ticket license wise to improve debugging?
Using the service mode jumper on this Dell Optiplex 5040 SFF I was able to fully read and write the whole firmware even the ME regions (checksum checked it). Anyone else experience or success using a 'ch341a_spi' or 'raspberry spi' doing in-situ flash recover on this particular Dell or similar in case I need it?
https://www.dell.com/support/product-details/en-uk/product/optiplex-5040-sff/drivers
Updated by Walter Sonius 21 days ago · Edited
SUCCESS? To answer my own questions and possible resolve this issue:
This "possible" deguarded Dell Optiplex 5040 SFF still boots after (internal)flashing this modified rom!
Without a ME device because of HAP bit set I'm not able to check if ME was downgraded successful but even though the ME service mode Jumper is not set on the motherboard the KDE neon security reports HSI-2 now looks the same as if the ME service mode jumper was set:
HSI-2
IOMMU: Enabled
Platform debugging: Locked
TPM PCR0 reconstruction: Valid
Intel BootGuard: Not supported <----------------------- ;-)
Before deguarded firmware flashing, the original OEM firmware listed these options if ME service mode jumper was not set(normal state):
HSI-2
Intel BootGuard ACM protected: Valid
Intel BootGuard: Enabled
Intel BootGuard OTP fuse: Valid
Intel BootGuard verfied boot: Valid
IOMMU: Enabled
Platform debugging: Locked
TPM PCR0 reconstruction: Valid
Although the invalid crc checks (see earlier workaround), removing suggested secureboot amt fwupd pavp folders, missing ptt folder and some differing files these following commands were used.
./finalimage.py --delta data/delta/dell5040sff --version 11.6.0.1126 --pch H --sku 2M --fake-fpfs data/fpfs/zero --input external/asrock_h110_me_11.6.0.1126.bin --output 5040sff_patched_me.bin
ifdtool dell_optiplex_5040_sff_bios122.rom -i me:5040sff_patched_me.bin
ifdtool dell_optiplex_5040_sff_bios122.rom.new -M 1 -p sklkbl
sudo flashrom -p internal -w dell_optiplex_5040_sff_bios122.rom.new.new
Internal flashrom programming just needed -p internal but for external insitu recovery specifying a chipset was needed -c "GD25B128B/GD25Q128B".
External insitu SOIC8 SPI flashrom recovery with this Dell Optiplex 5040 SFF was fine with a ch341a programmer (3,3v mod) by just using the power of the USB programmer and have no AC mains connected to the motherboard (CPU, RAM CMOS-battery all still inserted). Not sure if setting the ME service mode jumper was needed.
Updated by Walter Sonius 21 days ago
Think the "deguard" was indeed successful for this Dell Optiplex 5040 SFF since it boots some part of coreboot using the Dell Optiplex 3050 micro port:
[NOTE ] coreboot-25.03-324-geffd1ffdad73-dirty Mon Apr 28 05:44:45 UTC 2025 x86_32.
[DEBUG] CPU: Intel(R) Core(TM) i3-6100T CPU @ 3.20GHz
[DEBUG] CPU: ID 506e3, Skylake H R0, ucode: 000000ef
[DEBUG] CPU: AES supported, TXT NOT supported, VT supported
[DEBUG] MCH: device id 190f (rev 07) is Skylake-S (2 Core)
[DEBUG] PCH: device id a146 (rev 31) is Q170
[DEBUG] IGD: device id 1912 (rev 06) is Skylake DT GT2
[WARN ] PMC: Duplicate GPE DW register values detected; using default GPE route frr
[DEBUG] FMAP: Found "FLASH" version 1.1 at 0x750000.
[DEBUG] FMAP: base = 0x0 size = 0x1000000 #areas = 8
[DEBUG] FMAP: area COREBOOT found @ 750200 (9108992 bytes)
[INFO ] CBFS: mcache @0xfef04e00 built for 16 files, used 0x364 of 0x4000 bytes
[INFO ] CBFS: Found 'fallback/romstage' @0x9d1c0 size 0xd0f0 in mcache @0xfef04e8c
[DEBUG] BS: bootblock times (exec / console): total (unknown) / 87 ms
[NOTE ] coreboot-25.03-324-geffd1ffdad73-dirty Mon Apr 28 05:44:45 UTC 2025 x86_32.
[WARN ] HECI: CSE device 16.0 is disabled
[DEBUG] pm1_sts: 0900 pm1_en: 0000 pm1_cnt: 00001c00
[DEBUG] gpe0_sts[0]: 00000000 gpe0_en[0]: 00000000
[DEBUG] gpe0_sts[1]: 00000000 gpe0_en[1]: 00000000
[DEBUG] gpe0_sts[2]: 00000000 gpe0_en[2]: 00000000
[DEBUG] gpe0_sts[3]: 00000000 gpe0_en[3]: 00000000
[DEBUG] TCO_STS: 0000 0001
[DEBUG] GEN_PMCON: d0050200 00003008
[DEBUG] GBLRST_CAUSE: 00000002 00000000
[DEBUG] prev_sleep_state 0 (S0)
[DEBUG] FMAP: area COREBOOT found @ 750200 (9108992 bytes)
[INFO ] CBFS: Found 'fspm.bin' @0xcddc0 size 0x63000 in mcache @0xfef0503c
[DEBUG] FMAP: area RW_MRC_CACHE found @ 700000 (65536 bytes)
[NOTE ] MRC: no data in 'RW_MRC_CACHE'
[DEBUG] SPD @ 0x50
[INFO ] SPD: module type is DDR3
[INFO ] SPD: module part number is HMT41GU6MFR8C-PB
[INFO ] SPD: banks 8, ranks 2, rows 16, columns 10, density 4096 Mb
[INFO ] SPD: device width 8 bits, bus width 64 bits
[INFO ] SPD: module size is 8192 MB (per channel)
[DEBUG] SPD @ 0x52
[INFO ] SPD: module type is DDR3
[INFO ] SPD: module part number is HMT41GU6MFR8C-PB
[INFO ] SPD: banks 8, ranks 2, rows 16, columns 10, density 4096 Mb
[INFO ] SPD: device width 8 bits, bus width 64 bits
[INFO ] SPD: module size is 8192 MB (per channel)
[EMERG] FspMemoryInit error, status=0x80000007
It gives the same "[EMERG] FspMemoryInit error, status=0x80000007" error on multiple types of RAM or CPU "skylake, kabylake and coffeelake" but will open a new support ticket for this Dell Optiplex 5040 SFF port since they are not really the same.
Close this ticket to resolved?
Updated by Mate Kukri 15 days ago
Okay this is great that deguard worked on the 5040. Regarding the DDR3 issue machine, I am going to respond on the other ticket #594
Actions