[coreboot - Support #588] (New) Deguard AssertionError using ./generatedelta.py on Dell Optiplex 5040 SFF (0T7D40) full rom dump
Issue #588 has been reported by Walter Sonius.
---------------------------------------- Support #588: Deguard AssertionError using ./generatedelta.py on Dell Optiplex 5040 SFF (0T7D40) full rom dump https://ticket.coreboot.org/issues/588
* Author: Walter Sonius * Status: New * Priority: Normal * Category: userspace utilities * Target version: none * Start date: 2025-03-31 ---------------------------------------- Running the deguard `./generatedelta.py` on the flashrom dumped rom from a Dell Optiplex 5040 SFF (0T7D40 A00, Q170 chipset, ME 11.8.92.4222) 1.22 BIOS results in the following AssertionError:
``` ./generatedelta.py --input dell_optiplex_5040_sff_bios122.rom --output data/delta/dell5040sff Traceback (most recent call last): File "/home/neon/deguard/./generatedelta.py", line 55, in <module> mfs = MFS(me.entry_data("MFS")) ^^^^^^^^^^^^^^^^^^^^^^^^^ File "/home/neon/deguard/lib/mfs.py", line 43, in __init__ page = MFSPage(self.data[page * self.PAGE_SIZE:(page + 1) * self.PAGE_SIZE], page) # Load page ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/home/neon/deguard/lib/mfs.py", line 164, in __init__ self.chunks[chunk] = MFSChunk(data, chunk_id) ^^^^^^^^^^^^^^^^^^^^^^^^ File "/home/neon/deguard/lib/mfs.py", line 273, in __init__ assert self.crc == MFS.Crc16(self.data + struct.pack("<H", self.chunk_id)) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ AssertionError
```
This "AssertionError" can be skipped by using "Filip Lewiński" [filipleple patch](https://codeberg.org/libreboot/deguard/issues/1) on `lib/mfs.py`:
``` - assert self.crc == MFS.Crc16(self.data + struct.pack("<H", self.chunk_id)) + print(f"Chunk ID: {self.chunk_id}, Data: {self.data.hex()[:100]}, Expected CRC: {self.crc}, Calculated CRC: {MFS.Crc16(self.data + struct.pack('<H', self.chunk_id))}") + # assert self.crc == MFS.Crc16(self.data + struct.pack("<H", self.chunk_id)) + if (self.crc != MFS.Crc16(self.data + struct.pack("<H", self.chunk_id))): + print ("Invalid CRC!!!\n") ```
It now lists the following 52 CRC invalid errors, but will create a delta folder structure like the example optiplex 3050 although it misses the `ptt` folder and some other files differ: ``` ./generatedelta.py --input dell_optiplex_5040_sff_bios122.rom --output data/delta/dell5040sff | grep "CRC: 0,"
Chunk ID: 9662, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 40051 Chunk ID: 9668, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 31713 Chunk ID: 9669, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 18640 Chunk ID: 8173, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 20614 Chunk ID: 8174, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 1493 Chunk ID: 8175, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 14052 Chunk ID: 8176, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 9641 Chunk ID: 8177, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 5784 Chunk ID: 8178, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 17355 Chunk ID: 8179, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 28922 Chunk ID: 8180, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 59757 Chunk ID: 8181, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 55900 Chunk ID: 8182, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 36623 Chunk ID: 8183, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 48190 Chunk ID: 8184, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 44032 Chunk ID: 8185, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 40753 Chunk ID: 8186, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 51810 Chunk ID: 8187, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 63827 Chunk ID: 8188, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 24772 Chunk ID: 8189, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 21493 Chunk ID: 8190, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 1702 Chunk ID: 8191, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 13719 Chunk ID: 8192, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 61908 Chunk ID: 8193, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 49893 Chunk ID: 8194, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 38838 Chunk ID: 8195, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 42119 Chunk ID: 8196, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 15632 Chunk ID: 8197, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 3617 Chunk ID: 8198, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 23410 Chunk ID: 8199, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 26691 Chunk ID: 8200, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 30845 Chunk ID: 8201, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 19276 Chunk ID: 8202, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 7711 Chunk ID: 8203, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 11566 Chunk ID: 8204, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 46265 Chunk ID: 8205, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 34696 Chunk ID: 8206, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 53979 Chunk ID: 8207, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 57834 Chunk ID: 8208, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 62119 Chunk ID: 8209, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 49558 Chunk ID: 8210, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 38085 Chunk ID: 8211, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 42996 Chunk ID: 8212, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 15971 Chunk ID: 8213, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 3410 Chunk ID: 8214, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 22529 Chunk ID: 8215, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 27440 Chunk ID: 8216, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 31502 Chunk ID: 10199, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 3459 Chunk ID: 6000, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 48953 Chunk ID: 6001, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 35848 Chunk ID: 6002, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 55643 Chunk ID: 6003, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 60010
``` A tree view of the new delta folder: ``` data/delta/dell5040sff/ └── home ├── amt │ ├── rtfd │ │ ├── acl │ │ │ ├── tnf0 │ │ │ ├── tnf1 │ │ │ └── tnf2 │ │ ├── amt.wol │ │ ├── hshStr.crt19 │ │ ├── hshStr.crt23 │ │ ├── hshStr.crt24 │ │ ├── hshStr.crt25 │ │ └── hshStr.crt26 │ └── skip_rtfd │ └── uim.policy ├── bup │ ├── bup_sku │ │ ├── emu_fuse_map │ │ ├── fuse_ip_base │ │ └── plat_n_sku │ ├── invokemebx │ └── mbp ├── fwupdate │ ├── fwuavgerase │ ├── fwuavgwrite │ └── fwuoemid ├── gpio │ └── csme_pins ├── icc │ ├── dynregs │ ├── header │ ├── namestr │ ├── prof0 │ ├── prof1 │ ├── prof2 │ ├── prof3 │ ├── prof4 │ ├── prof5 │ └── prof6 ├── mca │ ├── eom │ └── ish_policy ├── mctp │ └── device_ports ├── pavp │ ├── hdcp_ports │ └── lspcon_port ├── policy │ ├── Bist │ │ └── auto_config │ ├── cfgmgr │ │ └── cfg_rules │ ├── hci │ │ ├── sysintid1 │ │ ├── sysintid2 │ │ └── sysintid3 │ └── pwdmgr │ └── segreto └── secureboot ├── bootpolres ├── bootpoltype ├── enfpolicy ├── kmid └── pubkeyhash ```
Diffing this compared to the example delta 3050 folder: ``` diff -bur optiplex_3050 optiplex_5040_sff_strip Binary files optiplex_3050/home/bup/bup_sku/emu_fuse_map and optiplex_5040_sff_strip/home/bup/bup_sku/emu_fuse_map differ Binary files optiplex_3050/home/bup/bup_sku/plat_n_sku and optiplex_5040_sff_strip/home/bup/bup_sku/plat_n_sku differ Only in optiplex_5040_sff_strip/home/bup: invokemebx Binary files optiplex_3050/home/bup/mbp and optiplex_5040_sff_strip/home/bup/mbp differ Binary files optiplex_3050/home/icc/dynregs and optiplex_5040_sff_strip/home/icc/dynregs differ Binary files optiplex_3050/home/icc/prof0 and optiplex_5040_sff_strip/home/icc/prof0 differ Only in optiplex_3050/home/icc: prof10 Only in optiplex_3050/home/icc: prof7 Only in optiplex_3050/home/icc: prof8 Only in optiplex_3050/home/icc: prof9 Only in optiplex_5040_sff_strip/home/policy: Bist Binary files optiplex_3050/home/policy/cfgmgr/cfg_rules and optiplex_5040_sff_strip/home/policy/cfgmgr/cfg_rules differ diff -bur optiplex_3050/home/policy/hci/sysintid1 optiplex_5040_sff_strip/home/policy/hci/sysintid1 --- optiplex_3050/home/policy/hci/sysintid1 2025-03-31 15:36:47.220784635 +0200 +++ optiplex_5040_sff_strip/home/policy/hci/sysintid1 2025-03-31 16:01:29.335254012 +0200 @@ -1 +1 @@ -�n$� \ No newline at end of file +_�� \ No newline at end of file diff -bur optiplex_3050/home/policy/hci/sysintid2 optiplex_5040_sff_strip/home/policy/hci/sysintid2 --- optiplex_3050/home/policy/hci/sysintid2 2025-03-31 15:36:47.220784635 +0200 +++ optiplex_5040_sff_strip/home/policy/hci/sysintid2 2025-03-31 16:01:29.335254012 +0200 @@ -1 +1 @@ -��t` \ No newline at end of file +���� \ No newline at end of file diff -bur optiplex_3050/home/policy/hci/sysintid3 optiplex_5040_sff_strip/home/policy/hci/sysintid3 --- optiplex_3050/home/policy/hci/sysintid3 2025-03-31 15:36:47.220784635 +0200 +++ optiplex_5040_sff_strip/home/policy/hci/sysintid3 2025-03-31 16:01:29.335254012 +0200 @@ -1 +1 @@ -Ȯ� \ No newline at end of file +�a< \ No newline at end of file diff -bur optiplex_3050/home/policy/pwdmgr/segreto optiplex_5040_sff_strip/home/policy/pwdmgr/segreto --- optiplex_3050/home/policy/pwdmgr/segreto 2025-03-31 15:36:47.221784637 +0200 +++ optiplex_5040_sff_strip/home/policy/pwdmgr/segreto 2025-03-31 16:01:29.335254012 +0200 @@ -1 +1 @@ -��к \ No newline at end of file +�"�H \ No newline at end of file ```
After deleting (strip) the `secureboot` and `amt,fwupd,pavp` folders it will generate a 2M consumer ME image when using `finalimage.py`.
`./finalimage.py --delta data/delta/dell5040sff --version 11.6.0.1126 -pch H --sku 2M --fake-fpfs data/fpfs/zero --input external/asrock_h110_me_11.6.0.1126.bin --output 5040sff_patched_me.bin`
When enabling the HAP bit on the original IFD and replacing the ME with the downgraded and deguarded ME should complete the manual.
Is it correct to replace the current corporate ME firmware around ~7MB from the original image with this 2MB donor consumer variant, will it be similar like the Optiplex 3050 from the example or should I find a older vulnerable corporate ME firmware?
Which file(s) of this dump may I distribute / upload to this ticket license wise to improve debugging?
Using the service mode jumper on this Dell Optiplex 5040 SFF I was able to fully read and write the whole firmware even the ME regions (checksum checked it). Anyone else experience or success using a 'ch341a_spi' or 'raspberry spi' doing in-situ flash recover on this particular Dell or similar in case I need it?
https://www.dell.com/support/product-details/en-uk/product/optiplex-5040-sff...
Issue #588 has been updated by Walter Sonius.
SUCCESS? To answer my own questions and possible resolve this issue:
This "possible" deguarded Dell Optiplex 5040 SFF still boots after (internal)flashing this modified rom!
Without a ME device because of HAP bit set I'm not able to check if ME was downgraded successful but even though the ME service mode Jumper is not set on the motherboard the KDE neon security reports HSI-2 now looks the same as if the ME service mode jumper was set:
``` HSI-2 IOMMU: Enabled Platform debugging: Locked TPM PCR0 reconstruction: Valid Intel BootGuard: Not supported <----------------------- ;-)
```
Before deguarded firmware flashing, the original OEM firmware listed these options if ME service mode jumper was not set(normal state):
``` HSI-2 Intel BootGuard ACM protected: Valid Intel BootGuard: Enabled Intel BootGuard OTP fuse: Valid Intel BootGuard verfied boot: Valid IOMMU: Enabled Platform debugging: Locked TPM PCR0 reconstruction: Valid
```
Although the invalid crc checks (see earlier workaround), removing suggested `secureboot amt fwupd pavp` folders, missing `ptt` folder and some differing files these following commands were used.
```
./finalimage.py --delta data/delta/dell5040sff --version 11.6.0.1126 --pch H --sku 2M --fake-fpfs data/fpfs/zero --input external/asrock_h110_me_11.6.0.1126.bin --output 5040sff_patched_me.bin
ifdtool dell_optiplex_5040_sff_bios122.rom -i me:5040sff_patched_me.bin ifdtool dell_optiplex_5040_sff_bios122.rom.new -M 1 -p sklkbl
sudo flashrom -p internal -w dell_optiplex_5040_sff_bios122.rom.new
```
Internal flashrom programming just needed `-p internal` but for external insitu recovery specifying a chipset was needed `-c "GD25B128B/GD25Q128B"`.
External insitu SOIC8 SPI flashrom recovery with this Dell Optiplex 5040 SFF was fine with a ch341a programmer (3,3v mod) by just using the power of the USB programmer and have no AC mains connected to the motherboard (CPU, RAM CMOS-battery all still inserted). Not sure if setting the ME service mode jumper was needed.
---------------------------------------- Support #588: Deguard AssertionError using ./generatedelta.py on Dell Optiplex 5040 SFF (0T7D40) full rom dump https://ticket.coreboot.org/issues/588#change-2080
* Author: Walter Sonius * Status: New * Priority: Normal * Category: userspace utilities * Target version: none * Start date: 2025-03-31 ---------------------------------------- Running the deguard `./generatedelta.py` on the flashrom dumped rom from a Dell Optiplex 5040 SFF (0T7D40 A00, Q170 chipset, ME 11.8.92.4222) 1.22 BIOS results in the following AssertionError:
``` ./generatedelta.py --input dell_optiplex_5040_sff_bios122.rom --output data/delta/dell5040sff Traceback (most recent call last): File "/home/neon/deguard/./generatedelta.py", line 55, in <module> mfs = MFS(me.entry_data("MFS")) ^^^^^^^^^^^^^^^^^^^^^^^^^ File "/home/neon/deguard/lib/mfs.py", line 43, in __init__ page = MFSPage(self.data[page * self.PAGE_SIZE:(page + 1) * self.PAGE_SIZE], page) # Load page ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/home/neon/deguard/lib/mfs.py", line 164, in __init__ self.chunks[chunk] = MFSChunk(data, chunk_id) ^^^^^^^^^^^^^^^^^^^^^^^^ File "/home/neon/deguard/lib/mfs.py", line 273, in __init__ assert self.crc == MFS.Crc16(self.data + struct.pack("<H", self.chunk_id)) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ AssertionError
```
This "AssertionError" can be skipped by using "Filip Lewiński" [filipleple patch](https://codeberg.org/libreboot/deguard/issues/1) on `lib/mfs.py`:
``` - assert self.crc == MFS.Crc16(self.data + struct.pack("<H", self.chunk_id)) + print(f"Chunk ID: {self.chunk_id}, Data: {self.data.hex()[:100]}, Expected CRC: {self.crc}, Calculated CRC: {MFS.Crc16(self.data + struct.pack('<H', self.chunk_id))}") + # assert self.crc == MFS.Crc16(self.data + struct.pack("<H", self.chunk_id)) + if (self.crc != MFS.Crc16(self.data + struct.pack("<H", self.chunk_id))): + print ("Invalid CRC!!!\n") ```
It now lists the following 52 CRC invalid errors, but will create a delta folder structure like the example optiplex 3050 although it misses the `ptt` folder and some other files differ: ``` ./generatedelta.py --input dell_optiplex_5040_sff_bios122.rom --output data/delta/dell5040sff | grep "CRC: 0,"
Chunk ID: 9662, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 40051 Chunk ID: 9668, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 31713 Chunk ID: 9669, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 18640 Chunk ID: 8173, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 20614 Chunk ID: 8174, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 1493 Chunk ID: 8175, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 14052 Chunk ID: 8176, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 9641 Chunk ID: 8177, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 5784 Chunk ID: 8178, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 17355 Chunk ID: 8179, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 28922 Chunk ID: 8180, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 59757 Chunk ID: 8181, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 55900 Chunk ID: 8182, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 36623 Chunk ID: 8183, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 48190 Chunk ID: 8184, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 44032 Chunk ID: 8185, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 40753 Chunk ID: 8186, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 51810 Chunk ID: 8187, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 63827 Chunk ID: 8188, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 24772 Chunk ID: 8189, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 21493 Chunk ID: 8190, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 1702 Chunk ID: 8191, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 13719 Chunk ID: 8192, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 61908 Chunk ID: 8193, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 49893 Chunk ID: 8194, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 38838 Chunk ID: 8195, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 42119 Chunk ID: 8196, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 15632 Chunk ID: 8197, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 3617 Chunk ID: 8198, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 23410 Chunk ID: 8199, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 26691 Chunk ID: 8200, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 30845 Chunk ID: 8201, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 19276 Chunk ID: 8202, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 7711 Chunk ID: 8203, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 11566 Chunk ID: 8204, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 46265 Chunk ID: 8205, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 34696 Chunk ID: 8206, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 53979 Chunk ID: 8207, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 57834 Chunk ID: 8208, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 62119 Chunk ID: 8209, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 49558 Chunk ID: 8210, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 38085 Chunk ID: 8211, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 42996 Chunk ID: 8212, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 15971 Chunk ID: 8213, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 3410 Chunk ID: 8214, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 22529 Chunk ID: 8215, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 27440 Chunk ID: 8216, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 31502 Chunk ID: 10199, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 3459 Chunk ID: 6000, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 48953 Chunk ID: 6001, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 35848 Chunk ID: 6002, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 55643 Chunk ID: 6003, Data: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000, Expected CRC: 0, Calculated CRC: 60010
``` A tree view of the new delta folder: ``` data/delta/dell5040sff/ └── home ├── amt │ ├── rtfd │ │ ├── acl │ │ │ ├── tnf0 │ │ │ ├── tnf1 │ │ │ └── tnf2 │ │ ├── amt.wol │ │ ├── hshStr.crt19 │ │ ├── hshStr.crt23 │ │ ├── hshStr.crt24 │ │ ├── hshStr.crt25 │ │ └── hshStr.crt26 │ └── skip_rtfd │ └── uim.policy ├── bup │ ├── bup_sku │ │ ├── emu_fuse_map │ │ ├── fuse_ip_base │ │ └── plat_n_sku │ ├── invokemebx │ └── mbp ├── fwupdate │ ├── fwuavgerase │ ├── fwuavgwrite │ └── fwuoemid ├── gpio │ └── csme_pins ├── icc │ ├── dynregs │ ├── header │ ├── namestr │ ├── prof0 │ ├── prof1 │ ├── prof2 │ ├── prof3 │ ├── prof4 │ ├── prof5 │ └── prof6 ├── mca │ ├── eom │ └── ish_policy ├── mctp │ └── device_ports ├── pavp │ ├── hdcp_ports │ └── lspcon_port ├── policy │ ├── Bist │ │ └── auto_config │ ├── cfgmgr │ │ └── cfg_rules │ ├── hci │ │ ├── sysintid1 │ │ ├── sysintid2 │ │ └── sysintid3 │ └── pwdmgr │ └── segreto └── secureboot ├── bootpolres ├── bootpoltype ├── enfpolicy ├── kmid └── pubkeyhash ```
Diffing this compared to the example delta 3050 folder: ``` diff -bur optiplex_3050 optiplex_5040_sff_strip Binary files optiplex_3050/home/bup/bup_sku/emu_fuse_map and optiplex_5040_sff_strip/home/bup/bup_sku/emu_fuse_map differ Binary files optiplex_3050/home/bup/bup_sku/plat_n_sku and optiplex_5040_sff_strip/home/bup/bup_sku/plat_n_sku differ Only in optiplex_5040_sff_strip/home/bup: invokemebx Binary files optiplex_3050/home/bup/mbp and optiplex_5040_sff_strip/home/bup/mbp differ Binary files optiplex_3050/home/icc/dynregs and optiplex_5040_sff_strip/home/icc/dynregs differ Binary files optiplex_3050/home/icc/prof0 and optiplex_5040_sff_strip/home/icc/prof0 differ Only in optiplex_3050/home/icc: prof10 Only in optiplex_3050/home/icc: prof7 Only in optiplex_3050/home/icc: prof8 Only in optiplex_3050/home/icc: prof9 Only in optiplex_5040_sff_strip/home/policy: Bist Binary files optiplex_3050/home/policy/cfgmgr/cfg_rules and optiplex_5040_sff_strip/home/policy/cfgmgr/cfg_rules differ diff -bur optiplex_3050/home/policy/hci/sysintid1 optiplex_5040_sff_strip/home/policy/hci/sysintid1 --- optiplex_3050/home/policy/hci/sysintid1 2025-03-31 15:36:47.220784635 +0200 +++ optiplex_5040_sff_strip/home/policy/hci/sysintid1 2025-03-31 16:01:29.335254012 +0200 @@ -1 +1 @@ -�n$� \ No newline at end of file +_�� \ No newline at end of file diff -bur optiplex_3050/home/policy/hci/sysintid2 optiplex_5040_sff_strip/home/policy/hci/sysintid2 --- optiplex_3050/home/policy/hci/sysintid2 2025-03-31 15:36:47.220784635 +0200 +++ optiplex_5040_sff_strip/home/policy/hci/sysintid2 2025-03-31 16:01:29.335254012 +0200 @@ -1 +1 @@ -��t` \ No newline at end of file +���� \ No newline at end of file diff -bur optiplex_3050/home/policy/hci/sysintid3 optiplex_5040_sff_strip/home/policy/hci/sysintid3 --- optiplex_3050/home/policy/hci/sysintid3 2025-03-31 15:36:47.220784635 +0200 +++ optiplex_5040_sff_strip/home/policy/hci/sysintid3 2025-03-31 16:01:29.335254012 +0200 @@ -1 +1 @@ -Ȯ� \ No newline at end of file +�a< \ No newline at end of file diff -bur optiplex_3050/home/policy/pwdmgr/segreto optiplex_5040_sff_strip/home/policy/pwdmgr/segreto --- optiplex_3050/home/policy/pwdmgr/segreto 2025-03-31 15:36:47.221784637 +0200 +++ optiplex_5040_sff_strip/home/policy/pwdmgr/segreto 2025-03-31 16:01:29.335254012 +0200 @@ -1 +1 @@ -��к \ No newline at end of file +�"�H \ No newline at end of file ```
After deleting (strip) the `secureboot` and `amt,fwupd,pavp` folders it will generate a 2M consumer ME image when using `finalimage.py`.
`./finalimage.py --delta data/delta/dell5040sff --version 11.6.0.1126 -pch H --sku 2M --fake-fpfs data/fpfs/zero --input external/asrock_h110_me_11.6.0.1126.bin --output 5040sff_patched_me.bin`
When enabling the HAP bit on the original IFD and replacing the ME with the downgraded and deguarded ME should complete the manual.
Is it correct to replace the current corporate ME firmware around ~7MB from the original image with this 2MB donor consumer variant, will it be similar like the Optiplex 3050 from the example or should I find a older vulnerable corporate ME firmware?
Which file(s) of this dump may I distribute / upload to this ticket license wise to improve debugging?
Using the service mode jumper on this Dell Optiplex 5040 SFF I was able to fully read and write the whole firmware even the ME regions (checksum checked it). Anyone else experience or success using a 'ch341a_spi' or 'raspberry spi' doing in-situ flash recover on this particular Dell or similar in case I need it?
https://www.dell.com/support/product-details/en-uk/product/optiplex-5040-sff...
-
Walter Sonius