diff --git a/Cargo.lock b/Cargo.lock index f9b7092..04b5a65 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -148,6 +148,21 @@ dependencies = [ "libc", ] +[[package]] +name = "crc" +version = "3.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5eb8a2a1cd12ab0d987a5d5e825195d372001a4094a0376319d5a0ad71c1ba0d" +dependencies = [ + "crc-catalog", +] + +[[package]] +name = "crc-catalog" +version = "2.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "19d374276b40fb8bbdee95aef7c7fa6b5316ec764510eb64b8dd0e2ed0d7e7f5" + [[package]] name = "crypto-common" version = "0.1.7" @@ -219,6 +234,7 @@ version = "0.1.2" dependencies = [ "bitfield-struct", "clap", + "crc", "env_logger", "log", "md5", diff --git a/Cargo.toml b/Cargo.toml index 1a1af1e..4c77707 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -24,10 +24,12 @@ unwrap_used = "deny" clap = { version = "4.5.48", features = ["derive"] } env_logger = "0.11.8" log = "0.4.28" + +crc = "3.4.0" md5 = "0.8.0" -num-bigint = "0.4.6" sha2 = "0.10.9" +num-bigint = "0.4.6" phf = { version = "0.13.1", default-features = false, features = ["macros"] } phf_macros = "0.13.1" strum = { version = "0.27.2", features = ["derive"] } diff --git a/docs/knowledge.md b/docs/knowledge.md index d5203b5..fcd0bae 100644 --- a/docs/knowledge.md +++ b/docs/knowledge.md 
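Review bot: The blank line added before `crc = "3.4.0"` in Cargo.toml starts a new group in the dependency list without saying what it holds, and `num-bigint` is moved below `sha2` with no stated reason. A one-line comment above `crc` would make the grouping explicit, for example `# checksums and digests; crc is error detection only, not tamper detection`. That distinction matters in a tool that rewrites firmware images, because a matching CRC says nothing about deliberate modification. How the crate is used is not visible in this diff, so confirm the wording against the calling code.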
@@ -26,6 +26,10 @@ Note that the public information mainly focuses on host processor firmware. - [TXE MFS exploit PoC](https://github.com/ptresearch/IntelTXE-PoC) - [ME disablement](https://github.com/ptresearch/me-disablement) - [many other repositories](https://github.com/ptresearch?tab=repositories) +- earlier commmunity research + - [xvilka's attempts with r2](http://xvilka.me/h2hc2014-reversing-firmware-radare-slides.pdf) + - [community wiki of people who wanted custom ME firmware](https://web.archive.org/web/20170930114403/http://me.bios.io/Main_Page) + - [analysis of ME v6-10 Huffman algorithm](https://web.archive.org/web/20160428074432/https://io.netgarage.org/me/) ## Research diff --git a/docs/platforms.md b/docs/platforms.md index 406fc7d..72404f3 100644 --- a/docs/platforms.md +++ b/docs/platforms.md 
@@ -47,6 +47,31 @@ generation and specific platforms a certain firmware version range. For example, Lenovo ThinkPad X270 laptops came with 6th/7th gen Intel Core processors, which means 3rd generation ME hardware and version 11.x.x.x ME firmware. +The following table is not necessarily correct nor complete, based on rough +findings and notes on Wikipedia[^26]. + +| Year | Microarchitecture | Chipset series | Generation | ME version | +| ---- | ----------------- | -------------- | ---------- | ---------- | +| 2015 | Broadwell | | 5th | 11.x.x.x | +| | Skylake | 100[^22] | 6th | 11.x.x.x | +| 2016 | | | | | +| 2017 | Kaby Lake | 200[^23] | 7th | 11.5.x.x | +| | Coffee Lake | | 8th | 12.x.x.x | +| 2018 | Coffee Lake | 300[^24] | 9th | 12.x.x.x | +| 2019 | | | | | +| 2020 | Comet Lake | 400[^25] | 10th | 14.x.x.x | +| 2021 | Rocket Lake | | 11th | 15.x.x.x | +| 2022 | Alder Lake | | 12th | 15.x.x.x | +| 2023 | Raptor Lake | | 13th | 15.x.x.x | +| | Raptor Lake | | 14th | 15.x.x.x | +| 2024 | Arrow Lake | | Series 2 | 15.x.x.x | + +[^22]: +[^23]: +[^24]: +[^25]: +[^26]: + ## Processor names Intel publicly documents how to interpret procesor names[^12] and what their @@ -65,6 +90,7 @@ suffixes mean[^13]. | HAP | High-Assurance Platform | | {I,M,P}CH | {I/O,Memory,Platform} Controller Hub[^9] | | IFD | Intel Flash Descriptor | +| LMS | Local Manageability Service[^21] | | PTT | Platform Trust Technology | | RBE | ROM Boot Extensions (part of ME firmware) | | SPS | Server Platform Services | @@ -99,3 +125,4 @@ The following abbreviations have a second meaning: [^18]: [^19]: [^20]: +[^21]: diff --git a/scripts/testall.sh b/scripts/testall.sh index 620507b..fecc587 100755 --- a/scripts/testall.sh +++ b/scripts/testall.sh 
@@ -20,6 +20,8 @@ cargo run --release -- me clean -b MFS -O x230_clean_b_MFS.rom ./fixtures/x230.r cargo run --release -- me clean -w EFFS -O x230_clean_w_EFFS.rom ./fixtures/x230.rom #me_cleaner -b EFFS -O ./fixtures/x230_cleaned_b_EFFS.rom ./fixtures/x230.rom cargo run --release -- me clean -b EFFS -O x230_clean_b_EFFS.rom ./fixtures/x230.rom +#me_cleaner -b EFFS -O ./fixtures/x230_cleaned_b_EFFS.rom -M ./fixtures/x230_cleaned_b_EFFS_me.bin ./fixtures/x230.rom +cargo run --release -- me clean -b EFFS -O x230_clean_b_EFFS.rom -M x230_clean_b_EFFS_me.bin ./fixtures/x230.rom #me_cleaner -O ./fixtures/x270_cleaned_simple.rom ./fixtures/x270.rom cargo run --release -- me clean -O x270_clean.rom ./fixtures/x270.rom @@ -41,6 +43,10 @@ cargo run --release -- me clean -b MFS -O x270_clean_b_MFS.rom ./fixtures/x270.r cargo run --release -- me clean -w EFFS -O x270_clean_w_EFFS.rom ./fixtures/x270.rom #me_cleaner -b EFFS -O ./fixtures/x270_cleaned_b_EFFS.rom ./fixtures/x270.rom cargo run --release -- me clean -b EFFS -O x270_clean_b_EFFS.rom ./fixtures/x270.rom +#me_cleaner -b EFFS -O ./fixtures/x270_cleaned_b_EFFS.rom -M ./fixtures/x270_cleaned_b_EFFS_me.bin ./fixtures/x270.rom +cargo run --release -- me clean -b EFFS -O x270_clean_b_EFFS.rom -M x270_clean_b_EFFS_me.bin ./fixtures/x270.rom +me_cleaner -b EFFS -O ./fixtures/x270_cleaned_b_EFFS.rom -t -M ./fixtures/x270_cleaned_b_EFFS_me_t.bin ./fixtures/x270.rom +cargo run --release -- me clean -b EFFS -O x270_clean_b_EFFS.rom -t -M x270_clean_b_EFFS_me_t.bin ./fixtures/x270.rom ./scripts/bdiffstat x230_clean.rom fixtures/x230_cleaned_simple.rom ./scripts/bdiffstat x230_clean_k.rom fixtures/x230_cleaned_k.rom
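Review bot: The added `cargo run` line in the first hunk writes `-M x230_clean_b_EFFS_me.bin`, but no comparison of that file against a reference is visible in the lines shown, so the extracted ME image may go unchecked. The same holds for the two `-M` outputs added in the second hunk. The line also reuses `-O x230_clean_b_EFFS.rom` from the run above it, so any later comparison of that file only sees the last run. If the comparison section, which continues outside these hunks, does not already cover the new outputs, add lines such as `./scripts/bdiffstat x230_clean_b_EFFS_me.bin fixtures/x230_cleaned_b_EFFS_me.bin`.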
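Review bot: In the second hunk the added `me_cleaner -b EFFS -O ./fixtures/x270_cleaned_b_EFFS.rom -t -M ./fixtures/x270_cleaned_b_EFFS_me_t.bin ./fixtures/x270.rom` line has no leading `#`, unlike every other `me_cleaner` reference line visible here. As written, the script runs the external tool and writes over the reference fixture `./fixtures/x270_cleaned_b_EFFS.rom` that the Rust output is meant to be compared against. The test then depends on a locally installed me_cleaner, and the reference silently becomes whatever that binary produced with `-t`. Comment it out like its neighbours: `#me_cleaner -b EFFS -O ./fixtures/x270_cleaned_b_EFFS.rom -t -M ./fixtures/x270_cleaned_b_EFFS_me_t.bin ./fixtures/x270.rom`.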