[Sleeping Pill] funny sidequest ... race condition? #64

Open
mereportertmp12432 opened this Issue Sep 9, 2017 · 2 comments

mereportertmp12432 commented Sep 9, 2017

hi, i have a panasonic cf19mk6 with qm77 chipset and this is the story of how I was able to corrupt - and hopefully disable - my ME using fwupdlcl and the integrated programmer, so it may inspire future "research" (e.g. a one-click mecleaner.exe would be like totally friggin awesome).

me config

Local FWUpdate: Enabled
BIOS Config Lock: Enabled
Host Read Access to ME: Disabled
Host Write Access to ME: Disabled

behaviour for fwupdlcl with me_cleaned ME.bin

https://filebin.ca/3ZorKoSiEbI2/MEREG-muchdisable.bin
C:\UpdateMeFirmware\Data801>FWUpdLcl64.exe -oemid D6B09D64-DA23-49A9-8888-F663BE603389 -allowsv -f "MEREG-muchdisable.bin"
Intel (R) Firmware Update Utility Version: 8.1.40.1456
Copyright (C) 2007 - 2013, Intel Corporation. All rights reserved.
Communication Mode: MEI
Checking firmware parameters...
Warning: Do not exit the process or power off the machine before the firmware update process ends.
Sending the update image to FW for verification: [ COMPLETE ]
FW Update: [ 15% (Stage: 4 of 19) (-)]
Error 8741: FW Update Failed.
Error 8707: Firmware update failed due to an internal error

partially update OEM stock ME.bin

https://filebin.ca/3ZoqtxiQEx5m/ME.bin
C:\UpdateMeFirmware\Data801>FWUpdLcl.exe -oemid D6B09D64-DA23-49A9-8888-F663BE603389 -allowsv -f "ME.bin"
Intel (R) Firmware Update Utility Version: 8.1.40.1456
Copyright (C) 2007 - 2013, Intel Corporation. All rights reserved.
Communication Mode: MEI
Checking firmware parameters...
Warning: Do not exit the process or power off the machine before the firmware update process ends.
Sending the update image to FW for verification: [ COMPLETE ]
FW Update: [ 35% (Stage: 13 of 19) (-)]

HIBERNATE, after being in Stage13 for 2-3 seconds ... last seen "50%" and Stage 14/19

^C Update: [ 0% (Stage: 0 of 19) (|)])]

RESUME, now see 0%, program hangs, so ctrl-c && hijack session with me_cleaned ME.bin

https://filebin.ca/3ZorKoSiEbI2/MEREG-muchdisable.bin
C:\UpdateMeFirmware\Data801>FWUpdLcl.exe -oemid D6B09D64-DA23-49A9-8888-F663BE603389 -allowsv -f "MEREG-muchdisable.bin"
Intel (R) Firmware Update Utility Version: 8.1.40.1456
Copyright (C) 2007 - 2013, Intel Corporation. All rights reserved.
Communication Mode: MEI
Checking firmware parameters...
Warning: Do not exit the process or power off the machine before the firmware update process ends.
Sending the update image to FW for verification: [ COMPLETE ]
FW Update: [ 35% (Stage: 13 of 19) (-)]

it directly jumps to Stage 13 35% ... cool?

FW Update: [ 100% (Stage: 19 of 19) (-)]
FW Update is complete and a reboot will run the new FW.

results

other oem strings @ panasonic pcinfo http://picpaste.com/diff-pcinfo.png
PRE-BOOT and other ME-Name @ meinfo http://picpaste.com/diff-meinfo.png
Recovery state and two wiped registers @ http://picpaste.com/diff-intelmetool.png
fwupdlcl -fwver shows version, but -save and -f just hang
memanuf reports some error
ctrl-p reports "FW Status Recovery Error" and then just boots
no issues so far, doesn't powercycle after 30 min or anything. seems good to me, especially the "pre-boot" thingy ... but what the heck do i know

mereportertmp12432 commented Sep 10, 2017

any suggestions for one of those hipster vulnerability names?
i'll throw "UpDateME" and "Sleeper Hold" in the room for starters.

EDIT: Decided to call it "Sleeping Pill" as a homage to the much much more sophisticated Blue and Red Pills.
(Hi Joanna: Thx for Qubes! btw, needs better screensaver protection, just a gut feeling)

archfan commented Sep 10, 2017

any suggestions for one of those hipster vulnerability names?
Hodl me tight.

@mereportertmp12432 mereportertmp12432 changed the title from funny sidequest ... race condition? to [Sleeping Pill] funny sidequest ... race condition? Sep 12, 2017
