|
| 1 | +#!/usr/bin/env bash |
| 2 | + |
| 3 | +# These variables are all for the deguard tool. |
| 4 | +# They would need to be changed if using the tool for other devices like the T480s or with a different ME version... |
| 5 | +ME_delta="thinkpad_t480s" |
| 6 | +ME_version="11.6.0.1126" |
| 7 | +ME_sku="2M" |
| 8 | +ME_pch="LP" |
| 9 | + |
| 10 | +# Thunderbolt firmware offset in bytes to pad to 1M |
| 11 | +TBFW_SIZE=1048575 |
| 12 | + |
| 13 | +# Integrity checks for the vendor provided ME blob... |
| 14 | +ME_DOWNLOAD_HASH="ddfbc51430699e0dfcb24a60bcb5b6e5481b325ebecf1ac177e069013189e4b0" |
| 15 | +# ...and the cleaned and deguarded version from that blob. |
| 16 | +DEGUARDED_ME_BIN_HASH="7bc47ed1ead1d72a135e7adff207ae8ddddc56d81128d9d6a8061ad04685c73b" |
| 17 | +# Integrity checks for the vendor provided Thunderbolt blob... |
| 18 | +TB_DOWNLOAD_HASH="090d0085af4a20bcdfba8a75f1bce735ff80afbfea968bbe276a80a0c4c18706" |
| 19 | +# ...and the padded and flashable version from that blob. |
| 20 | +TB_BIN_HASH="b53e4670327e076ef879b2abef0efd9aade20da88d0c0976921b9f32378c0119" |
| 21 | + |
| 22 | + |
| 23 | +function usage() { |
| 24 | + echo -n \ |
| 25 | + "Usage: $(basename "$0") -m <me_cleaner>(optional) path_to_output_directory |
| 26 | +Download Intel ME firmware from Dell, neutralize and shrink keeping the MFS. |
| 27 | +Download Thunderbolt firmware from Lenovo and pad it for flashing externally. |
| 28 | +" |
| 29 | +} |
| 30 | + |
| 31 | +function chk_sha256sum() { |
| 32 | + sha256_hash="$1" |
| 33 | + filename="$2" |
| 34 | + echo "$sha256_hash" "$filename" "$(pwd)" |
| 35 | + sha256sum "$filename" |
| 36 | + if ! echo "${sha256_hash} ${filename}" | sha256sum --check; then |
| 37 | + echo "ERROR: SHA256 checksum for ${filename} doesn't match." |
| 38 | + exit 1 |
| 39 | + fi |
| 40 | +} |
| 41 | + |
| 42 | +function chk_exists_and_matches() { |
| 43 | + if [[ -f "$1" ]]; then |
| 44 | + if echo "${2} ${1}" | sha256sum --check; then |
| 45 | + echo "SKIPPING: SHA256 checksum for $1 matches." |
| 46 | + [[ "$3" = ME ]] && me_exists="y" |
| 47 | + [[ "$3" = TB ]] && tb_exists="y" |
| 48 | + fi |
| 49 | + echo "$1 exists but checksum doesn't match. Continuing..." |
| 50 | + fi |
| 51 | +} |
| 52 | + |
| 53 | +function download_and_clean() { |
| 54 | + me_cleaner="$(realpath "${1}")" |
| 55 | + me_output="$(realpath "${2}")" |
| 56 | + |
| 57 | + # Download and unpack the Dell installer into a temporary directory and |
| 58 | + # extract the deguardable Intel ME blob. |
| 59 | + pushd "$(mktemp -d)" || exit |
| 60 | + |
| 61 | + # Download the installer that contains the ME blob |
| 62 | + me_installer_filename="Inspiron_5468_1.3.0.exe" |
| 63 | + user_agent="Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0" |
| 64 | + curl -A "$user_agent" -s -O "https://dl.dell.com/FOLDER04573471M/1/${me_installer_filename}" |
| 65 | + chk_sha256sum "$ME_DOWNLOAD_HASH" "$me_installer_filename" |
| 66 | + |
| 67 | + # Download the tool to unpack Dell's installer and unpack the ME blob. |
| 68 | + git clone https://github.com/platomav/BIOSUtilities |
| 69 | + git -C BIOSUtilities checkout ef50b75ae115ae8162fa8b0a7b8c42b1d2db894b |
| 70 | + |
| 71 | + python "BIOSUtilities/Dell_PFS_Extract.py" "${me_installer_filename}" -e || exit |
| 72 | + |
| 73 | + extracted_me_filename="1 Inspiron_5468_1.3.0 -- 3 Intel Management Engine (Non-VPro) Update v${ME_version}.bin" |
| 74 | + |
| 75 | + # Deactivate, partially neuter and shrink Intel ME. Note that this doesn't include |
| 76 | + # --soft-disable to set the "ME Disable" or "ME Disable B" (e.g., |
| 77 | + # High Assurance Program) bits, as they are defined within the Flash |
| 78 | + # Descriptor. |
| 79 | + # However, the HAP bit must be enabled to make the deguarded ME work. We only clean the ME in this function. |
| 80 | + # For ME 11.x this means we must keep the rbe, bup, kernel and syslib modules. |
| 81 | + # https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F#me-versions-from-11x-skylake-1 |
| 82 | + # Furthermore, deguard requires keeping the MFS, the HAP bit set, and we cannot relocate the FTPR partition. |
| 83 | + # Some more general info on shrinking: |
| 84 | + # https://github.com/corna/me_cleaner/wiki/External-flashing#neutralize-and-shrink-intel-me-useful-only-for-coreboot |
| 85 | + |
| 86 | + # MFS is needed for deguard so we whitelist it here and also do not relocate the FTPR partition |
| 87 | + python "$me_cleaner" --whitelist MFS -t -O "$me_output" "${me_installer_filename}_extracted/Firmware/${extracted_me_filename}" |
| 88 | + rm -rf ./* |
| 89 | + popd || exit |
| 90 | +} |
| 91 | + |
| 92 | +function deguard() { |
| 93 | + me_input="$(realpath "${1}")" |
| 94 | + me_output="$(realpath "${2}")" |
| 95 | + |
| 96 | + # Download the deguard tool into a temporary directory and apply the patch to the cleaned ME blob. |
| 97 | + pushd "$(mktemp -d)" || exit |
| 98 | + git clone https://github.com/coreboot/deguard |
| 99 | + pushd deguard || exit |
| 100 | + git checkout 0ed3e4ff824fc42f71ee22907d0594ded38ba7b2 |
| 101 | + |
| 102 | + python ./finalimage.py \ |
| 103 | + --delta "data/delta/$ME_delta" \ |
| 104 | + --version "$ME_version" \ |
| 105 | + --pch "$ME_pch" \ |
| 106 | + --sku "$ME_sku" \ |
| 107 | + --fake-fpfs data/fpfs/zero \ |
| 108 | + --input "$me_input" \ |
| 109 | + --output "$me_output" |
| 110 | + |
| 111 | + popd || exit |
| 112 | + #Cleanup |
| 113 | + rm -rf ./* |
| 114 | + popd || exit |
| 115 | +} |
| 116 | + |
| 117 | +function download_and_pad_tb() { |
| 118 | + tb_output="$(realpath "${1}")" |
| 119 | + |
| 120 | + # Download and unpack the Lenovo installer into a temporary directory and |
| 121 | + # extract the TB blob. |
| 122 | + pushd "$(mktemp -d)" || exit |
| 123 | + |
| 124 | + # Download the installer that contains the T480s TB blob |
| 125 | + tb_installer_filename=""n22th11w.exe"" |
| 126 | + user_agent="Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0" |
| 127 | + curl -A "$user_agent" -s -O "https://download.lenovo.com/pccbbs/mobiles/${tb_installer_filename}" |
| 128 | + chk_sha256sum "$TB_DOWNLOAD_HASH" "$tb_installer_filename" |
| 129 | + |
| 130 | + # https://www.reddit.com/r/thinkpad/comments/9rnimi/ladies_and_gentlemen_i_present_to_you_the/ |
| 131 | + innoextract n22th11w.exe -d . |
| 132 | + mv ./code\$GetExtractPath\$/TBT.bin tb.bin |
| 133 | + # pad with zeros |
| 134 | + dd if=/dev/zero of=tb.bin bs=1 seek="$TBFW_SIZE" count=1 |
| 135 | + mv "tb.bin" "$tb_output" |
| 136 | + |
| 137 | + rm -rf ./* |
| 138 | + popd || exit |
| 139 | +} |
| 140 | + |
| 141 | +function usage_err() { |
| 142 | + echo "$1" |
| 143 | + usage |
| 144 | + exit 1 |
| 145 | +} |
| 146 | + |
| 147 | +function parse_params() { |
| 148 | + while getopts ":m:" opt; do |
| 149 | + case $opt in |
| 150 | + m) |
| 151 | + if [[ -x "$OPTARG" ]]; then |
| 152 | + me_cleaner="$OPTARG" |
| 153 | + fi |
| 154 | + ;; |
| 155 | + ?) |
| 156 | + usage_err "Invalid Option: -$OPTARG" |
| 157 | + ;; |
| 158 | + esac |
| 159 | + done |
| 160 | + |
| 161 | + if [[ -z "${me_cleaner}" ]]; then |
| 162 | + if [[ -z "${COREBOOT_DIR}" ]]; then |
| 163 | + usage_err "ERROR: me_cleaner.py not found. Set path with -m parameter or define the COREBOOT_DIR variable." |
| 164 | + else |
| 165 | + me_cleaner="${COREBOOT_DIR}/util/me_cleaner/me_cleaner.py" |
| 166 | + fi |
| 167 | + fi |
| 168 | + echo "Using me_cleaner from ${me_cleaner}" |
| 169 | + |
| 170 | + shift $(($OPTIND - 1)) |
| 171 | + output_dir="$(realpath "${1:-./}")" |
| 172 | + if [[ ! -d "${output_dir}" ]]; then |
| 173 | + usage_err "No valid output dir found" |
| 174 | + fi |
| 175 | + me_cleaned="${output_dir}/me_cleaned.bin" |
| 176 | + me_deguarded="${output_dir}/t480s_me.bin" |
| 177 | + tb_flashable="${output_dir}/t480s_tb.bin" |
| 178 | + echo "Writing cleaned and deguarded ME to ${me_deguarded}" |
| 179 | + echo "Writing flashable TB to ${tb_flashable}" |
| 180 | +} |
| 181 | + |
| 182 | +if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then |
| 183 | + if [[ "${1:-}" == "--help" ]]; then |
| 184 | + usage |
| 185 | + exit 0 |
| 186 | + fi |
| 187 | + |
| 188 | + parse_params "$@" |
| 189 | + chk_exists_and_matches "$me_deguarded" "$DEGUARDED_ME_BIN_HASH" ME |
| 190 | + chk_exists_and_matches "$tb_flashable" "$TB_BIN_HASH" TB |
| 191 | + |
| 192 | + if [[ -z "$me_exists" ]]; then |
| 193 | + download_and_clean "$me_cleaner" "$me_cleaned" |
| 194 | + deguard "$me_cleaned" "$me_deguarded" |
| 195 | + rm -f "$me_cleaned" |
| 196 | + fi |
| 197 | + |
| 198 | + if [[ -z "$tb_exists" ]]; then |
| 199 | + download_and_pad_tb "$tb_flashable" |
| 200 | + fi |
| 201 | + |
| 202 | + chk_sha256sum "$DEGUARDED_ME_BIN_HASH" "$me_deguarded" |
| 203 | + chk_sha256sum "$TB_BIN_HASH" "$tb_flashable" |
| 204 | +fi |
0 commit comments