[coreboot] [coreboot - Support #588] Deguard AssertionError using ./generatedelta.py on Dell Optiplex 5040 SFF (0T7D40) full rom dump

Walter Sonius Mon, 28 Apr 2025 08:52:18 -0700

Issue #588 has been updated by Walter Sonius.


Think the "deguard" was indeed successful for this Dell Optiplex 5040 SFF since 
it boots some part of coreboot using the Dell Optiplex 3050 micro port:

```
[NOTE ]  coreboot-25.03-324-geffd1ffdad73-dirty Mon Apr 28 05:44:45 UTC 2025 
x86_32.
[DEBUG]  CPU: Intel(R) Core(TM) i3-6100T CPU @ 3.20GHz
[DEBUG]  CPU: ID 506e3, Skylake H R0, ucode: 000000ef
[DEBUG]  CPU: AES supported, TXT NOT supported, VT supported
[DEBUG]  MCH: device id 190f (rev 07) is Skylake-S (2 Core)
[DEBUG]  PCH: device id a146 (rev 31) is Q170
[DEBUG]  IGD: device id 1912 (rev 06) is Skylake DT GT2
[WARN ]  PMC: Duplicate GPE DW register values detected; using default GPE 
route frr
[DEBUG]  FMAP: Found "FLASH" version 1.1 at 0x750000.
[DEBUG]  FMAP: base = 0x0 size = 0x1000000 #areas = 8
[DEBUG]  FMAP: area COREBOOT found @ 750200 (9108992 bytes)
[INFO ]  CBFS: mcache @0xfef04e00 built for 16 files, used 0x364 of 0x4000 bytes
[INFO ]  CBFS: Found 'fallback/romstage' @0x9d1c0 size 0xd0f0 in mcache 
@0xfef04e8c
[DEBUG]  BS: bootblock times (exec / console): total (unknown) / 87 ms


[NOTE ]  coreboot-25.03-324-geffd1ffdad73-dirty Mon Apr 28 05:44:45 UTC 2025 
x86_32.
[WARN ]  HECI: CSE device 16.0 is disabled
[DEBUG]  pm1_sts: 0900 pm1_en: 0000 pm1_cnt: 00001c00
[DEBUG]  gpe0_sts[0]: 00000000 gpe0_en[0]: 00000000
[DEBUG]  gpe0_sts[1]: 00000000 gpe0_en[1]: 00000000
[DEBUG]  gpe0_sts[2]: 00000000 gpe0_en[2]: 00000000
[DEBUG]  gpe0_sts[3]: 00000000 gpe0_en[3]: 00000000
[DEBUG]  TCO_STS:   0000 0001
[DEBUG]  GEN_PMCON: d0050200 00003008
[DEBUG]  GBLRST_CAUSE: 00000002 00000000
[DEBUG]  prev_sleep_state 0 (S0)
[DEBUG]  FMAP: area COREBOOT found @ 750200 (9108992 bytes)
[INFO ]  CBFS: Found 'fspm.bin' @0xcddc0 size 0x63000 in mcache @0xfef0503c
[DEBUG]  FMAP: area RW_MRC_CACHE found @ 700000 (65536 bytes)
[NOTE ]  MRC: no data in 'RW_MRC_CACHE'
[DEBUG]  SPD @ 0x50
[INFO ]  SPD: module type is DDR3
[INFO ]  SPD: module part number is HMT41GU6MFR8C-PB  
[INFO ]  SPD: banks 8, ranks 2, rows 16, columns 10, density 4096 Mb
[INFO ]  SPD: device width 8 bits, bus width 64 bits
[INFO ]  SPD: module size is 8192 MB (per channel)
[DEBUG]  SPD @ 0x52
[INFO ]  SPD: module type is DDR3
[INFO ]  SPD: module part number is HMT41GU6MFR8C-PB  
[INFO ]  SPD: banks 8, ranks 2, rows 16, columns 10, density 4096 Mb
[INFO ]  SPD: device width 8 bits, bus width 64 bits
[INFO ]  SPD: module size is 8192 MB (per channel)
[EMERG]  FspMemoryInit error, status=0x80000007
```

It gives the same "[EMERG]  FspMemoryInit error, status=0x80000007" error on 
multiple types of RAM or CPU "skylake, kabylake and coffeelake" but will open a 
new support ticket for this Dell Optiplex 5040 SFF port since they are not 
really the same.

Close this ticket to resolved?

----------------------------------------
Support #588: Deguard AssertionError using ./generatedelta.py on Dell Optiplex 
5040 SFF (0T7D40) full rom dump
https://ticket.coreboot.org/issues/588#change-2081

* Author: Walter Sonius
* Status: New
* Priority: Normal
* Category: userspace utilities
* Target version: none
* Start date: 2025-03-31
----------------------------------------
Running the deguard `./generatedelta.py` on the flashrom dumped rom from a Dell 
Optiplex 5040 SFF (0T7D40 A00, Q170 chipset, ME 11.8.92.4222) 1.22 BIOS  
results in the following AssertionError:

```
./generatedelta.py --input dell_optiplex_5040_sff_bios122.rom --output 
data/delta/dell5040sff
Traceback (most recent call last):
  File "/home/neon/deguard/./generatedelta.py", line 55, in <module>
    mfs = MFS(me.entry_data("MFS"))
          ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/neon/deguard/lib/mfs.py", line 43, in __init__
    page = MFSPage(self.data[page * self.PAGE_SIZE:(page + 1) * 
self.PAGE_SIZE], page) # Load page
           
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/neon/deguard/lib/mfs.py", line 164, in __init__
    self.chunks[chunk] = MFSChunk(data, chunk_id)
                         ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/neon/deguard/lib/mfs.py", line 273, in __init__
    assert self.crc == MFS.Crc16(self.data + struct.pack("<H", self.chunk_id))
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AssertionError

```

This "AssertionError" can be skipped by using "Filip Lewiński" [filipleple 
patch](https://codeberg.org/libreboot/deguard/issues/1) on `lib/mfs.py`:

```
-            assert self.crc == MFS.Crc16(self.data + struct.pack("<H", 
self.chunk_id))
+            print(f"Chunk ID: {self.chunk_id}, Data: {self.data.hex()[:100]}, 
Expected CRC: {self.crc}, Calculated CRC: {MFS.Crc16(self.data + 
struct.pack('<H', self.chunk_id))}")
+            # assert self.crc == MFS.Crc16(self.data + struct.pack("<H", 
self.chunk_id))
+            if (self.crc != MFS.Crc16(self.data + struct.pack("<H", 
self.chunk_id))):
+                print ("Invalid CRC!!!\n")
```

It now lists the following 52 CRC invalid errors, but will create a delta 
folder structure like the example optiplex 3050 although it misses the `ptt` 
folder and some other files differ:
```
./generatedelta.py --input dell_optiplex_5040_sff_bios122.rom --output 
data/delta/dell5040sff | grep "CRC: 0,"

Chunk ID: 9662, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 40051
Chunk ID: 9668, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 31713
Chunk ID: 9669, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 18640
Chunk ID: 8173, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 20614
Chunk ID: 8174, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 1493
Chunk ID: 8175, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 14052
Chunk ID: 8176, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 9641
Chunk ID: 8177, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 5784
Chunk ID: 8178, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 17355
Chunk ID: 8179, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 28922
Chunk ID: 8180, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 59757
Chunk ID: 8181, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 55900
Chunk ID: 8182, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 36623
Chunk ID: 8183, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 48190
Chunk ID: 8184, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 44032
Chunk ID: 8185, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 40753
Chunk ID: 8186, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 51810
Chunk ID: 8187, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 63827
Chunk ID: 8188, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 24772
Chunk ID: 8189, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 21493
Chunk ID: 8190, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 1702
Chunk ID: 8191, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 13719
Chunk ID: 8192, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 61908
Chunk ID: 8193, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 49893
Chunk ID: 8194, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 38838
Chunk ID: 8195, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 42119
Chunk ID: 8196, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 15632
Chunk ID: 8197, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 3617
Chunk ID: 8198, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 23410
Chunk ID: 8199, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 26691
Chunk ID: 8200, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 30845
Chunk ID: 8201, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 19276
Chunk ID: 8202, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 7711
Chunk ID: 8203, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 11566
Chunk ID: 8204, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 46265
Chunk ID: 8205, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 34696
Chunk ID: 8206, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 53979
Chunk ID: 8207, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 57834
Chunk ID: 8208, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 62119
Chunk ID: 8209, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 49558
Chunk ID: 8210, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 38085
Chunk ID: 8211, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 42996
Chunk ID: 8212, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 15971
Chunk ID: 8213, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 3410
Chunk ID: 8214, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 22529
Chunk ID: 8215, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 27440
Chunk ID: 8216, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 31502
Chunk ID: 10199, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 3459
Chunk ID: 6000, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 48953
Chunk ID: 6001, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 35848
Chunk ID: 6002, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 55643
Chunk ID: 6003, Data: 
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
 Expected CRC: 0, Calculated CRC: 60010

```
A tree view of the new delta folder:
```
data/delta/dell5040sff/
└── home
    ├── amt
    │   ├── rtfd
    │   │   ├── acl
    │   │   │   ├── tnf0
    │   │   │   ├── tnf1
    │   │   │   └── tnf2
    │   │   ├── amt.wol
    │   │   ├── hshStr.crt19
    │   │   ├── hshStr.crt23
    │   │   ├── hshStr.crt24
    │   │   ├── hshStr.crt25
    │   │   └── hshStr.crt26
    │   └── skip_rtfd
    │       └── uim.policy
    ├── bup
    │   ├── bup_sku
    │   │   ├── emu_fuse_map
    │   │   ├── fuse_ip_base
    │   │   └── plat_n_sku
    │   ├── invokemebx
    │   └── mbp
    ├── fwupdate
    │   ├── fwuavgerase
    │   ├── fwuavgwrite
    │   └── fwuoemid
    ├── gpio
    │   └── csme_pins
    ├── icc
    │   ├── dynregs
    │   ├── header
    │   ├── namestr
    │   ├── prof0
    │   ├── prof1
    │   ├── prof2
    │   ├── prof3
    │   ├── prof4
    │   ├── prof5
    │   └── prof6
    ├── mca
    │   ├── eom
    │   └── ish_policy
    ├── mctp
    │   └── device_ports
    ├── pavp
    │   ├── hdcp_ports
    │   └── lspcon_port
    ├── policy
    │   ├── Bist
    │   │   └── auto_config
    │   ├── cfgmgr
    │   │   └── cfg_rules
    │   ├── hci
    │   │   ├── sysintid1
    │   │   ├── sysintid2
    │   │   └── sysintid3
    │   └── pwdmgr
    │       └── segreto
    └── secureboot
        ├── bootpolres
        ├── bootpoltype
        ├── enfpolicy
        ├── kmid
        └── pubkeyhash
```

Diffing this compared to the example delta 3050 folder:
```
diff -bur optiplex_3050 optiplex_5040_sff_strip
Binary files optiplex_3050/home/bup/bup_sku/emu_fuse_map and 
optiplex_5040_sff_strip/home/bup/bup_sku/emu_fuse_map differ
Binary files optiplex_3050/home/bup/bup_sku/plat_n_sku and 
optiplex_5040_sff_strip/home/bup/bup_sku/plat_n_sku differ
Only in optiplex_5040_sff_strip/home/bup: invokemebx
Binary files optiplex_3050/home/bup/mbp and 
optiplex_5040_sff_strip/home/bup/mbp differ
Binary files optiplex_3050/home/icc/dynregs and 
optiplex_5040_sff_strip/home/icc/dynregs differ
Binary files optiplex_3050/home/icc/prof0 and 
optiplex_5040_sff_strip/home/icc/prof0 differ
Only in optiplex_3050/home/icc: prof10
Only in optiplex_3050/home/icc: prof7
Only in optiplex_3050/home/icc: prof8
Only in optiplex_3050/home/icc: prof9
Only in optiplex_5040_sff_strip/home/policy: Bist
Binary files optiplex_3050/home/policy/cfgmgr/cfg_rules and 
optiplex_5040_sff_strip/home/policy/cfgmgr/cfg_rules differ
diff -bur optiplex_3050/home/policy/hci/sysintid1 
optiplex_5040_sff_strip/home/policy/hci/sysintid1
--- optiplex_3050/home/policy/hci/sysintid1     2025-03-31 15:36:47.220784635 
+0200
+++ optiplex_5040_sff_strip/home/policy/hci/sysintid1   2025-03-31 
16:01:29.335254012 +0200
@@ -1 +1 @@
-�n$�
\ No newline at end of file
+_��
\ No newline at end of file
diff -bur optiplex_3050/home/policy/hci/sysintid2 
optiplex_5040_sff_strip/home/policy/hci/sysintid2
--- optiplex_3050/home/policy/hci/sysintid2     2025-03-31 15:36:47.220784635 
+0200
+++ optiplex_5040_sff_strip/home/policy/hci/sysintid2   2025-03-31 
16:01:29.335254012 +0200
@@ -1 +1 @@
-��t`
\ No newline at end of file
+����
\ No newline at end of file
diff -bur optiplex_3050/home/policy/hci/sysintid3 
optiplex_5040_sff_strip/home/policy/hci/sysintid3
--- optiplex_3050/home/policy/hci/sysintid3     2025-03-31 15:36:47.220784635 
+0200
+++ optiplex_5040_sff_strip/home/policy/hci/sysintid3   2025-03-31 
16:01:29.335254012 +0200
@@ -1 +1 @@
-Ȯ�
\ No newline at end of file
+�a<
\ No newline at end of file
diff -bur optiplex_3050/home/policy/pwdmgr/segreto 
optiplex_5040_sff_strip/home/policy/pwdmgr/segreto
--- optiplex_3050/home/policy/pwdmgr/segreto    2025-03-31 15:36:47.221784637 
+0200
+++ optiplex_5040_sff_strip/home/policy/pwdmgr/segreto  2025-03-31 
16:01:29.335254012 +0200
@@ -1 +1 @@
-��к
\ No newline at end of file
+�"�H
\ No newline at end of file
```

After deleting (strip) the `secureboot` and `amt,fwupd,pavp` folders it will 
generate a 2M consumer ME image when using `finalimage.py`. 

`./finalimage.py --delta data/delta/dell5040sff --version 11.6.0.1126 -pch H 
--sku 2M --fake-fpfs data/fpfs/zero --input 
external/asrock_h110_me_11.6.0.1126.bin --output 5040sff_patched_me.bin`

When enabling the HAP bit on the original IFD and replacing the ME with the 
downgraded and deguarded ME should complete the manual.

Is it correct to replace the current corporate ME firmware around ~7MB from the 
original image with this 2MB donor consumer variant, will it be similar like 
the Optiplex 3050 from the example or should I find a older vulnerable 
corporate ME firmware?

Which file(s) of this dump may I distribute / upload to this ticket license 
wise to improve debugging?

Using the service mode jumper on this Dell Optiplex 5040 SFF I was able to 
fully read and write the whole firmware even the ME regions (checksum checked 
it). Anyone else experience or success using a 'ch341a_spi' or 'raspberry spi' 
doing in-situ flash recover on this particular Dell or similar in case I need 
it?

https://www.dell.com/support/product-details/en-uk/product/optiplex-5040-sff/drivers




-- 
You have received this notification because you have either subscribed to it, 
or are involved in it.
To change your notification preferences, please click here: 
https://ticket.coreboot.org/my/account
_______________________________________________
coreboot mailing list -- coreboot@coreboot.org
To unsubscribe send an email to coreboot-le...@coreboot.org

[coreboot] [coreboot - Support #588] Deguard AssertionError using ./generatedelta.py on Dell Optiplex 5040 SFF (0T7D40) full rom dump

Reply via email to