Updating Intel ME on a Lenovo Carbon X1 3rd gen #commandline #computers #hardware #security
No doubt to Andrew S. Tanenbaum's great joy, recent news has revealed that many Intel processors run a version of Minix on some kind of extra "security" core.
Unfortunately it seems to be full of holes.
After downloading and running a tool from Intel to check whether my system was vulnerable, the Intel-SA-00086 Detection Tool, and getting the unfortunate message:
Based on the analysis performed by this tool: This system is vulnerable.
Explanation:
The detected version of the Intel(R) Management Engine firmware
is considered vulnerable for INTEL-SA-00086.
Contact your system manufacturer for support and remediation of this system.
I started looking for how to update the faulty code in my processor.
I found a description on how somebody updated their Lenovo X1 Carbon 5th gen, Solved: Re: X1 Carbon 5th gen on Linux: How to update Intel Management Engine 11.8 Firmware??, which was basically a couple of amendments to another guide: Updating Intel Management Engine firmware on a Lenovo without a Windows Install, which was written for a Gen 4.
Here is what I did to upgrade my Lenovo X1 Carbon 3rd gen running Debian unstable:
- Start downloading a Windows 10 32-bit English ISO from Microsoft: Download Windows 10 Disc Image (ISO File). It takes a while (3.3GB).
- Download the two updates from Lenovo, Intel Management Engine Firmware 10.0 for Windows 10 (64-bit), 8.1 (64-bit) - ThinkPad - n10rg48w.exe (4.5MB) and Intel Management Engine 11.0 Software for Windows 10 (64-bit), 8.1 (64-bit) - ThinkPad - n10rc02w.exe (89MB).
- To extract the content of the two .exe files from Lenovo, install the Debian packages innoextract and cabextract, and then run innoextract n10rg48w.exe and innoextract n10rc02w.exe. This creates a new folder app.
- In the new app folder, run cabextract SetupME.exe, which, among other folders, creates one called HECI_REL, which you will be using later. Put the app folder into a new folder: mkdir winpe_overlay; mv app winpe_overlay/
- Now, to make a bootable USB stick with some kind of Windows recovery thing on it, you need to install the Debian package wimtools. Wait until the Windows 10 ISO has finished downloading, and then mount it: sudo mount -o loop,ro Win10_1709_English_x32.iso /mnt
- You can now create the image for the USB stick by running mkwinpeimg -W /mnt/ -O winpe_overlay disk.img
- Write disk.img to your USB stick using dd if=disk.img bs=128K of=/dev/sdX (where X is the letter of your USB stick, b in my case), and boot the computer from it. If you haven't already, turn Secure Boot off and Legacy BIOS on.
- Once booted into the Windows command line recovery thing, you need to run these commands:
  cd \
  cd app\HECI_REL\win10
  drvload heci.inf
  cd \
  cd app
  MEUpdate.cmd
  Wait for the command to finish. For me it complained about Shutdown.exe not being available at the end, so I just typed exit, and that was enough to reboot the machine.
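The Debian-side half of the procedure above, collected into one script as an added example (this is not the author's script; the post only lists the individual commands). It assumes the two Lenovo files and the ISO sit in the current directory under the names used in the post, and adds two safeguards the post does not have before the dd step: the target must be a whole sdX disk that sysfs marks as removable, and none of its partitions may be mounted. The Windows-side commands run inside the recovery environment and are not scripted here.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the WinPE USB stick used
# to run Lenovo's MEUpdate.cmd, with sanity checks before writing the stick.
# Assumed inputs (as in the post): n10rg48w.exe, n10rc02w.exe and
# Win10_1709_English_x32.iso in the current directory.
set -eu

ISO=${ISO:-Win10_1709_English_x32.iso}
OVERLAY=${OVERLAY:-winpe_overlay}
IMG=${IMG:-disk.img}

# Fail early if a tool is missing: innoextract and cabextract come from the
# Debian packages of the same name, mkwinpeimg from the wimtools package.
need_tools() {
  for t in "$@"; do
    command -v "$t" >/dev/null 2>&1 || { echo "missing tool: $t" >&2; return 1; }
  done
}

# Succeed only if the name is a whole disk (sdX, not a partition) and sysfs
# marks it removable. The sysfs root is a parameter so the check can be run
# against a constructed tree; the default is the real /sys/block.
is_removable_disk() {
  dev=$1; sysfs_root=${2:-/sys/block}
  case "$dev" in
    sd[a-z]) ;;
    *) return 1 ;;
  esac
  [ -r "$sysfs_root/$dev/removable" ] || return 1
  [ "$(cat "$sysfs_root/$dev/removable")" = "1" ]
}

# Succeed if no partition of the device appears in the mounts table
# (defaults to /proc/mounts; a file path may be passed for testing).
not_mounted() {
  dev=$1; mounts=${2:-/proc/mounts}
  ! grep -q "^/dev/${dev}[0-9]* " "$mounts"
}

# Steps from the post: unpack both Lenovo installers, unpack SetupME.exe inside
# the resulting app folder (this creates app/HECI_REL), then move app into the
# overlay directory that mkwinpeimg will merge into the WinPE image.
extract_lenovo_updates() {
  innoextract n10rg48w.exe
  innoextract n10rc02w.exe
  (cd app && cabextract SetupME.exe)
  mkdir -p "$OVERLAY"
  mv app "$OVERLAY"/
}

# Mount the Windows ISO read-only and build the bootable image from it.
build_image() {
  sudo mount -o loop,ro "$ISO" /mnt
  mkwinpeimg -W /mnt/ -O "$OVERLAY" "$IMG"
  sudo umount /mnt
}

# Write the image, refusing anything that is not an unmounted removable disk.
write_usb() {
  dev=$1
  is_removable_disk "$dev" || { echo "refusing: /dev/$dev is not a removable whole disk" >&2; return 1; }
  not_mounted "$dev"       || { echo "refusing: /dev/$dev has mounted partitions" >&2; return 1; }
  sudo dd if="$IMG" bs=128K of="/dev/$dev"
  sync
}

main() {
  [ $# -eq 1 ] || { echo "usage: $0 sdX" >&2; exit 2; }
  need_tools innoextract cabextract mkwinpeimg
  extract_lenovo_updates
  build_image
  write_usb "$1"
}

# Only act when explicitly asked, so the file can also be sourced for its checks.
if [ "${ME_USB_RUN:-0}" = 1 ]; then main "$@"; fi
```

Run it as ME_USB_RUN=1 sh build-me-usb.sh sdb (with your own stick's letter). The removable flag alone is not proof that a disk is the stick you meant, which is why the mount check is kept as a second, independent refusal; an external drive that is plugged in and mounted is rejected rather than overwritten.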
Running the detection tool now says:
INTEL-SA-00086 Detection Tool
Copyright(C) 2017, Intel Corporation, All rights reserved
Application Version: 1.0.0.146
Scan date: 2017-12-09 16:59:33 GMT

*** Host Computer Information ***
Name: tullinup
Manufacturer: LENOVO
Model: 20BSCTO1WW
Processor Name: Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz
OS Version: debian buster/sid (4.14.0-1-amd64)

*** Intel(R) ME Information ***
Engine: Intel(R) Management Engine
Version: 10.0.56.3002
SVN: 0

*** Risk Assessment ***
Based on the analysis performed by this tool: This system is not vulnerable. It has already been patched.

For more information refer to the INTEL-SA-00086 Detection Tool Guide or the Intel Security Advisory Intel-SA-00086 at the following link: https://www.intel.com/sa-00086-support
Yay.