diff options
Diffstat (limited to 'util/me7_update_parser')
-rwxr-xr-x | util/me7_update_parser/me7_update_parser.py | 616 |
1 files changed, 616 insertions, 0 deletions
diff --git a/util/me7_update_parser/me7_update_parser.py b/util/me7_update_parser/me7_update_parser.py new file mode 100755 index 00000000..e3e91413 --- /dev/null +++ b/util/me7_update_parser/me7_update_parser.py @@ -0,0 +1,616 @@ +#!/usr/bin/env python3 + +"""ME7 Update binary parser.""" + +# Copyright (C) 2020 Tom Hiller <thrilleratplay@gmail.com> +# Copyright (C) 2016-2018 Nicola Corna <nicola@corna.info> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# + +# Based on the amazing me_cleaner, https://github.com/corna/me_cleaner, parses +# the required signed partition from an ME update file to generate a valid +# flashable ME binary. +# +# This was written for Heads ROM, https://github.com/osresearch/heads +# to allow continuous integration reproducible builds for Lenovo xx20 models +# (X220, T420, T520, etc). +# +# A full model list can be found: +# https://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/83rf46ww.txt + + +from struct import pack, unpack +from typing import List +import argparse +import sys +import hashlib +import binascii +import os.path + +############################################################################# + +FTPR_END = 0x76000 +MINIFIED_FTPR_OFFSET = 0x400 # offset start of Factory Partition (FTPR) +ORIG_FTPR_OFFSET = 0xCC000 +PARTITION_HEADER_OFFSET = 0x30 # size of partition header + +DEFAULT_OUTPUT_FILE_NAME = "flashregion_2_intel_me.bin" + +############################################################################# + + +class EntryFlags: + """EntryFlag bitmap values.""" + + ExclBlockUse = 8192 + WOPDisable = 4096 + Logical = 2048 + Execute = 1024 + Write = 512 + Read = 256 + DirectAccess = 128 + Type = 64 + + +def generateHeader() -> bytes: + """Generate Header.""" + ROM_BYPASS_INSTR_0 = binascii.unhexlify("2020800F") + ROM_BYPASS_INSTR_1 = binascii.unhexlify("40000010") + ROM_BYPASS_INSTR_2 = pack("<I", 0) + ROM_BYPASS_INSTR_3 = pack("<I", 0) + + # $FPT Partition table header + HEADER_TAG = "$FPT".encode() + HEADER_NUM_PARTITIONS = pack("<I", 1) + HEADER_VERSION = b"\x20" # version 2.0 + HEADER_ENTRY_TYPE = b"\x10" + HEADER_LENGTH = b"\x30" + HEADER_CHECKSUM = pack("<B", 0) + HEADER_FLASH_CYCLE_LIFE = pack("<H", 7) + HEADER_FLASH_CYCLE_LIMIT = pack("<H", 100) + HEADER_UMA_SIZE = pack("<H", 32) + HEADER_FLAGS = binascii.unhexlify("000000FCFFFF") + HEADER_FITMAJOR = pack("<H", 0) + HEADER_FITMINOR = pack("<H", 0) + HEADER_FITHOTFIX = pack("<H", 0) + HEADER_FITBUILD = pack("<H", 0) + + FTPR_header_layout = bytearray( + ROM_BYPASS_INSTR_0 + + ROM_BYPASS_INSTR_1 + + ROM_BYPASS_INSTR_2 + + ROM_BYPASS_INSTR_3 + + HEADER_TAG + + HEADER_NUM_PARTITIONS + + HEADER_VERSION + + HEADER_ENTRY_TYPE + + HEADER_LENGTH + + HEADER_CHECKSUM + + HEADER_FLASH_CYCLE_LIFE + + HEADER_FLASH_CYCLE_LIMIT + + HEADER_UMA_SIZE + + HEADER_FLAGS + + HEADER_FITMAJOR + + HEADER_FITMINOR + + HEADER_FITHOTFIX + + HEADER_FITBUILD + ) + + # Update checksum + FTPR_header_layout[27] = (0x100 - sum(FTPR_header_layout) & 0xFF) & 0xFF + + return FTPR_header_layout + + +def generateFtpPartition() -> bytes: + """Partition table entry.""" + ENTRY_NAME = binascii.unhexlify("46545052") + ENTRY_OWNER = binascii.unhexlify("FFFFFFFF") # "None" + ENTRY_OFFSET = binascii.unhexlify("00040000") + ENTRY_LENGTH = binascii.unhexlify("00600700") + ENTRY_START_TOKENS = pack("<I", 1) + ENTRY_MAX_TOKENS = pack("<I", 1) + ENTRY_SCRATCH_SECTORS = pack("<I", 0) + ENTRY_FLAGS = pack( + "<I", + ( + EntryFlags.ExclBlockUse + + EntryFlags.Execute + + EntryFlags.Write + + EntryFlags.Read + + EntryFlags.DirectAccess + ), + ) + + partition = ( + ENTRY_NAME + + ENTRY_OWNER + + ENTRY_OFFSET + + ENTRY_LENGTH + + ENTRY_START_TOKENS + + ENTRY_MAX_TOKENS + + ENTRY_SCRATCH_SECTORS + + ENTRY_FLAGS + ) + + # offset of the partition - length of partition entry -length of header + pad_len = MINIFIED_FTPR_OFFSET - (len(partition) + PARTITION_HEADER_OFFSET) + padding = b"" + + for i in range(0, pad_len): + padding += b"\xFF" + + return partition + padding + + +############################################################################ + + +class OutOfRegionException(Exception): + """Out of Region Exception.""" + + pass + + +class clean_ftpr: + """Clean Factory Parition (FTPR).""" + + UNREMOVABLE_MODULES = ("ROMP", "BUP") + COMPRESSION_TYPE_NAME = ("uncomp.", "Huffman", "LZMA") + + def __init__(self, ftpr: bytes): + """Init.""" + self.orig_ftpr = ftpr + self.ftpr = ftpr + self.mod_headers: List[bytes] = [] + self.check_and_clean_ftpr() + + ##################################################################### + # tilities + ##################################################################### + def slice(self, offset: int, size: int) -> bytes: + """Copy data of a given size from FTPR starting from offset.""" + offset_end = offset + size + return self.ftpr[offset:offset_end] + + def unpack_next_int(self, offset: int) -> int: + """Sugar syntax for unpacking a little-endian UINT at offset.""" + return self.unpack_val(self.slice(offset, 4)) + + def unpack_val(self, data: bytes) -> int: + """Sugar syntax for unpacking a little-endian unsigned integer.""" + return unpack("<I", data)[0] + + def bytes_to_ascii(self, data: bytes) -> str: + """Decode bytes into ASCII.""" + return data.rstrip(b"\x00").decode("ascii") + + def clear_ftpr_data(self, start: int, end: int) -> None: + """Replace values in range with 0xFF.""" + empty_data = bytes() + + for i in range(0, end - start): + empty_data += b"\xff" + self.write_ftpr_data(start, empty_data) + + def write_ftpr_data(self, start: int, data: bytes) -> None: + """Replace data in FTPR starting at a given offset.""" + end = len(data) + start + + new_partition = self.ftpr[:start] + new_partition += data + + if end != FTPR_END: + new_partition += self.ftpr[end:] + + self.ftpr = new_partition + + ###################################################################### + # FTPR cleanig/checking functions + ###################################################################### + def get_chunks_offsets(self, llut: bytes): + """Calculate Chunk offsets from LLUT.""" + chunk_count = self.unpack_val(llut[0x04:0x08]) + huffman_stream_end = sum(unpack("<II", llut[0x10:0x18])) + nonzero_offsets = [huffman_stream_end] + offsets = [] + + for i in range(0, chunk_count): + llut_start = 0x40 + (i * 4) + llut_end = 0x44 + (i * 4) + + chunk = llut[llut_start:llut_end] + offset = 0 + + if chunk[3] != 0x80: + offset = self.unpack_val(chunk[0:3] + b"\x00") + + offsets.append([offset, 0]) + + if offset != 0: + nonzero_offsets.append(offset) + + nonzero_offsets.sort() + + for i in offsets: + if i[0] != 0: + i[1] = nonzero_offsets[nonzero_offsets.index(i[0]) + 1] + + return offsets + + def relocate_partition(self) -> int: + """Relocate partition.""" + new_offset = MINIFIED_FTPR_OFFSET + name = self.bytes_to_ascii(self.slice(PARTITION_HEADER_OFFSET, 4)) + + old_offset, partition_size = unpack( + "<II", self.slice(PARTITION_HEADER_OFFSET + 0x8, 0x8) + ) + + llut_start = 0 + for mod_header in self.mod_headers: + if (self.unpack_val(mod_header[0x50:0x54]) >> 4) & 7 == 0x01: + llut_start = self.unpack_val(mod_header[0x38:0x3C]) + llut_start += old_offset + break + + if self.mod_headers and llut_start != 0: + # Bytes 0x9:0xb of the LLUT (bytes 0x1:0x3 of the AddrBase) are + # added to the SpiBase (bytes 0xc:0x10 of the LLUT) to compute the + # final start of the LLUT. Since AddrBase is not modifiable, we can + # act only on SpiBase and here we compute the minimum allowed + # new_offset. + llut_start_corr = unpack("<H", self.slice(llut_start + 0x9, 2))[0] + new_offset = max( + new_offset, llut_start_corr - llut_start - 0x40 + old_offset + ) + new_offset = ((new_offset + 0x1F) // 0x20) * 0x20 + offset_diff = new_offset - old_offset + + print( + "Relocating {} from {:#x} - {:#x} to {:#x} - {:#x}...".format( + name, + old_offset, + old_offset + partition_size, + new_offset, + new_offset + partition_size, + ) + ) + + print(" Adjusting FPT entry...") + self.write_ftpr_data( + PARTITION_HEADER_OFFSET + 0x08, + pack("<I", new_offset), + ) + + if self.mod_headers: + if llut_start != 0: + if self.slice(llut_start, 4) == b"LLUT": + print(" Adjusting LUT start offset...") + llut_offset = pack( + "<I", llut_start + offset_diff + 0x40 - llut_start_corr + ) + self.write_ftpr_data(llut_start + 0x0C, llut_offset) + + print(" Adjusting Huffman start offset...") + old_huff_offset = self.unpack_next_int(llut_start + 0x14) + ftpr_offset_diff = MINIFIED_FTPR_OFFSET - ORIG_FTPR_OFFSET + self.write_ftpr_data( + llut_start + 0x14, + pack("<I", old_huff_offset + ftpr_offset_diff), + ) + + print(" Adjusting chunks offsets...") + chunk_count = self.unpack_next_int(llut_start + 0x4) + offset = llut_start + 0x40 + offset_end = chunk_count * 4 + chunks = bytearray(self.slice(offset, offset_end)) + + for i in range(0, offset_end, 4): + i_plus_3 = i + 3 + + if chunks[i_plus_3] != 0x80: + chunks[i:i_plus_3] = pack( + "<I", + self.unpack_val(chunks[i:i_plus_3] + b"\x00") + + (MINIFIED_FTPR_OFFSET - ORIG_FTPR_OFFSET), + )[0:3] + self.write_ftpr_data(offset, bytes(chunks)) + else: + sys.exit("Huffman modules present but no LLUT found!") + else: + print(" No Huffman modules found") + + print(" Moving data...") + partition_size = min(partition_size, FTPR_END - old_offset) + + if ( + old_offset + partition_size <= FTPR_END + and new_offset + partition_size <= FTPR_END + ): + for i in range(0, partition_size, 4096): + block_length = min(partition_size - i, 4096) + block = self.slice(old_offset + i, block_length) + self.clear_ftpr_data(old_offset + i, len(block)) + + self.write_ftpr_data(new_offset + i, block) + else: + raise OutOfRegionException() + + return new_offset + + def remove_modules(self) -> int: + """Remove modules.""" + unremovable_huff_chunks = [] + chunks_offsets = [] + base = 0 + chunk_size = 0 + end_addr = 0 + + for mod_header in self.mod_headers: + name = self.bytes_to_ascii(mod_header[0x04:0x14]) + offset = self.unpack_val(mod_header[0x38:0x3C]) + size = self.unpack_val(mod_header[0x40:0x44]) + flags = self.unpack_val(mod_header[0x50:0x54]) + comp_type = (flags >> 4) & 7 + comp_type_name = self.COMPRESSION_TYPE_NAME[comp_type] + + print(" {:<16} ({:<7}, ".format(name, comp_type_name), end="") + + # If compresion type uncompressed or LZMA + if comp_type == 0x00 or comp_type == 0x02: + offset_end = offset + size + range_msg = "0x{:06x} - 0x{:06x} ): " + print(range_msg.format(offset, offset_end), end="") + + if name in self.UNREMOVABLE_MODULES: + end_addr = max(end_addr, offset + size) + print("NOT removed, essential") + else: + offset_end = min(offset + size, FTPR_END) + self.clear_ftpr_data(offset, offset_end) + print("removed") + + # Else if compression type huffman + elif comp_type == 0x01: + if not chunks_offsets: + # Check if Local Look Up Table (LLUT) is present + if self.slice(offset, 4) == b"LLUT": + llut = self.slice(offset, 0x40) + + chunk_count = self.unpack_val(llut[0x4:0x8]) + base = self.unpack_val(llut[0x8:0xC]) + 0x10000000 + chunk_size = self.unpack_val(llut[0x30:0x34]) + + llut = self.slice(offset, (chunk_count * 4) + 0x40) + + # calculate offsets of chunks from LLUT + chunks_offsets = self.get_chunks_offsets(llut) + else: + no_llut_msg = "Huffman modules found," + no_llut_msg += "but LLUT is not present." + sys.exit(no_llut_msg) + + module_base = self.unpack_val(mod_header[0x34:0x38]) + module_size = self.unpack_val(mod_header[0x3C:0x40]) + first_chunk_num = (module_base - base) // chunk_size + last_chunk_num = first_chunk_num + module_size // chunk_size + huff_size = 0 + + chunk_length = last_chunk_num + 1 + for chunk in chunks_offsets[first_chunk_num:chunk_length]: + huff_size += chunk[1] - chunk[0] + + size_in_kiB = "~" + str(int(round(huff_size / 1024))) + " KiB" + print( + "fragmented data, {:<9}): ".format(size_in_kiB), + end="", + ) + + # Check if module is in the unremovable list + if name in self.UNREMOVABLE_MODULES: + print("NOT removed, essential") + + # add to list of unremovable chunks + for x in chunks_offsets[first_chunk_num:chunk_length]: + if x[0] != 0: + unremovable_huff_chunks.append(x) + else: + print("removed") + + # Else unknown compression type + else: + unkwn_comp_msg = " 0x{:06x} - 0x{:06x}): " + unkwn_comp_msg += "unknown compression, skipping" + print(unkwn_comp_msg.format(offset, offset + size), end="") + + if chunks_offsets: + removable_huff_chunks = [] + + for chunk in chunks_offsets: + # if chunk is not in a unremovable chunk, it must be removable + if all( + not ( + unremovable_chk[0] <= chunk[0] < unremovable_chk[1] + or unremovable_chk[0] < chunk[1] <= unremovable_chk[1] + ) + for unremovable_chk in unremovable_huff_chunks + ): + removable_huff_chunks.append(chunk) + + for removable_chunk in removable_huff_chunks: + if removable_chunk[1] > removable_chunk[0]: + chunk_start = removable_chunk[0] - ORIG_FTPR_OFFSET + chunk_end = removable_chunk[1] - ORIG_FTPR_OFFSET + self.clear_ftpr_data(chunk_start, chunk_end) + + end_addr = max( + end_addr, max(unremovable_huff_chunks, key=lambda x: x[1])[1] + ) + end_addr -= ORIG_FTPR_OFFSET + + return end_addr + + def find_mod_header_size(self) -> None: + """Find module header size.""" + self.mod_header_size = 0 + data = self.slice(0x290, 0x84) + + # check header size + if data[0x0:0x4] == b"$MME": + if data[0x60:0x64] == b"$MME" or self.num_modules == 1: + self.mod_header_size = 0x60 + elif data[0x80:0x84] == b"$MME": + self.mod_header_size = 0x80 + + def find_mod_headers(self) -> None: + """Find module headers.""" + data = self.slice(0x290, self.mod_header_size * self.num_modules) + + for i in range(0, self.num_modules): + header_start = i * self.mod_header_size + header_end = (i + 1) * self.mod_header_size + self.mod_headers.append(data[header_start:header_end]) + + def resize_partition(self, end_addr: int) -> None: + """Resize partition.""" + spared_blocks = 4 + if end_addr > 0: + end_addr = (end_addr // 0x1000 + 1) * 0x1000 + end_addr += spared_blocks * 0x1000 + + # partition header not added yet + # remove trailing data the same size as the header. + end_addr -= MINIFIED_FTPR_OFFSET + + me_size_msg = "The ME minimum size should be {0} " + me_size_msg += "bytes ({0:#x} bytes)" + print(me_size_msg.format(end_addr)) + print("Truncating file at {:#x}...".format(end_addr)) + self.ftpr = self.ftpr[:end_addr] + + def check_and_clean_ftpr(self) -> None: + """Check and clean FTPR (factory partition).""" + self.num_modules = self.unpack_next_int(0x20) + self.find_mod_header_size() + + if self.mod_header_size != 0: + self.find_mod_headers() + + # ensure all of the headers begin with b'$MME' + if all(hdr.startswith(b"$MME") for hdr in self.mod_headers): + end_addr = self.remove_modules() + new_offset = self.relocate_partition() + end_addr += new_offset + + self.resize_partition(end_addr) + + # flip bit + # XXX: I have no idea why this works and passes RSA signiture + self.write_ftpr_data(0x39, b"\x00") + else: + sys.exit( + "Found less modules than expected in the FTPR " + "partition; skipping modules removal and exiting." + ) + else: + sys.exit( + "Can't find the module header size; skipping modules" + "removal and exiting." + ) + + +########################################################################## + + +def check_partition_signature(f, offset) -> bool: + """check_partition_signature copied/shamelessly stolen from me_cleaner.""" + f.seek(offset) + header = f.read(0x80) + modulus = int(binascii.hexlify(f.read(0x100)[::-1]), 16) + public_exponent = unpack("<I", f.read(4))[0] + signature = int(binascii.hexlify(f.read(0x100)[::-1]), 16) + + header_len = unpack("<I", header[0x4:0x8])[0] * 4 + manifest_len = unpack("<I", header[0x18:0x1C])[0] * 4 + f.seek(offset + header_len) + + sha256 = hashlib.sha256() + sha256.update(header) + tmp = f.read(manifest_len - header_len) + sha256.update(tmp) + + decrypted_sig = pow(signature, public_exponent, modulus) + return "{:#x}".format(decrypted_sig).endswith(sha256.hexdigest()) # FIXME + + +########################################################################## + + +def generate_me_blob(input_file: str, output_file: str) -> None: + """Generate ME blob.""" + print("Starting ME 7.x Update parser.") + + orig_f = open(input_file, "rb") + cleaned_ftpr = clean_ftpr(orig_f.read(FTPR_END)) + orig_f.close() + + fo = open(output_file, "wb") + fo.write(generateHeader()) + fo.write(generateFtpPartition()) + fo.write(cleaned_ftpr.ftpr) + fo.close() + + +def verify_output(output_file: str) -> None: + """Verify Generated ME file.""" + file_verifiy = open(output_file, "rb") + + if check_partition_signature(file_verifiy, MINIFIED_FTPR_OFFSET): + print(output_file + " is VALID") + file_verifiy.close() + else: + print(output_file + " is INVALID!!") + file_verifiy.close() + sys.exit("The FTPR partition signature is not valid.") + + +if __name__ == "__main__": + parser = argparse.ArgumentParser( + description="Tool to remove as much code " + "as possible from Intel ME/TXE 7.x firmware " + "update and create paratition for a flashable ME parition." + ) + + +parser.add_argument("file", help="ME/TXE image or full dump") +parser.add_argument( + "-O", + "--output", + metavar="output_file", + help="save " + "save file name other than the default '" + DEFAULT_OUTPUT_FILE_NAME + "'", +) + +args = parser.parse_args() + +output_file_name = DEFAULT_OUTPUT_FILE_NAME if not args.output else args.output + +# Check if output file exists, ask to overwrite or exit +if os.path.isfile(output_file_name): + input_msg = output_file_name + input_msg += " exists. Do you want to overwrite? [y/N]: " + if not str(input(input_msg)).lower().startswith("y"): + sys.exit("Not overwriting file. Exiting.") + +generate_me_blob(args.file, output_file_name) +verify_output(output_file_name) |