PCI ID '0x1578' has no known signatures. #3
Comments
|
Thanks for the question. It looks like your attached firmware is the patched version. To better answer your question, could you please post the original dump? |
|
Hi Bjorn - This is the original dump I did try patching although the SL remains at SL1
Appreciate a mechanism to force SL0 |
|
Hi Chris, Thanks for the original dump and info. Your report has been a very good use case for me to add several new features, including:
Meanwhile, it also let me squash a bug in signature matching (fd43917). I don't have access to a DSL6540 on NVM 25, but PR #4 tracks adding support for this particular configuration. The signatures in 341f22f are based on my analysis of the same model on a different NVM. I'd say there's a fair chance patching will work, so please let me know whether this works for you. Before going into the steps to test -- I've noticed your image is not a full dump, but is missing the "scratch pad" section where host-initiated firmware updates are temporarily stored. It looks like you haven't updated the host controller firmware before. This should not be a particular issue when it comes to patching, so you may safely ignore the related warning. To test, first clone the branch: Parse and patch the image: |
|
Hi Bjorn - Glad this is of some help. I've repeated the steps you mentioned with has lead to another interesting issue. Whilst I think we have now patched the PC controller, the Thunderbolt dock firmware has SL1 set (https://pcsupport.lenovo.com/gb/en/products/accessory/docks/thinkpad-thunderbolt-3-dock/40ac/40ac0135dk/zbk01v1u/downloads/driver-list/ I've attached the firmware for you investigation as parsing works but patching fails; Lenovo_ThinkPad_Thunderbolt3Dock_AR_EP_4C_C0_rev44_W_Ti_v138_SEC6_sign.zip 2020-11-01 09:48:14,143 - WARNING - File size in between 229376 and 1048576 bytes. Possible causes:
2020-11-01 09:48:38,942 - WARNING - File size in between 229376 and 1048576 bytes. Possible causes:
Error while processing firmware image: PCI ID supported, but no patch pattern available for this SL signature. Aborting |
|
Hi Chris,
That's great. Could you post a screenshot of the same Thunderbolt "Details" screen you posted earlier, after flashing the patched firmware? Then I can make sure everything else also checks out, and merge PR #4 into master.
The short answer to your second question: SL state in Thunderbolt devices won't be an issue. The Thunderbolt host controller in your laptop/PC dictates the current SL state, that is, the SL you've chosen in your BIOS (or patched into controller firmware using tcfp :-)). If the "Details" screen above says SL0, and any TB devices indeed connect immediately, you're all set. The long answer: The Lenovo Thunderbolt dock features an Alpine Ridge controller. The interesting thing is that some of this generation's models are capable of running in both host (laptop/PC) and endpoint (device) mode. This means AR firmware has sections intended to store configuration parameters for both modes. As you can probably guess, though, only one mode can be active at any one time. For this reason, it is customary that vendors wipe the inactive section -- as this is device controller firmware, I'm rather surprised to see Lenovo left this bit in there. So, to sum it up, tcfp reports SL1 because that's what it parsed from the (inactive) host mode section. If you were to hypothetically flash the dock's firmware onto a host controller SPI flash (and enabled host mode), this means it would enable SL1 ;-). If you're interested, you can find more technical details in my recent Black Hat talk:
|
|
Hi Bjorn - unfortunately nothing has changed in the Thunderbolt "Details" screen after applying the patched firmware (TBT). The report is still SL1. I'm wondering if we do need to patch the Thunderbolt dock instead? |
|
Hi Chris, I just had another look at your original dump in #3 (comment), and it seems like more sections are missing than I originally noticed. Just to verify, can you share how you made the dump? Specifically,
Thunderbolt devices should not affect the SL state of the laptop. If they do, that would have been a very bad security design. (I realize Thunderspy doesn't exactly speak in Intel's favor, but their design was not that bad ;-)). That said, Thunderbolt controllers are full of proprietary mysteries. Feel free to patch the Thunderbolt dock firmware -- happy to hear what you find. For this procedure, note that you will need to make a full dump using a SPI programmer. The firmware you linked in #3 (comment) is in an incremental firmware update, and so while tcfp will parse it correctly, it cannot be used for patching. |
|
Got any updates? I'd be happy to analyze this further for you, but I'll need more info at this point. |
|
Hi Bjorn - I'm unsure how to progress this as I don't have an SPI programmer. (Ultimately I just want to be able to set the level to SL0 so the system will boot rather than freeze). Of note, there is a new firmware for the dock that has been published this month - https://support.lenovo.com/gb/en/downloads/ds506115-firmware-update-tool-for-windows-10-64-bit-thinkpad-thunderbolt-3-dock-40ac |
|
Hi Chris,
I see. That explains the firmware image identifying as an update.
Just to verify, do you mean:
If it's case 1:
If it's case 2 or 3:
While I think chances are small this would solve the issue, it should be (relatively) safe to apply this firmware update. Feel free to try. |
|
Hi Chris, Got any updates? It would be good to know what's causing the issue you're seeing -- your findings may be valuable to other users, too. |
|
Hi Bjorn - the Windows 10 update has resolved the issue with the freezing post the login screen. I'm unable to perform the full firmware dump but I'm open to how we can do this? |
Fails to identify on a Lenovo P70 with the following information and wanting to patch a Lenovo Thunderbolt 3 dock (Model=AC)
DeviceInstanceId PCI\VEN_8086&DEV_1578&SUBSYS_11112222&REV_00\5&2B3F6D8&0&0000E4
Please find the attached TBT.bin file for your perusal.
Q: Is the patching actually successful i.e. would applying the patched firmware work ?
TBT.zip
2020-10-26 09:09:30,743 - WARNING - PCI ID '0x1578' has no known signatures. Ignoring PCI ID and trying all patterns instead.
Vendor ID : 0x109
PCI ID : 0x1578
PCI Device Name : DSL6540 Thunderbolt 3 Bridge [Alpine Ridge 4C 2015]
Model ID : 0x7070
NVM version : 25 (0x19)
Vendor : Lenovo
Device : Payton1 P70
Security Level : SL1
When patching;
2020-10-26 09:10:19,582 - WARNING - PCI ID '0x1578' has no known signatures. Ignoring PCI ID and trying all patterns instead.
Vendor ID : 0x109
PCI ID : 0x1578
PCI Device Name : DSL6540 Thunderbolt 3 Bridge [Alpine Ridge 4C 2015]
Model ID : 0x7070
NVM version : 25 (0x19)
Vendor : Lenovo
Device : Payton1 P70
Security Level : SL1
2020-10-26 09:10:19,590 - WARNING - PCI ID unsupported, but current SL detected through heuristics. Patching may fail.
Image patched successfully.
chrisd@edmund:tcfp > ab-python3 tcfp.py parse TBT.bin
2020-10-26 09:11:30,163 - WARNING - PCI ID '0x1578' has no known signatures. Ignoring PCI ID and trying all patterns instead.
Vendor ID : 0x109
PCI ID : 0x1578
PCI Device Name : DSL6540 Thunderbolt 3 Bridge [Alpine Ridge 4C 2015]
Model ID : 0x7070
NVM version : 25 (0x19)
Vendor : Lenovo
Device : Payton1 P70
Security Level : SL0
The text was updated successfully, but these errors were encountered: