Warning: Digital Signature in NEW Lenovo Embedded Controllers prevents Classic Keyboard, Battery WL Firmware mods

Posted: Tue Sep 10, 2019 8:45 pm
by TPFanatic
https://github.com/hamishcoleman/thinkpad-ec
hamish coleman wrote: As the result of CVE-2019-6171, it looks like newer Lenovo firmware update files are adding a digital signature. If you upgrade to a version using this, you will not be able to patch your EC.

laptop | last good | first locked version
t430 | t430 BIOS 2.81 (G1ETC1WW) EC 1.13 (G1HT35WW) | t430 BIOS 2.82 (G1ETC2WW) EC 1.14 (G1HT36WW)
Basically, any BIOS update package where the changelog mentions CVE-2019-6171 will have this lockdown.

Lenovo is tracking their response to this CVE at: https://support.lenovo.com/gb/en/solutions/len-27764

Re: Warning: Digital Signature in NEW Lenovo Embedded Controllers prevents Classic Keyboard, Battery WL Firmware mods

Posted: Tue Sep 10, 2019 10:15 pm
by ajkula66
Wow, someone had a lot of time on their hands addressing this on a 6-7 year old generation of laptops.

:roll: :roll: :roll:

Re: Warning: Digital Signature in NEW Lenovo Embedded Controllers prevents Classic Keyboard, Battery WL Firmware mods

Posted: Tue Sep 10, 2019 11:43 pm
by dr_st
Wow, it actually looks like they are not addressing any real vulnerability. They actually specifically wanted to remove the ability to update the EC firmware. That's the entire point of these updates.

Re: Warning: Digital Signature in NEW Lenovo Embedded Controllers prevents Classic Keyboard, Battery WL Firmware mods

Posted: Wed Sep 11, 2019 12:03 am
by ajkula66
dr_st wrote:
Tue Sep 10, 2019 11:43 pm
Wow, it actually looks like they are not addressing any real vulnerability. They actually specifically wanted to remove the ability to update the EC firmware. That's the entire point of these updates.
Are you surprised?

Removing *real* vulnerabilities was never too high on Lenovo's list of priorities. Not that other manufacturers were more diligent.

This is just...IDK...ridiculous? Childish?

I'm having difficulty describing their move and that doesn't happen very often.

Re: Warning: Digital Signature in NEW Lenovo Embedded Controllers prevents Classic Keyboard, Battery WL Firmware mods

Posted: Wed Sep 11, 2019 1:06 am
by RealBlackStuff
They may not have intended to stop the Classic Keyboard swap, but rather the original-battery-check removal.
Either way, Lenono proves once more that they are a bunch of arseonists!

Re: Warning: Digital Signature in NEW Lenovo Embedded Controllers prevents Classic Keyboard, Battery WL Firmware mods

Posted: Wed Sep 11, 2019 4:02 am
by dr_st
In any case, it's not a big deal, since no one needs to be updating BIOS on such old systems anyways. However, it's an important warning for people against accidental upgrades.

What happens if you accidentally upgraded, though? I believe there are methods to force downgrade Thinkpad BIOS even from versions that are designed to prevent it.

Re: Warning: Digital Signature in NEW Lenovo Embedded Controllers prevents Classic Keyboard, Battery WL Firmware mods

Posted: Fri Sep 13, 2019 7:02 am
by TinkerMan
So what models are concerned by this?

Re: Warning: Digital Signature in NEW Lenovo Embedded Controllers prevents Classic Keyboard, Battery WL Firmware mods

Posted: Fri Sep 13, 2019 7:29 am
by RealBlackStuff
Guess you did not read the Lenovo link in the first post...

Re: Warning: Digital Signature in NEW Lenovo Embedded Controllers prevents Classic Keyboard, Battery WL Firmware mods

Posted: Sun Sep 15, 2019 3:37 am
by TinkerMan
RealBlackStuff wrote:
Fri Sep 13, 2019 7:29 am
Guess you did not read the Lenovo link in the first post...
I did, but I didn't understand one iota. The info on the link says something about allowing newer ThinkPads to use the old 7 key row, but the comments here talk about a new BIOS blocking this action, hence my confusion.

Re: Warning: Digital Signature in NEW Lenovo Embedded Controllers prevents Classic Keyboard, Battery WL Firmware mods

Posted: Tue Sep 17, 2019 2:28 am
by thelash
I have been using Lenovo Vantage for system updates on my T430, and - yes, a bit naive - installed t430 BIOS 2.82 (G1ETC2WW) EC 1.14 (G1HT36WW), the first locked BIOS in hamishcoleman's article. Intending to install the 7 row keyboard one day, I find that Lenovo don't want me to. How is that going to hurt them? So, finding under 'security' in my BIOS that 'prevent rollback' or something like that is disabled, I downloaded an earlier BIOS from Lenovo.com and it flashed without a hitch. Seemed too simple - wonder how long before Lenovo blocks rollbacks in their earnest quest to save us from ourselves?

Re: Warning: Digital Signature in NEW Lenovo Embedded Controllers prevents Classic Keyboard, Battery WL Firmware mods

Posted: Tue Sep 17, 2019 4:41 am
by RealBlackStuff
As long as you don't (unnecessarily) update your BIOS (and don't get misled/waylaid by unwanted Micro$haft/Vantage/System updates), you will be spared from that Lenono evil.

Re: Warning: Digital Signature in NEW Lenovo Embedded Controllers prevents Classic Keyboard, Battery WL Firmware mods

Posted: Mon Dec 23, 2019 5:36 pm
by czubaka
Hello,

I know that this post is a bit old now, but I've just faced a problem with updating my t430s... it's about step 6 in Hamish's guide.

If it will always download the original file from Lenovo, does it mean... it will be this locked newest BIOS?
If yes, how can I change this 6th step to make it work with the 2.75 img file that I've downloaded manually? (It's the latest unlocked BIOS for the t430s.) I will be grateful for help because I am kind of a noob with Linux :/
Using the name chosen in the previous step, make the fully patched image for this laptop (this will download the original file from Lenovo and patch it):

make patched.x230.img

Re: Warning: Digital Signature in NEW Lenovo Embedded Controllers prevents Classic Keyboard, Battery WL Firmware mods

Posted: Wed Dec 25, 2019 3:19 pm
by moofish2842
The reason this works is that, to my understanding, the current BIOS is what blocks the flash, not what you are updating to. Thus, if you are not on the newest version that blocks flashing, then flashing the newest modified version can’t be blocked because it is handled by the non-blocking BIOS. Sorry if that was a bad explanation, but basically you can go ahead and flash this update, however you will have to roll back in order to perform the modified flash again e.g. reverting to a modern keyboard.

Re: Warning: Digital Signature in NEW Lenovo Embedded Controllers prevents Classic Keyboard, Battery WL Firmware mods

Posted: Thu Dec 26, 2019 6:12 pm
by czubaka
Hm, I'm not sure... I have a t430s with the 2.75 BIOS (and EC 1.14). When I run this "make" command, I think it will try to download the newest BIOS (2.82 with EC 1.15, which is locked), so I think I should modify this makefile and force it to use the img file with the 2.75 BIOS that I downloaded before instead of trying to download the newest version...

But I don't know how :/

BTW
I'm using FHD kit and it works perfectly. My T430s has got wonderful 1900x1050 IPS screen :D