Sunday, October 24, 2021

Setting up the Raspberry PI as a Pi-hole ad blocker

This is documents how I made the raspberrypi4 that my girlfriend got me as a gift into a DNS based adblocker over a split tunnel VPN with tailscale

This will enables me to set up any devices I want (for free, up to 20 with tailscale) and have DNS based ad-blocking no matter what network I'm connected to, including on my cell phone.


Edit

Tailscale already had this as it's own post. Somehow I didn't see it. https://tailscale.com/kb/1114/pi-hole/


Setting up my raspbery pi:

I don't know if I have a mini hdmi to normal hdmi cable and didn't feel like looking, so I set it up headless, or unplugging my keyboard and mouse either.

I used the instructions here: https://www.youtube.com/watch?v=ntaXWS8Lk34

I set the access using the ssh password access through the ctrl+shift+x setting menu in the "raspberry pi imager". I tried setting up using an ssh key first, but did something wrong.

Then I plugged in the sd card, ethernet cable, and then powered it on. I nmapped [ sudo nmap -sS -T5 -p22 192.168.0.0/24 ] my /24 network to see what my router had assigned it. The raspberry pi shows up as Raspberry pi in nmap, which is awfully handy. It takes up to 2 minutes to fully power on, run SSH and have the service listening and able to respond to nmap, so don't be worried if you don't see it initially.


I connected to the IP that was assigned using the pi@ user : ssh pi@192.168.0.xxx . I then set my local router to statically assign that IP instead of DHCP, which would break it's eventual use as a DNS server.


I then installed pi-hole: https://github.com/pi-hole/pi-hole/#one-step-automated-install:

curl -sSL https://install.pi-hole.net | bash

I accepted most of the defaults and turned on the admin interface.


Installing tailscale:

I blindly installed tailscale following the directions here for the raspberry pi: https://tailscale.com/download/linux/rpi
 

I was getting an error: 


identifier is 10406 and the job result is failed.
pi@rpi:~ $ sudo tailscale up
failed to connect to local tailscaled; it doesn't appear to be running (sudo systemctl start tailscaled ?)

systemctl status tailscaled.service
● tailscaled.service - Tailscale node agent
Loaded: loaded (/lib/systemd/system/tailscaled.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Mon 2021-10-18 16:11:28 PDT; 7s ago
Docs: https://tailscale.com/kb/
Process: 16161 ExecStartPre=/usr/sbin/tailscaled --cleanup (code=exited, status=0/SUCCESS)
Process: 16174 ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port $PORT $FLAGS (code=exited, status=1/FAILURE)
Process: 16193 ExecStopPost=/usr/sbin/tailscaled --cleanup (code=exited, status=0/SUCCESS)
Main PID: 16174 (code=exited, status=1/FAILURE)

Oct 18 16:11:28 rpi systemd[1]: tailscaled.service: Service RestartSec=100ms expired, scheduling restart.
Oct 18 16:11:28 rpi systemd[1]: tailscaled.service: Scheduled restart job, restart counter is at 5.
Oct 18 16:11:28 rpi systemd[1]: Stopped Tailscale node agent.
Oct 18 16:11:28 rpi systemd[1]: tailscaled.service: Start request repeated too quickly.
Oct 18 16:11:28 rpi systemd[1]: tailscaled.service: Failed with result 'exit-code'.
Oct 18 16:11:28 rpi systemd[1]: Failed to start Tailscale node agent.

Resolving the error

I was done working for the day and went back to it the next weekend and ran it again. It just worked, so maybe it will "just work" for you, too, or wait some timeout period and try again if you hit this error.

My resources and testing out the config

I followed steps here: https://luther.io/tailscale/raspberry-pi/pi-hole/tailscale-pi-hole/

Don't forget to scroll down and click "save" on the pihole dns settings, or you'll get dns errors when visiting virtually anything. 

After turning on tailscale to set my pihole as the DNS server I tested this out by taking my phone off of the local wifi, making sure tailscale was enabled, and visited cnn.com. No ads.


Further

I set pihole to autoupdate using cron:

crontab -e

Then, using the editor of choice (for me, vim) I added this line to the bottom:

0 4 * * * pihole -up


Thanks

I hope you enjoyed this post. If you have any questions, feel free to message me on twitter at @fiasco_averted

Sunday, January 24, 2021

Answering questions on twitter for fun - First Answer

Following up on my last post, here's the first one I want to answer:

-------------

https://twitter.com/tony_bridges_el/status/1353468708358926340

"My current bugbear is MS' Shielded VMs. I understand the marketing, but I don't understand on a technical level how they prevent introspection by the hardware/fabric owners. 

Part of a larger topic of securing secrets in untrusted environments."

-------------

TL;DR, go to the summary at the bottom of this post.

I haven't heard of this as an offering before, but this sounds like some of the awesome difficult to inspect/detect malware ideas a friend of mine had a while ago and gave a "don't share this" presentation on. Time to see if that's the case.

First link, from 2019: https://techcommunity.microsoft.com/t5/data-center-security/what-are-shielded-vms-in-windows-server-2016-hyper-v/ba-p/372179

Best link so far (1hr, 10min): https://sec.ch9.ms/ch9/fa49/1fbd93dd-250d-47d1-a420-02cf2234fa49/BRK3124_mid.mp4

The first gives it an introduction, but doesn't tell me if they're encrypting memory. The second is long and goes into great detail, but doesn't break down process/cpu resource segmentation. Re: ram, I remember researching cold boot attacks when they came out and worrying about hardware attestation/security at a longer engagement I was on when I was at iSEC Partners.

So let's compare this to normal VM infra:

Normal VM infra: 

1. VM server downloads/has access to storage VHD/virtual disk and reads the config, sends it to iron that has a shim to talk to VM server and runs it.

A. VHD isn't encrypted, anyone with physical access to iron can copy the disk or pull it out while running, and have the sdata from it.

B Can maybe do a cold boot attack on the ram, although ecc ram dissipates data faster, you can do the swap quickly enough with the right equipment/budget.

C. Assuming bypassable or lacking attestation on the vm management to the iron that's getting the VHD, you can also run everything as emulated/with a debugger, although emulating the speed of iron seems like it would side-channel leak that something is going on by being slower than normal. On low workloads or without looking at that frequently/closely, that could very well go undetected.

The point of Shielded VMs are to reduce trust in the people running the data center, to give you a chance at believing that maybe "the cloud" isn't just "someone else's computer" Let's break down how shielded VMs do that and I'll see what else may be possible that they're not doing/that I didn't read thoroughly enough. I'm happy to make changes in my posts on any inaccuracies, I'm rushing through public documentation and relying on a few years old knowledge re this, but this was just before they came out, so the tech was the same then.

Shielded VMs: 

Main docs: https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node

  1. Introduce a new service: Host Guardian Service (HGS)
A. This runs attestation on hosts that the VM server wishes to run a shielded vm on. It won't approve a host to run a shielded vm unless attestation passes.

Attestation has a few parts:

a. Secure boot: I assume it's configurable, but the TPM, which is/should be a physical chip, (but is available as a virtual TPM that hyper-v offers, but I don't know much about). This chip is separate from the cpu and runs crypto operations separate from the CPU(s).

As the machine boots, the TPM has a key baked into it by the manufacturer. It uses this to compute a chain of hashes (PCR) on (OEM/sysadmin) approved software/first boot software that should all be matched by the booting parts of the system (this is before windows starts and is hardware/bios/ueif level). 

If the parts running and sending their code through the CPU don't add up, then the TPM sees that one or more hashes don't match and says, "You shall not pass" It's the beginning of this blog post:  https://oofhours.com/2019/07/09/tpm-attestation-what-can-possibly-go-wrong/
More general Secure Boot info: https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot

Installing some new hardware or updating bios without putting the secure boot process into a new "learning mode" is a great way to be locked out of your machine.

Ok, watching this: https://sec.ch9.ms/ch9/fa49/1fbd93dd-250d-47d1-a420-02cf2234fa49/BRK3124_mid.mp4 at ~45min it goes in to how HGS adds more to the measured boot/secure boot process. the HGS takes each PCR (hash in the chain) and asks the TPM to sign each part and confirms those signatures with it's known TPM public key, so we have hardware based confirmation from a crypto chip designed to be difficult to get in to that confirms that the boot happened with the expected hardware and firmware. This should prevent a replay attack where a mitm false TPM sends the "secure boot happened" message to the HGS.

b.  To attest to remote things, the TPM signs something (a certificate) that the Host Guardian Service presents. If the sig can be proven by the public key the HGS has already from the client host TPM, then it can be proven that it both poassed Secure/Measured Boot and that the TPM has not been tampered with in non-large-number-of-dollars and team of skilled people ways (decapping/electron microscope, possibly other unknown-to-me ways)

B. If these two things are passed, then the HGS allows the chosen guarded host to be used. It also sends the decryption key to the guarded host to decrypt the shielded VM. These keys only work for a time period (let's say 8 ours). I didn't dig into how it time-boxes these.

This means that we now have trusted hardware running a vm that is encrypted on it's disk. Cpu level debuggers aren't running because we confirmed that booting is secure. The HDD/SDD and other peripherals are what was expected as well. Unapproved firmware is shut out too because of secure boot. 

So the iron has a measured boot and secure boot with a physical TPM. This is used to get a VM image and the key to decrypt it for a time period. vTPM in the VM/hyper-v then can runs to attest to the booting of the VM itself. I didn't dig into these specifics on virtualized TPMs either.

What about memory? Is that encrypted?

Not that I can tell. No one encrypts memory because as far as I'm aware, the CPU loss is abysmal. The secure enclave/vms (below) does protect that from being read by other CPU processes in other VMs and/or other privilege levels.

What about CPU cores, if there's a malicious VM also running on the same hardware, can that jump cores if it there's a VM breakout? 

Probably not/it's more difficult. I understand the gist of intel's SGX. This is a chip enforced segregation of CPU (and possibly memory) that would prevent even someone running debugging software from reading a process that's been granted SGX apportioned resources. It basically walls off part of the CPU and ram for processing. I don't know yet if this is what VSM is doing (and if that is used in shielded vms, but there's a captured syscall mentioning SGX that I only see mentioned on google in two places: https://github.com/ionescu007/SimpleVisor and https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/tlfs/vsm . In this video, they talk about VSM using Isolated User mode and Secure Kernel in "trustlets" ~11min mark: https://sec.ch9.ms/ch9/c198/dbc5b17b-7ba3-4701-93a0-57ebd9d5c198/introductiontoshieldedvirtualmachines_mid.mp4

"Secure enclave" is a term used in reference to what SGX creates as a walled area of the CPU for processing. The diagram (last referrence of SGX, at the top of pg5) (PDF) https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/sogeti-security-white-paper.pdf 

More details about SGX: https://blog.quarkslab.com/overview-of-intel-sgx-part-1-sgx-internals.html


What about administration? 

They offer making a separate forest, but let's be real, most won't. This mostly opens you up to normal AD priv-esc issues, which I think you should worry about a lot more than about some Azure employee copying your disks. 

This will help though: "HGS comes with Just Enough Administration (JEA) roles built in to help you manage it more securely. JEA helps by allowing you to delegate admin tasks to non-admin users, meaning the people who manage HGS policies need not actually be admins of the entire machine or domain." https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-manage-hgs

I really like their advice on setting this up. Follow it and your AD risks are much lower.

Random selection of other good security stuff Shielded VMs do:

  • Disable a bunch of remote protocols for admin stuff: Guest file copy IC, registry hive injection, vmconnect, powershell direct, remotefx, some WMI calls, some KVPs (dunno what that is).
  • Remove some virtual devices: serial, debug, hid, input mgr, rdp encoder, synthetic keyboard/mouse/video/rdp.

Summary

This offers you the ability to stop people who don't already have access to the running VM (end users) and VM admins from accessing the contents of a running VM. You enforce trusting the hardware with physical TPM attestation. You store your VHDs encrypted and revoke keys that have been given to VM servers after a time period. This prevents server admins and fabric admins from being able to run/access your shielded VMs/their data. Someone gets your SSD/HDD? They don't get your data, even if it's running on the machine because it's encrypted. Someone changes hardware on the server to gain access? It won't be attested for in secure/measured boot. Most physical attacks are covered. 

Another VM resident on the same metal breaks out of the VM? VMS and the equivalent (same?) to intelSGX stops the CPU from being told to read the secure enclave processing resources given to the Shielded VM. I'm not 100% sure on the 100% validity of this statement, but it's my intuition that this is correct. If anyone can confirm/deny this, please comment below, or in the twitter thread. I'll try to check it for the next week at least.

The only thing I see this missing is cold boot attacks, but I don't know how reliable those are now-days and haven't done one since 2013.

Shielded VMs first prove that the hardware/firmware expected to be running on the server you think you're talking to is before delivering the shielded vm (VHD) and additionally cut out a number of potential attack points from your VM infrastructure/fabric.

Answering questions from Twitter for fun

There is a great thread on twitter right now that got me thinking:

https://twitter.com/varcharr/status/1353440987180359680 "What's an infosec skill or concept that you've heard about but don't quite understand?"

I was reading through this and think I have the answers to a few of these questions. I'll try to do a succinct answer to them. This will not be short, but I think I can answer a few of the thread's "unknowns". 

My next at least two posts will be answering these questions. The ones I'm picking so far are:

------EDIT: Others answered this first one well enough. I'm not feeling up to whiteboarding this (the part that's missing).--------------------
https://twitter.com/TinkerSec/status/1353451835378593793

"SSH Tunneling.
Hell, I do it all the time. Have my most used commands and flags in my runbooks, readily accessible.
Still don’t fully understand it."

 --------------------

https://twitter.com/tony_bridges_el/status/1353468708358926340

"My current bugbear is MS' Shielded VMs. I understand the marketing, but I don't understand on a technical level how they prevent introspection by the hardware/fabric owners. 

Part of a larger topic of securing secrets in untrusted environments."

--------------------


I'll add more if I end up answering more. Will be linking to this and the related posts in the thread under my twitter handle: fiasco4297

Tuesday, February 12, 2019

Upgrading Qubes to latest fedora 29 template on an old (4.0), but not turned on in months laptop

I had qubes-os 4.0 on a laptop I hadn't turned on in months. It was still running fedora-26.

I wanted to update directly to the latest template (fedora-29). A direct in-place upgrade (26->29) isn't recommended by fedora, but totally worked and even says it should work in the Qubes upgrade docs.

Summary

 

I only did two things different than the stock standard directions in these three docs:
https://www.qubes-os.org/doc/templates/
https://www.qubes-os.org/doc/template/fedora/upgrade-28-to-29/
https://www.qubes-os.org/doc/disposablevm-customization/
  1. The following command errored, saying I was missing rpmfusion gpg keys. I added them successfully and the upgrade completed.
    sudo dnf --releasever=29 --best --allowerasing distro-sync
  2. I am using two template vms so I have a more-trusted standard fedora-29 vm with less installed software exposed in my sys-* vms.
The Qubes documentation is excellent and I saw even more this time around re-reading them while making this blog post. If you have more questions, the mailing list is very helpful and searchable here: https://groups.google.com/forum/#!forum/qubes-users

The purpose of this blog post is to document my step by step process for this upgrade so I can use it as a reference and others can learn what I learned. I'm sure some things can be more efficient and automated, but I'm first learning the GUIs provided. I'm not opposed to cli, just trying to understand the different mangement features provided by qubes.

Upgrading


I wanted to try in this less stressful environment, so I chose this laptop, since I don't need it for my day-to-day work and I wanted to compare and contrast in-place upgrades with downloading a brand new template.

First, I upgraded dom0

> sudo qubes-dom0-upgrade

This got me to: Kernel 4.14.74, xen 4.8.4, and still Qubes 4.0.

I then rebooted because I like rebooting a lot to make sure I am exactly where I expect to be, nothing pending.

I installed fedora-29 two different ways

 

Method 1: Install the new template:

I followed directions here: https://www.qubes-os.org/doc/templates/
> sudo qubes-dom0-update qubes-template-fedora-29

This was super easy. I tested by creating and launching a vm from this template using the gui "Create Qubes vm" launcher item and manually choosing the "fedora-29" VM template. Success. I updated it internally by booting the terminal in the qubesvm and running "sudo dnf update".

Note: I just realized I don't know if I type update or upgrade usually, and it turns out that it's the same command, but update is a deprecated alias for upgrad according to "man dnf".

Method 2: I upgraded my template VM for fedora-26 in-place

I used the same instructions here: https://www.qubes-os.org/doc/template/fedora/upgrade-28-to-29/

Notes and one error I encountered and fixed in my process:

I named my template fedora-29-1 because I didn't want the simultaneous download of the fedora-29 template that dom0 was doing to have any naming issues/errors.
I encountered an error upgrading that stated I didn't have fedora29 rpmfusion free and nonfree signing keys imported. I checked /etc/pki/rpm-gpg and sure enough, they were missing, it automatically added fedora 25-28, but ignored fedora29, strangely enough.

I imported the keys with the following commands:
  • [user@fedora-29-1 rpm-gpg]$ sudo rpm --import 'https://rpmfusion.org/keys?action=AttachFile&do=get&target=RPM-GPG-KEY-rpmfusion-free-fedora-29'
  • [user@fedora-29-1 rpm-gpg]$ sudo rpm --import 'https://rpmfusion.org/keys?action=AttachFile&do=get&target=RPM-GPG-KEY-rpmfusion-nonfree-fedora-29'
As mentioned might be a necessity in the link, I did need to add disk space after downloading all the files. I got this message after restarting my template upgrade command:
Error Summary
-------------
Disk Requirements:
At least 904MB more space needed on the / filesystem.
I tried copying over the cache folder so I wouldn't have to waste another 20+ minutes waiting for 1.4GB of files to download, but I was unable to get the cache to copy. If someone knows how to copy the cache with a lot of cached downloads, let me know. ** I recommend adding disk space pre-emptively, because it if you've installed much, the stock VM probably doesn't have space for the in-place upgrade. ** It takes an extra 30 seconds up front and saves 10-30 minutes later.

Summary: The documentation is great for this. I recommend preemptively adding the disk-cache. Then import the rpm-fusion keys before upgrading.

So far we haven't changed anything that we're relying on. I love the segmentation of Qubes that allows us to install a new template and upgrade a cloned template in-place, and have nothing I was relying on risked because of this. The segmentation is awesome. Now we switch VMs to the new templates

Qubes Template Manager is AWESOME 

 

Q icon> System Tools > Qubes Template Manager
https://www.qubes-os.org/doc/templates/#how-to-switch-templates-40
It makes switching to a different/new template effortless.
I did have to shutdown some VMs in order to switch them over.
I also rebooted a couple times because I wanted to make sure everything was working properly.

My don't-put-all-my-eggs-in-one-basket sequence that worked:  

First: A spot check

I spot-checked both templates by creating a new-vm from those templates and tested out network connectivity by opening firefox to a new page. I upgrade the templates a well and tested out VLC in the 29-1 template since it should still be installed. All worked. Great.

Second: Move over easy VMs


  • Spot check one VM that has persistence. I use a VM that had some files in Downloads that were still there in the migrated AppVM with the new Fedora-29-1 template and I confirmed in the CLI that cat /etc/fedora-release as 29.
  • Do the rest of the vms besides sys-* and disposible-vms.
  • Reboot

Third: Move sys-* after a reboot

  • I'm cautions/still learning how restart services and had trouble letting Qubes Manager let me kill sys-network. I decided to reboot and then update the sys-* vms.
  • I booted, shut down anything that had automatically started, and then I was able to shutdown/kill the sys-* vms to update their template.
  • I rebooted again to get the full start scripts running in the right order because that seemed like less work than doing it manually and this fells like a fuller-test if they work.

Disposable VMs need a bit extra work:

This link shows the few commands for updating and includes deletion.
https://www.qubes-os.org/doc/disposablevm-customization/

I consciously chose fedora-29-1 for the dvm-29-1 and not the clean, fedora-29 vm because I wanted VLC and a few other disposable applications that I don't want in my sys-vms.

I did end up with two launcher items/VMs for different disposable VMs. I deleted the old one following directions in the link above.

Notes on what I did differently than stock-standard:

I'm running two templates, the upgraded-in-place one (fedora-29-1) and the downloaded fedora-29 template. Anything involving sys-* or display-mgmt vms I set to fedora-29. For things that need installed software, I used fedora-29-1.
Eventually I might get minimal and/or disposible VMs working for these. I wasn't able to get a minimal VM working for network or firewall on my latest attempt. I haven't given up yet though.

I set personal use (work/personal/untrusted/etc) vms to fedora-29-1 because that has extra packages installed that I want to stay around.

Saturday, June 30, 2018

Brain dumping multiple subjects for future reference

Good write up about cookie security. One of the clearest I've seen on thevarious cookie flags.: https://www.wst.space/cookies-samesite-secure-httponly/

Ideas for startup administration: 

  • OSX admin: Fleetsmith
  • Logging/infra analytics: OSquery/Kolide
  • Password storage and sharing: Lastpass
  • Email: Gmail (preferrable ot office365, since the lowest versions of o365 don't allow 2FA and fleetsmith/kolide prefer gmail integration for auth)
  • 2FA solution (because google-authenticator doesn't allow backups:
    • Initially (free): Authy
    • Later on, for all their integrations and yubikey/ease of use: DUO

Goals for security admins:

  • Involve users minimally in setup and configuration of security products.
  • Make sec infra as invisible as possible.
  • Don't require 100 different passwords. Try to limit it to 3ish. 
  • Log from the get-go: https://medium.com/starting-up-security/starting-up-security-87839ab21bae
In general, this writeup is way better than I could have done it: https://medium.com/starting-up-security/starting-up-security-87839ab21bae

Everything Ryan writes here is pretty great: https://magoo.github.io/Blockchain-Graveyard/advice/



Thursday, September 3, 2015

EFI/UEFI and OSX link dump

Firmware/EFI and Kernel/OS level issues link dump:

long running bug (fixed?)
http://newosxbook.com/articles/PST2.html

twitter account for osx/efi security person: https://twitter.com/osxreverser

OSX kernel mem leak: https://github.com/ud2/advisories/tree/master/osx/cve-2015-3780
malicious ntfs image dos: https://github.com/ud2/advisories/tree/master/osx/cve-2015-5763

read osx physical memory, including bios, kernel, and possibly smm: https://github.com/gdbinit/readphysmem
exploit using this info: https://github.com/gdbinit/diagnostic_service2

info aobut twpn: http://blog.qwertyoruiop.com/?p=69
twpn: https://github.com/kpwn/tpwn

OSX rootkit detection and prevention:

Rootpipe: https://twitter.com/diodesign/status/630553369078149120
http://www.opensource.apple.com/source/gdb/gdb-1705/src/gdb/macosx/macosx-nat-dyld.c
https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/Patrick%20Wardle/
updated preso from defcon: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/Patrick%20Wardle%20-%20UPDATED/

thunderstrike 2: https://trmm.net/Thunderstrike2_details
http://legbacore.com/Research_files/ts2-blackhat.pdf

somehting about pwning ios devices, firmware, something something:
https://github.com/planetbeing/xpwn
lightweight version: https://github.com/sektioneins/xpwntool-lite

tons of good resources on this site: https://reverse.put.as/2015/08/07/writing-bad-lamware-for-os-x/
their github: https://github.com/Gdbinit/
https://reverse.put.as/archives/


EFI:
EDK II visual studio stuff https://github.com/ionescu007/VisualUefi
thread about said tool: https://twitter.com/aionescu/status/632594173414129664


https://github.com/LongSoft/UEFITool
UEFITool is a cross-platform C++/Qt program for parsing, extracting and modifying UEFI firmware images.
It supports parsing of full BIOS images starting with the flash descriptor or any binary files containing UEFI volumes.

hypervisor stuff:
https://twitter.com/adulau/status/631366664265842688 - small enough to bypass and interfere with patchguard https://github.com/tandasat/Sushi

trustzone fuzzer: https://github.com/laginimaineb/fuzz_zone

bootloader walkthrough: http://www.cs.dartmouth.edu/~bx/blog/2015/09/03/a-toure-of-bootloading.html


Friday, July 10, 2015

Updating the bios on a Lenovo Thinkpad T440s

I like not having to worry about web pages flipping adjacent bits in memory (http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html), so I wanted to update my bios. I didn't want to use the Windows update utility (not running windows) or Lenovo crapware system update center that's on windows, so I went the route of the bootable USB.

From a Ubuntu system running FDE on a Lenovo Thinkpad 440s, I did the following:
Downloaded this: http://support.lenovo.com/us/en/downloads/ds035967
More or less followed directions here: http://www.lenzg.net/archives/358-Updating-the-BIOS-on-my-ThinkPad-T440-without-Windows-or-a-DVD-Drive.html

If you do have windows and don't want to shut down, here's how to query your Lenovo Bios version number using powershell (should work on any version of powershell, definitely 2.0+):
(Get-WmiObject -class "Win32_bios" -namespace "root\CIMV2" -computername ".").SMBIOSBIOSVersion

Here's how to query if you're on ubuntu (and probably other linuxes):
$ sudo dmidecode -s bios-version

Unlike the tutorial linked above, my steps for creating the bootable USB are a little simpler, mostly because the tool, "geteltorito" is installed by default in Ubuntu.

How to update:
Step 1: Create the bootable USB:
**Note, this assumes your usb is /dev/sdb1

$ geteltorito -o bios.img gjuj13us.iso
$ sudo dd if=bios.img of=/dev/sdb1

Done, USB should now be bootable.

Updating the Bios with the bootable USB
Then I shutdown, crossed my fingers, and booted from the USB (f12 brings up the boot media selection menu while booting if you haven't disabled that in Bios).

If you don't care about details and just want to finish, select #2, next, Y, yes, yea, sure, do the thing, reboot without removing media, wait for flashing to happen, remove bootable usb, reboot, done.

Detailed version:

When the usb loads, I have three options:

1. Read this first. This actually is pretty darn confusing and didn't really make sense the instructions are in Engrish, or were written by a drunk person.

2. "update system program". This does what I'm here for.
<Y>, yes, I want to continue

Don't remove USB, press <Enter>

System reboots into USB again

Flashing takes about a minute or two, then reboots. I removed the flash drive while it was counting down and it rebooted happily into my disk encryption prompt, then into my OS.

Option 3 was to manually change your serial number. I didn't have a need for this as far as I'm aware. I kind of want to make it "SKYNET" though.

Next
I'm going to enable boot protection, TXTmode, and security auditing on Bios and other strings and then will post an update on updating the bios when all that complication is added to the process. My next bios update should be considerably more complicated.

Let me know if anyone had issues with this method. Your bios image may be different than mine if your computer is not the T440s.