harryitguy
New Member
Hi Martin,
A friend purchased a laptop on Amazon that claimed it was new. Although I did all my forensics remotely (and thus cannot open the laptop to inspect it), I did research this Lenovo MTM 21HH0041US (T16 gen 2 laptop) and very thoroughly on the Lenovo support site (via serial number and parts), spoke with multiple Lenovo support engineers, looked at the Lenovo PSREF, ran Passmark benchmarks, and of course used HWINFO64 (V7.68-5300).
There are some unverified assumptions I have to make to prove to myself if this is a rogue system board and rogue BIOS without physically inspecting it.
[1] There are Lenovo tools to re-flash the MTM, serial number, and system brand ID. For example, see [1].
[2] The BIOS version is correct for this MTM at N3QET39W (1.39), but I am guessing even this can be hacked, and I discuss that below.
[3] I believe the merchant resealed the laptop as new and upgraded the SSD to a 2TB Kingston (bulk price of this circa 2021 SSD is $35 -- and removed the higher performing 512GB SSD) and placed a 16GB Kingston RAM part that is DDR4-2666 while the soldered RAM is 16GB DDR5-4800. The Kingston RAM is Kingston 9905790-047.A00G and is not listed on the Kingston web site (nor does Kingston return my calls at this time) but is mentioned in ref [2].
[4] Micron/Crucial phone support and PC magazine (see ref [3]) both state you cannot operate both DDR4 and DDR5 on the same system board. So, I have to assume the laptop is dressing up a component to state it is something other than what it really is. In any case, even if we could run both DDR4 and DDR5 we have slowed down the speed to the smaller of 2666 (DDR4) and 4800 (DDR5).
Since I cannot open up the laptop to look at components and serial numbers etched thereon (I assume even these can be faked), I was wondering how one can tell programmatically what is really there? So, there is my question, finally! I will try to answer it myself but wonder what your thoughts are -- you always mention (in the HWINFO64 forum) the SMBIOS DMI and how it is used to feed the BIOS and may be unreliably programmed at the factory. Understood. As a by-the-way, I am learning from Wikipedia (see refs [4], [5]) that SMBIOS and DMI are two different things and function independently. That's just semantics -- I get your point in all those forum responses about where the RAM info is gotten from.
Another question I asked myself is if I download the same BIOS and re-flash it, will this remove false information, or is the component information somewhere else? In this forum you mention many times how the information is in the SMBIOS DMI (whatever that is), which is static and filled in by the BIOS. Where is it programmed into? Perhaps it has to be programmed at the factory or with special tools that access an EEPROM component and can thus be faked and/or bypassed (see BIOS hacking in [7], [8])?
Or does the BIOS do an inquiry of all the hardware to enumerate it for SMBIOS? If so, a rogue "hacked" BIOS firmware (see [7]) could ignore these values and hardwire the values in its own memory; re-flashing the BIOS won't necessarily fix that, since a BIOS re-flash may only flash the parts of the code needed and not everything, such as pre-programmed ROM or EEPROM (see [9]). It gets worse: according to ref [10], the compromised BIOS might run a lightweight hypervisor (virtual machine) that will (prior to loading the OS) present a clean firmware image if the OS ever asks for it, while still being compromised. The author suggests something that is impractical for most of us: "...So from the actual machine, there is no reliable way to check if the firmware is malicious. You can however do so from another machine by unsoldering the ROM or flash chip that holds the firmware, putting it in an appropriate reader and reading it from a known good machine (but not executing it, just merely reading) and comparing to a known good image such as one provided by the mainboard manufacturer."
In summary, how and from where exactly do you get the information programmatically?
Thanks,
Harry
REFERENCES
[1] https://support.lenovo.com/us/en/so...-of-system-bios-menu-thinkcentre-thinkstation
[2] https://www.compuram.biz/memory_module/kingston/9905700-047-a00g.htm
[3] https://www.pcmag.com/news/what-is-...d-to-know-about-the-latest-pc-memory-standard
[4] https://en.wikipedia.org/wiki/Desktop_Management_Interface
[5] https://www.dmtf.org/standards/dmi/
[6] https://www.schneier.com/blog/archives/2015/03/bios_hacking.html
[7] https://cybercx.com.au/blog/bypassing-bios-password/
[8] https://diysecuritytips.com/can-a-bios-be-hacked/
[9] https://flylib.com/books/en/1.444.1.152/1/
[10] https://security.stackexchange.com/questions/97474/how-do-you-know-if-the-bios-has-been-compromised
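As an added illustration of where the "SMBIOS DMI" memory information physically lives and how to read it programmatically (this is example code written for this page, not part of the original post and not HWiNFO's own code): the firmware builds a flat structure table at boot, and the operating system simply hands that table to tools. On Linux it is exposed at /sys/firmware/dmi/tables/DMI (root required); on Windows it comes from GetSystemFirmwareTable with the 'RSMB' provider. The parser below walks that table, decodes every Type 17 (Memory Device) structure per the DMTF SMBIOS layout, and then flags the contradictions the post describes (DDR4 and DDR5 reported on one board, a module running below its rated speed). The sample table bytes are constructed by hand to mirror the post's scenario; the manufacturer strings, serial numbers and the "CONSTRUCTED-DDR5" part number are placeholders, not real parts, and only the Kingston part number is taken from the post.

```python
"""Parse SMBIOS Type 17 (Memory Device) structures from a raw structure table.

Added example, not code from the forum post or from HWiNFO. Field offsets follow
the DMTF SMBIOS specification for Type 17 (2.8 layout, 0x28 formatted bytes).
"""
import struct
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# SMBIOS Type 17 enumerations (subset). DDR5 (0x22) was added in SMBIOS 3.3.
MEMORY_TYPE = {0x01: "Other", 0x02: "Unknown", 0x18: "DDR3", 0x1A: "DDR4",
               0x1E: "LPDDR4", 0x22: "DDR5", 0x23: "LPDDR5"}
FORM_FACTOR = {0x01: "Other", 0x02: "Unknown", 0x09: "DIMM", 0x0B: "Row of chips",
               0x0D: "SODIMM", 0x10: "Die"}


@dataclass
class MemoryDevice:
    handle: int
    locator: str
    bank: str
    size_mb: int          # 0 means the slot is empty
    form_factor: str
    mem_type: str
    speed_mts: int        # rated speed the firmware reports (MT/s)
    configured_mts: int   # speed the firmware says it actually trained to
    manufacturer: str
    part_number: str
    serial: str


def _split_structures(table: bytes) -> Iterator[Tuple[int, bytes, List[str]]]:
    """Yield (type, formatted_area, strings) for each structure in the table."""
    off = 0
    while off + 4 <= len(table):
        stype, length = table[off], table[off + 1]
        formatted = table[off:off + length]
        pos, strings = off + length, []
        while True:  # string-set: NUL-terminated strings, ended by an empty one
            end = table.index(b"\x00", pos)
            s = table[pos:end].decode("ascii", "replace")
            pos = end + 1
            if s:
                strings.append(s)
                continue
            if not strings:  # no strings at all: the set is just two NUL bytes
                pos += 1
            break
        yield stype, formatted, strings
        off = pos
        if stype == 127:  # End-of-Table structure
            break


def _size_mb(f: bytes) -> int:
    size = struct.unpack_from("<H", f, 0x0C)[0]
    if size == 0xFFFF:                     # unknown
        return -1
    if size == 0x7FFF and len(f) >= 0x20:  # use Extended Size (MB)
        return struct.unpack_from("<I", f, 0x1C)[0] & 0x7FFFFFFF
    if size & 0x8000:                      # bit 15 set: units are KB
        return (size & 0x7FFF) // 1024
    return size


def parse_memory_devices(table: bytes) -> List[MemoryDevice]:
    devices = []
    for stype, f, strings in _split_structures(table):
        if stype != 17 or len(f) < 0x1B:
            continue
        # String fields hold a 1-based index into the structure's string-set; 0 = none.
        s = lambda i: strings[f[i] - 1] if 0 < f[i] <= len(strings) else ""
        devices.append(MemoryDevice(
            handle=struct.unpack_from("<H", f, 0x02)[0],
            locator=s(0x10), bank=s(0x11), size_mb=_size_mb(f),
            form_factor=FORM_FACTOR.get(f[0x0E], f"0x{f[0x0E]:02X}"),
            mem_type=MEMORY_TYPE.get(f[0x12], f"0x{f[0x12]:02X}"),
            speed_mts=struct.unpack_from("<H", f, 0x15)[0],
            configured_mts=struct.unpack_from("<H", f, 0x20)[0] if len(f) >= 0x22 else 0,
            manufacturer=s(0x17), serial=s(0x18), part_number=s(0x1A)))
    return devices


def sanity_check(devices: List[MemoryDevice]) -> List[str]:
    """Flag internally inconsistent firmware claims; returns human-readable findings."""
    populated = [d for d in devices if d.size_mb]
    findings = []
    types = {d.mem_type for d in populated}
    if len(types) > 1:
        findings.append(f"mixed memory types reported on one board: {sorted(types)}")
    for d in populated:
        if d.configured_mts and d.speed_mts and d.configured_mts < d.speed_mts:
            findings.append(f"{d.locator}: {d.part_number} rated {d.speed_mts} MT/s "
                            f"but configured at {d.configured_mts} MT/s")
        if not d.serial or not d.part_number.strip():
            findings.append(f"{d.locator}: no serial/part number (SPD data not copied)")
    return findings


def _type17(handle, size_mb, form_factor, mem_type, speed, configured, strings) -> bytes:
    """Build one constructed Type 17 structure for the sample table below."""
    f = bytearray(0x28)
    f[0], f[1] = 17, 0x28
    struct.pack_into("<HHHHHH", f, 2, handle, 0x0FFF, 0xFFFE, 64, 64, size_mb)
    f[0x0E], f[0x12] = form_factor, mem_type
    f[0x10], f[0x11], f[0x17], f[0x18], f[0x1A] = 1, 2, 3, 4, 5   # string indices
    struct.pack_into("<H", f, 0x15, speed)
    struct.pack_into("<H", f, 0x20, configured)
    return bytes(f) + b"".join(s.encode() + b"\x00" for s in strings) + b"\x00"


# Constructed sample: soldered DDR5-4800 trained down to 2666 next to a DDR4-2666
# SODIMM, i.e. exactly the impossible combination the post reports. Placeholder
# vendor/serial strings; only the Kingston part number comes from the post.
SAMPLE_TABLE = (
    _type17(0x1000, 16384, 0x0B, 0x22, 4800, 2666,
            ["Onboard", "BANK 0", "VendorA", "00000001", "CONSTRUCTED-DDR5"])
    + _type17(0x1001, 16384, 0x0D, 0x1A, 2666, 2666,
              ["DIMM 0", "BANK 1", "Kingston", "00000002", "9905790-047.A00G"])
    + bytes([127, 4, 0xFF, 0xFF]) + b"\x00\x00")


def load_live_table() -> bytes:
    """Linux: raw table from sysfs (needs root). On Windows call
    GetSystemFirmwareTable('RSMB') via ctypes and skip the 8-byte RawSMBIOSData header."""
    with open("/sys/firmware/dmi/tables/DMI", "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    devs = parse_memory_devices(SAMPLE_TABLE)
    for d in devs:
        print(d)
    for finding in sanity_check(devs):
        print("!!", finding)
```

Two caveats matter for the post's question. First, every Type 17 field is whatever the firmware wrote when it built the table at boot: for a socketed module the firmware normally copies the values from the module's SPD EEPROM over SMBus, while for soldered memory the values come from the board's build-time configuration, so a tampered firmware can write anything here and the OS has no independent source in this table. Second, the independent cross-check is therefore to read the SPD EEPROM directly rather than the table (on Linux, decode-dimms from i2c-tools does this over the SMBus), and to compare the module's SPD manufacturer, part number and serial with what the table claims; a mismatch between the two, or a table that reports a module type the SPD does not, is the programmatic tell the post is looking for.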