HWINFO64 summary source

harryitguy

Hi Martin,

[Attachment: hwinfo-ram.JPG]

A friend purchased a laptop on Amazon that claimed it was new. Although I did all my forensics remotely (and thus cannot open the laptop to inspect it), I researched this Lenovo MTM 21HH0041US (T16 Gen 2 laptop) very thoroughly on the Lenovo support site (via serial number and parts), spoke with multiple Lenovo support engineers, looked at the Lenovo PSREF, ran PassMark benchmarks, and of course used HWINFO64 (v7.68-5300).

There are some unverified assumptions I have to make to prove to myself whether this is a rogue system board and rogue BIOS without physically inspecting it.

[1] There are Lenovo tools to re-flash the MTM, serial number, and system brand ID (for example, see [1]).

[2] The BIOS version is correct for this MTM at N3QET39W (1.39), but I am guessing even this can be hacked; I discuss that below.

[3] I believe the merchant resealed the laptop as new, upgraded the SSD to a 2TB Kingston (the bulk price of this circa-2021 SSD is $35) and removed the higher-performing 512GB SSD, and placed a 16GB Kingston RAM part that is DDR4-2666 while the soldered RAM is 16GB DDR5-4800. The Kingston RAM is Kingston 9905790-047.A00G and is not listed on the Kingston website (nor does Kingston return my calls at this time), but it is mentioned in ref [2].

[4] Micron/Crucial phone support and PC Magazine (see ref [3]) both state you cannot operate both DDR4 and DDR5 on the same system board. So, I have to assume the laptop is dressing up a component to state it is something other than what it really is. In any case, even if we could run both DDR4 and DDR5, we have slowed down the speed to the smaller of 2666 (DDR4) and 4800 (DDR5).

Since I cannot open up the laptop to look at components and the serial numbers etched thereon (I assume even these can be faked), I was wondering how one can tell programmatically what is really there. So, there is my question, finally! I will try to answer it myself but wonder what your thoughts are -- you always mention (in the HWINFO64 forum) the SMBIOS DMI and how it is used to feed the BIOS and may be unreliably programmed at the factory. Understood. As a by-the-way, I am learning from Wikipedia (see refs [4], [5]) that SMBIOS and DMI are two different things and function independently. That's just semantics -- I get your point in all those forum responses about where the RAM info comes from.

Another question I asked myself is: if I download the same BIOS and re-flash it, will this remove false information, or is the component information somewhere else? In this forum you mention many times how the information is in the SMBIOS DMI (whatever that is), which is static and filled in by the BIOS. Where is it programmed into? Perhaps it has to be programmed at the factory or with special tools that access an EEPROM component and can thus be faked and/or bypassed (see BIOS hacking in [7], [8])?

Or does the BIOS do an inquiry of all the hardware to enumerate it for SMBIOS? If so, a rogue "hacked" BIOS firmware (see [7]) could ignore these values and hardwire the values in its own memory -- re-flashing the BIOS won't necessarily undo that, as a BIOS re-flash may only flash the parts of the code needed and not everything, such as pre-programmed ROM or EEPROM (see [9]). It gets worse: according to ref [10], the compromised BIOS might run a lightweight hypervisor (virtual machine) that will (prior to loading the OS) present a clean firmware image if the OS ever asks for it, while still being compromised. The author suggests something that is impractical for most of us: "...So from the actual machine, there is no reliable way to check if the firmware is malicious. You can however do so from another machine by unsoldering the ROM or flash chip that holds the firmware, putting it in an appropriate reader and reading it from a known good machine (but not executing it, just merely reading) and comparing to a known good image such as one provided by the mainboard manufacturer."

In summary, how and from where exactly do you get the information programmatically?

Thanks,

Harry

REFERENCES
[1] https://support.lenovo.com/us/en/so...-of-system-bios-menu-thinkcentre-thinkstation
[2] https://www.compuram.biz/memory_module/kingston/9905700-047-a00g.htm
[3] https://www.pcmag.com/news/what-is-...d-to-know-about-the-latest-pc-memory-standard
[4] https://en.wikipedia.org/wiki/Desktop_Management_Interface
[5] https://www.dmtf.org/standards/dmi/
[6] https://www.schneier.com/blog/archives/2015/03/bios_hacking.html
[7] https://cybercx.com.au/blog/bypassing-bios-password/
[8] https://diysecuritytips.com/can-a-bios-be-hacked/
[9] https://flylib.com/books/en/1.444.1.152/1/
[10] https://security.stackexchange.com/questions/97474/how-do-you-know-if-the-bios-has-been-compromised
 
Your theory of someone changing soldered memory chips with SO-DIMM modules of a completely different generation is, mildly said, crazy.
Such work would require effort exceeding the benefit by far.
The memory modules you see in HWiNFO are detected directly by querying the DIMM SPDs and it's not possible to run both generations side-by-side.
Moreover, DDR5 modules are of a substantially different design which requires totally different mainboard layout and different components. DDR5 has on-DIMM VRs (PMIC) while DDR4 requires the DIMM VRs on mainboard. It would be much easier to exchange the entire mainboard.
The BIOS builds SMBIOS information during runtime based on pre-defined values like serial number stored in different non-volatile memory, and information detected during boot.
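The two information sources discussed above (Harry's "from where exactly do you get the information programmatically?" and Martin's answer that HWiNFO reads the DIMM SPDs directly while the BIOS assembles the SMBIOS table at boot) can be shown side by side. The following is an added example, not HWiNFO's code and not anything from this thread: it parses SMBIOS Type 17 (Memory Device) records from a raw structure table, decodes the memory generation from SPD byte 2 (the JEDEC "DRAM device type"), and flags slots where the firmware-written SMBIOS value disagrees with what the module's own EEPROM says. All bytes are constructed for the example; the vendor name "Vendor-A", the part string "CONSTRUCTED-PART-1" and the slot names are placeholders, and the SPD images are only the first four bytes of what a real read would return. The Kingston part number is the one from the thread, used as a string only.

```python
"""Cross-check memory-module generation from two sources (added example):
 1. SMBIOS Type 17 structures, written into the table by the BIOS at boot
    (only as truthful as the firmware that built them), and
 2. the module's SPD EEPROM, read over SMBus; byte 2 is the JEDEC
    "DRAM device type" and fixes the generation (DDR4 vs DDR5).
Every byte below is constructed for illustration, not captured from a machine.
On Windows the raw table can be obtained from the WMI class
MSSmBios_RawSMBiosTables (SMBiosData); this parser works on that byte array.
"""
import struct

# SMBIOS Type 17 "Memory Type" enumeration (offset 0x12), subset
SMBIOS_MEMORY_TYPE = {0x18: "DDR3", 0x1A: "DDR4", 0x1E: "LPDDR4", 0x22: "DDR5", 0x23: "LPDDR5"}
# JEDEC SPD byte 2 "DRAM device type", subset
SPD_DEVICE_TYPE = {0x0B: "DDR3", 0x0C: "DDR4", 0x10: "LPDDR4", 0x12: "DDR5", 0x13: "LPDDR5"}


def parse_smbios_memory_devices(table: bytes) -> list[dict]:
    """Walk a raw SMBIOS structure table and return one dict per Type 17 record."""
    devices, off = [], 0
    while off + 4 <= len(table):
        stype, length, _handle = struct.unpack_from("<BBH", table, off)
        if stype == 127:                      # End-of-Table structure
            break
        formatted = table[off:off + length]
        # Unformatted area: NUL-terminated strings, closed by one extra NUL.
        str_start = off + length
        str_end = table.find(b"\x00\x00", str_start)
        if str_end < 0:
            raise ValueError("truncated SMBIOS table")
        strings = table[str_start:str_end].split(b"\x00")

        def s(idx: int) -> str:               # string-number field; 0 means no string
            return strings[idx - 1].decode("ascii", "replace") if 0 < idx <= len(strings) else ""

        if stype == 17 and length >= 0x1B:    # Memory Device, SMBIOS 2.3+ layout
            mem_type = formatted[0x12]
            devices.append({
                "locator": s(formatted[0x10]),
                "size_mb": struct.unpack_from("<H", formatted, 0x0C)[0],
                "type": SMBIOS_MEMORY_TYPE.get(mem_type, f"unknown(0x{mem_type:02X})"),
                "speed_mts": struct.unpack_from("<H", formatted, 0x15)[0],
                "manufacturer": s(formatted[0x17]),
                "part": s(formatted[0x1A]),
            })
        off = str_end + 2
    return devices


def build_type17(handle, size_mb, mem_type, speed_mts, locator, manufacturer, part) -> bytes:
    """Serialize one SMBIOS 2.7-style Type 17 structure (0x22 formatted bytes + strings)."""
    formatted = b"".join([
        struct.pack("<BBH", 17, 0x22, handle),
        struct.pack("<HH", 0x0010, 0xFFFE),     # physical array handle, no error-info handle
        struct.pack("<HHH", 64, 64, size_mb),   # total width, data width, size in MB
        bytes([0x0D, 0x00]),                    # form factor SODIMM, device set
        bytes([0x01, 0x00]),                    # device locator = string 1, no bank locator
        bytes([mem_type]),                      # memory type (offset 0x12)
        struct.pack("<H", 0x0080),              # type detail: synchronous
        struct.pack("<H", speed_mts),           # speed (offset 0x15)
        bytes([0x02, 0x00, 0x00, 0x03, 0x00]),  # manufacturer=str 2, serial, asset, part=str 3, attributes
        struct.pack("<I", 0),                   # extended size (unused here)
        struct.pack("<H", speed_mts),           # configured speed
    ])
    strings = b"".join(x.encode() + b"\x00" for x in (locator, manufacturer, part)) + b"\x00"
    return formatted + strings


def spd_generation(spd: bytes) -> str:
    """Generation from SPD byte 2: what a direct SPD read over SMBus yields."""
    return SPD_DEVICE_TYPE.get(spd[2], f"unknown(0x{spd[2]:02X})")


def cross_check(table: bytes, spd_by_slot: dict[str, bytes]) -> list[str]:
    """Slot locators whose SMBIOS memory type disagrees with the SPD read from that slot."""
    return [d["locator"] for d in parse_smbios_memory_devices(table)
            if d["locator"] in spd_by_slot
            and spd_generation(spd_by_slot[d["locator"]]) != d["type"]]


# Constructed table: two SO-DIMM records and the End-of-Table structure.
SAMPLE_TABLE = (
    build_type17(0x1100, 16384, 0x22, 4800, "DIMM 1", "Vendor-A", "CONSTRUCTED-PART-1")
    + build_type17(0x1101, 16384, 0x1A, 2666, "DIMM 2", "Kingston", "9905790-047.A00G")
    + struct.pack("<BBH", 127, 4, 0xFFFF) + b"\x00\x00"
)
# Constructed SPD images (first four bytes only); byte 2 = 0x12 marks DDR5.
SAMPLE_SPD = {
    "DIMM 1": bytes([0x30, 0x10, 0x12, 0x03]),
    "DIMM 2": bytes([0x30, 0x10, 0x12, 0x03]),   # SPD says DDR5 while SMBIOS above says DDR4
}

if __name__ == "__main__":
    for dev in parse_smbios_memory_devices(SAMPLE_TABLE):
        print(dev)
    print("SMBIOS/SPD generation mismatch in slots:", cross_check(SAMPLE_TABLE, SAMPLE_SPD))
```

The point of the comparison is the one Martin makes: a Type 17 record is just bytes the firmware chose to write, so a tool that wants to know what is physically in the slot reads the SPD itself, and a disagreement between the two is the signal worth investigating rather than either value on its own.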
 
Hi Martin,

I think you misunderstood my theory -- I was not suggesting anyone would change the socketed RAM -- I was just saying perhaps they put in a different system board (recall I am not physically in front of the laptop to open it up) such that it has slower 16GB soldered DDR4, and then they added the 16GB Kingston 9905790-047.A00G which is also DDR4 (and hence compatible). But to make it look like the correct system board, they would need to reprogram the system board (EEPROM) and BIOS to lie to you and anyone else using SMBIOS or DMI regarding what was in the hardware. This "theory" is based on the fact that the picture I presented showed both DDR4 (off-board 16GB Kingston 9905790-047.A00G) and DDR5 (socketed RAM) populated. Which, as we both are saying, is not a valid configuration.

[A] I believe it is easy enough to put in a cheaper system board and program it to lie (via DMI, SMBIOS) about its hardware. Note I never suggested removing the socketed RAM. My research supports that. I am just pointing out how HWINFO64 (along with running benchmarks) can help lead to that conclusion when the laptop is not in front of you. Malware hunters and DFIR engineers call this abductive logic :-). I present a theory and look for holes in it or a better theory. I stand behind my theory at this point.

Worse, you have to wonder what else might be on the system board as ref [11] suggests.

Another clue about the integrity of such purchases on Amazon is that the customer, upon initial power-up, observed Lenovo doing "RAM training", which was new to me while speaking with the customer on the phone. RAM training is described as "doing some initialization, resistance and voltages calibrations, and the clock training, using the calibration data previously acquired -- everything is done to ensure, that the data traveling between the CPU and ram, is synchronized for all ram slots occupied, at the desired memory speed." (see ref [12], and details in refs [13] and [14] for those interested). For me, it is an indication that the merchant did not even do a burn-in test to get past the memory training, which would precede the Windows setup.

[C] I notice you put a picture of AORUS in the image below (showing DDR4 and DDR5 in the same computer). I have no idea where you got this from but if it is correct, it is saying this may be a Gigabyte system board. I believe AORUS Intel Alder Lake-P PCH is a system board that normally holds a 12th generation Intel CPU but the Lenovo serial number and Amazon merchant and HWINFO64 say it is a 13th gen i7-1355U CPU. Another interesting discrepancy.

[Attachment: hwinfo-DDR4 and DDR5.JPG]

Regards,

"Crazy" Harry :)

REFERENCES
[11] https://hackaday.com/2018/10/04/mal...-motherboards-supplied-to-numerous-companies/
[12] https://www.overclock.net/threads/what-is-memory-training.1795165/
[13] https://www.micron.com/-/media/client/global/documents/products/technical-note/dram/tn46_08.pdf
[14] https://www.systemverilog.io/design/ddr4-initialization-and-calibration/
 
The AORUS logo is a promotion and shown on all boards regardless of brand. It will soon be changed to be shown only on GIGABYTE boards.
Kingston 9905790-047.A00G should be a DDR5 module.
 