This repository was archived by the owner on Sep 22, 2022. It is now read-only.

Bad LZMA[0x36B3C] header abf8bdd808494a6669137d843e82d6fa25 #2

Closed
Piker-Alpha opened this issue Nov 9, 2017 · 6 comments

Piker-Alpha commented Nov 9, 2017

This is what I get on macOS:

./unME11.py ME_region.rgn
     rbe: plain
  kernel: plain
  syslib: plain
     bup: plain
      pm: data
     vfs: data
 evtdisp: data
 loadmgr: data
  busdrv: data
    gpio: data
    prtc: data
  policy: data
  crypto: data
    heci: data
 storage: data
   pmdrv: data
 maestro: data
     fpf: data
     hci: data
fwupdate: data
     vdm: data
mca_boot: data
 mca_srv: data
  hotham: data
Module pavp is encrypted
Bad LZMA[0x36B3C] header abf8bdd808494a6669137d843e82d6fa25
-hash pavp: [lzma]
 ish_bup: plain
    rosm: data
   sigma: data
     cls: data
     icc: data
     tcb: data
   smbus: data

The ME_region.rgn was extracted from an iMac18,3 firmware with UEFITool.

You can use:

efiver.py -m 10.13.2

to download the latest Apple firmware files.

platomav commented Nov 9, 2017

@Piker-Alpha

At CSME 11.5 and up, NFTP > Pavp module is Encrypted so its SHA-256 LZMA hash cannot be verified.

By the way, have you tried MEAnalyzer (-unp86, -bug86) by any chance?

Your efiver tool is very interesting, especially for someone with no Mac who wants to check Apple's EFI updates for Engine firmware. Maybe I can convince you to check any new Apple EFI updates you find via MEA to see if something is new?
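An added illustration (not part of the thread and not unME11's code) of why bytes taken from an encrypted module fail a header sanity check. It decodes the header quoted in the error message as a standard 13-byte LZMA-alone header, which is an assumption, since the thread does not describe the layout of the 17-byte CSME header; the function names and the 64 MiB size ceiling are hypothetical.

```python
import lzma
import struct

# Header bytes quoted in the "Bad LZMA[0x36B3C] header" message in this thread.
PAGE_HEADER = bytes.fromhex("abf8bdd808494a6669137d843e82d6fa25")
UNKNOWN_SIZE = 0xFFFFFFFFFFFFFFFF  # LZMA-alone value meaning "size not stored"


def parse_header(blob):
    """Decode an LZMA-alone header: 1 props byte, u32 dict size, u64 unpacked size."""
    if len(blob) < 13:
        raise ValueError("LZMA-alone header needs 13 bytes")
    props, dict_size, unpacked = struct.unpack_from("<BIQ", blob, 0)
    return props, dict_size, unpacked


def typical_dict_size(d):
    """Heuristic: encoders normally choose 2^n or 2^n + 2^(n-1)."""
    return any(d in (1 << n, (1 << n) + (1 << (n - 1))) for n in range(1, 32))


def header_problems(blob, max_unpacked=64 * 1024 * 1024):
    """Return the reasons a header looks wrong; an empty list means plausible.

    max_unpacked is a hypothetical ceiling chosen for this example.
    """
    props, dict_size, unpacked = parse_header(blob)
    problems = []
    if props >= 9 * 5 * 5:  # props encodes (pb * 5 + lp) * 9 + lc
        problems.append("props byte out of range")
    if not typical_dict_size(dict_size):
        problems.append("unusual dictionary size 0x%X" % dict_size)
    if unpacked != UNKNOWN_SIZE and unpacked > max_unpacked:
        problems.append("implausible unpacked size 0x%X" % unpacked)
    return problems


def constructed_good_header():
    """Header of a stream built here with Python's lzma module (constructed sample)."""
    return lzma.compress(b"constructed sample module" * 64, format=lzma.FORMAT_ALONE)[:13]


if __name__ == "__main__":
    for name, hdr in (("page", PAGE_HEADER), ("constructed", constructed_good_header())):
        print(name, hdr.hex(), header_problems(hdr) or "plausible")
```

Running such a check before decompression also keeps a random-looking dictionary size from driving a large allocation in the decoder.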

Piker-Alpha commented

@platomav

That means password protected, right? If so, then that password has to be available somewhere to decrypt it.

About MEAnalyzer. No, but I will have a go with it and see what it does on macOS High Sierra 10.13.2 (the latest DeveloperSeed).

About EFIver.py. The current version will only run on macOS, but I have good news. I started to work on a portable version that should eventually run on Windows and Linux.

platomav commented

@Piker-Alpha

It is encrypted, logically with an asymmetric key-pair (RSA). Possibly with the same Private Key used to create each Code (FTPR, NFTP etc) Module's RSA Signature. Could be a different key-pair though as that deal with Netflix works only for 200-series & later. No matter what though, the Private Key is stored inside the CPU or PCH (probably the latter) so there is nowhere for us to find it as that would beat the whole purpose.

I asked you about MEA so that you could test its "-unp86 -bug86" parameters on that firmware in question. Nice news about EFIver, I'll revisit it once it can work outside of macOS. ;)

Piker-Alpha commented Nov 12, 2017

MEA.py works on macOS High Sierra 10.13.2 and the result is a 49KB document with data. No idea what to do with it though. Here's the output without options:

-------[ ME Analyzer v1.33.0 r104 ]-------

File:     IM183_0151_B00.fd (1/1)

Family:   CSE ME
Version:  11.6.14.1219
Release:  Production
Type:     Region, Extracted
FD:       Locked
SKU:      Slim H
Rev:      D0
SVN:      1
VCN:      173
LBG:      No
PV:       Yes
Date:     2017-01-12
FIT Ver:  11.6.10.1196
FIT SKU:  PCH-H Q170
Size:     0x124000
Platform: SPT/KBP
Latest:   No

The other one is too long to post here. Also not the place I guess.

platomav commented Nov 12, 2017

There is a misunderstanding here. I assumed that you opened this issue because you wanted to unpack that CSME region. But I think you wanted to test if unME11 works under macOS. Instead, my goal was to understand if the "issue" is specific to unME11 or to that CSME firmware. MEA -unp86 is also a CSE firmware unpacker and -bug86 can pause in case of errors. The output doesn't need to be posted here of course but since it didn't show any error & pause, it's clearly an "issue" with unME11. However, as I explained above, that message is normal/expected based on how that tool works. Thus, there is no problem to solve. 😉

Piker-Alpha commented Nov 13, 2017

I hoped that unME11 would decrypt and unpack the PAVP module which is possible but very difficult – there's a book from a (former?) Intel engineer and he said that it is possible (key is fused in the PCH).
