bjornruytenberg / tcfp Goto Github PK
View Code? Open in Web Editor NEWThunderbolt Controller Firmware Patcher.
Home Page: https://thunderspy.io
License: Other
Thunderbolt Controller Firmware Patcher.
Home Page: https://thunderspy.io
License: Other
Fails to identify on a Lenovo P70 with the following information and wanting to patch a Lenovo Thunderbolt 3 dock (Model=AC)
DeviceInstanceId PCI\VEN_8086&DEV_1578&SUBSYS_11112222&REV_00\5&2B3F6D8&0&0000E4
Please find the attached TBT.bin file for your perusal.
Q: Is the patching actually successful i.e. would applying the patched firmware work ?
TBT.zip
2020-10-26 09:09:30,743 - WARNING - PCI ID '0x1578' has no known signatures. Ignoring PCI ID and trying all patterns instead.
Vendor ID : 0x109
PCI ID : 0x1578
PCI Device Name : DSL6540 Thunderbolt 3 Bridge [Alpine Ridge 4C 2015]
Model ID : 0x7070
NVM version : 25 (0x19)
Vendor : Lenovo
Device : Payton1 P70
Security Level : SL1
When patching;
2020-10-26 09:10:19,582 - WARNING - PCI ID '0x1578' has no known signatures. Ignoring PCI ID and trying all patterns instead.
Vendor ID : 0x109
PCI ID : 0x1578
PCI Device Name : DSL6540 Thunderbolt 3 Bridge [Alpine Ridge 4C 2015]
Model ID : 0x7070
NVM version : 25 (0x19)
Vendor : Lenovo
Device : Payton1 P70
Security Level : SL1
2020-10-26 09:10:19,590 - WARNING - PCI ID unsupported, but current SL detected through heuristics. Patching may fail.
Image patched successfully.
chrisd@edmund:tcfp > ab-python3 tcfp.py parse TBT.bin
2020-10-26 09:11:30,163 - WARNING - PCI ID '0x1578' has no known signatures. Ignoring PCI ID and trying all patterns instead.
Vendor ID : 0x109
PCI ID : 0x1578
PCI Device Name : DSL6540 Thunderbolt 3 Bridge [Alpine Ridge 4C 2015]
Model ID : 0x7070
NVM version : 25 (0x19)
Vendor : Lenovo
Device : Payton1 P70
Security Level : SL0
When I used your patch as is, it bricked my Gigabyte Titan Ridge. It's okay because I can return it.
Attached is the original firmware.
Hi BjornRuytenberg,
I ran a parse command on the dumped Gigabyte Titan Ridge TB3 firmware and it couldn't find the signature.
$ python3 tcfp.py parse OriginalFirmware23-BlueChip.bin -v
2020-12-17 00:58:40,429 - DEBUG - Found PCI ID: 0x15ea ('JHL7540 Thunderbolt 3 Bridge [Titan Ridge 4C 2018]')
2020-12-17 00:58:40,429 - DEBUG - Parsing DROM.
2020-12-17 00:58:40,430 - DEBUG - DROM declares bogus NVM version. Determining value using alternative method.
2020-12-17 00:58:40,430 - DEBUG - Got NVM version using alternative method: 23 (0x17)
2020-12-17 00:58:40,430 - DEBUG - Done parsing DROM.
2020-12-17 00:58:40,430 - WARNING - No matching SL patterns for PCI ID '0x15ea'. Ignoring PCI ID and trying all patterns instead.
2020-12-17 00:58:40,431 - DEBUG - [0] Heuristics match:
2020-12-17 00:58:40,431 - DEBUG - pci-id : JHL6540 Thunderbolt 3 Bridge (C step) [Alpine Ridge 4C 2016] (0x15d3)
2020-12-17 00:58:40,431 - DEBUG - sl : 1
2020-12-17 00:58:40,431 - DEBUG - sig : [{'offset': 0x800, 'value': b'\xff'}, {'offset': 0x1800, 'value': b'\x19'}]
2020-12-17 00:58:40,431 - DEBUG - patch : [{'offset': 0x0, 'value': b'\x00 \x08\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00'}, {'offset': 0x800, 'value': b'\x18'}, {'offset': 0x1800, 'value': b'\xff'}]
Vendor ID : 0xed
PCI ID : 0x15ea
PCI Device Name : JHL7540 Thunderbolt 3 Bridge [Titan Ridge 4C 2018]
Model ID : 0xa207
NVM version : 23 (0x17)
Vendor : GIGABYTE
Device : GC-TITAN RIDGE
Image type : Full
Security Level : SL1
I also ran the patch command on the dumped firmware and it was successful but it doesn't detect my card anymore.
python3 tcfp.py patch OriginalFirmware23-BlueChip.bin -v 01:17:16
2020-12-17 01:40:37,953 - DEBUG - Found PCI ID: 0x15ea ('JHL7540 Thunderbolt 3 Bridge [Titan Ridge 4C 2018]')
2020-12-17 01:40:37,953 - DEBUG - Parsing DROM.
2020-12-17 01:40:37,953 - DEBUG - DROM declares bogus NVM version. Determining value using alternative method.
2020-12-17 01:40:37,953 - DEBUG - Got NVM version using alternative method: 23 (0x17)
2020-12-17 01:40:37,953 - DEBUG - Done parsing DROM.
2020-12-17 01:40:37,953 - WARNING - No matching SL patterns for PCI ID '0x15ea'. Ignoring PCI ID and trying all patterns instead.
2020-12-17 01:40:37,953 - DEBUG - [0] Heuristics match:
2020-12-17 01:40:37,953 - DEBUG - pci-id : JHL6540 Thunderbolt 3 Bridge (C step) [Alpine Ridge 4C 2016] (0x15d3)
2020-12-17 01:40:37,953 - DEBUG - sl : 1
2020-12-17 01:40:37,954 - DEBUG - sig : [{'offset': 0x800, 'value': b'\xff'}, {'offset': 0x1800, 'value': b'\x19'}]
2020-12-17 01:40:37,954 - DEBUG - patch : [{'offset': 0x0, 'value': b'\x00 \x08\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00'}, {'offset': 0x800, 'value': b'\x18'}, {'offset': 0x1800, 'value': b'\xff'}]
Vendor ID : 0xed
PCI ID : 0x15ea
PCI Device Name : JHL7540 Thunderbolt 3 Bridge [Titan Ridge 4C 2018]
Model ID : 0xa207
NVM version : 23 (0x17)
Vendor : GIGABYTE
Device : GC-TITAN RIDGE
Image type : Full
Security Level : SL1
2020-12-17 01:40:37,954 - WARNING - PCI ID unsupported, but current SL detected through heuristics. Patching may fail.
Image patched succesfully.
Hi Björn,
I tried the tool on a firmware I just dumped from a ThinkPad T470.
The parse command seems to work, but it cannot find a signature for ID 0x15c0.
python tcfp.py parse /media/sf_VM_Share/test.bin -v
2020-11-27 16:32:10,414 - DEBUG - Found PCI ID: 0x15c0 ('JHL6240 Thunderbolt 3 Bridge (Low Power) [Alpine Ridge LP 2016]')
2020-11-27 16:32:10,415 - DEBUG - Parsing DROM.
2020-11-27 16:32:10,415 - DEBUG - Done parsing DROM.
2020-11-27 16:32:10,415 - WARNING - PCI ID '0x15c0' has no known signatures. Ignoring PCI ID and trying all patterns instead.
2020-11-27 16:32:10,415 - DEBUG - [0] Heuristics match:
2020-11-27 16:32:10,415 - DEBUG - pci-id : JHL6540 Thunderbolt 3 Bridge (C step) [Alpine Ridge 4C 2016] (0x15d3)
2020-11-27 16:32:10,415 - DEBUG - sl : 1
2020-11-27 16:32:10,415 - DEBUG - sig : [{'offset': 0x0, 'value': b'\x00'}, {'offset': 0x800, 'value': b'\x19'}]
2020-11-27 16:32:10,415 - DEBUG - patch : None
2020-11-27 16:32:10,415 - DEBUG - [1] Heuristics match:
2020-11-27 16:32:10,415 - DEBUG - pci-id : JHL6340 Thunderbolt 3 Bridge (C step) [Alpine Ridge 2C 2016] (0x15da)
2020-11-27 16:32:10,415 - DEBUG - sl : 1
2020-11-27 16:32:10,415 - DEBUG - sig : [{'offset': 0x800, 'value': b'\x19'}]
2020-11-27 16:32:10,415 - DEBUG - patch : [{'offset': 0x800, 'value': b'\x18'}]
Vendor ID : 0x109
PCI ID : 0x15c0
PCI Device Name : JHL6240 Thunderbolt 3 Bridge (Low Power) [Alpine Ridge LP 2016]
Model ID : 0x1601
NVM version : 4 (0x4)
Vendor : LENOVO
Device : T470
Image type : Full
Security Level : SL1
When I try to use the patch command, it fails:
python tcfp.py patch /media/sf_VM_Share/test.bin -v
2020-11-27 15:42:05,253 - DEBUG - Found PCI ID: 0x15c0 ('JHL6240 Thunderbolt 3 Bridge (Low Power) [Alpine Ridge LP 2016]')
2020-11-27 15:42:05,253 - DEBUG - Parsing DROM.
2020-11-27 15:42:05,253 - DEBUG - Done parsing DROM.
2020-11-27 15:42:05,253 - WARNING - PCI ID '0x15c0' has no known signatures. Ignoring PCI ID and trying all patterns instead.
2020-11-27 15:42:05,254 - DEBUG - [0] Heuristics match:
2020-11-27 15:42:05,254 - DEBUG - pci-id : JHL6540 Thunderbolt 3 Bridge (C step) [Alpine Ridge 4C 2016] (0x15d3)
2020-11-27 15:42:05,254 - DEBUG - sl : 1
2020-11-27 15:42:05,254 - DEBUG - sig : [{'offset': 0x0, 'value': b'\x00'}, {'offset': 0x800, 'value': b'\x19'}]
2020-11-27 15:42:05,254 - DEBUG - patch : None
2020-11-27 15:42:05,254 - DEBUG - [1] Heuristics match:
2020-11-27 15:42:05,255 - DEBUG - pci-id : JHL6340 Thunderbolt 3 Bridge (C step) [Alpine Ridge 2C 2016] (0x15da)
2020-11-27 15:42:05,255 - DEBUG - sl : 1
2020-11-27 15:42:05,255 - DEBUG - sig : [{'offset': 0x800, 'value': b'\x19'}]
2020-11-27 15:42:05,255 - DEBUG - patch : [{'offset': 0x800, 'value': b'\x18'}]
Vendor ID : 0x109
PCI ID : 0x15c0
PCI Device Name : JHL6240 Thunderbolt 3 Bridge (Low Power) [Alpine Ridge LP 2016]
Model ID : 0x1601
NVM version : 4 (0x4)
Vendor : LENOVO
Device : T470
Image type : Full
Security Level : SL1
Error while processing firmware image: PCI ID unsupported, but current SL detected through heuristics. No patch pattern available for this SL signature. Aborting.
Is it possible to add the patch pattern for this specific PCI ID? If yes i would be happy to help.
This is the Firmware I dumped.
dump.zip
Hello, I am trying to disable the thunderbolt security level for macOS. However, Alienware m15 does not have the thunderbolt security level option in Bios. I found this script does not work with Alienware m15. I attach the prompts from the patch and the file.
File: http://www.mediafire.com/file/zcwtv8xbv2qg1ln/alienware_m15_tb.rom.zip/file
Parse:
user$ python3 ./tcfp.py parse ./tbdump.rom
2020-10-18 00:11:15,431 - WARNING - File size exceeds 229376 bytes. Controller may be unsupported.
2020-10-18 00:11:15,431 - WARNING - No matching SL patterns for PCI ID '0x15da'. Ignoring PCI ID and trying all patterns instead.
2020-10-18 00:11:15,431 - WARNING - No matching SL patterns found.
Vendor ID : 0xd4
PCI ID : 0x15da
PCI Device Name : JHL6340 Thunderbolt 3 Bridge (C step) [Alpine Ridge 2C 2016]
Model ID : 0x8a1
NVM version : 36 (0x24)
Vendor : Dell
Device : Alienware M15
Security Level : N/A
Patch:
user$ python3 ./tcfp.py patch ./tbdump.rom
2020-10-18 00:13:39,008 - WARNING - File size exceeds 229376 bytes. Controller may be unsupported.
2020-10-18 00:13:39,009 - WARNING - No matching SL patterns for PCI ID '0x15da'. Ignoring PCI ID and trying all patterns instead.
2020-10-18 00:13:39,009 - WARNING - No matching SL patterns found.
Vendor ID : 0xd4
PCI ID : 0x15da
PCI Device Name : JHL6340 Thunderbolt 3 Bridge (C step) [Alpine Ridge 2C 2016]
Model ID : 0x8a1
NVM version : 36 (0x24)
Vendor : Dell
Device : Alienware M15
Security Level : N/A
Error while processing firmware image: PCI ID supported, but unable to parse current SL (different NVM version?). Aborting.`
Is there any way to fix it to patch the rom?
I also confirmed that the default security level is User Authorization (SL1) with Windows 10.
Hi BjornRuytenberg,
I also ran a parse command on a dumped Gigabyte Alpine Ridge (Rev 2.0) TB3 firmware and here was the output.
$ python3 tcfp.py parse AlpineOriginalFirmware-BlueChip.bin -v
2020-12-17 11:44:25,930 - DEBUG - Found PCI ID: 0x15d3 ('JHL6540 Thunderbolt 3 Bridge (C step) [Alpine Ridge 4C 2016]')
2020-12-17 11:44:25,930 - DEBUG - Parsing DROM.
2020-12-17 11:44:25,930 - DEBUG - DROM declares bogus NVM version. Determining value using alternative method.
2020-12-17 11:44:25,930 - DEBUG - Got NVM version using alternative method: 20 (0x14)
2020-12-17 11:44:25,930 - DEBUG - Done parsing DROM.
2020-12-17 11:44:25,930 - DEBUG - Signature match:
2020-12-17 11:44:25,930 - DEBUG - pci-id : JHL6540 Thunderbolt 3 Bridge (C step) [Alpine Ridge 4C 2016] (0x15d3)
2020-12-17 11:44:25,930 - DEBUG - sl : 1
2020-12-17 11:44:25,930 - DEBUG - sig : [{'offset': 0x0, 'value': b'\x00'}, {'offset': 0x800, 'value': b'\x19'}]
2020-12-17 11:44:25,930 - DEBUG - patch : None
Vendor ID : 0xed
PCI ID : 0x15d3
PCI Device Name : JHL6540 Thunderbolt 3 Bridge (C step) [Alpine Ridge 4C 2016]
Model ID : 0xc019
NVM version : 20 (0x14)
Vendor : GIGABYTE
Device : GC-ALPINE RIDGE
Image type : Full
Security Level : SL1
I also ran the patch command on the dumped firmware and PCI ID supported, but no patch pattern available for this SL signature. Aborting.
python3 tcfp.pypatch AlpineOriginalFirmware-BlueChip.bin -v
2020-12-17 13:33:57,357 - DEBUG - Found PCI ID: 0x15d3 ('JHL6540 Thunderbolt 3 Bridge (C step) [Alpine Ridge 4C 2016]')
2020-12-17 13:33:57,357 - DEBUG - Parsing DROM.
2020-12-17 13:33:57,357 - DEBUG - DROM declares bogus NVM version. Determining value using alternative method.
2020-12-17 13:33:57,357 - DEBUG - Got NVM version using alternative method: 20 (0x14)
2020-12-17 13:33:57,358 - DEBUG - Done parsing DROM.
2020-12-17 13:33:57,358 - DEBUG - Signature match:
2020-12-17 13:33:57,358 - DEBUG - pci-id : JHL6540 Thunderbolt 3 Bridge (C step) [Alpine Ridge 4C 2016] (0x15d3)
2020-12-17 13:33:57,358 - DEBUG - sl : 1
2020-12-17 13:33:57,358 - DEBUG - sig : [{'offset': 0x0, 'value': b'\x00'}, {'offset': 0x800, 'value': b'\x19'}]
2020-12-17 13:33:57,358 - DEBUG - patch : None
Vendor ID : 0xed
PCI ID : 0x15d3
PCI Device Name : JHL6540 Thunderbolt 3 Bridge (C step) [Alpine Ridge 4C 2016]
Model ID : 0xc019
NVM version : 20 (0x14)
Vendor : GIGABYTE
Device : GC-ALPINE RIDGE
Image type : Full
Security Level : SL1
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.