Is recovery from: '0x17 RW firmware version rollback detected.' possible?


DennisLfromGA

Jan 19, 2017, 12:02:47 PM
to Chromium OS discuss
We've run into this a few times now in Chromebook Central and haven't had any success to date.

The OP has tried to do a full recovery with the current recovery image but it fails with 'an unexpected error has occurred'.
When pressed for more details they get the message: "recovery_reason: 0x17 RW firmware version rollback detected."

I think this indicates a firmware version mismatch between what's on their Chromebook and the recovery image, I'm not 100% sure, though.
I don't know how this came about exactly, possibly a modified 'testing' Chromebook firmware version or a Developer mode tweak with the write-protect screw removed/defeated ???

I was wondering if there is a way to tell what kernel version is being supplied with the current recovery image for a particular device?
That might help pinpoint a firmware version mismatch much quicker and easier when they show us the recovery screen results from the 'tab' key similar to the below -


The recovery.conf file only lists the file name with the Chrome OS version, similar to: chromeos_8350.68.0_squawks_recovery_stable-channel_mp.bin
If there was a way to grab the firmware version from the recovery image that would help in these scenarios.

I guess the real question though is, is there any way to force the recovery in verified boot mode when the firmware versions don't match.
I think the TPM is designed to prevent this 'rollback' but I don't know if it can or even should be overridden.

I don't know much about all the details of this so my questions may be way off the mark, if so, sorry.
-DennisL

Shawn N

Jan 19, 2017, 3:58:37 PM
to denny.l...@gmail.com, Chromium OS discuss
On Thu, Jan 19, 2017 at 9:02 AM, DennisLfromGA <denny.l...@gmail.com> wrote:
> We've run into this a few times now in Chromebook Central and haven't had any success to date.
>
> The OP has tried to do a full recovery with the current recovery image but it fails with 'an unexpected error has occurred'.
> When pressed for more details they get the message: "recovery_reason: 0x17 RW firmware version rollback detected."
>
> I think this indicates a firmware version mismatch between what's on their Chromebook and the recovery image, I'm not 100% sure, though.

I believe this means you previously booted a RW FW with key ver. 5 (0x00050001 >> 16), and now you're trying to boot a RW FW with key ver. < 5. So, verified boot treats this as a possible rollback attack.
 
> I don't know how this came about exactly, possibly a modified 'testing' Chromebook firmware version or a Developer mode tweak with the write-protect screw removed/defeated ???

Most likely an old recovery image was used to roll back to an RW FW which has a lesser key ver. Please make sure you're using the latest and greatest recovery image available for your board.
 

> I was wondering if there is a way to tell what kernel version is being supplied with the current recovery image for a particular device?
> That might help pinpoint a firmware version mismatch much quicker and easier when they show us the recovery screen results from the 'tab' key similar to the below -
>
> The recovery.conf file only lists the file name with the Chrome OS version, similar to: chromeos_8350.68.0_squawks_recovery_stable-channel_mp.bin
> If there was a way to grab the firmware version from the recovery image that would help in these scenarios.

You need to grab the FW updater script from that .bin (you can use src/platform/factory/setup/mount_partition.sh in the chroot), then extract bios.bin from the FW updater script (/mount/usr/sbin/chromeos-firmwareupdate --sb_extract <extract_path>), then run the extracted bios.bin through futility (sources in vboot_reference repo):

$ futility verify ./bios.bin
...
Key block:               VBLOCK_A
  Signature:             valid
  Size:                  0x8b8
  Flags:                 7  !DEV DEV !REC
  Data key algorithm:    8 RSA4096 SHA512
  Data key version:      5
... 

My bios.bin was extracted from the latest dev. channel squawks recovery image - " Data key version:      5". So if you actually install this FW on that machine, you shouldn't run into the same error.


> I guess the real question though is, is there any way to force the recovery in verified boot mode when the firmware versions don't match.
> I think the TPM is designed to prevent this 'rollback' but I don't know if it can or even should be overridden.

You can enable GBB_FLAG_DISABLE_FW_ROLLBACK_CHECK / 0x20 to ignore this rollback check entirely, e.g. through set_gbb_flags.sh on your device. I suggest not to do this on your machine, unless you don't care about security.

Also two things about this machine seem sketchy:

1. HWID is "SQUAWKS TEST A-A" - this is the default HWID. It looks like the VPD was wiped out at some point.
2. GBB flags 0x140 are currently set. These are flags we normally use during automated FW testing, I don't know why anyone else would ever want to set those flags.
 

> I don't know much about all the details of this so my questions may be way off the mark, if so, sorry.
> -DennisL

--
--
Chromium OS discuss mailing list: chromium-os-discuss@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-os-discuss?hl=en
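
Added example, not part of the thread and not code from vboot_reference: a Python check that reads the `Data key version` from `futility verify` output and compares it with the stored version shown on the recovery screen, the comparison Shawn describes for recovery reason 0x17. It assumes the low 16 bits of the stored value hold the firmware version and that the preamble prints a `Firmware version:` line; the function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample. The key block lines are excerpted from the output quoted
# in the thread; the "Firmware version" preamble line is assumed.
SAMPLE_FUTILITY_OUTPUT = """\
Key block:               VBLOCK_A
  Flags:                 7  !DEV DEV !REC
  Data key version:      5
Firmware Preamble:
  Firmware version:      1
"""

GBB_FLAG_DISABLE_FW_ROLLBACK_CHECK = 0x20  # value given in the thread

def split_fwver(tpm_fwver):
    """Split the stored 32-bit version: key version in the high 16 bits
    (as in the thread), firmware version assumed to be the low 16 bits."""
    return tpm_fwver >> 16, tpm_fwver & 0xFFFF

def image_versions(futility_output):
    """Return {key block name: {"Data key": n, "Firmware": n}}."""
    versions, block = {}, None
    for line in futility_output.splitlines():
        m = re.match(r"Key block:\s+(\S+)", line)
        if m:
            block = m.group(1)
            versions[block] = {}
        m = re.match(r"\s+(Data key|Firmware) version:\s+(\d+)", line)
        if m and block:
            versions[block][m.group(1)] = int(m.group(2))
    return versions

def check_image(tpm_fwver, futility_output, gbb_flags=0):
    """Give a verdict per key block for an image against the stored version."""
    stored = split_fwver(tpm_fwver)
    verdicts = {}
    for name, v in image_versions(futility_output).items():
        if "Data key" not in v:
            continue  # no key version printed for this block; nothing to compare
        # Without a firmware version line, compare on key version alone.
        image = (v["Data key"], v.get("Firmware", stored[1]))
        if image >= stored:
            verdicts[name] = "ok"
        elif gbb_flags & GBB_FLAG_DISABLE_FW_ROLLBACK_CHECK:
            verdicts[name] = "rollback check disabled by GBB flag"
        else:
            verdicts[name] = "rollback (recovery_reason 0x17)"
    return verdicts
```

With the GBB flags 0x140 mentioned in the thread, bit 0x20 is clear, so an older image is still reported as a rollback.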


DennisLfromGA

Jan 19, 2017, 4:10:49 PM
to Chromium OS discuss, denny.l...@gmail.com
Shawn,

Thanx very much for the explanation and information.

I should have been clear that the image I posted was not the subject device, just one I found for an example.
Sorry for the misinformation.

DennisL


Shawn N

Jan 19, 2017, 4:13:55 PM
to denny.l...@gmail.com, Chromium OS discuss
On Thu, Jan 19, 2017 at 1:10 PM, DennisLfromGA <denny.l...@gmail.com> wrote:
> Shawn,
>
> Thanx very much for the explanation and information.
>
> I should have been clear that the image I posted was not the subject device, just one I found for an example.
> Sorry for the misinformation.

No problem, the general advice for fixing this is -- "download + install a newer recovery image".
 


DennisLfromGA

Jan 19, 2017, 5:08:25 PM
to Chromium OS discuss, denny.l...@gmail.com
Thanx so much for the advice, I'll pass it on.

The original OP has since left Chromebook Central since the mere mention of Developer mode gets them shooed away.
It would have been nice to have gotten a picture of their fwver and kernver though, maybe they'll show up on crouton central, a site we often refer them to.

DennisL