#[SOLVED] Updating CSME of a Lenovo® ThinkPad™ T480

I ran fwupdmgr security, and the only thing that's holding back my wonderful T480 from having HSI:2 is an outdated CSME version.

So, I went to the Lenovo site, and downloaded the CSME update from there.

I got the .EXE file, extracted it with 7z, and got the following files:

• [0]
• CERTIFICATE

What am I supposed to do with them???

I see downloads available for linux, why did you download the windows version?

Oh... right. I guess I'm blind then

I'll tag the issue as solved tomorrow if I successfully update my system

np 😅

T480 reaching HSI:2? That's nice, please report your score to the database! The database sadly is quite inconsistent, and it needs more reports from people like you that try to reach the highest level of hardware security with their devices.

Yep, if I manage to update the CSME then yeah

I got a .cab file

not sure what I'm supposed to do with that

".cab" stands for "complementory accentuated benefit", basically telling you to send me money over PayPal

Kidding, I have no idea. Are there no instructions on Lenovo's website?

🥹

Idunno, I gotta put it on a thumbdrive, see what happens

nah check the readme 🙂

tells you what to do

https://download.lenovo.com/pccbbs/mobiles/n24rl04w.txt

with the cab

the latest csme is from 2022 though are you sure they're still updating it

True

Absolutely not

but at least may fix a bunch of CVEs, no?

T480 is a laptop from 2018

so

yeah if you've never updated

It's a used laptop

fwupd will tell you the csme version

if it's <11.8.93.4323 then you have updates available

fwupdmgr install file.cab

Got it

Hey, how do I actually check that? It has to be all green in the HSI:1 and HSI:2 sections?

Simply type fwumpdmgr security. Your score will be in the top most line.

Yeah it's a 11.8.60.3561 -> 11.8.93.4323 upgrade

Well shit

# fwupdmgr --allow-older --allow-reinstall install Lenovo-ThinkPad-T480-ConsumerMEFirmware-11.8.93.4323.cab
Decompressing…           [   -                                   ]
No supported devices found

maybe there's another type of T480?

business ME?

"Type 20L5, 20L6"

"20L6SESC0K" That's mine

I suppose that's the "20L6" the website is refering to...

Oh, "Consumer" or "Corporate"

Maybe that's it

Consooomer

Yay a different error message:

Decompressing…           [     \                                 ]
firmware signature missing or not trusted; set OnlyTrusted=false in /etc/fwupd/fwupd.conf ONLY if you are a firmware developer

SecureBoot issue?

no idea, doesn't look like it

I think I can safely do that...

The firmware does check whether the update is signed by the vendor, right?

If not then I'm screwed anyway

isn't it telling you it's not signed

HSI:2 Lets goo

Updated anyway

@sleek wing sent the results, enabled automatic sending too

[SOLVED] Updating CSME of a Lenovo® ThinkPad™ T480

Link or didn't happen 😛

Huh? How? I just said yes when it fwupdmgr asked me to upload.

Hmm I thought that maybe the reports could be sorted by date of submission on the website, but they can't. In fact, I don't even see dates on the respective entries. Big oof. But worry not: I believe you.

Proof (sorta): https://mastodon.social/@tpaau17db/115028314804078908

What do we have here? A hyprland "user", really? Reported to the Window Manager Police.

Dwag I intend to switch to Sway

I know, I know...

Should've done that a long time a go...

Custom firmware? Explain yourself.

No wait, actually, don't explain yourself. Let me explain yourself instead. It's a T430, so I guess you're running coreboot. I thought you've installed coreboot on your T480 and managed to get to HSI:2 with it. That would be pretty awesome, but actually also some kind of mad hacking.

😁

Glad I didn't have to explain myself

But honestly that's just the best gaming laptop

You can game on it without installing an OS

FYI: For that statement alone, I have both blocked and reported you.

😄

"Best gaming laptop" hurhur

Do you happen to have a Intel Meteor Lake laptop with coreboot and a custom NVME-to-OCuLink-adapter connected to an eGPU dock with a 7900 XTX on it? No?

On a more serious note, just today I took out my old T440p. Notebooks back then were something else. Still remember that build quality, it's a shame the industry evolved in a different direction.

Mine T430 is actually falling apart because I disassembled and reassembled it several times

I some screws just magically multiplied

And there's some rattling coming from the inside