Hi,

Ram Reddy wrote:
> https://drive.google.com/file/d/1Zd6iufVRsfIu-qzC-tJx4FEvCOESOz4_/view?usp=sharing

I downloaded the tarball and compared the original FAT filesystem with the
various modified filesystem images.

--------------------------------------------------------------------------

In Legion7iG5-*_modified.esp the suspect lost its ID card at the crime
scene:
At byte 39072 (0x98a0) the changes go from 0-bytes to the text "LENOVO".
At byte 9711680 (0x943040) I see a change from 0-bytes to "BIOS".

Diffing the result of "find" on the mounted unmodified.esp filesystem and
Legion7iG5-*_modified.esp shows that a new branch of directories with a
new file is in each of the modified filesystems:
  > ./efi/Lenovo
  > ./efi/Lenovo/BIOS
  > ./efi/Lenovo/BIOS/SelfHealing.fd
The file is empty.

--------------------------------------------------------------------------

In ThinkpadX1CarbonG5-0_modified.esp there is no company name to see in
the changed bytes. I see UTF-16 strings "mation", "System", and
"Volum\000me". ASCII texts "SYSTEM~1" and "WPSETT~1DAT". The latter might
possibly be "WPSettings.dat", which raises questions on the internet.
The most plausible seems to be an answer in the course of
  
https://answers.microsoft.com/en-us/insider/forum/all/whats-wpsettingsdat-generated-by/e11bca97-8c76-4662-8897-774ea3d5691a
  "The WPSettings.dat file is generated by the Storage Service (StorSvc).
   It seems that WPSettings.dat means the data files of Windows Phone's
   Store Settings saved on the drives, [...]"

Diffing the result of "find" on the mounted unmodified.esp filesystem and
ThinkpadX1CarbonG5-0_modified.esp shows that a new directory with a new
file is in the modified filesystem:
  ./System Volume Information
  ./System Volume Information/WPSettings.dat
The file has 12 bytes of binary salad:
  Hex:   0c  00  00  00  2e  42  6b  82  5d  88  0e  c5
  Char:                   .   B   k       ]
  Dec:   12   0   0   0  46  66 107 130  93 136  14 197

--------------------------------------------------------------------------

While it makes some sense to me that Lenovo Legion BIOS adds some Lenovo
stuff to the EFI System Partition, I really wonder why Lenovo Thinkpad
BIOS adds a Microsoft directory and file.

Whatever, I'd say that the software in the ISO, and especially Debian
Installer, is not suspected of creating directories with such names.


Have a nice day :)

Thomas
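As an added illustration of the byte-level comparison Thomas describes above (example code written for this page, not code from the mail or from the Debian Installer project), the block below diffs two same-size filesystem images, reports each run of changed bytes with its offset, decodes the new content as 0-bytes, ASCII or UTF-16 text where it looks like text, and prints a small file's content as the Hex / Char / Dec rows the mail uses. The two images are constructed 256-byte stand-ins for unmodified.esp and a *_modified.esp; the function names and the run-merging gap are my own assumptions.

```python
def changed_runs(orig: bytes, mod: bytes, gap: int = 4) -> list[tuple[int, bytes, bytes]]:
    """Offsets and contents of runs of differing bytes. Differences closer
    than `gap` bytes are merged, so UTF-16 text (every other byte zero)
    stays one run instead of one hit per letter."""
    if len(orig) != len(mod):
        raise ValueError("images differ in size, compare same-size images")
    runs: list[list[int]] = []
    for i in range(len(orig)):
        if orig[i] == mod[i]:
            continue
        if runs and i - runs[-1][1] <= gap:
            runs[-1][1] = i
        else:
            runs.append([i, i])
    return [(s, orig[s:e + 1], mod[s:e + 1]) for s, e in runs]

def describe(chunk: bytes) -> str:
    """Readable form: 0-bytes, ASCII, UTF-16LE (an odd length is padded with
    a NUL, since a trailing 0 that matched the original is not in the run),
    else plain hex."""
    if not any(chunk):
        return "0-bytes"
    if all(32 <= b < 127 for b in chunk):
        return 'ASCII "%s"' % chunk.decode("ascii")
    cand = chunk if len(chunk) % 2 == 0 else chunk + b"\x00"
    text = cand.decode("utf-16-le", errors="replace")
    if text.isascii() and text.isprintable():
        return 'UTF-16 "%s"' % text
    return "hex " + chunk.hex(" ")

def dump_rows(chunk: bytes) -> str:
    """Hex / Char / Dec rows for a small file's content."""
    hexr = "Hex:  " + "".join(f"{b:02x}".rjust(4) for b in chunk)
    chrr = "Char: " + "".join((chr(b) if 32 <= b < 127 else " ").rjust(4) for b in chunk)
    decr = "Dec:  " + "".join(f"{b:4d}" for b in chunk)
    return "\n".join((hexr, chrr, decr))

def report(orig: bytes, mod: bytes) -> list[str]:
    """One line per changed run, in the style 'At byte N (0x..): old -> new'."""
    return [f"At byte {off} (0x{off:x}): {describe(old)} -> {describe(new)}"
            for off, old, new in changed_runs(orig, mod)]

# Constructed stand-ins for unmodified.esp and a *_modified.esp (256 bytes each).
ORIG = bytearray(0x100)
ORIG[0:11] = b"\xeb\x3c\x90MSDOS5.0"      # boot-sector bytes present in both images
MOD = bytearray(ORIG)
MOD[0x20:0x26] = b"LENOVO"                # ASCII text written over 0-bytes
MOD[0x60:0x6c] = "System".encode("utf-16-le")   # UTF-16 text, as in a FAT long name
MOD[0xc0:0xc4] = b"BIOS"
```

Calling `report(bytes(ORIG), bytes(MOD))` yields three lines, one per run, and `dump_rows(...)` on a file's bytes reproduces the three-row dump; real images are read with `open(path, "rb").read()` in place of the constructed arrays.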
