Evidence WinXP "security updates" may break Linux

**Harry Kuhman** · 05-11-2003, 09:57 PM

Originally Posted by Ironi

I have two working DP83815 cards (and only a broken installation of Windows 98 on the box along with Debian). If you guys can figure out what EEPROM settings you need, I'll gladly post them.

I'm interested in this XP "security update" issue too. I have XP on my desktop (SiS900 onboard NIC), but I've disabled auto-updates and haven't updated it.

Ironi,

Sorry for the delay in getting back to you, I had mentioned here that I was going to be tied up for a while. I'm back now and will have more time to dedicate to this issue.

I'll respond to your post, then post what else I have in a separate post. There is a tool called natsemi-diag at http://www.scyld.com/diag/ that seems to access the information I need. You would need to download it and compile it (which involves remounting the HD that Knoppix opens in read only mode). Compile instructions are at the end of the file, compiles with Knoppix fine. Then run it from a shell with the sudo command:
"sudo natsemi-diag -ee". Sometimes I need the full path rather than the simple name, some times I do not; I'm enough of a Linux newbie that I don't know why yet, but if you give the full path for the name it should work. The -ee switch seems to be the information I need, but I wouldn't mind having the information that is given out with the -aa and the -mm switches too.

Thanks much for your help.

**Harry Kuhman** · 05-11-2003, 10:04 PM

Originally Posted by Junior G.

I configured my NICs using the Knoppix Tool under the KDE menu (KDE Menu/Knopix/Network & Internet/Network Card Configuration) and then tried connecting to the Internet - you should have seen my face when I saw www.google.com open up in Konqueror!!.

Junior,

Thanks. This is interesting. I didn't have to configure my NIC at all; it just worked fine after booting the CD. But then stopped after I ran the "security update".

There seem to be a lot of subtle differences in NIC configuration, though, so this isn't really a big surprise. I'm hard pressed to understand why anything would be different after installing Knoppix to hard disk, please let us know if you learn any more.

**Harry Kuhman** · 05-11-2003, 10:23 PM

I had hoped to be able to post the results of a test someone with some software tools for watching the nic eeprom was going to do, but don't have any information on that yet. Will post when I get it.

I did test Knoppix on another friend's system. I expected it to fail as he is running Xp will all of the current updates, but he was able to connect to the Internet with Knoppix just fine! However, he has a NIC that I haven't tracked down any information on yet, so it could well be that his chip set doesn't even do eeprom configuration. Again, will post if I find out more.

By the way, a follow-up to a question that aay asked about which nics have eeprom: Apparently all do, as it has become the way of choice for manufacturers to store the unique MAC address into a mass produced nic. That is not to say that all also use the eeprom to store configuration information, but as it is there for the MAC address, many if not most seem to take advantage of it for this too.

There is a new release of Knoppix available dated 3-May-03. This release has a new software tool called ethtool. I have not yet fully learned what this tool can tell me, but running "sudo ethtool eth0" from a shell I see that my misbehaving nic seems to now be configured as a half duplex 10 mbps nic with negotiation turned off. This in itself would not be enough to keep it for connecting to my Linksys switch (I've used the switch with some old half duplex 10 mbps cards and it works fine) but it certainly isn't the way the card should be configured; another confirmation that the configuration information has been changed.

Here's something strange to report: I have also tried a Knoppix based distribution called Morphix (the Game version, 0.3-5.iso) and , as expected, it couldn't connect to the switch or the 'net either. However, my "sudo mii-tool -r" and "netcardconfig" trick does NOT seem to work with Morphix as it does with Knoppix to get the network back up. I don't yet understand this and it seems very strange since Morphix is said to be Knoppix based. IF anyone has more insight on this it would be welcome.

**Ironi** · 05-16-2003, 12:21 PM

Hey Harry, we seem to have a latency problem.

I forgot to check back sooner - sorry. Here's the relevant portion of the EEPROM of my two NetGear FA311 cards (National Semiconductor Corporation DP83815 (MacPhyter)).

Edited to remove (what I think is a) MAC address... 'x' is not a valid hexadecimal value.

Common to both cards:

Code:

   Rx filter index 6 is 0000
   Rx filter index 8 is 0000
   Rx filter index 10 is 0000
   Rx filter index 12 is 0000
   Rx filter index 14 is 0000
 EEPROM address length 6.
EEPROM contents:
   0x000:  1385 f311 0b34 41f3 0000 0000 0000 8xx0
   0x008:  xxxx xxxx 1915 xxxx ffff ffff ffff ffff
   0x010:  ffff ffff ffff ffff ffff ffff ffff ffff
   0x018:  ffff ffff ffff ffff ffff ffff ffff ffff
   0x020:  ffff ffff ffff ffff ffff ffff ffff ffff
   0x028:  ffff ffff ffff ffff ffff ffff ffff ffff
   0x030:  ffff ffff ffff ffff ffff ffff ffff ffff
   0x038:  ffff ffff ffff ffff ffff ffff ffff ffff
Decoded EEPROM contents:
  PCI Subsystem IDs -- Vendor 0x1385, Device 0xf311.
  PCI timer settings -- minimum grant 11, maximum latency 52.
  Wake-On-LAN password 00:00:00:00:00:00.

MAC precedes 1915; checksum is immediately after 1915. I'm not sure what '8xx0' (xx = different on both cards) is on line 0x000 - part of the MAC maybe?

Hope that helps.

**Harry Kuhman** · 05-16-2003, 05:40 PM

Ironi,

Thanks, I'll try to see how that matches up with my eeprom later today. I do see one thing different; my eeprom has some of the bytes near the end filled in (non-ff values), But as I only looked at it after the M$ "update", that could well be something that M$ did too.

I'm still trying to get a hard and fast confirmation that M$ security updates change these values. Interested in sacrificing one of your cards for the cause (since you now have the original settings you should be able to reset them if need be)? If you're running XP then I would suggest just taking all updates and see if the eeprom is changed. If Win98 then Striker2002 posted a link to the update that he thinks is at least one source of the problem in the 4th message in this topic.

**Harry Kuhman** · 05-17-2003, 03:15 AM

Ironi,

I've had a chance to compare my eeprom setting with yours, so far the information isn't very telling:
The first two items, the Vendor and Device ID's are, naturally, different. This was expected, even though they use the same chip, so no clues here. The next two blocks, 0b34 and 41f3 match, as do the three sets of 0000. Not sure how you figured out that the mac address follows; my contents don't directly match my mac address anywhere in all of that data, but I guess it could be scrambeled for some strange reason. Since the natsemi-diag does determine the mac address, it must know how to descramble it and exactly where it is stored. Guess my next step is to pick through the code to determine if or if not this is really the mac address. I'll post back either way when I know. That leaves the block of data you have as 1915. I have a 1905 there. This single bit could be the difference, but I have doubts; will need to determine what it is trying to do to configure the chip, but at least it gives me something to focus on.

Other feedback on this topic seems to have died down. I believe that while it seems extremely likely that the M$ "security update" is the cause of this problem, it's far from proved. More feedback from anyone and everyone that has anything to contribute to this would still be very welcome.

**Ironi** · 05-18-2003, 08:23 PM

Originally Posted by Harry Kuhman

Ironi,
I'm still trying to get a hard and fast confirmation that M$ security updates change these values. Interested in sacrificing one of your cards for the cause (since you now have the original settings you should be able to reset them if need be)?

Perhaps, if I knew how to restore the original EEPROM settings.

If you're running XP then I would suggest just taking all updates and see if the eeprom is changed. If Win98 then Striker2002 posted a link to the update that he thinks is at least one source of the problem in the 4th message in this topic.

I've got Windows 98 on the box, but it's broken (won't even boot)... I suppose I could install XP, but I don't really want to.

**Harry Kuhman** · 05-18-2003, 11:36 PM

Originally Posted by Ironi

Perhaps, if I knew how to restore the original EEPROM settings.

Well, first of all let me say clearly that I have not done this yet myself (I haven't figured out yet exactly what the setting should be in my HP notebook NIC). But the same place you got the diag that you used to read the rom, http://www.scyld.com/diag/index.html, says that -w (or in same cases -w -w ) can be used to write the values back to the eeprom. -w is listed as an option "implimented in all diagnostic programs". I'm not certain of the exact syntax of this command, but the factor stopping me from resolving it is that I don't yet have a full pre-update set of values.

If you're looking at a built-in nic in a notebook, then I would say use caution rather than experimenting. But if (I thought this was the case) your nics are separate cards, then the worst that should happen is a card could get changed. NIC cards are cheap (for example, you can get one free after rebate this week at OfficeMax, so you're just out sales tax and a stamp). Between that and the likelyhood that the setting can be recorded and restorded should make it worth doing to prove if the update is really the source of the problem (and if something else is changing these NICs rather than M$ "security updates" we really need to know that.

**stevethayne** · 05-24-2003, 03:49 PM

More fuel to the fire...the spare network card I had been successfully using for Knoppix, and retained for Knoppix only, I had to start using for XP. (long story...I messed up my XP settings somehow - can't reinstall the original network card.) Had refused any security updates from XP, as far as I know. But this spare card now no longer works for Knoppix. Interesting. Surely Microsoft can't be actively modifying the eeproms of all cards, or all that have accessed the net through Knoppix, to stop them accessing the web. Looks I'm becoming one of those weird conspiracy theorists....which way Roswell people....?!

**stevethayne** · 05-25-2003, 09:30 PM

This is a continuation of the previous post for me really - just to say that Morphix now connects me to the net fine, whereas the Knoppix cd that did last night, did not this am, with no intervening use of anything else - tried it again after switching off the modem. Anyway, selfishly, I have a net connection with Linux, so am happy - but still curious as to what the issues are.