New LG Gram 17

Discussion in 'LG' started by vvb8890, Jan 16, 2019.

  1. hfm

    hfm Notebook Prophet

    Reputations:
    1,888
    Messages:
    4,333
    Likes Received:
    2,034
    Trophy Points:
    231

    If you have the Intel RST driver installed try uninstalling that.
     
  2. jDally987

    jDally987 Newbie

    Reputations:
    0
    Messages:
    6
    Likes Received:
    1
    Trophy Points:
    6
    Thanks, it feels like forever since I posted that but, a lot has happened lol. Seems the thread's dead-ish now which sucks, because man have I torn into this PC.

    First, real quick side note about intel RST... I was just now looking through their Optane page, and apparently our i7-8565u and its board/chipset (CNL PCH-LP (U) Premium SKU...?) - at least that's what I'm seeing on my R.AAS7U1 (2019 model) under Platform Information in the advanced bios settings - are capable of supporting Optane?

    I don't actually know much at all about optane but I've heard it's the bees knees.
    What's more is I think maybe the RST driver causes so much grief ONLY because, LG might've misconfigured our BIOS settings.

    That would also explain my interrupts problem. I think the ACPI settings are just not optimized right, and thus no matter RST driver installed or not, (I always get them with or without the driver, even on a clean install of windows; ~5k context switches/sec) the OS is constantly pinging the driver interface or whatever and one of them responds by sending a ton of interrupts.

    If that's indeed the case, it would make sense because I have a theory that a lot of the settings under these crazy tricked-out unlocked bios options were left at weird defaults, basically I suspect LG might've definitely gotten lazy and dropped the ball on tuning everything correctly before shipping these laptops.
    There's evidence of that if you look at certain other stuff, like a lot of Thunderbolt settings "disabled", and a bunch of the other various intel platform settings.
    The best example might be in the Intel Advanced Menu > PCH-IO config > Serialio Configuration. In there I see I2C0, I2C3, and SPI1 being the only ones "enabled", and if you go to each of those controllers' settings near the bottom, it looks like intel suggests I2C0 to be the Touchpad by default for that serialio port, but in its Settings it's "Disabled". wtf?

    I'm only slowly learning what all these options do through hectic google searching but my best guess is that LG must be using those 3 as just dummy controllers, because in the help pane for each controller's enabled/disabled setting, it says certain ones depend on each other - I2C0 depends on I2C1, 2, and 3; and apparently UART0 "cannot be disabled when its child device is enabled", for which it uses the CNVi bluetooth device (bth0) as an example.

    It looks to me almost like they wanted to keep UART0 in play for some reason, which necessitated keeping its other codependent controllers on, and then they're just routing the touchpad/fingerprint/other input devices assigned to those controllers to the CPU some other way? And then just blocked whatever i/o they would've been sending?



    ..............Which, brings us to the final thing I wanted to put out there and get all your opinions on. Is there some kind of inherent security vulnerability that LG left wide open by leaving one of these bios options at their default?

    Because it turns out I was right, in a way..... I DID have a virus, or at least some kind of malware type thing, and holy CRAP is it an absolute nightmare. I've been messing around and digging into the settings of every computer I got my hands on since I was basically a year old, and I've never wasted so much time & frustration on troubleshooting something "weird" going on in my machine, as I have in these past almost 2 (!) weeks -__________-

    Besides the interrupts, I noticed some odd "signs" of something weird in Windows, but they were random and non-correlated and I couldn't pin down a single root source that pointed towards legit malware pretty much the whole time. It was just little anomalies like the Modified Date of C:\Windows\system32 files not matching each other; opening .exe and .mui files in notepad would reveal calls to .rdata and EFI resources that just looked like they shouldn't be there in the Pen & Tablet service's directory, to name one example (in program files\common files).... stuff like that. I was seriously starting to wonder if I'd gone off the deep end and looking for something that wasn't there but I was convinced was an attacker remoting into my PC somehow.

    Well it actually was. I talked to some security people once I narrowed down the processes & services that were clearly amiss, and they told me it's apparently an old malware technique, and notoriously hard to either detect OR get rid of: using the WMI (windows management instrumentation) to remotely take over a regular win10 PC and set it up as if it were an Active Directory client (like you'd do with the computers on a corporate WAN if you were the company's IT guy), and then lock down Group Policy to prevent the user from making changes to their own system themselves. From there I guess you're able to do whatever you want, collect keystrokes, manipulate their network connections and make the system remotely download more goodies from your own servers, etc etc. Looking in the event logs, there were a lot of log categories turned off/missing entirely and permissions set to restrict my own access to them (as an Administrator on my own machine), clueing me in to the fact that they were almost definitely hiding their own tracks as they went along too.

    Anyway.......... I still haven't figured out what the hell I can even do about it lol, because worst of all this thing seems to replicate itself onto any new Windows install USB's I make with the media creation tool, and instantly takes over any blank USB's I plug in, making autorun.inf's in hidden folders with invalid characters in their path names (like colons especially "D:\System Volume Information\:\autorun.inf:"), as I found out with some of the file monitoring NirSoft utilities.
    It's a freaking monster. I think I might try just getting a friend to make a (hopefully) 100% clean windows USB for me and drop it off at my house, that's literally the only thing left to try, because I've exhausted every other option I can think of to wipe my drives and do a clean reinstall without the malicious files setting themselves up from the very beginning. And yeah I've probably done 6-8 reinstalls in the past couple weeks, across my Gram and 2 different Thinkpads I had sitting around/in storage.. nothing's worked so far. Always end up with WMIprvSE.exe running along with sketchy looking rundll32.exe processes and COM Host Provider services to go with them.


    But to get back to the Gram specifically, I've been trying to nail down where this could've started, and I think it has something to do with all the kernel debugging settings in the bios. It looks like "Legacy UART0" is set to handle any kernel debugging output, although consent for debugging looks to be Disabled so maybe another setting or combination of settings in the other menus, like serialio.
    I did notice crucially that in the windows setup logs it has some stuff right at the beginning where it's loading the bluetooth drivers (bth0.inf or something) that look inconsistent with the rest of the driver setup, and if that has anything to do with the "child item" (bth0) being enabled along with Connectivity (CNVi), and that it says that being enabled makes UART0 *unable* to be *disabled* - well maybe UART0 is being forced on despite what it says under the actual kernel debugging settings, and it happily broadcasts our kernel's activities the moment you boot up, (oh and there is a Network Kernel Debugging driver sitting there in Device Manager.... so displaying kernel debug info over any bluetooth/wifi/wired networks) at which point attackers sniffing for the right ports can get the info they need to worm their way into Windows and make you their obedient little WMI client machine.

    It took me a lot of yelling and lack of sleep to put all this together, I know it sounds probably downright freaking insane, but I took dump logs, screenshots, file copies, the whole 9 yards to prove it, if anyone's interested.

    Whoever it is that currently owns my entire Gram via this WMI attack has done a great job of making me hilariously paranoid lately, lol, but I need some input from everyone else here; check your Group Policy editor, sort the administrative templates by Managed or Unmanaged, are almost all of them showing up as managed? If so you might have the same problem as me and not even know it.

    Either way, I'd really like to get some real clarification on what all these bios settings do exactly, what they SHOULD be set to by default to avoid some kind of catastrophic and easily-preventable security hole that might've resulted from LG shipping a broken bios setup, and why all of them were left like that, and the bios so thoroughly unlocked in the first place. (and I'm not complaining about it being unlocked, btw... I didn't even know manufacturers had access to this many options and I'm loving the idea of tweaking all of them myself to potentially let my computer run better than they might've been able to do themselves. BUT - I'd really at least like to have the assurance that running the laptop with everything default isn't horribly compromised and leaving me open to needless personal info leaks right out of the gates)
     
  3. palatkik

    palatkik Notebook Consultant

    Reputations:
    23
    Messages:
    205
    Likes Received:
    5
    Trophy Points:
    31
    Anyone using this laptop in hot environments? I'm in 38C 80% humidity most days this time of year and finding the CPU gets hot, the area above the F8-F10 keys is too hot to touch really. Can this cause damage long term do you guys think? Maybe I should take the back off and give it a clean I suppose, could be some dust adding to the issue. If I run Speccy it says the CPUs are about 65-70C.
     
    Last edited: May 23, 2020
  4. hfm

    hfm Notebook Prophet

    Shouldn't hurt anything. CPU can run at 90 with no issues, it's within spec.
     
  5. hfm

    hfm Notebook Prophet

    That's a lot... I can maybe comment on a couple things

    Optane
    We don't have Optane-enabled memory/storage on this unit, it's useless here, and would not help it achieve anything further anyway. The default Microsoft AHCI driver is plenty capable, and in my case Intel's driver was causing performance issues. As soon as I uninstalled that driver my problems disappeared.

    Malware
    If you haven't found any specific malware, how do you know you are/were infected with malware? System32 file modified dates being different is not generally an issue unless you've found evidence of files that are known to only legitimately have a specific date. You aren't going to discover anything useful opening binaries in notepad I don't think. There are a lot of processes that run under svchost and utilize rundll32, one on my machine happens to be nvidia stuff. Have you used Process Explorer to try to get better info about your process trees to see what is utilizing rundll32 to load a library? Download it here: https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer and use the 64-bit executable.

    Also
    This is typical as well, you don't want your user to have this type of access generally, can you specifically tell me which things you are talking about? Usually windows will throw a User Access Control dialog at you so you can confirm that you want to do something with an escalated privilege. Think of it as an analogue to sudo on a unix-like OS.


    Configs
    Just picking an example. Just because Thunderbolt settings are set to disabled, for instance, doesn't mean that is a wrong configuration setting. I'm using an eGPU over TB3 and it works fantastically at whatever defaults LG used. I don't think there's a more strenuous TB peripheral than that.

    It seems like you're digging into a lot of things and not quite understanding exactly what they mean and inferring or perhaps being told erroneously that they should be configured a certain way but that isn't universally true. Something being disabled isn't specifically a bad thing depending on what it is, and context is very important there.
     
    Last edited: May 24, 2020
    JRE84 likes this.
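
    Added example, not part of any post in this thread: the checks discussed above (is the PC really joined to a domain, are there WMI persistence entries, what is launching rundll32) can be done read-only from an elevated PowerShell prompt. It uses only standard CIM classes; the output layout is this example's own choice.

```powershell
# Added example: read-only triage. Run in an elevated PowerShell session.

# 1. Domain membership. A home PC that was never joined to Active Directory
#    reports PartOfDomain = False and a workgroup name in Domain.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
[pscustomobject]@{
    Computer     = $cs.Name
    PartOfDomain = $cs.PartOfDomain
    Domain       = $cs.Domain
} | Format-List | Out-String

# 2. Permanent WMI event subscriptions: the filter / consumer / binding
#    triple stored in root\subscription is how WMI-based persistence is
#    registered. A stock install typically shows only an "SCM Event Log"
#    filter and consumer; anything else deserves a closer look at what the
#    consumer runs (CommandLineTemplate, ScriptText, ...).
$classes = '__EventFilter', '__EventConsumer', '__FilterToConsumerBinding'
foreach ($class in $classes) {
    "== $class =="
    Get-CimInstance -Namespace 'root/subscription' -ClassName $class `
                    -ErrorAction SilentlyContinue |
        Select-Object * -ExcludeProperty 'Cim*', 'PSComputerName' |
        Format-List | Out-String
}

# 3. Every rundll32.exe with its full command line (which DLL and export it
#    was asked to load) and its parent process. WmiPrvSE.exe itself is the
#    normal WMI provider host, so its presence alone proves nothing.
$procs = Get-CimInstance -ClassName Win32_Process
$byId  = @{}
foreach ($p in $procs) { $byId[$p.ProcessId] = $p }

$procs | Where-Object { $_.Name -eq 'rundll32.exe' } | ForEach-Object {
    # Parent PIDs can be reused after the parent exits, so treat the
    # parent name as a hint and confirm it in Process Explorer.
    $parent = $byId[$_.ParentProcessId]
    [pscustomobject]@{
        PID         = $_.ProcessId
        CommandLine = $_.CommandLine
        ParentPID   = $_.ParentProcessId
        ParentName  = if ($parent) { $parent.Name } else { '(exited)' }
    }
} | Format-List | Out-String
```

    A DLL path under a user-writable directory (Temp, AppData, Downloads) or a parent such as a script host is what warrants follow-up; a signed vendor DLL launched by svchost.exe or a driver helper is the common benign case.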
  6. palatkik

    palatkik Notebook Consultant

    OK, thanks for feedback - appreciated.

    The outdoor temperatures have cooled off to a more reasonable 34C these days and the LG17 is running much cooler and just fine.

    On another note I use Win10 Home mostly that the LG came with and even today the update says ver 2004 is not yet ready for my device and to wait.
     
  7. wsd11

    wsd11 Newbie

    Reputations:
    0
    Messages:
    2
    Likes Received:
    1
    Trophy Points:
    6
    Hi all. I've had a Gram 15 (15Z980) for a few months now and love it! The amount they've packed in to such a lightweight laptop is really impressive. Excellent screen too.

    Anyway have finally gotten around to buying an eGPU for it (a Gigabyte Aorus Box GTX1070), and am having real problems with the Thunderbolt 3 aspect. The eGPU doesn't work when I plug it in, I just get a "limited functionality" message. I can't find any reference to a Thunderbolt controller in device manager even with the eGPU plugged in. I thought I'd solved it when I went into the secret BIOS and found Thunderbolt disabled, however after enabling it it's still not working. I've downloaded the LG Control Centre and it doesn't show any drivers relating to Thunderbolt. It's like this laptop doesn't have Thunderbolt, but I know it should do! Were there any 980 model Grams without Thunderbolt? Have tried the eGPU with a friend's HP Elitebook and it worked immediately...

    Btw have been reading this thread for a while, great to see some really useful information being shared by the community! Have found little to no information on the Gram elsewhere on the web. Keep it up :)
     
  8. skipper63

    skipper63 Notebook Guru

    Reputations:
    3
    Messages:
    53
    Likes Received:
    1
    Trophy Points:
    15
    Most of the Gram 15 did not have Thunderbolt except for the fully loaded version, i7, 16g and 2x512 SSD. Some of the lesser versions were without Thunderbolt. I had to go for the full version to get Thunderbolt. I use an Akitio Node Pro with an RTX2080 and it works perfectly, some issues only in the beginning with the NVIDIA drivers. I checked in the BIOS, I have the 15Z980-R.AAS9U1.
     
    Last edited: Jun 12, 2020
    wsd11 likes this.
  9. hfm

    hfm Notebook Prophet

    Which exact model Gram 15 is it? There are sub-models of the 15Z980.

    It would look something like this in AIDA64
    upload_2020-6-12_18-58-38.png


    Also should just be listed as Thunderbolt controller under System in Device Manager
    upload_2020-6-12_18-59-42.png
     
    wsd11 likes this.
  10. wsd11

    wsd11 Newbie

    Thanks very much for the info guys, in all my research I had never seen it mentioned that only the i7 model had TB3. Mine's the i5 8250U version (256GB SSD/8GB RAM) and doesn't have any reference to Thunderbolt controller in Device Manager or AIDA64, so safe to conclude it doesn't have TB3 after all.

    Bit of a shame as that was one of the main selling points originally. Ah well.
     
    hfm likes this.