Can't install Fedora from USB flash drive. The media check is complete, the result is: FAIL

Hello.

I just can’t properly install Fedora Kinoite and I don’t understand why.

I downloaded ISO from official site, checked signatures, checked SHA sums (probably rechecked 10 times already). Everything is OK.
Then I wrote ISO to USB flash drive using “dd” method, everything was fine.
But when I’m trying to install Fedora from USB it always gives me an error (after checking 100%) “The media check is complete, the result is: FAIL.”.
Since I don’t want to install new system from potentially compromised media, I tried many times more, with absolutely same results. I tried different completely new USB drive. Nothing changed.
I tried to write with Fedora Media Writer. No problem with writing, but absolutely the same error when trying to install.
I searched for solutions, found that such problems are not so rare, but people mainly blame Windows for accessing USB drive. But I use Ubuntu, auto-mount is disabled.

I tried to compare ISO with what is written on the flash drive, and this is the result I get consistently:

sudo cmp -n stat -c '%s' Fedora-Kinoite-ostree-x86_64-40-1.14.iso Fedora-Kinoite-ostree-x86_64-40-1.14.iso /dev/sdb

Fedora-Kinoite-ostree-x86_64-40-1.14.iso /dev/sdb differ: byte 4167659525, line 16177707

Any ideas how to solve this? Besides from not checking media at all, I would prefer not to ignore the possibility of malfunction.

You will need to skip the check.

The problem is that if you ever plug in the USB memory device in a running WIndows system, the contents of the USB device will be modified making the check fail.

The problem is that I don’t use Windows in any form, I make bootable USB in Ubuntu, and PC trying to boot it don’t have any OS, just clear NVME.

I don’t get at what point it gets modified and why it’s always 1 byte, if I understand check results correctly.

The iso contains 3 partitions

fdisk -l Fedora-Kinoite-ostree-x86_64-40-1.14.iso

Disk Fedora-Kinoite-ostree-x86_64-40-1.14.iso: 3,89 GiB, 4181080064 bytes, 8166172 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: CD3C786C-03B3-42DF-BE93-7B917BA38EE6

Device                                      Start     End Sectors  Size Type
Fedora-Kinoite-ostree-x86_64-40-1.14.iso1      64 8139955 8139892  3,9G Microsoft basic data
Fedora-Kinoite-ostree-x86_64-40-1.14.iso2 8139956 8165507   25552 12,5M EFI System
Fedora-Kinoite-ostree-x86_64-40-1.14.iso3 8165508 8166107     600  300K Microsoft basic data

The second partition starts at byte offset 4167657472 == 8139956 * 512

The diff is at byte offset 4167659525, that is 2053 bytes into the fat file system, and also beyond the iso9660 file system in the first partition.

In conclusion, the first partition is intact and not modified, and that is where the install image is found.

The second partition may have been mounted at some point and perhaps not unmounted properly, or perhaps something else. If the system automounts USB devices, it might be a good idea to turn that off.

1 Like

So now I understand that it gets modified when it inserted into target PC.
Because if I check USB after writing ISO on it, everything is OK. If I remove it and insert again into the machine running Ubuntu everything is still OK.
After I connect it to the target machine, even without starting media check, then remove and check media in Ubuntu, it gives me the same modification at the same place.

So it is probably happens at the BIOS level. I tried to turn off everything that possible, including secure boot - no luck.

Not an automount issue for sure.

I understand that this change probably won’t deeply affect new installation. But for some reason it gets modified.
I’m afraid that it might be BIOS malware or something similar.

Download page says

We take security seriously
Once you have downloaded an image, be sure to verify it for both security and integrity.
By calculating the image’s checksum on your own computer and comparing it to the original checksum, you can verify the image has not been tampered with or corrupted.

And I take this problem seriously and can’t just let it go, without proper explanation at least.

If the change is at the second partition, which is marked as EFI System, then it is possibly target PC EFI related issue.
Unfortunately, I don’t have Legacy Mode in BIOS.
Still not sure that this is normal situation.

There are various reasons why this could happen, including faulty hardware, firmware, and software.

You can try to isolate the issue as much as possible by using another live media like GParted Live or another PC not affected by this issue to create a Fedora live media.

Then reboot the problematic PC, navigate to BIOS/EFI, attach the Fedora live media, and boot it directly from BIOS/EFI to avoid involving the currently installed system.

If you do cmp with -l option you can also see the byte values (in octal) at the place where you get a difference. By default cmp stops at the first difference.

another PC not affected by this issue to create a Fedora live media

Definitely not the PC used to create media problem.

attach the Fedora live media, and try to boot it directly from BIOS/EFI to avoid involving the currently installed system

No installed system at all, and no option to boot directly from BIOS/EFI.
But after I tried to insert USB flash when BIOS menu was opened, and then checked media at the other machine, it got different already.

I used cmp with -l option. Should I share the result, is it of any use for someone? Because it is way above my expertise to understand what these bytes actually mean.

Anyway:

Summary

4167659525 0 377
4167659526 0 377
4167671793 0 377
4167671794 0 377
4167671795 0 377
4167671796 0 377
4167673861 0 377
4167673862 0 377
4167686129 0 377
4167686130 0 377
4167686131 0 377
4167686132 0 377
4167688236 20 60
4167688243 216 13
4167688244 130 131
4167688247 163 115
4167688248 265 136
4167688249 216 13
4167688250 130 131
4167704577 0 56
4167704578 0 40
4167704579 0 40
4167704580 0 40
4167704581 0 40
4167704582 0 40
4167704583 0 40
4167704584 0 40
4167704585 0 40
4167704586 0 40
4167704587 0 40
4167704588 0 20
4167704591 0 115
4167704592 0 136
4167704593 0 13
4167704594 0 131
4167704595 0 13
4167704596 0 131
4167704599 0 115
4167704600 0 136
4167704601 0 13
4167704602 0 131
4167704603 0 2
4167704609 0 56
4167704610 0 56
4167704611 0 40
4167704612 0 40
4167704613 0 40
4167704614 0 40
4167704615 0 40
4167704616 0 40
4167704617 0 40
4167704618 0 40
4167704619 0 40
4167704620 0 20
4167704622 0 46
4167704623 0 115
4167704624 0 136
4167704625 0 13
4167704626 0 131
4167704627 0 13
4167704628 0 131
4167704631 0 115
4167704632 0 136
4167704633 0 13
4167704634 0 131
4167704635 0 3
4167704641 0 102
4167704642 0 111
4167704643 0 117
4167704644 0 123
4167704645 0 40
4167704646 0 40
4167704647 0 40
4167704648 0 40
4167704649 0 40
4167704650 0 40
4167704651 0 40
4167704652 0 60
4167704653 0 10
4167704655 0 115
4167704656 0 136
4167704657 0 13
4167704658 0 131
4167704659 0 13
4167704660 0 131
4167704663 0 115
4167704664 0 136
4167704665 0 13
4167704666 0 131
4167704667 0 370
4167704668 0 27
4167706721 0 104
4167706722 0 105
4167706723 0 114
4167706724 0 114
4167706725 0 40
4167706726 0 40
4167706727 0 40
4167706728 0 40
4167706729 0 40
4167706730 0 40
4167706731 0 40
4167706732 0 60
4167706733 0 10
4167706735 0 115
4167706736 0 136
4167706737 0 13
4167706738 0 131
4167706739 0 13
4167706740 0 131
4167706743 0 115
4167706744 0 136
4167706745 0 13
4167706746 0 131
4167706747 0 2
4180267009 0 56
4180267010 0 40
4180267011 0 40
4180267012 0 40
4180267013 0 40
4180267014 0 40
4180267015 0 40
4180267016 0 40
4180267017 0 40
4180267018 0 40
4180267019 0 40
4180267020 0 20
4180267023 0 115
4180267024 0 136
4180267025 0 13
4180267026 0 131
4180267027 0 13
4180267028 0 131
4180267031 0 115
4180267032 0 136
4180267033 0 13
4180267034 0 131
4180267035 0 370
4180267036 0 27
4180267041 0 56
4180267042 0 56
4180267043 0 40
4180267044 0 40
4180267045 0 40
4180267046 0 40
4180267047 0 40
4180267048 0 40
4180267049 0 40
4180267050 0 40
4180267051 0 40
4180267052 0 20
4180267055 0 115
4180267056 0 136
4180267057 0 13
4180267058 0 131
4180267059 0 13
4180267060 0 131
4180267063 0 115
4180267064 0 136
4180267065 0 13
4180267066 0 131
4180267067 0 2
4180267073 0 122
4180267074 0 105
4180267075 0 103
4180267076 0 117
4180267077 0 126
4180267078 0 105
4180267079 0 122
4180267080 0 131
4180267081 0 40
4180267082 0 40
4180267083 0 40
4180267084 0 60
4180267085 0 10
4180267087 0 115
4180267088 0 136
4180267089 0 13
4180267090 0 131
4180267091 0 13
4180267092 0 131
4180267095 0 115
4180267096 0 136
4180267097 0 13
4180267098 0 131
4180267099 0 371
4180267100 0 27
4180269057 0 56
4180269058 0 40
4180269059 0 40
4180269060 0 40
4180269061 0 40
4180269062 0 40
4180269063 0 40
4180269064 0 40
4180269065 0 40
4180269066 0 40
4180269067 0 40
4180269068 0 20
4180269071 0 115
4180269072 0 136
4180269073 0 13
4180269074 0 131
4180269075 0 13
4180269076 0 131
4180269079 0 115
4180269080 0 136
4180269081 0 13
4180269082 0 131
4180269083 0 371
4180269084 0 27
4180269089 0 56
4180269090 0 56
4180269091 0 40
4180269092 0 40
4180269093 0 40
4180269094 0 40
4180269095 0 40
4180269096 0 40
4180269097 0 40
4180269098 0 40
4180269099 0 40
4180269100 0 20
4180269103 0 115
4180269104 0 136
4180269105 0 13
4180269106 0 131
4180269107 0 13
4180269108 0 131
4180269111 0 115
4180269112 0 136
4180269113 0 13
4180269114 0 131
4180269115 0 370
4180269116 0 27

If possible, try to upgrade or reflash the BIOS/EFI firmware and reset its settings.

Over the years, many low level vulnerabilities have been discovered such as Spectre, Meltdown, Sinkclose, etc., so I wouldn’t be surprised if some of them could be utilized to install a persistent firmware level malware.

One more possibility is faulty RAM.

Also try using other Fedora images such as netinstall or server, but remember to keep the chain of trust in its general sense at each step.

I’m the type of person who believes that everything is compromised and backdoors everywhere, but actually this time I’m not sure that this is the case.
It is too stupid, for such a low level malware, to be detected at basic auto md5 hash check.

So, I tried to write random 5gb file on the same USB and then inserted it in the target PC, with BIOS menu opened, and even tried to boot from it. No changes detected with cmp after this.

Then I tried to write Ubuntu ISO on that USB, and it changed after I booted it (just install menu) on the target PC. And again, changes are in the region of the EFI partition, cmp -l shows slightly different bytes change, but somewhat similar to what I posted earlier.

Is it realistically possible to decipher what exactly changes knowing these bytes positions?

Probably it’s just something related to BIOS and EFI relations, but possibility of malware is still concerning.

What I see from the cmp listing I see

  • The fat table has been modified in a few places suggesting some file was added or removed.

  • The word “Dell” was found and the word “Recovery” was found in a different place.

Do you seem some new files when mounting the vfat file system?
The contents should be

drwxr-xr-x. 3 root root    2048 Apr 15 00:43 EFI
drwxr-xr-x. 3 root root    2048 Apr 15 00:43 EFI/BOOT
-rwxr-xr-x. 1 root root    1351 Apr 15 00:43 EFI/BOOT/BOOT.conf
-rwxr-xr-x. 1 root root  747681 Mar 19 01:00 EFI/BOOT/BOOTIA32.EFI
-rwxr-xr-x. 1 root root  949424 Mar 19 01:00 EFI/BOOT/BOOTX64.EFI
drwxr-xr-x. 2 root root    2048 Apr 15 00:43 EFI/BOOT/fonts
-rwxr-xr-x. 1 root root 2394108 Feb  7  2024 EFI/BOOT/fonts/unicode.pf2
-rwxr-xr-x. 1 root root    1351 Apr 15 00:43 EFI/BOOT/grub.cfg
-rwxr-xr-x. 1 root root 2960704 Feb  7  2024 EFI/BOOT/grubia32.efi
-rwxr-xr-x. 1 root root 3968320 Feb  7  2024 EFI/BOOT/grubx64.efi
-rwxr-xr-x. 1 root root  673992 Mar 19 01:00 EFI/BOOT/mmia32.efi
-rwxr-xr-x. 1 root root  848080 Mar 19 01:00 EFI/BOOT/mmx64.efi
1 Like

Well… I tried again, this time “cmp -l” gave slightly different results.

Then I mounted ANACONDA partition from USB and found that at /ANACONDA/EFI/ besides BOOT folder there is /dell/bios/recovery folder, which is empty.

Looks like this is how it tries to find BIOS recovery files on any connected USB drive and it can’t be disabled.

And I just found that BIOS is made by some Chinese company. When I press F1 there are a lot of typos.

Oh wow, Dell, oh wow. Should have bought an Acer.

The low level persistent malware case is solved.

The only thing I don’t understand now is why it shows different bytes with “cmp -l” this time, if it’s always just some empty folders.

1 Like

It all depends on where the directory is located in the file system. That reflects on the FAT table which holds the pointers to the disk blocks of the directory.

I believe it should be located in the very same place all the time. Maybe it is related to the creation date or something.

Anyway, now I can skip media check without losing inner peace.

Thank you all a lot!