Lenovo X230 and Lenovo X220 keyboard BIOS hack, part 2

A glimpse of what is going on with Lenovo BIOSes

I am not interested in the PC BIOS part itself, since I can use coreboot, but I wanted to know what is available.

http://www.endeer.cz/bios.tools/

http://forums.mydigitallife.info/threads/659-LENOVO-%28IBM%29-Bioses-especially-Thinkpad-Previous-requests/page39
but the file L_PROCESS_TOOLS_NEW_STRUCTURE.rar is nowhere to be found 😦

Note: careful with the BIOS versions. The newer ones don't allow going back to an old version (without using external hardware):
http://support.lenovo.com/us/en/products/laptops-and-netbooks/thinkpad-x-series-laptops/thinkpad-x230/downloads/DS029188

– If the UEFI BIOS has been updated to version 2.56 or higher, it is no longer
able to roll back to the version before 2.56 for degrading security function.

This makes sense after reading this scary paper (and the ones referenced in it): http://www.legbacore.com/Research_files/2015_ShmooCon_BIOSBugs.pdf
Media coverage:
http://www.extremetech.com/computing/133773-rakshasa-the-hardware-backdoor-that-china-could-embed-in-every-computer

I've absolutely no idea compared to those guys, but I'll still try to change the keyboard.

The embedded firmware part I am interested in is this one:
http://www.thinkwiki.org/wiki/Embedded_Controller_Firmware

If BIOS backdoors were not enough, there is also "Backdooring Embedded Controllers" by rpw:
http://rpw.io/slides/rpw-27c3-thmbec.pdf
Video: http://media.ccc.de/browse/congress/2010/27c3-4174-en-the_hidden_nemesis.html

At least it's in a place you'd expect, unlike this one:
https://media.blackhat.com/bh-us-11/Miller/BH_US_11_Miller_Battery_Firmware_Public_WP.pdf

I took some interesting advice from the first one:

* The microcontroller is powered whenever the laptop has power (even when the laptop is turned off)
* IDA Pro Advanced has support for the H8S (I've yet to see which MCU it uses. Update: it uses an 8051 variant. I've put the datasheet at the end of this blog entry)
* There is commented code for an old model. It doesn't say where, but I found it here:

http://forum.thinkpads.com/viewtopic.php?t=20958
http://www.thinkwiki.org/wiki/Renesas_H8S/2161BV

It seems there was some software support for the EC on ThinkPads, but it doesn't work on gen3 processors (Ivy Bridge boards):
http://thinkwiki.org/wiki/tp_smapi

x230 iker ~ $ sudo dmidecode

BIOS Information
Vendor: LENOVO
Version: G2ET95WW (2.55 ) <— I can still flash old BIOSes, but that also makes it easy to hack my BIOS in bad ways.
Release Date: 07/09/2013
Address: 0xE0000
Runtime Size: 128 kB
ROM Size: 12288 kB
Characteristics:
PCI is supported
PNP is supported
BIOS is upgradeable
BIOS shadowing is allowed
Boot from CD is supported
Selectable boot is supported
EDD is supported
3.5"/720 kB floppy services are supported (int 13h)
Print screen service is supported (int 5h)
8042 keyboard services are supported (int 9h)
Serial services are supported (int 14h)
Printer services are supported (int 17h)
CGA/mono video services are supported (int 10h)
ACPI is supported
USB legacy is supported
BIOS boot specification is supported
Targeted content distribution is supported
UEFI is supported
BIOS Revision: 2.55
Firmware Revision: 1.12

Handle 0x0042, DMI type 140, 15 bytes
OEM-specific Type
Header and Data:
8C 0F 42 00 4C 45 4E 4F 56 4F 0B 07 01 01 02
Strings:
G2HT33WW
04/29/2013

x230 iker ~ $ sudo superiotool -d
superiotool r6637
Found SMSC FDC37N972 (id=0x0b, rev=0x03) at 0x4e
Register dump:
idx 02 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f
val 00 0b 03 00 00 04 00 00 00 3a 00 00 00 00 00 00 00
def 00 0b 00 00 00 04 04 NA NA 00 00 00 00 00 00 00 00
LDN 0x00 (Floppy)
idx 30 60 61 70 74 f0 f1 f2 f3 f4 f5
val 00 00 00 00 00 00 00 00 00 00 00
def 00 03 f0 06 02 0e 00 ff RR 00 00
LDN 0x01 (Power management (PM1))
idx 30 60 61
val 01 00 00
def 00 00 00
LDN 0x03 (Parallel port)
idx 30 60 61 70 74 f0 f1
val 00 00 00 00 00 00 00
def 00 00 00 00 04 3c 00
LDN 0x04 (COM1)
idx 30 60 61 70 f0
val 00 00 00 00 00
def 00 00 00 00 00
LDN 0x05 (COM2)
idx 30 60 61 62 63 70 74 f0 f1 f2 f7 f8
val 00 00 00 00 00 00 00 00 00 00 00 00
def 00 00 00 00 00 00 04 00 02 03 00 00
LDN 0x06 (Real-time clock (RTC))
idx 30 60 61 62 63 70 f0 f1
val 00 00 00 00 00 00 00 00
def 00 00 70 00 74 00 00 NA
LDN 0x07 (Keyboard)
idx 30 60 61 70 72 f0
val 00 00 00 00 00 00
def 00 00 00 00 00 00
LDN 0x08 (Embedded controller (EC))
idx 30 60 61
val 00 00 00
def 00 00 62
LDN 0x09 (Mailbox)
idx 30 60 61
val 00 00 00
def 00 00 00

Datasheet for the SMSC FDC37N972:
http://pdf1.alldatasheet.es/datasheet-pdf/view/94303/SMSC/FDC37N972.html
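The register dump above is what superiotool reads back through the Super I/O's index/data port pair at 0x4e/0x4f: it writes SMSC's enter key 0x55 to the index port, selects a logical device through global register 0x07, reads that device's activate bit (index 0x30) and primary base address (indices 0x60/0x61), and leaves config mode with 0xaa. The following is an added example, my code rather than the post's or superiotool's, that walks the same configuration space. A simulated backend seeded from the "val" rows of the dump lets it run on any machine; the second backend goes through /dev/port, and root plus a Linux kernel without lockdown are my assumptions for using it on the real X230. It only reads: writing Super I/O config registers on live hardware can hang the machine. Note that the dump's default for the "Embedded controller" LDN 0x08 is base 0x62, which is the conventional ACPI EC data port (the command/status port sits at 0x66), so this is the same plain port I/O path through which both the BIOS and any ring 0 attacker reach the EC.

```c
/* Added example, not code from the original post or from superiotool: walk
 * the SMSC FDC37N972 Super I/O config space the way superiotool does, through
 * the index/data ports 0x4e/0x4f, reading chip ID/revision and, per logical
 * device, the activate bit and base I/O address. Port I/O sits behind a
 * two-function backend: a simulated register file seeded from the dump above,
 * or (root on Linux, assumption) the real chip through /dev/port. Reads only. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

#define SIO_INDEX    0x4e  /* config port superiotool found on this X230 */
#define SIO_DATA     (SIO_INDEX + 1)
#define SMSC_ENTER   0x55  /* SMSC enter-config key, written to the index port */
#define SMSC_EXIT    0xaa  /* SMSC exit-config key */
#define REG_LDN      0x07  /* global: logical device select */
#define REG_DEVID    0x20  /* global: chip ID, 0x0b = FDC37N972 */
#define REG_DEVREV   0x21  /* global: chip revision */
#define REG_ACTIVATE 0x30  /* per-LDN: bit 0 enables the device */
#define REG_BASE_HI  0x60  /* per-LDN: primary base address, high byte */
#define REG_BASE_LO  0x61  /* per-LDN: primary base address, low byte */
#define LDN_EC       0x08  /* "Embedded controller" LDN in the dump */

struct sio {
    void (*outb)(struct sio *s, uint16_t port, uint8_t v);
    uint8_t (*inb)(struct sio *s, uint16_t port);
    int fd;                    /* real backend: /dev/port descriptor */
    int in_config, index, ldn; /* simulated chip state */
    uint8_t global[0x30];      /* simulated global registers 0x02..0x2f */
    uint8_t perldn[16][0x100]; /* simulated per-LDN registers 0x30.. */
};
struct chip_id { uint8_t id, rev; };
struct ldn_info { uint8_t ldn, active; uint16_t base; };

/* Simulated backend: models the enter/exit keys and LDN banking. Globals are
 * treated as read-only, per-LDN registers as writable; outside config mode
 * the data port reads back 0xff like an unanswered bus cycle. */
static void sim_outb(struct sio *s, uint16_t port, uint8_t v)
{
    if (port == SIO_INDEX) {
        if (v == SMSC_ENTER)     s->in_config = 1;
        else if (v == SMSC_EXIT) s->in_config = 0;
        else                     s->index = v;
    } else if (port == SIO_DATA && s->in_config) {
        if (s->index == REG_LDN)           s->ldn = v & 0x0f;
        else if (s->index >= REG_ACTIVATE) s->perldn[s->ldn][s->index] = v;
    }
}
static uint8_t sim_inb(struct sio *s, uint16_t port)
{
    if (port != SIO_DATA || !s->in_config) return 0xff;
    if (s->index == REG_LDN)     return (uint8_t)s->ldn;
    if (s->index < REG_ACTIVATE) return s->global[s->index];
    return s->perldn[s->ldn][s->index];
}
/* Register file constructed from the "val" rows of the dump above; anything
 * not shown there is zero. PM1 (LDN 1) is the only active logical device. */
struct sio *sim_backend(void)
{
    static struct sio s;
    memset(&s, 0, sizeof s);
    s.outb = sim_outb; s.inb = sim_inb; s.fd = -1;
    s.global[REG_DEVID] = 0x0b; s.global[REG_DEVREV] = 0x03;
    s.global[0x24] = 0x04;      s.global[0x28] = 0x3a;
    s.perldn[0x01][REG_ACTIVATE] = 0x01;
    return &s;
}

/* Real backend: /dev/port needs root (CAP_SYS_RAWIO) and no kernel lockdown. */
static void hw_outb(struct sio *s, uint16_t port, uint8_t v) { (void)pwrite(s->fd, &v, 1, port); }
static uint8_t hw_inb(struct sio *s, uint16_t port) { uint8_t v = 0xff; (void)pread(s->fd, &v, 1, port); return v; }
struct sio *hw_backend(void)
{
    static struct sio s;
    memset(&s, 0, sizeof s);
    s.outb = hw_outb; s.inb = hw_inb;
    s.fd = open("/dev/port", O_RDWR);
    return s.fd < 0 ? NULL : &s;
}

/* The walker itself, identical for both backends: index write, then data. */
static uint8_t sio_read(struct sio *s, uint8_t idx) { s->outb(s, SIO_INDEX, idx); return s->inb(s, SIO_DATA); }
static void sio_write(struct sio *s, uint8_t idx, uint8_t v) { s->outb(s, SIO_INDEX, idx); s->outb(s, SIO_DATA, v); }

struct chip_id sio_identify(struct sio *s)
{
    struct chip_id c;
    s->outb(s, SIO_INDEX, SMSC_ENTER);
    c.id  = sio_read(s, REG_DEVID);
    c.rev = sio_read(s, REG_DEVREV);
    s->outb(s, SIO_INDEX, SMSC_EXIT);
    return c;
}
struct ldn_info sio_query_ldn(struct sio *s, uint8_t ldn)
{
    struct ldn_info li = { ldn, 0, 0 };
    s->outb(s, SIO_INDEX, SMSC_ENTER);
    sio_write(s, REG_LDN, ldn);                       /* bank in this LDN's registers */
    li.active = sio_read(s, REG_ACTIVATE) & 1;
    li.base   = (uint16_t)(sio_read(s, REG_BASE_HI) << 8 | sio_read(s, REG_BASE_LO));
    s->outb(s, SIO_INDEX, SMSC_EXIT);
    return li;
}

int main(int argc, char **argv)
{
    struct sio *s = (argc > 1 && !strcmp(argv[1], "--real")) ? hw_backend() : sim_backend();
    if (!s) { perror("/dev/port"); return 1; }
    struct chip_id c = sio_identify(s);
    printf("Super I/O id=0x%02x rev=0x%02x%s\n", c.id, c.rev, c.id == 0x0b ? " (FDC37N972)" : "");
    for (uint8_t ldn = 0; ldn <= 9; ldn++) {
        struct ldn_info li = sio_query_ldn(s, ldn);
        printf("LDN 0x%02x active=%u base=0x%04x\n", li.ldn, li.active, li.base);
    }
    return 0;
}
```

Run it without arguments to see the simulated chip answer exactly as the dump does (id 0x0b, rev 0x03, only LDN 0x01 active); `sudo ./sio --real` repeats the walk against the live Super I/O. Reading the ID back as 0x0b before touching anything else is the sanity check that the key sequence actually put the chip in config mode; if a different Super I/O (or none) sits at 0x4e, a different key or port is needed and the other values are noise.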

UPDATE: the Dasher-2 (Lenovo X230) datasheet names the EC MEC1619, and it includes an ARC 625D microcontroller instead of an 8051. I've not reversed the code for the embedded controller, but it should not be hard to distinguish an 8051 (like the one inside the SMSC) from an ARC (like the one inside the MEC1619). Now both embedded controllers are sold by Microchip to Lenovo, so the Dasher-2 might have changed the embedded microcontroller during its lifetime, but not once shipped, because the firmwares should be different and they're not. Conclusion: I've no idea about anything, but it can be known with this data.
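One first-pass check for the "8051 or ARC?" question above that needs no disassembler, as an added example (my code, not from the post or from any of the linked tools): an 8051 keeps its reset vector at offset 0x0000 and its interrupt vectors at 0x0003, 0x000B, 0x0013, 0x001B and 0x0023, eight bytes apart, and real firmware almost always fills those slots with an LJMP (opcode 0x02, 16-bit big-endian target) to a handler or a RETI (0x32) for unused interrupts. Sliding that template over the image finds an 8051 blob even when it sits at a non-zero offset inside a larger dump, which is the normal situation for an EC image carved out of a BIOS update. The heuristic only argues for 8051; it says nothing about ARC, and it finds nothing if the EC blob is compressed or encrypted, which is worth ruling out first. The sample image is constructed.

```c
/* Added example, not from the original post: scan a firmware dump for an
 * 8051 interrupt vector table. Slots at +0x00 (reset), +0x03, +0x0b, +0x13,
 * +0x1b, +0x23 are expected to hold LJMP (0x02 hi lo) to a target inside the
 * blob, RETI (0x32) or SJMP (0x80). The reset slot must be an LJMP. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OP_LJMP 0x02
#define OP_RETI 0x32
#define OP_SJMP 0x80

static const size_t vectors[] = { 0x00, 0x03, 0x0b, 0x13, 0x1b, 0x23 };
#define NVEC (sizeof vectors / sizeof vectors[0])
#define TABLE_LEN 0x26   /* last vector slot plus a 3-byte LJMP */

/* Does the slot at p look like an 8051 vector entry? span is the distance
 * from the table base to the end of the image: an LJMP target beyond it
 * cannot be code in this blob. Unprogrammed 0xff slots score nothing. */
static int slot_plausible(const uint8_t *p, size_t span)
{
    if (p[0] == OP_LJMP) {
        size_t target = (size_t)p[1] << 8 | p[2];
        return target < span;
    }
    return p[0] == OP_RETI || p[0] == OP_SJMP;
}

/* Score 0..NVEC for a vector table starting at img[base]. */
int score_8051_table(const uint8_t *img, size_t len, size_t base)
{
    if (base + TABLE_LEN > len || img[base] != OP_LJMP) return 0;
    int score = 0;
    for (size_t i = 0; i < NVEC; i++)
        score += slot_plausible(img + base + vectors[i], len - base);
    return score;
}

/* First offset whose table scores at least min_score, or -1. */
long find_8051_table(const uint8_t *img, size_t len, int min_score)
{
    for (size_t off = 0; off + TABLE_LEN <= len; off++)
        if (score_8051_table(img, len, off) >= min_score) return (long)off;
    return -1;
}

/* Constructed 512-byte image: 0xff filler with a hand-made 8051 vector table
 * at offset 0x80 (LJMP at reset, TF0 and serial; RETI in the other slots). */
size_t sample_image(uint8_t *img, size_t cap)
{
    const size_t len = 0x200;
    if (cap < len) return 0;
    memset(img, 0xff, len);
    const uint8_t reset[] = { OP_LJMP, 0x00, 0x60 };  /* targets are inside the blob */
    const uint8_t tf0[]   = { OP_LJMP, 0x00, 0x70 };
    const uint8_t ser[]   = { OP_LJMP, 0x00, 0x90 };
    memcpy(img + 0x80 + 0x00, reset, 3);
    img[0x80 + 0x03] = OP_RETI;
    memcpy(img + 0x80 + 0x0b, tf0, 3);
    img[0x80 + 0x13] = OP_RETI;
    img[0x80 + 0x1b] = OP_RETI;
    memcpy(img + 0x80 + 0x23, ser, 3);
    return len;
}

/* Wrappers over the constructed sample, for quick checks. */
long sample_find(int min_score)
{
    uint8_t img[0x200];
    size_t n = sample_image(img, sizeof img);
    return find_8051_table(img, n, min_score);
}
int sample_score(size_t base)
{
    uint8_t img[0x200];
    size_t n = sample_image(img, sizeof img);
    return score_8051_table(img, n, base);
}

int main(void)
{
    long off = sample_find(5);
    if (off < 0) { puts("no 8051-looking vector table found"); return 1; }
    printf("8051 vector table candidate at 0x%zx (score %d/%zu)\n",
           (size_t)off, sample_score((size_t)off), NVEC);
    return 0;
}
```

Replace `sample_image` with the bytes of the real EC region and look at every offset that scores 5 or 6; a stray LJMP in data (the sample's inner LJMP at 0x8b, for instance) scores only 1 because the slots after it are empty, so the threshold filters most accidents. A hit says "load this as 8051 in IDA at that base"; no hit at any threshold, on an image that is clearly code-dense, is the moment to suspect the ARC 625D (or compression) instead.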

http://www.microchip.com/wwwproducts/Devices.aspx?product=MEC1619

http://www.microchip.com/pagehandler/en-us/technology/smsc_legacy/home.html

https://www.microchip.com/investor/Pressrelease/MCHP%20and%20SMSC%20Announce%20the%20Acquisition%20of%20SMSC%20by%20MCHP.050212.pdf

http://www.brokerforum.com/components-parts/SMSC/FDC37-eT-en.jsa

http://www.datasheets360.com/part/detail/fdc37n972-208tqfp/-3756309638589124755/

Microchip acquired SMSC in August 2012. Microchip is investing heavily in the technology to continue the proud history of leadership in integrated circuit products for computing applications.

I also found this very interesting. It details how the mailboxes work on an 8051 SMSC Super I/O controller:

https://sites.google.com/site/armadae500linux/documentation

https://www.bio.ifi.lmu.de/~steiner/linux/m300bl.c

http://datasheet.eeworld.com.cn/pdf/SMSC/15895_FDC37N972.pdf

http://www.linofee.org/~jel/irda/patches/smc-ircc.c.patch
