Hi all Coreboot folks,
I'm a first year graduate student in CS, been hanging around on #coreboot IRC (Libera.Chat server) and was thinking if it was possible or not to port Coreboot to a Thinkpad T495 (AMD Ryzen 7 3700U PRO) [1] manufactured in May 2019. I successfully dumped the BIOS using flashrom internally, see `flashrom_info.log` and `flashrom_info.err.log`.
It is unclear if there is any AMD protection that does the same as Intel BootGuard on Ryzen 3rd gen (there is for sure this [2] since the 1st gen of Ryzen which is the equivalent to Intel Management Engine).
AMD has a whitepaper stating that from Ryzen 5000s mobile generation [3], AMD PSB (Platform Secure Boot) is activated, and it looks like kind of the same as Intel BootGuard if I'm not mistaken here.
I know so far that the BIOS SPI chip is operating at 1.8v, and is a Winbond flash chip "W25Q128.W" (16384 kB, SPI), which will be useful in case I need to externally flash the SPI ROM to unbrick the laptop.
I still have to:
- Test whether there is a protection that checks if the firmware was changed or not, by patching the original BIOS ROM. I was told for this to change a copyright string or to change the logo:
  - it is a GIF file and has a sha2-256 signature in its properties, which isn't the sha256sum of the file (I've attached the `identify -verbose logo.gif` output),
  and then trying to boot could allow checking for any tamper protection on the ROM flash (bricking the device intentionally if there is one).
- Understand if the EC RAM is something I can make something out of or not (so far there is a lot of FF and 00 in it; the last line shows the version of the embedded firmware), so far I'm not too sure I can make sense of it right now.
- Get the model of the EC and try to find datasheets online.
I have at my disposal:
- A kind of cheap 16 channel logic analyzer [4] with software available on Linux/Windows, with a few decoders for most known serial protocols such as SMBus, I2C, SPI and more.
- A Raspberry Pi 3 model B+ (will be used as an external programmer, but I still need to find out how I could pull down the power to 1.8v since the VCC is 3.3v).
- An 8 pin SOIC clip (will be delivered to me in 2 weeks); I took the best one from this guide [5].
- A cheap multimeter with basic probes, capable of continuity test.
And possibly more such as FPGAs, by going to hackerspaces in my vicinity.
I have built Coreboot for qemu with the SeaBIOS payload as the documentation for GSoC recommended, see the coreboot-serial.log output attached as a text file.
In the case where there is indeed a protection, maybe a solution could be found by using a flash emulator (spispy ?) [6] but I need more details on this.
I am also aware that a complete port will not be feasible within the time period of GSoC, hence I need to know what the basics are that need to be covered for a Coreboot port to be considered minimally working first? Should USB work? Charging is done using a USB-C port; this might be partly handled by the EC (Embedded Controller).
Finally, if nothing could be done on this Thinkpad because it is too recent, I also have an older Intel Thinkpad, a T450, that has Intel BootGuard but that I'm looking to try to port Coreboot to as well, using a flash emulator and possibly this attack [7].
Thanks for the time taken to read this lengthy mail, I hope the goal of this mail is clear.
Kind regards, Lahfa Samy
Links:
------
[1] https://psref.lenovo.com/syspool/Sys/PDF/ThinkPad/ThinkPad_T495/ThinkPad_T49...
[2] https://en.wikipedia.org/wiki/AMD_Platform_Security_Processor
[3] https://www.amd.com/system/files/documents/amd-security-white-paper.pdf
[4] https://sigrok.org/wiki/Kingst_LA2016
[5] http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate
[6] https://github.com/osresearch/spispy
[7] https://trmm.net/Sleep_attack/
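The mail mentions two raw dumps that are hard to read by eye: the 16384 kB flashrom image and an EC RAM dump full of FF and 00. Before writing anything back to a chip, a practitioner wants to know that the dump has the size the chip should have, that two consecutive reads agree, and which parts of it actually hold data. The script below is an added example written for this thread; it is not code from the mail, from flashrom or from the coreboot project. It assumes a raw binary dump as flashrom produces it and uses a 4 KiB granularity (one SPI erase sector) for the region map; the W25Q128 size constant is taken from the mail, and the sample bytes at the bottom are constructed, not a real dump.

```python
"""Map a raw firmware or EC RAM dump into erased (0xFF), zeroed (0x00) and data regions,
and sanity-check it (size, SHA-256, agreement between two reads) before it is reused.

Added example for this thread; not from the original mail, flashrom or coreboot.
"""
import hashlib
from typing import List, Optional, Tuple

# Size of the W25Q128.W named in the mail (16384 kB); any other chip needs its own value.
W25Q128_BYTES = 16384 * 1024
SECTOR = 4096  # 4 KiB SPI erase sector; granularity of the region map (assumption)

Region = Tuple[int, int, str]  # (start offset, end offset, kind)


def classify(block: bytes) -> str:
    """Label a block as 'erased' (all 0xFF), 'zeroed' (all 0x00) or 'data'."""
    if block == b"\xff" * len(block):
        return "erased"
    if block == b"\x00" * len(block):
        return "zeroed"
    return "data"


def map_regions(dump: bytes, granularity: int = SECTOR) -> List[Region]:
    """Walk the dump in fixed-size blocks and merge adjacent blocks of the same kind."""
    regions: List[Region] = []
    for start in range(0, len(dump), granularity):
        end = min(start + granularity, len(dump))
        kind = classify(dump[start:end])
        if regions and regions[-1][2] == kind:
            regions[-1] = (regions[-1][0], end, kind)  # extend the previous region
        else:
            regions.append((start, end, kind))
    return regions


def first_difference(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first mismatching byte between two reads, or None if identical.
    A length mismatch counts as a difference at the shorter length."""
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return None if len(a) == len(b) else n


def check_dump(dump: bytes, expected_size: int = W25Q128_BYTES) -> dict:
    """Summarise one dump: size check, SHA-256 and how many bytes are erased/zeroed/data."""
    regions = map_regions(dump)
    totals = {"erased": 0, "zeroed": 0, "data": 0}
    for start, end, kind in regions:
        totals[kind] += end - start
    return {
        "size_ok": len(dump) == expected_size,
        "sha256": hashlib.sha256(dump).hexdigest(),
        "regions": regions,
        "data_bytes": totals["data"],
        "erased_bytes": totals["erased"],
        "zeroed_bytes": totals["zeroed"],
    }


def format_map(regions: List[Region]) -> str:
    """Render the region list the way a flash layout is usually read: start-end kind."""
    return "\n".join(f"0x{s:08x}-0x{e:08x} {k}" for s, e, k in regions)


# Constructed sample: a tiny "dump" of 8 sectors, not a real ROM or EC RAM image.
SAMPLE_DUMP = (
    b"\xff" * SECTOR * 2                                 # 0x0000-0x2000 erased
    + b"\x00" * SECTOR                                   # 0x2000-0x3000 zeroed
    + b"EC firmware v1.23\x00".ljust(SECTOR, b"\xff")    # 0x3000-0x4000 data (constructed)
    + b"\xff" * SECTOR * 3                               # 0x4000-0x7000 erased
    + bytes(range(256)) * (SECTOR // 256)                # 0x7000-0x8000 data
)

if __name__ == "__main__":
    # For a real chip: dump = open("flash_read1.bin", "rb").read(); expected_size=W25Q128_BYTES
    report = check_dump(SAMPLE_DUMP, expected_size=len(SAMPLE_DUMP))
    print(format_map(report["regions"]))
    print("size ok:", report["size_ok"], " sha256:", report["sha256"])
    # Two reads of the same chip should agree before anything is written back.
    print("reads agree:", first_difference(SAMPLE_DUMP, SAMPLE_DUMP) is None)
```

On a real image, run flashrom's read twice, feed both files to `first_difference` and only trust a dump whose two reads match and whose `size_ok` is true; the region map then shows where the image actually carries content (for the EC RAM dump in the mail, the version string would show up as a small data region among erased or zeroed ones).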