[coreboot] Thinkpad ECs (H8)

Denis 'GNUtoo' Carikli GNUtoo at no-log.org
Fri Jul 24 22:16:16 CEST 2015


Hi,

I just learned about (and watched) a presentation[1] that is about
backdooring the Thinkpad ECs.

This information might help with the task of writing a free software EC
firmware[2].

The information is also very useful to get a better ideas of the
threats due to having a non-free EC firmware.
I for instance missed the EC ThinkLight issue, when thinking about the
security of i945 Lenovo laptops:
-> The EC code is non-free
-> There is a long wire that goes from the EC to the ThinkLight (That's
   a potential antenna, according to the talk the Thinkpad EC
   microcontrollers speed is around 10Mhz so it seems doable)
-> Since The i945 Thinkpads are often bought second hand, a broken EC
   light isn't suspicious if you don't know about this issue.

The talk contains a link to an EC firmware dumper[3]. Unfortunately
after cloning the it, the git repository contained no code at all.
Maybe Ralf-Philipp could comment on that?

In the QA, it is also said that it's possible to talk directly to the
EC hardware to dump the fimrware (and not the EC firmware), from the
computer. The IO addresses he's mentioning look like EC addresses.

I then wonder if it's also possible to flash it in the same way.
In that case the fimrware should better be able to power on the
computer, else some sort of external flashing/recovery would be needed
(as it is for coreboot).

The talk also contained a link to the original firmware "commented
assembly".
I've no idea if it's safe to look at it, but it's better not to do it
until we know for sure that's it's legally safe.
The SFLC (Software Freedom Law Center) might help with that.
The people who looks at it might be prevented from writing legal free
software firmware for such EC if they do, so beware.

The talk also mention that the H8(The Thinkpad EC) have good
documentation.

References:
-----------
[1] 27c3-4174-en-the_hidden_nemesis.webm
[2] http://blogs.coreboot.org/blog/tag/h8s/
[3] http://coderpunks.org/ecdumper

Denis.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://www.coreboot.org/pipermail/coreboot/attachments/20150724/f97c5d3a/attachment.sig>


More information about the coreboot mailing list