✧✦Catherine✦✧Feb 27

heyyyyyy. check this out

i bought one of those chinese motherboards which get the UEFI package from American Megatrends and then enable options with the guiding principle of "YES."

check out how many juicy bits it has

you can turn the memory scrambler on and off! it even tells you the seed it has on, i think, this specific boot?

Show threadJoshua Wise
@whitequark if you want this type of bios in mobile form factor, https://tpart.net , too. I bugged the ODM on wechat to give me a datasheet for the EC and a pinout for the EC debug header but sadly did not manage to get a schematic for how the EC GPIOs are hooked up
TP Art – ThinkPad is a work of art!

Feb 27 at 9:18pmWeb
Show thread✧✦Catherine✦✧Feb 27
@joshua do you have a BSDL? if yes and you can access JTAG, I have a #GlasgowInterfaceExplorer applet for you that will tell you this in a single touch of a probe
Show threadJoshua WiseFeb 27
@whitequark I have the pinout for the debug header, not the rest of the GPIOs. the debug header exposes user-accessible SMBus, but with a hardware monitor circuit where if you send it the right pattern of toggles it'll go 'oh, ok, my bad' and turn off the user-accessible SMBus and put it into backdoor reprogramming mode, and I have in fact gotten this working using something like https://github.com/c0d3z3r0/i2ite
Show threadJoshua WiseFeb 27
@whitequark I am not entirely excited about the concept of boundary scan brute forcing each GPIO on the board, lest I Find Out. I think probably static and/or dynamic analysis of the EC FW is going to be a better bet
Show threadCraig BishopFeb 28
@whitequark @joshua would the applet show pin state changes live with a pin number? I ask because I need to reverse the pinout on all these FMC headers. I wasn’t looking forward to doing it with OpenOCD…
Show thread✧✦Catherine✦✧Feb 28
@craigjb @joshua yes, just touch the pin with a probe and it tells you exactly which ball name it is (it parses BSDL)
Show threadCraig BishopFeb 28
@whitequark @joshua I already liked my interface explorer, but this could make it my bff
Show thread✧✦Catherine✦✧Feb 28
@craigjb @joshua I have fully working code for this, just need to clean it up and push a PR
Show threadCraig BishopFeb 28

@whitequark @joshua it doesn’t modify output state right? I imagine the probe is through a resistor to the VDD rail?

For an FPGA with a bunch of VCCO rails, might have to find the right level to use…

Show thread✧✦Catherine✦✧Feb 28

@craigjb @joshua it uses the built-in 10k pullups (to Vio/GND) to avoid more than microamp-level currents passing through anything, and at that current I assume nothing should ever break except to ESD or something

this will not give you the state of anything with a pullup so the other option is to pulse a pin for a few ns, which is usually also well tolerated

Show thread✧✦Catherine✦✧Feb 28
@craigjb @joshua (i mean, it's more complicated, modern electronics often has very high, 100k+ pullups/pulldowns which don't bother this technique too much, but i assume you know that)
Show threadCraig BishopFeb 28

@whitequark @joshua That’s clever using the internal pull-up! I’ve only done it the hard way with an external pull-up on a probe with… OpenOCD. It’s not the most fun thing to do.

Did you write a BSDL parser for it? I guess someone in the python ecosytem likely already did…

Show threadCraig BishopFeb 28
@whitequark @joshua I guess for this you really only need the last section of the BSDL anyway. A regex would probably be sufficient…
Show thread✧✦Catherine✦✧Feb 28
@craigjb @joshua oh no, nonono. I parse a lot more than that, and I do it in a relatively spec-compliant manner, at least as much as feasible for a 500-line parser... it has a lexer and a handwritten LL(1) parser and everything
Show thread✧✦Catherine✦✧Feb 28

@craigjb @joshua I found one or two but they have upset me with the way they are written so I wrote one from scratch https://github.com/GlasgowEmbedded/glasgow/blob/main/software/glasgow/protocol/bsdl.py

this one is also upsetting but it's nicer for this application and has 0 dependencies

glasgow/software/glasgow/protocol/bsdl.py at main · GlasgowEmbedded/glasgow

Scots Army Knife for electronics. Contribute to GlasgowEmbedded/glasgow development by creating an account on GitHub.

GitHub
Show threadCraig BishopFeb 28

@whitequark @joshua ooo, proper tokenization and lexing. My BSDL regex scripts make me look like a lazy slob over here 😂

I’m not sure I’ve looked forward to a Glasgow PR as much as this yet! Multi applet support on CLI was up there, but this beats it.

Show thread✧✦Catherine✦✧Feb 28
@craigjb @joshua yeah! I think this is something relatively few people need but when you do need it, it is several lifesavers worth of functionality. I am actually not aware of any comparable tool that exists currently at all
Show threadCraig BishopFeb 28

@whitequark @joshua Agree! What will the applet be called?

There was a tool like this from years ago, something like “TopJTAG”. But it’s windows-only proprietary abandonware I think.

Show thread✧✦Catherine✦✧Feb 28
@craigjb @joshua glasgow run jtag-bsdl-probe or something like that
Show threadCraig BishopFeb 28

@whitequark @joshua the actual website is lost to history, but I found this. It didn’t show you the pin name on probe, so not purpose built like the upcoming Glasgow applet. But it would let you visually see which pin flips when you probe. It was… functional.

https://atlis.etesters.com/product/1757CA69-1422-08DF-AAB0-0C7B93FDDDDB/jtag-boundary-scan-circuit-debugging-software/

JTAG / Boundary-Scan Circuit Debugging Software

View product information for JTAG / Boundary-Scan Circuit Debugging Software.

Show thread✧✦Catherine✦✧Feb 28
@craigjb @joshua remind me sometime next week if I don't come around to doing it
Show thread✧✦Catherine✦✧Feb 28
@craigjb @joshua here's a demo
Show threadJonasMar 2
@whitequark
Ok this is really neat
@craigjb @joshua
Show threadPepperMar 2
@whitequark @craigjb @joshua I think I know what's going on, but still, that seems magical
Show thread✧✦Catherine✦✧Mar 2

@pepper @craigjb @joshua it really is!

(i'm sending a pseudorandom waveform into a pin and then correlating it with everything in BSDL)

Show threadPepperMar 2
@whitequark @craigjb @joshua so slightly less magic than I was thinking, but more mathematically fun, I was thinking that that probe was not connected to anything, and you were somehow doing capacitive touch over JTAG
Show thread✧✦Catherine✦✧Mar 2
@pepper @craigjb @joshua that could also be made to work, however it would be much less stable & involve sending potentially destructive voltage down unknown components so i would not do that
Show threadJoshua WiseMar 2
@whitequark @pepper @craigjb the other variant of this trick that I learned from @furan is that he loads a PLD with a bitstream that puts a UART on every pin, and spits out every pin's name over that UART, and then you take your favorite UART and touch it to each pad on the board and see what comes out. this is obviously much trickier to do with boundary scan because async serial is timing-sensitive and boundary scan is traditionally quite slow (and also, it requires driving pins as outputs, which is somewhat more dangerous), but it is a cool analogous trick to have in your back pocket
Show thread✧✦Catherine✦✧Mar 2

@joshua @craigjb @pepper @furan you don't really need to do this async; you can use either a self-synchronizing encoding or (if your JTAG adapter and the receiver are in the same device) just use DR update as your USART clock

I'm aware of the trick (I think maybe florent came up with it? at least I thought so, it's a little too obvious probably for only a single person to originate it) but not using it because I don't want to drive any pins hard

Show threadIan HanschenMar 2
@whitequark @joshua @craigjb @pepper I think we all come up with it when we go “its a programmable device maybe I can automate the probing” - first time I did it was ~2010.
Show threadIan HanschenMar 2
@joshua @craigjb @pepper @whitequark lol I shared this literally last night
Show threadJoshua WiseMar 2
@furan @craigjb @pepper @whitequark well I'll be! I looked on Mastodon to see and because I thought I remembered that, but then I thought I dreamt it or something. what baud rate did you achieve over boundary scan?