heyyyyyy. check this out

i bought one of those chinese motherboards which get the UEFI package from American Megatrends and then enable options with the guiding principle of "YES."

check out how many juicy bits it has

you can turn the memory scrambler on and off! it even tells you the seed it has on, i think, this specific boot?

@whitequark if you want this type of bios in mobile form factor, https://tpart.net , too. I bugged the ODM on wechat to give me a datasheet for the EC and a pinout for the EC debug header but sadly did not manage to get a schematic for how the EC GPIOs are hooked up

@joshua do you have a BSDL? if yes and you can access JTAG, I have a #GlasgowInterfaceExplorer applet for you that will tell you this in a single touch of a probe
@whitequark I have the pinout for the debug header, not the rest of the GPIOs. the debug header exposes user-accessible SMBus, but with a hardware monitor circuit where if you send it the right pattern of toggles it'll go 'oh, ok, my bad' and turn off the user-accessible SMBus and put it into backdoor reprogramming mode, and I have in fact gotten this working using something like https://github.com/c0d3z3r0/i2ite
@whitequark I am not entirely excited about the concept of boundary scan brute forcing each GPIO on the board, lest I Find Out. I think probably static and/or dynamic analysis of the EC FW is going to be a better bet