✧✦Catherine✦✧Feb 27

heyyyyyy. check this out

i bought one of those chinese motherboards which get the UEFI package from American Megatrends and then enable options with the guiding principle of "YES."

check out how many juicy bits it has

you can turn the memory scrambler on and off! it even tells you the seed it has on, i think, this specific boot?

Show threadJoshua WiseFeb 27
@whitequark if you want this type of bios in mobile form factor, https://tpart.net , too. I bugged the ODM on wechat to give me a datasheet for the EC and a pinout for the EC debug header but sadly did not manage to get a schematic for how the EC GPIOs are hooked up
TP Art – ThinkPad is a work of art!

Show thread✧✦Catherine✦✧Feb 27
@joshua do you have a BSDL? if yes and you can access JTAG, I have a #GlasgowInterfaceExplorer applet for you that will tell you this in a single touch of a probe
Show threadCraig BishopFeb 28
@whitequark @joshua would the applet show pin state changes live with a pin number? I ask because I need to reverse the pinout on all these FMC headers. I wasn’t looking forward to doing it with OpenOCD…
Show thread✧✦Catherine✦✧Feb 28
@craigjb @joshua yes, just touch the pin with a probe and it tells you exactly which ball name it is (it parses BSDL)
Show thread✧✦Catherine✦✧Feb 28
@craigjb @joshua here's a demo
Show threadPepperMar 2
@whitequark @craigjb @joshua I think I know what's going on, but still, that seems magical
Show thread✧✦Catherine✦✧

@pepper @craigjb @joshua it really is!

(i'm sending a pseudorandom waveform into a pin and then correlating it with everything in BSDL)

Mar 2 at 3:40pmWeb
Show threadPepperMar 2
@whitequark @craigjb @joshua so slightly less magic than I was thinking, but more mathematically fun, I was thinking that that probe was not connected to anything, and you were somehow doing capacitive touch over JTAG
Show thread✧✦Catherine✦✧Mar 2
@pepper @craigjb @joshua that could also be made to work, however it would be much less stable & involve sending potentially destructive voltage down unknown components so i would not do that
Show threadJoshua WiseMar 2
@whitequark @pepper @craigjb the other variant of this trick that I learned from @furan is that he loads a PLD with a bitstream that puts a UART on every pin, and spits out every pin's name over that UART, and then you take your favorite UART and touch it to each pad on the board and see what comes out. this is obviously much trickier to do with boundary scan because async serial is timing-sensitive and boundary scan is traditionally quite slow (and also, it requires driving pins as outputs, which is somewhat more dangerous), but it is a cool analogous trick to have in your back pocket
Show thread✧✦Catherine✦✧Mar 2

@joshua @craigjb @pepper @furan you don't really need to do this async; you can use either a self-synchronizing encoding or (if your JTAG adapter and the receiver are in the same device) just use DR update as your USART clock

I'm aware of the trick (I think maybe florent came up with it? at least I thought so, it's a little too obvious probably for only a single person to originate it) but not using it because I don't want to drive any pins hard

Show threadIan HanschenMar 2
@whitequark @joshua @craigjb @pepper I think we all come up with it when we go “its a programmable device maybe I can automate the probing” - first time I did it was ~2010.
Show threadIan HanschenMar 2
@joshua @craigjb @pepper @whitequark lol I shared this literally last night
Show threadJoshua WiseMar 2
@furan @craigjb @pepper @whitequark well I'll be! I looked on Mastodon to see and because I thought I remembered that, but then I thought I dreamt it or something. what baud rate did you achieve over boundary scan?