I also want to give a shout-out to WatchGuard for publishing actual hardware specifications for their devices instead of being like most vendors and just saying nebulous things like "supports up to 200 clients and up to 450Mbit VPN"
Hal 9000
@hal9000@infosec.exchange
- 49 Followers
- 5 Following
- 47 Posts
I void warranties and ask companies for their GPL source code. Currently clean on OPSEC.
And none of these devices have mini-PCIe/M.2 PCIe available, so upgrade options are limited.
Although I will say the T20 specification is wrong, ECC is not present:
Detected UDIMM Fixed DDR4 on board
1.9 GiB (DDR4, 32-bit, CL=11, ECC off)
The T40 also not (though it was never claimed):
Detected UDIMM Fixed DDR4 on board
3.9 GiB (DDR4, 32-bit, CL=11, ECC off)
And, pleasant surprise, the T80 does have ECC enabled (and it isn't stated in the specs):
Detected UDIMM Fixed DDR on board
3.9 GiB (DDR4, 64-bit, CL=11, ECC on)
Next up (for now) is the Poly Studio P009 4K HD USB Video Conference System (2201-85308-001).
It's a fancy conference room camera/sound bar based on the TurboX S626 SOM (Qualcomm Snapdragon 626). Which... apparently also works as a USB-C webcam?
https://fccid.io/M72-P009/Internal-Photos/Internal-photos-4177031.pdf
If you squint real hard at the FCC photos, you can see a DEBUG header and a USB BOOT button. No idea if secure boot is enabled, but I suspect it would be given Qualcomm and all these vendors seem to enjoy locking their stuff down (as one does).
The Cisco TTC7-23 (Conference Webex Room Kit) and TTC50-21 (Webex Room 55) are also based on the NVidia TX1, and are also cheap AF!
https://fccid.io/LDK7-23-2377/Internal-Photos/Internal-Photos-3287133.pdf
https://fccid.io/LDK07251456/Internal-Photos/Internal-Photos-3290400.pdf
Cisco has as security advisory out on the TX1 where they claim to have permanently disabled RCM: https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20180620-nvidia-tx1-rom.html
Kind sus, considering all the other vendors with a TX1 (like Nintendo) would have just done the same thing, but who knows, maybe Cisco didn't properly burn the efuses at the factory and could still update them in the field to disable RCM, all I could find about this was an Nvidia thread from years ago with information that isn't totally clear: https://forums.developer.nvidia.com/t/how-to-block-rcm-mode-and-jtag-by-enabling-bits-in-fuse-blob/110622
BTW there is also a big Altera Arria 10 FPGA on the TTC50-21, if that's of interest to anyone.
Poly/Polycom Pano 4K Content Sharing Device (2201-29400-001). FCC photos show it's based on the NVidia TX1!
https://fccid.io/M72-PANO/Internal-Photos/Internal-Photos-3273480
Poly datasheet mentions:
"Security
• Secure Boot
• Signed Software"
But, but, it's the TX1, known for Fusée Gelée.
Sure, the TX1 is old now, but these devices are dirt cheap, under $20
I don't have time, money, or significant other approval to buy all these cool things and tear them down so I'm going to throw some info up here in the hopes that someone with access to e-waste will come across them and do something cool.
In no particular order:
Literally unusable.
According to the postmarketOS docs, the Samsung Galaxy S8 (dream) should boot. Sadly, it gets this far and then something bad happens in userland and booting stops.
Very annoying to try and debug with ~100 lines of dmesg-ramoops from TWRP. Apparently UART exists but scraping solder mask and then micro soldering is required.
Dear Fediverse, anyone has experience dumping LPC bus and can help a noob? I am having (I think) a layer 7 problem.
https://github.com/stacksmashing/LPCClocklessAnalyzer seems to crash almost immediately after the capture begins. Am I doing something obviously wrong or is it time to attach gdb and cry deeply into some C++ code?
thebestnom