
swiftgeek: hl`: especially when you think about reselling the device
hl`: yes, exactly. i'm talking about the use of owner-controlled TPMs to secure against other parties.
swiftgeek: hl`: but OTP root of trust is not a solution either
asciilifeform: and i am definitely not interested in iron that protects against ~my~, the owner's, physical attack.
swiftgeek: hl`: you don't need physical attack there really
swiftgeek: otherwise it can be pretty easily replayed
asciilifeform: over in the civilized world, we http://trilema.com/2013/how-to-airgap-a-practical-guide/ our crypto.
asciilifeform: they're a nsa boobytrap, sold under the fraudulent pretense of 'security'
swiftgeek: hl`: not exactly that case either
hl`: not really trustworthy if they have non-free firmware on them, but theoretically they have a use case
hl`: no, TPMs _can_ be used to secure your own stuff if _you_ control them
swiftgeek: then everything would need to be implemented properly in SoC
asciilifeform: why the FUCK would you want 'open' manacles ?
asciilifeform: j2 at least has the virtue of being small, and fitting in ice40 fpga.
swiftgeek: sure but they will chip into contributing to toolchain
asciilifeform: other than as fpga softcore -- where ?
asciilifeform: fabrication, is the rub.
asciilifeform: swiftgeek: the typical x86 pc 'infineon' etc tpm, cannot do such interesting things as overriding bios write protect, accessing microphone, etc
swiftgeek: so if somebody has separate module they are left vulnerable
swiftgeek: asciilifeform: ditto for any other TPM
asciilifeform: ( afaik strictly via the console, but this remains to be determined )
asciilifeform: i can also 'replace the card' by switching off its power rail via ec and inserting usb nic dongle.
a111: Logged on 2018-06-11 20:09 asciilifeform: swiftgeek: my specific interest is to get arbitrary code exec on the device.
asciilifeform: swiftgeek: understand, i have a quite specific aim in re this machine, outlined in http://btcbase.org/log/2018-06-11#1822866 . i do not particularly care re the irrelevant details, e.g. the shape of the antennae in m2, or the exact diameters of the screw holes, etc.
swiftgeek: yeah another one of those modular certification
swiftgeek: asciilifeform: i can tell at the very least it doesn't look like anything ROHM would make (the chip)
asciilifeform: ( and by the total unavailability, other than as antique, of actual computer )
swiftgeek: while it's illegal dump, you have to deal with it nevertheless
swiftgeek: it's kinda like neighbouring country dumping some trash in forest of other country
asciilifeform: hl`: please read the chan logs and make use of the search, before asking q, http://btcbase.org/log/
swiftgeek: but don't actually treat them like that
asciilifeform: swiftgeek: as soon as they roll off the conveyor.
a111: Logged on 2018-06-11 19:57 asciilifeform: swiftgeek: given your introduction ( http://btcbase.org/log/2018-06-11#1822589 ) i assume you may be interested in verifying fact that cr50 is not a subfunctionality of the ordinary (i.e. kept in winbond spi ) bootrom or the EC controller ('nuvoton' arm , visible in right hand of photo ). this is very simple to do:
asciilifeform: at any rate i encourage folx who think that i dreamed it all, to build the snake ( i posted schem ) and do the exact experiment suggested earlier in http://btcbase.org/log/2018-06-11#1822821 .
swiftgeek: i didn't know they have actually made it finally
asciilifeform: ( their chan's )
swiftgeek: gagarine is the machine
asciilifeform: see the june 9 log.
asciilifeform: the fella in #rockchip-linux ?
asciilifeform: not to mention that i do not have the 'servo' device, nor see anything to be won from building it ( it gives access to the consoles, which i already have, and spi, which i already have via soldered probes, and that's it. )
swiftgeek: libreboot thinkpad doesn't have it easy, neither BSDLs nor XOR test chains are described for our montevina targets
asciilifeform: a chinese shop could, for instance, mount the http://www.loper-os.org/pub/c101pa_dbg.jpg ( 'google servo' ) connector, on to the vacant pads. BUT this does not give me anything that i do not already have via the 'suzyq'.
swiftgeek: whether they use it or not it's up to them xD
a111: Logged on 2018-06-08 17:15 asciilifeform: i was able to flash in the https://gsdview.appspot.com/chromeos-localmirror/distfiles/cr50.r0.0.10.w0.3.4.tbz2 image ; it supports a few moar commands, including 'rma open' returned-to-factory unlocker thing. but result was , unsurprisingly, 'with notes from hitler only' : http://www.loper-os.org/pub/c101pa/c101pa_unlock_nodice.txt
asciilifeform: so far my only clue that h1 actually runs the given fw , is that i was able to flash in a vendor update : http://btcbase.org/log/2018-06-08#1821699 and ended up with a slightly different, in the ways suggested by the src, console
swiftgeek: either chipie does far less or the thing is secret
swiftgeek: together with your explanation of purpose of the chip
asciilifeform: but i have no way to verify the truth of what he said, aside from noticing that there is 0 discussion anywhere on the net, aside from #trilema and my www, of the h1.
asciilifeform: according to amstan , the fella claiming to be a designer of c101pa , everything connected with cr50 is deeply trade secret, and shared with no one outside of google.
swiftgeek: otherwise you are literally reversing open source code to figure out something that is presented clearly and for sure in boardview/schematics
asciilifeform: everything else, is off-the-shelf
asciilifeform: fwiw the only nonstandard chip is the h1.
asciilifeform: well yes, the schem
asciilifeform: i have already identified all of the major components
asciilifeform: fwiw i don't have any use for anything short of the schem
asciilifeform: and it ain't there.
swiftgeek: they are
asciilifeform: the schem, for instance, is not given to repair contractors. or i would already have found it.
swiftgeek: asciilifeform: i would bake cookies and bring them some xd
swiftgeek: (at the end of their shift)
swiftgeek: then just bring cookies and whatnot
asciilifeform: but you will not find these in usa.
asciilifeform: yes in china there are repair shops that lift bga etc.
asciilifeform: i have a pretty good idea of the power sequencing, from reading the ec and cr50 srcs
asciilifeform: there is nothing usefully removable on the mb, aside from the heat sink
asciilifeform: not much use ( it is not difficult to open, and the c100pa published disassembly applies to this one, the screws are in same places )
asciilifeform: repair guide only shows you how to get the box open, really
swiftgeek: asciilifeform: repair guide is something that asus supplies for their devices
asciilifeform: swiftgeek: here, btw, is the factory boot rom (crippled coreboot) from that winbond : http://loper-os.org/pub/c101pa/factory_rom.bin
swiftgeek: they are doing this shitty naming on purpose
asciilifeform: there is very little to be had in the search results, other than the src repo itself
asciilifeform: you will find the string in the boot rom fw also
swiftgeek: yeah then judging from c201pa entry
swiftgeek: asciilifeform: do you know what is the name of the board yet or not ?
swiftgeek: anyway back to the name
a111: Logged on 2018-06-11 15:46 asciilifeform: one interesting observation, is that the update mechanism lets you flash in arbitrary crapola into 'rw' section ( it simply won't jump to it if it doesn't pass rsa(sha256(payload)) ) . so theoretically could put a nop sled there, ending with jump into the magic half of unlock routine. and then expose the thing to beta/gamma, and perhaps in a few months it will Do The Right Thing
asciilifeform: if i can exploitably crash the thing , my job is done
asciilifeform: at any rate, my current approach will be to do some fuzzing of the cr50 console and slave spi interfaces
swiftgeek: oh wait that's another filing lol
asciilifeform: which is what the designer was banking on when he put in the false metallization layers etc.
asciilifeform: the way it usually ends, is that we learn something useful just in time for the device to go out of print.
|\n: imaginary, just in theory, can it be some ST72264G2
swiftgeek: asciilifeform: just like via matched their to what asmedia stole from them
asciilifeform: and whether there is any mechanism to inhibit them
asciilifeform: i, for instance, would like to know which fpga was their starting point. and where its factory test pads are.
swiftgeek: but it would be clearly marked on the die as well
swiftgeek: asciilifeform: possible theories of what PMH7 is were pretty wild till we realized it's TC200G
swiftgeek: asciilifeform: sure but not looking can double the work
asciilifeform: rather than, say, to fill photo album with pretty pics.
asciilifeform: swiftgeek: my specific interest is to get arbitrary code exec on the device.
swiftgeek: the point is to see something in it
asciilifeform: the sad bit is that it is many yrs of labour, to go from even a high quality die shot, to functionality
swiftgeek: then yeah inform zeptobars about the need to remove metal layers
asciilifeform: i.e. 100% replacement of the old infineon they formerly used
asciilifeform: swiftgeek: look in the src, it incorporates tpm
swiftgeek: but if they are bunch of dicks then first visible layer will be just metal blocking chip from the view
asciilifeform: given as it is a tpm/drm crock of shit, i fully expect false metal masks and the other joys of 'tamper resistance'
swiftgeek: asciilifeform: they are marked usually on die
swiftgeek: asciilifeform: then i would really recommend finding dead one and sending chip to zeptobars
asciilifeform: the latter , you can get root shell on, on stock machine if it is in dev mode
asciilifeform: and cpu uart ( from the rk3399 ) on /dev/ttyUSB2
asciilifeform: in fact , if you are so fond of lifting bga, lift the cpu , the spi rom, and the ec, and you will find that you still get the /tty/USB0 shell
asciilifeform: it runs on the h1 device pictured in h1.jpg.
swiftgeek: welp that's interesting and if it spews out a lot of uart then it's most likely running on some core
asciilifeform: or the EC
asciilifeform: and it does not rely on the cpu (referred to as 'AP' in google's srcs)
asciilifeform: you will observe that you are still able to communicate with the machine
asciilifeform: disable the spi boot rom using the method shown in http://www.loper-os.org/?p=2382 article. then insert the 'suzyq' debug cable, shown in http://www.loper-os.org/?p=2415 ;
asciilifeform: swiftgeek: given your introduction ( http://btcbase.org/log/2018-06-11#1822589 ) i assume you may be interested in verifying fact that cr50 is not a subfunctionality of the ordinary (i.e. kept in winbond spi ) bootrom or the EC controller ('nuvoton' arm , visible in right hand of photo ). this is very simple to do:
swiftgeek: compal made them afair xD
swiftgeek: (compal alone makes the best boards for debugging /repair)
swiftgeek: and afair end result was worst aspect of them both combined
asciilifeform: at any rate i am not presently concerned with the 80211 card
swiftgeek: and fix them
asciilifeform: like anatomical practice on corpses, the approach has its obvious limits
asciilifeform: swiftgeek: if you end up doing it, plz consider publishing the procedure
swiftgeek: and it kinda depends on thermal mass in that area
asciilifeform: prolly would need ir preheater for the underside ?
asciilifeform: how would you go about lifting it without ending up reflowing the internals?
asciilifeform: yep looks like the same footprint
asciilifeform: ( or the plain usb3 )
asciilifeform: swiftgeek: you can infer exact dimension from the usbc jack
swiftgeek: i can't guess dimensions properly so let's assume it's the same as with c201pa
asciilifeform: the module is soldered on
asciilifeform: there's no socket on the pcb
swiftgeek: asciilifeform: great then you can replace it !
asciilifeform: swiftgeek: the wifi ? on this one ? seems to be on pci bus
asciilifeform: but in theory you can plug in usb wifi etc
asciilifeform: wifi is soldered down on these
asciilifeform: ( according to amstan , a fella from #linux-rockchip who introduced himself as one of the designers, but is rather tight-lipped )
a111: Logged on 2018-06-11 15:41 asciilifeform: for completeness, http://www.loper-os.org/pub/c101pa/mb_top.jpg + http://www.loper-os.org/pub/c101pa/mb_btm.jpg ( apologies for the sad photos, they came out of a flatbed, evidently not ideal tool for this job )
asciilifeform: swiftgeek: here's a flatbed scan of the board, http://btcbase.org/log/2018-06-11#1822396
swiftgeek: asciilifeform: what's the name of the board?
asciilifeform: the h1 is the item in the right hand side of the photo
swiftgeek: i confused the 2 for 1 and this is the thing?
asciilifeform: the c101pa itself was introduced in '17
swiftgeek: sure but they are not using old stock
asciilifeform: ( it's the bootloader fw, btw )
swiftgeek: from this pic, what's the newest date code ?
asciilifeform: ( i cannot rule out the possibility that it was built in cooperation with, or at the facility of , infineon; it is stamped 'TWN' so this is at least theoretically hinted )
asciilifeform: google baked it as a replacement for the infineon.
asciilifeform: swiftgeek: to complete the picture, my initial interest in cr50 was in the debug functionality; the thing can override #WP signal and rewrite the EC and boot roms , via usb snake. so it'd be quite convenient to have access. however the factory firmware locks it.
asciilifeform: thus far i know nothing about it aside from the update/reflash mechanism (it is done via the ec)
asciilifeform: swiftgeek: i actually started with attempt to port generic coreboot to c101pa, and ended up finding the cr50 by accident
asciilifeform: swiftgeek: if you are a thinkpad aficionado, there is a patched x60 bios in the logs, iirc 2015
swiftgeek: T line belongs to USI till T400/500, then lenovo took over
asciilifeform: swiftgeek: i definitely noticed the change.
swiftgeek: as if there was some noticeable change xD
|\n: any other devices with the extra similar one (even with brushed label)?
asciilifeform: |\n: best suspicion thus far is that it is a 'hardcopy fpga' (cheap, relatively, method for getting chip baked, they apply a custom metallization mask to a stock crystal)
asciilifeform: ( i do not yet know what is in the 201pa )
swiftgeek: asciilifeform: sure it is , it's the best way
deedbot: http://qntra.net/2018/06/israeli-knesset-quietly-disqualifies-equality-bill-maintain-the-jewish-majority-even-if-it-violates-rights/ << Qntra - Israeli Knesset Quietly Disqualifies Equality Bill: Maintain The Jewish Majority Even If It Violates Rights
swiftgeek: asciilifeform: if somebody will end up with dead c201pa in eu then hopefully i will get it for teardown if they remember
asciilifeform: ( if you simply lift it, there'll be no signals, board doesn't come up )
asciilifeform: and get a trace of all of the signals
asciilifeform: what you'd want, is to solder an interposer b/w the cr50 and the pcb
|\n: in terms of labour there are many people who would lift it and reflow for 5-10 usd per operation, even here in russia, but epoxy will ruin such perfect model =)
asciilifeform: soldering however many balls are under it, to bodge wires, and attaching logic analyzer etc, is the headache
asciilifeform: yes anybody can lift bga ( tricky to do without cracking the board, but doable if you are patient )
asciilifeform: sticking point is to solder to the balls
asciilifeform: that's not the sticking point
swiftgeek: they are cheap
asciilifeform: swiftgeek: if you'd like to take a c101pa and deball the bga and try this, and post article, i promise to read
swiftgeek: looking at some code you found there isn't the same as poking the actual thing
asciilifeform: and as soon as we start doing it, they'll start pouring epoxy, and then cost goes up yet again
asciilifeform: google's src already contains everything you need, in theory, to make a hypothetical benign replacement for cr50
swiftgeek: asciilifeform: the point is to take some lessons from that 1 unit
asciilifeform: sure, but i want 1000+ units, rather than 1 elaborately handcrafted.
asciilifeform: swiftgeek: asciilifeform's orig plan was to sell cleansed c101pa machines. if this said cleansing requires lifting a bga, and attaching a manufactured replacement , we will be talking about considerably different cost than if the machines can be cleansed in 10min via software, via debug snake.
swiftgeek: asciilifeform: after that once you have confirmed model of black box and from then you can figure out something way more efficient
asciilifeform: swiftgeek: the way it is connected now, the box won't actually power up without it
asciilifeform: but conceivably you could , at some expense, come up with a pad-for-pad substitute, and lift the thing, then solder to the balls
asciilifeform: so far we know that it handles the power button signal; the reset magic combo on the kbd; and the 3.3v rail bringup. it also handles the usb debug functionality that you get with the cable linked earlier
asciilifeform: they moved power supply init into it
asciilifeform: if these are found, and found to work, it is likely to be the shortest path to proper jailbreak
asciilifeform: swiftgeek: in re cr50, i am specifically interested in whatever factory test pads exist , with which the thing may be filled up with initial fw on manufacture
asciilifeform: ( the cr50 rom is ~not~ kept in the winbond spi rom where the boot loader ( google's crippled coreboot ) lives )
asciilifeform: all i've been able to find is that 1) it is an arm cortex-m , prolly licensed 2) started life as fpga ( see google's src, comments repeatedly refer to earlier vers as 'fpga' , then , later, 'g-chip' )
swiftgeek: and sent it to zeptobars or what they were called
swiftgeek: asciilifeform: also decap the damn chip
asciilifeform: swiftgeek: even simple xray would give you basic info, such as the number of balls in the bga, and possibly the routes of the test pads (it ain't a very crowded pcb)
swiftgeek: also if you somehow damage C201PA irrecoverably please don't trash them
asciilifeform: swiftgeek: if you want to talk to the cr50 in your unit, all you need is the simple cable in http://www.loper-os.org/?p=2415 article
a111: Logged on 2018-06-11 15:35 asciilifeform: http://www.loper-os.org/pub/c101pa/h1.jpg << observe, cr50 has buncha test pads. i bet half a dozen of these, are used for factory fillup.
|\n: good shout, sure i got my miserable excuses, since i'm not media person, i constantly attempt to tell about such things to people who show interest, but the scales are as miserable as my excuses hah
asciilifeform: the english people are clinically retarded. let's try the civilized world, how about.
asciilifeform: |\n: i noticed today that there is 0 discussion of cr50/h1 in ru net
|\n: so i doubt there's anything remarkable i could tell about myself heh
trinque: cool, there are several russian speakers present
|\n: trinque, i'm just a dude that sometimes hears of phuctor and things that include links to the blog, i like what i see, cool pals discuss it, i'd like to track more of it, whatever it is
trinque: one might, say, introduce himself, like even my cat does when he walks into the room
asciilifeform: |\n: recommend to read the logs, and make use of the search
asciilifeform: |\n: ideally, you go and register gpg key with deedbot. then , let's say i rate you, and then you can speak whenever you have something to say.
|\n: what is the normal channel "flow", meaning how would i even ask a question if i got one
trinque: this assuming for the moment that such things aren't immediate and reliable signs the speaker's an idiot
apt-get: I'm more interested in that kind of persona rather than adopting an identity meant to be recognized
apt-get: the reason I keep using this nick is because it's quite handy to have personal info drowned out in a sea of noise when someone tries to look it up
asciilifeform: in re 'rude', the starting point is http://btcbase.org/log/2016-09-07#1536618
asciilifeform: and then get yerself a proper nick, and register gpg key with deedbot , and become a person
asciilifeform: apt-get: use the search box to find subjects that interest you
asciilifeform: beats the shit out of plain lurking
asciilifeform: apt-get: i recommend to read the logs
BingoBoingo: asciilifeform: I can ask. Is the PCB already in Uruguay?
mircea_popescu off to the dungeons. bbl!
asciilifeform: prolly there was a spicier ver. with bullocks, whole orchestra.
mircea_popescu: not where i lived, either. but in the shitplain of southern romania ? very fucking needed.
asciilifeform: aha! them
mircea_popescu: asciilifeform, i recall it too. i was fucking there! the motorola "cell phones" you could maim someone with, and the inductor computers, and so on.
asciilifeform: thing went in the boot , display on long cable , hanging somewhere near gearshift
mircea_popescu: in the immortal words of barry fitzgerald, "let a good piece of machinery earn its fuel"
mircea_popescu: car's got what 3 ? 400 HP under the hood ? let it work.
asciilifeform: ( btw another reason c101pa would be a spiffy orc lappy -- it's got no fans/ducts )
a111: Logged on 2018-01-31 13:56 mp_en_viaje: in other "thanks goodness computer means programmable machine", i have here this hp elitebook. it has the backlight permanently welded to "retina cancer". the "function" key bs works for everything else EXCEPT setting the brightness, fn-f9 does 0.
mircea_popescu: but eg why should i throw out http://btcbase.org/log/2018-01-31#1778739 ? even if it's used once in a month, you fixed it for me, it's going in the tmsr museum
asciilifeform: ( often there'll be half a kg of dirt in the ductwork, but thing will still work, after a fashion )
asciilifeform: why shouldn't they work.
mircea_popescu: no, they all work.
asciilifeform: aa then makes sense
asciilifeform: qualifier, then?
mircea_popescu: it's how it worked in the 90s, right, you went to a new kid's house, had no computer could not be friends, evidently underclass only good to shine your shoes.
mircea_popescu: anyway. i'm starting to think i'll simply add a "owns desktop" disqualifier to the list.
mircea_popescu: bitch... a phone is a computer in the sense your slit's a cock.
mircea_popescu: none of the girls own a desktop, you realize this ?
asciilifeform: 'killer micro' was colonized by microshit, and almost immediately began the march towards death, 'how do we keep plebes from copying gamez', culminating in today's boxen.
mircea_popescu: much like the killer micro was forgotten almost immediately once the handheld tivos were carted in qty.
asciilifeform: the calculators, bk0010 ( tiny little pdp clone ! ), etc. is a sunken atlantis. it was all forgotten almost immediately when imported pc was carted in in qty
mircea_popescu: whole consumerist thing only really started in earnest after the soviets went away.
asciilifeform: all these calculators came with full schems btw
mircea_popescu: the new soviets, however, are expected to hold it in hand -- the machine's all chinesium.
mircea_popescu: this is the fundamental difference -- in the original soviet, the little soviets were expected to plug selves into machine. which, while in a deeply feminine sort of way, is nevertheless somehow satisfying.
asciilifeform: 'land the capsule'
asciilifeform: it is sorta hilarious how a good 50-60% of the popular (they were hand-copied, and machine had no nonvolatile memory, you had to throw in the proggy each time you flipped the power on ) gamez, were based on the very soviet-flavoured diff. eqn. models the factory manual suggested
mircea_popescu: truth of the marketplace is that a cent of power was always worth millions of beauty.
mircea_popescu: asciilifeform, makes power, rather than beauty.
mircea_popescu: said everything else. then they want to talk about tin foils.
mircea_popescu: somehow all the "opponents" never managed to FUCKING SAY THIS, the only actual, valid argument.
a111: Logged on 2017-11-09 16:38 asciilifeform: ben_vulpes: mircea_popescu earlier suggested , 'boltzmann distrib' of coffee speck velocities, almost certainly has high end that grinds pieces of your vessel into the output
mircea_popescu: this, incidentally, is the true problem with nuclear reactors : exactly like the coffee grinder (see http://btcbase.org/log/2017-11-09#1735165 ), the probability of runaway is almost never 0.
asciilifeform: ( and there were astonishing oddities of other kinds, for this humble machine, e.g. a 'tetris' where, lacking a graphical display, you had to instead pick a numeric column where the piece drops, and give another number representing rotation, and keep whole thing in yer head... )
asciilifeform: so the hilarious bit, is that folx wrote variations on the theme, 'sim whore', 'bordello'
asciilifeform: one of these was 'reactor control' , with realistic constants, you had to ramp up reactor, control the rods and the sodium pump etc, object was to get max power but avoid meltdown
asciilifeform: but as the '90s marched on, the thing did not, apparently, immediately fade away and die ( troo comps remained expensive, rare, until '93-'94ish ); so folx continued to write and circulate samizdat gamez : http://lordbss.pp.ru/pmk.html
asciilifeform: here's a historical lul that mircea_popescu might find stimulating. asciilifeform ( and his brother, and a whole generation of folx ) grew up with a certain orc '100 bytes of ram, but hey it's fucking programmable' little box, http://www.alfredklomp.com/technology/mk-61 . and the Official b00k for it ( http://publ.lib.ru/ARCHIVES/G/GAYSHTUT_Aleksandr_Grigor'evich/_Gayshtut_A.G..html ) had various games (typically you had to draw on grid paper, to work the labyrinths, tank battles, etc ) ;
mircea_popescu: (and for the gandalfs in the peanut gallery : streetwalking is ~hard~. short of infantryman during war, streetwalker has the hardest, most biodemanding job there is. which is why i respect them a lot more than i respect githikipedia contributors)
mircea_popescu: and the results are never good.