asciilifeform: fwiw the only nonstandard chip is the h1.
asciilifeform: well yes, the schem
asciilifeform: i have already identified all of the major components
asciilifeform: fwiw i don't have any use for anything short of the schem
asciilifeform: last i saw.
asciilifeform: and it ain't there.
asciilifeform: right
asciilifeform: the schem, for instance, is not given to repair contractors. or i would already have found it.
asciilifeform: srsly, try walking into repair with chromebook. 'we can reset this for you for $50', lol
asciilifeform: board-swapping monkeys.
asciilifeform: i don't see this as a productive line of probing
asciilifeform: that was |\n
asciilifeform: nope
asciilifeform: but you will not find these in usa.
asciilifeform: yes in china there are repair shops that lift bga etc.
asciilifeform: ( i do it right here with 10min of work )
asciilifeform: lol what does 'repair shop' do aside from swapping mb
asciilifeform: but sure.
asciilifeform: i have a pretty good idea of the power sequencing, from reading the ec and cr50 srcs
asciilifeform: aa
asciilifeform: so i'm not sure what you expect to find in a vendor repair book
asciilifeform: there is nothing usefully removable on the mb, aside from the heat sink
asciilifeform: not much use ( it is not difficult to open, and the c100pa published disassembly applies to this one, the screws are in same places )
asciilifeform: repair guide only shows you how to get the box open, really
asciilifeform: you can extract strings from it, and see which bob rev etc
asciilifeform: swiftgeek: here, btw, is the factory boot rom (crippled coreboot) from that winbond : http://loper-os.org/pub/c101pa/factory_rom.bin
asciilifeform: to be fair, it's a pretty recent box.
asciilifeform: c101pa finds various retailers, and, if you dig persistently, asciilifeform's www, and that's currently more or less it.
asciilifeform: there is very little to be had in the search results, other than the src repo itself
asciilifeform: you will find the string in the boot rom fw also
asciilifeform: September 1, 2017 Asus Chromebook Flip C101PA Bob rk3399 etc
asciilifeform: https://www.chromium.org/chromium-os/developer-information-for-chrome-os-devices << see vendor's chart.
asciilifeform: dev version of same, was 'gru'
asciilifeform: google's product code is 'bob'
asciilifeform: what do you mean by 'name' ?
asciilifeform: see also http://btcbase.org/log/2018-06-11#1822402 .
asciilifeform: if i can exploitably crash the thing , my job is done
asciilifeform: at any rate, my current approach will be to do some fuzzing of the cr50 console and slave spi interfaces
asciilifeform: sure
asciilifeform: which is what the designer was banking on when he put in the false metallization layers etc.
asciilifeform: the way it usually ends, is that we learn something useful just in time for the device to go out of print.
asciilifeform: swiftgeek: you know how this usually ends, right ?
asciilifeform: loper_os_cr50: hello ?
asciilifeform: but this is still in progress.
asciilifeform: swiftgeek: even more ideally, would learn this without waiting for decaps.
asciilifeform: !!up loper_os_cr50
asciilifeform: ideally
asciilifeform: !!up swiftgeek
asciilifeform: and whether there is any mechanism to inhibit them
asciilifeform: i, for instance, would like to know which fpga was their starting point. and where its factory test pads are.
asciilifeform: swiftgeek: out of curiosity, what would you look for in a die shot ?
asciilifeform: rather than, say, to fill photo album with pretty pics.
asciilifeform: swiftgeek: my specific interest is to get arbitrary code exec on the device.
asciilifeform: it so happens that i know how decapping etc is done.
asciilifeform: the sad bit is that it is many yrs of labour, to go from even a high quality die shot, to functionality
asciilifeform: i.e. 100% replacement of the old infineon they formerly used
asciilifeform: swiftgeek: look in the src, it incorporates tpm
asciilifeform: given as it is a tpm/drm crock of shit, i fully expect false metal masks and the other joys of 'tamper resistance'
asciilifeform: lol i was not speaking of timing xtal
asciilifeform: sorry, ru world terminology
asciilifeform: i mean, asic die.
asciilifeform: not clock crystal, lol
asciilifeform: i'd luvv to be proven wrong on this subj
asciilifeform: got example of a successful public reversing of any recent (i.e. post-1995) crystal ?
asciilifeform: swiftgeek: i intend to send a unit to zeptobars in near future. i do not however expect any interesting result, afaik no 22nm or similar density device has ever been publicly reversed
asciilifeform: the latter , you can get root shell on, on stock machine if it is in dev mode
asciilifeform: and cpu uart ( from the rk3399 ) on /dev/ttyUSB2
asciilifeform: btw you will get EC uart on /dev/ttyUSB1
asciilifeform: !!up |\n
asciilifeform: in fact , if you are so fond of lifting bga, lift the cpu , the spi rom, and the ec, and you will find that you still get the /tty/USB0 shell
asciilifeform: it runs on the h1 device pictured in h1.jpg.
asciilifeform: or the EC
asciilifeform: and it does not rely on the cpu (referred to as 'AP' in google's srcs)
asciilifeform: because you are talking to cr50, which is active at all times, even when 'off'
asciilifeform: you will observe that you are still able to communicate with the machine
asciilifeform: disable the spi boot rom using the method shown in http://www.loper-os.org/?p=2382 article. then insert the 'suzyq' debug cable, shown in http://www.loper-os.org/?p=2415 ;
asciilifeform: swiftgeek: given your introduction ( http://btcbase.org/log/2018-06-11#1822589 ) i assume you may be interested in verifying fact that cr50 is not a subfunctionality of the ordinary (i.e. kept in winbond spi ) bootrom or the EC controller ('nuvoton' arm , visible in right hand of photo ). this is very simple to do:
asciilifeform: https://osmocom.org/projects/baseband/wiki/MotorolaC123 << these ?
asciilifeform: hence investigation of c101pa and similar
asciilifeform: currently i am not very interested in intel iron
asciilifeform: ( its rail is controlled via EC )
asciilifeform: thus far i know how to cut power to it, and this suffices for my purpose
asciilifeform: at any rate i am not presently concerned with the 80211 card
asciilifeform: ( waste pcb won't tell you that you have not reflowed/mutilated/stress-fractured something )
asciilifeform: like anatomical practice on corpses, the approach has its obvious limits
asciilifeform: swiftgeek: if you end up doing it, plz consider publishing the procedure
asciilifeform: aha
asciilifeform: prolly would need ir preheater for the underside ?
asciilifeform: how would you go about lifting it without ending up reflowing the internals?
asciilifeform: yep looks like the same footprint
asciilifeform: ( or the plain usb3 )
asciilifeform: swiftgeek: you can infer exact dimension from the usbc jack
asciilifeform: the module is soldered on
asciilifeform: there's no socket on the pcb
asciilifeform: with reballing etc. lol.
asciilifeform: swiftgeek: the wifi ? on this one ? seems to be on pci bus
asciilifeform: but in theory you can plug in usb wifi etc
asciilifeform: wifi is soldered down on these
asciilifeform: ( according to amstan , a fella from #linux-rockchip who introduced himself as one of the designers, but is rather tight-lipped )
asciilifeform: also apparently was known as 'gru' in early in-house versions