asciilifeform: btw the #linux-rockchip d00d is definitely caught nao in telling a fib : 1) yes there is not one, but two magic keys (1 for flash updates, other for factory unlocker routine) and yes all deployed units can be popped via either
asciilifeform: https://archive.li/ZtbxL << clue re origin of 'h1'. seems like they took a 'metallization mask' fpga, a la early asicminer crapola, and ran a licensed cortex-m3 core .
asciilifeform: reminiscent of old-time gsm carriers and their crippled handsets
asciilifeform: http://btcbase.org/log/2018-06-08#1821694 << i actually had that box. the mechanism is clever but i suspect that it wears out ( my unit, to be fair, did not last long enuff for the kbd clockwork to wear out, mobo died 1st )
asciilifeform: phf: if you are able to build the usb snake -- lemme know which cr50 turd ver is in your box
asciilifeform: far upstack, re the 'cr50' thread -- asciilifeform woke up today and realized that we can simply cut #wp track on spi rom ( naturally after filling it with e.g. uboot )
asciilifeform: ( massive tank of a box, 32G, 8core thing, multiple drive slots, kg power brick, etc . but still sad and shallow, vs x60, not even speaking of troo desktop, kbd )
asciilifeform: mircea_popescu: i can't properly damn it, not having suffered with it with own skin
asciilifeform: i sat down to do this some yrs ago, then decided that life is too short
asciilifeform: spyked: reusing parts from existing lappy is possible, tho tricky, you would have to reverse engineer the kbd matrix, buy its weirdo connector somewhere , make kbd scan controller, etc.
asciilifeform: i was actually in line to buy the box myself, for something like a year, turn finally came but by that time i got to see the photos / reviews
asciilifeform: spyked: i could be wrong re the blobs, but iirc there is no fully open loader for a53
asciilifeform: don't encourage the 'i can peddle liquishit parts that would've been spat on in china street markets decade ago , if i stamp Open on the box!' hucksters.
asciilifeform: ( which is less painful than if nothing could be shat into it to begin with )
asciilifeform: if can find , e.g., overflow, then can have whatever payload waiting there to be jumped into.
asciilifeform: potentially we find a hole in this process.
asciilifeform: so far i did find how to disable #wp signal on the h1 ( it tracks the battery-triggered #wp ). the way updater works, it permits flashing in any old turd, and it goes in a temp slot, which only on next boot gets ecc-sigchecked
asciilifeform: this is to count only the onboard (i.e. excluding usb)
asciilifeform: there seem to be 4 onboard busses in the thing; ram ( just cpu and dram ) ; pci ( occupied by 80211 chip , you prolly could safely pull it out, even sits on conveniently protruding bit of pcb ) ; spi ( connects to : cpu; boot rom; ec ; 'h1' ) ; i2c ( connects to cpu ; 'h1' ; voltage regs ) .
asciilifeform: ( given as x86 cpu does not know how to speak spi/lpc/etc )
asciilifeform: on x86 boxen, southbridge usually sits directly between cpu and bios rom
asciilifeform: ( i.e. 'h1' does not sit , as far as i can tell, between cpu and bootrom , but rather sits on the bus )
asciilifeform: fwiw the boot rom reads from linux's ordinary spi driver, in userland
asciilifeform: i suspect the thing exists mainly to 1) help 'law enforce' folx pry passwords from unwilling patient's box 2) persistence nest for assorted usgologies installed via pwned userland
asciilifeform: but i've not found a remote trigger for it. (dun mean there isn't one)
asciilifeform: mircea_popescu: it can rewrite the boot rom, is what i know for certain so far
asciilifeform: upstack, before i start to fall asleep -- what do we wanna do in re the c101 ? march on with curing the 'ordinary' boot rom, and then sit on the thing pending a successful break of the cr50 booby ? shelf whole thing ? which'll it be