swiftgeek: so likeliness of it leaking on its own is tiny
asciilifeform: fwiw i don't have any use for anything short of the schem
swiftgeek: what i mean is that chromebooks aren't popular in china
asciilifeform: and it ain't there.
asciilifeform: the schem, for instance, is not given to repair contractors. or i would already have found it.
swiftgeek: asciilifeform: i would bake cookies and bring them some xd
asciilifeform: srsly, try walking into repair with chromebook. 'we can reset this for you for $50', lol
swiftgeek: you need to at least check some points c'mon
swiftgeek: (at the end of their shift)
asciilifeform: i don't see this as a productive line of probing
swiftgeek: it never hurts trying
swiftgeek: i thought you were in russia
asciilifeform: but you will not find these in usa.
asciilifeform: yes in china there are repair shops that lift bga etc.
asciilifeform: i have a pretty good idea of the power sequencing, from reading the ec and cr50 srcs
swiftgeek: just board shots from 2 sides with few testpoints, block diagram and power sequencing / tree
asciilifeform: so i'm not sure what you expect to find in a vendor repair book
asciilifeform: there is nothing usefully removable on the mb, aside from the heat sink
asciilifeform: not much use ( it is not difficult to open, and the c100pa published disassembly applies to this one, the screws are in same places )
swiftgeek: it doesn't show that at all xD
asciilifeform: repair guide only shows you how to get the box open, really
swiftgeek: it's just a block diagram and power sequencing / tree
swiftgeek: asciilifeform: repair guide is something that asus supplies for their devices
asciilifeform: swiftgeek: here, btw, is the factory boot rom (crippled coreboot) from that winbond : http://loper-os.org/pub/c101pa/factory_rom.bin
swiftgeek: it should appear about now for that device
asciilifeform: c101pa finds various retailers, and, if you dig persistently, asciilifeform's www, and that's currently more or less it.
swiftgeek: they are doing this shitty naming on purpose
asciilifeform: there is very little to be had in the search results, other than the src repo itself
asciilifeform: you will find the string in the boot rom fw also
swiftgeek: yeah then judging from c201pa entry
swiftgeek: it's often close to coreboot name
swiftgeek: asciilifeform: do you know what is the name of the board yet or not ?
swiftgeek: anyway back to the name
a111: Logged on 2018-06-11 15:46 asciilifeform: one interesting observation, is that the update mechanism lets you flash in arbitrary crapola into 'rw' section ( it simply won't jump to it if it doesn't pass rsa(sha256(payload)) ) . so theoretically could put a nop sled there, ending with jump into the magic half of unlock routine. and then expose the thing to beta/gamma, and perhaps in a few months it will Do The Right Thing
asciilifeform: if i can exploitably crash the thing , my job is done
asciilifeform: at any rate, my current approach will be to do some fuzzing of the cr50 console and slave spi interfaces
swiftgeek: oh wait that's another filing lol
asciilifeform: which is what the designer was banking on when he put in the false metallization layers etc.
swiftgeek: asciilifeform: remember that recent AMD chipset from amdflaws?
asciilifeform: the way it usually ends, is that we learn something useful just in time for the device to go out of print.
|\n: imaginary, just in theory, can it be some ST72264G2
swiftgeek: asciilifeform: just like via matched their to what asmedia stole from them
asciilifeform: swiftgeek: you know how this usually ends, right ?
swiftgeek: eventually somebody will match it to factory
asciilifeform: but this is still in progress.
asciilifeform: swiftgeek: even more ideally, would learn this without waiting for decaps.
swiftgeek: + you can take some educated guesses
swiftgeek: yep and all that you will learn from photo of zeptobars
asciilifeform: and whether there is any mechanism to inhibit them
asciilifeform: i, for instance, would like to know which fpga was their starting point. and where its factory test pads are.
swiftgeek: but it would be clearly marked on the die as well
swiftgeek: asciilifeform: possible theories of what PMH7 is were pretty wild till we realized it's TC200G
swiftgeek: asciilifeform: sure but not looking can double the work
asciilifeform: rather than, say, to fill photo album with pretty pics.
asciilifeform: swiftgeek: my specific interest is to get arbitrary code exec on the device.
swiftgeek: the point is to see something in it
asciilifeform: it so happens that i know how decapping etc is done.
asciilifeform: the sad bit is that it is many yrs of labour, to go from even a high quality die shot, to functionality
swiftgeek: sigh i think i lost video about removing layers xD
swiftgeek: then yeah inform zeptobars about the need to remove metal layers
asciilifeform: i.e. 100% replacement of the old infineon they formerly used
asciilifeform: swiftgeek: look in the src, it incorporates tpm
swiftgeek: or do you just call it that
swiftgeek: asciilifeform: is it TPM for real?
swiftgeek: but if they are bunch of dicks then first visible layer will be just metal blocking chip from the view
asciilifeform: given as it is a tpm/drm crock of shit, i fully expect false metal masks and the other joys of 'tamper resistance'
swiftgeek: hopefully layers won't need to be removed
asciilifeform: lol i was not speaking of timing xtal
swiftgeek: no need to reverse really, just look at it
swiftgeek: asciilifeform: they are marked usually on die
asciilifeform: sorry, ru world terminology
swiftgeek: xtal? who reverses that? :D
asciilifeform: i'd luvv to be proven wrong on this subj
swiftgeek: asciilifeform: why would you expect that lol
asciilifeform: swiftgeek: i intend to send a unit to zeptobars in near future. i do not however expect any interesting result, afaik no 22nm or similar density device has ever been publicly reversed
swiftgeek: asciilifeform: then i would really recommend finding dead one and sending chip to zeptobars
asciilifeform: and cpu uart ( from the rk3399 ) on /dev/ttyUSB2
asciilifeform: in fact , if you are so fond of lifting bga, lift the cpu , the spi rom, and the ec, and you will find that you still get the /tty/USB0 shell
asciilifeform: it runs on the h1 device pictured in h1.jpg.
swiftgeek: welp that's interesting and if it spews out a lot of uart then it's most likely running on some core
asciilifeform: or the EC
asciilifeform: and it does not rely on the cpu (referred to as 'AP' in google's srcs)
asciilifeform: because you are talking to cr50, which is active at all times, even when 'off'
asciilifeform: you will observe that you are still able to communicate with the machine
asciilifeform: disable the spi boot rom using the method shown in http://www.loper-os.org/?p=2382 article. then insert the 'suzyq' debug cable, shown in http://www.loper-os.org/?p=2415 ;
asciilifeform: swiftgeek: given your introduction ( http://btcbase.org/log/2018-06-11#1822589 ) i assume you may be interested in verifying fact that cr50 is not a subfunctionality of the ordinary (i.e. kept in winbond spi ) bootrom or the EC controller ('nuvoton' arm , visible in right hand of photo ). this is very simple to do:
asciilifeform: https://osmocom.org/projects/baseband/wiki/MotorolaC123 << these ?
swiftgeek: compal made them afair xD
swiftgeek: remember osmocombb moto things?
swiftgeek: asciilifeform: well compal makes tons of things xD
swiftgeek: (compal alone makes the best boards for debugging /repair)
swiftgeek: and afair end result was worst aspect of them both combined
swiftgeek: (X series till x230 afair)
asciilifeform: thus far i know how to cut power to it, and this suffices for my purpose
swiftgeek: wistron thinkpads are pretty decent when it comes to repair
asciilifeform: at any rate i am not presently concerned with the 80211 card
swiftgeek: and fix them
swiftgeek: except that level up is grab pile of e-waste
asciilifeform: ( waste pcb won't tell you that you have not reflowed/mutilated/stress-fractured something )
asciilifeform: like anatomical practice on corpses, the approach has its obvious limits