10:35 <purdeaandrei[m]> Alright, I figured this out. I checked the program counter, and reading it repeatedly I got two addresses: 0x10d4 and 0x10d6. I put the firmware into ghidra, and found it's an infinite loop that happens after a checksum comparison:

10:36 <purdeaandrei[m]> So interesting observations about the algorithm: the 32-bit sum + the checksum must equal 0

10:37 <purdeaandrei[m]> And the checksum seems to be calculated in blocks of up to 32 kilobytes (0x8000), so there's a 32-bit checksum for each 32 kilobytes of data

10:37 <purdeaandrei[m]> And MOST INTERESTING, the checksums are located starting flash address 0x3fc00

10:37 <purdeaandrei[m]> this is beyond the 192KiB of embedded flash that the mec1663 is supposed to have.

10:38 <purdeaandrei[m]> so they I got an idea, I modified the size of the flash in glasgow, and I flashed a 256KiB random number filled file into the flash and read it back, and it was all there!

10:40 <purdeaandrei[m]> Not sure what to make of it, maybe the short datasheet for the mec1633 is wrong, maybe the lenovo thinkshield branded version of the mec1633 is different, I don't know

10:43 <purdeaandrei[m]> interestingly when extracting the EC firmware from the matching bios release installer, the actual EC firmware size there is 192KiB, so the flashing application must be aware of this checksum, and so it must calculate it itself when flashing it

10:44 <purdeaandrei[m]> * is 192KiB (plus a 32-byte header before everything), so

10:44 <purdeaandrei[m]> * is 192KiB (plus a 32-byte header before everything), so, * flashing it. And the header doesn't contain the checksum.

10:44 <purdeaandrei[m]> Another interesting thing is that when extracting the EC firmware from a newer version bios installer I actually get a 256KiB file, which contains the correct checksum!

10:46 <purdeaandrei[m]> And yes, there is more code in it than 192KiB, so the newer EC firmwares really make use of the extra flash available, not just for storing a checksum

10:50 <purdeaandrei[m]> I think one of the reasons that so many people where having problems in the past was that some of those repair programmers don't read or write the full 256KiB.

10:50 <purdeaandrei[m]> I did notice before that some posts mention file sizes other than 192KiB, but I always thought that it was just a quirk of some repair-programmer

10:51 <galibert[m]> it's a weird variant of security through obscurity

10:52 <purdeaandrei[m]> that would imply it was intentional, not sure I can argue it was.

10:53 <purdeaandrei[m]> And by the way none of the security features of the mec1633 are enabled, they didn't even try to lock down anything through jtag

10:53 <galibert[m]> probably just an upgraded version

11:00 <purdeaandrei[m]> @Catherine thanks for the review I'll get the comments handled in the weekend, also I need to think about what to do about the flash size. If I should try to auto-detect MEC1633 variant. But who knows maybe there's other MECs that have the wrong memory size in their datasheets.

11:01 <galibert[m]> possibly they went for 256k and couldn't make it reliable at first

11:01 <purdeaandrei[m]> for the github code change suggestions do you prefer I commit it in the github ui, and leave it as it is, or should I squash them into existing commits?

11:06 <purdeaandrei[m]> it's interesting that not only is the short pdf datasheet saying 192KiB, it's also the website: https://www.microchip.com/en-us/product/MEC1633

11:06 <purdeaandrei[m]> But again maybe it's just the thinkshield branded ones that have 256KiB

11:07 <purdeaandrei[m]> It's possible they were planning to sell cheaper versions by fusing the top 64KiB inaccessible

11:08 <purdeaandrei[m]> but maybe lenovo asked to not do that and they didn't bother to change the name

11:09 <purdeaandrei[m]> you can buy mec1633 from digikey and other distributors

11:09 <purdeaandrei[m]> it's possible those are truly 192KiB

11:15 <purdeaandrei[m]> s/they/then/

13:03 <whitequark[cis]> <purdeaandrei[m]> "for the github code change..." <- squash into existing commits

20:22 <zevlag[m]> Sell the same product at 2 prices. An "individual" and a "commercial" price. Folks can then choose which applies to them and their use case.

20:33 <esden[m]> Yeah I got that recommendation from a few people. I was not aware that there are certain places that will not buy tools that are under a certain price threshold because: "if it does not cost a lot it will not be up to our standards" or whatever reasons.

22:44 <tpw_rules> it would be nice if it were not binding though...