GNUmoon2 has quit [Remote host closed the connection]
GNUmoon2 has joined #glasgow
jstein has quit [Ping timeout: 264 seconds]
ar-jan_ has quit [Ping timeout: 240 seconds]
crzwdjk has joined #glasgow
icb has quit [Ping timeout: 256 seconds]
icb has joined #glasgow
notgull has quit [Ping timeout: 255 seconds]
redstarcomrade has joined #glasgow
redstarcomrade has quit [Changing host]
redstarcomrade has joined #glasgow
joerg is now known as Guest5999
Guest5999 has quit [Killed (copper.libera.chat (Nickname regained by services))]
joerg has joined #glasgow
redstarcomrade has quit [Read error: Connection reset by peer]
cr1901 has quit [Ping timeout: 245 seconds]
cr1901 has joined #glasgow
notgull has joined #glasgow
redstarcomrade has joined #glasgow
redstarcomrade has quit [Changing host]
redstarcomrade has joined #glasgow
notgull has quit [Ping timeout: 245 seconds]
viciouswinkle[m] has quit [Quit: Idle timeout reached: 172800s]
redstarcomrade has quit [Read error: Connection reset by peer]
siriusfox_ has joined #glasgow
siriusfox has quit [Ping timeout: 276 seconds]
ar-jan has joined #glasgow
jstein has joined #glasgow
<purdeaandrei[m]>
Alright, I figured this out. I checked the program counter, and reading it repeatedly I got two addresses: 0x10d4 and 0x10d6. I put the firmware into ghidra, and found it's an infinite loop that happens after a checksum comparison:
<purdeaandrei[m]>
So interesting observations about the algorithm: the 32-bit sum + the checksum must equal 0
<purdeaandrei[m]>
And the checksum seems to be calculated in blocks of up to 32 kilobytes (0x8000), so there's a 32-bit checksum for each 32 kilobytes of data
<purdeaandrei[m]>
And MOST INTERESTING, the checksums are located starting flash address 0x3fc00
<purdeaandrei[m]>
this is beyond the 192KiB of embedded flash that the mec1663 is supposed to have.
<purdeaandrei[m]>
so they I got an idea, I modified the size of the flash in glasgow, and I flashed a 256KiB random number filled file into the flash and read it back, and it was all there!
<purdeaandrei[m]>
Not sure what to make of it, maybe the short datasheet for the mec1633 is wrong, maybe the lenovo thinkshield branded version of the mec1633 is different, I don't know
<purdeaandrei[m]>
interestingly when extracting the EC firmware from the matching bios release installer, the actual EC firmware size there is 192KiB, so the flashing application must be aware of this checksum, and so it must calculate it itself when flashing it
<purdeaandrei[m]>
* is 192KiB (plus a 32-byte header before everything), so
<purdeaandrei[m]>
* is 192KiB (plus a 32-byte header before everything), so, * flashing it. And the header doesn't contain the checksum.
<purdeaandrei[m]>
Another interesting thing is that when extracting the EC firmware from a newer version bios installer I actually get a 256KiB file, which contains the correct checksum!
<purdeaandrei[m]>
And yes, there is more code in it than 192KiB, so the newer EC firmwares really make use of the extra flash available, not just for storing a checksum
<purdeaandrei[m]>
I think one of the reasons that so many people where having problems in the past was that some of those repair programmers don't read or write the full 256KiB.
<purdeaandrei[m]>
I did notice before that some posts mention file sizes other than 192KiB, but I always thought that it was just a quirk of some repair-programmer
<galibert[m]>
it's a weird variant of security through obscurity
<purdeaandrei[m]>
that would imply it was intentional, not sure I can argue it was.
<purdeaandrei[m]>
And by the way none of the security features of the mec1633 are enabled, they didn't even try to lock down anything through jtag
<galibert[m]>
probably just an upgraded version
<purdeaandrei[m]>
@Catherine thanks for the review I'll get the comments handled in the weekend, also I need to think about what to do about the flash size. If I should try to auto-detect MEC1633 variant. But who knows maybe there's other MECs that have the wrong memory size in their datasheets.
<galibert[m]>
possibly they went for 256k and couldn't make it reliable at first
<purdeaandrei[m]>
for the github code change suggestions do you prefer I commit it in the github ui, and leave it as it is, or should I squash them into existing commits?
<purdeaandrei[m]>
But again maybe it's just the thinkshield branded ones that have 256KiB
<purdeaandrei[m]>
It's possible they were planning to sell cheaper versions by fusing the top 64KiB inaccessible
<purdeaandrei[m]>
but maybe lenovo asked to not do that and they didn't bother to change the name
<purdeaandrei[m]>
you can buy mec1633 from digikey and other distributors
<purdeaandrei[m]>
it's possible those are truly 192KiB
<purdeaandrei[m]>
s/they/then/
<whitequark[cis]>
<purdeaandrei[m]> "for the github code change..." <- squash into existing commits
GNUmoon2 has quit [Ping timeout: 240 seconds]
GNUmoon2 has joined #glasgow
ar-jan has quit [Ping timeout: 264 seconds]
ar-jan has joined #glasgow
ar-jan has quit [Ping timeout: 260 seconds]
ar-jan has joined #glasgow
redstarcomrade has joined #glasgow
redstarcomrade has quit [Read error: Connection reset by peer]
grazianom[m] has quit [Quit: Idle timeout reached: 172800s]
nemanjan00[m] has quit [Quit: Idle timeout reached: 172800s]
esden[m] has quit [Quit: Idle timeout reached: 172800s]
helene has quit [Read error: Connection reset by peer]
helene has joined #glasgow
feuerrot has quit [Ping timeout: 276 seconds]
FireFly has quit [Ping timeout: 260 seconds]
FireFly has joined #glasgow
feuerrot has joined #glasgow
RaYmAn has quit [Read error: Connection reset by peer]
RaYmAn has joined #glasgow
Guest60 has joined #glasgow
Guest60 has left #glasgow [#glasgow]
modchatbot[m] has quit [Quit: Idle timeout reached: 172800s]
bvernoux has joined #glasgow
zevlag[m] has joined #glasgow
<zevlag[m]>
Sell the same product at 2 prices. An "individual" and a "commercial" price. Folks can then choose which applies to them and their use case.
esden[m] has joined #glasgow
<esden[m]>
Yeah I got that recommendation from a few people. I was not aware that there are certain places that will not buy tools that are under a certain price threshold because: "if it does not cost a lot it will not be up to our standards" or whatever reasons.
Eli2| has quit [Quit: Ex-Chat]
Eli2 has joined #glasgow
notgull has joined #glasgow
notgull has quit [Ping timeout: 256 seconds]
FireFly has quit [Ping timeout: 260 seconds]
FireFly has joined #glasgow
<tpw_rules>
it would be nice if it were not binding though...