$20 mini PC (Dolby controller) with unknown firmware password


autoturk

Active Member
Sep 1, 2022
240
225
43
As usual: repasting seems to have helped quite a bit. Now the fan doesn't turn on unless I'm running sysbench.

EDIT: Never mind. After a sysbench session the fan turned on and now won't turn off despite the temperatures dropping. It seems to respond to temperature events to a certain point, after which it just keeps running.
I think I figured out what might be going on: It seems there are hidden BIOS settings that suggest that the EC is responsible for fan control, and if the EC thinks that the OS is hung (because it doesn't receive the proper signal from the OS), then it defaults to a particular percentage. See the "screenshot" (excuse the picture of a screen -- I was in a rush).

For the time being I'm going to:

1. Disconnect the fan and run some stress tests. This is a laptop CPU and this heatsink is much beefier than typical laptop CPUs, so maybe it might be good enough running passively. I've been running `stress-ng` for the better part of an hour and it's up to 70 °C so far with no sign of throttling.
2. Try to modify the BIOS "Optimal" setting for the hung OS fan speed and reflash.

IMG_5897 Large.jpeg
 
Reactions: Samir and nexox

nexox

Well-Known Member
May 3, 2023
1,431
682
113
I was thinking about how to make patching as easy as possible. I would like to try to make a universal binary patch which can be applied to each individual extracted BIOS. That should just be the difference between my original BIOS and the first patched BIOS. Does anybody have experience with doing this? There are plenty of potential options out there but it is hard to figure out where to start.
I plan to take a look at this today or tomorrow, as soon as I can drag a spare monitor over close enough. Removing the password should be trivial, but I haven't looked at the changes you made for secure boot.
 
Reactions: Samir

ru me

Active Member
Jun 2, 2018
154
194
43

There's a BIOS recovery option, I wonder if this will work instead of using the programmers.

Still doesn't fix the password problem, I don't imagine.
Your particular example seems to be quite old, but there usually are BIOS recovery options. Did you try this option? If we can truly reflash the BIOS, that could be helpful. However, this would probably trigger a (NVRAM?) reset from the EC which restores the password. I guess the only way to find out is to try.
 
Reactions: Samir

ru me

Active Member
Jun 2, 2018
154
194
43
Your particular example seems to be quite old, but there usually are BIOS recovery options. Did you try this option? If we can truly reflash the BIOS, that could be helpful. However, this would probably trigger a (NVRAM?) reset from the EC which restores the password. I guess the only way to find out is to try.
Oh, wouldn't you need the BIOS from the device itself? Or would you just rewrite part of the BIOS? If so which parts?
 
Reactions: Samir

nexox

Well-Known Member
May 3, 2023
1,431
682
113
I'm still working on the secure boot thing, but this command will remove the BIOS password, using the bbe utility from: bbe - binary block editor

Code:
cat dolby_bios_stock.bin | bbe -o dolby_bios_nopass.bin -e 's/3P\xa1y(d\xde\x2e\xb4\xd4E D\xb7\xbd\xef\xc8&\xe4\xd5/\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00/'
 

ru me

Active Member
Jun 2, 2018
154
194
43
Oh, wouldn't you need the BIOS from the device itself? Or would you just rewrite part of the BIOS? If so which parts?
I'm still working on the secure boot thing, but this command will remove the BIOS password, using the bbe utility from: bbe - binary block editor

Code:
cat dolby_bios_stock.bin | bbe -o dolby_bios_nopass.bin -e 's/3P\xa1y(d\xde\x2e\xb4\xd4E D\xb7\xbd\xef\xc8&\xe4\xd5/\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00/'
Yes, it could be scripted. I was more thinking of using something based on bdiff.
 
Reactions: Samir

autoturk

Active Member
Sep 1, 2022
240
225
43
So the EC is an IT8528, but the Linux driver seems highly dependent on the firmware associated with it. Somebody who has more Linux knowledge than me: can you extract the driver from the eMMC and maybe get some details on what might be going on?
 
Reactions: Samir

nexox

Well-Known Member
May 3, 2023
1,431
682
113
UEFIPatch
I just tried that out, but from what I can tell the UEFITool old_engine branch can't process NVRAM data and the new_engine branch can't patch. There's not much in the way of debug output from UEFIPatch, though, and it looked annoying to add, so perhaps I'm just doing something wrong and can't tell what.

For reference, here's the patch.txt I came up with:
Code:
# Replace 20 byte password hash with nulls:
CEF5B9A3-476D-497F-9FDC-E98143E0422C 19 P:3350A1792864dE2EB4D4452044B7BDEFC826E4D5:0000000000000000000000000000000000000000
 
Reactions: Samir
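
The 20-byte replacement from the bbe command and the patch.txt above, as an added Python example (not code from either poster): it confirms the pattern is present before writing anything, keeps the image size unchanged, and lists which byte ranges differ afterwards. The sample image is constructed and the function names are illustrative.

```python
# The 20 bytes both posts replace; hex copied from the patch.txt above.
PATTERN = bytes.fromhex("3350A1792864DE2EB4D4452044B7BDEFC826E4D5")
REPLACEMENT = bytes(len(PATTERN))  # 20 null bytes, so no offsets shift

def find_all(image: bytes, pattern: bytes) -> list[int]:
    """Offsets of every occurrence of pattern in image."""
    offsets, pos = [], image.find(pattern)
    while pos != -1:
        offsets.append(pos)
        pos = image.find(pattern, pos + 1)
    return offsets

def patch_image(image: bytes, pattern: bytes = PATTERN,
                replacement: bytes = REPLACEMENT) -> tuple[bytes, list[int]]:
    """Replace pattern in place; refuse a no-op or a size-changing edit."""
    if len(replacement) != len(pattern):
        raise ValueError("replacement must match pattern length")
    offsets = find_all(image, pattern)
    if not offsets:
        raise ValueError("pattern not found; image left untouched")
    out = bytearray(image)
    for off in offsets:
        out[off:off + len(pattern)] = replacement
    return bytes(out), offsets

def changed_ranges(a: bytes, b: bytes) -> list[tuple[int, int]]:
    """(offset, length) of each run of bytes that differs between a and b."""
    if len(a) != len(b):
        raise ValueError("images differ in size")
    runs, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(a) - start))
    return runs

# Constructed stand-in for a dump: 0xFF filler around one copy of the pattern.
SAMPLE = b"\xff" * 64 + PATTERN + b"\xff" * 32

if __name__ == "__main__":
    patched, offsets = patch_image(SAMPLE)
    print("patched at", [hex(o) for o in offsets])
    print("changed runs", changed_ranges(SAMPLE, patched))
```

On a real dump, `changed_ranges` run against the stock and patched files shows whether anything other than the intended 20 bytes was altered.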

tp1

Member
Feb 5, 2016
72
72
18
So the EC is an IT8528, but the Linux driver seems highly dependent on the firmware associated with it. Somebody who has more Linux knowledge than me: can you extract the driver from the eMMC and maybe get some details on what might be going on?
There is also a TI MSP430 microcontroller on board, either being initialized by the BIOS/EC or by the OS in the eMMC. What do lspci and lsusb show under Linux? Thx
 
Reactions: Samir

autoturk

Active Member
Sep 1, 2022
240
225
43
There is also a TI MSP430 microcontroller on board, either being initialized by the BIOS/EC or by the OS in the eMMC. What do lspci and lsusb show under Linux? Thx
Here you go. You didn't ask but I also included a superiotool run which shows the ITE chip. It also shows as Aspeed AST2400 (IPMI?!) which doesn't seem right.

 
Reactions: Samir

ru me

Active Member
Jun 2, 2018
154
194
43
I was trying to use the unlocked bios to come up with a binary patch and failed. The AMI utility is very handy but it seems to do more than single bit changes. When I combined parts of different BIOS versions I typically ended up with corrupted ME and other stuff slightly broken. As long as we have to open the units anyway for flashing I guess I can live with the current state.
 
Reactions: Samir

jode

Member
Jul 27, 2021
72
59
18
Pull the cover to the front; putting a screwdriver in these holes helps.
Remove the nut on the power connector, and a bunch of screws under the foam later. Not required to remove the cover.
Is there a non-destructive way to remove the foam to get to the screws? My efforts so far have not been successful :(
 
Reactions: Samir