Flash Coreboot to Aliexpress / Topton appliance....Protectli's Flashli script?


reatr698

New Member
Feb 8, 2023
I've searched throughout the net and haven't seen any writeup of anyone doing this or attempting to do it. I've read however that the topton and other sellers on aliexpress are those that also supply the hardware to protectli. That said has anyone flashed coreboot to one of these devices....I'm wondering if the Flashli script - How to Use Flashli - Protectli might also work on the aliexpress boxes?
 

Patriot

Moderator
Apr 18, 2011
"Flashli will allow a VP series vault that has coreboot (UEFI) to be flashed to AMI. If any unit besides the VP series runs in UEFI mode Flashli will not work."
It seems locked to their machines.



I have been looking at their guide to build coreboot in past weeks and have not seen anything unique to their hardware. It should be possible to make a rom for the topton boxes we are making. But I have not taken the time to just go for it.
 

reatr698

New Member
Feb 8, 2023
"Flashli will allow a VP series vault that has coreboot (UEFI) to be flashed to AMI. If any unit besides the VP series runs in UEFI mode Flashli will not work."
I didn't really understand that statement on their page. It seems that nearly all of their devices can switch between AMI and coreboot based on the chart, but I guess what this is saying is that the script will only work for the VP ones running in UEFI.

I have a topton on the way based on the blog posts here on STH, but there seems to be some discussion on the general interwebs about using these devices with unknown firmware. I did buy a barebones one so I'll be putting in my own storage and memory.
 

Patriot

Moderator
Apr 18, 2011
I didn't really understand that statement on their page. It seems that nearly all of their devices can switch between AMI and coreboot based on the chart, but I guess what this is saying is that the script will only work for the VP ones running in UEFI.

I have a topton on the way based on the blog posts here on STH, but there seems to be some discussion on the general interwebs about using these devices with unknown firmware. I did buy a barebones one so I'll be putting in my own storage and memory.
Which topton did you buy? From the protectli github It seems you need... coreboot, and the Intel blobs unique per gen/system... and that's it.
If there is not a flashing tool that supports crossflashing for our topton units, it may require a clip-on CH341a flash
 

Patriot

Moderator
Apr 18, 2011
lol
I have that one and the N6005, I will be a test dummy if you do the build lol. I have CH341a's and am proficient with recovery.
 

reatr698

New Member
Feb 8, 2023
I'm going to have to read a lot about the building - this is not my area of expertise!!
 

oneplane

Well-Known Member
Jul 23, 2021
Keep in mind that practically all commercially sold x86 hardware comes with unknown and opaque firmwares in many places. If anything, the Chinese ODMs just use whatever generic AMI/Insyde stuff they can get their hands on; if something scary is going on in the firmware, that would probably happen as a loaded module (since you'd need source access to do it in the AMI base for example - other injections would alter the signature and as a result the Intel CPU's bootrom would reject it).

There are mostly 2 categories:

- Only a few scary blobs + Coreboot
- All scary blobs

And those categories come from pretty much all vendors, including Dell, HP, SuperMicro etc. They are also all compiled in Taiwan and China, so not much of a difference there, and they are flashed initially in China (and Taiwan) as well.

As for why we (me too!) would still want coreboot: it's just so much faster and useful for us than some EDK2 derived IBV thing. The scary blobs still remain (bootrom, embedded controller, USB firmware etc.) but at least it boots fast and the OS can interact with it.

A while back the previous generation (Qotom based) SBCs got some attention on the coreboot mailing list since there was some pretty closely compatible hardware already in-tree, but I don't think it ever finished. Most of the mobile SoC have the best chance since Google uses those in their Chromebooks too, and Google uses coreboot, meaning the CPU+PCH combinations are well-supported.
 

Patriot

Moderator
Apr 18, 2011
The benefit of Coreboot is not just flashing a known firmware, but having an update path for security patches. Most of the "backdoors" in IOT devices flooding in from Aliexpress are not intentional placements but simply lax or non-existent security principles. These are function first, security third devices.

HPE's UEFI team and ILO team are in Houston and do not give source to the factories. I do not know the workings of the others.
Security is time delay, not absolute, and it's about minimizing vectors, but often is paranoid about the possible, not just the probable.
 

reatr698

New Member
Feb 8, 2023
Keep in mind that practically all commercially sold x86 hardware comes with unknown and opaque firmwares in many places. If anything, the Chinese ODMs just use whatever generic AMI/Insyde stuff they can get their hands on; if something scary is going on in the firmware, that would probably happen as a loaded module (since you'd need source access to do it in the AMI base for example - other injections would alter the signature and as a result the Intel CPU's bootrom would reject it).

There are mostly 2 categories:

- Only a few scary blobs + Coreboot
- All scary blobs

And those categories come from pretty much all vendors, including Dell, HP, SuperMicro etc. They are also all compiled in Taiwan and China, so not much of a difference there, and they are flashed initially in China (and Taiwan) as well.
So what I'm hearing you say is that there's likely no more risk to an aliexpress mini pc like Topton than there is in any other connected computing device, be it a PC from Dell, HP, the netgear switches I have, the standard homeowner wifi router, down to the IoT devices....correct?

If so this is why I bought the Topton in the first place - coreboot seems like a nice to have, but in the grand scheme of things it's no more of a security risk than any of these other things - not like I know where/how those firmwares are from and they certainly aren't open source.
 

oneplane

Well-Known Member
Jul 23, 2021
So what I'm hearing you say is that there's likely no more risk to an aliexpress mini pc like Topton than there is in any other connected computing device, be it a PC from Dell, HP, the netgear switches I have, the standard homeowner wifi router, down to the IoT devices....correct?

If so this is why I bought the Topton in the first place - coreboot seems like a nice to have, but in the grand scheme of things it's no more of a security risk than any of these other things - not like I know where/how those firmwares are from and they certainly aren't open source.
Yep, because even if you get something with the sticker of some well-known brand on it, it's still going to have plenty of moments along the way where malicious behaviour could be introduced. Even if HP builds their firmware in Houston, there is nothing stopping someone from adding a firmware module after the fact. The only thing that would prevent that (in the case of HP) would be adding signatures for each release in the EC they use for SureStart, but ironically, coreboot and me_cleaner research has shown that SureStart tends to either only look for header integrity, or can be easily disabled by blanking its own SPI flash.

There are some other (non-technical) factors, mainly because a big name brand in the western world has a reputation to uphold:

- This can greatly influence the level of quality assurance, integrity checks and contractual rules made with companies like Foxconn, Quanta and Compal

- The level of support is very different, since customer satisfaction might influence future purchases

- The laws are different and can affect companies directly, but if you want to sue a company in China, good luck getting anything out of that

All of this still doesn't guarantee much since you'd have to lock down a supply chain end-to-end, and for almost nobody is that worth the 100x price increase. And even for those who do go for that, it still can go wrong (i.e. military contracts where parts turn out to be straight from China but it was specified and paid for to be 100% US domestic). It also sometimes goes wrong even if it's just for consumer gear; i.e. some flash vendor getting infected with malware which caused an entire run of consumer devices to come pre-loaded with some sort of virus (I think that was iPods and it only happened when connected to a PC in disk mode).

On the flip side there is the problem for the manufacturer: doing the extra work to load up some malware modules in the firmware, the logistics to make sure the right malware goes to the right target (or get the target data out of a 100% infected device pool which is even harder) or the problem of doing that for multiple revisions, multiple models and multiple products... it's almost never worth it unless you are a military target. It's much easier to just preload some infected OS, and that's why that is what happens far more often. And as such, I would recommend never using a pre-installed OS. That also includes pre-installed windows on laptops for example, since those windows images have gotten infected every now and then causing entire ranges of devices to be delivered with malware.

Considering manufacturers seem to have enough trouble on their hands setting the correct power envelope on devices, I doubt malicious DXEs in the firmware is the first problem we have.

There is something else, and that is also what @Patriot mentioned: coreboot gives you a way forward and that goes for many hardware vendors. This is a bit of a bonus as well since coreboot can be made to 'do less' which means there isn't much to be gained from different versions, and at the same time the stuff that it does do you can update all day long since as long as your device is in-tree it will be built on every release to test for breakage. Security-wise, having less 'value added' nonsense in the firmware is a positive thing considering it makes the attack surface smaller.

As for how trustworthy devices are: I'd say that a server manufacturer in the retail world would be getting the most damage from shipping malware in their devices, on a shared 1st place with companies like Google, Microsoft and Apple. Then the next step down is any consumer electronics mass producer like HP (not HPE) and Dell's consumer line, Asus etc. But considering they load up the desktop OS they ship with so much malware by default (i.e. touchpad drivers that log every keystroke for some reason, or compromised CAs in the root store so they MITM all your web traffic), they are pretty much on the same level as a pre-installed aliexpress firewall special. Just wipe it if it comes with any software and then run your own stuff. And if someone is able to add "install coreboot" to that list for more devices, that's better for everyone. Keep in mind that ironically the ability to install coreboot also means that someone else with access to your device can also install coreboot, but a compromised version, and you'd never find out. (unless we add PKI in the mix and do rom dumps periodically - root of trust is hard!)
 
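The closing remark above, about periodically dumping the ROM to catch a silently reflashed image, as an added example that is not code from the thread or from any project mentioned in it: a small Python check that compares a fresh SPI dump against the image you flashed yourself (with its SHA-256 pinned at that time) and reports the byte ranges that changed. The function names (`verify_rom`, `changed_regions`) and the sample images are constructed for this example.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class RomCheck:
    """Result of comparing a fresh SPI dump against a pinned baseline."""
    size_match: bool
    hash_match: bool
    changed_regions: list = field(default_factory=list)  # [start, end) offsets


def changed_regions(baseline: bytes, dump: bytes, merge_gap: int = 16) -> list:
    """Return [start, end) byte ranges where dump differs from baseline.
    Differences closer than merge_gap bytes are merged into one region, so a
    patched module shows up as one range rather than hundreds of slivers."""
    regions, start, last = [], None, None
    for i, (a, b) in enumerate(zip(baseline, dump)):
        if a != b:
            if start is None:
                start = i
            elif i - last > merge_gap:
                regions.append((start, last + 1))
                start = i
            last = i
    if start is not None:
        regions.append((start, last + 1))
    if len(baseline) != len(dump):  # a size change is itself a finding
        regions.append((min(len(baseline), len(dump)), max(len(baseline), len(dump))))
    return regions


def verify_rom(dump: bytes, baseline: bytes, pinned_sha256: str) -> RomCheck:
    """Compare a dump (e.g. read back with a CH341a) to the baseline image
    whose SHA-256 was recorded right after you flashed it yourself.
    Only a hash mismatch triggers the byte-level diff, which is the slow part."""
    hash_match = hashlib.sha256(dump).hexdigest() == pinned_sha256
    size_match = len(dump) == len(baseline)
    regions = [] if hash_match else changed_regions(baseline, dump)
    return RomCheck(size_match, hash_match, regions)


# Constructed sample data (not a real firmware image): a 16 KiB repeating
# pattern stands in for the known-good image; TAMPERED is a copy with a
# 16-byte block overwritten at 0x1000 and a single bit flipped at 0x3000.
BASELINE = bytes(range(256)) * 64
PINNED_SHA256 = hashlib.sha256(BASELINE).hexdigest()
_t = bytearray(BASELINE)
_t[0x1000:0x1010] = b"\xff" * 16
_t[0x3000] ^= 0x01
TAMPERED = bytes(_t)
```

Because the hash is pinned from your own flash, the check tells you that the image changed, not what the change does; mapping the reported offsets to a module is the next step.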

abdullah

New Member
Jan 25, 2023
If anyone does figure out how to build it, I am prepared to test on my i3-N305 which is arriving next week :D

I have been looking at their guide to build coreboot in past weeks and have not seen anything unique to their hardware. It should be possible to make a rom for the topton boxes we are making. But I have not taken the time to just go for it.
Where did you find this info? I'm happy to take a look and see what I can do.
 

Patriot

Moderator
Apr 18, 2011
If anyone does figure out how to build it, I am prepared to test on my i3-N305 which is arriving next week :D



Where did you find this info? I'm happy to take a look and see what I can do.
I am missing the bits from intel required for my jasperlake, they have it working on a similar but not the same J6412

#@Q$%

They have a FSP for Alderlake but not for Jasperlake now...

You can build for yours, and I can just blind flash Elkhart lake and hope it works... lol.
 

abdullah

New Member
Jan 25, 2023
I am missing the bits from intel required for my jasperlake, they have it working on a similar but not the same J6412

#@Q$%

They have a FSP for Alderlake but not for Jasperlake now...

You can build for yours, and I can just blind flash Elkhart lake and hope it works... lol.
Please see my post here: https://forums.servethehome.com/ind...xxx-quad-nic-router.39685/page-14#post-381477

I'm not sure I have all the required parts... e.g. blobs for VBIOS, and Coreboot does not have CWWK listed in their list of mainboards so I wouldn't even know which mainboard to choose :(

I don't understand why they have released FSP for Alder Lake but not Jasper Lake... *facepalm*
 

Patriot

Moderator
Apr 18, 2011
I need the sh*tty ME firmware so I'll try extract that from the BIOS image CWWK provided...
You might be able to get that from Protectli as it's the same platform for the 2420 or w/e is their elkhart one
 

Patriot

Moderator
Apr 18, 2011
I mean, technically... you don't need the ME and some people have worked at bricking theirs to remove security risk...
I will look tomorrow.
 

mach3.2

Active Member
Feb 7, 2022
I mean, technically... you don't need the ME and some people have worked at bricking theirs to remove security risk...
I will look tomorrow.
iirc you still need a tiny bit of ME in the firmware to stop the watchdog timer or the CPU will reset the system in a few minutes.
 