H*ck Embedded Controller in MSI Laptop

Discussion in 'Gaming (Software and Graphics Cards)' started by Ruins, Jan 14, 2021 at 3:10 AM.

Which EC device on your board?

  1. ENE KB3930 - 100.0%
  2. ENE KB9012 - 0 vote(s), 0.0%
  3. ENE (Other) - 0 vote(s), 0.0%
  4. ITC (Any) - 0 vote(s), 0.0%
  1. Ruins

    Ruins Newbie

    Hi, Gamers!
    I created this post to ask for help with hacking the EC, because it's very hard for one person alone.
    (Sorry in advance, my English may be very bad sometimes; I can use a translator.)

    First of all, we need to collect all the information about the Embedded Controller.

    1. The Embedded Controller is part of SCI (System Control Interface) and ACPI (Advanced Configuration and Power Interface)
    2. But in MSI laptops it ignores everything from the specs and often overrides any behavior of the tables and intermediate languages
    3. The EC connects via LPC to the Northern Bridge and is mapped into I/O space, which means the EC influences the PCH/Chipset
    4. Chipset/PCH (Platform Controller Hub) - has public documentation

    The processor uses only I/O operations (in, out for x86) and knows nothing about LPC, SCI or PCI directly.
    First, any device needs to map its registers into the PCH I/O space during device initialization, or during system initialization using tables in the BIOS (common for PCI).

    I/O operations need more privileges than a usual program. In Windows it can be a Driver or Service, which works in Ring0/Kernel mode.

    I/O ports may work in two modes:
    1. Direct/Legacy I/O
      • It does not use contiguous registers as memory space; it uses one register to select the address and a second register to put data. There can be a third register - command - which reports how the data is used
        (for example: read command - reading internal memory; query - this raises the interrupt by the index in the Data register)
      • After putting data it needs to wait for the device clock to handle it and write the response; the execution thread stops and the processor works idle.
    2. MMIO (Memory-mapped I/O)
      • It uses RAM as a buffer between the processor and the I/O device. The program works with the memory space as usual RAM and can write packets of data, which will be handled by the device without blocking the thread.

    OK, that's mainly for all ECs; time to check your specific device.
    Guaranteed method - disassemble your laptop and find the controller

    it looks like this:
    [image]

    In my case it's ENE KB3930 0F B1
    [image]


    General spec:

    The ENE KB3930 is a highly customized embedded controller (EC) for notebook platforms
    • The embedded controller contains an industry-standard 8051 microprocessor
    • Provides the function of an i8042 keyboard controller basically.
    • KB3930 embeds an LPC interface used to communicate with the Host.
    • The EC firmware and system BIOS co-exist in a single SPI Flash.
    • PS/2 interface, Keyboard matrix encoder, PWM controller, A/D converter, D/A converter, Fan controller, SMBus controller, GPIO controller, PECI controller, one-wire master, SPI controller, voltage comparator and extended interface (ENE Serial Bus)
    Nice, we have all we need.

    Processor i8051 - the general part of it.
    Memory:

    • ROM - General firmware storage, located on the SPI Flash and containing the whole image of the EC
      • (64 KB image, 59 KB used for ROM, external memory space)
      • Code storage
      • co-exists with the BIOS in a single flash
    • XRAM - external RAM, used because the internal RAM is limited; located on the EC chip as local storage which is not reset without removing the power supply.
      • (4 KB - external memory space)
      • Data storage
    • RAM - internal RAM used as the usual processor RAM, standard for the i8051
      • 128 bytes GPR (General-Purpose Registers)
        • 4 banks
          • R0-R7 registers
        • 128 bits - bit-addressable memory
        • 80 bytes - RAM memory
      • 128 bytes GPRa specific to the KB3930 (additional)
        • (0x80 - 0xFF)
        • (only indirect addressing)
      • 128 bytes SFR (Special Function Registers)
        • (0x80 - 0xFF)
    Processor registers:
    • General (byte)
      • A - Accumulator
      • B - additional general-purpose register
      • R0-R7 - GPRs
    • DPTR - Data Pointer (word)
      • DPH - High Part (byte)
      • DPL - Low Part (byte)
    • PSW - Processor Status Word (flags)
      • P - Parity Flag
      • - - user definable
      • O - Overflow
      • RS0 - Register Select
      • RS1 - Register Select
      • F0 - user definable
      • AC - Auxiliary Carry
      • CY - Carry
    • PC - Program Counter (word)
    • SP - Stack Pointer (word)
    Fine, now we overview the whole memory space:
    [image]
    These functional regions in external RAM contain mostly configuration registers and command/data R/W ports.

    The most interesting parts are XRAM, LPC and EC:
    1. XRAM - the only way to save data between system restarts
    2. LPC - the only real bus by which the EC is connected to the platform, and it configures all features accessible to other I/O subsystems
    3. EC - handles all thermal and power behavior
    All chip I/O, from the LPC section:
    [image]

    In our case with the KB3930, LPC can map XRAM by an internal function, like BIOS memory mapping.
    LPC memory decode range:
    [image]

    That's great, time to disassemble...
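    The Direct/Legacy I/O handshake described in the post (select register, data register, command register, then wait for the device), as an added example that is not code from the post: a software model of the ACPI-specified EC interface, with its data port 0x62, status/command port 0x66, status bits IBF (bit 1) and OBF (bit 0), and the ACPI read/write commands 0x80/0x81. Those port numbers and commands are the public ACPI ones, not MSI-specific values; the post itself says MSI's EC departs from the spec, so treat them only as an illustration of the pattern. The simulated EC, its RAM contents and the poll budget are constructed. The point a defender should take from it is that every byte exchanged requires polling the status register, and that the poll needs a timeout, otherwise a hung or misbehaving EC stalls the kernel-mode caller forever.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum {
    EC_DATA = 0x62,   /* ACPI EC data port: address and value bytes */
    EC_SC   = 0x66,   /* ACPI EC status (read) / command (write) port */
    EC_OBF  = 0x01,   /* status bit 0: output buffer full, EC has a byte for us */
    EC_IBF  = 0x02,   /* status bit 1: input buffer full, EC still consuming our byte */
    RD_EC   = 0x80,   /* ACPI command: read one byte of EC RAM */
    WR_EC   = 0x81,   /* ACPI command: write one byte of EC RAM */
    MAX_SPINS = 1000  /* poll budget before giving up (constructed value) */
};

enum ec_phase { PH_IDLE, PH_WANT_ADDR, PH_WANT_VALUE };

/* Constructed model of the device side; not a real EC. */
struct sim_ec {
    uint8_t ram[256];      /* EC-internal RAM reachable through the two ports */
    uint8_t status;        /* what the host sees when it reads 0x66 */
    uint8_t in_byte;       /* byte latched when the host wrote a port */
    bool    in_is_cmd;     /* latched byte arrived via 0x66 (true) or 0x62 (false) */
    uint8_t out_byte;      /* byte presented on 0x62 while OBF is set */
    enum ec_phase phase;
    uint8_t cmd, addr;
    bool    stuck;         /* simulate a hung EC that never clears IBF */
};

/* One tick of the EC's own clock: consume the latched byte, then clear IBF. */
static void ec_clock(struct sim_ec *e) {
    if (e->stuck || !(e->status & EC_IBF)) return;
    uint8_t b = e->in_byte;
    if (e->in_is_cmd) {
        e->cmd = b;
        e->phase = (b == RD_EC || b == WR_EC) ? PH_WANT_ADDR : PH_IDLE;
    } else if (e->phase == PH_WANT_ADDR) {
        e->addr = b;
        if (e->cmd == RD_EC) {            /* read: answer immediately */
            e->out_byte = e->ram[e->addr];
            e->status |= EC_OBF;
            e->phase = PH_IDLE;
        } else {
            e->phase = PH_WANT_VALUE;     /* write: one more byte to come */
        }
    } else if (e->phase == PH_WANT_VALUE) {
        e->ram[e->addr] = b;
        e->phase = PH_IDLE;
    }
    e->status &= (uint8_t)~EC_IBF;
}

/* Host side: what `out` and `in` would do on the real ports (Ring0 only). */
static void host_outb(struct sim_ec *e, uint16_t port, uint8_t v) {
    e->in_byte = v;
    e->in_is_cmd = (port == EC_SC);
    e->status |= EC_IBF;
}
static uint8_t host_inb(struct sim_ec *e, uint16_t port) {
    if (port == EC_SC) return e->status;
    e->status &= (uint8_t)~EC_OBF;  /* reading the data port empties the output buffer */
    return e->out_byte;
}

/* Poll the status port until `mask` has state `want`; fail instead of hanging. */
static bool wait_status(struct sim_ec *e, uint8_t mask, bool want) {
    for (int spins = 0; spins < MAX_SPINS; spins++) {
        ec_clock(e);  /* real hardware ticks on its own; the model is stepped here */
        if (((host_inb(e, EC_SC) & mask) != 0) == want) return true;
    }
    return false;
}

int ec_read(struct sim_ec *e, uint8_t addr, uint8_t *out) {
    if (!wait_status(e, EC_IBF, false)) return -1;
    host_outb(e, EC_SC, RD_EC);
    if (!wait_status(e, EC_IBF, false)) return -1;
    host_outb(e, EC_DATA, addr);
    if (!wait_status(e, EC_OBF, true)) return -1;
    *out = host_inb(e, EC_DATA);
    return 0;
}

int ec_write(struct sim_ec *e, uint8_t addr, uint8_t val) {
    if (!wait_status(e, EC_IBF, false)) return -1;
    host_outb(e, EC_SC, WR_EC);
    if (!wait_status(e, EC_IBF, false)) return -1;
    host_outb(e, EC_DATA, addr);
    if (!wait_status(e, EC_IBF, false)) return -1;
    host_outb(e, EC_DATA, val);
    return wait_status(e, EC_IBF, false) ? 0 : -1;
}

/* Write then read back one RAM byte on a fresh model; returns the byte or -1. */
int selftest_roundtrip(void) {
    struct sim_ec e; memset(&e, 0, sizeof e);
    uint8_t v = 0;
    if (ec_write(&e, 0x20, 0x55) != 0 || ec_read(&e, 0x20, &v) != 0) return -1;
    return v;
}

/* Same read against a hung EC: the poll budget turns a hang into an error code. */
int selftest_timeout(void) {
    struct sim_ec e; memset(&e, 0, sizeof e);
    e.stuck = true;
    uint8_t v = 0;
    return ec_read(&e, 0x20, &v);
}

int main(void) {
    printf("read back 0x%02X\n", selftest_roundtrip());
    printf("hung EC -> %d\n", selftest_timeout());
    return 0;
}
```

    In the model the host steps the EC clock inside the poll loop; on real hardware the loop only reads port 0x66 and the EC advances by itself. Anything that talks to these ports from a driver should keep the same structure: check IBF before each byte, check OBF before reading the answer, and bound every wait.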
     
  2. hacktrix2006

    hacktrix2006 Hold My Vodka, I going to kill my GPU

    @Ruins as great a thread as this is, with all this lovely information, even if you're able to disassemble we are still going to have the issue of signing the firmware, thus I see that people's laptops will be bricked. That's why most are using RWEverything to patch the EC firmware live rather than hacking the firmware with a greater chance of bricking the laptop.

    However, I will follow this thread to see how far you get and wish you all the best of luck.
     
  3. JRE84

    JRE84 Notebook Deity

    westcoast chiming in, old alias of the first to crack WEP on Windows via packet injection without BackTrack... This is a tall task; I wish you all the best and good luck. I have nothing more to say.
     
  4. joluke

    joluke Notebook Deity

    Here to follow this. Best of luck, guys.
     
  5. Ruins

    Ruins Newbie

    TY guys, I can disassemble it, but I need help with reviewing the documentation, because sometimes English breaks my brain and I can miss an important detail or a possible way to hack. Also, maybe someone has additional information about the checksum, flashing or any other info. Maybe anyone has an SPI flash programmer, to safely flash a test BIOS, because in any case the first thing that stopped me looks like this:
    Code:
    pop DPH      ; high part of DPTR
    pop DPL      ; low part of DPTR
    mov A, R7
    jmp @A+DPTR  ; jump to address A+DPTR
    but R7 and the stack are not written in the function or interrupt before, which means it uses an indirect handler for the interrupt; also it can be a kind of protection. I need to patch the code to save these registers before jumping, then read the saved addresses from the host, and only after that I will disassemble the code at these addresses.
     
  6. Raidriar

    Raidriar ლ(ಠ益ಠლ)

    Would be useful to do this to the Razer Blade. I have extracted the EC image from one of their updaters, if only I knew how to modify their fan tables.
     
  7. Ruins

    Ruins Newbie

    Hi H*ckers,
    Time to learn about Assembly.

    Assembly is a mix of Data & Code.

    Binary data: a binary value consists of bytes, which consist of bits: 1 and 0; their combinations generate many unique variants. And nothing else, only the unique variants have meaning. And only code knows what to do with them. Data is used by code, and when we change the code we can change the meaning of the data. For example, we can have an algorithm with static coefficients but we need to read only X from memory, and if we change X in memory, we do not change the algorithm/formula. Or data can be represented directly as an integer value which we can use in arithmetic operations, and also this integer value can mean an index into the ASCII symbol table; if the Code reads it as symbols, it converts the indexes to addresses of the texture for drawing on screen, but if we want to compare ASCII symbols we can compare only the indexes, because the pixels of the texture are not valuable - nothing changes in the text's meaning if the pixels of the symbol/glyph change.

    Note about binary values: a bit may be turned on/off, and its value is 1/0 - in logic it is called a Flag, with values set/clear - nice, we can use it as a flag to signal enabling or disabling features. Oh... maybe we can use multiple bits? - yes we can. One bit has two variants; when we add one more bit, we get two bits with two variants each. It is like fields for digits; we can use them as different numbers or as one number. In the decimal system one digit can contain 10 values; what happens when we add one more digit? How many variants of two-digit values are there in the decimal system? It's 10 variants of 10 variants = 100 variants, and the maximum number is 99. What happens when we add one more digit? It's already 10 variants of 10 variants of 10 variants of unique numbers. With every digit we multiply all previous variants by 10. And it works exactly the same for binary digits, but one digit can contain only two values, and with each added digit we double all previous variants.

    Final formula: 2 ^ Bits = range.
    (example: 2 ^ 1 = 2, 2 * 2 = 4 = 2 ^ 2, 4 * 2 = 8 = 2 ^ 3)

    But numbers in most cases start from 0, and any number needs one variant for 0.
    Formula to set a number which is a power of two: 2 ^ (Power - 1) - set the bit in position (Power - 1)

    Bit Field [start:end] - it is a variable that begins at an offset inside the processor word/variable (byte, word, dword)

    Sometimes when we use multiple bits as dependent, we are not restricted to using all the variants, and in some cases we use bits as combinations and do not use all of them: 00/01/11b but not the 10b value; in some programs it may throw an exception but usually it is ignored and reserved for future usage.

    The whole memory is presented as a continuous space of bytes with a step of one byte: 0-0xFFFF; also only the Code knows the address and size of the variable it needs to read from memory. It may want to read one byte as one variable, or it may want to read two bytes as one variable.

    Nice, and the last thing about binary arithmetic - Flags. Oh, it is not a bit that is used as storage in memory, but it is also one bit that is used during code/instruction processing. For example we can add two values 11 and 10, but the result - 101 - has more digits than the size of the data variable, and we need to handle it in a different way. It is called the Carry flag, but this flag isn't part of a variable in memory; it is a flag only in a processor register.

    OK, we have all we need to change register values
    1) Firstly, find the address on the memory map
    [image]
    It is 0xFE90

    2) Find the registers of this section
    [image]
    It is page 92

    [image]

    3) Find the register offset - 0x90
    4) Find the bank column, use it as the first part of the address
    0xFE & 0x90 = 0xFE90

    5) Find the field address - [7-6]
    6) Find the possible values - 00/01
    Now you can write the needed value to these bits.

    That is ALL, now we have changed the register value in the firmware Assembly
    Perfect, it was all Data, but wtf is Code if all assembly is bytes of bits? OK... time to open this secret...
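    The steps above (bank column plus register offset, a bit field [7:6], and a set of permitted encodings with one reserved), carried through in C as an added example, not code from the post. In the datasheet convention the bank byte is the high byte of the 16-bit XRAM address and the register offset is the low byte, so 0xFE and 0x90 compose to 0xFE00 | 0x90 = 0xFE90. The register page is a constructed array standing in for the EC's XRAM, and the initial register value 0xA5 is a made-up sample. The example also covers the post's point about reserved bit combinations: the write helper refuses an encoding outside the field's 2^width range or outside the documented set (here 00/01 only), and it preserves every bit outside the field, which is what keeps a one-field edit from silently changing unrelated settings in the same register.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Compose a 16-bit XRAM address from the datasheet's bank column (high byte)
 * and register offset (low byte): bank 0xFE, offset 0x90 -> 0xFE90. */
uint16_t compose_addr(uint8_t bank, uint8_t offset) {
    return (uint16_t)((bank << 8) | offset);
}

/* Number of distinct values a field of `bits` bits can hold: 2^bits. */
unsigned field_range(unsigned bits) {
    return 1u << bits;
}

/* Mask selecting bits hi..lo (inclusive) of a byte, e.g. [7:6] -> 0xC0. */
uint8_t field_mask(unsigned hi, unsigned lo) {
    unsigned width = hi - lo + 1;
    return (uint8_t)(((1u << width) - 1u) << lo);
}

/* Current value of the field, shifted down so 01b reads as 1. */
uint8_t field_extract(uint8_t reg, unsigned hi, unsigned lo) {
    return (uint8_t)((reg & field_mask(hi, lo)) >> lo);
}

/* Read-modify-write of one field; bits outside hi..lo are preserved.
 * `allowed` is a bitmask of documented encodings (bit n set = value n is
 * legal), so 0x03 means "00 or 01 only" and rejects the reserved 10b/11b.
 * Returns false and leaves the register untouched on a bad value. */
bool field_write(uint8_t *reg, unsigned hi, unsigned lo, uint8_t value, unsigned allowed) {
    unsigned width = hi - lo + 1;
    if (value >= field_range(width)) return false;      /* does not fit the field */
    if (!((allowed >> value) & 1u)) return false;        /* reserved encoding */
    uint8_t mask = field_mask(hi, lo);
    *reg = (uint8_t)((*reg & ~mask) | ((unsigned)(value << lo) & mask));
    return true;
}

/* Constructed stand-in for XRAM page 0xFE (256 bytes); not a dump of any EC. */
static uint8_t xram_page_fe[256];

/* The post's worked case: register 0xFE90, field [7:6], legal values 00/01.
 * Loads `initial` into the register, writes `new_field`, and returns the
 * resulting register byte, or -1 if the value was rejected. */
int demo_fe90(uint8_t initial, uint8_t new_field) {
    uint16_t addr = compose_addr(0xFE, 0x90);
    uint8_t *reg = &xram_page_fe[addr & 0xFF];   /* low byte indexes the page */
    *reg = initial;
    if (!field_write(reg, 7, 6, new_field, 0x03)) return -1;
    return *reg;
}

int main(void) {
    printf("address        = 0x%04X\n", compose_addr(0xFE, 0x90));
    printf("2-bit field    = %u values\n", field_range(2));
    printf("0xA5 [7:6]     = %u\n", field_extract(0xA5, 7, 6));
    printf("set [7:6]=01   -> 0x%02X\n", demo_fe90(0xA5, 1));
    printf("set [7:6]=10   -> %d (rejected, reserved)\n", demo_fe90(0xA5, 2));
    return 0;
}
```

    With the sample byte 0xA5 (1010 0101b) the field [7:6] currently holds 10b; writing 01b gives 0x65 (0110 0101b), and the low six bits 10 0101b are unchanged. Asking for 10b is refused because the post lists only 00/01 as defined values.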
     
  8. Ruins

    Ruins Newbie

    I think now you can try to do it.
     
