On Thursday, 19 January 2017, 18:31:35 UTC+3, Asterysk wrote:
> On Thursday, 19 January 2017 17:28:12 UTC+4, qmast...@gmail.com  wrote:
> > On Thursday, 19 January 2017, 12:16:12 UTC+3, qmast...@gmail.com wrote:
> > > On Thursday, 19 January 2017, 7:08:46 UTC+3, Asterysk wrote:
> > > > On Thursday, 19 January 2017 03:04:32 UTC+4, tai...@gmx.com  wrote:
> > > > > As always physical access is a checkmate situation, you need to not be
> > > > > an idiot and don't leave your stuff in overseas hotel rooms or not have
> > > > > secure locks on your door.
> > > > 
> > > > Unless USB port seals (e.g. 
> > > > http://www.padjack.com/padjack-versions/usb-port-lock/) are put in 
> > > > place as soon as the laptop is removed from the manufacturer's box it is 
> > > > impossible to know whether someone has installed a device that has in 
> > > > turn infected firmware. A similar situation for any DMA access ports 
> > > > (Thunderbolt etc).
> > > > 
> > > > I'm interested in being able to take a possibly infected laptop (i.e. 
> > > > infected with firmware malware) and reset it to a known safe starting 
> > > > point. Coreboot seems to handle the BIOS (thank you for clarification 
> > > > that it completely rewrites legacy and UEFI). Replacing the HD with a 
> > > > new SSD should handle that firmware attack vector. That leaves the 
> > > > other EEPROMS.
> > > > 
> > > > I figure, if I'm going to strip down my G505S to reflash with Coreboot, 
> > > > I should see what other EEPROMs I can reflash.
> > > > 
> > > > Apart from the obvious RAM and SSD upgrade and possibly putting 
> > > > switches on peripherals, are there any other hardware mods you can 
> > > > suggest for the G505S?
> > > > 
> > > > Having sorted out the hardware, I am then going to be looking to use 
> > > > Qubes to protect against any attempts to reflash through Malware and 
> > > > after that's done, I'll be looking for ways to detect that any attack is 
> > > > being attempted.
> > > > 
> > > > All in all I think I've got about a year's work ahead!
> > > 
> > > To reduce the number of "EEPROMs" you could disconnect: a touch pad, DVD 
> > > drive, web camera; maybe also a small board with LS-9901P part number 
> > > (don't confuse with LA-9901P), see its Google pictures online - and 
> > > according to G505S laptop's LA-A091P motherboard datasheet (which also 
> > > contains a datasheet for laptop's smaller boards) this board has a 
> > > Realtek chip for card reader. By the way, you could either find out what 
> > > lines of flex cable the card reader is using, and install a custom jumper 
> > > on them ; or maybe get a flex cable with the same number of pins / same 
> > > pitch between them , find (from datasheet?) what lines that lonely USB 
> > > port is using to get to Bolton-M3 FCH, get a USB female header and solder 
> > > a custom adapter which adds only a USB port to laptop (so no card reader 
> > > chip). Probably the hardest thing to do is to disconnect a web camera - 
> > > you will need to tear down a screen which is quite risky. BTW screen also 
> > > contains the internal reprogrammable memory (e.g. for storing EDID), and 
> > > a malicious firmware could cause screen to transfer information through 
> > > electromagnetic impulses (TEMPEST? - 
> > > http://www.surasoft.com/articles/tempest.php )
> > > 
> > > Actually it is possible to remove a motherboard with CPU, CPU Fan, 
> > > Heatsink, Power Jack Wire, and Power Button Board attached (could make a 
> > > custom power button adapter with huge convenient buttons!) and create a 
> > > custom case for all this stuff. If you are lucky you could find someone 
> > > selling a used G505S with broken screen for very cheap price, and do 
> > > that. This way you avoid webcam, screen, dvd drive, touchpad, card reader 
> > > chip, and internal keyboard (see below why)
> > > 
> > > Maybe don't need to seal the USB ports yet: it not only seriously 
> > > reduces the usability of this laptop, but also makes it impossible to 
> > > connect a USB keyboard. Maybe you would prefer that, when you type, your 
> > > keystrokes are going through external keyboard's USB controller, rather 
> > > than through laptop's Embedded Controller KB9012 which has a closed 
> > > source firmware and controls PS/2-like laptop's internal keyboard. You 
> > > could make your own open hardware USB keyboard with open source firmware, 
> > > and using it will be slightly safer (and slightly less convenient) than 
> > > laptop's internal one
> > > 
> > > Also, another possible hardware mod (not related to security) - instead 
> > > of DVD drive you could install a fan for extra cooling, see 
> > > http://forum.notebookreview.com/threads/10mm-5v-cooler-instead-of-laptops-dvd-slimline-sata.797064/
> > >  . Although don't know if it's worth it, because some really great external 
> > > USB coolers are available - 
> > > https://www.aliexpress.com/item/Mini-LCD-Vacuum-USB-Cooler-Air-Extracting-Cooling-Fan-Turbo-Radiator-Low-Noise-Desgin-for-Laptop/32231641439.html
> > 
> > Please read a message above... If we are talking about the motherboard, 
> > main board of this laptop : aside from 4MB BIOS flash chip and 128KB EC 
> > KB9012's internal memory, I am not aware of any other "EEPROMs" on this 
> > board which could be reflashed and how to reflash them. Well, there is 
> > probably a CMOS memory somewhere, but I don't know where it is located and 
> > don't know how to access it (nvramcui payload gives an opportunity to change 
> > some values, but doesn't have a feature to show the full dump). If you 
> > could notice new memories, or know how to read/write CMOS memory and where 
> > it's located, please tell!
> > 
> > Full summary of what I did to my G505S to this moment:
> > 
> > 1) Erase a BIOS chip and flash it with coreboot - 
> > http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate . 
> > For a BIOS image you could either:
> > 
> > *) build your own - it will be slightly newer, but without some goodies 
> > like KolibriOS and FILO bootloader, plus some of my small improvements like 
> > a newer version of tetris TINT payload (fixes two buffer overflows), 
> > enabled USB keyboard for some payloads, and (probably??) improved discrete 
> > GPU handling? <--- rarely play computer games, so didn't have a chance to 
> > test yet, so can't notice the difference
> > 
> > *) get my BIOS image from here, from an archive attached to forum post 
> > (SHA1 checksums provided in post) - 
> > http://board.kolibrios.org/viewtopic.php?t=3446 , could use google 
> > translate. Everything that I did while building coreboot, all the 
> > modifications to coreboot's source code, all the steps are completely 
> > described in great detail under spoilers. Sorry for that inconvenience, 
> > honestly I tried to commit my changes to coreboot - tried to contribute and 
> > also to avoid the need of manual work the next time I clone the latest 
> > version of their official repository -- but it is so hard to get your 
> > commit accepted, and gerrit is very inconvenient, I tried several times and 
> > no luck, only wasted a lot of time! Proof of my painful experiences - 
> > https://review.coreboot.org/#/c/17439/ , 
> > https://review.coreboot.org/#/c/17505/ , 
> > https://review.coreboot.org/#/c/17506/ , 
> > https://review.coreboot.org/#/c/17507/
> > 
> > Small advantage of my build is that (almost) all the parts of it have been 
> > done on this laptop with open source BIOS and under free-as-in-freedom 
> > Trisquel GNU/Linux OS (the only part which was done on another computer is 
> > a FILO bootloader, it failed to compile under Trisquel x86_64 OS , so I had 
> > to use my old laptop with Xubuntu 16.04.1 i386 - by the way its 10 years 
> > old BIOS contains a Computrace tracking malware - 
> > https://www.absolute.com/en/about/persistence - although it has never been 
> > activated on this old laptop and in any case doesn't work with Linux, if 
> > you are more worried than me - this coreboot archive also contains a 
> > version without FILO)
> > 
> > If you choose to flash my coreboot build, please tell when you have 
> > prepared all the necessary tools for flashing, I can quickly put the latest 
> > KolibriOS daily build to coreboot BIOS image and share it with you. 
> > KolibriOS has lots of great features, also could create RamDisks and manage 
> > them, beautiful!
> > 
> > 2) Erase KB9012 internal memory and flash it with a "clean" KB9012 
> > firmware, without serial numbers and other personally identifying info - 
> > http://dangerousprototypes.com/docs/Flashing_KB9012_with_Bus_Pirate . Where 
> > did I get this "clean" KB9012 firmware? Extracted it from the latest 3.0 BIOS 
> > update by Lenovo - open their WinVALGC300.bin in hex editor, found 
> > $_IFLASH_EC_IMG_ near 424020 Hex offset, then - starting with 424020 Hex 
> > offset, cut 128KB (131072 bytes) into a new file - that is EC firmware now. 
> > You could either repeat it all by yourself, or download a clean image from 
> > here - https://www.datafilehost.com/d/d9e9758c (SHA1 should be = 
> > 56c0bc9e89bc95ae0195caaf32b32f2abefc9d9e , unselect "download with secure 
> > manager" (if you see it) below a grey Download button before clicking)
> > 
> > 3) Replace pre-installed Broadcom wifi adapter (which requires proprietary 
> > closed source drivers) with Atheros AR9462 which has open source drivers, 
> > 2.4GHz, 5.0GHz and Bluetooth - costs less than $10 at AliExpress or eBay . 
> > The only downside is that it becomes slightly more difficult to connect the 
> > antenna wires to this card, because of that additional metal rectangular 
> > (will need to spend a couple of minutes to carefully align the wires to fit 
> > them properly)
> > 
> > 4) Replace pre-installed thermal paste (which is similar to a tooth paste 
> > XD) with Gelid GC-Extreme <--- probably the greatest non conductive thermal 
> > paste, and almost as good as liquid metal from those comparison tables I've 
> > seen online
> > 
> > 5) Install 16 GB of 1600MHz SODIMM DDR3 (or DDR3L 1.35V low voltage) RAM 
> > with low quick timings for the best Qubes experience - should be CL9 
> > timings; avoid CL11 because it sucks (1600MHz of CL11 is almost the same as 
> > 1333MHz CL9) . Costs about $100 but you better get this RAM upgrade as soon 
> > as possible: the supplies of these "gamer's DDR3 laptop RAM" are running 
> > out while the manufacturers are switching their high end offers to DDR4, 
> > and after some time you will not be able to find 16GB RAM upgrade with good 
> > frequency/timings (I am sure because the same stuff happened to DDR2)
> > 
> > From 1600MHz CL9 SO-DIMMs, I think there are three possible cases of CL9 
> > timings: 9-9-9-24 Crucial Ballistix Sport, Patriot Viper, Corsair Vengeance 
> > (failed memtest so returned, maybe Corsair has a higher failure rate) ; 
> > 9-9-9-27 Kingston HyperX ; 9-9-9-28 G.SKILL Ripjaws . It is the best if you 
> > get those with 9-9-9-24, but could be difficult because Kingston flooded a 
> > market with their 9-9-9-27 which cost slightly cheaper but also slightly 
> > slower. G.SKILL is the worst, don't know why these guys From all these, 
> > Patriot Viper is probably the best because it has two aluminium 
> > heatspreaders , while Crucial Ballistix Sport - only one heatspreader, and 
> > I think that Kingston just using "aluminium stickers" not a real 
> > heatspreader. BTW any of those heatspreaders are quite thin (maybe extra 
> > 1mm) , so no installation problems
> > 
> > P.S. also keep in mind that after Qubes 3.2 installation you will need to 
> > repair MBR because it's corrupted out-of-the-box (probably everyone is using 
> > UEFI computers with Qubes, and nobody has noticed this bug) - more 
> > information here 
> > https://groups.google.com/d/msg/qubes-users/TS1zfKZ7q8w/JQFkVF4xBgAJ
> 
> Everything ordered, managed to get the Patriot Viper and Atheros Wifi on 
> Amazon at reasonable prices. The rest is Aliexpress and with shipping came to 
> $92 (I typically went for the higher end options described in the PDF).
> 
> I will pop an SSD in the G505S and install Qubes, thanks for the link about 
> MBR issue. Probably next week if I get a chance. The Coreboot flash will have 
> to be late February but I am definitely going to do it. I've been brushing up 
> on my Assembler so it's a good project from that perspective. What I would 
> like to do is modify Coreboot so that I can set a canary for the boot, 
> something that probes a switch during boot and if the switch isn't pressed it 
> toggles one of the LEDs, that way I know if someone else has booted it. I am 
> favouring Bad USB protection over Anti Evil Maid so having this canary would 
> maybe give me both.

I think that you will not encounter MBR issue if you are using closed source 
"official" UEFI BIOS - because it is UEFI and so your Qubes should install GPT 
instead of MBR. But you could have other problems: e.g. I don't know if IOMMU 
is enabled in "official" BIOS - even if it is enabled, its implementation might 
be incorrect... Also last time I remember - "official" BIOS works badly with 
Linux, could not even install Ubuntu to this laptop until I made empty 1GB at 
the beginning of hard drive and changed boot order

Yes, I order everything from AliExpress because:
1) want to save up as much as possible and AliExpress usually has the lowest 
prices (partially because higher supply, partially because no Paypal extra fees 
included, partially because Chinese government subsidizes their shipping so they 
could sell some items for $0.5 with free international shipping and still 
manage to earn some profit)
2) no Paypal - there are many reasons to hate it, but here is an additional: it 
wants to share the list of person's purchases with a government, e.g. in my 
country it started to ask government ID of customers, and accounts which didn't 
provide it - were blocked and all funds are frozen
3) AliExpress has better customer protection than eBay/Paypal, also at eBay 
purchases you can open a dispute only during 45 days since the order, while at 
AliExpress you could ask the seller to extend the order's protection as much as 
you want

For me the shipping is about 1 month on average, maybe much faster for you if 
your country has good logistics, but here is a problem - there will be 
big Chinese New Year holidays soon, some packages which would not be quick 
enough to leave a country before 28th January could be stuck there for a while. 
That's probably why they are showing this long delivery time

What is the CPU in your G505S? E.g. if it is A8, you could upgrade it to 
A10-5750M, just search for "5750M" at AliExpress (just make sure to look at the 
photo, because some sellers put 5750M in title while another CPU is displayed. 
Everywhere should be 5750M, both on photo and in description). 1 week ago it 
cost $55, now it costs $61 cheapest price, but I think they will eventually 
decrease their price because A10 of previous generation could be found for $40, 
so maybe in a couple of years I will order a spare CPU ;)

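The EC firmware extraction described in step 2 of the quoted summary above (marker `$_IFLASH_EC_IMG_`, carve 131072 bytes from hex offset 424020, compare SHA1), as an added example that is not part of the original thread. The `window` tolerance for "near", the function names and the constructed sample are assumptions of this example.

```python
import hashlib
import hmac

MARKER = b"$_IFLASH_EC_IMG_"   # marker string named in the post
EC_OFFSET = 0x424020           # carve start given in the post
EC_SIZE = 128 * 1024           # 131072 bytes, as in the post
# SHA1 the post publishes for the clean EC image
EXPECTED_SHA1 = "56c0bc9e89bc95ae0195caaf32b32f2abefc9d9e"


def carve_ec_image(blob, offset=EC_OFFSET, size=EC_SIZE, window=0x100):
    """Return `size` bytes of `blob` starting at `offset`.

    `window` is an assumption of this example: how far from `offset`
    the marker may start and still count as "near" it.
    """
    if offset < 0 or offset + size > len(blob):
        raise ValueError("file too short for the requested carve")
    lo = max(0, offset - window)
    hi = offset + window + len(MARKER)
    if blob.find(MARKER, lo, hi) == -1:
        raise ValueError("marker not near offset: wrong file or version?")
    return blob[offset:offset + size]


def sha1_matches(image, expected_hex=EXPECTED_SHA1):
    """Compare the image's SHA1 with the published value."""
    digest = hashlib.sha1(image).hexdigest()
    return hmac.compare_digest(digest, expected_hex.lower())


def extract(path_in, path_out):
    """Carve the EC image from the update file; return (sha1, matches)."""
    with open(path_in, "rb") as f:
        image = carve_ec_image(f.read())
    with open(path_out, "wb") as f:
        f.write(image)
    return hashlib.sha1(image).hexdigest(), sha1_matches(image)


def constructed_sample():
    """Tiny constructed stand-in for the update file (not real firmware)."""
    return b"\x00" * 0x30 + MARKER + bytes(range(0x70))
```

`extract("WinVALGC300.bin", "ec.bin")` returns the carved image's SHA1 and whether it equals the value quoted in the post; a `False` means the carved bytes are not the image that hash describes.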