On Thursday, January 19, 2017 at 7:28:12 AM UTC-6, qma ster wrote: > четверг, 19 января 2017 г., 12:16:12 UTC+3 пользователь [email protected] > написал: > > четверг, 19 января 2017 г., 7:08:46 UTC+3 пользователь Asterysk написал: > > > On Thursday, 19 January 2017 03:04:32 UTC+4, [email protected] wrote: > > > > As always physical access is a checkmate situation, you need to not be > > > > an idiot and don't leave your stuff in overseas hotel rooms or not have > > > > secure locks on your door. > > > > > > Unless USB port seals (e.g. > > > http://www.padjack.com/padjack-versions/usb-port-lock/) are put in place > > > as soon as the laptop is removed from the manufacturers box it is > > > impossible to know whether someone has installed a device that has in > > > turn infected firmware. A similar situation for any DMA access ports > > > (Thunderbolt etc) > > > > > > I'm interested in being able to take a possibly infected laptop (i.e. > > > infected with firmware malware) and reset it to a known safe starting > > > point. Coreboot seems to handle the BIOS (thank you for clarification > > > that it completely rewrite legacy and UEFI). Replacing the HD with a new > > > SSD should handle that firmware attack vector. That leaves the other > > > EEPROMS. > > > > > > I figure, if I'm going to strip down my G505S to reflash with Coreboot, I > > > should see what other EEPROMs I can reflash. > > > > > > Apart from the obvious RAM and SSD upgrade and possible putting switches > > > on peripherals, are there any other hardware mods you can suggest for the > > > G505S. > > > > > > Having sorted out the hardware, I am then going to be looking to use > > > Qubes to protect against any attempts to reflash through Malware and > > > after thats done, I'll be looking for ways to detect that any attack is > > > being attempted. > > > > > > All in all I think I've got about a years work ahead ! > > > > To reduce the number of "EEPROMs" you could disconnect: a touch pad, DVD > > drive, web camera ; Maybe also a small board with LS-9901P part number > > (dont confuse with LA-9901P), see its' google pictures online - and > > according to G505S laptop's LA-A091P motherboard datasheet (which also > > contains a datasheet for laptop's smaller boards) this board has a Realtek > > chip for card reader. By the way, you could either find out what lines of > > flex cable the card reader is using, and install a custom jumper on them ; > > or maybe get a flex cable with the same number of pins / same pitch between > > them , find (from datasheet?) what lines that lonely USB port is using to > > get to Bolton-M3 FCH, get a USB female header and solder a custom adapter > > which adds only a USB port to laptop (so no card reader chip). Probably the > > hardest thing to do is to disconnect a web camera - you will need to tear > > down a screen which is quite risky. BTW screen also contains the internal > > reprogrammable memory (e.g. for storing EDID), and a malicious firmware > > could cause screen to transfer information through electromagnetic impulses > > (TEMPEST? - http://www.surasoft.com/articles/tempest.php ) > > > > Actually it is possible to remove a motherboard with CPU, CPU Fan, > > Heatsink, Power Jack Wire, and Power Button Board attached (could make a > > custom power button adapter with huge convenient buttons!) and create a > > custom case for all this stuff. If you are lucky you could find someone > > selling a used G505S with broken screen for very cheap price, and do that. > > This way you avoid webcam, screen, dvd drive, touchpad, card reader chip, > > and internal keyboard (see below why) > > > > Maybe don't need to seal the USB ports yet: it not just seriously reducing > > the usability of this laptop, but also makes it impossible to connect a USB > > keyboard. Maybe you would prefer that, when you type, your keystrokes are > > going through external keyboard's USB controller, rather than through > > laptop's Embedded Controller KB9012 which has a closed source firmware and > > controls PS/2-like laptop's internal keyboard. You could make your own open > > hardware USB keyboard with open source firmware, and using it will be > > slightly safer (and slightly less convenient) than laptop's internal one > > > > Also, another possible hardware mod (not related to security) - instead of > > DVD drive you could install a fan for extra cooling, see > > http://forum.notebookreview.com/threads/10mm-5v-cooler-instead-of-laptops-dvd-slimline-sata.797064/ > > . Although dont know if it worth it, because some really great external > > USB coolers are available - > > https://www.aliexpress.com/item/Mini-LCD-Vacuum-USB-Cooler-Air-Extracting-Cooling-Fan-Turbo-Radiator-Low-Noise-Desgin-for-Laptop/32231641439.html > > Please read a message above... If we are talking about the motherboard, main > board of this laptop : aside from 4MB BIOS flash chip and 128KB EC KB9012's > internal memory, I am not aware about any other "EEPROMs" on this board which > could be reflashed and how to reflash them. Well, there is probably a CMOS > memory somewhere, but I dont know where it is located and dont know how to > access (nvramcui payload gives an opportunity to change some values, but > doesn't have a feature to show the full dump) . If you could notice new > memories, or know how to read/write CMOS memory and where its located, please > tell ! > > Full summary of what I did to my G505S to this moment: > > 1) Erase a BIOS chip and flash it with coreboot - > http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate . > For a BIOS image you could either: > > *) build your own - it will be slightly newer, but without some goodies like > KolibriOS and FILO bootloader, plus some of my small improvements like a > newer version of tetris TINT payload (fixes two buffer overflows), enabled > USB keyboard for some payloads, and (probably??) improved discrete GPU > handling? <--- rarely play computer games, so didnt had a chance to test yet, > so cant notice the difference > > *) get my BIOS image from here, from an archive attached to forum post (SHA1 > checksums provided in post) - http://board.kolibrios.org/viewtopic.php?t=3446 > , could use google translate. Everything what I did while building a > coreboot, all the modifications to coreboot's source code, all the steps are > completely described in a great detail under spoilers. Sorry for that > inconvenience, honestly I tried to commit my changes to coreboot - tried to > contribute and also to avoid the need of manual work the next time I clone > the latest version of their official repository -- but it is so hard to get > your commit accepted, and gerrit is very inconvenient, I tried several times > and no luck, only wasted a lot of time! Proof of my painful experiences - > https://review.coreboot.org/#/c/17439/ , > https://review.coreboot.org/#/c/17505/ , > https://review.coreboot.org/#/c/17506/ , > https://review.coreboot.org/#/c/17507/ > > Small advantage of my build is that (almost) all the parts of it have been > done on this laptop with open source BIOS and under free-as-in-freedom > Trisquel GNU/Linux OS (the only part which was done on another computer is a > FILO bootloader, it failed to compile under Trisquel x86_64 OS , so I had to > use my old laptop with Xubuntu 16.04.1 i386 - by the way its' 10 years old > BIOS contains a Computrace tracking malware - > https://www.absolute.com/en/about/persistence - although it has never been > activated on this old laptop and in any case doesn't work with Linux, if you > are more worried than me - this coreboot archive also contains a version > without FILO) > > If you choose to flash my coreboot build, please tell when you have prepared > all the necessary tools for flashing, I can quickly put the latest KolibriOS > daily build to coreboot BIOS image and share it with you. KolibriOS has lots > of great features, also could create RamDisks and manage them, beautiful! > > 2) Erase KB9012 internal memory and flash it with a "clean" KB9012 firmware, > without serial numbers and other personally identifying info - > http://dangerousprototypes.com/docs/Flashing_KB9012_with_Bus_Pirate . Where I > got this "clean" KB9012 firmware? Extracted it from the latest 3.0 BIOS > update by Lenovo - open their WinVALGC300.bin in hex editor, found > $_IFLASH_EC_IMG_ near 424020 Hex offset, then - starting with 424020 Hex > offset, cut 128KB (131072 bytes) into a new file - that is EC firmware now. > You could either repeat it all by yourself, or download a clean image from > here - https://www.datafilehost.com/d/d9e9758c (SHA1 should be = > 56c0bc9e89bc95ae0195caaf32b32f2abefc9d9e , unselect "download with secure > manager" (if you see it) below a grey Download button before clicking > > 3) Replace pre-installed broadcom wifi adapter (which requires proprietary > closed source drivers) with Atheros AR9462 which has open source drivers, > 2.4GHz, 5.0GHz and Bluetooth - costs less than $10 at AliExpress or eBay . > The only downside that it becomes slightly more difficult to connect the > antenna wires to this card, because of that additional metal rectangular > (will need to spend a couple of minutes to carefully align the wires to fit > them properly) > Would it be a bad idea to run a PCIe SSD off of this instead of the WiFi card?
> 4) Replace pre-installed thermal paste (which is similar to a tooth paste XD) > with Gelid GC-Extreme <--- probably the greatest non conductive thermal > paste, and almost as good as liquid metal from those comparison tables I've > seen online > > 5) Install 16 GB of 1600MHz SODIMM DDR3 (or DDR3L 1.35V low voltage) RAM with > low quick timings for the best Qubes experience - should be CL9 timings; > avoid CL11 because it sucks (1600MHz of CL11 is almost the same as 1333MHz > CL9) . Costs about $100 but you better get this RAM upgrade as soon as > possible: the supplies of these "gamer's DDR3 laptop RAM" are running out > while the manufacturers are switching their high end offers to DDR4, and > after some time you will not be able to find 16GB RAM upgrade with good > frequency/timings (I am sure because the same stuff happened to DDR2) > > From 1600MHz CL9 SO-DIMMs, I think there are three possible cases of CL9 > timings: 9-9-9-24 Crucial Ballistix Sport, Patriot Viper, Corsair Vengeance > (failed memtest so returned, maybe Corsair has a higher failure rate) ; > 9-9-9-27 Kingston HyperX ; 9-9-9-28 G.SKILL Ripjaws . It is the best if you > get those with 9-9-9-24, but could be difficult because Kingston flooded a > market with their 9-9-9-27 which cost slightly cheaper but also slightly > slower. G.SKILL is the worst, dont know why these guys From all these, > Patriot Viper is probably the best because it has two aluminium heatspreaders > , while Crucial Ballistix Sport - only one heatspreader, and I think that > Kingston just using "aluminium stickers" not a real heatspreader. BTW any of > those heatspreaders are quite thin (maybe extra 1mm) , so no installation > problems > Would 1866MHz @ CL10 be as good/better? > P.S. also keep in mind that after Qubes 3.2 installation you will need to > repair MBR because its corrupted out-of-the-box (probably everyone is using > UEFI computers with Qubes, and nobody have noticed this bug) - more > information here > https://groups.google.com/d/msg/qubes-users/TS1zfKZ7q8w/JQFkVF4xBgAJ I just ordered a G505S and several of these upgrades and I'm excited to try flashing coreboot and getting Qubes going on it. Thanks for all the tips/help. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0458e40d-0957-4873-aa2c-47104f4cb6de%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
