Goodbios
| Projects | |
|---|---|
| Participants | |
| Skills | Soldering, Software, hardware |
| Status | Active |
| Niche | Other |
| Purpose | Fun |
A commodity laptop is analyzed to identify exposed attack surfaces and is then secured on both the hardware and the firmware level against permanent modifications by malicious software as well as quick drive-by hardware attacks by evil maids, ensuring that the machine always powers up to a known good state and significantly raising the bar for an attacker who wants to use the machine against its owner.
I bought an Thinkpad x60s in order to harden it against people trying to backdoor the machine when i'm shorter than 20 minutes away from my laptop. This page will document what I have done and how you can do the same thing and not brick your system!
WARNING - THERE IS A POSSIBILITY YOU MIGHT BRICK YOUR MACHINE!
Needed:
- Thinkpad x60(s) (got it)
- Soldering iron (got it)
- Coreboot(Proprietary blobs) or Libreboot(non proprietary blobs) (software to download) (got it)
- http://www.tme.eu/en/details/pom-5250/test-clips/pomona/5250/ (nathan)
- Buspirate
Salvaged:
- Modem card.
- WIFI card
- Motherboard Speaker
TODO:
- Unsolder microphone
- SuperIO chip (remove pins starting with D) http://datasheet.seekic.com/PdfFile/PC8/PC87382_PC87382VBH.pdf (this is super hard)
- Flash chip with coreboot
- Unsolder ethernet port (this disables Intel/AMT)
Components
- http://www.hmcelectronics.com/product/Pomona/5250
- http://enterpoint.co.uk/products/modules/ft4232-module/
- https://www.thinkpenguin.com/gnu-linux/penguin-wireless-n-usb-adapter-gnu-linux-tpe-n150usb (wifi adapter)
- https://www.thinkpenguin.com/gnu-linux/penguin-usb-20-hi-speed-10100-fast-ethernet-network-adapter (usb ethernet adapter)
Documentation
- http://libreboot.org/docs/howtos/x60_security.html
- https://blog.patternsinthevoid.net/replacing-a-thinkpad-x60-bootflash-chip.html
- http://www.coreboot.org/Thinkpad_X60s
- http://libreboot.org/docs/index.html#config_x60
- https://noisebridge.net/wiki/X60
Hardening Libreboot
While Libreboot is a fantastic project, I really wish it would be shipped with some options disabled in Coreboot and Grub2. I hope to contribute some patches in the near future to make this possible.
Coming to an git repo near you someday.