Difference between revisions of "Goodbios"

From Technologia Incognita
 
(7 intermediate revisions by 2 users not shown)
Line 11: Line 11:
 
I bought an Thinkpad x60s in order to harden it against people trying to backdoor the machine when i'm shorter than 20 minutes away from my laptop. This page will document what I have done and how you can do the same thing and not brick your system!
 
I bought an Thinkpad x60s in order to harden it against people trying to backdoor the machine when i'm shorter than 20 minutes away from my laptop. This page will document what I have done and how you can do the same thing and not brick your system!
  
WARNING - THERE IS A POSSIBILITY YOU MIGHT BRICK YOUR MACHINE!
+
''' WARNING - THERE IS A POSSIBILITY YOU MIGHT BRICK YOUR MACHINE! '''
  
 
''' Needed: '''
 
''' Needed: '''
 
* Thinkpad x60(s) (got it)
 
* Thinkpad x60(s) (got it)
 
* Soldering iron (got it)
 
* Soldering iron (got it)
* Coreboot (software to download) (got it)
+
* Coreboot(Proprietary blobs) or Libreboot(non proprietary blobs) (software to download) (got it)
* ft4232-based spi programmer (nathan)
+
* http://www.tme.eu/en/details/pom-5250/test-clips/pomona/5250/ (nathan)
 +
* Buspirate
  
 
''' Salvaged: '''
 
''' Salvaged: '''
Line 26: Line 27:
 
''' TODO: '''
 
''' TODO: '''
 
* Unsolder microphone
 
* Unsolder microphone
* SuperIO chip (remove pins starting with D) http://datasheet.seekic.com/PdfFile/PC8/PC87382_PC87382VBH.pdf
+
* SuperIO chip (remove pins starting with D) http://datasheet.seekic.com/PdfFile/PC8/PC87382_PC87382VBH.pdf (this is super hard)
 
* Flash chip with coreboot
 
* Flash chip with coreboot
 +
* Unsolder ethernet port (this disables Intel/AMT)
 +
 +
''' Components '''
 +
* http://www.hmcelectronics.com/product/Pomona/5250
 +
* http://enterpoint.co.uk/products/modules/ft4232-module/
 +
* https://www.thinkpenguin.com/gnu-linux/penguin-wireless-n-usb-adapter-gnu-linux-tpe-n150usb (wifi adapter)
 +
* https://www.thinkpenguin.com/gnu-linux/penguin-usb-20-hi-speed-10100-fast-ethernet-network-adapter (usb ethernet adapter)
 +
 +
''' Documentation '''
 +
* http://libreboot.org/docs/howtos/x60_security.html
 +
* https://blog.patternsinthevoid.net/replacing-a-thinkpad-x60-bootflash-chip.html
 +
* http://www.coreboot.org/Thinkpad_X60s
 +
* http://libreboot.org/docs/index.html#config_x60
 +
* https://noisebridge.net/wiki/X60
 +
 +
--------
 +
 +
''' Hardening Libreboot '''
 +
 +
While Libreboot is a fantastic project, I really wish it would be shipped with some options disabled in Coreboot and Grub2. I hope to contribute some patches in the near future to make this possible.
 +
 +
Coming to an git repo near you someday.

Latest revision as of 12:58, 16 February 2017

Projects
Participants
Skills Soldering, Software, hardware
Status Active
Niche Other
Purpose Fun

Idea: http://media.ccc.de/browse/congress/2013/30C3_-_5529_-_en_-_saal_2_-_201312271830_-_hardening_hardware_and_choosing_a_goodbios_-_peter_stuge.html

A commodity laptop is analyzed to identify exposed attack surfaces and is then secured on both the hardware and the firmware level against permanent modifications by malicious software as well as quick drive-by hardware attacks by evil maids, ensuring that the machine always powers up to a known good state and significantly raising the bar for an attacker who wants to use the machine against its owner.

I bought a Thinkpad x60s in order to harden it against people trying to backdoor the machine when I'm away from my laptop for less than 20 minutes. This page will document what I have done and how you can do the same thing and not brick your system!

WARNING - THERE IS A POSSIBILITY YOU MIGHT BRICK YOUR MACHINE!

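Needed:

  • Thinkpad x60(s) (got it)
  • Soldering iron (got it)
  • Coreboot (proprietary blobs) or Libreboot (non proprietary blobs) (software to download) (got it)
  • http://www.tme.eu/en/details/pom-5250/test-clips/pomona/5250/ (nathan)
  • Buspirate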

Salvaged:

  • Modem card.
  • WIFI card
  • Motherboard Speaker

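TODO:

  • Unsolder microphone
  • SuperIO chip (remove pins starting with D) http://datasheet.seekic.com/PdfFile/PC8/PC87382_PC87382VBH.pdf (this is super hard)
  • Flash chip with coreboot
  • Unsolder ethernet port (this disables Intel/AMT)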

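Components

  • http://www.hmcelectronics.com/product/Pomona/5250
  • http://enterpoint.co.uk/products/modules/ft4232-module/
  • https://www.thinkpenguin.com/gnu-linux/penguin-wireless-n-usb-adapter-gnu-linux-tpe-n150usb (wifi adapter)
  • https://www.thinkpenguin.com/gnu-linux/penguin-usb-20-hi-speed-10100-fast-ethernet-network-adapter (usb ethernet adapter)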

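Documentation

  • http://libreboot.org/docs/howtos/x60_security.html
  • https://blog.patternsinthevoid.net/replacing-a-thinkpad-x60-bootflash-chip.html
  • http://www.coreboot.org/Thinkpad_X60s
  • http://libreboot.org/docs/index.html#config_x60
  • https://noisebridge.net/wiki/X60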


Hardening Libreboot

While Libreboot is a fantastic project, I really wish it would be shipped with some options disabled in Coreboot and Grub2. I hope to contribute some patches in the near future to make this possible.

Coming to a git repo near you someday.