EC Hacking: You Have a Microcontroller in Your Laptop

Recently I stumbled upon a neat write-up by [DHowett] about reprogramming a Framework laptop's embedded controller (EC). He shows how to repurpose the Caps Lock LED so that it instead indicates the state of the F1-F12 key layer, also known as "Fn lock", or in plainer words "does your F1 key currently act as F1, or does it control the volume?". He walks us through adding custom code to your laptop's EC firmware and integrating it properly with the various EC routines.

The EC that Framework uses is a MEC1521 chip from Microchip, and earlier this year Framework open-sourced its firmware. Now there is a repository of microcontroller code that you can compile yourself and flash onto your Framework laptop's motherboard. In a HackerNews comment thread, a Framework representative speculated that you could even add GPIOs to a Framework motherboard by hacking the EC firmware.

Wait... microcontroller code? GPIO? This brings us to the question: what is an EC? For starters, it is just a microcontroller. You will find an EC in every x86 computer, laptops included, managing the low-level functions of the machine: power management, keyboard, touchpad, battery and more. In Apple land you know it as the SMC, but its functionality is the same.

Why haven't we been reprogramming our ECs all this time? That is a necessary question too, and I will tell you all about it.

What is the job of the EC?

The EC controls a whole bunch of devices in your laptop. Not the devices connected over USB, LVDS/eDP or PCIe, as those fall within the chipset's remit. Instead, these are devices like power switches, charger chips and various current monitors, since they need to work properly even when the chipset and CPU are off. But of course it is not just power management; there is a lot more in a laptop that needs GPIOs.

[Figure: a section of the Eee PC 701 schematic showing the EC connections, including some unused functions such as extra button inputs.] The EC of an Eee PC 701. It even has a few extra hookups for media buttons that went unused on the hardware!

Anything you would normally control with a digitalWrite, monitor with a digitalRead, measure with an ADC or talk to over I2C is the kind of thing the EC handles. So the EC reads the battery state and the charger voltage, drives the fan with PWM and measures temperatures from various sensors. A laptop keyboard is a key matrix, and the EC scans that matrix and processes key presses, forwarding key events to the chipset, from where your OS reads them. Whether your touchpad is PS/2 or I2C, the EC manages it and exposes it to the OS as well.
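A sketch of the matrix-scanning job described above, as an added example rather than code from the article or from any real EC firmware: it reads the matrix one row at a time, debounces each switch, and blocks the phantom "ghost" keys that a diode-less laptop keyboard produces when three corners of a rectangle are pressed. The 4x4 matrix, the DEBOUNCE count and the read_cols() simulation of the hardware are assumptions made for the example.

```c
#include <stdint.h>

#define ROWS 4
#define COLS 4
#define DEBOUNCE 3   /* consecutive agreeing scans before a key event is emitted */

typedef struct { uint8_t row, col, pressed; } key_event;

/* Simulated switch matrix (constructed for the example, not real hardware):
 * bit c of sim[r] set means switch (r,c) is physically closed. */
static uint8_t sim[ROWS];

/* What the EC reads on its column inputs after driving row r. On a diode-less
 * membrane keyboard a column also reads active through a ghost path
 * (r,c2) -> (r2,c2) -> (r2,c) when three corners of a rectangle are pressed. */
static uint8_t read_cols(int r)
{
    uint8_t seen = sim[r];
    for (int r2 = 0; r2 < ROWS; r2++)
        if (r2 != r && (sim[r2] & sim[r]))   /* shared column joins the two rows */
            seen |= sim[r2];
    return seen;
}

static uint8_t stable[ROWS];        /* debounced key state, one bit per column */
static uint8_t count[ROWS][COLS];   /* scans during which a key disagreed with stable[] */

/* One full matrix scan. Writes make/break events to ev and returns how many. */
int scan_matrix(key_event *ev, int max)
{
    uint8_t raw[ROWS];
    int n = 0;
    for (int r = 0; r < ROWS; r++) raw[r] = read_cols(r);
    for (int r = 0; r < ROWS; r++) {
        /* Anti-ghosting: a row with two or more active columns that shares a
         * column with another active row may contain a phantom key, so the
         * whole row is ignored until the ambiguity clears. */
        int ghost = 0;
        for (int r2 = 0; (raw[r] & (raw[r] - 1)) && r2 < ROWS; r2++)
            if (r2 != r && (raw[r2] & raw[r])) ghost = 1;
        for (int c = 0; c < COLS; c++) {
            int now = (raw[r] >> c) & 1, was = (stable[r] >> c) & 1;
            if (ghost || now == was) { count[r][c] = 0; continue; }
            if (++count[r][c] < DEBOUNCE) continue;      /* still bouncing */
            count[r][c] = 0;
            stable[r] ^= (uint8_t)(1 << c);
            if (n < max) ev[n++] = (key_event){ (uint8_t)r, (uint8_t)c, (uint8_t)now };
        }
    }
    return n;
}
```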

The power button of your laptop is connected directly to the EC. Consequently, the EC is the first thing to be powered up, and if a broken laptop does not respond to its power button, it means the EC is unable to do its power management job for whatever reason. In fact, if you look at the recently published reduced schematics of the Framework laptop, you will see that the EC has its own separate power rail coming straight from the battery.

How does it talk to the chipset? For nearly two decades, ECs have used the LPC bus, a four-bit-wide bus similar to QSPI. Apart from ECs, it has recently been used only by TPMs. LPC runs at clock frequencies from 25 MHz to 100 MHz, so if you want to put a logic analyzer on your LPC signals and capture some packets, a typical cheap 25 Msps LA will not do it, but an off-the-shelf FPGA board or a sufficiently fast LA will work wonders, and there is a neat paper on manipulating LPC and extracting keys from a TPM using an FPGA.

LPC is almost two decades old and is a direct successor to the ISA bus; in fact, in some laptop schematics from 2003 you will find the EC connected over ISA instead, but that is about all there is outside of LPC. However, recent ECs talk eSPI instead, a QSPI-like interface that replaces LPC, and the Framework EC talks eSPI.
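For a sense of what those captured LPC packets look like, here is an added example (not the article's code, nor any real tool) that decodes LPC target I/O read and write cycles from a stream of LAD[3:0] nibbles, one per clock, following the LPC framing of START, CYCTYPE/DIR, ADDR, DATA, TAR and SYNC. The two captures are constructed by hand and show the host reading from and writing to the EC's legacy keyboard-controller data port at 0x60.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { int is_write; uint16_t addr; uint8_t data; } lpc_io_cycle;

/* Constructed captures (not real traces), one nibble per LCLK on LAD[3:0].
 * cap_read:  host reads port 0x60; EC inserts one short-wait SYNC, returns 0x1C.
 * cap_write: host writes 0xED to port 0x60; EC answers with SYNC ready. */
static const uint8_t cap_read[]  = { 0x0,0x0, 0x0,0x0,0x6,0x0, 0xF,0xF, 0x5,0x0, 0xC,0x1, 0xF,0xF };
static const uint8_t cap_write[] = { 0x0,0x2, 0x0,0x0,0x6,0x0, 0xD,0xE, 0xF,0xF, 0x0, 0xF,0xF };

/* Decode one target I/O cycle at nib[0]. Returns nibbles consumed, or 0 if the
 * frame is not a well-formed I/O read/write (memory, DMA, abort, SYNC error). */
size_t lpc_decode_io(const uint8_t *nib, size_t n, lpc_io_cycle *out)
{
    size_t i = 0;
    if (n < 13 || nib[i++] != 0x0) return 0;           /* START 0000 = target cycle */
    uint8_t ct = nib[i++];                              /* CYCTYPE+DIR nibble */
    if ((ct & 0xC) != 0x0) return 0;                    /* bits[3:2]: 00 I/O, 01 mem, 10 DMA */
    out->is_write = (ct >> 1) & 1;                      /* bit[1]: 0 read, 1 write */
    out->addr = 0;
    for (int k = 0; k < 4; k++)                         /* 16-bit I/O address, MSB nibble first */
        out->addr = (uint16_t)((out->addr << 4) | (nib[i++] & 0xF));
    if (out->is_write) {                                /* host sends data before turnaround, */
        out->data = (uint8_t)((nib[i] & 0xF) | ((nib[i + 1] & 0xF) << 4));  /* low nibble first */
        i += 2;
    }
    i += 2;                                             /* TAR: host hands the bus to the EC */
    while (i < n && (nib[i] == 0x5 || nib[i] == 0x6))   /* SYNC short/long wait states */
        i++;
    if (i >= n || nib[i++] != 0x0) return 0;            /* SYNC 0000 = ready; 1010 = error */
    if (!out->is_write) {                               /* EC returns data, low nibble first */
        if (i + 2 > n) return 0;
        out->data = (uint8_t)((nib[i] & 0xF) | ((nib[i + 1] & 0xF) << 4));
        i += 2;
    }
    return (i + 2 <= n) ? i + 2 : 0;                    /* TAR: EC hands the bus back */
}

int main(void)
{
    lpc_io_cycle c;
    if (lpc_decode_io(cap_read, sizeof cap_read, &c))
        printf("I/O %s port 0x%04X data 0x%02X\n", c.is_write ? "write" : "read", c.addr, c.data);
    if (lpc_decode_io(cap_write, sizeof cap_write, &c))
        printf("I/O %s port 0x%04X data 0x%02X\n", c.is_write ? "write" : "read", c.addr, c.data);
    return 0;
}
```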

Of course, firmware is involved

Every EC has firmware, and every laptop (and desktop, and server!) has an EC. EC firmware is almost always closed-source; in fact, the EC firmware is one of the binary blobs we tend to overlook when talking about the proprietary components in our computers. Often the EC firmware is stored on the same SPI flash chip as the BIOS; other times there is a separate external or on-chip flash, in which case you usually get a UART bootloader through which you can reflash the EC. It all depends on the specific manufacturer and model of your EC.

Often your EC is built on something like an ARM or 8051 core; other times it is something more obscure like CompactRISC. Generally speaking, the most you will get for your EC's firmware is a single binary blob. At some point, when Google entered the laptop business, a team of their engineers probably said "enough" and open-sourced their EC code, creating a framework for their own EC firmware. Last year, System76 also released their EC code. Unfortunately, the situation is dire with other laptop manufacturers.

Can your EC get backdoored? Not likely: it is harder to modify and update EC firmware than to do the same with BIOS images. Now, can you change the behavior of your EC? That is at least technically possible, and I would argue that you should always be able to.

So, what about hacking?

Of course, as with every subsystem of a laptop, you will find a subgroup of ThinkPad enthusiasts who have already dug deep into it and used it to pull off some fun and useful things. The EC is one such area, and they certainly have something to show for it: reprogramming keyboard layouts and removing battery locks. With the keyboard layouts, they have managed to get older (and apparently superior) keyboards working with newer laptops, with a tutorial on what you need to do with certain pins and a very convenient way to flash the changes.

The battery part is more important, though, as a subpar keyboard is often something you can live with, presumably even on otherwise stellar ThinkPads. The problem is a "genuine battery" check in the EC, which refuses to charge the battery (or even run from it) if the battery does not pass. And it is not limited to third-party batteries, if that is what it sounds like: such checks prohibit the use of Lenovo batteries that were merely intended for a different ThinkPad model but are otherwise perfectly suitable mechanically, electrically and electronically.

There is a video on how ThinkPad EC hacking was figured out, and I recommend you check it out to see what is involved. Now, Lenovo did not like that people were swapping keyboards and enabling third-party batteries for models whose "genuine" batteries Lenovo itself had stopped selling. So at some point they decided to shut down one of the most convenient ways of updating the EC firmware, releasing a BIOS update that mentioned "security improvements". The relevant CVE states:

A vulnerability has been reported in various BIOS versions of older ThinkPad systems that could allow a user with administrative privileges or physical access the ability to update the embedded controller with unsigned firmware.

If you ask me, that description is bonkers. What the sentence basically says is "laptop owners can flash EC firmware not approved by Lenovo". I wonder what the cause was and what the justification might possibly be, but in the end, whatever the cause, it is a departure from what I believe: that it should be possible to update the EC firmware on your own laptop, and Lenovo has discontinued a user-friendly way of doing so.

Also, of course, not all manufacturers respect your right to repair when it comes to the EC. For example, for almost a decade now, Dell has shipped laptops whose ECs run encrypted firmware, with the decryption keys embedded inside the EC. This has been a particular problem for Dell laptop repairs whenever the EC dies. While you can buy a blank EC and reflow it onto a dead Dell board, it will not have the decryption keys that are flashed into the EC at the Dell factory, and therefore will not run Dell's encrypted firmware. Modifications are off the table here, and even if your laptop merely breaks down, it is not possible to source a suitable replacement EC, even though the chips themselves are plentiful.

What can you do now?

There are now three manufacturers with open-source EC firmware: Google, System76 and Framework. What can you do with this firmware, though? As with any unexplored area of hacking, it will take time to realize its full potential. Key remapping is not the only thing: you can impose an 80% battery charge limit for cell longevity if your laptop manufacturer does not provide one, add extra layers to your laptop keyboard without needing OS support, maybe change your fan curve, or indeed add some GPIOs inside your laptop for whatever sensors or buttons your heart desires.

You can also fix bugs, which do crop up in ECs and can be quite annoying to deal with: imagine keyboard keys getting stuck every now and then, seemingly at random, and that is exactly what an EC bug can look like. Whether bug fixes or improvements, as with any firmware that is currently locked down, we will not see great hacks starting tomorrow, but there are definitely great things on the horizon for EC hacking.
