-
Notifications
You must be signed in to change notification settings - Fork 6
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
unclear how to make use of this #6
Comments
Oh yeah, I was indeed a bit vague in the post. I think I must have at least used 3 revisions to avoid false positives. If you compare them, you will notice 2 different bytes at offset 0x4a. Then I tried a bunch of crc checksum algorithm. For example, here is the full command and its output for revisions 28, 30 and 31:
As explained in the post, this is only one of many solutions that end (inclusive) at |
First dump i downloaded was for 15ISK. Probably not suitable. |
Ah right, of course not. Those are different, and it most likely is not within the checksummed region.
In the IT8586E it might be a bit different from the IT8528. If the signature (which is 16 bytes in length) stays the same across revisions that have significant changes, that could probably mean that there is no such checksum. |
Also, have you tried using the I2EC interface? That may be safer to try first instead of overwriting the flash. |
Haven't tried I2EC. I have no problems with bricking it. I already desoldered EC fw chip to read it's content. Comparing the fw versions looks like there really is no checksum, at least not in header. Maybe you can take a look at these and confirm yourself |
Had a look at them biodiff and delsum and did not find anything resembling a checksum either. |
While looking for more examples of EC modifications i found someone who modified some sort of minibook EC to fix fan problem. It has IT8987 and also no checksum. |
Not sure about what happened in the patch, there's a random byte out of the build time taken out (and the random byte increases are most likely because of insertions changing all the addresses). For the structure: From this commit, It seems like the registers of the it8528 are mostly similar to the ones of the it8502, so the it8502 datasheet (I couldn't find the it8528 one online) would be a good start to see what address the firmware needs to poke to change the settings. |
i'm closing this issue since this is technically not a delsum issue, but if you have further questions, feel free to ask in this issue |
i usually use ghidra, and there you can deal with baking using overlays. i'm not sure if there is an equivalent IDA feature since i don't use it. also, i would think mbx_bat could also contain the relevant options and i suspect mbx_pmc might refer to the 0x62/0x66 io port interface (since they are called PMC data input register/PMC command registers and so on in the datasheet) |
tried ghidra, appears to be a lot more advanced than ida. disassembled first two blocks, but i've yet to figure out how to do the other two. on this system there are 5 PMC channels reported in super io (HE tool). no idea if that is correct |
In your article about IT8586E reversing, the checksum calculation procedure is unclear.
You say poly is 0x8005. I downloaded two EC dumps for the 15IKB device, one is actual dump, other is extracted from BIOS update file.
The delsum tool seems to work fine as i get same results with it as with windows HxD editor.
However, inputting 0x8005 and all other parameters as you suggest i end up with checksum that does not exist anywhere in EC dump.
Can you explain this part better? Is the checksum location in dump known and does it need to be cleared to FF before calculating checksum?
The text was updated successfully, but these errors were encountered: