
Different I2C devices with different power states

A project log for Hacking a Supervisor Password - With a Beagle Bone

I found myself being intrigued with the low level safety features of my X201. I experimented with the I2C bus and it got interesting...

Timo Birnschein, 02/21/2021 at 22:03

Laptop powered off with the power supply plugged in, after a complete power-off with the battery out and the power supply disconnected:

debian@beaglebone:/var/lib/cloud9$ i2cdetect -r -y 2
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
00:          -- -- -- -- -- -- -- -- -- -- -- -- --
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
40: -- -- -- -- 44 -- -- -- -- -- -- -- -- -- -- --
50: -- -- -- -- 54 55 56 57 -- -- -- -- 5c -- -- --
60: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
70: -- -- -- -- -- -- -- --

Laptop powered on, waiting before the BIOS, with the power supply plugged in:

debian@beaglebone:/var/lib/cloud9$ i2cdetect -r -y 2
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
00:          -- -- -- -- -- 08 -- -- -- -- -- -- --
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
30: 30 31 -- -- -- -- -- -- -- -- -- -- -- -- -- --
40: -- -- -- -- 44 -- -- -- -- -- -- -- -- -- -- --
50: 50 51 -- -- 54 55 56 57 -- -- -- -- 5c -- -- --
60: -- 61 -- -- -- -- -- -- -- 69 -- -- -- -- -- --
70: -- -- -- -- -- -- -- --

Powered up and booted into Ubuntu:

debian@beaglebone:/var/lib/cloud9$ i2cdetect -r -y 2
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
00:          -- -- -- -- -- 08 -- -- -- -- -- -- --
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
30: 30 31 -- -- -- -- -- -- -- -- -- -- -- -- -- --
40: -- -- -- -- 44 -- -- -- -- -- -- -- -- -- -- --
50: 50 51 -- -- -- -- -- -- -- -- -- -- 5c -- -- --
60: -- 61 -- -- -- -- -- -- -- 69 -- -- -- -- -- --
70: -- -- -- -- -- -- -- --

As can be seen, the 24RF08 chip is now hidden and therefore cannot be accessed from the system. I know that the Lenovo Maintenance Disk (yeah, a floppy disk) can write to it. That would mean that Ubuntu, or the booting system, removes access to the EEPROM during boot.

0x5C is still there, though! Maybe the access flags changed after boot? They do auto-reset after a power cycle. Let's take a look!

Shutdown:

debian@beaglebone:/var/lib/cloud9$ i2cdump -y 2 0x5c
No size specified (using byte-data access)
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f    0123456789abcdef
00: ae ae bf bf af af 8f 8f ff ff 7e ff ff ff ff 10    ????????..~....?
10: 26 07 5b 6d d1 00 84 c2 55 60 20 1f ff ff ff 7f    &?[m?.??U` ?...?

Sitting at Ubuntu login:

debian@beaglebone:/var/lib/cloud9$ i2cdump -y 2 0x5c
No size specified (using byte-data access)
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f    0123456789abcdef
00: ae ae 3f 3f 2f 2f 0c 8f 7f ff 7e ff ff ff ff 10    ????//???.~....?
10: 26 07 5b 6d d1 00 84 c2 55 60 20 1f ff ff ff 7f    &?[m?.??U` ?...?

Very interesting indeed! You can see the two address rows (0x00 and 0x10) that can be read from 0x5c. The second row at 0x10 is the ID field used for RFID asset tags, and it seems unchanged. There is no reason to change it during boot.

But bytes 0x00 to 0x0F changed a lot! Let's look at the details.

Having decoded the above, I can't see why the addresses 0x54, 0x55, 0x56, and 0x57 would not show up in the I2C device scan, but what can be seen is that SB6 == b0 and PB6 == b00. This definitely prevents anyone from writing to this section of the EEPROM, which is where the supervisor password is stored. SP6 == b0 prevents one from changing PB6 to something like b11.

To explain this better: the EEPROM is divided into eight blocks of 128 bytes. Each device address covers two blocks. Hence, 0x57 has two blocks, and SB6 refers to the first of the two, where the supervisor password is stored. So looking at byte 6 in the first row, we see 0x0c == b0000 1100 -> the bits in PB can't be changed, and PB is set to no access at all.

In addition, the SBx bits can only be written to '0', never back to '1', making it impossible to change their state via software once the booting OS or BIOS has set them to '0'.

But still, why can't I see those addresses on the bus anymore...?
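As an added example (this is not code from the original log), here is a small Python script that parses the i2cdetect scans and the 0x5c dumps exactly as i2c-tools prints them, diffs them across the power states captured above, and maps each changed protection byte to its device address and block. The input strings are constructed copies of the output shown in this log (empty scan rows trimmed); the block mapping (byte n -> address 0x54 + n//2, first block when n is even) is taken from the explanation above, and the bit-field layout inside a protection byte is deliberately not modelled because the log does not spell it out. The script also checks the log's claim that the flags only ever go from '1' to '0' by verifying that no changed byte gained a bit.

```python
import re

# Constructed inputs: copies of the i2cdetect scans and i2cdump output from this
# log, trimmed to the rows that matter (all-"--" rows omitted where not needed).
DETECT_OFF = """\
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
00:          -- -- -- -- -- -- -- -- -- -- -- -- --
40: -- -- -- -- 44 -- -- -- -- -- -- -- -- -- -- --
50: -- -- -- -- 54 55 56 57 -- -- -- -- 5c -- -- --
70: -- -- -- -- -- -- -- --
"""
DETECT_PREBIOS = """\
00:          -- -- -- -- -- 08 -- -- -- -- -- -- --
30: 30 31 -- -- -- -- -- -- -- -- -- -- -- -- -- --
40: -- -- -- -- 44 -- -- -- -- -- -- -- -- -- -- --
50: 50 51 -- -- 54 55 56 57 -- -- -- -- 5c -- -- --
60: -- 61 -- -- -- -- -- -- -- 69 -- -- -- -- -- --
"""
DETECT_UBUNTU = """\
00:          -- -- -- -- -- 08 -- -- -- -- -- -- --
30: 30 31 -- -- -- -- -- -- -- -- -- -- -- -- -- --
40: -- -- -- -- 44 -- -- -- -- -- -- -- -- -- -- --
50: 50 51 -- -- -- -- -- -- -- -- -- -- 5c -- -- --
60: -- 61 -- -- -- -- -- -- -- 69 -- -- -- -- -- --
"""
DUMP_OFF = """\
No size specified (using byte-data access)
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f    0123456789abcdef
00: ae ae bf bf af af 8f 8f ff ff 7e ff ff ff ff 10    ????????..~....?
10: 26 07 5b 6d d1 00 84 c2 55 60 20 1f ff ff ff 7f    &?[m?.??U` ?...?
"""
DUMP_LOGIN = """\
00: ae ae 3f 3f 2f 2f 0c 8f 7f ff 7e ff ff ff ff 10    ????//???.~....?
10: 26 07 5b 6d d1 00 84 c2 55 60 20 1f ff ff ff 7f    &?[m?.??U` ?...?
"""

ROW_RE = re.compile(r"^([0-9a-f]{2}):")  # data rows only; headers and prompts don't match


def parse_i2cdetect(text):
    """Return the set of 7-bit addresses a scan reported as present.
    Cells are 3 characters wide starting at column 4. A hex cell names its own
    address; 'UU' (address held by a kernel driver) is located by its column."""
    present = set()
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        base = int(m.group(1), 16)
        for col in range(16):
            cell = line[4 + 3 * col: 6 + 3 * col].strip()
            if cell == "UU":
                present.add(base + col)
            elif cell and cell != "--":
                present.add(int(cell, 16))
    return present


def parse_i2cdump(text):
    """Return {offset: value} from the hex part of byte-mode i2cdump rows."""
    data = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        base = int(m.group(1), 16)
        for col, tok in enumerate(line[4:4 + 16 * 3].split()):
            if tok != "XX":  # i2cdump prints XX for bytes it could not read
                data[base + col] = int(tok, 16)
    return data


def diff_detect(before, after):
    """(appeared, disappeared) address lists between two scans."""
    return sorted(after - before), sorted(before - after)


def diff_dump(before, after):
    """(offset, old, new, bits_cleared, bits_set) for every byte that differs."""
    changes = []
    for off in sorted(set(before) | set(after)):
        old, new = before.get(off), after.get(off)
        if old is None or new is None or old == new:
            continue  # unreadable on one side, or unchanged
        changes.append((off, old, new, old & ~new & 0xFF, new & ~old & 0xFF))
    return changes


def only_clears(changes):
    """True when no changed byte gained a bit, i.e. only 1 -> 0 transitions."""
    return all(bits_set == 0 for *_, bits_set in changes)


def block_for_byte(offset):
    """Map protection byte n (0..7) to (device address, 0=first/1=second block),
    following the log's description: eight 128-byte blocks, two per address from 0x54.
    Bytes 0x08-0x0f are not assigned a block in the log, so they map to None."""
    if not 0 <= offset < 8:
        return None
    return 0x54 + offset // 2, offset % 2


if __name__ == "__main__":
    appeared, gone = diff_detect(parse_i2cdetect(DETECT_PREBIOS), parse_i2cdetect(DETECT_UBUNTU))
    print("appeared after boot:", [hex(a) for a in appeared], "vanished:", [hex(a) for a in gone])
    changes = diff_dump(parse_i2cdump(DUMP_OFF), parse_i2cdump(DUMP_LOGIN))
    for off, old, new, cleared, bits_set in changes:
        where = block_for_byte(off)
        tag = f"block {off}, {'first' if where[1] == 0 else 'second'} block of {where[0]:#04x}" if where else "no block mapping in log"
        print(f"byte {off:#04x}: {old:02x} -> {new:02x} cleared={cleared:08b} set={bits_set:08b} ({tag})")
    print("every change is a 1 -> 0 transition:", only_clears(changes))
```

Run as-is it reports that 0x54-0x57 vanish between the pre-BIOS scan and the Ubuntu login scan, that bytes 2-6 and 8 of the 0x5c area changed (byte 6 from 0x8f to 0x0c, mapped to the first block behind 0x57), and that every change only cleared bits, which is what one expects if the SBx flags can be written to '0' but never back to '1'.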
