EC Hacking: Your Laptop Has A Microcontroller

EC Hacking: Your Laptop Has A Microcontroller

Recently, I stumbled upon a cool write-up by [DHowett], about reprogramming a Framework laptop’s Embedded Controller (EC). He shows us how to reuse the Caps Lock LED, instead making it indicate the F1-F12 key layer state – also known as “Fn lock”, AKA, “Does your F1 key currently work as F1, or does it regulate volume”. He walks us through adding custom code to your laptop’s EC firmware and integrate it properly into the various routines the EC runs.

The EC that the Framework uses is a MEC1521 chip from Microchip, and earlier this year, they open-sourced the firmware for it. Now, there’s a repository of microcontroller code that you can compile yourself, and flash your Framework laptop’s motherboard with. In a comment section of HackerNews, a Framework representative has speculated that you could add GPIOs to a Framework motherboard through EC firmware hacking.

Wait… Microcontroller code? GPIOs? This brings us to the question – what is the EC, really? To start with, it’s just a microcontroller. You can find an EC in every x86 computer, including laptops, managing your computer’s lower-level functions like power management, keyboard, touchpad, battery and a slew of other things. In Apple land, you might know them as SMC, but their function is the same.

Why have we not been reprogramming our ECs all this time? That’s a warranted question, too, and I will tell you all about it.

What’s The EC’s Job?

The EC controls a whole bunch of devices in your laptop. Not devices connected to USB, LVDS/eDP or PCIe, because those would fall within the purview of the chipset. Instead, these are devices like power switches, the charger chip, and various current monitors, since these have to work correctly even when the chipset and CPU are powered off. But of course, it’s not just power management – there’s a whole lot of things in a laptop you need GPIOs for.

EC Hacking: Your Laptop Has A Microcontroller
The EC of a EEE PC 701. This one even has some extra signals for media buttons that were left out in hardware!

Generally, anything that you’d control with a digitalWrite or monitor using a digitalRead, measure through an ADC, or talk to using I2C – these are things handled by the EC. Thus, the EC reads battery state and charger voltages, drives the fans with PWM and takes temperature measurements from various sensors. The laptop keyboard is a key matrix, and the EC scans that matrix and processes key presses, forwarding the key events to the chipset that your OS then reads. Whether your touchpad is PS/2 or I2C, the EC handles it and exposes it to the OS, too.

Your laptop’s power button is connected directly to the EC. As a result, your EC is the first thing to get powered on; and if a broken laptop of yours has no reaction to the power button, it means the EC can’t do its power management job for whatever reason. In fact, if you check Framework laptop’s recently published reduced schematics, you’ll see that the EC has it own separate power rail coming directly from the battery.

How does it even talk to the chipset? For about two decades, ECs have been using the LPC bus – a four-bit wide bus superficially resembling qSPI. Apart from ECs, it’s only really been used by TPMs in the recent times. LPC uses frequencies from 25MHz to 100MHz. Thus, if you want to put a logic analyzer to your LPC signals and capture some packets, your typical cheapo 25Msps LA won’t do, but an off-the-shelf FPGA board or a way faster LA will work wonders, and there’s a pretty cool paper using LPC manipulation and an FPGA to extract keys from TPMs.

LPC is about two decades old, and is a direct successor to the ISA bus – in fact, in some laptop schematics from 2003 you’ll find the EC connected through ISA instead, but it’s all LPC beyond that. However, recent ECs talk eSPI instead, a qSPI-like interface meant to replace LPC, and the Framework EC talks eSPI, too.

Of Course, There’s Firmware Involved

Every EC has firmware, and every laptop (and desktop, and server!) has an EC. The EC firmware is nearly always closed-source. As such, the EC firmware is one of the binary blobs we tend to miss when talking about proprietary parts inside our computers. Often, the EC firmware is stored on the same SPI flash chip as the BIOS – other times, there’s a separate external or on-chip flash, in which case, you typically have an UART bootloader you can reflash your EC through. All of that depends on which specific manufacturer and model of the EC you have.

Often, your EC is built on something like ARM or 8051 architecture, other times it’s something more obscure like CompactRISC. The common thing is – at most, you’ll get a binary blob when it comes to your EC’s firmware. At some point, when Google got into laptop business, a group of their engineers presumably said “enough”, and open-sourced their EC code – which is what Framework has been building on when it comes to their own EC firmware. Last year, System76 opened up their EC code, too. Unfortunately, the situation remains dire for other laptop manufacturers.

Could your EC get backdoored? Not likely – it tends to be harder to modify and update EC firmware than it is to do the same with BIOS images. Now, could you yourself modify your EC’s behavior? It’s at least technically possible, and I’d argue that you should have always been able to do that.

So, What About Hacking?

Of course, with every subsystem of a laptop, you’ll find a subgroup of Thinkpad enthusiasts that have already dug deep and used it to pull off some fun and useful things. The EC is one such aspect, and they sure have something to offer – reprogramming keyboard layouts and removing battery locks, mainly. With keyboard layouts, they’ve managed to make older (and apparently more superior) keyboards work with newer laptops, with a tutorial talking about how specifically you need to insulate certain pins, and a super convenient way to flash the changes.

The battery part is more vital, however – you can more often than not live with a subpar keyboard, even on supposedly otherwise-stellar ThinkPads. The problem is the “genuine” battery check in the EC, which doesn’t let you charge (or even operate from) the battery if it doesn’t pass. This isn’t just limited the third-party battery options, in case that’s what it sounds like – such checks also prohibit use of Lenovo batteries that were just meant for a different kind of Thinkpad, but otherwise mechanically, electrically and electronically perfectly suitable.

There’s a video on how ThinkPad EC hacking unfolded, and I recommend you check that one out to see what’s up. Now, Lenovo didn’t seem to like that people were swapping keyboards and enabling use of third-party batteries that Lenovo themselves stopped selling ‘genuine’ counterparts for anymore. So, at some point, they decided to close one of the most comfortable ways for EC firmware updating, and release a BIOS update citing “security improvements”. The relevant CVE says this:

A vulnerability was reported in various BIOS versions of older ThinkPad systems that could allow a user with administrative privileges or physical access the ability to update the Embedded Controller with unsigned firmware.

If you ask me, this description is bonkers. This sentence essentially means “the laptop’s owner can flash EC firmware not approved by Lenovo”. I do wonder what led to it and what the possible justification might be, but in the end, whatever the reason, it’s a distraction from what I believe. That is, updating the EC firmware on one’s own laptop should be possible, and Lenovo closed a user-friendly way to do just that.

Also, without doubt, not all manufacturers respect your right to repair when it comes to ECs. As an example, for almost a decade now, Dell has been shipping their laptops with ECs that have encrypted firmware, keys fused inside the EC. This has been a particular problem for Dell laptop repair, as EC die every now and then. While you can buy a blank EC and reflow it in place of the Dell’s dead one, it won’t have the decryption keys Dell flashes into the EC at the factory, and therefore won’t run Dell’s encrypted firmware. Modifications are off the table here – it’s not even possible to source a fitting replacement for the EC when your laptop is broken, even though the chips themselves are abundant.

What Can You Do Now?

Now there’s three manufacturers that have open source firmware for ECs – Google, System76 and Framework. What could you do with this firmware, though? As with any underutilized area of hacking, it will take time to realize its full potential. Remapping keys is not the only thing – you could implement a 80{ad04e458d8a67bb381461aa5bab353250a5c3a294cd93826b3ec944a191540bb} battery charge limit for cell longevity if your laptop’s manufacturer didn’t provide you with one, add extra layers to your laptop keyboard without any need for OS support, maybe tweak your fan curves. Or, indeed, you could add some GPIOs inside your laptop, for whatever sensors or buttons your heart desires.

You can also fix bugs, which crop up in ECs every now and then, and can be quite annoying to deal with – imagine keyboard keys getting stuck every now and then, seemingly randomly, and that’s exactly what happens when you have an EC bug. Bug fixes or improvements, just like with any firmware currently closed to us, we won’t see a slew of cool hacks starting tomorrow, but there are definitely cool things on the horizon when it comes to EC hacking.

EC Hacking: Your Laptop Has a Microcontroller

Selling Homes to Digital Natives Previous post Selling Homes to Digital Natives
Meta Reportedly Halts Development of 9 Dual-Camera Smartwatch Next post Meta Reportedly Halts Development of $349 Dual-Camera Smartwatch