2.5Gbit Ethernet for TinyMiniMicro labs

2.5Gbit Ethernet is finally at an affordable price, but modern platforms do not offer much in the way of upgrade paths. Desktop PC motherboards typically dedicate all PCIe lanes to graphics or NVMe, leaving you with tough choices to make if you want to upgrade your network card. The situation is even worse for small form factor and embedded devices.

Or so I thought, until I discovered an M.2 A+E key 2.5Gbit Ethernet card based on the Realtek RTL8125B.

This tiny M.2 2230 card can be installed in the M.2 WiFi slot present on many motherboards. If you were not already using WiFi, this means you have a “free” upgrade path to 2.5Gbit Ethernet, without sacrificing any higher bandwidth PCIe slots. Better still, M.2 A+E keyed slots are commonly available in the “TinyMiniMicro” segment of small-form-factor PCs. This allows you to install 2.5Gbit networking in the Asus PN50, or an HP T640 thin client. You can also find mini-PCIe to M.2 A+E adapters, allowing you to install the NIC in a device that predates M.2.

Also attractive is the price: I bought two for 15.70€/piece (including VAT and shipping) from AliExpress. This is only a small premium over what a full-size PCIe card with an RTL8125B costs (typically around 13€).

02:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8125 2.5GbE Controller (rev 05)
        Subsystem: Realtek Semiconductor Co., Ltd. Device 0123
        Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR+ FastB2B- DisINTx+
        Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- SERR- <PERR- INTx-
        Latency: 0, Cache Line Size: 64 bytes
        Interrupt: pin A routed to IRQ 50
        IOMMU group: 8
        Region 0: I/O ports at e000 [size=256]
        Region 2: Memory at fe910000 (64-bit, non-prefetchable) [size=64K]
        Region 4: Memory at fe920000 (64-bit, non-prefetchable) [size=16K]
        Expansion ROM at fe900000 [disabled] [size=64K]
        Capabilities: [40] Power Management version 3
                Flags: PMEClk- DSI- D1+ D2+ AuxCurrent=375mA PME(D0+,D1+,D2+,D3hot+,D3cold+)
                Status: D0 NoSoftRst+ PME-Enable- DSel=0 DScale=0 PME-
        Capabilities: [50] MSI: Enable- Count=1/1 Maskable+ 64bit+
                Address: 0000000000000000  Data: 0000
                Masking: 00000000  Pending: 00000000
        Capabilities: [70] Express (v2) Endpoint, MSI 01
                DevCap: MaxPayload 256 bytes, PhantFunc 0, Latency L0s <512ns, L1 <64us
                        ExtTag- AttnBtn- AttnInd- PwrInd- RBE+ FLReset- SlotPowerLimit 0W
                DevCtl: CorrErr+ NonFatalErr+ FatalErr+ UnsupReq+
                        RlxdOrd- ExtTag- PhantFunc- AuxPwr- NoSnoop-
                        MaxPayload 128 bytes, MaxReadReq 4096 bytes
                DevSta: CorrErr+ NonFatalErr- FatalErr- UnsupReq+ AuxPwr+ TransPend-
                LnkCap: Port #0, Speed 5GT/s, Width x1, ASPM L0s L1, Exit Latency L0s unlimited, L1 <64us
                        ClockPM+ Surprise- LLActRep- BwNot- ASPMOptComp+
                LnkCtl: ASPM Disabled; RCB 64 bytes, Disabled- CommClk+
                        ExtSynch- ClockPM+ AutWidDis- BWInt- AutBWInt-
                LnkSta: Speed 5GT/s, Width x1
                        TrErr- Train- SlotClk+ DLActive- BWMgmt- ABWMgmt-
                DevCap2: Completion Timeout: Range ABCD, TimeoutDis+ NROPrPrP- LTR+
                         10BitTagComp- 10BitTagReq- OBFF Via message/WAKE#, ExtFmt- EETLPPrefix-
                         EmergencyPowerReduction Not Supported, EmergencyPowerReductionInit-
                         FRS- TPHComp+ ExtTPHComp-
                         AtomicOpsCap: 32bit- 64bit- 128bitCAS-
                DevCtl2: Completion Timeout: 50us to 50ms, TimeoutDis- LTR- 10BitTagReq- OBFF Disabled,
                         AtomicOpsCtl: ReqEn-
                LnkCap2: Supported Link Speeds: 2.5-5GT/s, Crosslink- Retimer- 2Retimers- DRS-
                LnkCtl2: Target Link Speed: 5GT/s, EnterCompliance- SpeedDis-
                         Transmit Margin: Normal Operating Range, EnterModifiedCompliance- ComplianceSOS-
                         Compliance Preset/De-emphasis: -6dB de-emphasis, 0dB preshoot
                LnkSta2: Current De-emphasis Level: -3.5dB, EqualizationComplete- EqualizationPhase1-
                         EqualizationPhase2- EqualizationPhase3- LinkEqualizationRequest-
                         Retimer- 2Retimers- CrosslinkRes: unsupported
        Capabilities: [b0] MSI-X: Enable+ Count=32 Masked-
                Vector table: BAR=4 offset=00000000
                PBA: BAR=4 offset=00000800
        Capabilities: [d0] Vital Product Data
                Not readable
        Capabilities: [100 v2] Advanced Error Reporting
                UESta:  DLP- SDES- TLP- FCP- CmpltTO- CmpltAbrt- UnxCmplt- RxOF- MalfTLP- ECRC- UnsupReq- ACSViol-
                UEMsk:  DLP- SDES- TLP- FCP- CmpltTO- CmpltAbrt- UnxCmplt- RxOF- MalfTLP- ECRC- UnsupReq- ACSViol-
                UESvrt: DLP+ SDES+ TLP- FCP+ CmpltTO- CmpltAbrt- UnxCmplt- RxOF+ MalfTLP+ ECRC- UnsupReq- ACSViol-
                CESta:  RxErr- BadTLP- BadDLLP- Rollover- Timeout- AdvNonFatalErr-
                CEMsk:  RxErr- BadTLP- BadDLLP- Rollover- Timeout- AdvNonFatalErr+
                AERCap: First Error Pointer: 00, ECRCGenCap+ ECRCGenEn- ECRCChkCap+ ECRCChkEn-
                        MultHdrRecCap- MultHdrRecEn- TLPPfxPres- HdrLogCap-
                HeaderLog: 00000000 00000000 00000000 00000000
        Capabilities: [148 v1] Virtual Channel
                Caps:   LPEVC=0 RefClk=100ns PATEntryBits=1
                Arb:    Fixed- WRR32- WRR64- WRR128-
                Ctrl:   ArbSelect=Fixed
                Status: InProgress-
                VC0:    Caps:   PATOffset=00 MaxTimeSlots=1 RejSnoopTrans-
                        Arb:    Fixed- WRR32- WRR64- WRR128- TWRR128- WRR256-
                        Ctrl:   Enable+ ID=0 ArbSelect=Fixed TC/VC=01
                        Status: NegoPending- InProgress-
        Capabilities: [168 v1] Device Serial Number 01-00-00-00-68-4c-e0-00
        Capabilities: [178 v1] Transaction Processing Hints
                No steering table available
        Capabilities: [204 v1] Latency Tolerance Reporting
                Max snoop latency: 0ns
                Max no snoop latency: 0ns
        Capabilities: [20c v1] L1 PM Substates
                L1SubCap: PCI-PM_L1.2+ PCI-PM_L1.1+ ASPM_L1.2+ ASPM_L1.1+ L1_PM_Substates+
                          PortCommonModeRestoreTime=150us PortTPowerOnTime=150us
                L1SubCtl1: PCI-PM_L1.2- PCI-PM_L1.1- ASPM_L1.2- ASPM_L1.1-
                           T_CommonMode=0us LTR1.2_Threshold=306176ns
                L1SubCtl2: T_PwrOn=150us
        Capabilities: [21c v1] Vendor Specific Information: ID=0002 Rev=4 Len=100 
        Kernel driver in use: r8169

iperf3 testing shows that we can achieve consistent results over 2.4Gbit/s between the RTL8125 (M.2 A+E) installed in an HP T640, and the RTL8156 (Framework USB-C module).

Accepted connection from 192.168.10.2, port 45494
[  5] local 192.168.10.1 port 5000 connected to 192.168.10.2 port 45496
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec   294 MBytes  2.47 Gbits/sec
[  5]   1.00-2.00   sec   295 MBytes  2.48 Gbits/sec
[  5]   2.00-3.00   sec   295 MBytes  2.47 Gbits/sec
[  5]   3.00-4.00   sec   295 MBytes  2.48 Gbits/sec
[  5]   4.00-5.00   sec   295 MBytes  2.47 Gbits/sec
[  5]   5.00-6.00   sec   295 MBytes  2.47 Gbits/sec
[  5]   6.00-7.00   sec   295 MBytes  2.48 Gbits/sec
[  5]   7.00-8.00   sec   295 MBytes  2.47 Gbits/sec
[  5]   8.00-9.00   sec   295 MBytes  2.48 Gbits/sec
[  5]   9.00-10.00  sec   295 MBytes  2.47 Gbits/sec
[  5]  10.00-10.00  sec   568 KBytes  2.40 Gbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.00  sec  2.88 GBytes  2.47 Gbits/sec                  receiver
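The lspci output above shows the card negotiating a 5GT/s x1 link (PCIe 2.0, 8b/10b encoded, so about 4 Gbit/s of usable bandwidth on the lane), which is why one A+E lane is enough for 2.5GbE. As an added example (not code from the original post), the following Python script parses the LnkCap/LnkSta lines of `lspci -vv` output, computes the usable rate of the negotiated link, and flags a device whose link trained below its capability or below what a 2.5GbE NIC needs. The first device in the sample is the RTL8125's own lines from above; the second is a constructed, hypothetical NIC that trained down to 2.5GT/s.

```python
import re
from dataclasses import dataclass

# Sample `lspci -vv` excerpt: the first device is the RTL8125 shown above; the
# second is a constructed, hypothetical NIC whose link trained down to 2.5GT/s.
SAMPLE_LSPCI = """\
02:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8125 2.5GbE Controller (rev 05)
                LnkCap: Port #0, Speed 5GT/s, Width x1, ASPM L0s L1, Exit Latency L0s unlimited, L1 <64us
                LnkSta: Speed 5GT/s, Width x1
        Kernel driver in use: r8169
03:00.0 Ethernet controller: Example Corp. Hypothetical 2.5GbE NIC (constructed sample)
                LnkCap: Port #0, Speed 5GT/s, Width x1, ASPM L1, Exit Latency L1 <64us
                LnkSta: Speed 2.5GT/s, Width x1 (downgraded)
"""

DEVICE_RE = re.compile(r"^([0-9a-f]{2,4}:[0-9a-f]{2}\.[0-9a-f])\s+(.*)$")
LNKCAP_RE = re.compile(r"LnkCap:\s*Port #\d+, Speed ([\d.]+)GT/s, Width x(\d+)")
LNKSTA_RE = re.compile(r"LnkSta:\s*Speed ([\d.]+)GT/s, Width x(\d+)")


def lane_gbit(gt_per_s: float) -> float:
    """Usable data rate of one lane: Gen1/Gen2 use 8b/10b, Gen3 and up 128b/130b."""
    return gt_per_s * (0.8 if gt_per_s <= 5.0 else 128 / 130)


@dataclass
class LinkInfo:
    bdf: str
    desc: str
    cap_speed: float = 0.0   # what the device can do (LnkCap)
    cap_width: int = 0
    sta_speed: float = 0.0   # what was actually negotiated (LnkSta)
    sta_width: int = 0

    def negotiated_gbit(self) -> float:
        return lane_gbit(self.sta_speed) * self.sta_width

    def downtrained(self) -> bool:
        return self.sta_speed < self.cap_speed or self.sta_width < self.cap_width


def parse_lspci(text: str) -> dict:
    """Map PCI address -> LinkInfo for every device that reports LnkCap and LnkSta."""
    devices, current = {}, None
    for line in text.splitlines():
        m = DEVICE_RE.match(line)          # device header lines start in column 0
        if m:
            current = LinkInfo(bdf=m.group(1), desc=m.group(2))
            devices[current.bdf] = current
            continue
        if current is None:
            continue
        if (m := LNKCAP_RE.search(line)):
            current.cap_speed, current.cap_width = float(m.group(1)), int(m.group(2))
        elif (m := LNKSTA_RE.search(line)):
            current.sta_speed, current.sta_width = float(m.group(1)), int(m.group(2))
    return {bdf: d for bdf, d in devices.items() if d.cap_width and d.sta_width}


def check_links(text: str, required_gbit: float = 2.5) -> dict:
    """Per device: a list of findings. An empty list means the link is at full
    capability and has at least `required_gbit` of usable bandwidth."""
    findings = {}
    for bdf, d in parse_lspci(text).items():
        issues = []
        if d.downtrained():
            issues.append(f"link trained at {d.sta_speed}GT/s x{d.sta_width}, "
                          f"capable of {d.cap_speed}GT/s x{d.cap_width}")
        if d.negotiated_gbit() < required_gbit:
            issues.append(f"{d.negotiated_gbit():.1f} Gbit/s usable is below the "
                          f"{required_gbit} Gbit/s the NIC can push")
        findings[bdf] = issues
    return findings


if __name__ == "__main__":
    import sys
    text = SAMPLE_LSPCI if sys.stdin.isatty() else sys.stdin.read()
    for bdf, issues in check_links(text).items():
        print(bdf, "OK" if not issues else "; ".join(issues))
```

Run it against a live system with `sudo lspci -vv | python3 check_pcie_link.py`; run with no input to see the sample. A link that reports a lower LnkSta than LnkCap is worth a second look at the slot, riser or adapter, since a Gen1 x1 link only carries about 2 Gbit/s and will cap a 2.5GbE card well below line rate.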

Owners of the less powerful thin clients should take note: the HP T530 (AMD GX-215JJ) can only manage around 1.6Gbit speeds in iperf3 testing.

You do not typically associate Dupont wires with high bandwidth, but somehow it works.


Realtek still has a bad reputation in some corners, so for those interested there are also sellers offering the Intel I225-V 2.5Gbit in M.2 B+M 2242 form factor.

The chip revision is SLMNG (B3), which according to internet lore is the revision where all the show-stopping bugs at link speeds above 1000M were resolved. I did not notice any instability in my iperf3 testing; the adapter was able to reliably maintain 2.45Gbit/s.

02:00.0 Ethernet controller: Intel Corporation Ethernet Controller I225-V (rev 03)
	Subsystem: Intel Corporation Device 0000
	Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR+ FastB2B- DisINTx+
	Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- SERR- <PERR- INTx-
	Latency: 0, Cache Line Size: 64 bytes
	Interrupt: pin A routed to IRQ 50
	IOMMU group: 8
	Region 0: Memory at fe700000 (32-bit, non-prefetchable) [size=1M]
	Region 3: Memory at fe800000 (32-bit, non-prefetchable) [size=16K]
	Expansion ROM at fe600000 [disabled] [size=1M]
	Capabilities: [40] Power Management version 3
		Flags: PMEClk- DSI+ D1- D2- AuxCurrent=0mA PME(D0+,D1-,D2-,D3hot+,D3cold+)
		Status: D0 NoSoftRst+ PME-Enable- DSel=0 DScale=1 PME-
	Capabilities: [50] MSI: Enable- Count=1/1 Maskable+ 64bit+
		Address: 0000000000000000  Data: 0000
		Masking: 00000000  Pending: 00000000
	Capabilities: [70] MSI-X: Enable+ Count=5 Masked-
		Vector table: BAR=3 offset=00000000
		PBA: BAR=3 offset=00002000
	Capabilities: [a0] Express (v2) Endpoint, MSI 00
		DevCap:	MaxPayload 512 bytes, PhantFunc 0, Latency L0s <512ns, L1 <64us
			ExtTag- AttnBtn- AttnInd- PwrInd- RBE+ FLReset+ SlotPowerLimit 0W
		DevCtl:	CorrErr+ NonFatalErr+ FatalErr+ UnsupReq+
			RlxdOrd- ExtTag- PhantFunc- AuxPwr- NoSnoop+ FLReset-
			MaxPayload 128 bytes, MaxReadReq 512 bytes
		DevSta:	CorrErr+ NonFatalErr- FatalErr- UnsupReq+ AuxPwr+ TransPend-
		LnkCap:	Port #3, Speed 5GT/s, Width x1, ASPM L1, Exit Latency L1 <4us
			ClockPM- Surprise- LLActRep- BwNot- ASPMOptComp+
		LnkCtl:	ASPM Disabled; RCB 64 bytes, Disabled- CommClk+
			ExtSynch- ClockPM- AutWidDis- BWInt- AutBWInt-
		LnkSta:	Speed 5GT/s, Width x1
			TrErr- Train- SlotClk+ DLActive- BWMgmt- ABWMgmt-
		DevCap2: Completion Timeout: Range ABCD, TimeoutDis+ NROPrPrP- LTR+
			 10BitTagComp- 10BitTagReq- OBFF Not Supported, ExtFmt- EETLPPrefix-
			 EmergencyPowerReduction Not Supported, EmergencyPowerReductionInit-
			 FRS- TPHComp- ExtTPHComp-
			 AtomicOpsCap: 32bit- 64bit- 128bitCAS-
		DevCtl2: Completion Timeout: 50us to 50ms, TimeoutDis- LTR- 10BitTagReq- OBFF Disabled,
			 AtomicOpsCtl: ReqEn-
		LnkCtl2: Target Link Speed: 5GT/s, EnterCompliance- SpeedDis-
			 Transmit Margin: Normal Operating Range, EnterModifiedCompliance- ComplianceSOS-
			 Compliance Preset/De-emphasis: -6dB de-emphasis, 0dB preshoot
		LnkSta2: Current De-emphasis Level: -3.5dB, EqualizationComplete- EqualizationPhase1-
			 EqualizationPhase2- EqualizationPhase3- LinkEqualizationRequest-
			 Retimer- 2Retimers- CrosslinkRes: unsupported
	Capabilities: [100 v2] Advanced Error Reporting
		UESta:	DLP- SDES- TLP- FCP- CmpltTO- CmpltAbrt- UnxCmplt- RxOF- MalfTLP- ECRC- UnsupReq- ACSViol-
		UEMsk:	DLP- SDES- TLP- FCP- CmpltTO- CmpltAbrt- UnxCmplt- RxOF- MalfTLP- ECRC- UnsupReq- ACSViol-
		UESvrt:	DLP+ SDES+ TLP- FCP+ CmpltTO- CmpltAbrt- UnxCmplt- RxOF+ MalfTLP+ ECRC- UnsupReq- ACSViol-
		CESta:	RxErr- BadTLP- BadDLLP- Rollover- Timeout- AdvNonFatalErr-
		CEMsk:	RxErr- BadTLP- BadDLLP- Rollover- Timeout- AdvNonFatalErr+
		AERCap:	First Error Pointer: 00, ECRCGenCap+ ECRCGenEn- ECRCChkCap+ ECRCChkEn-
			MultHdrRecCap- MultHdrRecEn- TLPPfxPres- HdrLogCap-
		HeaderLog: 00000000 00000000 00000000 00000000
	Capabilities: [140 v1] Device Serial Number 88-c9-b3-ff-ff-b5-19-bc
	Capabilities: [1c0 v1] Latency Tolerance Reporting
		Max snoop latency: 0ns
		Max no snoop latency: 0ns
	Capabilities: [1f0 v1] Precision Time Measurement
		PTMCap: Requester:+ Responder:- Root:-
		PTMClockGranularity: 4ns
		PTMControl: Enabled:- RootSelected:-
		PTMEffectiveGranularity: Unknown
	Capabilities: [1e0 v1] L1 PM Substates
		L1SubCap: PCI-PM_L1.2- PCI-PM_L1.1+ ASPM_L1.2- ASPM_L1.1+ L1_PM_Substates+
		L1SubCtl1: PCI-PM_L1.2- PCI-PM_L1.1- ASPM_L1.2- ASPM_L1.1-
		L1SubCtl2:
	Kernel driver in use: igc

I have not been able to find anyone selling the I225-V in the M.2 A+E form factor. However, you can adapt the M.2 2242 B/M key to an A+E key with an inexpensive passive adapter.

Performance is unaffected, but you should check that you have physical clearance for such an adapter, as it extends the card length from 42mm to 53mm. This prevents one from installing the I225-V in the HP T530, as there is insufficient physical clearance for the card with the M.2 A+E adapter.

Finally, the I225-V M.2 designs I have seen use larger perpendicular headers than the Realtek card, meaning they are less likely to fit in small/thin devices like the HP T640 thin client. Given the choice, I would stick to the Realtek for M.2 A+E applications rather than adapting the Intel I225-V.

HP ThunderBolt 120W G4 Dock teardown

I bought an HP ThunderBolt 120W G4 dock because the Dell TB16 I have been using for years does not work well with the Framework Laptop 13″ (13th Gen; i5-1340P).

The Dell TB16 is recognized by the Framework Laptop and does function, but only the mini-DisplayPort output works. Despite repeated attempts, I could not make multiple monitor outputs function with the Framework Laptop and the TB16, which is annoying as I had two displays (DisplayPort and mini-DisplayPort) running at 4K60 from the XPS 9570.

HP ThunderBolt 120W G4 dock, HP product image

The HP Thunderbolt G4 dock is quite new and supports USB4 on the upstream port to the host (the dock ports support USB 3.2 Gen 2). Multiple displays work with the Framework Laptop: DisplayPort and HDMI outputs both work simultaneously with my two 4K60 displays. The dock is also able to output 4K60 to both monitors from a Lenovo ThinkPad X13 Gen 2 AMD, which was a pleasant surprise given that the X13 Gen 2 does not have Thunderbolt (only DP-Alt mode over USB-C).


lspci

56:00.0 PCI bridge: Intel Corporation Thunderbolt 4 Bridge [Goshen Ridge 2020] (rev 03)
57:00.0 PCI bridge: Intel Corporation Thunderbolt 4 Bridge [Goshen Ridge 2020] (rev 03)
57:01.0 PCI bridge: Intel Corporation Thunderbolt 4 Bridge [Goshen Ridge 2020] (rev 03)
57:02.0 PCI bridge: Intel Corporation Thunderbolt 4 Bridge [Goshen Ridge 2020] (rev 03)
57:03.0 PCI bridge: Intel Corporation Thunderbolt 4 Bridge [Goshen Ridge 2020] (rev 03)
57:04.0 PCI bridge: Intel Corporation Thunderbolt 4 Bridge [Goshen Ridge 2020] (rev 03)
7f:00.0 Ethernet controller: Intel Corporation Ethernet Controller (2) I225-LMvP (rev 03)

lsusb

03f0:0488 HP, Inc HP Thunderbolt Dock G4
03f0:2488 HP, Inc USB4206 Smart Hub
03f0:3488 HP, Inc USB7206 Smart Hub
03f0:4488 HP, Inc USB2734
03f0:5488 HP, Inc USB5734
1d5c:5801 Fresco Logic USB2.0 Hub
8087:0b40 Intel Corp. USB3.0 Hub

The dock also works as a USB-C docking station, with the following USB devices present in that mode:

03f0:0488 HP, Inc HP Thunderbolt Dock G4
03f0:2488 HP, Inc USB4206 Smart Hub
03f0:3488 HP, Inc USB7206 Smart Hub
03f0:4488 HP, Inc USB2734
03f0:5488 HP, Inc USB5734
0bda:8153 Realtek Semiconductor Corp. RTL8153 Gigabit Ethernet Adapter
1d5c:5801 Fresco Logic USB2.0 Hub
8087:0b40 Intel Corp. USB3.0 Hub

I was able to find a teardown for the HP ThunderBolt G2 dock, but I have not yet found any juicy details about the G4. So, here we go.

One Phillips screw (on the base at rear) and the bottom slides off (gently lift and slide in the direction of the Thunderbolt cable).

Remove the two Phillips screws securing the collar over the Thunderbolt cable and swing the collar up. You can gently pull it to remove it from the base, however this is not required.

The Thunderbolt cable may appear “fixed” however it is just secured in place, so if you ever have a dock with a ruined Thunderbolt cable, do not throw it away as the cable can be replaced!

Remove the four Phillips screws securing the bottom of the dock. There are no plastic clips around the outside of the base, so you can gently lift it out.

Remove the three recessed Phillips screws to remove the dock components from the plastic housing.

(Optional) If you need to release the bottom PCB (MB) from the heat spreader, remove the four Phillips screws highlighted above. It is not necessary to remove these screws to remove the assembly from the plastic housing. There are several board-to-board connectors between the MB and DB PCBs inside the docking station; you need to remove the entire internal assembly from the plastic housing before you attempt to remove the bottom PCB.

Be mindful of the connector to the top power button when removing the internal component assembly.

To replace the fan (Delta Electronics NS55B00-17E11), remove the two Phillips screws and unplug it from the top PCB (DB).

To remove the top PCB (DB) from the heat spreader, remove the four Phillips screws highlighted above.


MB PCB bottom (full resolution PCB photo)

U3305: Winbond W25Q80DVNIG (under black plastic, beside HP female power connector)

MB PCB top (full resolution PCB photo)

U2400/U2403: Infineon CYPD5236-96BZXI
U2600: Microchip USB7206
U????: Synaptics VMM5323BJGB1 (silk screen is obscured by underfill on my unit)
U3306: Pericom PI3WVR12412
U4000: Diodes Incorporated PI6C557-03BLE
U2900: Parade Tech PS8802
U2700: Intel JHL8440
U2701: Winbond W25Q80DVSIG
U3500: Fresco Logic FL5801
U3501: Winbond W25Q16JV

DB PCB bottom (full resolution PCB photo)

PCB silk screen:

HOOK20-PMV-HSB
6050A3310901-DB-A01
2021-11-02

U2550: Microchip USB5744
U453: Winbond W25Q16JV
U4002: Winbond W25Q64JVSIQ
CN9002: Power button header (power button PCB silk screen: 6050A3311201-PWRBUTTON-A01)

DB PCB top (full resolution PCB photo)

U451: P13L 2500ZHE 2136GG (PI3L?)
U400: Realtek RTL8153
U4003: Infineon CY7C65219-40LQXI
U5000: Diodes Incorporated PI6C557-03BLE
U450: Intel I225 (SLNNJ)
CN9001: Fan header

Fan: Delta Electronics NS55B00-17E11 (5V, 0.6A)

Power supply:
Output: 19.5V, 6.15A (120W)
Regulatory Model: TPN-DA19
HP Part No: L56786-013
HP Spare: L57117-001

Disabling Secure Boot on Intel Quark “secure SKU” silicon

Secure Boot is a bit like SELinux: people who use it really like it, and tell all their friends to use it. For everyone else, apart from those who don’t know about or even notice Secure Boot, it’s an annoyance that they almost immediately disable.

We’ve looked at the Intel DK200 from a hardware perspective before. Now it’s time to look at it from a software perspective. “Internet of Things Gateway” is pretty generic, so what can it actually do?

Following the instructions, I tried to register the system on Intel’s website so I could download the Wind River Intelligent Device Platform XT 2.0 SDK. I didn’t get very far:

No WindRiver SDK for you

Stormtrooper #1: This is not the product you’re looking for

Yeah… I guess this is what Mouser meant when they said the DK200 was End of Life.

Since this ships with the Linux Kernel, which is GPLv2 licensed, I believe Intel may be violating the GPL. Specifically:

Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange

But I am not a lawyer, and I am not really that interested in starting a legal battle over the source code for an ancient version of Wind River Linux I am not interested in using anyway.

So let’s go try to build Yocto. The Intel rep did say there was a Yocto BSP coming “soon” but “soon” in Intel time seems kind of variable.

After some hiccups (Yocto needs python2 and GCC <6) I had built a Yocto image and put it on an SD card. Does it boot?

…no

So we can’t boot Yocto because this is a “secure SKU” which means Secure Boot is enabled. Is there some way we can disable Secure Boot? What about updating the BSP to a newer version with Secure Boot disabled?

Back to hardware

If I’ve learned anything from messing around with electronics, it is that you want to make a backup before you start modifying things. This is doubly so if the data in question is related to the booting process. It sucks to end up with a brick, so make a backup!

Taking a backup of flash

The Intel Quark guide mentions using a Dediprog SF100 to flash EDKII. I don’t have a Dediprog, but I do have an SPI programmer. Unfortunately, none of the Intel documentation I could find mentions the Dediprog header on the DK200, so I had to go hunting.

I traced the pins from the Winbond flash to header J23. J23 is only 8 pins, so trial and error with a multimeter to find the pin mapping wasn’t terrible:

J23 pinout

Here’s the pinout of J23 in text form:

J23 pin   25Q64 pin   Pin description
1         8           VCC
2         4           GND
3         1           /CS
4         6           CLK
5         2           DO
6         5           DI
7         -           Not connected
8         -           Not connected

/WP and HOLD pins on the 25Q64FV are not routed to J23, but they aren’t required for flashing.

With the pinout known, I could attach the SPI programmer to the header instead of using the chip clip:

J23 to ch341a SPI programmer

I took a dump of the Winbond 25Q64FV via J23 and then, for good measure, desoldered the chip and read it again to confirm the images were exactly the same. Strangely, the image read earlier through the chip clip was not identical. But the image from the desoldered chip was identical to the image taken from J23, so we’re done here. I wrote the image to a new 25Q64FV and soldered that back onto the board.
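The three-way comparison above (chip clip vs. J23 header vs. desoldered chip) is the step that decides whether a backup can be trusted. As an added example (not code from the original post), the following Python script cross-checks several reads of the same chip: it verifies each image against the 25Q64FV’s 8 MiB capacity, hashes them, takes the hash that the most reads agree on as the reference, and lists the byte ranges where any odd one out deviates. The three sample images are constructed 64 KiB stand-ins for the real 8 MiB dumps, with the chip-clip image deliberately damaged.

```python
import hashlib
import sys

# Capacity of the Winbond 25Q64FV on the DK200: 64 Mbit = 8 MiB.
W25Q64FV_SIZE = 8 * 1024 * 1024


def differing_ranges(a: bytes, b: bytes, block: int = 4096) -> list:
    """Half-open (start, end) byte ranges where two equal-length images differ.
    Blocks that compare equal are skipped wholesale so an 8 MiB compare is quick."""
    if len(a) != len(b):
        raise ValueError(f"size mismatch: {len(a)} vs {len(b)} bytes")
    ranges, start = [], None
    for off in range(0, len(a), block):
        if a[off:off + block] == b[off:off + block]:
            if start is not None:          # a run that ended exactly on a block edge
                ranges.append((start, off))
                start = None
            continue
        for i in range(off, min(off + block, len(a))):
            if a[i] != b[i]:
                if start is None:
                    start = i
            elif start is not None:
                ranges.append((start, i))
                start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def verify_dumps(dumps: dict, expected_size: int = W25Q64FV_SIZE) -> dict:
    """Cross-check several reads of one flash chip.
    The SHA-256 shared by the most images is the consensus; images with a
    different hash are reported together with where they deviate. With fewer
    than two agreeing reads there is no consensus and nothing should be
    written back to a chip."""
    images = {name: {"size": len(d),
                     "size_ok": len(d) == expected_size,
                     "sha256": hashlib.sha256(d).hexdigest()}
              for name, d in dumps.items()}
    by_hash = {}
    for name, meta in images.items():
        by_hash.setdefault(meta["sha256"], []).append(name)
    consensus, agreeing = max(by_hash.items(), key=lambda kv: len(kv[1]))
    if len(agreeing) < 2:
        consensus = None
    deviations = {}
    if consensus is not None:
        reference = dumps[agreeing[0]]
        for name, d in dumps.items():
            if images[name]["sha256"] == consensus:
                continue
            deviations[name] = (differing_ranges(reference, d)
                                if len(d) == len(reference) else "size mismatch")
    return {"images": images, "consensus_sha256": consensus,
            "agreeing": agreeing if consensus else [], "deviations": deviations}


# Constructed sample: three 64 KiB stand-ins for the 8 MiB dumps. The J23 and
# desoldered reads agree; the chip-clip read has a 16-byte run stuck at 0xFF
# and one flipped bit, the kind of damage a poor clip contact produces.
SAMPLE_SIZE = 64 * 1024
_good = bytes((i * 7 + 3) & 0xFF for i in range(SAMPLE_SIZE))
_clip = bytearray(_good)
_clip[0x1000:0x1010] = b"\xff" * 16
_clip[0x2F00] ^= 0x40
SAMPLE_DUMPS = {"j23_header.bin": _good, "chip_clip.bin": bytes(_clip), "desoldered.bin": _good}


def main(paths):
    dumps = {p: open(p, "rb").read() for p in paths} if paths else SAMPLE_DUMPS
    report = verify_dumps(dumps, W25Q64FV_SIZE if paths else SAMPLE_SIZE)
    for name, meta in report["images"].items():
        print(f"{name}: {meta['size']} bytes size_ok={meta['size_ok']} "
              f"sha256={meta['sha256'][:16]}...")
    print("consensus:", report["consensus_sha256"] or "NONE - do not flash")
    for name, where in report["deviations"].items():
        print(f"{name} deviates at:", where if isinstance(where, str) else
              ", ".join(f"0x{s:06x}-0x{e:06x}" for s, e in where))


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it as `python3 verify_dumps.py clip.bin j23.bin desoldered.bin` on real reads, or with no arguments for the sample. Requiring two independent reads to agree before writing anything back is what turns the “make a backup” advice into a check you can actually pass or fail.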

Firmware disassembly

Disassembling the firmware which shipped on my DK200, we see that a Secure Boot certificate was created by WindRiver.

I assume that had I been able to download the WindRiver SDK, I would have been able to build and sign Secure Boot with my own certificates. Given that industrial customers spend a lot of time and money worrying about security, I was surprised to see that the Secure Boot certificate in the firmware was created by WindRiver China.

I did try to load up the image in IDA, but not being a power user of IDA, I couldn’t figure out how to get it to analyze the SPI dump, and gave up to try and compile the firmware from source.

Building the BSP

Being Intel, there are hundreds of pages you can read about developing for EDK2 and other really fun things, probably. I didn’t read them.

A document which I did end up reading religiously was the Intel® Quark™ SoC X1000 Board Support Package (BSP) Build and Software User Guide [PDF], which describes how to build all the firmware components needed to bring up the X1000 SoC. I found out there is actually a newer version of this document (1.2.1 instead of 1.1), and there are some important differences between the documents I want to get to later.

By building the firmware, we’re hoping for one of two outcomes:

  1. A firmware with our own Secure Boot certificates, or
  2. A firmware which has Secure Boot disabled

Version 1.1 of the BSP Build and Software User Guide includes a section on pages 29 and 30 on how to bundle your own db, kek, and pk certificates:

Page 29 and 30 condensed

Unfortunately if you follow the instructions and try to use a layout.conf which specifies these files, you’ll get an error because there’s no address specified for this data in the image:

I do have a reference file from WindRiver with Secure Boot certificates, so if I was really interested in making Secure Boot work as intended, I could have reverse engineered the address to store the certificates.

The certificates section of layout.conf was removed from the 1.2.1 revision of the BSP Build and Software User Guide. I guess since it no longer works, Intel decided to remove it from the documentation.

So, we can’t install our own Secure Boot certificates in the firmware. What happens if we just leave out the certificates section entirely and build it?

Error 37: Quark signature file not found

Right, so even though there’s now no certificate in the firmware bundle, we still can’t boot.

Interestingly, if you don’t partition the uSD or USB stick correctly, you end up with this pretty screen:

I never saw that in the stock firmware.

Hacking GRUB

So it seems that we can’t include our own Secure Boot certificate in the firmware, due to the sample layout.conf file missing the certificates section, and not knowing the appropriate address to store the certificates.

What if we dig into Error 37: Quark signature file not found a bit more?

If you look in the grub source code included in the BSP, you can see a giant ~1000KB patch that Intel has made to the original upstream code to support the Quark platform.

If you grep for “Quark signature file not found” you’ll find it was added in stage2/common.c:
diff --git a/stage2/common.c b/stage2/common.c
index e96bec2..e122745 100644
--- a/stage2/common.c
+++ b/stage2/common.c
@@ -88,6 +88,8 @@ char *err_list[] =
[ERR_UNRECOGNIZED] = "Unrecognized command",
[ERR_WONT_FIT] = "Selected item cannot fit into memory",
[ERR_WRITE] = "Disk write error",
+ [ERR_QUARK_VERIFICATION] = "Quark signature verification failed",
+ [ERR_SGN_FILE_NOT_FOUND] = "Quark signature file not found",
};
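Review bot: the two added designated initializers use ERR_QUARK_VERIFICATION and ERR_SGN_FILE_NOT_FOUND, but nothing in this hunk declares them; the matching enumerators (and any array bound derived from the last error value) must be added in the same change to the header that defines the errnum enum, or stage2/common.c will fail to compile. Since err_list is indexed by the error number, the new enumerators should be appended after the existing ones rather than inserted in the middle, so the existing messages keep their indices.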

If you grep for ERR_SGN_FILE_NOT_FOUND you’ll find it’s in the following files:
./work/efi/ia32/loader/linux.c:410: errnum = ERR_SGN_FILE_NOT_FOUND;
./work/efi/ia32/loader/linux.c:732: errnum = ERR_SGN_FILE_NOT_FOUND;
./work/efi/quark/boot_settings.c:190: errnum = ERR_SGN_FILE_NOT_FOUND;

Going back to Intel’s modifications to grub, we can see what they added:

It takes a bit of searching, but if you strip out all of the grub_quark_secure logic from linux.c and boot_settings.c, you end up with…

Ta-da! I can boot Yocto Linux

No more Secure Boot!

At the end of the day, the Quark X1000 is an x86: “secure SKU” is nothing but a fuse setting.

The comment should read:

Determine whether or not grub should enforce Secure Boot.

In our case, this is not a mandatory option 😉

Special offer for DK200 owners

As shown above, it is possible to modify the Intel sources to disable Secure Boot. If other people have a DK200 from Intel and are interested in running a firmware without Secure Boot, leave a comment with your contact details. Upon request, I can provide a firmware image* with generic Ethernet MAC addresses for you to flash. Note that this firmware is specific to the DK200 (Clanton Hill) hardware.

* No warranty, express or implied, provided for said firmware image. You flash at your own risk!