Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Wenting Profile picture
@zephray_wenting
Feb 25 37 tweets 12 min read Read on X
Scrolly
Bought a prison laptop on eBay. Thought it should be just some generic laptop with a clear shell, turns out it's actually a bit more than that. Image
Out of the box you get a laptop that basically doesn't do anything other than asking for the password. It doesn't have hard drive so obviously there is no operating system loaded. You can not even easily install your own because there is no USB port at all: Image
On the back it says the model number is NV116APNB, which also doesn't really help. After doing some researching online it turns out the model name for this thing is the Justice Tech Solutions Securebook 5. The latest generation is the Securebook 6. Image
Looking at the motherboard, it doesn't even offer any unpopulated USB port solder pads, so trying to add an USB port would require some additional effort I guess. (Unless I can get the official dock somehow). The specs are: Celeron N3450 + 4GB SKhynix LPDDR3 + Intel Wireless 7625 Image
On to the password issue. The boot splash basically told me it uses AMI BIOS. One generic way of clearing the password on AMI BIOS machines is use a flash programmer, searching for "AMITSESetup" in the BIOS NVRAM and simply zeroing out the the password. Image
And yes I can definitely find the AMITSESetup in the NVRAM and there is indeed an encrypted password waiting to be cleared: Image
The only issue is that, after clearing it and flashing it back. Turning on the machine I am greeted by the enter password screen again. After reading out the flash, I noticed that the password magically returned. What was going on? Image
Turns out this machine, intentionally or not, would automatically resets the BIOS after the board is fully powered down (both battery and DC input removed). And at least for the BIOS version I have (and the BIOS V06 available on the website), there is a default password.
This means if I remove the power to reflash the BIOS chip, the default password would return the next time it's powered on again after then automatic reset. So I need to reflash the BIOS without removing the power to the board. This is what I ended up doing: Image
I would wish I have one of those small SOP sockets, but this hacky solution would do for now. I am now able to reprogram the flash without having to power down the board (thus trigging a reset). The result... I got access to this boring BIOS setup screen: Image
Yes, the security tab is all it has. I can now set different passwords and see how they gets encrypted and saved on to SPI Flash. I am no expert on cryptography so I am not going to try further. I just hoped to checked it was just some extremely simple XOR, but it's not. Image
Apparently there is also a version of BIOS that doesn't have password and has way more options available:
For now the default password is not a big issue anyway. It only has default password for accessing the BIOS setup, not for booting up. The reason it wants password is just because there is no bootable device and it defaults to entering the BIOS.
Now how do I provide a bootable device? It doesn't have USB port so it gotta be the hard drive. Then it has some other surprise for me: IT HAS A HARD DRIVE WHITELIST Image
Guess what, I actually know the original hardware model number, because this machine model has been probed by ! . According to the probe, it should have a... "China SATA3 240GB SSD". I mean, the vendor string is literally "China". linux-hardware.org
linux-hardware.org/?probe=5b3d6e1…
Image
I guess based on that result I won't be able to the find the exact hard drive easily. Without diving deep into the BIOS reverse-engineering, how about USB boot? After all I think it would be crazy if you have to buy USB drive from them if they implement a USB whitelist...
So I quickly connected a USB Hub onto it. I decided to use the USB signal on the touchpad connector, because I am a bit too lazy to figure out the pinout of the dock connector. (Try not screaming at these wires, this is just a proof of concept) Image
And it just boots. Just power on and it boots right into Ubuntu MATE 22.04 amd64 installation USB. Image
So if I decide to do this USB mod properly in the future, I will probably design a custom USB Hub PCB. It would connect to the mainboard's touchpad connector through a ribbon cable. The touchpad would then be connected to one of the downstream port of the hub.
I would like to highlight there is an ongoing effort by @techknight2 to modify the BIOS to remove the whitelist:
@techknight2 There is also a way to simply bypass the hard drive limitation by @crtdude :
AND, we might be able to brute force the default password:
Additional notes: the unpopulated connector on the side are for speakers. These passives likely forms an LC low pass filter for the integrated class D amplifier. Image
I gotta go to sleep today, looks like people have started trying to crack the password!
This thread is going viral, thank you all for the like and repost! Update on the password, they literally just shared the password in a video:
Anyone knows how to fix the EFI checksum? I never successfully hacked any modern EFI firmware so I am bit clueless here:
Anyway, I am going to try the hard drive check bypass method shared previously. I believe the basic idea is to trick the BIOS into thinking the hard drive is actually a bootable CD instead of a ... hard drive, so it won't trigger the HDD ID check. Image
And to pair with the PrisonBook, I have this IBM SYSTEM X / INTEL DC S3700 ENTERPRISE DATACENTER SSD featuring HET MLC cells with 7.3PBW rating. I just kind of like the idea of putting a $1K SSD into this absolutely cheapest-made laptop (I got it from MIT flea for $5 though) Image
Couldn't seem to find my USB-SATA adapter, so I am just using another machine (Lenovo ThinkCentre M600) with SATA port to write the Debian ISO image into the hard drive. I quite like these small desktop machines Image
The bypass method definitely works on my machine as well as far as getting into installation. Installing Debian now, going to check back later to see how it goes. Image
Actually, I don't even need to use that bypass method anymore! @realOtakuNekoP just got the patched BIOS repacked. I flashed that in, plugged in my old hard drive with Ubuntu already installed, it just boots right into the OS! No more HDD swapped errors Image
@realOtakuNekoP Sorry but I have to do this
Most things work well in Linux: the touchpad and keyboard work, the backlight works, WiFi works at up to 867Mbps, suspend to RAM works, and the headphone jack works. Things don't work: Bluetooth and the unpopulated internal speaker connector have no signal coming through.
I would like to conclude the PrisonBook S1 here: We got BIOS patched to accept any hard drive thanks to @realOtakuNekoP and @techknight2 , password encoding and actual password figured out thanks to @thelithcore and @wlp3s0 . The BIOS is uploaded to ...archive.org/details/stock-…
@realOtakuNekoP @techknight2 @thelithcore @wlp3s0 If there will be a S2, it would be focusing on getting a USB breakout board made to add a USB port. But that's for another day. If you liked the thread maybe consider following me and checking out my other projects, like this DIY digital camera:
@realOtakuNekoP @techknight2 @thelithcore @wlp3s0 In any case, thanks for reading this long thread!
@soeasilynoticed But hey I somehow took an almost entirely different route than you guys... I was fiddling with the password, trying out encrypting different things with the BIOS with the hope to recover the default password, then connecting USB hubs, etc.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Wenting

Wenting Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @zephray_wenting

Wenting Profile picture
Sep 4, 2022
Quick weekend project: I have many LCD modules in my drawer. When I am feeling stressed out/ burnt out, I would just randomly pick one from the drawer and try to make it work. So, today I have got this small LCD module, with no datasheet or any documentation:
The backside of it, no identifiable LCD controller or driver chip. The connector has 25 pins. Searching the model number showed me that the manufacturer has gone bankrupt more than a decade ago, and it's being used on some data terminals, with a resolution of 160x128.
It’s a bit hard to take it apart without breaking it due to the construction so I am not doing it. But just peeking through the side, it looks like it has got 3 COB chips for driving the screen.
Read 19 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(