EC hack: your laptop is equipped with a microcontroller

Recently I came across a beautiful write-up from [DHowett] on reprogramming the embedded controller (EC) of a Framework laptop. He shows how to repurpose the Caps Lock LED so that it instead indicates the state of the F1-F12 key layer, also known as “Fn Lock” (the thing that decides whether your F1 key currently acts as F1 or regulates the volume). The write-up also shows how to add custom code to your laptop’s EC firmware and integrate it properly into the various routines the EC runs.

The EC that Framework uses is an MEC1521 chip from Microchip, and earlier this year Framework open-sourced the firmware for it. So now there is a microcontroller code repository you can compile yourself and flash onto your Framework laptop’s motherboard. In a Hacker News comment thread, a Framework representative speculated that you might even add GPIOs to a Framework motherboard through an EC firmware hack.

Wait… microcontroller code? GPIOs? This brings us to the question: what is the EC, really? For starters, it’s just a microcontroller. You’ll find an EC in every x86 computer, laptops included, handling lower-level functions such as power management, the keyboard, the touchpad, the battery, and many other things. In the Apple world you may know it as the SMC, but its function is the same.

Why haven’t we been reprogramming our ECs all this time? That’s a valid question, and I’ll tell you all about it.

What is the job of the EC?

The EC controls a whole bunch of devices in your laptop. Not the devices connected over USB, LVDS/eDP or PCIe, as those fall under the purview of the chipset, but rather things like power switches, the charger chip and various current monitors, which need to keep working even when the chipset and CPU are powered off. And of course it’s not just power management – there are a lot of things in a laptop you need GPIOs for.

[Figure: section of the Eee PC 701 schematic, showing the EC connections, including some unused functions such as extra button connections.]
Caption: The EC of an Eee PC 701. This one even has some extra signals for media buttons that were left out of the hardware!

Generally, anything you would control with a digitalWrite or monitor with a digitalRead, measure through an ADC or talk to over I2C is something the EC handles. So the EC reads battery status and charger voltages, drives fans with PWM, and takes temperature readings from various sensors. The laptop keyboard is a matrix of switches; the EC scans that matrix, processes key presses, and passes key events to the chipset for your OS to read. Whether your touchpad is PS/2 or I2C, the EC manages it and exposes it to the OS as well.

Your laptop’s power button is connected directly to the EC, which makes the EC the first thing to turn on; if your broken laptop doesn’t react to the power button, that means the EC can’t do its power management job for some reason. In fact, if you check out the recently released Framework laptop reduced schematics, you will see that the EC has its own separate power rail coming directly from the battery.

How does it even talk to the chipset? For about two decades, ECs have used the LPC bus, a four-bit-wide bus superficially resembling QSPI; apart from ECs, it has recently only really been used by TPMs. LPC uses frequencies from 25 MHz to 100 MHz, so if you want to put a logic analyzer on your LPC signals and capture some packets, your typical cheap 25 Msps LA won’t suffice, but a ready-to-use FPGA board or a faster LA will do wonders, and there is a pretty cool paper using LPC manipulation and an FPGA to extract keys from TPMs.

LPC is about two decades old and a direct successor to the ISA bus – in fact, in some laptop schematics from 2003 you’ll find the EC connected via ISA instead, but everything after that is LPC. Recent ECs, however, speak eSPI instead, a QSPI-like interface intended to replace LPC, and the Framework EC firmware also talks eSPI.

Of course there is firmware involved

Every EC has firmware, and every laptop (and desktop, and server!) has an EC. EC firmware is almost always closed-source, so it’s one of the binary blobs we tend to overlook when talking about proprietary components inside our computers. Often the EC firmware is stored on the same SPI flash chip as the BIOS; other times there is a separate external or on-chip flash, in which case you usually have a UART bootloader through which you can reflash your EC. It all depends on the specific manufacturer and model of EC you have.

Often your EC is built on something like an ARM or 8051 core; other times it’s something more obscure like CompactRISC. The common thread is that, at most, you will get a binary blob when it comes to your EC firmware. At some point after Google got into the laptop business, a group of engineers probably said “enough” and open-sourced their EC code, and this is what Framework built on for its own EC firmware. Last year, System76 opened its EC code too. Unfortunately, the situation remains dire with other laptop manufacturers.

Could your EC be hijacked? Unlikely – changing and updating EC firmware is usually harder than doing the same with BIOS images. Now, could you modify the behavior of your EC yourself? It’s at least technically possible, and I’d say you should always have been able to.

So what about hacks?

Of course, as with every subsystem in a laptop, you’ll find a subset of ThinkPad enthusiasts who have already dug deep and used it to do fun and useful things. The EC is one such area, and they definitely have something to offer – reprogramming keyboard layouts and removing battery locks, mostly. With keyboard layouts, they’ve managed to make older (and apparently superior) keyboards work with newer laptops, with a tutorial on which pins you specifically need to isolate, and a super convenient way to flash the changes.

The battery part is more vital, though – more often than not you can live with an inferior keyboard, even on supposedly stellar ThinkPads. The problem is the “genuine” battery check in the EC, which won’t let you charge (or even run from) a battery that fails it. And it’s not just about limiting third-party battery options, if that’s what it sounds like – such checks also prohibit the use of Lenovo batteries that were simply intended for a different ThinkPad model but are otherwise a perfect match mechanically, electrically and electronically.

There is a video on how the ThinkPad EC hack came about, and I recommend you check it out to see what’s going on. Now, Lenovo didn’t seem to like people swapping keyboards and enabling third-party batteries for which Lenovo itself has stopped selling “genuine” counterparts. So at some point they decided to close off one of the most convenient ways of updating EC firmware, and posted a BIOS update citing “security enhancements”. The relevant CVE states this:

A vulnerability has been reported in various BIOS versions of older ThinkPad systems that could allow a user with administrative privileges or physical access to update the embedded controller with unsigned firmware.

If you ask me, that description is bonkers. The phrase basically means “laptop owner can flash EC firmware not approved by Lenovo”. I wonder what led to this and what the possible justification could be, but in the end, whatever the reason, it’s a distraction from what I believe: updating the EC firmware on your own laptop should be possible, and Lenovo has closed down a user-friendly way to do it.

Also, not all manufacturers respect your right to repair the EC. As an example, for nearly a decade now Dell has been shipping laptops with ECs that run encrypted firmware, with the keys fused inside the EC. This has been a particular problem for Dell laptop repair, as ECs die from time to time. Although you can buy a blank EC and solder it in place of Dell’s dead one, it won’t have the decryption keys that Dell flashes into the EC at the factory, and therefore won’t run Dell’s encrypted firmware. Modifications aren’t even on the table here – it’s not even possible to find a suitable replacement EC when your laptop is broken, even though the chips themselves are plentiful.

What can you do now?

There are now three manufacturers with open-source EC firmware: Google, System76, and Framework. What could you do with it, though? As with any underexplored area of hacking, it will take time to realize its full potential. Key remapping isn’t the only thing – you can implement an 80% battery charge limit for cell longevity if your laptop manufacturer didn’t provide one, add extra layers to your laptop keyboard without needing OS support, maybe adjust your fan curves. Or, indeed, you can add GPIOs inside your laptop for whatever sensors or buttons your heart desires.
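To make the keyboard-layer idea concrete, here is an added example, not Framework's or any vendor's EC code, of the scan loop an EC runs over its key matrix with a software Fn layer and an Fn Lock toggle; the row/column layout, keycodes and the sim_matrix stand-in for the GPIO reads are constructed for illustration. It remembers which code was sent at press time so that a key pressed in one layer and released in the other does not get stuck, one classic source of the stuck-key bugs ECs are known for.

```c
#include <stdbool.h>
#include <stdint.h>
/* Hypothetical EC keyboard loop, not any vendor's firmware: scan the matrix one
 * row at a time, diff against the previous scan, emit key events, with an Fn
 * layer and an Fn Lock toggle like the write-up's Caps Lock LED hack. */
#define ROWS 2
#define COLS 4
enum { KEY_FN = 0xF0, KEY_FN_LOCK = 0xF1, KEY_ESC = 0x1B, KEY_F1 = 0xE1, KEY_VOL_UP = 0xE2 };
/* Constructed layouts: what each switch means without and with Fn. */
static const uint8_t base_layer[ROWS][COLS] = {
    { KEY_F1,     'q', 'w', KEY_FN  },
    { 'a',        's', 'd', KEY_ESC },
};
static const uint8_t fn_layer[ROWS][COLS] = {
    { KEY_VOL_UP, 'q', 'w', KEY_FN      },
    { 'a',        's', 'd', KEY_FN_LOCK },   /* Fn+Esc toggles Fn Lock */
};
struct kb_event { uint8_t code; bool pressed; };
struct kb_state {
    uint8_t prev_cols[ROWS];     /* column bitmask seen on each row last scan */
    uint8_t active[ROWS][COLS];  /* code sent at press time; reused at release so a
                                    layer change mid-press cannot leave a key stuck */
    bool fn_held, fn_lock;
};
/* Stand-in for the EC's GPIO read after driving one row low: bit c set means
 * the switch at (row, c) is closed. Constructed; a test pokes sim_matrix. */
uint8_t sim_matrix[ROWS];
uint8_t sim_read_cols(int row) { return sim_matrix[row]; }

int kb_scan(struct kb_state *st, uint8_t (*read_cols)(int),
            struct kb_event *out, int max_out)
{
    int n = 0;
    for (int r = 0; r < ROWS; r++) {
        uint8_t now = read_cols(r), changed = now ^ st->prev_cols[r];
        st->prev_cols[r] = now;
        for (int c = 0; c < COLS; c++) {
            if (!(changed & (1u << c))) continue;
            bool down = (now >> c) & 1;
            bool fn = st->fn_held != st->fn_lock;  /* holding Fn inverts the lock */
            uint8_t code = down ? (fn ? fn_layer : base_layer)[r][c] : st->active[r][c];
            st->active[r][c] = down ? code : 0;
            if (code == KEY_FN)      { st->fn_held = down; continue; }
            if (code == KEY_FN_LOCK) { if (down) st->fn_lock = !st->fn_lock; continue; }
            if (n < max_out) { out[n].code = code; out[n].pressed = down; n++; }
        }
    }
    return n;
}
/* What the write-up repurposes the Caps Lock LED for: the Fn Lock state. */
bool kb_fn_lock_led(const struct kb_state *st) { return st->fn_lock; }
```

A real EC would also debounce the switches and reject ghosted key combinations before this step; both are left out here to keep the layer logic readable.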

You can also fix bugs, which pop up in ECs every now and then and can be quite annoying to deal with – imagine keyboard keys getting stuck once in a while, seemingly at random; that’s exactly what an EC bug looks like. Be it bug fixes or improvements, as with any firmware that was closed until now, we won’t see a whole host of cool hacks from tomorrow, but there are definitely some cool things on the horizon when it comes to EC hacking.