In what’s perhaps one of the most impressive laptop reverse engineering posts in recent memory, [Andrey Konovalov] brings us an incredibly detailed story of how he’s discovered and successfully enabled a USB device controller in a ThinkPad X1 Carbon equipped with a 6th gen Intel CPU.
If you ever wanted to peek at the dirty secrets of a somewhat modern-day Intel CPU-based system, this write-up spares you no detail, and spans dozens of abstraction layers — from Linux drivers and modifying NVRAM to custom USB cable building and BIOS chip flashing, digging deep into undocumented PCH registers for the dessert.
All [Andrey] wanted was to avoid tinkering with an extra Raspberry Pi. While using a PCIe connected device controller, he’s found a reference to intel_xhci_usb_sw-role-switch
in Linux sysfs
, and dove into a rabbit hole, where he discovered that the IP core used for the laptop’s USB ports has a ‘device’ mode that can be enabled. A dig through ACPI tables confirmed this, but also highlighted that the device is disabled in BIOS. What’s more, it turned out to be locked away behind a hidden menu. Experiments in unlocking that menu ensued, in particular when it comes to bypassing Intel Boot Guard, a mechanism that checks BIOS image signatures before boot.
[Andrey] shows us a few different ways he’s tried to enable the controller, just for the fun of it, from using BootGuard exploits to reverse-engineering NVRAM EFI variable mapping, and even a lengthy section on poking directly at the Intel PCH’s registers trying to enable the USB device peripheral from userspace, assisted by [Maxim Goryachy] of Intel reverse-engineering fame. In the end, the NVRAM patching way turned out to be the most viable way for an average user, and the blog post has more than enough detail for any enterprising hacker who would like to make it work for them as well.
As a victory dance, we get a section on all the wonderful things you can do if your device supports USB device mode. There’s the obvious USB storage example, but [Alexey] shows us a few cool tools to remember – the Raw Gadget Linux kernel framework for building any kind of USB device you could dream of, the syzkaller USB stack fuzzer, and Facedancer, a framework for USB device emulation.
If you think all of this is a lot, mind you that we have only described about half of all the cool stuff that the blog post contains — you should go check it out, and make a cup of tea, because there’s just that much cool stuff to learn about.
Genuinely, this blog post is a testament to a hacker’s dedication, and a shining example of just how far you can reach if you are willing to keep digging. Does your laptop hide some secrets that nobody knew existed? Remember, there’s only one way to find out.
Or just buy a Macbook.
like any true hacker
Can macbook operate as usb device?
There were macbooks with the right Intel CPUs at least.
Only in a very specific way, as far as I know: they can be put into “target disk mode” on boot, which essentially converts your macbook into a very large and expensive external drive. Handy for data recovery, but not that interesting.
this has been a feature since the firewire (and even scsi!) days, and for a while, it could be done over usb as long as you had a usb-c intel macbook. You can also use thunderbolt, but that’s completely different under the hood.
This is pretty relentless. I would’ve given up as soon as I realized it’s a BIOS problem.
Side note: IIRC Intel added a USB device controller to serve the tablet/hybrid device market. Might be wrong though, and I don’t think I’ve ever seen a device use it.
It may be useful for recovering devices, or cross flashing between Android/Windows with tablets
Which brings the question, does USB-C work both ways by standard? Can you plug two laptops together and share files without any special drivers, just by configuring one to present as a portable drive?
There may be a part of the USB-C spec that allows that, and PCIe unidirectionally is becoming a thing so that Alt mode might work via USB-C. But as almost all of USB-C is optional I’d be astonished if any device ever included that feature – its not in the ‘must be included’ section as far as I recall. But boy do I hate the standard of confusion that USB-C is by its very nature…
2x Thunderbolt 3+ (≈ USB 4+) systems connected together will show up as a point-to-point ethernet interface with the link speed of the underlying Thunderbolt connection on both systems.
Set up a network share on one of the devices and you can happily do network transfers at 40Gbe with nothing but a $20 Thunderbolt cable.
You actually can (sort of). I plugged my Thinkpad T480 into an M1 Mac Mini, ran `sudo modprobe thunderbolt-net` and had an approximately 10Gbps network link between the two with almost no configuration. I just had to set a static IP on both ends.
It’s absolutely bizarre that he even has an Intel laptop because he’s “a security researcher and a software engineer” which means he knows that the chip in the laptop needed microcode patches for meltdown and spectre. On top of that, the IME had CVEs and needed patching too. I’m completely aghast that someone who knows would even bother with such a deeply flawed machine.
lol, as if every computing device has to be internet connected
What magic computers do you use that have never had bugs or vulnerabilities?
I used to have this little Linux PPC device that functioned entirely as a USB gadget. It had some patches that allowed it to do composite devices, and it would emulate a network card and cd-rom. With an X11 for windows on the CD-ROM plus an autorun script to setup networking and start X on windows. On the Linux end, you had a small linux distro with fingerprint reader.
https://en.wikipedia.org/wiki/BlackDog