CH341

4 Articles

An artistic representation of a red Moon, hovering over the Earth

Is That The Moon Worming Its Way Into Your BIOS?

January 23, 2022 by 51 Comments

When facing a malware situation, the usual “guaranteed solution” is to reinstall your OS. The new developments in malware world will also require you to have a CH341 programmer handy. In an arguably inevitable development, [Kaspersky Labs] researchers have found an active piece of malware, out in the wild, that would persist itself by writing its bootstrap code into the BIOS chip. It doesn’t matter if you shred the HDD and replace it with a new one. In fact, so-called MoonBounce never really touches the disk at all, being careful to only store itself in RAM, oh, and the SPI flash that stores the BIOS code, of course.

MoonBounce is Microsoft-tailored, and able to hook into a chain of components starting from the UEFI’s DXE environment, through the Windows Loader, and finishing as a part of svchost.exe, a process we all know and love.

This approach doesn’t seem to be widespread – yet, but it’s not inconceivable that we’ll eventually encounter a ransomware strain using this to, ahem, earn a bit of extra cash on the side. What will happen then – BIOS reflashing service trucks by our curbsides? After all, your motherboard built-in BIOS flasher UI is built into the same BIOS image that gets compromised, and at best, could be disabled effortlessly – at worst, subverted and used for further sneaky persistence, fooling repairpeople into comfort, only to be presented with one more Monero address a week later.

Will our hardware hacker skills suddenly go up in demand, with all the test clip fiddling and SOIC-8 desoldering being second nature to a good portion of us? Should we stock up on CH341 dongles? So many questions!

This week’s installment of “threat vectors that might soon become prevalent” is fun to speculate about! Want to read about other vectors we might not be paying enough attention to? Can’t go wrong with supply-chain attacks on our repositories! As for other auxiliary storage-based persistence methods – check out this HDD firmware-embedded proof-of-concept rootkit. Of course, we might not always need the newfangled ways to do things, the old ways still work pretty often – you might only need to disguise your malicious hardware as a cool laptop accessory to trick an average journalist, even in a hostile environment.

Continue reading “Is That The Moon Worming Its Way Into Your BIOS?”

A CH341 programmer dongle with a stack of adapters on top (one for 1.8V and one for clip connection), and a test clip to the right of it

BIOS Flashing Journey Writeup Puts Tutorials To Shame

December 26, 2021 by 18 Comments

A couple of weeks ago, [Doug Brown] bought a Ryzen motherboard, advertised as “non-working” and discounted accordingly. He noticed that the seller didn’t test it with any CPUs old enough to be supported by the board’s stock BIOS revision, and decided to take a gamble with upgrading it.

Not having a supported CPU in hand either, he decided to go the “external programmer” route, which succeeded and gave this board a new life. This is not why we’re writing this up, however. The reason this article caught our eye is because [Doug]’s research leaves no stone unturned, and it’s all there to learn from. Whether through careful observation or thorough research, this article covers all the important points and more, serving as an example to follow for anyone looking to program their BIOS.

For instance, [Doug] correctly points out a design issue with these common programmers resulting in 5 V getting onto the 3.3 V data lines, and fixes it by rewiring the board. Going through all the letters in the ICs part number, something that many of us would dismiss, [Doug] notices that the flash chip is 1.8 V-only and procures a 1.8 V adapter to avoid the possibility of frying his motherboard. After finding out that the 1.8 V adapters don’t work for some people, he reverse-engineers the adapter’s schematics and confirms that it, indeed, ought to work with the specific parts on adapter he received.

Noting another letter in the part number implying the flash chip might be configured for quad-SPI operation, he adds series resistors to make sure there’s no chance of the programmer damaging the BIOS chip with its hardwired pinout. This is just an example of the insights in [Doug]’s article, there’s way more that we can’t mention for brevity, and we encourage you to check it out for yourself.

With this level of care put into the process, it’s no surprise that the modification was successful. The kind of inquisitiveness shared here is worth aspiring to, and writeups like this often surpass general-purpose tutorials in their insights and usefulness. What’s your “successfully making use of something sold as non-working” story?

If you’re looking for other insightful BIOS stories, we’ve covered someone reverse-engineering their BIOS to remove miniPCIe card whitelisting. We’ve typically covered BIOS modification stories in laptops, since there’s more incentives to modify these, but a lot of laptop BIOS articles will apply to desktop motherboards too, such as this supervisor password removal story or this LibreBoot installation journey by our own [Tom Nardi].

Thank you [Sidney] for sharing this with us!

Linux Adds CH341 GPIO

February 21, 2018 by 64 Comments

There was a time when USB to serial hardware meant one company: FTDI. But today there are quite a few to choose from and one of the most common ones is the WCH CH341. There’s been support for these chips in Linux for a while, but only for use as a communication port. The device actually has RS232, I2C, SPI, and 8 general purpose I/O (GPIO) pins. [ZooBaB] took an out-of-tree driver that exposes the GPIO, and got it working with some frightening-looking CH341 boards.

He had to make a slight mod to the driver to get six GPIOs in /sys/class/gpio. Once there though, it is easy to manipulate the pins using a shell script or anything that can write to the virtual files corresponding to the GPIO pins.

Continue reading “Linux Adds CH341 GPIO”

Finding A Cheaper USB To Serial Chips

December 2, 2014 by 90 Comments

FTDI-gate wasn’t great for anybody, and now with hardware hobbyists and technological tinkerers moving away from the most popular USB to serial adapter, some other chip has to fill the void. The cheapest USB to serial chip on the market appears to be the CH340G, available for 20-40 cents apiece from the usual retailers. There is, however, almost no English documentation, and the datasheet for the CH340 family doesn’t include this chip. [Ian]’s here to help you out. He got his mitts on a few of these chips and managed to figure out the pinout and a few reference schematics. He even made an Eagle part for you. Isn’t that nice?

The CH340 series of chips do exactly what you would expect them to do: a full-speed USB device that emulates a standard serial interface, with speeds from 50bps to 2Mpbs. The chip supports 5V and 3.3V, and all the weird modem lines are supported. This chip even has an IrDA mode, because wireless communication in the 90s was exactly as rad as you remember.

With [Ian]’s help, we now have a cheap source of USB to serial chips. If you need the datasheet, here you go. The driver is a bit more difficult to find, but what you’re looking for is the CH341 family of chips. That can be found with a little bit of Google fu.