Flash Programmer Shows Some Nifty Tricks

November 5, 2023 by Jenny List 12 Comments

A handy tool to have on the bench is a Flash chip programmer, and the ones based around the CH341A USB bus converter chip are readily available. But the chip is capable of so much more than simply programming nonvolatile memory, so [Tomasz Ostrowski] has created a utility program that expands its capabilities. The software provides easy access to a range of common i2c peripherals. He’s got it talking to smart batteries, GPIOs, environmental sensors, an OLED display, and even an FM radio module. The code can all be found in a GitHub repository. The software is Windows-only so no fun and games for Linux users yet — but since it’s open source, new features are just a pull request away.

The CH341A is much more than an i2C controller, it also supports a surprising range of other interfaces including SPI, UARTs, and even a bidirectional parallel printer port. Maybe this software will serve to fire the imagination of a few others, and who knows, we could see more extended use of this versatile chip. Oddly we’ve featured these programmer boards before, though in a tricky flashing job.

An artistic representation of a red Moon, hovering over the Earth

Is That The Moon Worming Its Way Into Your BIOS?

January 23, 2022 by Arya Voronova 52 Comments

When facing a malware situation, the usual “guaranteed solution” is to reinstall your OS. The new developments in malware world will also require you to have a CH341 programmer handy. In an arguably inevitable development, [Kaspersky Labs] researchers have found an active piece of malware, out in the wild, that would persist itself by writing its bootstrap code into the BIOS chip. It doesn’t matter if you shred the HDD and replace it with a new one. In fact, so-called MoonBounce never really touches the disk at all, being careful to only store itself in RAM, oh, and the SPI flash that stores the BIOS code, of course.

MoonBounce is Microsoft-tailored, and able to hook into a chain of components starting from the UEFI’s DXE environment, through the Windows Loader, and finishing as a part of svchost.exe, a process we all know and love.

This approach doesn’t seem to be widespread – yet, but it’s not inconceivable that we’ll eventually encounter a ransomware strain using this to, ahem, earn a bit of extra cash on the side. What will happen then – BIOS reflashing service trucks by our curbsides? After all, your motherboard built-in BIOS flasher UI is built into the same BIOS image that gets compromised, and at best, could be disabled effortlessly – at worst, subverted and used for further sneaky persistence, fooling repairpeople into comfort, only to be presented with one more Monero address a week later.

Will our hardware hacker skills suddenly go up in demand, with all the test clip fiddling and SOIC-8 desoldering being second nature to a good portion of us? Should we stock up on CH341 dongles? So many questions!

This week’s installment of “threat vectors that might soon become prevalent” is fun to speculate about! Want to read about other vectors we might not be paying enough attention to? Can’t go wrong with supply-chain attacks on our repositories! As for other auxiliary storage-based persistence methods – check out this HDD firmware-embedded proof-of-concept rootkit. Of course, we might not always need the newfangled ways to do things, the old ways still work pretty often – you might only need to disguise your malicious hardware as a cool laptop accessory to trick an average journalist, even in a hostile environment.

Continue reading “Is That The Moon Worming Its Way Into Your BIOS?” →

A CH341 programmer dongle with a stack of adapters on top (one for 1.8V and one for clip connection), and a test clip to the right of it

BIOS Flashing Journey Writeup Puts Tutorials To Shame

December 26, 2021 by Arya Voronova 18 Comments

A couple of weeks ago, [Doug Brown] bought a Ryzen motherboard, advertised as “non-working” and discounted accordingly. He noticed that the seller didn’t test it with any CPUs old enough to be supported by the board’s stock BIOS revision, and decided to take a gamble with upgrading it.

Not having a supported CPU in hand either, he decided to go the “external programmer” route, which succeeded and gave this board a new life. This is not why we’re writing this up, however. The reason this article caught our eye is because [Doug]’s research leaves no stone unturned, and it’s all there to learn from. Whether through careful observation or thorough research, this article covers all the important points and more, serving as an example to follow for anyone looking to program their BIOS.

For instance, [Doug] correctly points out a design issue with these common programmers resulting in 5 V getting onto the 3.3 V data lines, and fixes it by rewiring the board. Going through all the letters in the ICs part number, something that many of us would dismiss, [Doug] notices that the flash chip is 1.8 V-only and procures a 1.8 V adapter to avoid the possibility of frying his motherboard. After finding out that the 1.8 V adapters don’t work for some people, he reverse-engineers the adapter’s schematics and confirms that it, indeed, ought to work with the specific parts on adapter he received.

Noting another letter in the part number implying the flash chip might be configured for quad-SPI operation, he adds series resistors to make sure there’s no chance of the programmer damaging the BIOS chip with its hardwired pinout. This is just an example of the insights in [Doug]’s article, there’s way more that we can’t mention for brevity, and we encourage you to check it out for yourself.

With this level of care put into the process, it’s no surprise that the modification was successful. The kind of inquisitiveness shared here is worth aspiring to, and writeups like this often surpass general-purpose tutorials in their insights and usefulness. What’s your “successfully making use of something sold as non-working” story?

If you’re looking for other insightful BIOS stories, we’ve covered someone reverse-engineering their BIOS to remove miniPCIe card whitelisting. We’ve typically covered BIOS modification stories in laptops, since there’s more incentives to modify these, but a lot of laptop BIOS articles will apply to desktop motherboards too, such as this supervisor password removal story or this LibreBoot installation journey by our own [Tom Nardi].

Thank you [Sidney] for sharing this with us!

New Breakout Board For Grid-EYE Thermal Sensor

May 18, 2020 by Donald Papp 13 Comments

Panasonic’s Grid-EYE sensor is essentially a low-cost 8×8 thermal imager with a 60 degree field of view, and a nice breakout board makes it much easier to integrate into projects. [Pure Engineering] has created an updated version of their handy breakout board for the Grid-EYE and are currently accepting orders. The new breakout board is well under an inch square and called the GridEye2 (not to be confused with the name of the main component, the AMG8833 Grid-EYE by Panasonic.)

GridEye2 connected to CH341A dev board, allowing easy PC interface over USB.

A common way to interface with the Grid-EYE is over I2C, but to make connecting and developing on a PC more straightforward, [Pure Engineering] has made sure the new unit can plug right into their (optional) CH341A development board to provide a USB interface. Getting up and running on a Linux box is then as simple as installing the Linux drivers for the CH341A, and using sample C code to start reading thermal data from an attached GridEye2 board.

The Grid-EYE is a low-cost and capable little device that mates well with an LED matrix display, and on the more advanced side, a simple Gaussian interpolation can have a striking effect when applied to low-resolution sensors, making them appear higher resolution than they actually are.