Funny to see this come back and see my write-up linked. I did this 8 years ago and think I was the first on this particular board (although others had done similar on other boards). I still have a pile of them sitting on my desk because I accidentally kept bricking them by being ... not careful. That said, even at the time this board was already old, so I guess it's positively prehistoric at this point. I eventually stopped working on this because I thought that others were making sufficient progress. It hasn't really fully materialized yet, but between openbmc, opensil, DC-SCM and the work the oxide folks are doing, I'm still hopeful that we'll get out of server firmware hell eventually.
Out of curiosity: how "bricked" are these boards? Is there irreversible hardware damage (and, if so, how?), or has some firmware just gotten overwritten?
One of them I managed to fry the pcie root complex somehow, not sure exactly how. One I damaged the traces to the BMC SPI flash. Two others I think just have bricked firmware, but it's been years, so I don't remember for sure.
Nice work. Getting at obscured firmware is the next best thing to open firmware. (Well, or firmware that's simply not there, if it's not open.)
I've had several Supermicro servers at home over the years, and I've kept the one that doesn't include the IPMI BMC. (You can see the unpopulated pads on the board where the Winbond(?) package was in a different variant of the server I had.) Fewer things to go wrong.
This is very interesting, but I'm a little lost. UART is serial. Are they trying to get a serial terminal set up with some chip on this motherboard? Wat does it let them do?
"X11SSH" is a Supermicro motherboard [1] with a (fairly common) Aspeed BMC implementing IPMI. (It has nothing to do with X11 or SSH - the name is an unfortunate coincidence.) The UART that is being accessed here is a debug UART for the BMC, which also runs Linux.
Accessing the BMC UART gives you console access to the baseboard management controller's operating system (typically Linux-based), allowing for firmware analysis, debugging, and potentially bypassing security restrictions that aren't accessible through the normal management interface.
Funny to see this come back and see my write-up linked. I did this 8 years ago and think I was the first on this particular board (although others had done similar on other boards). I still have a pile of them sitting on my desk because I accidentally kept bricking them by being ... not careful. That said, even at the time this board was already old, so I guess it's positively prehistoric at this point. I eventually stopped working on this because I thought that others were making sufficient progress. It hasn't really fully materialized yet, but between openbmc, opensil, DC-SCM and the work the oxide folks are doing, I'm still hopeful that we'll get out of server firmware hell eventually.
Out of curiosity: how "bricked" are these boards? Is there irreversible hardware damage (and, if so, how?), or has some firmware just gotten overwritten?
One of them I managed to fry the pcie root complex somehow, not sure exactly how. One I damaged the traces to the BMC SPI flash. Two others I think just have bricked firmware, but it's been years, so I don't remember for sure.
Nice work. Getting at obscured firmware is the next best thing to open firmware. (Well, or firmware that's simply not there, if it's not open.)
I've had several Supermicro servers at home over the years, and I've kept the one that doesn't include the IPMI BMC. (You can see the unpopulated pads on the board where the Winbond(?) package was in a different variant of the server I had.) Fewer things to go wrong.
Cool write up, but how in the world do they have Gerbers for a Supermicro motherboard?
You can ask Tim. Those Berbers sitting without any issues on the GitHub for two years already https://github.com/mithro/x11ssh-f-pcb
Right? I need that kind of friends.
Image a layer, sand it off, image another layer, sand it off, repeat until you have them all?
They drew them.
This is very interesting, but I'm a little lost. UART is serial. Are they trying to get a serial terminal set up with some chip on this motherboard? Wat does it let them do?
"X11SSH" is a Supermicro motherboard [1] with a (fairly common) Aspeed BMC implementing IPMI. (It has nothing to do with X11 or SSH - the name is an unfortunate coincidence.) The UART that is being accessed here is a debug UART for the BMC, which also runs Linux.
[1]: https://www.supermicro.com/en/products/motherboard/x11ssh-f
Yo dawg, I put linux on your linux so you can X11/SSH while you X11SSH
Great explanation.
Accessing the BMC UART gives you console access to the baseboard management controller's operating system (typically Linux-based), allowing for firmware analysis, debugging, and potentially bypassing security restrictions that aren't accessible through the normal management interface.
What is the benefit of this?
Possibility of runtime exploration of the system which may help in OpenBMC port.