Extract Firmware

Information of the SPI flash

Dumping the SPI flash from Linux
Dump the SPI flash by using the linux command line tool dd.
Command: dd if=/dev/mtd0 of=mtd0
This will dump the SPI flash to the file mtd0.
Device tree entry for the SPI
This is what the SPI flash device tree entry looks like.
[email protected] {
		status = "okay";
		spi-max-frequency = <25000000>;
		[email protected] {
			compatible = "winbond,w25q32", "jedec,spi-nor";
			reg = <1>;
			spi-max-frequency = <20000000>;
		};
	};
The dump
The first 6128 bytes are the BCT, encrypted with your platform key. The loader for UEFI is located at 0x0100000. 
How we can tell
To check it yourself, 
1.​Dump your SPI flash​
2.​Get your BCT with nvflash​
3.​Get your platform key​
To encrypt the BCT you got form nvflash use the following script, and replace <platform key> with your platform key.
Example usage: ./encrypt.sh surfacert.bct surfacert-encrypted.bct
#!/bin/sh
​
cut_bct=`tempfile`
dec_bct=`tempfile`
​
dd if=$1 of=$cut_bct bs=16 skip=1
openssl aes-128-cbc -K <platform key> -iv 00000000000000000000000000000000 -nopad -nosalt -in $cut_bct -out $dec_bct
dd if=$1 of=$2 bs=16 count=1
dd if=$dec_bct of=$2 bs=16 seek=1
​
rm -f $cut_bct $dec_bct
To check if it is really the same, create a hexdump of your SPI flash dump and encrypted BCT. Your encrypted BCT should match the first 6128 bytes of the SPI flash dump.
Downloads
The files are encrypted and board specific.
You cant use them on your Surface RT
A dump from @Leander's Surface RT. Here is the platform key of the used Surface RT: 28a5d126adf421e6a39bfc8f7ff32308
Leanders blob
mtd0
4MB
Binary
SPI-flash-dump
surfacert-encrypted.bct
6KB
Binary
BCT-encrypted
surfacert.bin
6KB
Binary
BCT-from-nvflash
CTS blob
mtd0Original_CTS.bin
4MB
Binary
​

Surface RT - Previous

Firmware

Decrypt Firmware

Last modified 2yr ago