Extract Firmware
Information about the SPI flash
Dump the SPI flash using the Linux command line tool dd.
Command: dd if=/dev/mtd0 of=mtd0
This will dump the SPI flash to the file mtd0. This is what the SPI flash device tree entry looks like:
```dts
spi@7000da00 {
    status = "okay";
    spi-max-frequency = <25000000>;
    spi-flash@1 {
        compatible = "winbond,w25q32", "jedec,spi-nor";
        reg = <1>;
        spi-max-frequency = <20000000>;
    };
};
```
The first 6128 bytes are the BCT, encrypted with your platform key. The loader for UEFI is located at 0x0100000.
To check it yourself, encrypt the BCT you got from nvflash using the following script, replacing <platform key> with your platform key.
Example usage:
```sh
./encrypt.sh surfacert.bct surfacert-encrypted.bct
```
```sh
#!/bin/sh
# encrypt.sh: encrypt a BCT obtained from nvflash with the platform key.
# Usage: ./encrypt.sh <plain.bct> <encrypted.bct>
set -e
cut_bct=$(mktemp)   # BCT without its first 16-byte block
enc_bct=$(mktemp)   # encrypted remainder
# The first 16-byte block stays in the clear; everything after it is encrypted
dd if="$1" of="$cut_bct" bs=16 skip=1
openssl aes-128-cbc -K <platform key> -iv 00000000000000000000000000000000 -nopad -nosalt -in "$cut_bct" -out "$enc_bct"
# Output file: clear block 0 followed by the encrypted remainder
dd if="$1" of="$2" bs=16 count=1
dd if="$enc_bct" of="$2" bs=16 seek=1 conv=notrunc
rm -f "$cut_bct" "$enc_bct"
```
To check that it really is the same, create a hexdump of your SPI flash dump and of the encrypted BCT. Your encrypted BCT should match the first 6128 bytes of the SPI flash dump.
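The shell functions below are an added example, not code from the original page or its encrypt.sh. They generalize the page's script into an encrypt/decrypt pair and add the two checks the text describes: that the dump covers the whole w25q32 (a 32 Mbit part, so 4 MiB; that size is my inference from the part number, not stated on the page) and that the encrypted BCT is byte-identical to the first 6128 bytes of the dump. The function names and the use of `openssl enc -e`/`-d` are my choices; the key passed in is your own platform key.

```shell
#!/bin/sh
# Added example, not part of the original page or its encrypt.sh.
# Assumptions: openssl, cmp, head, tail and mktemp are installed; the BCT is
# 6128 bytes with its first 16-byte block stored in the clear (as the page
# states); the w25q32 is a 32 Mbit part, so a full SPI dump is 4 MiB.
BCT_SIZE=6128
BLOCK_SIZE=16
FLASH_SIZE=4194304
ZERO_IV=00000000000000000000000000000000

# aes_bct <-e|-d> <in> <out> <platform key as 32 hex chars>
# Leaves block 0 untouched and runs AES-128-CBC (zero IV, no padding) over
# the rest, encrypting or decrypting depending on the first argument.
aes_bct() {
    mode=$1; in=$2; out=$3; key=$4
    [ -n "$key" ] || { echo "missing platform key" >&2; return 1; }
    tmp=$(mktemp) || return 1
    # bytes 17.. are the encrypted region (tail -c +N is 1-based)
    if ! tail -c +$((BLOCK_SIZE + 1)) "$in" \
        | openssl enc "$mode" -aes-128-cbc -K "$key" -iv "$ZERO_IV" \
                  -nopad -nosalt -out "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    # output = clear block 0 followed by the transformed remainder
    { head -c "$BLOCK_SIZE" "$in"; cat "$tmp"; } > "$out"
    rm -f "$tmp"
}
encrypt_bct() { aes_bct -e "$1" "$2" "$3"; }
decrypt_bct() { aes_bct -d "$1" "$2" "$3"; }

# check_dump_size <spi-dump>: a dump of the whole w25q32 must be exactly 4 MiB;
# anything shorter means dd stopped early or read the wrong mtd device.
check_dump_size() {
    size=$(wc -c < "$1" | tr -d ' ')
    if [ "$size" -eq "$FLASH_SIZE" ]; then
        echo "OK: $1 is $size bytes"; return 0
    fi
    echo "WARN: $1 is $size bytes, expected $FLASH_SIZE" >&2; return 1
}

# check_bct_in_dump <spi-dump> <encrypted.bct>
# Succeeds only when the first BCT_SIZE bytes of both files are identical;
# on a mismatch cmp reports the offset of the first differing byte.
check_bct_in_dump() {
    if cmp -n "$BCT_SIZE" "$1" "$2"; then
        echo "OK: first $BCT_SIZE bytes of $1 match $2"; return 0
    fi
    echo "MISMATCH: $2 is not the BCT stored in $1" >&2; return 1
}

# Typical use on a real board (file names as on the page):
#   encrypt_bct surfacert.bct surfacert-encrypted.bct <platform key>
#   check_dump_size mtd0 && check_bct_in_dump mtd0 surfacert-encrypted.bct
# Going the other way, carve the BCT out of the dump and decrypt it; the
# result should be byte-identical to the BCT nvflash gave you:
#   head -c 6128 mtd0 > bct-from-flash.bct
#   decrypt_bct bct-from-flash.bct recovered.bct <platform key>
#   cmp recovered.bct surfacert.bct
```

The decrypt direction is the more useful check when you only have a dump and no nvflash output yet: if the first 16-byte block plus the decrypted remainder looks like a sane BCT, the key you used is the right one for that board.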
The files below are encrypted and board specific: you can't use them on your own Surface RT. They are a dump from @Leander's Surface RT; the platform key of that device is:
28a5d126adf421e6a39bfc8f7ff32308
| File | Size | Type | Description |
|---|---|---|---|
| mtd0 | 4MB | Binary | SPI-flash-dump |
| surfacert-encrypted.bct | 6KB | Binary | BCT-encrypted |
| surfacert.bin | 6KB | Binary | BCT-from-nvflash |
| mtd0Original_CTS.bin | 4MB | Binary | |