Dump the SPI flash by using the linux command line tool
dd if=/dev/mtd0 of=mtd0
This will dump the SPI flash to the file mtd0.
This is what the SPI flash device tree entry looks like.
status = "okay";spi-max-frequency = <25000000>;compatible = "winbond,w25q32", "jedec,spi-nor";reg = <1>;spi-max-frequency = <20000000>;};};
The first 6128 bytes are the BCT, encrypted with your platform key. The loader for UEFI is located at 0x0100000.
To check it yourself,
To encrypt the BCT you got form nvflash use the following script, and replace <platform key> with your platform key.
./encrypt.sh surfacert.bct surfacert-encrypted.bct
#!/bin/shcut_bct=`tempfile`dec_bct=`tempfile`dd if=$1 of=$cut_bct bs=16 skip=1openssl aes-128-cbc -K <platform key> -iv 00000000000000000000000000000000 -nopad -nosalt -in $cut_bct -out $dec_bctdd if=$1 of=$2 bs=16 count=1dd if=$dec_bct of=$2 bs=16 seek=1rm -f $cut_bct $dec_bct
To check if it is really the same, create a hexdump of your SPI flash dump and encrypted BCT. Your encrypted BCT should match the first 6128 bytes of the SPI flash dump.
A dump from @Leander's Surface RT. Here is the platform key of the used Surface RT: