Information of the SPI flash
Dump the SPI flash by using the linux command line tool
dd if=/dev/mtd0 of=mtd0This will dump the SPI flash to the file mtd0.
This is what the SPI flash device tree entry looks like.
status = "okay";
spi-max-frequency = <25000000>;
compatible = "winbond,w25q32", "jedec,spi-nor";
reg = <1>;
spi-max-frequency = <20000000>;
The first 6128 bytes are the BCT, encrypted with your platform key. The loader for UEFI is located at 0x0100000.
To check it yourself,
To encrypt the BCT you got form nvflash use the following script, and replace <platform key> with your platform key. Example usage:
./encrypt.sh surfacert.bct surfacert-encrypted.bct
dd if=$1 of=$cut_bct bs=16 skip=1
openssl aes-128-cbc -K <platform key> -iv 00000000000000000000000000000000 -nopad -nosalt -in $cut_bct -out $dec_bct
dd if=$1 of=$2 bs=16 count=1
dd if=$dec_bct of=$2 bs=16 seek=1
rm -f $cut_bct $dec_bct
To check if it is really the same, create a hexdump of your SPI flash dump and encrypted BCT. Your encrypted BCT should match the first 6128 bytes of the SPI flash dump.
The files are encrypted and board specific. You cant use them on your Surface RT
A dump from @Leander's Surface RT. Here is the platform key of the used Surface RT: