Extract Firmware

Information of the SPI flash

Dumping the SPI flash from Linux

Dump the SPI flash by using the linux command line tool dd. Command: dd if=/dev/mtd0 of=mtd0 This will dump the SPI flash to the file mtd0.

Device tree entry for the SPI

This is what the SPI flash device tree entry looks like.

spi@7000da00 {
		status = "okay";
		spi-max-frequency = <25000000>;
		spi-flash@1 {
			compatible = "winbond,w25q32", "jedec,spi-nor";
			reg = <1>;
			spi-max-frequency = <20000000>;
		};
	};

The dump

The first 6128 bytes are the BCT, encrypted with your platform key. The loader for UEFI is located at 0x0100000.

How we can tell

To check it yourself,

To encrypt the BCT you got form nvflash use the following script, and replace <platform key> with your platform key. Example usage: ./encrypt.sh surfacert.bct surfacert-encrypted.bct

#!/bin/sh

cut_bct=`tempfile`
dec_bct=`tempfile`

dd if=$1 of=$cut_bct bs=16 skip=1
openssl aes-128-cbc -K <platform key> -iv 00000000000000000000000000000000 -nopad -nosalt -in $cut_bct -out $dec_bct
dd if=$1 of=$2 bs=16 count=1
dd if=$dec_bct of=$2 bs=16 seek=1

rm -f $cut_bct $dec_bct

To check if it is really the same, create a hexdump of your SPI flash dump and encrypted BCT. Your encrypted BCT should match the first 6128 bytes of the SPI flash dump.

Downloads

The files are encrypted and board specific. You cant use them on your Surface RT

A dump from @Leander's Surface RT. Here is the platform key of the used Surface RT: 28a5d126adf421e6a39bfc8f7ff32308

Leanders blob

CTS blob

Last updated