
Unlocking my Lenovo laptop, part 3 - edward
http://www.zmatt.net/unlocking-my-lenovo-laptop-part-3/
======
yason
It makes me sad to think that first a group of engineers spend time writing
this complex system of checksums, partially encrypted firmware images,
proprietary challenge-response handshake and communications with the battery
so that another hacker must spend days to allow himself to make a fix as
simple as replacing the battery in _his own laptop_. Is this because of fear?
Money? Greed? All three? _How much money_ does Lenovo make out of Lenovo
batteries to make all this extra complexity worth its salt in the first
place? Consider that maintaining all that complexity is a recurring cost: it's
not just writing the authentication scheme but making sure it works for each
future firmware release.

I haven't let go of the 80's and I still think if you buy a car, phone,
laptop, compact disc or a video disc, then it's _yours_ because you _paid for
it_ in your _own money_. From that standpoint it's simply inexcusable for
manufacturers to try to re-own parts of a device they've already sold to
someone.

~~~
nine_k
I think it's mostly about brand security.

If a battery works with the laptop, it's guaranteed to be a tested compatible
one. Quickly slapping up a counterfeit and selling it as a brand-name thing
won't work.

A battery is a critical device, prone to fires or blasts if made improperly.
One such incident would significantly tarnish the brand. Thus the
overreaction.

I wish there was an open spec for certified batteries, to allow for
third-party fixes and replacements, though.

~~~
reirob
By applying this logic a computer manufacturer should not allow any
non-certified OS to run on their machines.

Writing this on a ThinkPad running Linux. If this comes true I will stop
buying Lenovo products. Until today I continue buying ThinkPads because their
Linux support is among the best - and for the trackpoint and a good keyboard.
But I definitely do not like how they behave lately.

I am watching very closely for alternatives, every time I or any of people I
know need to buy a new computer.

As soon as the brand security becomes more important than the requirements
of their customers I will jump off the brand. A brand without customers is not
worth anything.

~~~
bbradley406
There was a thread[1] recently in which a Linux (specifically systemd) bug was
capable of bricking motherboards. ACPI bugs can cause overheating, failure to
enter sleep mode, etc. In a perfect world of open source firmware this
wouldn't be an issue, but until then the cover-your-ass behavior makes sense.

Does the cost of replacing a few bricked machines outweigh the reputation
cost? Probably not, but it's easy to understand the liability issues that
arise from non-certified OSes.

[1]
[https://news.ycombinator.com/item?id=11008449](https://news.ycombinator.com/item?id=11008449)

~~~
voltagex_
The way I see it the firmware has been implemented incorrectly - I don't think
there's anything in the spec but shouldn't clearing all values == a reset to
default, not a non-booting device?

------
userbinator
_The option of replacing the cells in a genuine battery may be worth
considering as an alternative to modifying the EC firmware, the advantage
being is that you can choose your own high quality Li-Ion cells versus
whatever you might happen to get in a replacement battery._

I suppose the whole "safety culture" around lithium cells in laptops has yet
to change, but high-quality 18650 cells have been available on the open market
for several years now, with all the accompanying products that use them
(torches, vapes, power banks, etc.). The general public handling bare Li-ion
cells has increased significantly, whereas the amount of incidents related to
cells catching fire etc. doesn't seem to have increased correspondingly. The
majority seem to be from lipo "pouch cells" which are definitely far more
fragile and less resistant to abuse. (They're also higher density = more
energy to cause excitement when things go wrong, this is the type that's been
causing the hoverboard fires.) 18650s are more robust and it's hard to cause a
fire unless they're seriously abused (e.g. severe overcharge or physical
damage.)

Given that you can buy empty power banks and add your own cells like this...

[http://www.aliexpress.com/item/1Pc-6-X-18650-Battery-Case-Us...](http://www.aliexpress.com/item/1Pc-6-X-18650-Battery-Case-Usb-Charger-20000mAh-Power-Bank-Battery-Case-Box-Shell-With/1928848788.html)

...it's odd that I haven't found similar battery cases for laptops. (Or maybe
they do exist and I'm just using the wrong keywords. If they do, please say
so; that seems like a great product to have.)

~~~
Anechoic
_The general public handling bare Li-ion cells has increased significantly,
whereas the amount of incidents related to cells catching fire etc. doesn't
seem to have increased correspondingly._

This may in part be due to certification and testing methodologies [0] for
battery packs. The issue is that not all cells/battery packs go through this
testing, so unless the batteries have been appropriately certified, there are
restrictions on the handling and transportation of these batteries (for
example non UN 38.3-rated cells are not allowed on planes [1]).

CE manufacturers test and certify the batteries in their products ([2], [3],
[4] for example) which is why Amazon can ship them by air and passengers can
carry them on planes. The issue is that 3rd party batteries may be uncertified
and possibly unsafe. Lenovo doesn't want to take responsibility for an
uncertified battery in one of their laptops downing an airliner [5] so they
disallow the use of batteries they haven't certified. I doubt this is a
nefarious scheme and more about potential liability.

(At my company we use lithium-ion battery packs for our field equipment and
had to become very familiar with these issues when IATA promulgated their
lithium/lithium-ion battery pack shipping rules a couple of years ago.)

[0]
[http://phmsa.dot.gov/pv_obj_cache/pv_obj_id_D4B2D17039E70621...](http://phmsa.dot.gov/pv_obj_cache/pv_obj_id_D4B2D17039E706213B36C1B309D41DCF8B4A0200/filename/UN_Test_Manual_Lithium_Battery_Requirements.pdf)

[1] [http://www.iata.org/whatwedo/cargo/dgr/Documents/lithium-bat...](http://www.iata.org/whatwedo/cargo/dgr/Documents/lithium-battery-guidance-document-2016-en.pdf)

[2]
[https://www.lenovo.com/lenovo/us/en/Lenovo_Battery_DoC_Lette...](https://www.lenovo.com/lenovo/us/en/Lenovo_Battery_DoC_Letter.pdf)

[3] [https://www.apple.com/legal/more-resources/docs/apple-produc...](https://www.apple.com/legal/more-resources/docs/apple-product-information-sheet.pdf)

[4]
[http://www.dell.com/downloads/global/corporate/environ/compl...](http://www.dell.com/downloads/global/corporate/environ/comply/dell_battery_declaration_january_2013.pdf)

[5] [http://news.yahoo.com/fires-involving-lithium-batteries-plan...](http://news.yahoo.com/fires-involving-lithium-batteries-planes-191455142--finance.html)

------
qb45
So... you need to reverse engineer some "security" thing to put 3rd party
battery in a laptop? The same Lenovo people are recommending everywhere?

~~~
pilif
Considering the damage a 3rd party battery can potentially cause, I can see
where Lenovo is coming from.

Of course there's also the aspect of securing margins on accessories, but
there's also the aspect of making sure people's machines don't go up in flames
or fail in ways that might trigger expensive repairs (which Lenovo will have
to pay for if the device is still in warranty).

~~~
rincebrain
Lenovo would only have to cover the repair if you had the incidental damage
coverage - last I checked, they're pretty sticky about not covering things
that aren't manufacturer defect unless you have it.

~~~
pilif
How would they prove that the damage was caused by a third-party battery if
there was no security feature to authenticate first-party ones?

People would buy third party batteries and put the original back before filing
a warranty claim.

~~~
qb45
Heat damage or busted overvoltage protection diode. Is there something else a
broken/wrong battery can do to a laptop?

~~~
TeMPOraL
It can literally burst into flames?

~~~
qb45
They sometimes do, but then it's obvious that the laptop has been damaged by
battery so the user would better show remnants of a genuine one before asking
for warranty replacement.

~~~
Klathmon
But warranty replacement is only one aspect, what happens when a social media
website gets a tweet from someone saying their lenovo exploded?

Something like that could significantly hurt the brand

~~~
qb45
Various battery powered devices, including laptops, have been in use for
decades.

How many times has somebody publicly blamed a 3rd party battery failure on the
device vendor?

Links or it doesn't happen.

~~~
frankchn
Not batteries, but Apple has had problems with third party chargers in the
past.

The initial reports often do not say whether a third party charger/accessory
is used and just says things like "Chinese flight attendant electrocuted after
picking up charging iPhone 5", which is not a good look for Apple.

* [http://www.pcmag.com/article2/0,2817,2484293,00.asp](http://www.pcmag.com/article2/0,2817,2484293,00.asp)

* [http://www.nydailynews.com/news/world/chinese-teen-dies-char...](http://www.nydailynews.com/news/world/chinese-teen-dies-charging-iphone-electrocutes-article-1.1886994)

------
davidovitch
Part 1 has been discussed on HN a week ago:
[https://news.ycombinator.com/item?id=11041210](https://news.ycombinator.com/item?id=11041210)

------
pedrocr
If you want a cheaper battery wouldn't it be simpler and safer to replace the
cells in an old Lenovo battery than to buy one of these dubious copies? That
way the charge electronics are all correct and you can also control that the
cells are good quality. There are even places that will do that for you if
you're worried about poor soldering or other issues with doing this kind of
swap.

~~~
xnzakg
He did mention that possibility in part 1. The reason he didn't do it is
because it's hard to open the original battery without damaging the case.

------
craig131
Nice article, that was a really enjoyable read. But one of the things that
stuck out to me was:

> The last four bytes of the EC firmware image clearly appeared to be a
> checksum, and there were some other locations that consistently varied as
> well. I guessed (correctly) that if I programmed an image with the wrong
> checksums the EC would fail to boot and I would have a brick on my hands, so
> trial and error was not a very good option.

I was under the impression that the checksum is validated before flashing?
Isn't that the primary purpose of checksums in ROM images?

~~~
fpgaminer
It's not possible to verify the checksum before flashing in this scheme. The
EC is the only device that can calculate the checksum (1), and its RAM is
probably smaller than its Flash. So there isn't enough RAM to receive the
entire update, checksum, and then flash. It needs to stream to flash. So the
checksum is either checked after flashing, after which it's too late to go
back, or it's checked by the EC during boot, which is again too late.

There are better ways of doing this, but based on the article it seems the EC
didn't implement them.

(1) We know this because the checksums are calculated on the decrypted image,
and only the EC has the keys to decrypt the image.
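
The two update designs fpgaminer contrasts, as an added example that is not from the article and is not Lenovo's EC code. It simulates an EC whose RAM holds only one 16-byte chunk at a time: a naive design that streams the update straight over the only copy of the firmware and can only discover a bad checksum at boot, and a staged A/B design that streams into the inactive bank, folds each chunk into a running checksum as it lands, and commits with a single boot-select write only after the whole image verifies. The bank layout, chunk size, additive 32-bit checksum and boot-select byte are all assumptions; the real EC's checksum algorithm is not described on this page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the article or from any vendor's EC.  The
 * flash layout, the 16-byte streaming buffer, the additive 32-bit checksum
 * and the two-bank boot-select scheme are all assumptions. */

#define BANK_SIZE 256   /* bytes per firmware bank (assumed) */
#define CHUNK      16   /* the EC's RAM holds one chunk at a time (assumed) */
static uint8_t flash_single[BANK_SIZE];   /* naive design: the only copy */
static uint8_t flash_bank[2][BANK_SIZE];  /* staged design: A/B banks */
static uint8_t boot_select;               /* bank the boot ROM will run */

/* Running additive checksum; acc carries state from chunk to chunk. */
static uint32_t sum_bytes(const uint8_t *p, size_t n, uint32_t acc)
{
    for (size_t i = 0; i < n; i++) acc += p[i];
    return acc;
}

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* The last 4 bytes of a bank hold the checksum of everything before them. */
static int bank_valid(const uint8_t *b)
{
    return sum_bytes(b, BANK_SIZE - 4, 0) == read_le32(b + BANK_SIZE - 4);
}

/* Build a test image with a correct trailing checksum (constructed input). */
void make_image(uint8_t *img, uint8_t fill)
{
    memset(img, fill, BANK_SIZE - 4);
    uint32_t cs = sum_bytes(img, BANK_SIZE - 4, 0);
    for (int i = 0; i < 4; i++) img[BANK_SIZE - 4 + i] = (uint8_t)(cs >> (8 * i));
}

/* Known-good firmware in the active bank, as shipped from the factory. */
void reset_flash(void)
{
    make_image(flash_single, 0x11);
    make_image(flash_bank[0], 0x11);
    memset(flash_bank[1], 0xff, BANK_SIZE);   /* erased, never valid */
    boot_select = 0;
}

/* Naive update: stream chunks straight over the only copy of the firmware.
 * Nothing checks the image until boot, when the old firmware is already
 * gone, so a wrong checksum leaves a brick. */
void naive_update(const uint8_t *img)
{
    for (size_t off = 0; off < BANK_SIZE; off += CHUNK)
        memcpy(flash_single + off, img + off, CHUNK);
}
int naive_boot(void) { return bank_valid(flash_single); }

/* Staged update: stream into the inactive bank, folding each chunk into the
 * running checksum as it lands, and flip boot_select only once the whole
 * image has arrived and verified.  Returns 0 on commit, -1 on rejection;
 * the active bank is untouched either way, so the EC still boots. */
int staged_update(const uint8_t *img)
{
    uint8_t *dst = flash_bank[boot_select ^ 1];
    uint32_t acc = 0;
    for (size_t off = 0; off < BANK_SIZE; off += CHUNK) {
        memcpy(dst + off, img + off, CHUNK);      /* only CHUNK bytes in RAM */
        size_t end = off + CHUNK < BANK_SIZE - 4 ? off + CHUNK : BANK_SIZE - 4;
        if (off < end)                            /* skip the checksum bytes */
            acc = sum_bytes(dst + off, end - off, acc);
    }
    if (acc != read_le32(dst + BANK_SIZE - 4))
        return -1;                                /* reject; old bank stays */
    boot_select ^= 1;                             /* single-byte commit */
    return 0;
}
int staged_boot(void) { return bank_valid(flash_bank[boot_select]); }

/* Run both designs against a corrupted and then a good image.  Returns how
 * many outcomes differ from the behaviour described in the comments above. */
int demo(void)
{
    uint8_t good[BANK_SIZE], bad[BANK_SIZE];
    int failures = 0;
    make_image(good, 0xA5);
    make_image(bad, 0x5A);
    bad[7] ^= 0xff;                      /* one flipped byte: checksum wrong */
    reset_flash();
    naive_update(bad);
    failures += (naive_boot() != 0);     /* expected: bricked */
    reset_flash();
    failures += (staged_update(bad) != -1 || staged_boot() != 1);
    failures += (staged_update(good) != 0 || staged_boot() != 1 || boot_select != 1);
    return failures;
}
int main(void) { printf("outcomes differing from expectation: %d\n", demo()); return 0; }
```

Built with any C99 compiler, the program reports 0 differing outcomes: the naive path bricks on the corrupted image, the staged path rejects it and still boots the old bank, then accepts the good image. Verifying in a staging area and committing with one small write is the shape of the "better ways" the comment alludes to; what it costs is a second bank's worth of flash, which a small EC may not have.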

------
jhallenworld
Well this is very interesting - I had no idea there was a BMC-like embedded
controller for laptops. There is a standard way to update the BMC firmware:
"ipmitool hpm upgrade". Also sometimes the server will have a JTAG header or
even a socket for the flash chip.

------
deadgrey19
See also:
[https://news.ycombinator.com/item?id=11086158](https://news.ycombinator.com/item?id=11086158)

