This repository contains tools that allow getting software control of the webcam LED on ThinkPad X230 without physical access to the laptop.
These were created as a practical demonstration that malicious software can record video through the webcam without the LED indication.
This works via reflashing the webcam firmware over USB (the X230 webcam is connected over USB internally) to add a capability of arbitrarily controlling the LED.
This approach likely affects many other laptops, as connecting the webcam over USB and allowing its firmware to be reflashed is a common design pattern across laptop manufacturers.
See the “Lights Out: Covertly turning off the ThinkPad webcam LED indicator” talk (pdf) I gave at POC 2024 for the details: discovering a way to reflash the X230 webcam firmware, reverse engineering the firmware, adding an implant for LED control, and notes about the applicability of the approach to other laptops.
Note: Reflashing the webcam firmware might brick the webcam, use these tools with caution.
The webcam used on ThinkPad X230 (and a few other laptops from the same era) is based on the Ricoh R5U8710 USB camera controller.
This controller stores a part of its firmware, the SROM part, on the SPI flash chip located on the webcam board.
The controller also allows reflashing the contents of the SPI chip over USB.
The LED on the X230 webcam board is connected to the GPIO B1 pin of the R5U8710 controller.
The GPIO B port is mapped to address 0x80 in the XDATA memory space of the 8051-based CPU inside R5U8710.
Thus, changing the value at that address changes the state of the LED.
This works regardless of whether the webcam is streaming video at the moment or not.
The tools provided in this repository allow flashing custom firmware with a USB-controlled so-called “universal implant” onto the SPI chip on the webcam board.
This implant allows writing controlled data to arbitrary addresses (within the XDATA memory space) and calling arbitrary addresses (within the CODE memory space; aliased with XDATA starting from offset 0xb000).
The universal implant can be used for:
- Dynamically uploading a second-stage implant within the camera controller memory and executing it (originally used for reverse engineering purposes);
- Directly controlling the webcam LED.

See the talk slides for more details.
- srom.py — reads and writes the SROM part of the firmware of a Ricoh R5U8710–based webcam over USB. Note: The webcam only loads the SROM firmware during its boot. Thus, you will need to power cycle the laptop (full shutdown, not just reboot) for the updated firmware to get loaded;
- patch_srom.py — patches the SROM image from the FRU 63Y0248 webcam (not from the original X230 webcam) to add the universal implant. Note: This tool requires modification to work with the original X230 webcam SROM image. However, the FRU 63Y0248 SROM image (optionally, with the implant added) can be flashed onto the original X230 webcam as well;
- get.py — fetches the contents of the IRAM, XDATA, or CODE memory space over USB via a second-stage implant that gets dynamically uploaded via the universal implant;
- led.py — turns the webcam LED on or off by overwriting the value at address 0x80 in XDATA via the universal implant.

- srom/x230.bin — SROM contents of the original X230 webcam module (FRU unknown; 19N1L1NVRA0H labeling on the board);
- srom/63Y0248.bin — SROM contents of the FRU 63Y0248 webcam module;
- code/63Y0248.bin — Contents of the CODE memory space leaked from the FRU 63Y0248 webcam module. Note: Boot ROM is below the offset 0xb000, and it is identical to the Boot ROM on the original X230 webcam module.
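
Because the SROM on the SPI flash can be rewritten over USB, a defender can compare an SROM image read back from a camera against a known-good reference to see whether, and at which offsets, it was modified. The following is an added example, not code from this repository; the function names and the sample bytes are constructed for illustration, and real inputs would be the bytes of two SROM image files.

```python
import hashlib


def diff_ranges(reference: bytes, dumped: bytes):
    """Return half-open (start, end) offset ranges where the two images differ."""
    ranges, start = [], None
    common = min(len(reference), len(dumped))
    for off in range(common):
        if reference[off] != dumped[off]:
            if start is None:
                start = off          # a run of differing bytes begins here
        elif start is not None:
            ranges.append((start, off))
            start = None
    if start is not None:
        ranges.append((start, common))
    if len(reference) != len(dumped):
        # A size mismatch is itself a modification: report the extra tail.
        ranges.append((common, max(len(reference), len(dumped))))
    return ranges


def check_srom(reference: bytes, dumped: bytes) -> dict:
    """Summarize how a dumped SROM image deviates from a trusted reference."""
    ranges = diff_ranges(reference, dumped)
    return {
        "reference_sha256": hashlib.sha256(reference).hexdigest(),
        "dumped_sha256": hashlib.sha256(dumped).hexdigest(),
        "modified": bool(ranges),
        "ranges": ranges,
        "changed_bytes": sum(end - start for start, end in ranges),
    }


if __name__ == "__main__":
    # Constructed sample data standing in for two SROM images.
    reference = bytes(range(256)) * 4
    dumped = bytearray(reference)
    dumped[0x120:0x128] = b"\xff" * 8   # simulated patched region
    dumped[0x3F0] ^= 0x01               # simulated single-byte change
    report = check_srom(reference, bytes(dumped))
    print("modified:", report["modified"])
    for start, end in report["ranges"]:
        print(f"  0x{start:04x}-0x{end - 1:04x} ({end - start} bytes)")
```

A clean result only means the SROM matches the reference at the time of the read; since the camera loads SROM at boot, the comparison is most meaningful on an image read after a full power cycle.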