Investigate if it's possible to have coreboot BIOS on Topton N5105 to remove all thoughts of suspicious software N5105 Soft Router 4x 2.5G i226 LAN
Investigate if it's possible to have coreboot on this Topton N5105 firewall as the latest coreboot release 25.06 mentions Topton, CWWK CW-ADL-4L-V1.0 and CW-ADLNTB-1C2L-V3.0
- Add pictures of the motherboard
- Search on the internet if someone has done anything for this already
- Does there exist any BIOS update for this firewall
- What flash chipsets are used? Can I read them with the equipment I have?
- Investigate probability for malware #1
From the top picture one gets the serial number 1338NP-12, and that shows it's actually BKHD that is the manufacturer.
It looks like they have a BIOS, but they have only made one version of it, and it's the same I have installed AMI BIOS 2.22.1282.
Read with flashrom with OPNsense 25.1
Tried using flashrom, which is used for Protectli, but this seems to complain:
# Install flashrom on opnsense
pkg install -y flashrom
flashrom -p internal:boardmismatch=force -r oldbios.bin
flashrom v1.3.0 on FreeBSD 14.2-RELEASE-p3 (amd64)
flashrom is free software, get the source code at https://flashrom.org
Using clock_gettime for delay loops (clk_id: 4, resolution: 1ns).
No DMI table found.
Found chipset "Intel Jasper Lake".
Enabling flash write... pcilib: This access method is not supported.
Read with flashrom with Kali Live Boot 2025.2
sudo flashrom -p internal -r oldbios.bin
flashrom 1.4.0 on Linux 6.12.25-amd64 (x86_64)
flashrom is free software, get the source code at https://flashrom.org
No DMI table found.
Found chipset "Intel Jasper Lake".
Enabling flash write... SPI Configuration is locked down.
FREG0: Flash Descriptor region (0x00000000-0x00000fff) is read-write.
FREG1: BIOS region (0x00800000-0x00ffffff) is read-write.
FREG2: Management Engine region (0x00001000-0x007fffff) is read-write.
Enabling hardware sequencing because some important opcode is locked.
OK.
Found Winbond flash chip "W25Q128.V" (16384 kB, Programmer-specific) on internal.
Reading flash... done.
Looking inside the BIOS one sees they have made an Fpt.efi binary and the actual 16Mb BIOS is inside 1.bin, and 1.nsh is a script using both files.
The 25Q128JVSO is very close to the EN24A201S and capacitor, so getting an SOTC 8 test clip is very tricky, maybe some soldering or very samll testclips?
flashrom -p ft2232_spi:type=232H -c W25Q128.V -r oldbios.bin
- 1.bin and oldbios.bin have the same size 16M
- 1.bin and oldbios.bin differ in checksum (md5sum *.bin)
- Probability of malware in the AMI BIOS #1
Use inteltool to get inteltool.log data to generate gpio.h
sudo inteltool -G > inteltool.log
# This generates gpio.h in output directory
intelp2m -platform jsl -file inteltool.log
Probably Protectli V1*10
| Description | IC |
|---|---|
| flash 128MBIT | 1 x Winbond 25Q128JVSO |
| flash 8MBIT | 4 x Winbond 25Q80DVSIG |
| isolation transformers | 4 x EN24A201S |
| Ethernet I226-V | 4 x S2453L30 |
| Super I/O | 1 x IT8613E |
| Regulator | 1 x GS7166 |