https://github.com/xairy/lights-out Skip to content Navigation Menu Toggle navigation Sign in * Product + GitHub Copilot Write better code with AI + Security Find and fix vulnerabilities + Actions Automate any workflow + Codespaces Instant dev environments + Issues Plan and track work + Code Review Manage code changes + Discussions Collaborate outside of code + Code Search Find more, search less Explore + All features + Documentation + GitHub Skills + Blog * Solutions By company size + Enterprises + Small and medium teams + Startups By use case + DevSecOps + DevOps + CI/CD + View all use cases By industry + Healthcare + Financial services + Manufacturing + Government + View all industries View all solutions * Resources Topics + AI + DevOps + Security + Software Development + View all Explore + Learning Pathways + White papers, Ebooks, Webinars + Customer Stories + Partners * Open Source + GitHub Sponsors Fund open source developers + The ReadME Project GitHub community articles Repositories + Topics + Trending + Collections * Enterprise + Enterprise platform AI-powered developer platform Available add-ons + Advanced Security Enterprise-grade security features + GitHub Copilot Enterprise-grade AI features + Premium Support Enterprise-grade 24/7 support * Pricing Search or jump to... Search code, repositories, users, issues, pull requests... Search [ ] Clear Search syntax tips Provide feedback We read every piece of feedback, and take your input very seriously. [ ] [ ] Include my email address so I can be contacted Cancel Submit feedback Saved searches Use saved searches to filter your results more quickly Name [ ] Query [ ] To see all available qualifiers, see our documentation. Cancel Create saved search Sign in Sign up Reseting focus You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session. You switched accounts on another tab or window. Reload to refresh your session. Dismiss alert {{ message }} xairy / lights-out Public * Notifications You must be signed in to change notification settings * Fork 20 * Star 257 Tools for controlling webcam LED on ThinkPad X230 257 stars 20 forks Branches Tags Activity Star Notifications You must be signed in to change notification settings * Code * Issues 0 * Pull requests 0 * Actions * Projects 0 * Security * Insights Additional navigation options * Code * Issues * Pull requests * Actions * Projects * Security * Insights xairy/lights-out main BranchesTags [ ] Go to file Code Folders and files Name Name Last commit message Last commit date Latest commit History 4 Commits code code srom srom README.md README.md fetch.py fetch.py led.py led.py patch_srom.py patch_srom.py srom.py srom.py View all files Repository files navigation * README Lights Out This repository contains tools that allow getting software control of the webcam LED on ThinkPad X230 without physical access to the laptop . These were created as a practical demonstration that malware can record video through the webcam without the LED indication. This works via reflashing the webcam firmware over USB (the X230 webcam is connected over USB internally) to add a capability of arbitrarily controlling the LED. This approach likely affects many other laptops, as connecting the webcam over USB and allowing to reflash its firmware is a common design pattern across laptop manufacturers. See the "Lights Out: Covertly turning off the ThinkPad webcam LED indicator" talk (pdf) I gave at POC 2024 for the details: discovering a way to reflash the X230 webcam firmware, reverse engineering the firmware, adding an implant for LED control, and notes about the applicability of the approach to other laptops. Note: Reflashing the webcam firmware might brick the webcam, use these tools with caution. Overview The webcam used on ThinkPad X230 (and a few other laptops from the same era) is based on the Ricoh R5U8710 USB camera controller. This controller stores a part of its firmware, the SROM part, on the SPI flash chip located on the webcam board. The controller also allows reflashing the contents of the SPI chip over USB. The LED on the X230 webcam board is connected to the GPIO B1 pin of the R5U8710 controller. The GPIO B port is mapped to address 0x80 in the XDATA memory space of the 8051-based CPU inside R5U8710. Thus, changing the value at that address changes the state of the LED. This works regardless of whether the webcam is streaming video at the moment or not. The tools provided in this repository allow flashing custom firmware with a USB-controlled so-called "universal implant" onto the SPI chip on the webcam board. This implant allows writing controlled data to arbitrary addesses (within the XDATA memory space) and calling arbitrary addresses (within the CODE memory space; aliased with XDATA starting from offset 0xb000). The universal implant can be used for: * Dynamically uploading a second-stage implant within the camera contoller memory and executing it (originally used for reverse engineering purposes); * Directly controlling the webcam LED. See the talk slides for more details. Tools * srom.py -- reads and writes the SROM part of the firmware of a Ricoh R5U8710-based webcam over USB. Note: The webcam only loads the SROM firmware during its boot. Thus, you will need to power cycle the laptop (full shutdown, not just reboot) for the updated firmware to get loaded; * patch_srom.py -- patches the SROM image from the FRU 63Y0248 webcam (not from the original X230 webcam) to add the universal implant. Note: This tool requires modification to work with the original X230 webcam SROM image. However, the FRU 63Y0248 SROM image (optionally, with the implant added) can be flashed onto the original X230 webcam as well; * fetch.py -- fetches the contents of the IRAM, XDATA, or CODE memory space over USB via a second-stage implant that gets dynamically uploaded via the universal implant; * led.py -- turns the webcam LED on or off by overwriting the value at address 0x80 in XDATA via the universal implant. Memory dumps * srom/x230.bin -- SROM contents of the original X230 webcam module (FRU unknown; 19N1L1NVRA0H marking on the board); * srom/63Y0248.bin -- SROM contents of the FRU 63Y0248 webcam module; * code/63Y0248.bin -- Contents of the CODE memory space leaked from the FRU 63Y0248 webcam module. Note: Boot ROM is below the offset 0xb000, and it is identical to the Boot ROM on the original X230 webcam module. About Tools for controlling webcam LED on ThinkPad X230 Resources Readme Activity Stars 257 stars Watchers 2 watching Forks 20 forks Report repository Releases No releases published Packages 0 No packages published Languages * Python 100.0% Footer (c) 2024 GitHub, Inc. Footer navigation * Terms * Privacy * Security * Status * Docs * Contact * Manage cookies * Do not share my personal information You can't perform that action at this time.