About the Dell security solution

Dell's RFID icon at the Latitude E7240 palm rest

The Dell Latitude machines I use, an E7240 and an E6530, show an icon on the palm rest indicating that a contactless reader (NFC/RFID) is present. In the OS, however, there's no sign of it. PCSC does recognize the 'Contacted' reader, but not the 'Contactless' one.

    # pcsc_scan
    [...]
    Scanning present readers...
    0: Broadcom Corp 5880 [Contacted SmartCard] (0123456789ABCD) 00 00

In this article I will show the steps on how to include...

    1: Broadcom Corp 5880 [Contactless SmartCard] (0123456789ABCD) 01 00

It appears that Dell cooperated with Broadcom and created a security solution known as ControlVault for the Broadcom Unified Security Hub (USH). It may offer some nice pre-boot authentication features, but I can't seem to enable them in the BIOS setup anyway. There is also little online about how to actually use it. Since I can't find any official Broadcom documentation and everything points to Dell, I think this is an OEM solution offered only by Dell.

Some success on older Latitudes

Some initial googling brought me to the blog of bibuweb. It shows how to disable the "CV-only" mode to enable CCID support. Nice! But... would downloading a very old (2008) random binary from a Dell website still work on my 2014 E7240 machine? No, it didn't. Damn. At least it gave me some hope to research this further.

ControlVault support package DOS tools

Luckily, in one of the Windows-only Dell ControlVault 'firmware upgrade' support packages provided on the support page of the Latitude model, I spotted an interesting document watermarked 'confidential' about the use of the USH diagnostics tool, as well as a much newer ushdiag.exe tool itself!

Some first preparation steps:

  1. Download the ControlVault upgrade package, e.g. ControlVault_Setup_09J7J_A33_ZPE.exe.
  2. Rename the file so that it has the .zip extension.
  3. Unzip it.
  4. Notice a DOS folder there.
    DOS
    ├── DOS4GW.EXE
    ├── dosushdiag.pdf  <-- "Broadcom USH Keyboard Architecture Document"
    ├── errlvl.exe
    ├── release.txt
    ├── sleep.exe
    ├── ushdiag.exe     <-- there!
    └── ushfwumg.bat
    

Broadcom USH diagnostics tool

This PDF by Broadcom explains the usage of the ushdiag.exe tool. The most important part is the description of the options to provide.

5.22 Device Enable (-de <devMask>)
This command will enable the specified devices.

<devMask>:

0: Smart Card:
1: Fingerprint:
2: RFID radio
3: CV Only Radio


5.23 Device Disable (-dd <devMask>)
This command will disable the specified devices.

<devMask>:

0: Smart Card:
1: Fingerprint:
2: RFID radio
3: CV Only Radio

Running it off a DOS USB flash drive

Let's continue on getting this DOS executable going.

  1. Create a DOS bootable USB flash drive. The easiest method I know is the SystemRescueCd for USB flash drives.
  2. Copy the whole DOS folder onto the drive.
  3. Boot your Latitude from the SystemRescueCd drive, in legacy (non-UEFI) mode. For my E7240 this means enabling Legacy Option ROMs and using F12 during POST to get the one-time boot menu to boot off the USB flash drive.
  4. In the boot choice option menu of SystemRescueCd, choose the floppy disk images, option FreeDOS.
  5. During boot of FreeDOS it will ask about which memory manager; I chose none.
  6. Go to the 'C' drive, so type: C: and press
  7. Go to the DOS folder: cd DOS.
  8. Check the current status of the USH device:

    FreeDOS C:\DOS>ushdiag.exe -u -stat
    [...]
    Smart Card: Present; Enabled
    Fingerprint: Present; Enabled
    RFID Radio: Present; Enabled
    RFID Lock: Disabled
    CV Only Radio: Enabled
    RFID AutoDetect Set
    RFID Present Not Forced
    WBDI: Enabled
    RFID Block Mode: Unknown (CV Only Radio Mode Enabled)
    

    As you can see the CV-only mode is enabled.

  9. Now disable the CV-only device to actually enable regular CCID RFID access by providing the hexadecimal mask 8. This value comes from the document found earlier: "CV Only Radio" is bit 3 of <devMask>, and 1 << 3 = 8, so we send the disable command for that bit.

    FreeDOS C:\DOS>ushdiag.exe -u -dd 8
    [...]
    Disabled CV Only Radio Mode. waiting for USH to reset
    [...]
    RFID Lock: Disabled
    CV Only Radio: Disabled
    [...]
    
  10. Reboot your system and enjoy your RFID/NFC device!
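The devMask arithmetic from the Broadcom document and the two status outputs quoted above (ushdiag.exe -u -stat and pcsc_scan) are simple enough to check by hand, but a small helper makes the "what do I need to send, and did it work?" question repeatable. The following is an added example written for this post; it is not code from the post, from Dell or from Broadcom. It assumes only what the post shows: the four devMask bit positions, the "Name: Present; Enabled" line format of the -stat output, and the "N: reader [interface]" line format of pcsc_scan. The sample texts inside are constructed from those quoted snippets.

```python
"""Helpers for the ControlVault (USH) CV-only check described in the post.

Added example, not part of the original post or of any Dell/Broadcom tool.
Assumptions: bit positions from sections 5.22/5.23 of the USH document,
and the output formats of `ushdiag.exe -u -stat` and `pcsc_scan` as quoted.
"""
import re

# Bit positions of <devMask> (quoted from the USH document above).
DEVMASK_BITS = {
    "Smart Card": 0,
    "Fingerprint": 1,
    "RFID Radio": 2,
    "CV Only Radio": 3,
}


def build_devmask(*devices):
    """Return the hex <devMask> string for the named devices.

    build_devmask("CV Only Radio") gives "8", the value used in
    `ushdiag.exe -u -dd 8`; any combination of bits is supported.
    """
    mask = 0
    for name in devices:
        if name not in DEVMASK_BITS:
            raise ValueError(f"unknown USH device: {name!r}")
        mask |= 1 << DEVMASK_BITS[name]
    return format(mask, "x")


def parse_ush_status(text):
    """Parse `ushdiag.exe -u -stat` output into {name: {"present", "enabled"}}.

    Lines without a colon (e.g. "RFID AutoDetect Set") and the DOS prompt
    line are skipped; a value like "Present; Enabled" is split on ';'.
    """
    status = {}
    for line in text.splitlines():
        if ">" in line:  # skip the "FreeDOS C:\DOS>..." prompt line
            continue
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$", line)
        if not m:
            continue
        fields = [f.strip() for f in m.group(2).split(";")]
        status[m.group(1)] = {
            "present": "Present" in fields,
            "enabled": "Enabled" in fields,
        }
    return status


def cv_only_mode_enabled(stat_text):
    """True when the USH reports the CV Only Radio as enabled."""
    return parse_ush_status(stat_text).get("CV Only Radio", {}).get("enabled", False)


def suggest_ushdiag_command(stat_text):
    """Return the disable command to run, or None if CV-only is already off."""
    if cv_only_mode_enabled(stat_text):
        return "ushdiag.exe -u -dd " + build_devmask("CV Only Radio")
    return None


def parse_pcsc_readers(text):
    """Return {index: (reader name, interface)} from a pcsc_scan reader list."""
    readers = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+):\s+(.+?)\s+\[(.+?)\]", line)
        if m:
            readers[int(m.group(1))] = (m.group(2), m.group(3))
    return readers


def contactless_reader_visible(pcsc_text):
    """True once pcsc_scan lists a [Contactless SmartCard] reader."""
    return any(iface == "Contactless SmartCard"
               for _, iface in parse_pcsc_readers(pcsc_text).values())


# Constructed samples, copied from the outputs quoted in the post.
SAMPLE_STAT_BEFORE = """\
FreeDOS C:\\DOS>ushdiag.exe -u -stat
Smart Card: Present; Enabled
Fingerprint: Present; Enabled
RFID Radio: Present; Enabled
RFID Lock: Disabled
CV Only Radio: Enabled
RFID AutoDetect Set
RFID Present Not Forced
WBDI: Enabled
RFID Block Mode: Unknown (CV Only Radio Mode Enabled)
"""
SAMPLE_PCSC_BEFORE = """\
Scanning present readers...
0: Broadcom Corp 5880 [Contacted SmartCard] (0123456789ABCD) 00 00
"""
SAMPLE_PCSC_AFTER = SAMPLE_PCSC_BEFORE + (
    "1: Broadcom Corp 5880 [Contactless SmartCard] (0123456789ABCD) 01 00\n"
)

if __name__ == "__main__":
    print("CV-only enabled:", cv_only_mode_enabled(SAMPLE_STAT_BEFORE))
    print("Suggested command:", suggest_ushdiag_command(SAMPLE_STAT_BEFORE))
    print("Contactless visible before:", contactless_reader_visible(SAMPLE_PCSC_BEFORE))
    print("Contactless visible after:", contactless_reader_visible(SAMPLE_PCSC_AFTER))
```

Paste your own -stat output into SAMPLE_STAT_BEFORE (or read it from a file) to get the exact -dd value for your configuration; the same build_devmask() also gives the mask for -de if you ever want to turn CV-only mode back on.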

Confirmed working is my YubiKey NEO (PIV applet). The reader appears to lack support in libnfc, so I haven't managed to talk to MIFARE cards, for example.

Any thoughts? Or issues? Confirmed working for another Dell machine? Leave a comment below!

Category: Security