1
00:00:00,240 --> 00:00:08,240
oh geez is it okay crap i bent a lot of pins

2
00:00:06,080 --> 00:00:13,759
Linus that's really bad i can fix it

3
00:00:12,240 --> 00:00:19,119
if everything goes according to plan today i'm gonna install this brand new

4
00:00:15,920 --> 00:00:22,640
ryzen 5600g CPU in that lenovo ThinkCentre

5
00:00:19,119 --> 00:00:24,960
m75s pc destroying it permanently

6
00:00:22,640 --> 00:00:30,640
and believe it or not that's a feature not a bug you see some AMD ryzen cpus

7
00:00:28,000 --> 00:00:37,120
contain a fuse that allows a motherboard manufacturer to lock the CPU to their

8
00:00:34,239 --> 00:00:41,520
own brand of motherboard it's a security feature that first showed up in EPYC

9
00:00:39,360 --> 00:00:47,520
server chips but lenovo seems to have taken it upon themselves to enable it on

10
00:00:44,640 --> 00:00:51,440
the desktop okay maybe destroyed permanently is a little unfair the chip

11
00:00:49,680 --> 00:00:56,879
will still work as long as you put it in a lenovo motherboard but

12
00:00:53,840 --> 00:00:58,719
damn it i'm mad or at least i will be if

13
00:00:56,879 --> 00:01:02,800
it behaves the way that i'm expecting obviously we don't want to break any

14
00:01:00,239 --> 00:01:06,560
more chips than we absolutely have to so we haven't actually tried it yet but

15
00:01:05,280 --> 00:01:11,119
we're about to SmartDeploy gives you zero touch zero

16
00:01:08,720 --> 00:01:15,680
headache pc management for it you can deploy Windows apps and drivers from the

17
00:01:13,280 --> 00:01:19,520
cloud with no vpn required get your free subscription worth over six hundred

18
00:01:17,200 --> 00:01:22,000
dollars at smartdeploy.com Linus

19
00:01:24,640 --> 00:01:29,840
why am i so good at fixing hardware when you break a lot of hardware you gotta

20
00:01:28,080 --> 00:01:32,560
fix a lot of hardware well it's not hardware in general that i'm good at

21
00:01:31,119 --> 00:01:35,799
fixing but i am pretty good at fixing dead pins

22
00:01:52,640 --> 00:01:59,280
there is virtually no way of knowing if the lenovo system that you just bought

23
00:01:56,640 --> 00:02:04,479
has a locked CPU inside it there's no visual indication no sticker the website

24
00:02:02,240 --> 00:02:09,039
no mention of it whatsoever and even the full nine page spec sheet nothing and

25
00:02:06,960 --> 00:02:13,920
i'd bet that the vast majority of people that bought a system like this one would

26
00:02:10,879 --> 00:02:16,400
think that the ryzen 5 5650g inside it

27
00:02:13,920 --> 00:02:21,280
would work like any other desktop CPU let's try that first maybe this is all a

28
00:02:18,480 --> 00:02:24,959
big misunderstanding and lenovo didn't lock down this machine i guess we should

29
00:02:23,360 --> 00:02:28,800
power it on first make sure it actually works right yeah sure

30
00:02:27,040 --> 00:02:33,680
there we go everything booted up as normal the dvd drive works which is

31
00:02:31,840 --> 00:02:39,920
really good overall what are we looking at here we've got solid front i o uh

32
00:02:36,560 --> 00:02:42,080
less solid rear i o ryzen 5650g

33
00:02:39,920 --> 00:02:45,360
processor with a very unexceptional looking blower cooler although i do like

34
00:02:43,760 --> 00:02:50,280
that it exhausts all the heat directly out of the back of the system

35
00:02:47,040 --> 00:02:53,360
m.2 boot drive

36
00:02:50,280 --> 00:02:56,640
260 watt power supply wow i don't even

37
00:02:53,360 --> 00:02:59,120
get a 260 watt power supply anymore oh

38
00:02:56,640 --> 00:03:03,200
lordy is that single channel memory for shame 16 gigs on a single stick well i

39
00:03:01,840 --> 00:03:07,200
can definitely see why people would want to put the CPU in a different computer

40
00:03:05,360 --> 00:03:11,440
so what's your bet alex doesn't work you bet it doesn't work it

41
00:03:09,120 --> 00:03:15,599
doesn't work i don't know there's so little concrete

42
00:03:13,840 --> 00:03:20,800
information out there about this i kind of am hoping that it's just a

43
00:03:17,680 --> 00:03:23,519
storm in a teacup situation holy crap

44
00:03:20,800 --> 00:03:29,280
it's just in a boot loop what's the code it's throwing it ends up at c2 and then

45
00:03:25,840 --> 00:03:31,040
it reboots it goes c2 0 0 and then it

46
00:03:29,280 --> 00:03:35,599
reboots and i know 0 0 means no processor we've given this a solid five

47
00:03:33,440 --> 00:03:39,360
minutes at this point it's clearly not going to fire up i want to take a closer

48
00:03:37,200 --> 00:03:44,319
look at this CPU maybe it's uh maybe there's something else at play here okay

49
00:03:41,440 --> 00:03:49,519
well here's one thing this is a ryzen 5 pro 5650g

50
00:03:47,040 --> 00:03:53,680
and we do know that their pro lineup is geared more towards the workstation

51
00:03:51,760 --> 00:03:57,680
market i don't mean workstation in the sense that you're doing like 3d modeling

52
00:03:55,840 --> 00:04:03,439
or animation certainly not on a machine like this but workstation that this is a

53
00:04:00,319 --> 00:04:06,000
professional machine maybe it's just pro

54
00:04:03,439 --> 00:04:10,159
ones or maybe that motherboard's not pro compatible or if you want we can test a

55
00:04:08,159 --> 00:04:14,239
pro CPU in that motherboard we have another pro yeah we have another pro oh

56
00:04:12,159 --> 00:04:17,840
i can go grab it yeah let's do that so i have this 4750g although we do have a

57
00:04:16,239 --> 00:04:23,759
problem that this is from a lenovo system so oh if it's locked that would suck i just

58
00:04:21,519 --> 00:04:27,680
fired this one up and alex is about to fire this one up if this turns on then

59
00:04:26,000 --> 00:04:32,320
what we'll know for sure is that this motherboard works with pro cpus and if

60
00:04:30,639 --> 00:04:36,800
it doesn't then we won't really know anything either that CPU is also vendor

61
00:04:34,800 --> 00:04:40,000
locked or this board doesn't support pro cpus

62
00:04:38,000 --> 00:04:44,960
if this one turns on then we will know for certain that the CPU itself still

63
00:04:42,240 --> 00:04:48,720
works but that lenovo absolutely did lock it down to their motherboard ryzen

64
00:04:46,960 --> 00:04:52,160
pro compatibility confirmed there we go it only took me

65
00:04:50,639 --> 00:04:56,479
two tries to time that do i have to break the 5600g

66
00:04:54,720 --> 00:04:58,800
well we don't know if it'll break or not we're pretty sure it's going to break

67
00:04:57,840 --> 00:05:05,360
alex but we don't know there it is

68
00:05:02,479 --> 00:05:09,199
psb enable enabled by default if it is enabled when a new CPU is installed the

69
00:05:07,120 --> 00:05:14,080
system will notify the user during POST this notice message can be cleared by

70
00:05:11,120 --> 00:05:17,840
pressing y so you clear it by pressing y but which if i understand correctly will

71
00:05:16,240 --> 00:05:23,840
also mean that you have just vendor locked your CPU that's not as simple as just

72
00:05:21,120 --> 00:05:27,199
clearing a notification and confirmed it is

73
00:05:24,880 --> 00:05:31,600
locked down so that the CPU will only work in a lenovo system by default which

74
00:05:29,759 --> 00:05:35,759
raises the question why would anybody want that in the first

75
00:05:33,759 --> 00:05:40,320
place i mean i get why you'd want to lock down certain parts of your pc

76
00:05:37,919 --> 00:05:44,960
firmware for example could help prevent malicious code from being injected into

77
00:05:42,639 --> 00:05:49,039
it or having an encrypted hard drive to make sure people can't steal your data i

78
00:05:46,639 --> 00:05:52,639
mean heck even encrypted RAM since you could hypothetically have someone freeze

79
00:05:50,880 --> 00:05:58,080
it with liquid nitrogen and then read the bits off of it but how could vendor

80
00:05:54,720 --> 00:06:00,720
locking a CPU increase security well as

81
00:05:58,080 --> 00:06:06,160
it turns out we aren't actually super concerned about the CPU we're concerned

82
00:06:03,360 --> 00:06:11,680
about the UEFI BIOS the firmware and locking the CPU is a byproduct of

83
00:06:09,199 --> 00:06:17,520
locking down that the culprit here then is AMD's platform secure boot or psb and

84
00:06:15,840 --> 00:06:22,479
we can see it's enabled right here and it's legitimately a useful feature that

85
00:06:20,080 --> 00:06:26,479
some customers do want because once an intruder has access to your BIOS the

86
00:06:24,400 --> 00:06:31,520
rest of your security measures become largely meaningless so to address this

87
00:06:29,120 --> 00:06:35,759
AMD and Intel for that matter puts a little ARM microcontroller in their CPU

88
00:06:33,840 --> 00:06:40,000
that is responsible for security and to ensure that everything is secure the

89
00:06:37,440 --> 00:06:45,600
BIOS or firmware needs to trust the CPU and the CPU needs to trust the BIOS so

90
00:06:42,720 --> 00:06:49,840
when psb is enabled there's a little field programmable fuse in the CPU that

91
00:06:48,160 --> 00:06:53,120
has some information from the BIOS written onto it including a

92
00:06:51,280 --> 00:06:58,479
cryptographic code from the motherboard manufacturer so let's disable psb in the

93
00:06:55,759 --> 00:07:02,160
BIOS and put our off-the-shelf ryzen 5 5600g in here oh wow you did a great job

94
00:07:00,880 --> 00:07:06,880
of straightening those pins it actually goes in pretty easily thank you like so

95
00:07:04,479 --> 00:07:12,639
many parts of this video we are not 100% sure that our non-pro ryzen CPU will

96
00:07:10,000 --> 00:07:16,400
even have this feature at all so we're going to head into the BIOS

97
00:07:14,639 --> 00:07:21,199
with it disabled you don't want to accidentally lock it and see what it

98
00:07:18,400 --> 00:07:21,199
says okay

99
00:07:22,560 --> 00:07:28,639
pspn okay well the features here i want

100
00:07:25,680 --> 00:07:33,520
to enable it i want to i want to know oh apparently it's on the regular chips

101
00:07:31,840 --> 00:07:39,520
a new CPU has been installed on your system press yes button or y to lock the

102
00:07:37,120 --> 00:07:44,240
CPU and execute the platform secure boot process note the locked CPU cannot be

103
00:07:42,240 --> 00:07:47,599
used on other models am i supposed to do it now is this the point in the

104
00:07:45,440 --> 00:07:51,520
adventure when i have to do it press y oh god

105
00:07:48,800 --> 00:07:56,240
goodnight sweet friends to confirm the CPU does still work lttstore.com holy

106
00:07:54,800 --> 00:08:01,919
crap we launched the cute little plushies but i am now expecting the CPU

107
00:07:58,960 --> 00:08:05,919
to not work on our other machine i hate this that light's just blinking and it's

108
00:08:04,240 --> 00:08:10,720
going through the exact same POST code cycle oh i like really don't feel very

109
00:08:09,199 --> 00:08:15,680
good right now that really sucks so at this point you guys

110
00:08:14,000 --> 00:08:21,120
are probably thinking surely there is some way to reverse this

111
00:08:17,599 --> 00:08:24,000
process right no there is not once psb

112
00:08:21,120 --> 00:08:28,879
is enabled it cannot be undone in fact the whole point of AMD's psp is to allow

113
00:08:26,800 --> 00:08:31,280
the CPU to verify that the BIOS can be trusted so

114
00:08:30,160 --> 00:08:35,200
if a hacker was able to easily overwrite the

115
00:08:33,360 --> 00:08:39,039
cryptographic key then you can sure as heck bet that that would be the first

116
00:08:36,640 --> 00:08:41,919
step of their hack to just disable it right speaking of hacking we're

117
00:08:40,800 --> 00:08:45,839
currently working on a video where we hack a ps4 pro get subscribed so you

118
00:08:43,839 --> 00:08:50,959
don't miss it now to be clear i have no problem at all with this

119
00:08:47,360 --> 00:08:52,880
feature existing or even oems having it

120
00:08:50,959 --> 00:08:57,279
on their systems the problem is that in the case of this one i wasn't given a

121
00:08:55,040 --> 00:08:59,839
choice nor was i given clear messaging around it there are

122
00:08:58,720 --> 00:09:04,399
so many better ways that lenovo could have

123
00:09:02,160 --> 00:09:09,040
handled this they could have shipped the system with the feature enabled but not

124
00:09:06,720 --> 00:09:12,720
yet locked and maybe had a better worded warning about it they could have had psb

125
00:09:11,040 --> 00:09:16,880
as an option in their online configurator i mean heck even just

126
00:09:15,040 --> 00:09:20,640
clearly stating it on the web page would be a great start so people know what the

127
00:09:19,360 --> 00:09:26,640
trade-off is so the blame rests pretty much entirely

128
00:09:23,680 --> 00:09:30,880
on lenovo here because on servers for example psb is something that customers

129
00:09:28,720 --> 00:09:35,519
actually want and almost more importantly understand having a server

130
00:09:33,519 --> 00:09:39,200
shipped to you with psb enabled from the factory is

131
00:09:37,040 --> 00:09:43,200
valid because it allows the CPU to verify once it arrives that the BIOS of

132
00:09:41,680 --> 00:09:47,360
the firmware has not been tampered with in shipping hp dell and probably a bunch

133
00:09:45,839 --> 00:09:50,959
of other companies have been doing this for years and we didn't make a video

134
00:09:49,120 --> 00:09:55,200
about it Intel also has a similar feature in some xeons but again that

135
00:09:53,040 --> 00:09:59,519
kind of hardware is much less likely to end up in the hands of the average

136
00:09:56,320 --> 00:10:02,240
consumer by contrast when this desktop

137
00:09:59,519 --> 00:10:06,320
ends up at a recycler or in an office supplies auction do you think the person

138
00:10:04,320 --> 00:10:10,399
that buys this will know that that CPU cannot be used in other motherboards

139
00:10:08,240 --> 00:10:14,480
probably not and it's going to be a huge pain in the butt when these cpus end up

140
00:10:12,399 --> 00:10:19,680
on the second hand market even worse is the fact that nothing prevents lenovo

141
00:10:17,279 --> 00:10:24,160
from using this feature to actually lock the CPU to a particular model to our

142
00:10:22,240 --> 00:10:28,720
knowledge that hasn't been done yet it's only a vendor level lock for now but is

143
00:10:26,959 --> 00:10:33,040
there any reason lenovo couldn't have a whole host of different encryption keys

144
00:10:31,120 --> 00:10:36,800
for all their different models now patrick from ServeTheHome came up

145
00:10:34,959 --> 00:10:43,040
with what he thinks is a solution to this problem AMD cpus could come with

146
00:10:39,360 --> 00:10:45,200
two fuses one that enables psb and then

147
00:10:43,040 --> 00:10:49,760
another that permanently disables it once that CPU is put out to pasture this

148
00:10:47,680 --> 00:10:53,920
would allow it to be disabled hopefully without compromising cpus that are

149
00:10:51,760 --> 00:10:58,480
currently using the feature but as much as that sounds good on paper it

150
00:10:56,720 --> 00:11:02,000
would probably require a hardware change so we are unlikely to see a solution

151
00:11:00,079 --> 00:11:06,079
like that in the short to midterm probably the biggest issue with this

152
00:11:03,760 --> 00:11:10,640
whole cluster though is that like Intel's notorious management engine

153
00:11:08,079 --> 00:11:15,760
psb's value as a security measure is unproven at best it assumes a couple of

154
00:11:13,920 --> 00:11:20,640
things number one that the vendor's cryptographic signature or signatures

155
00:11:18,000 --> 00:11:24,560
will never be leaked and number two it assumes that it's actually secure but

156
00:11:22,880 --> 00:11:29,360
it's closed source meaning that there's no way for independent security experts

157
00:11:26,640 --> 00:11:34,800
to audit it so it could very well be that we're just creating more e-waste

158
00:11:31,200 --> 00:11:36,320
for no good reason sorry mother earth i

159
00:11:34,800 --> 00:11:40,399
guess this is just one more that you're gonna have to take for the team Graphus

160
00:11:38,399 --> 00:11:43,839
is an automated phishing defense solution that protects every inbox in your

161
00:11:41,920 --> 00:11:46,640
organization from outside threats adding Graphus to your security stack allows

162
00:11:45,279 --> 00:11:50,320
you to defend your employees from cyber attacks including phishing email

163
00:11:48,480 --> 00:11:53,920
compromise account takeover identity spoofing malware and ransomware they use

164
00:11:52,399 --> 00:11:57,200
a patented machine learning technology that monitors communication patterns

165
00:11:55,440 --> 00:12:00,800
between people devices and networks to reveal untrustworthy emails and they

166
00:11:59,200 --> 00:12:04,320
analyze messages in real time integrating at the API level to detect

167
00:12:02,720 --> 00:12:08,240
social engineering attacks and activation only takes a few minutes so

168
00:12:06,320 --> 00:12:12,880
don't wait you can get 30% off the list price and 30% off onboarding with Graphus

169
00:12:10,800 --> 00:12:16,720
at the link down below if you guys enjoyed this video why don't we throw it

170
00:12:14,320 --> 00:12:20,240
at the TempleOS video it's a good video and Anthony did a good job of writing it
