I ordered and replaced my Librem 14 keyboard for 33€

Since I received my Librem 14 I was super happy about it. I was aware of all the complains about customer support and product quality, but for me I had no major issues. Until… Keyboard. And this is were all started, because it’s at the moment you start to have problems that you see all problems.

The Problem

So my keyboard started to malfunction, similar to other posts here (dead keys, pressing one key triggers multiples ones, etc). It came out of nowhere. It was so unusable that it was impossible to decrypt LUKS partition, and even if by chance or with an external keyboard I were able to do it, keys were triggered randomly so I needed to disable the internal keyboard completely on the software side. But how to type your sudo password when your keyboard plays with you . So the only solution was to unplug it.

The Investigations

I quickly understood it was a matrix issue like explained in another post, and that the keyboard needed to be replaced. But as you may know the machine is built in such a way that the keyboard is fixed to the chassis, so to replace it you have to buy a whole new chassis, with the trackpad, and contact Purism support by mail because they currently don’t sell it online. So it’s more expensive that just the defective matrix, and because I live in Europe the customs fees adds up.

I still decided to completely disassemble it and try to fix it, but we can’t do anything about it. This matrix thing is probably bad quality and completely enclosed in plastic.

The Hope

After some research I found this product on AliExpress: https://aliexpress.com/i/1005005665629497.html
The vendor claims that this keyboard is compatible with Librem 14v1, and for 33€ all included with free shipping and 3 months free return and warranty, I decided to give it a try despite the unknown adventure from China.

Once ordered, the vendor sent me a message to double check about the fact that it’s compatible only for Librem 14v1 Version 1. The ETA was 14 days, but 7 days after the parcel arrived in my mailbox. All the trip was clearly tracked through the transporter’s website.

kb907×362 276 KB

As you can see the keyboard looks different. You have the Windows logo, the FN keys don’t show the same things… but it’s just visuals.

The Miracle

Once I plugged it in, it worked out of the box. No Firmware or PureBoot or OS updates. It fits perfectly in the chassis.

To install it, you need to remove the first keyboard, and you can’t do it without breaking some parts. First, disassemble the machine completely as explained in the official documentation, including the screen.

image1920×1080 170 KB

Once you are at this stage, you need to break all the small plastic black points that fixes the metal plate to the chassis underneath. You don’t need to remove the blue plastic, just cut through it. there are a lot, maybe 30 or more, and you need a thin cutter. It’s not difficult, you just need to get used to it.

Then, the metal plate will be removable. Start by lifting the upper part (screen side), unclip where necessary and then slide to remove it completely. From there you can detach the old keyboard, and place the new one. Don’t forget to insert the keyboard cable in the metal part. Reinstall the whole, starting by sliding the bottom part. Reinstall everything. Boot. And tada

The Downfall

Everything is not perfect tho, first major issue is that because the keyboard is not firmly fixed to the chassis anymore, it’s quite wobbly/noisy. I was thinking about adding some thermal pads under the motherboards so it pushes the keyboard up, or maybe find a way to glue it again. Also it might be necessary to add capton tape where the blue one has been removed.
Next, this new keyboard doesn’t come with backlight.
And finally, the new caps are not compatible with the Librem ones, which is a bummer. I thought that I could just swap all the caps but it’s not possible, it’s not the same design.

Because I suspect the root issue to be this thin plastic matrix inside the keyboard, theoretically we could take the new one and put it into the Librem keyboard. Which would also bring back the backlight and key caps.

Final Thoughts

I wish I could order from Purism and replace it more easily, my solution is not perfect, experimental, it’s for advanced (and definitely adventurous) users, but I hope my contribution can help the community!

N.B.: If you break your laptop or set it on fire at any moment of the process, I can’t be held responsible

I would have gone to a thrift store and bought 5 for one dollar each until one of them worked.

How can I find a Librem 14 compatible internal keyboard in a random thrift store? The size or matrix would probably be different. Can you give me a laptop that use this very same model?

It is apparent I missed the word “internal”. Sorry about that.

Great! So now, you have a Chinese keyboard with integrated keylogger that phones home to AliExpress…

Theoretically yes but … where do think the original keyboard came from?

Ha ha! But we trust Purism with their hardware supply chain and controls - don’t we?

That depends on your threat model.

It doesn’t come directly from China, AFAIK Purism care about the security and verify the hardware as much as they can.

As long as they don’t ask for a page count on their user guides upon receipt.

Where did you get the idea that the original keyboard didn’t come directly from China? Purism has not divulged who their ODM is for the Librem 14, but it is almost certainly a Chinese company. i.e. It is assembled in China (except, perhaps, for the RAM and SSD?) and many parts, like the keyboard, almost certainly come directly from China.

Also, in regard to whether Purism cares about security, my view is that since Purism markets to people who value Freedom, privacy, and security … they must appear to care about security. But, given that they are a for-profit corporation, my opinion is that the appearance of valuing security is greater than the reality.

They are not an ordinary for-profit company in that they put other things, not profit as higher priorities. Quote:

The Corporation shall be devoted to ensuring the security, privacy, and freedom of the users of its products, and the hardware and software offered by Purism shall conform to the philosophy of the Free Software movement

It might have come from China, and it might even have a backdoor, but how do you think this backdoor talks to a server? Via secretly built satellite antenna inside?

An SPC can, but is not obligated to put its Social Purpose ahead of profits. If it does put its Social Purpose above profits, it’s supposed to document that in their annual Social Purpose Report. And I’m not even going into the fact that, AFAIK, they haven’t filed a single Social Purpose Report and what that means (e.g. Was it all just marketing? Can they lose their SPC status? ) .

It’s still a for-profit corporation. We saw how they treated their customers when they did not make good on their refund promises. That behavior, IMO, was worse than the typical for-profit corporation reaction.

You’re the one who asserted the following. I was just pointing out that I’m pretty sure you were wrong.

If you want to talk about backdoors … then maybe go full circle to where that claim was made (by somebody else) and reply to their claim:

It is well known how a backdoored keyboard can exfiltrate data (this is a standard badUSB attack mechanism).

I was never suggesting that either the original keyboard nor the replacement keyboard is actually backdoored. I was only assessing and comparing possibilities.

Interestingly, you mentioned this attack, which would affect a USB keyboard, that is true.
But continuing this reflection on a potentially backdoored Chinese keyboard, I came to the conclusion that this is not possible in this particular case of the replacement part purchased for a Librem 14.
The reason is because the internal keyboard is not USB (Thanks God!) but PS/2. So it is connected to the EC, a MCU for which - on the L14 - the code has been freed and validated.
The EC itself does not have a direct interface with critical internal hardware like memory, PCI busses, wifi card, GbE… Upon some event happening, like a keystroke for example, it produces an SMI (System Management Interrupt) either a hardware interrupt or MMIO issued. The SMI is non-maskable and has priority over everything: the CPU goes into SMM (System Management Mode - or “God mode”) and after saving states, executes the SMI handler in SMRAM (Ring -2) - the OS or Hypervisor is not even aware that the CPU entered SMM.
I don’t see any way a PS/2 keyboard could pass any information or directly communicate with critical hardware and phone home or do anything bad. The EC could, but the code is open and audited. As to trying to attack the SMI handler in Ring -2, I don’t see how this could be done - there is only one known such attack on older hardware and it’s a PoC published by ITL.
So no need to be paranoid and worry about your Chinese keyboard!

You are overthinking it.

A backdoored keyboard can record keystrokes in order to capture possible passwords and then exfiltrate what it has captured by generating keystrokes that will execute the right commands to exfiltrate data e.g. ctrl-alt-t, to bring up a terminal and then wget ... to POST the data to a server controlled by the attacker.

Of course you might notice the window flicker up (or indeed linger a long time if your internet is crappy), so it could also monitor keystrokes to decide when you are active on the computer and when you have wandered off. For example, if you locked the session explicitly (super-l) then it could see that, and quietly unlock while you are away, having learned your unlock password the previous time you locked the session and then unlocked it, do its mischief, then lock again.

A backdoored keyboard could also generate commands to exfiltrate all your files e.g. download (wget) a suitable script or program from a server controlled by the attacker and just let it run in the background.

A backdoored keyboard could, with care, learn your sudo password and hence make the attack nastier.

There are definitely ways this attack could fail, and ways you could defeat the exfiltration e.g. with good exfiltration detection in your internet gateway.

Is this attack real or hypothetical? It is hypothetical until it isn’t.

It’s an interesting way to look at the problem. I hadn’t thought about it this way.
And of course, you are right: a sophisticated backdoored keyboard could do all these things you describe.
I forgot one key factor in my analysis: keyboards are input devices and as such, the EC does not protect that input because it has no way to differentiate between a real finger hitting a key, or a script acting inside the keyboard hardware sending commands that look legitimate.
Well, just like Joanna Rutkowska always said: inputs are the real problem for security…

Since the discussion is headed closer to Qubes OS, I wanted to mention that the USB Rubber Ducky works as expected when connected to sys-usb on Qubes OS 4.2.2, and is at least able to execute Firefox as a process. Replugging it in does not seem to repeat the same instructions, and I have yet to explore the reason(s) in further detail.