Here is the HARD truth about Hardware Kill switches on Librem laptops.

The Librem laptops are secure machines that respect and protect your privacy and freedom. To this end, we at Purism are intensely suspicious of several items on a standard laptop that could be used, either maliciously or accidentally, to violate your privacy and security. Specifically, these items are:

1. The laptop’s built in Webcam and Microphone.
2. The laptop’s WiFi and Bluetooth radios.

Almost all laptops on the market today have a way to turn off a laptop’s WiFi and Bluetooth radios. However, most do it via software on the computer (example: a special program in the operating system) or a soft switch in the computer’s embedded controller within the bios (example: using the keyboard combination of pressing at the same time the Function Key plus the F2 key). Due to the threats that still remain possible for malicious software to turn on these peripherals, we opt to solve this with hardware.

There is NO other laptop on the market today that has a physical means to turn off a machine’s built in Webcam and Microphone.

Thus, to protect you from the risks of these devices, the Librem laptops come with the ability to physically disable or turn off the Webcam, Microphone, WiFi radio, and Bluetooth radio via a Hardware Kill Switch (HKS).

The HKS is a real physical switch that either:

1. Cuts the signal or power line to the device, as in the case of the Webcam and Microphone HKS, or,
2. Disable the chip running them, as is the case of the WiFi and Bluetooth radios HKS.

To give you an idea how this is done, let’s look at the HKSes on a Librem 13.

The HKS themselves

The HKSes are located in the hinge cover of a Librem 13. The HKS themselves are Double Pole, Double Throw (DPDT) switches with a switch function of ON-ON and have six leads on them.

Different Devices, Different Challenges

For starters, it helps to look at the motherboard on a Librem 13 and see where the various devices connect to it.

To physically shut off each of the questionable devices with a physical switch we broke the problem down into three parts:

1. Kill the Webcam
2. Kill the Microphone, and,
3. Kill the WiFi and Bluetooth radios

The reason for this is because each of the above devices has a different interface and thus requires a different solution to ensure it is really OFF.

Kill the Webcam

The webcam on a Librem 13 is located above the laptop’s screen and connects to the motherboard via connector EDPCON1, a x30 pin connector that also contains all the wiring for the laptop’s display. The webcam itself uses a USB 2.0 interface, meaning there are four wires on EDPCON1 that are just for the camera. Two of the four wires are for data, one is for a +3.3 volt DC signal to power the camera, and the last wire it the ground.

To kill the Webcam with a HKS, we insert a HKS and circuit during assembly, wiring the +3.3 volt DC power wire for the USB connection directly into the HKS.

With the HKS in the OFF position, no power gets to the Webcam, and thus making it impossible for the webcam to be used (in fact it is not detected by the kernel nor operating system when off).

Kill the Microphone

The microphone on a Librem 13 is located right next to the Webcam above the laptop’s screen and connects to the laptop’s motherboard via connector MIC_COM1. But unlike the Webcam, the microphone has only two leads: One for the microphone’s signal and the other for the microphone’s ground.

To kill the microphone with a HKS, we wire the microphone’s signal wire directly to the HKS.

With the HKS in the OFF position, no signal from the microphone gets to the motherboard, thus making it impossible for the microphone to send any signals to the laptop.

One Switch for Two

Both the Webcam and the Microphone are wired to the same HKS, so both devices are OFF at the same time.

The WiFi and Bluetooth radios are wired to a second HKS.

Kill the WiFi and Bluetooth Radios

To fully understand how to disable the WiFi and Bluetooth radios, it is necessary to gain some insight into the PCISIG M.2 NGFF standard and how it is used to turn OFF the devices. The PCISIG M.2 NGFF connector has 75 positions with up to 67 pins, each with a specific function. Some are used for data, some are used for power and ground, and still others are used for control signals. But for the HKSes, the two PCISIG M.2 NGFF pins of interest are pins 56 and 54, which control PCISIG M.2 NGFF functions called W_DISABLE#1 and W_DISABLE#2 (respectfully).

The WiFi/Bluetooth Hardware Kill Switch works by applying to pins 56 and 54 an input of one of two DC signals:

1. To turn the radios ON: Apply a Ground (GND) or +0 V signal.
2. To turn the radios OFF: Apply a +3.3 V signal.

Note that this standard is a bit counter intuitive with Voltage high (+3.3 Volt) = OFF and Voltage low (0 Volts or GND) = ON.

In a Librem 13, the M.2 NGFF connector pins 54 and 56 cannot be accessed directly on the NGFF connector, for it is much too small for any solder connections. Instead the pins are accessed via two 0402 Surface Mount Device (SMD) pads on the motherboard itself (pads R609 and R629).

So for the WiFi/Bluetooth HKS, wires are soldered from the SMD pads to the HKS. Then one side of the HKS is wired to a +3.3 volt signal with the other side wired to ground. The end result looks like this:

With the HKS in the +3.3 Volt position, pins 54 and 56 in the M.2 NGFF connector will receive a HIGH voltage, and the radios on the WiFi card will be turned OFF. With the HKS in the Ground (GND) position, pins 54 and 56 will receive a LOW voltage, and the radios will be turned ON.

Our Hard Work to Protect Your Privacy

As you can see, it is not a trivial matter to manufacture these HKSes. A lot of research and hard work went into the effort.

Purism believes in your rights to privacy, security, and freedom, and will continue to work hard for users’ rights.