
Create 8mb flash images for t530/w530 (to bypass complete disassembly requirement) #1189

Closed
tlaurion opened this issue Jul 14, 2022 · 8 comments

Comments

@tlaurion
Collaborator

tlaurion commented Jul 14, 2022

This way no complete disassembly would be needed.

Since the 8mb SPI flash is the one exposed under the palmrest and the 4mb is the one under the bezel, we could create other flasher boards to flash maximized boards internally. The 8mb SPI flash being the one actually containing IFD, GBE and ME, a precooked IFD could be crafted and used in another specialized board config and coreboot config, crafted to create a valid 8mb ROM image.

The hypothesis here is since the ifd would be unlocked and the whole 12mb of combined 8mb+4mb flash space should be seen by flashrom, there should be no problem to flash the corresponding 12mb maximized board image from that image.

Basically automating the following: https://ch1p.io/coreboot-t530-one-chip/

How should those t530 and w530 boards be named?

@tlaurion tlaurion changed the title Create 8mb flash images for t430/w530 (to bypass complete disassembly requirement) Create 8mb flash images for t530/w530 (to bypass complete disassembly requirement) Jul 14, 2022
@tlaurion
Collaborator Author

Naming proposition: w530-flash-bottom t530-flash-bottom?

@zifxify

zifxify commented Jul 15, 2022

I did the following to bypass complete disassembly for flashing the w530.

Downgrade BIOS to 2.58 or an earlier version for W530 (I downgraded to 2.50 if I remembered correctly)
You can do it as described on the following link (https://github.com/gch1p/thinkpad-bios-software-flashing-guide#downgrading-bios)

EC downgrade is not needed.

Read the 8MB chip, I'm using the ch341a

flashrom -p ch341a_spi -c "MX25L6406E/MX25L6408E" -r w530_8mb
flashrom -p ch341a_spi -c "MX25L6406E/MX25L6408E" -r w530-2_8mb

Check if the same

diff w530_8mb w530-2_8mb

Unlock firmware descriptor and ME region

./ifdtool -u w530_8mb

Flash the 8MB chip with unlocked descriptor

flashrom -p ch341a_spi -c "MX25L6406E/MX25L6408E" -w w530_8mb.new

Install and boot 1vyrain. See https://github.com/n4ru/1vyrain#installing

1. Press enter key to attempt BIOS exploit.
2. Press the power button to wake it up.
3. When asked: "Please enter a choice" press CTRL-C
4. Mount a USB drive with a 12MB w530 heads rom and save the original bios (for restoring back to stock if needed later.)
eg: mount /dev/sd* /mnt
cd /mnt
flashrom -p internal:laptop=force_I_want_a_brick -r 12mb-original.rom
flashrom -p internal:laptop=force_I_want_a_brick -w w530*.rom
5. Umount USB drive and reboot system

@tlaurion
Collaborator Author

tlaurion commented Jul 15, 2022

@zifxify that would work of course, but requires a lot of back and forth that could be removed. Of course, it is always encouraged to backup original spi content for restore.

1- What I meant in automating https://ch1p.io/coreboot-t530-one-chip/ was to create new Heads flashing board configs which would result in 8mb ROM images that could be directly flashed. What is missing to accomplish this today is simply to create a valid unlocked descriptor (IFD), modified to have regions describing an 8m SPI chip. Once that file is crafted and dropped under blobs/xx30 in tree, new board configs could be created including the same basic modules x230-flash currently has, and point to new coreboot configs pointing to the new IFD, actual GBE and ME, but generating 8mb SPI, not 12. That would result in CI being able to create ROM images, which could be used to flash t530/w530 internally to their chosen board config ROM flavors. From my understanding, we could reuse the IFD under blobs/xx30 to generate the new one.

1.1- It would also be nice to have additional backup scripts, able to read the content of the whole 12mb image internally and extract the 4mb flash chip content for backup purposes. That could easily be added in additional scripts and instructions given at boot, just like xx30-flash boards point to custom init scripts. The user could combine his original 8mb image with this 4mb image to flash the resulting ROM internally and get back to stock BIOS.

2- We could also create hotp-verification board configs that would generate ROMs fitting into the 8mb flash only, just like they do on xx20. The goal here would be to never touch the 4mb flash, flashing internally only the BIOS region on upgrades, instead of reflashing the whole 12mb of regions for xx30 as is currently done for maximized boards. That way, the user could flash back the original 8mb image any time if desired.

I think 1 and 1.1 are needed.
2 would be nice to have.

@tlaurion
Collaborator Author

So, got my w530 dGPU K1000 today. Disassembled keyboard+palmrest, and saw the 8mb SPI chip exposed only.
Tried my generic programmer clip: too large. Had to find my Pomona and rewire.
Updated linuxboot/heads-wiki#120 (comment)

Now, lets make a w530-flasher_exposed_under_palmrest for fun and profit.

@tlaurion
Collaborator Author

#1558 won't work.

Field experience is that if crafting an 8mb self-contained firmware image that neuters ME, reduces its size and modifies the IFD to reduce the ME region to minimal and maximize the BIOS region, we basically get an 8MB flash image that becomes a legacy board, not a maximized board that has 12mb of combined SPI space.

The problem here is this:

  • To be able to boot the w530/t530 on the BIOS contained in the 8mb chip alone, the IFD cannot span the BIOS region across the two combined SPI chips into opaque combined SPI space. If the IFD specifies the whole 12MB available space for the BIOS region, when booting the computer, it boots on the proprietary BIOS with its implemented BIOS lock protections which prevent writing to the BIOS region unless the 1vyrain exploit chain is run. No win.
  • When modifying the IFD to limit the BIOS region to the 8mb region alone, the Heads flasher boots as expected. But when attempting to flash the 12mb maximized image, flashrom fails with "read_flash: failed to read (0x001000..0xbffff)", which is flashrom being unable to read or write the 4mb region at the end of the 12mb region. Flashrom cannot read or write the 4mb chip, even though the IFD, ME, GBE and BIOS regions are unlocked per IFD config. I might be missing something, but I haven't been successful getting that BIOS lock bypass from IFD/coreboot config changes alone.

So next steps as of now:

  • returning to the backup of the 8mb
  • using the Windows coming with the refurbished laptop to run https://github.com/n4ru/IVprep
  • creating a backup of the 8mb, ifdtool -u it, flash back
  • use 1vyrain to run the exploit and then ctrl-c, flashing the maximized 12mb image internally.
  • See how long that takes and maybe reconsider disassembling the whole laptop

Alternative:
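The failure mode described above hinges on where the IFD places the BIOS region relative to the 8MB chip boundary. The following Python script is an added example (not code from Heads, coreboot or ifdtool) that parses the region table of an Intel Flash Descriptor and checks whether the BIOS region stays within a single chip; the two region layouts are constructed sample values, not the real xx30 layout.

```python
import struct

IFD_SIGNATURE = 0x0FF0A55A          # descriptor signature at offset 0x10
REGION_NAMES = ["Descriptor", "BIOS", "ME", "GbE", "Platform"]
MB = 1024 * 1024

def parse_ifd_regions(image: bytes) -> dict:
    """Return {region_name: (base, limit)} from the descriptor at image[0:0x1000].
    Regions encoded as unused (limit < base) are omitted."""
    if len(image) < 0x1000:
        raise ValueError("image too short to hold a flash descriptor")
    (sig,) = struct.unpack_from("<I", image, 0x10)
    if sig != IFD_SIGNATURE:
        raise ValueError("no flash descriptor signature at offset 0x10")
    (flmap0,) = struct.unpack_from("<I", image, 0x14)
    frba = ((flmap0 >> 16) & 0xFF) << 4          # Flash Region Base Address
    regions = {}
    for i, name in enumerate(REGION_NAMES):
        (flreg,) = struct.unpack_from("<I", image, frba + 4 * i)
        base = (flreg & 0x7FFF) << 12
        limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
        if limit < base:                          # unused region encoding
            continue
        regions[name] = (base, limit)
    return regions

def bios_region_fits(regions: dict, chip_size: int) -> bool:
    """True if the BIOS region ends inside a chip of chip_size bytes."""
    base, limit = regions["BIOS"]
    return limit < chip_size

def build_descriptor(regions: dict, frba: int = 0x40) -> bytes:
    """Constructed 4KB descriptor containing only the fields parsed above."""
    d = bytearray(0x1000)
    struct.pack_into("<I", d, 0x10, IFD_SIGNATURE)
    struct.pack_into("<I", d, 0x14, (frba >> 4) << 16)
    for i, name in enumerate(REGION_NAMES):
        if name in regions:
            base, limit = regions[name]
            val = (base >> 12) | ((limit >> 12) << 16)
        else:
            val = 0x00007FFF                      # marks the region unused
        struct.pack_into("<I", d, frba + 4 * i, val)
    return bytes(d)

# Constructed layouts: BIOS spanning both chips vs. confined to the 8MB chip.
LAYOUT_12MB = {"Descriptor": (0x000000, 0x000FFF), "GbE": (0x001000, 0x002FFF),
               "ME": (0x003000, 0x4FFFFF), "BIOS": (0x500000, 0xBFFFFF)}
LAYOUT_8MB = dict(LAYOUT_12MB, BIOS=(0x500000, 0x7FFFFF))

if __name__ == "__main__":
    for label, layout in (("12MB layout", LAYOUT_12MB), ("8MB layout", LAYOUT_8MB)):
        regs = parse_ifd_regions(build_descriptor(layout))
        print(label, regs["BIOS"], "fits 8MB chip:", bios_region_fits(regs, 8 * MB))
```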

@tlaurion
Collaborator Author

tlaurion commented Jan 9, 2024

Can't be done #1558 (comment)

@tlaurion tlaurion closed this as completed Jan 9, 2024
@tlaurion
Collaborator Author

tlaurion commented Jan 9, 2024

Note that 8mb only could be done (legacy images vs maximized ROM images). But since we try to get away from legacy boards.... That would need volunteers to struggle with me with a smaller firmware footprint and jump into #590 revival.

@zifxify

zifxify commented Jan 22, 2024

@tlaurion, you don't need full Windows to flash back to a previous BIOS version (too much hassle).
It's a long time ago, but if I remember correctly I only did the following. Extracted the .FL1, .FL2 (EC) and dosflash with geteltorito.
Created a bootable FreeDOS USB flash drive (with Rufus on Windows).
Boot from USB and just run the command beneath:
dosflash.exe /sd /file .FL1

If you also want to downgrade/upgrade EC
dosflash.exe /sd /ipf ec /file .FL2

(I have tried different BIOS versions with different EC firmwares and it always worked.)
