mfp19 edited this page Aug 18, 2015 · 58 revisions

(based on: http://www.coreboot.org/Board:lenovo/x201 )

Status

I quickly checked the raminit and GPIOs part, and everything looks ... fine. There's a chance that the actual x201 code, renamed to t410 and modified to cope with Kconfig, will boot a T410 with only minor quirks. I didn't test it because of the lack of a viable recovery procedure in case of bad luck.

Issues

  • Nothing works yet :)

Done

  • copy coreboot/src/mainboard/lenovo/x201 to coreboot/src/mainboard/lenovo/t410
  • replace all occurrences of x201 with t410 in coreboot/src/mainboard/lenovo/t410

To do

  • adapt X201's devicetree.cb to T410 (raminit, lspci -nnvvxxx)
  • adapt X201's romstage.c to T410 (gpios, coreboot/util/inteltool )
  • acpi ...
  • something else?

To test

  • RAM module combinations of 4G+4G, 4G, 2G+2G, 4G+2G, 2G
  • suspend to RAM (S3)
  • Video
  • Sound
  • mini-PCIe slots (both wlan and wwan)
  • Expresscard slot (including hotplug)
  • USB
  • LAN
  • eSata
  • VGA
  • rs232
  • Firewire
  • SD card slot
  • Thermal management
  • Webcam
  • Bluetooth
  • Modem
  • Linux (through GRUB-as-payload & SeaBIOS-as-payload)
  • Windows (through GRUB-as-payload loading SeaBIOS image from disk; you have to use extracted VGA blob, dumped from memory isn't good enough)

Tested

  • nothing.

Can't test

My T410 doesn't have these features:

  • nVidia gpu.
  • Digitizer.
  • Fingerprint reader.
  • Smartcard reader.

Lenovo ThinkPad T410

The Lenovo ThinkPad T410 is exactly the same platform as the X201 (Core iX Westmere + Intel QM57). The X201 is the 'air version of the T410'; Lenovo used low-power CPUs (Core iX *LM instead of Core iX *M) and removed the Ricoh SD reader, to make it lighter, thinner, smaller, cooler ... more fancy.

For these reasons the X201 code already in the coreboot repo needs only minor changes.

X201 and T410

X201 lspci -nn

 00:00.0 Host bridge [0600]: Intel Corporation Core Processor DRAM Controller [8086:0044] (rev 02)
 00:02.0 VGA compatible controller [0300]: Intel Corporation Core Processor Integrated Graphics Controller [8086:0046] (rev 02)
 00:16.0 Communication controller [0780]: Intel Corporation 5 Series/3400 Series Chipset HECI Controller [8086:3b64] (rev 06)
 00:16.3 Serial controller [0700]: Intel Corporation 5 Series/3400 Series Chipset KT Controller [8086:3b67] (rev 06)
 00:19.0 Ethernet controller [0200]: Intel Corporation 82577LM Gigabit Network Connection [8086:10ea] (rev 06)
 00:1a.0 USB controller [0c03]: Intel Corporation 5 Series/3400 Series Chipset USB2 Enhanced Host Controller [8086:3b3c] (rev 06)
 00:1b.0 Audio device [0403]: Intel Corporation 5 Series/3400 Series Chipset High Definition Audio [8086:3b56] (rev 06)
 00:1c.0 PCI bridge [0604]: Intel Corporation 5 Series/3400 Series Chipset PCI Express Root Port 1 [8086:3b42] (rev 06)
 00:1c.3 PCI bridge [0604]: Intel Corporation 5 Series/3400 Series Chipset PCI Express Root Port 4 [8086:3b48] (rev 06)
 00:1c.4 PCI bridge [0604]: Intel Corporation 5 Series/3400 Series Chipset PCI Express Root Port 5 [8086:3b4a] (rev 06)
 00:1d.0 USB controller [0c03]: Intel Corporation 5 Series/3400 Series Chipset USB2 Enhanced Host Controller [8086:3b34] (rev 06)
 00:1e.0 PCI bridge [0604]: Intel Corporation 82801 Mobile PCI Bridge [8086:2448] (rev a6)
 00:1f.0 ISA bridge [0601]: Intel Corporation Mobile 5 Series Chipset LPC Interface Controller [8086:3b07] (rev 06)
 00:1f.2 SATA controller [0106]: Intel Corporation 5 Series/3400 Series Chipset 6 port SATA AHCI Controller [8086:3b2f] (rev 06)
 00:1f.3 SMBus [0c05]: Intel Corporation 5 Series/3400 Series Chipset SMBus Controller [8086:3b30] (rev 06)
 00:1f.6 Signal processing controller [1180]: Intel Corporation 5 Series/3400 Series Chipset Thermal Subsystem [8086:3b32] (rev 06)
 02:00.0 Network controller [0280]: Intel Corporation Centrino Ultimate-N 6300 [8086:4238] (rev 35)
 ff:00.0 Host bridge [0600]: Intel Corporation Core Processor QuickPath Architecture Generic Non-core Registers [8086:2c62] (rev 02)
 ff:00.1 Host bridge [0600]: Intel Corporation Core Processor QuickPath Architecture System Address Decoder [8086:2d01] (rev 02)
 ff:02.0 Host bridge [0600]: Intel Corporation Core Processor QPI Link 0 [8086:2d10] (rev 02)
 ff:02.1 Host bridge [0600]: Intel Corporation Core Processor QPI Physical 0 [8086:2d11] (rev 02)
 ff:02.2 Host bridge [0600]: Intel Corporation Core Processor Reserved [8086:2d12] (rev 02)
 ff:02.3 Host bridge [0600]: Intel Corporation Core Processor Reserved [8086:2d13] (rev 02)

T410 lspci -nn

 00:00.0 Host bridge [0600]: Intel Corporation Core Processor DRAM Controller [8086:0044] (rev 02)
 00:02.0 VGA compatible controller [0300]: Intel Corporation Core Processor Integrated Graphics Controller [8086:0046] (rev 02)
 00:16.0 Communication controller [0780]: Intel Corporation 5 Series/3400 Series Chipset HECI Controller [8086:3b64] (rev 06)
 00:19.0 Ethernet controller [0200]: Intel Corporation 82577LM Gigabit Network Connection [8086:10ea] (rev 06)
 00:1a.0 USB controller [0c03]: Intel Corporation 5 Series/3400 Series Chipset USB2 Enhanced Host Controller [8086:3b3c] (rev 06)
 00:1b.0 Audio device [0403]: Intel Corporation 5 Series/3400 Series Chipset High Definition Audio [8086:3b56] (rev 06)
 00:1c.0 PCI bridge [0604]: Intel Corporation 5 Series/3400 Series Chipset PCI Express Root Port 1 [8086:3b42] (rev 06)
 00:1c.1 PCI bridge [0604]: Intel Corporation 5 Series/3400 Series Chipset PCI Express Root Port 2 [8086:3b44] (rev 06)
 00:1c.3 PCI bridge [0604]: Intel Corporation 5 Series/3400 Series Chipset PCI Express Root Port 4 [8086:3b48] (rev 06)
 00:1c.4 PCI bridge [0604]: Intel Corporation 5 Series/3400 Series Chipset PCI Express Root Port 5 [8086:3b4a] (rev 06)
 00:1d.0 USB controller [0c03]: Intel Corporation 5 Series/3400 Series Chipset USB2 Enhanced Host Controller [8086:3b34] (rev 06)
 00:1e.0 PCI bridge [0604]: Intel Corporation 82801 Mobile PCI Bridge [8086:2448] (rev a6)
 00:1f.0 ISA bridge [0601]: Intel Corporation Mobile 5 Series Chipset LPC Interface Controller [8086:3b07] (rev 06)
 00:1f.2 SATA controller [0106]: Intel Corporation 5 Series/3400 Series Chipset 6 port SATA AHCI Controller [8086:3b2f] (rev 06)
 00:1f.3 SMBus [0c05]: Intel Corporation 5 Series/3400 Series Chipset SMBus Controller [8086:3b30] (rev 06)
 00:1f.6 Signal processing controller [1180]: Intel Corporation 5 Series/3400 Series Chipset Thermal Subsystem [8086:3b32] (rev 06)
 03:00.0 Network controller [0280]: Intel Corporation Centrino Ultimate-N 6300 [8086:4238] (rev 35)
 0d:00.0 SD Host controller [0805]: Ricoh Co Ltd MMC/SD Host Controller [1180:e822] (rev 01)
 0d:00.1 System peripheral [0880]: Ricoh Co Ltd R5U2xx (R5U230 / R5U231 / R5U241) [Memory Stick Host Controller] [1180:e230] (rev 01)
 0d:00.3 FireWire (IEEE 1394) [0c00]: Ricoh Co Ltd R5C832 PCIe IEEE 1394 Controller [1180:e832] (rev 01)
 ff:00.0 Host bridge [0600]: Intel Corporation Core Processor QuickPath Architecture Generic Non-core Registers [8086:2c62] (rev 02)
 ff:00.1 Host bridge [0600]: Intel Corporation Core Processor QuickPath Architecture System Address Decoder [8086:2d01] (rev 02)
 ff:02.0 Host bridge [0600]: Intel Corporation Core Processor QPI Link 0 [8086:2d10] (rev 02)
 ff:02.1 Host bridge [0600]: Intel Corporation Core Processor QPI Physical 0 [8086:2d11] (rev 02)
 ff:02.2 Host bridge [0600]: Intel Corporation Core Processor Reserved [8086:2d12] (rev 02)
 ff:02.3 Host bridge [0600]: Intel Corporation Core Processor Reserved [8086:2d13] (rev 02)

diff

 > 00:16.3 Serial controller [0700]: Intel Corporation 5 Series/3400 Series Chipset KT Controller 
 < 00:1c.1 PCI bridge [0604]: Intel Corporation 5 Series/3400 Series Chipset PCI Express Root Port 2 
 < 03:00.0 Network controller [0280]: Intel Corporation Centrino Ultimate-N 6300 [8086:4238] (rev 35)
 < 0d:00.0 SD Host controller [0805]: Ricoh Co Ltd MMC/SD Host Controller [1180:e822] (rev 01)
 < 0d:00.1 System peripheral [0880]: Ricoh Co Ltd R5U2xx (R5U230 / R5U231 / R5U241) [Memory Stick Host Controller] [1180:e230] (rev 01)
 < 0d:00.3 FireWire (IEEE 1394) [0c00]: Ricoh Co Ltd R5C832 PCIe IEEE 1394 Controller [1180:e832] (rev 01)
 > 02:00.0 Network controller [0280]: Intel Corporation Centrino Ultimate-N 6300 [8086:4238] (rev 35)

Other differences can be seen on the USB bus.

SPI chip & Programming methods

To program the flash chip there are 3+ ways: external, internal, martian. The first one is the only one known to succeed.

It looks like inside the machine there's a special version of the LPC protocol, called FWH (Firmware Hub), made by Intel starting from their ICH8 to support the movement of firmware from LPC to SPI. That leads to this:

 === Master Section ===
 FLMSTR1  0x0a0b0000
 FLMSTR2  0x0c0d0000
 FLMSTR3  0x08080118
 --- Details ---
       Descr. BIOS ME GbE Platf.
 BIOS    r     rw      rw
 ME      r         rw  rw
 GbE                   rw

As you can see, a running system (BIOS row, ME column) can't read or write the ME region, making it impossible for any software running on the machine to access it. In theory. In practice:

  • use an external SPI programmer.
  • there are always backdoors from NSA and good fellows finding and sharing new exploits in Intel Shitem Tools; one day we could be able to recover 3-4Mb of that wasted flash precious space, to implement our own toys on our own computers.

What happens thanks to those Security Features is that the B.O.F.H. (tip: Bastard Operator From Hell; a remote AMT operator) can remotely update the ME (which has access to the whole system memory), but you, in front of your keyboard and your monitor, of your computer, can't. Thanks Intel, much appreciated. Much. Much. Cough... much.
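
How the three FLMSTR values above turn into that access table, as an added example (not code from the original page, ifdtool or flashrom). It assumes the first-generation descriptor encoding, where bits 23:16 of each register are the per-region read grants and bits 31:24 the write grants; `host_findings` and the `0xFFFF0000` contrast value are constructed for illustration.

```python
# Added example: decode FLMSTR values (IFD v1 encoding assumed) into an access matrix.
REGIONS = ["Descr.", "BIOS", "ME", "GbE", "Platf."]      # region bit 0..4

# FLMSTR1..3 exactly as printed on this page (row name -> register value).
PAGE_MASTERS = {"BIOS": 0x0A0B0000, "ME": 0x0C0D0000, "GbE": 0x08080118}
# Constructed contrast case: a descriptor that grants the host every region.
UNLOCKED_MASTERS = {"BIOS": 0xFFFF0000, "ME": 0x0C0D0000, "GbE": 0x08080118}


def decode_flmstr(value):
    """Return {region: '', 'r', 'w' or 'rw'} for one FLMSTR register."""
    read_mask = (value >> 16) & 0xFF      # bits 23:16, one bit per region
    write_mask = (value >> 24) & 0xFF     # bits 31:24, one bit per region
    access = {}
    for bit, region in enumerate(REGIONS):
        flags = "r" if (read_mask >> bit) & 1 else ""
        flags += "w" if (write_mask >> bit) & 1 else ""
        access[region] = flags
    return access


def access_matrix(masters):
    """Decode every master: {master: {region: flags}}."""
    return {master: decode_flmstr(value) for master, value in masters.items()}


def host_findings(masters):
    """What software on the main CPU (the BIOS master) can reach beyond its
    own region. An empty list means the descriptor and ME are locked to it."""
    host = decode_flmstr(masters["BIOS"])
    findings = []
    if "w" in host["Descr."]:
        findings.append("descriptor writable")   # the access table itself is unprotected
    if "r" in host["ME"]:
        findings.append("ME readable")
    if "w" in host["ME"]:
        findings.append("ME writable")
    return findings


def format_matrix(matrix):
    """Render the matrix in the same rows/columns as the table above."""
    lines = ["      " + " ".join(f"{region:<6}" for region in REGIONS)]
    for master, access in matrix.items():
        lines.append(f"{master:<6}" + " ".join(f"{access[r]:<6}" for r in REGIONS))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_matrix(access_matrix(PAGE_MASTERS)))
    print("host findings (page values):", host_findings(PAGE_MASTERS))
    print("host findings (constructed unlocked):", host_findings(UNLOCKED_MASTERS))
```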

External

There are plenty of external programmers to buy or implement yourself with Cheap Charlie electronics; the one described here is just a beautified cut&paste from the x201 page on the coreboot wiki.

Depending on the flasher you use, you may have to use a separate 3.3V source. Make sure not to feed more than 3.3V to the chip. I used buspirate as flasher and 3.3V power lines from another computer. I recommend using a SOIC-8 clip (example: POMONA 5250). The pinout is as follows; the colors are buspirate colors:

  ===  front (display) ====
  3.3V (red)   N/C          CLK (violet)  MOSI (gray)
       |        |             |              |
  dot  |        |             |              |
  CS (white)   MISO (black) N/C           ground (brown)
  ===  back (touchpad) ===

Proceed as follows:

  • Turn off your laptop, remove battery and AC adapter.
  • Remove the keyboard.
  • Connect your external SPI flasher to the SPI chip, which is under the keyboard, around the position of the trackpoint, under a protective layer.
  • Burn ...

The cable shipped with buspirate was too long, and needed to be trimmed. If you have trouble reading the chip successfully, the most common problems are:
  • insufficient power supply
  • bad contacts
  • too long wires
  • bad pinout
See also In-System Programming

Internal

It's known that the locking mechanism is in the bootblock itself and that the original firmware has a way to update it. For this reason a way to unlock the bootblock would be:

  • Modify a firmware update to have a copy of bootblock without protection bit set on the other regions.
  • Flash the special update of rewritable region.
  • Reboot.
  • The bootblock parses the image and sees that it contains a compressed copy of new bootblock. That copy is uncompressed and flashed as a new bootblock.

For this method to work you need to compress the modified block to fit into the original space. The compression used is a Lempel-Ziv-Huffman variant. There is a compressor for the modified block but unfortunately it's not performant enough. So, this method has never been reported to be successfully used.

Martian

Using Windows and one of these:

  • Intel System Tools. (specific for your Intel AMT/ME, T410 has version 6.0 for IbexPeak)
  • phlash and winphlash.

In theory, using Intel System Tools (or phlash/winphlash) you can dump the entire flash, reconfigure the ROM and reflash the chip. The last Lenovo BIOS update for the T410 packs phlash (32 and 64 bit).

In the case of brick you can use Crisis or WinCrisis to recover a bad flash that gave you a brick. Theoretically. Martianly.

In practice on T410 I haven't been able to trigger the automatic bios reflash using a USB memory and the Fn+R (or Fn+B or Win+R or Win+B) at boot. The whole procedure is supposed to be: disconnect battery, disconnect AC, insert USB memory, keep Fn+R, reconnect AC, push Poweron button, release Fn+R+Poweron, check USB memory LED blinking, wait 10+ minutes, reboot. The Fn-R trick could be the way IBM wired the SMM execution mode to the keyboard in the old ICH models, but it doesn't work any more on PCH models.

So, without having a viable software recovery procedure (nor an external flasher), I didn't investigate further the Martian option. Curious fact: every time I investigated this option installing crappy tools found around the net, a bad strip appeared on my display. The first one was blue, the second was red ... and I don't want 50 stars appearing during the next 50 attempts, covering my porno in the intimate moments between me and my laptop!

Flash Layout

The flash chip in T410 is divided roughly in 4 regions:

  • Descriptor (12K)
  • ME firmware (5M-12K)
  • Rewriteable flash (3M-96K)
  • Locked bootblock (96K)
Descriptor and bootblock are read-only. ME firmware is not readable. Rewriteable region can be rewritten easily with flashrom. But flashrom refuses to read partially locked regions (because of the locked bootblock nested in the bios region); so it will always report a read failure unless you modify it to allow the read of "3M-96K" (see flashrom's ME page for patches).

We need to make the file rom.layout to allow flashrom to preserve descriptor and ME firmware while overwriting rewriteable region and bootblock.

For your courtesy there is a T410 whitelisted version of flashrom in my github fork. Otherwise you will have to add

 -pinternal:laptop=force_I_want_a_brick 

to flashrom command lines.

Identify the chip

Flashrom can identify the chip for you, example:

 Found Macronix flash chip "MX25L6405" (8192 kB, SPI) at physical address 0xff800000.

But flashrom might misidentify the chip, as it did in this case: this output is from an MX25L6445E.

If flashrom fails, you must visually identify your chip's part number, find an appropriate datasheet, and then add the chip name to the command line, for example:

 -c "MX25L6436E/MX25L6445E/MX25L6465E/MX25L6473E"

The Intel System Tools flashing utility (fptw.exe) reported that my T410 has an MX25L6405D.

Identify the regions

Read the flash.

 flashrom -VVV -p <yourprogrammer> -c <yourchip> -r flash.bin

Full example using the laptop itself (ie: no external programmer) to read the flash:

 # flashrom -VVVV -p internal:laptop=force_I_want_a_brick -c "MX25L6436E/MX25L6445E/MX25L6465E/MX25L6473E" -r t410.bin
 flashrom v0.9.6.1-r1563 on Linux 3.10-1-grml-amd64 (x86_64)
 flashrom is free software, get the source code at http://www.flashrom.org
 ...

It will print the ME regions, something like:

 FREG2: WARNING: Management Engine region (0x00003000-0x004fffff) is locked.

You can use that output to make your rom.layout file.

rom.layout example:

 000000000:00000fff fd
 000001000:00002fff gbe
 000003000:004fffff me
 000500000:007fffff bios

Once we have the rom.layout file we can use it with the proper flashrom option:

        -l, --layout <file>

Currently flashrom uses the layout feature for writing only. Flashrom's ME page (third workaround) reports that there are some flashrom patches to use the layout file for reading but they are locked behind an ident/confirm request for which I've no credentials.

If you can access the Intel System Tools, you can use those to read existing descriptor, gbe and bios regions. Probably more.

Flashing

Once you have your current BIOS backup, you must extract the descriptor and ME from it, then compile coreboot using those two blobs, and then flash back the new coreboot.rom. Recipe:

  • Read the flash the second time and compare the two files to be sure that there's no corruption in the backup.
 flashrom -VVV -p <yourprogrammer> -c <yourchip> -r flash2.bin
 diff flash.bin flash2.bin
  • Save a copy of it on external media.
 cp flash.bin /mnt/usb/
  • Recover descriptor and me firmware:
  dd if=flash.bin of=coreboot/3rdparty/mainboard/lenovo/x201/descriptor.bin \
    count=12288 bs=1M iflag=count_bytes
  dd if=flash.bin of=coreboot/3rdparty/mainboard/lenovo/x201/me.bin \
    skip=12288 count=5230592 bs=1M iflag=count_bytes,skip_bytes
  • Compile coreboot. Remember to enable HAVE_IFD and HAVE_ME_BIN.
  • Flash the resulting build/coreboot.rom
 flashrom -l rom.layout -i bios -w coreboot.rom

Welcome to Coreboot.
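
A cross-check of the recipe above, as an added example (not part of the original page or of flashrom): it parses the page's rom.layout, rejects gaps or overlaps, compares two reads by digest, and shows that the dd byte counts agree with the layout (the 12288-byte descriptor.bin spans the fd and gbe entries). The image is constructed filler rather than a real dump, and the function names are hypothetical.

```python
import hashlib

CHIP_SIZE = 8 * 1024 * 1024   # 8192 kB, the size flashrom reports on this page

# rom.layout exactly as given on this page (hex, inclusive end addresses).
ROM_LAYOUT = """\
000000000:00000fff fd
000001000:00002fff gbe
000003000:004fffff me
000500000:007fffff bios
"""


def parse_layout(text):
    """Parse 'start:end name' lines into sorted (start, end, name) tuples."""
    regions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        span, name = line.split()
        start, end = (int(part, 16) for part in span.split(":"))
        if end < start:
            raise ValueError(f"{name}: end {end:#x} is before start {start:#x}")
        regions.append((start, end, name))
    return sorted(regions)


def check_layout(regions, chip_size=CHIP_SIZE):
    """Raise ValueError on a gap, an overlap, or a layout that misses the chip size."""
    expected = 0
    for start, end, name in regions:
        if start != expected:
            raise ValueError(f"{name}: starts at {start:#x}, expected {expected:#x}")
        expected = end + 1
    if expected != chip_size:
        raise ValueError(f"layout ends at {expected:#x}, chip size is {chip_size:#x}")


def dump_digest(image):
    """SHA-256 of a dump; two reads of the same chip must give the same digest."""
    return hashlib.sha256(image).hexdigest()


def split_image(image, regions):
    """Slice a full dump into {region name: bytes} according to the layout."""
    return {name: image[start:end + 1] for start, end, name in regions}


def make_sample_image(regions):
    """Constructed stand-in for flash.bin: region N is filled with byte N."""
    return b"".join(bytes([i]) * (end - start + 1)
                    for i, (start, end, _) in enumerate(regions))


if __name__ == "__main__":
    layout = parse_layout(ROM_LAYOUT)
    check_layout(layout)
    first, second = make_sample_image(layout), make_sample_image(layout)
    if dump_digest(first) != dump_digest(second):
        raise SystemExit("reads differ: fix the connection and read again before flashing")
    parts = split_image(first, layout)
    # Same byte counts the two dd commands use: 12288 and 5230592.
    print(len(parts["fd"] + parts["gbe"]), len(parts["me"]))
```

Keeping the digest next to the backup copy also lets you confirm later that the file on external media is still the one you read from the chip.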

Proprietary BIOS components

Flashing coreboot in your bios chip won't set your laptop free, because some of the components are compulsory binary blobs from Intel&Co and there's a tall, long lasting, wall of indifference, on this issue:

  • EC (Embedded Controller): DO NOT TOUCH.
  • CPU Microcode: DO NOT TOUCH.
  • ME (Management Engine): DO NOT TOUCH.
  • GbE (Gigabit Ethernet): DO NOT TOUCH.
  • VGA option rom: you need it if you want graphics in SeaBIOS, but most payloads should work without it (text mode or corebootfb mode)
  • misc serialz and IDs entangling the whole machine here (S/N) and there (UUID) in the idiocratic attempt to close the gap between a machine and its owner, so that the legal department can assert accountability on insider trading cases, without lies to the prosecutor office.

By modifying one of those you could lose the laptop. Beware the dog...

... but if you actually think that you can talk with the animals, well, no worry: you are not crazy. Here are some resources to get to the (tipping) point:

Starting from the first Intel PCH (Calpella, IbexPeak+Nehalem), every generation of Core iX processors brought a new architecture change (e.g. moving the DRAM controller from the northbridge to the CPU die; moving the northbridge and the southbridge into the same die; finally, with Intel Skylake, moving everything into the same die) that modified the whole 'secure boot' process. So, parts of the ME fell deeper and deeper into obscurity.

Newer chip-not-sets (6th generation, Cougar Point; 7th gen, Panther Point; 8th gen, Lynx Point) are even worse. And the last one (Intel Skylake) is the definitive one: "The major expected changes between the Haswell and Skylake architectures include ... the integration of the Platform Controller Hub (PCH) onto the die for Skylake's H, U and Y variants, effectively following a system-on-chip (SoC) design layout." As far as I understand, the T410 (5th gen chipset, and its ME/AMT 6.0) has chances to be set free because the only foreseeable extra limits, compared to the older ones (ICHx), are: ME read-locked flash region, and a new cryptographic algo in the extracted blob.

(Philosophy follows)

For this reason, today, you must beware a worse animal than a dog: Cerbero, a three headed dog!!!

Three heads:

... and if you are still alive, not in prison, and you still can use your credit cards to buy technology without a fake postman to deliver it to you after a private shipping company denied their services to you, and the neighbour is not looking at you badly from the kitchen window because someone told her that you kill elders and rape kids, chill out a bit, because you are a lucky one. Wondering what was that road train that stepped over your body, asking around if someone had the chance to take the plate number of it ... but alive. Just do yourself a favour: before continuing with your reversing attempt to set you free, give up your email, and train some good pigeons for message delivery. It's underachieving from the engineering perspective but way safer for your person. Way safer. Because there is a horde of 70s, 90s, and counting, Middle Men that missed the whole thing, examples:
 Managers: http://news.bbc.co.uk/2/hi/asia-pacific/4396831.stm
 System Integrators: https://www.crowdsupply.com/purism/librem-15
 Journalists: http://surveillance.rsf.org/en/hacking-team/
 Industry Leaders: http://www.zdnet.com/article/oracle-to-sinner-customers-reverse-engineering-is-a-sin-youd-better-pack-it-in/

The hope is still the same that was in place when the first Clipper Chip appeared: Intel would split its effort in two, one to support the corporate world (ie: cost-based choices of their equipment, to increase efficiency and security of the organization), and a new one to support the human rights (ie: release the FSP source code so that individuals can take full control over their own tools, for own safety).

At this point in time someone should have noticed that the FYCs are the ones that loved Data Mining, Data Analysis, and Behavioural Sciences, all things that lead to believe in ... an Oracle; any: shamans, magicians, TV, computers, clerics, smartphones, credit cards ... whatever. I tell you more: Oracle's CEO in 2014 "was listed by Forbes as the third-wealthiest man in America and as the fifth-wealthiest person in the world, with a fortune of $56.2 billion". Compared to that one, Zucky is a poor paedophilia victim.

Good luck.

(End Of Philosophy)