Board:lenovo/x201: Difference between revisions
No edit summary |
|||
Line 32: | Line 32: | ||
* [http://review.coreboot.org/#/c/2663/ The code is here] | * [http://review.coreboot.org/#/c/2663/ The code is here] | ||
== Flashing == | == Flashing == | ||
* | Flash in X201 is divided roughly in 4 parts: | ||
* The | |||
* Descriptor (12K) | |||
* ME firmware (5M-12K) | |||
* Rewriteable flash (3M-96K) | |||
* Locked bootblock (96K) | |||
Descriptor and bootblock are read-only. ME firmware is not readable. | |||
Rewriteable region can be rewritten easily with flashrom. | |||
For coreboot we need to preserve descriptor and ME firmware while overwriting | |||
rewriteable region and bootblock. To achieve this there are 2 ways: | |||
* External flasher. | |||
* Unlock bootblock | |||
For the first one proceeds as follows: | |||
* Turn off your laptop, remove battery and AC adapter. | |||
* Remove the keyboard. | |||
* Connect your external SPI flasher to the SPI chip which is under keyboard, | |||
around the position of trackpoint under protective layer. I recommend using | |||
SOIC clip. Depending on the flasher you use, you may have to use separate | |||
3.3V source. Make sure not to feed more than 3.3V ot the chip. I used | |||
buspirate as flasher and 3.3V power lines from another computer. | |||
* Read the flash. Twice. Compare the files to be sure. Save a copy of it on | |||
external media. | |||
* Recover descriptor and me firmare: | |||
dd if=flash.bin of=coreboot/3rdparty/mainboard/lenovo/x201/descriptor.bin \ | |||
count=12288 bs=1M iflag=count_bytes | |||
dd if=flash.bin of=coreboot/3rdparty/mainboard/lenovo/x201/me.bin \ | |||
skip=12288 count=5230592 bs=1M iflag=count_bytes | |||
* Compile coreboot | |||
* Flash the resulting build/coreboot.rom | |||
The other way has never been successfully used but it's known that the | |||
locking mechanism is in bootblock itself and that original firmware has | |||
a way to update it as follows: | |||
* Flash an update of rewriteable region. On next boot bootblock parses the | |||
image and sees that it contains a compressed copy of new bootblock. That | |||
copy is uncompressed and flashed. | |||
A way to unlock the bootblock would be to modify a firmware update to have a | |||
copy of bootblock without protection. For this you need to compress the | |||
modified block to fit into original space. The compression used is Lempel-Ziv- | |||
Huffman variant. I've written a compressor for it but unfortunately it's not | |||
performant enough. | |||
* To find exactly where it's divided run that command(the example below is on another laptop): | * To find exactly where it's divided run that command(the example below is on another laptop): | ||
[root@N71Jq ~]# flashrom -r bios.bin -pinternal:laptop=force_I_want_a_brick | [root@N71Jq ~]# flashrom -r bios.bin -pinternal:laptop=force_I_want_a_brick |
Revision as of 21:24, 25 November 2013
Status
Issues:
- suspend to RAM (S3) currently fails.
- No expresscard hotplug
- Sometimes Gnome starts to think that battery is 10 time larger than real
Information from sysfs remains correct.
- On my X201 there due to recent hardware failure thermal management doesn't
work with either coreboot or original BIOS. Before this hardware fault happened thermal management worked under coreboot as well.
Tested:
- RAM module combinations of 4G+4G, 4G, 2G+2G,4G+2G, 2G
- USB
- Video (both internal and VGA)
- Expresscard slot
- Sound
- LAN
- mini-PCIe slots (both wlan and wwan)
- Linux (through GRUB-as-payload)
- Windows (through GRUB-as-payload loading SeaBIOS image from disk)
- SD card slot
- Thermal management
Not tested:
- Modem
proprietary components status
- CPU Microcode (optional)
- VGA option rom (optional): you need it if you wantgraphics in SeaBIOS but most payloads should work without it (text mode)
- ME(Management Engine) => you do not have to touch it(just leave it where it is)
- EC(Embedded Controller) => you do not have to touch it(just leave it where it is)
Code
Flashing
Flash in X201 is divided roughly in 4 parts:
- Descriptor (12K)
- ME firmware (5M-12K)
- Rewriteable flash (3M-96K)
- Locked bootblock (96K)
Descriptor and bootblock are read-only. ME firmware is not readable. Rewriteable region can be rewritten easily with flashrom.
For coreboot we need to preserve descriptor and ME firmware while overwriting rewriteable region and bootblock. To achieve this there are 2 ways:
- External flasher.
- Unlock bootblock
For the first one proceeds as follows:
- Turn off your laptop, remove battery and AC adapter.
- Remove the keyboard.
- Connect your external SPI flasher to the SPI chip which is under keyboard,
around the position of trackpoint under protective layer. I recommend using SOIC clip. Depending on the flasher you use, you may have to use separate 3.3V source. Make sure not to feed more than 3.3V ot the chip. I used buspirate as flasher and 3.3V power lines from another computer.
- Read the flash. Twice. Compare the files to be sure. Save a copy of it on
external media.
- Recover descriptor and me firmare:
dd if=flash.bin of=coreboot/3rdparty/mainboard/lenovo/x201/descriptor.bin \ count=12288 bs=1M iflag=count_bytes dd if=flash.bin of=coreboot/3rdparty/mainboard/lenovo/x201/me.bin \ skip=12288 count=5230592 bs=1M iflag=count_bytes
- Compile coreboot
- Flash the resulting build/coreboot.rom
The other way has never been successfully used but it's known that the locking mechanism is in bootblock itself and that original firmware has a way to update it as follows:
- Flash an update of rewriteable region. On next boot bootblock parses the
image and sees that it contains a compressed copy of new bootblock. That copy is uncompressed and flashed.
A way to unlock the bootblock would be to modify a firmware update to have a copy of bootblock without protection. For this you need to compress the modified block to fit into original space. The compression used is Lempel-Ziv- Huffman variant. I've written a compressor for it but unfortunately it's not performant enough.
- To find exactly where it's divided run that command(the example below is on another laptop):
[root@N71Jq ~]# flashrom -r bios.bin -pinternal:laptop=force_I_want_a_brick flashrom v0.9.6.1-r1564 on Linux 3.8.2-1-LIBRE (x86_64) flashrom is free software, get the source code at http://www.flashrom.org Calibrating delay loop... OK. ======================================================================== WARNING! You may be running flashrom on an unsupported laptop. We could not detect this for sure because your vendor has not setup the SMBIOS tables correctly. You can enforce execution by adding '-p internal:laptop=this_is_not_a_laptop' to the command line, but please read the following warning if you are not sure. Laptops, notebooks and netbooks are difficult to support and we recommend to use the vendor flashing utility. The embedded controller (EC) in these machines often interacts badly with flashing. See http://www.flashrom.org/Laptops for details. If flash is shared with the EC, erase is guaranteed to brick your laptop and write may brick your laptop. Read and probe may irritate your EC and cause fan failure, backlight failure and sudden poweroff. You have been warned. ======================================================================== Proceeding anyway because user forced us to. Found chipset "Intel HM55". This chipset is marked as untested. If you are using an up-to-date version of flashrom *and* were (not) able to successfully update your firmware with it, then please email a report to flashrom@flashrom.org including a verbose (-V) log. Thank you! Enabling flash write... FREG0: WARNING: Flash Descriptor region (0x00000000-0x00000fff) is read-only. FREG2: WARNING: Management Engine region (0x00003000-0x001fffff) is locked. Please send a verbose log to flashrom@flashrom.org if this board is not listed on http://flashrom.org/Supported_hardware#Supported_mainboards yet. Writes have been disabled. You can enforce write support with the ich_spi_force programmer option, but it will most likely harm your hardware! If you force flashrom you will get no support if something breaks. OK. Found SST flash chip "SST25VF032B" (4096 kB, SPI) at physical address 0xffc00000. Reading flash... Transaction error! Read operation failed! FAILED.
it will print the ME regions:
FREG2: WARNING: Management Engine region (0x00003000-0x001fffff) is locked.
it will also print the chip:
Found SST flash chip "SST25VF032B" (4096 kB, SPI) at physical address 0xffc00000.
=> verify if its voltage match with the programmer voltage...
- Then man flashrom says:
-l, --layout <file> Read ROM layout from <file>. flashrom supports ROM layouts. This allows you to flash certain parts of the flash chip only. A ROM layout file contains multiple lines with the following syntax: startaddr:endaddr imagename startaddr and endaddr are hexadecimal addresses within the ROM file and do not refer to any physical address. Please note that using a 0x prefix for those hexadecimal numbers is not necessary, but you can't specify decimal/octal numbers. imagename is an arbitrary name for the region/image from startaddr to endaddr (both addresses included). Example: 00000000:00008fff gfxrom 00009000:0003ffff normal 00040000:0007ffff fallback If you only want to update the image named normal in a ROM based on the layout above, run flashrom -p prog --layout rom.layout --image normal -w some.rom To update only the images named normal and fallback, run: flashrom -p prog -l rom.layout -i normal -i fallback -w some.rom Overlapping sections are not supported.