Board:lenovo/x201: Difference between revisions

From coreboot
Jump to navigation Jump to search
No edit summary
Line 32: Line 32:
* [http://review.coreboot.org/#/c/2663/ The code is here]
* [http://review.coreboot.org/#/c/2663/ The code is here]
== Flashing ==
== Flashing ==
* you need an external programmer to flash it.
Flash in X201 is divided roughly in 4 parts:
* The flash chip is divided between the ME and the BIOS:
 
<phcoder> First 5M is ME firmware, last 3M is BIOS/coreboot
* Descriptor (12K)
* ME firmware (5M-12K)
* Rewriteable flash (3M-96K)
* Locked bootblock (96K)
 
Descriptor and bootblock are read-only. ME firmware is not readable.
Rewriteable region can be rewritten easily with flashrom.
 
For coreboot we need to preserve descriptor and ME firmware while overwriting
rewriteable region and bootblock. To achieve this there are 2 ways:
 
* External flasher.
* Unlock bootblock
 
For the first one proceeds as follows:
* Turn off your laptop, remove battery and AC adapter.
* Remove the keyboard.
* Connect your external SPI flasher to the SPI chip which is under keyboard,
  around the position of trackpoint under protective layer. I recommend using
  SOIC clip. Depending on the flasher you use, you may have to use separate
  3.3V source. Make sure not to feed more than 3.3V ot the chip. I used
  buspirate as flasher and 3.3V power lines from another computer.
* Read the flash. Twice. Compare the files to be sure. Save a copy of it on
  external media.
* Recover descriptor and me firmare:
  dd if=flash.bin of=coreboot/3rdparty/mainboard/lenovo/x201/descriptor.bin \
    count=12288 bs=1M iflag=count_bytes
  dd if=flash.bin of=coreboot/3rdparty/mainboard/lenovo/x201/me.bin \
    skip=12288 count=5230592 bs=1M iflag=count_bytes
* Compile coreboot
* Flash the resulting build/coreboot.rom
 
The other way has never been successfully used but it's known that the
locking mechanism is in bootblock itself and that original firmware has
a way to update it as follows:
* Flash an update of rewriteable region. On next boot bootblock parses the
  image and sees that it contains a compressed copy of new bootblock. That
  copy is uncompressed and flashed.
A way to unlock the bootblock would be to modify a firmware update to have a
copy of bootblock without protection. For this you need to compress the
modified block to fit into original space. The compression used is Lempel-Ziv-
Huffman variant. I've written a compressor for it but unfortunately it's not
performant enough.
 
 
* To find exactly where it's divided run that command(the example below is on another laptop):
* To find exactly where it's divided run that command(the example below is on another laptop):
  [root@N71Jq ~]# flashrom -r bios.bin -pinternal:laptop=force_I_want_a_brick
  [root@N71Jq ~]# flashrom -r bios.bin -pinternal:laptop=force_I_want_a_brick

Revision as of 21:24, 25 November 2013

Status

Issues:

  • suspend to RAM (S3) currently fails.
  • No expresscard hotplug
  • Sometimes Gnome starts to think that battery is 10 time larger than real
 Information from sysfs remains correct.
  • On my X201 there due to recent hardware failure thermal management doesn't
 work with either coreboot or original BIOS. Before this hardware fault
 happened thermal management worked under coreboot as well.

Tested:

  • RAM module combinations of 4G+4G, 4G, 2G+2G,4G+2G, 2G
  • USB
  • Video (both internal and VGA)
  • Expresscard slot
  • Sound
  • LAN
  • mini-PCIe slots (both wlan and wwan)
  • Linux (through GRUB-as-payload)
  • Windows (through GRUB-as-payload loading SeaBIOS image from disk)
  • SD card slot
  • Thermal management

Not tested:

  • Modem

proprietary components status

  • CPU Microcode (optional)
  • VGA option rom (optional): you need it if you wantgraphics in SeaBIOS but most payloads should work without it (text mode)
  • ME(Management Engine) => you do not have to touch it(just leave it where it is)
  • EC(Embedded Controller) => you do not have to touch it(just leave it where it is)

Code

Flashing

Flash in X201 is divided roughly in 4 parts:

  • Descriptor (12K)
  • ME firmware (5M-12K)
  • Rewriteable flash (3M-96K)
  • Locked bootblock (96K)

Descriptor and bootblock are read-only. ME firmware is not readable. Rewriteable region can be rewritten easily with flashrom.

For coreboot we need to preserve descriptor and ME firmware while overwriting rewriteable region and bootblock. To achieve this there are 2 ways:

  • External flasher.
  • Unlock bootblock

For the first one proceeds as follows:

  • Turn off your laptop, remove battery and AC adapter.
  • Remove the keyboard.
  • Connect your external SPI flasher to the SPI chip which is under keyboard,
 around the position of trackpoint under protective layer. I recommend using
 SOIC clip. Depending on the flasher you use, you may have to use separate
 3.3V source. Make sure not to feed more than 3.3V ot the chip. I used
 buspirate as flasher and 3.3V power lines from another computer.
  • Read the flash. Twice. Compare the files to be sure. Save a copy of it on
 external media.
  • Recover descriptor and me firmare:
 dd if=flash.bin of=coreboot/3rdparty/mainboard/lenovo/x201/descriptor.bin \
   count=12288 bs=1M iflag=count_bytes
 dd if=flash.bin of=coreboot/3rdparty/mainboard/lenovo/x201/me.bin \
   skip=12288 count=5230592 bs=1M iflag=count_bytes
  • Compile coreboot
  • Flash the resulting build/coreboot.rom

The other way has never been successfully used but it's known that the locking mechanism is in bootblock itself and that original firmware has a way to update it as follows:

  • Flash an update of rewriteable region. On next boot bootblock parses the
 image and sees that it contains a compressed copy of new bootblock. That
 copy is uncompressed and flashed.

A way to unlock the bootblock would be to modify a firmware update to have a copy of bootblock without protection. For this you need to compress the modified block to fit into original space. The compression used is Lempel-Ziv- Huffman variant. I've written a compressor for it but unfortunately it's not performant enough.


  • To find exactly where it's divided run that command(the example below is on another laptop):
[root@N71Jq ~]# flashrom -r bios.bin -pinternal:laptop=force_I_want_a_brick
flashrom v0.9.6.1-r1564 on Linux 3.8.2-1-LIBRE (x86_64)
flashrom is free software, get the source code at http://www.flashrom.org

Calibrating delay loop... OK.
========================================================================
WARNING! You may be running flashrom on an unsupported laptop. We could
not detect this for sure because your vendor has not setup the SMBIOS
tables correctly. You can enforce execution by adding
'-p internal:laptop=this_is_not_a_laptop' to the command line, but
please read the following warning if you are not sure.

Laptops, notebooks and netbooks are difficult to support and we
recommend to use the vendor flashing utility. The embedded controller
(EC) in these machines often interacts badly with flashing.
See http://www.flashrom.org/Laptops for details.

If flash is shared with the EC, erase is guaranteed to brick your laptop
and write may brick your laptop.
Read and probe may irritate your EC and cause fan failure, backlight
failure and sudden poweroff.
You have been warned.
========================================================================
Proceeding anyway because user forced us to.
Found chipset "Intel HM55". 
This chipset is marked as untested. If you are using an up-to-date version
of flashrom *and* were (not) able to successfully update your firmware with it,
then please email a report to flashrom@flashrom.org including a verbose (-V) log.
Thank you!
Enabling flash write... FREG0: WARNING: Flash Descriptor region (0x00000000-0x00000fff) is read-only.
FREG2: WARNING: Management Engine region (0x00003000-0x001fffff) is locked.
Please send a verbose log to flashrom@flashrom.org if this board is not listed on
http://flashrom.org/Supported_hardware#Supported_mainboards yet.
Writes have been disabled. You can enforce write support with the
ich_spi_force programmer option, but it will most likely harm your hardware!
If you force flashrom you will get no support if something breaks.
OK.
Found SST flash chip "SST25VF032B" (4096 kB, SPI) at physical address 0xffc00000.
Reading flash... Transaction error!
Read operation failed!
FAILED.

it will print the ME regions:

FREG2: WARNING: Management Engine region (0x00003000-0x001fffff) is locked.

it will also print the chip:

Found SST flash chip "SST25VF032B" (4096 kB, SPI) at physical address 0xffc00000.

=> verify if its voltage match with the programmer voltage...

  • Then man flashrom says:
       -l, --layout <file>
              Read ROM layout from <file>.

              flashrom  supports  ROM  layouts. This allows you to flash certain parts of the flash chip only. A ROM layout file contains multiple lines with the following
              syntax:

                startaddr:endaddr imagename

              startaddr and endaddr are hexadecimal addresses within the ROM file and do not refer to any physical address. Please note that using a 0x  prefix  for  those
              hexadecimal  numbers  is  not necessary, but you can't specify decimal/octal numbers.  imagename is an arbitrary name for the region/image from  startaddr to
              endaddr (both addresses included).

              Example:

                00000000:00008fff gfxrom
                00009000:0003ffff normal
                00040000:0007ffff fallback

              If you only want to update the image named normal in a ROM based on the layout above, run

                flashrom -p prog --layout rom.layout --image normal -w some.rom

              To update only the images named normal and fallback, run:

                flashrom -p prog -l rom.layout -i normal -i fallback -w some.rom

              Overlapping sections are not supported.