Difference between revisions of "Board:lenovo/x201"
(→Method 2: unlocking the bootblock: Format for comprehensibility)
(→Method 2: unlocking the bootblock: Describe User:Phcoder's compressor in the third person, instead of the first person.)
|Line 175:||Line 175:|
* That copy is uncompressed and flashed.
* That copy is uncompressed and flashed.
A way to unlock the bootblock would be to modify a firmware update to have a copy of the bootblock without protection. For this you would need to compress the modified block to fit into original space. The compression used is Lempel-Ziv- Huffman variant.
A way to unlock the bootblock would be to modify a firmware update to have a copy of the bootblock without protection. For this you would need to compress the modified block to fit into original space. The compression used is Lempel-Ziv- Huffman variant. written a compressor for itbut it not performant enough.
===identify the regions===
===identify the regions===
Revision as of 23:50, 18 March 2017
Thanks for your interest in Lenovo X201 port.
- Sometimes Gnome starts to think that battery is 10 time larger than real. Information from sysfs remains correct. Doesn't appear in newer gnome
- Yellow USB port is not powered when computer is shut down or in S3.
- Most times after suspend an EC IRQ hangs in the queue and all functions keys stopped working until cold boot.
- Commit 456f495d broke USB and PCI-E (unable to boot from live ISO on USB), a hard reset to commit a3e41c08 fixed the boot issue, however the following issues occured/persisted:
- The X201 immedeatly powers off after resuming from suspend resulting a completely lost session sometimes (Race condition)
- See http://review.coreboot.org/#/c/10352/ for more details
- RAM module combinations of 4G+4G, 4G, 2G+2G,4G+2G, 2G
- suspend to RAM (S3) (see issue mentioned above)
- USB (see issues mentioned above)
- Video (both internal and VGA)
- Expresscard slot (including hotplug)
- mini-PCIe slots (both wlan and wwan)
- Linux (through GRUB-as-payload & SeaBIOS-as-payload)
- Windows (through GRUB-as-payload loading SeaBIOS image from disk; you have to use extracted VGA blob, dumped from memory isn't good enough)
- SD card slot
- Thermal management
- Fingerprint reader
- Digitizer on X201t variant.
proprietary components status
- CPU Microcode
- VGA Option ROM (optional): you need it if you want graphics in SeaBIOS but most payloads (e.g. GRUB2) work just fine without it (text mode or corebootfb mode)
- [[Intel_Management_Engine|ME(Management Engine)] => you do not have to touch it (just leave it where it is)
- EC(Embedded Controller) => you do not have to touch it (just leave it where it is)
$ git clone https://review.coreboot.org/coreboot.git
Background info: flash layout
The flash memory in the X201 is divided into roughly 4 parts, readable and writable thus:
|Part||Size||With Flashrom on
the running system
|With Flashrom via|
an external programmer
|ME firmware||5M minus 12K||No||No||Yes||Yes|
|Rewriteable flash||3M minus 96K||Yes||Yes||Yes||Yes|
To install coreboot onto the X201, we need to preserve the descriptor and the ME firmware, and to overwrite the rewriteable region and the bootblock. There are two ways to achieve this:
- External flasher.
- Unlock bootblock.
Method 1: external flasher
In addition to your X201, you will need an external SPI flasher supported by Flashrom, connected to a PC capable of running Flashrom.
Read the flash chip contents
Turn off your X201.
Remove the following:
Locate the SPI chip. It should be beneath a protective plastic sheet, under where the keyboard was, at roughly the location where the trackpoint was.
Connect your external SPI flasher to the SPI chip, ideally using a SOIC-8 clip.
The pinout is as follows. (The colors in parentheses are those used by the Bus Pirate breakout cable; your programmer may use leads with different colors.)
^ Towards LCD display (i.e. away from you) | (red) (violet) (gray) 3.3V N/C CLK MOSI _|_______|_______|_______|_ | | | | | | | | |___________________________| | | | | CS MISO N/C GND (white) (black) (brown) | v Towards front edge of laptop base (i.e. towards you)
Not all external programmers supply enough current to enable reliable reads from and writes to the flash chip. If yours does not (as is the case with the Bus Pirate and the BeagleBone Black), then you may have to use a more powerful regulated power supply to feed the chip's 3.3V pin. Make sure not to exceed 3.3V.
Read the flash chip's contents at least twice, using Flashrom. Compare the files to be sure they are identical.
flashrom -p <yourprogrammer> -r flash.bin flashrom -p <yourprogrammer> -r flash2.bin diff flash.bin flash2.bin
If you have trouble reading the chip successfully, check for an eliminate these common problems:
- insufficient power supply;
- bad contacts;
- excessively long wires (even 10cm may be too long);
- incorrect connections.
For additional troubleshooting, see: In-System Programming.
Once you have a good copy of the flash chip's contents, save a copy of the file to external media as a backup.
- Recover descriptor and ME firmare:
dd if=flash.bin of=coreboot/3rdparty/mainboard/lenovo/x201/descriptor.bin \ count=12288 bs=1M iflag=count_bytes dd if=flash.bin of=coreboot/3rdparty/mainboard/lenovo/x201/me.bin \ skip=12288 count=5230592 bs=1M iflag=count_bytes,skip_bytes
- Compile coreboot. Remember to enable HAVE_IFD and HAVE_ME_BIN
- Flash the resulting build/coreboot.rom
Method 2: unlocking the bootblock
No-one has so far published any success with this method. In theory, however, it is possible.
The locking mechanism is in the bootblock itself. The original firmware has a way to update it as follows.
- Flash an update to the rewriteable region, containing a compressed copy of the new bootblock.
- On next boot, the bootblock parses the rewritable region and sees that compressed copy.
- That copy is uncompressed and flashed.
A way to unlock the bootblock would be to modify a firmware update to have a copy of the bootblock without protection. For this you would need to compress the modified block to fit into original space. The compression used is Lempel-Ziv- Huffman variant. Phcoder has written a compressor for it, but stated that it was not performant enough.
identify the regions
[root@x201 ~]# flashrom -r bios.bin -pinternal:laptop=force_I_want_a_brick flashrom v0.9.6.1-r1563 on Linux 3.10-1-grml-amd64 (x86_64) flashrom is free software, get the source code at http://www.flashrom.org Calibrating delay loop... OK. Found chipset "Intel QM57". Enabling flash write... WARNING: SPI Configuration Lockdown activated. FREG0: WARNING: Flash Descriptor region (0x00000000-0x00000fff) is read-only. FREG2: WARNING: Management Engine region (0x00003000-0x004fffff) is locked. PR0: WARNING: 0x007d0000-0x01ffffff is read-only. Please send a verbose log to email@example.com if this board is not listed on http://flashrom.org/Supported_hardware#Supported_mainboards yet. Writes have been disabled. You can enforce write support with the ich_spi_force programmer option, but it will most likely harm your hardware! If you force flashrom you will get no support if something breaks. OK. Found Macronix flash chip "MX25L6405" (8192 kB, SPI) at physical address 0xff800000. Reading flash... FAILED.
it will print the ME regions:
FREG2: WARNING: Management Engine region (0x00003000-0x004fffff) is locked.
it will also print the chip:
Found Macronix flash chip "MX25L6405" (8192 kB, SPI) at physical address 0xff800000.
But as in this case, flashrom might misidentify the chip, this output is from this MX25L6445E
visually verify your chip's part number and find an appropriate datasheet
=>verify that its voltage matches with the programmer voltage...
- Use flashrom layouts:
-l, --layout <file>
000000000:00000fff fd 000001000:00002fff gbe 000003000:004fffff me 000500000:007fffff bios
To flash only the bios partition (coreboot + payload) do:
flashrom -l <layout> -i bios -w coreboot.rom