GM45 Thinkpad Internal flashing research: Difference between revisions

From coreboot
Jump to navigation Jump to search
No edit summary
Line 7: Line 7:
* PR registers: Sets the BIOS bootblock read-only and prevent access to the platform region
* PR registers: Sets the BIOS bootblock read-only and prevent access to the platform region


== Idea ==
== Non-working approaches ==
The flash descriptor restrictions can be lifted by using the GPIO33.
* If we remove the flash descriptor read-only protection we are able to easily reflash coreboot, but:
That would then permit us, once booted, to reflash all the flash chip but what is still covered by the PR registers.
** The flash descriptor restrictions may be able to be lifted by using the GPIO33, but accessing that pin is very difficult and has huge probability of breaking the board.
This should be enough to relocate coreboot/libreboot outside of the region covered by the PR registers.
** Finding a command to send to the ME to unlock it is very unlikely, as it is only supposed to work when the management engine is in manufacture-mode. The Me is not in manufacture-mode on production laptops.
** Find a way to disable or crash the ME would probably have no effect at all on flash protections


Since the platform region would still be locked by the PR registers, flashrom will need to be patched not to touch it at all (it should not even try to read it).
== Approaches ==
* The bootblock is read-only, and sets the PR registers protections. There might be a way to ask it nicely to remove such protections, to be able to reflash it with coreboot.
* Some unofficial BIOS updates (that removes the WiFi whitelist limitation) exists and are rumored to disable PR registers protections.

Revision as of 15:19, 1 March 2017

Introduction

The goal is to be able to flash internally the x200 with Flashrom.

Anti-reflashing mechanisms

The Lenovo X200 uses the following mechanisms to prevent internal reflashing:

  • Flash descriptor: Set the flash descriptor read-only, locks the ME, and platform regions.
  • PR registers: Sets the BIOS bootblock read-only and prevent access to the platform region

Non-working approaches

  • If we remove the flash descriptor read-only protection we are able to easily reflash coreboot, but:
    • The flash descriptor restrictions may be able to be lifted by using the GPIO33, but accessing that pin is very difficult and has huge probability of breaking the board.
    • Finding a command to send to the ME to unlock it is very unlikely, as it is only supposed to work when the management engine is in manufacture-mode. The Me is not in manufacture-mode on production laptops.
    • Find a way to disable or crash the ME would probably have no effect at all on flash protections

Approaches

  • The bootblock is read-only, and sets the PR registers protections. There might be a way to ask it nicely to remove such protections, to be able to reflash it with coreboot.
  • Some unofficial BIOS updates (that removes the WiFi whitelist limitation) exists and are rumored to disable PR registers protections.