GM45 Thinkpad Internal flashing research: Difference between revisions

From coreboot
Jump to navigation Jump to search
Line 15: Line 15:


== Approaches ==
== Approaches ==
* The bootblock is read-only, and sets the PR registers protections. There might be a way to ask it nicely to remove such protections, to be able to reflash coreboot.
When the computer boots, the bootblock sets the PR registers, which has the effect of making itself read-only.
* Modded boot firmware that disable WiFi card whitelist, have some unused components:
If there are conditions in which the bootblock doesn't set the PR registers, finding, understanding, and using them would allow us to reflash coreboot internally when booted from the default boot firmware.
** A bootblock that doesn't set the PR registers
 
** A flash descriptor that disables the Management Engine
There are several approaches that could help finding them:
* They are unused during the boot fimrware update,because it will only update other sections of the image.
* There are modded boot firmwares that aim to disable the WiFi card whitelist: While they only update some sections of the flash image, they also come with some unused bootblock and flash descriptor that respectively don't set the PR register and that disable the Management Engine:
** Comparing them with the original boot firmware might lead to interesting results.

Revision as of 15:44, 1 March 2017

Introduction

The goal is to be able to flash internally the x200 with Flashrom.

Anti-reflashing mechanisms

The Lenovo X200 uses the following mechanisms to prevent internal reflashing:

  • Flash descriptor: Set the flash descriptor read-only, locks the ME, and platform regions.
  • PR registers: Sets the BIOS bootblock read-only and prevent access to the platform region
  • The BUC.TS register is locked.

Non-working approaches

  • If we remove the flash descriptor read-only protection we are able to easily reflash coreboot, but:
    • The flash descriptor restrictions may be able to be lifted by using the GPIO33, but accessing that pin is very difficult and has huge probability of breaking the board.
    • Finding a command to send to the ME to unlock it is very unlikely, as it is only supposed to work when the management engine is in manufacture-mode. The Me is not in manufacture-mode on production laptops.
    • Find a way to disable or crash the ME would probably have no effect at all on flash protections

Approaches

When the computer boots, the bootblock sets the PR registers, which has the effect of making itself read-only. If there are conditions in which the bootblock doesn't set the PR registers, finding, understanding, and using them would allow us to reflash coreboot internally when booted from the default boot firmware.

There are several approaches that could help finding them:

  • There are modded boot firmwares that aim to disable the WiFi card whitelist: While they only update some sections of the flash image, they also come with some unused bootblock and flash descriptor that respectively don't set the PR register and that disable the Management Engine:
    • Comparing them with the original boot firmware might lead to interesting results.