[Libreboot] [GM45/GS45] Internal reflash (GPIO33, and PR registers)

From: Denis 'GNUtoo' Carikli
Subject: [Libreboot] [GM45/GS45] Internal reflash (GPIO33, and PR registers)
Date: Wed, 20 Apr 2016 23:22:38 +0200


The libreboot documentation has a section about GPIO33[1].
If grounded, it can disable the flash descriptor protections.

The PR register protections remain.

On the X200T, with the stock BIOS, we have several regions:
Region 0 (Descr.) 0x00000000 - 0x00000fff
Region 2 (ME    ) 0x00001000 - 0x005f5fff
Region 3 (GbE   ) 0x005f6000 - 0x005f7fff
Region 4 (Platf.) 0x005f8000 - 0x005fffff
Region 1 (BIOS  ) 0x00600000 - 0x007fffff

The flash size is 8MiB (0x800000).

Here are the PR registers:
0x84: 0x85ff85f8 PR4: Warning: 0x005f8000-0x005fffff is locked.
0x74: 0x9fff07e0 PR0: Warning: 0x007e0000-0x01ffffff is read-only.

So PR4 locks the platform region. That means that we cannot read it.
PR0 prevents writing to the last 128KiB of that flash chip.

If we patch flashrom (I've scripts for that at home) we can read the
whole flash but the platform partition.
I've not yet patched it for write support.

ifdtool[2] has a way to change the partition layout:
> $ ./ifdtool
> [...]
> usage: ./ifdtool [-vhdix?] <filename>
> [...]
>   -f | --layout <filename>           dump regions into a flashrom

It can also change the content of a region (like replace the BIOS
region with coreboot/libreboot).

So the idea would be:
0) Set GPIO33 to low/ground.
1) To dump the BIOS but the platform partition.
2) To modify such BIOS image:
   - By changing its layout to move the BIOS out of the region
     protected by the PR0 register
   - Replacing the BIOS by coreboot/libreboot
3) To flash that image, with flashrom patched not to read/write the
   platform region protected by the PR4
4) To boot, dump the platform region, reconstruct the stock image.
5) To reflash a normal coreboot/libreboot image.

Unfortunately I don't have the hardware to test with me right now, and I
don't have easy ways to recover yet on my Lenovo X200T (no clips exist
for such a laptop, I would need to take the time to solder some
connector or replace the flash chip).

It would be nice if someone could test the idea mentioned above
assuming that person:
- Has enough experience not to break the laptop while grounding GPIO33.
- Can easily reflash in case of non-booting laptop.
- Can reflash the stock BIOS easily.

On my side, I left the flashrom patches on my X200T, I'll look if I can
re-create or find them.

I also need to implement the ability to skip touching (that includes
reading) regions while writing.

[2] util/ifdtool in coreboot sources.
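
An added example, not part of the original message and not flashrom's or the author's code: it decodes the two PR register values quoted above and reports which of the listed regions a patched flashrom would have to skip for reading or writing. The bit layout (bits 12:0 base, bit 15 read protect, bits 28:16 limit, bit 31 write protect) is assumed from the ICH9 SPI register definition; all function and variable names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed ICH9 PRx layout: bits 12:0 = base (address bits 24:12),
 * bit 15 = read protect, bits 28:16 = limit, bit 31 = write protect. */
struct pr { uint32_t base, limit; int rd_prot, wr_prot; };
struct region { const char *name; uint32_t start, end; };

static struct pr decode_pr(uint32_t v)
{
    struct pr p;
    p.base    = (v << 12) & 0x01fff000;
    p.limit   = ((v >> 4) & 0x01fff000) | 0xfff;
    p.rd_prot = (v >> 15) & 1;
    p.wr_prot = (v >> 31) & 1;
    return p;
}

/* Bit 0 set: some byte of r is read-protected. Bit 1 set: write-protected. */
static int region_blocked(const struct region *r, const uint32_t *prs, int n)
{
    int flags = 0;
    for (int i = 0; i < n; i++) {
        struct pr p = decode_pr(prs[i]);
        if (p.base > p.limit || r->end < p.base || r->start > p.limit)
            continue;               /* empty range or no overlap */
        flags |= p.rd_prot | (p.wr_prot << 1);
    }
    return flags;
}

/* Values quoted in the message (X200T, stock BIOS). */
static const uint32_t x200t_prs[] = { 0x85ff85f8 /* PR4 */, 0x9fff07e0 /* PR0 */ };
static const struct region x200t_regions[] = {
    { "Descr.", 0x000000, 0x000fff }, { "ME",     0x001000, 0x5f5fff },
    { "GbE",    0x5f6000, 0x5f7fff }, { "Platf.", 0x5f8000, 0x5fffff },
    { "BIOS",   0x600000, 0x7fffff },
};

int main(void)
{
    for (size_t i = 0; i < sizeof x200t_regions / sizeof *x200t_regions; i++) {
        int f = region_blocked(&x200t_regions[i], x200t_prs, 2);
        printf("%-6s 0x%06x-0x%06x read:%s write:%s\n", x200t_regions[i].name,
               (unsigned)x200t_regions[i].start, (unsigned)x200t_regions[i].end,
               (f & 1) ? "blocked" : "ok", (f & 2) ? "blocked" : "ok");
    }
    return 0;
}
```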

