Re: [Libreboot] [GM45/GS45] Internal reflash (GPIO33, and PR registers)

From: Leah Woods
Subject: Re: [Libreboot] [GM45/GS45] Internal reflash (GPIO33, and PR registers)
Date: Mon, 16 May 2016 12:59:35 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Icedove/31.8.0

Hi Denis,

On 20/04/16 at 22:22, Denis 'GNUtoo' Carikli wrote:
> Here are the PR registers:
> 0x84: 0x85ff85f8 PR4: Warning: 0x005f8000-0x005fffff is locked.
> 0x74: 0x9fff07e0 PR0: Warning: 0x007e0000-0x01ffffff is read-only.

Finding out how to modify factory.rom to set these so that there are no
write protections would be ideal.

Then you could modify a factory.rom image descriptor region to disable
the management engine, using this:

Theoretically, with both of those done, you'd have the ability to
easily switch between factory/libreboot when debugging something from
factory BIOS.

> So PR4 locks the platform region. That means that we cannot read
> it. PR0 prevents writing the last 128KiB of that flash chip.
>
> If we patch flashrom (I've scripts for that at home) we can read
> the whole flash but the platform partition. I've not yet patched it
> for write support.
>
> ifdtool[2] has a way to change the partition layout:
>> $ ./ifdtool
>> [...]
>> usage: ./ifdtool [-vhdix?] <filename>
>> [...]
>> -f | --layout <filename>           dump regions into a flashrom
Libreboot also uses its own ich tool, in
resources/utilities/ich9deblob/ and can be modified. It already
modifies partition layout in the descriptor (removes ME and GbE regions)

(we weren't aware of ifdtool when writing it, otherwise we would have
modified ifdtool)

> It can also change the content of a region (like replace the BIOS 
> region with coreboot/libreboot).
> So the idea would be:
> 0) Set GPIO33 to low/ground.
> 1) To dump the BIOS but the platform partition.
> 2) To modify such BIOS image:
>    - By changing its layout to move the BIOS out of the region
>      protected by the PR0 register
>    - Replacing the BIOS by coreboot/libreboot
> 3) To flash that image, with flashrom patched not to read/write the
>    platform region protected by the PR4
> 4) To boot, dump the platform region, reconstruct the stock image.
> 5) To reflash a normal coreboot/libreboot image.
> Unfortunately I don't have the hardware to test with me right now,
> and I don't have easy ways to recover yet on my Lenovo X200T (No
> clips exist for such laptop, I would need to take the time to
> solder some connector or replace the flash chip).

The WSON chip is SPI and has the same pinout as SOIC8. You could put a
SOIC8 chip in there. "swiftgeek" from the IRC did this on their X200T:

-- 
Leah Woods

Libreboot developer
Freenode IRC nick (#libreboot): vimuser

Use free software. Free as in freedom.

Use a free operating system, GNU/Linux.

Use a free BIOS.

Support freedom. Join the Free Software Foundation.

Minifree Ltd, trading as Ministry of Freedom | Registered in England,
No. 9361826 | VAT No. GB202190462
Registered Office: 19 Hilton Road, Canvey Island, Essex SS8 9QA, UK |
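
The PR register values quoted in this message, decoded as an added example (not part of the original e-mail and not flashrom or libreboot code). It assumes the Protected Range register layout from the Intel ICH9 datasheet; the struct and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed ICH9 Protected Range (PRn) layout, per the Intel ICH9 datasheet:
 * bits 12:0  = base address bits 24:12,  bit 15 = read-protect enable,
 * bits 28:16 = limit address bits 24:12, bit 31 = write-protect enable. */
struct pr_range {
    uint32_t base;          /* first protected byte */
    uint32_t limit;         /* last protected byte (low 12 bits all ones) */
    int read_protected;
    int write_protected;
};

struct pr_range decode_pr(uint32_t reg)
{
    struct pr_range r;
    r.base = (reg & 0x1fffu) << 12;
    r.limit = (((reg >> 16) & 0x1fffu) << 12) | 0xfffu;
    r.read_protected = (reg >> 15) & 1;
    r.write_protected = (reg >> 31) & 1;
    return r;
}

/* Same wording as the warnings quoted in the thread. */
const char *pr_access(struct pr_range r)
{
    if (r.read_protected && r.write_protected) return "locked";
    if (r.write_protected) return "read-only";
    return r.read_protected ? "write-only" : "unprotected";
}

/* Would a write to [start, end] touch a write-protected range? */
int write_blocked(struct pr_range r, uint32_t start, uint32_t end)
{
    return r.write_protected && start <= r.limit && end >= r.base;
}

int main(void)
{
    /* Register values quoted in the message (offsets 0x74 and 0x84). */
    const uint32_t regs[] = { 0x9fff07e0u, 0x85ff85f8u };
    const int index[] = { 0, 4 };
    for (int i = 0; i < 2; i++) {
        struct pr_range r = decode_pr(regs[i]);
        printf("PR%d: 0x%08x-0x%08x is %s\n", index[i],
               (unsigned)r.base, (unsigned)r.limit, pr_access(r));
    }
    return 0;
}
```

`write_blocked()` gives a quick check of whether a planned region layout still overlaps a write-protected range before any flashing is attempted.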
