Difference between revisions of "GM45 Thinkpad Internal flashing research"

From coreboot
Jump to: navigation, search
(Ideas)
Line 1: Line 1:
== Description ==
+
== BIOS reagion ==
 
Here is [http://paste.flashrom.org/view.php?id=2717 a log] of flashrom on the flash chip of an X200T
 
Here is [http://paste.flashrom.org/view.php?id=2717 a log] of flashrom on the flash chip of an X200T
 
In the log, we can see that the BIOS region is set read-write in the flash descriptor:
 
In the log, we can see that the BIOS region is set read-write in the flash descriptor:
Line 10: Line 10:
 
  0x74: 0x9fff07e0 PR0: Warning: 0x007e0000-0x01ffffff is read-only.
 
  0x74: 0x9fff07e0 PR0: Warning: 0x007e0000-0x01ffffff is read-only.
  
The flash descriptor probably cannot be reflashed easily from the x86 CPU, however messing with the ME partition is probably doable if we get luck with the BIOS:
+
The flash descriptor probably cannot be reflashed easily from the x86 CPU.
 +
 
 +
== ME reagion ==
 
If we remove the RAM DIMM from slot0, the BIOS outputs an error message on the screen that asks to put the DIMM back and refuses to boot. I guess it's related to what mysteries_intel.txt (inside flashrom source ) was mentioning.
 
If we remove the RAM DIMM from slot0, the BIOS outputs an error message on the screen that asks to put the DIMM back and refuses to boot. I guess it's related to what mysteries_intel.txt (inside flashrom source ) was mentioning.
  

Revision as of 20:55, 24 January 2015

BIOS reagion

Here is a log of flashrom on the flash chip of an X200T In the log, we can see that the BIOS region is set read-write in the flash descriptor:

      Descr. BIOS ME GbE Platf.
BIOS    r     rw      rw   rw
ME      r         rw  rw     
GbE                   rw     

The issue is that the BIOS region is still partially locked:

0x74: 0x9fff07e0 PR0: Warning: 0x007e0000-0x01ffffff is read-only.

The flash descriptor probably cannot be reflashed easily from the x86 CPU.

ME reagion

If we remove the RAM DIMM from slot0, the BIOS outputs an error message on the screen that asks to put the DIMM back and refuses to boot. I guess it's related to what mysteries_intel.txt (inside flashrom source ) was mentioning.

So I guess that either:

  • The BIOS can only be partially flashed at all.
  • The BIOS can be flashed by the vendor tools which probably reboots the computer when doing it. In that case the code doing the PR0 Locking could be located after the PR0 locked reagion.

Ideas

  • Try to see if, by remapping the GPU GTT we could get arround the PR registers issue.
  • Using suspend to RAM will probably result in the PR region being unmapped between when it resumes at 0xFFFF0000 and when it re-enables that region lock.
  • Look if SMM/SMI region is locked. And look what happen to it at resume.
  • The ME could also be disabled at boot by removing one of the RAM DIMM (I don't remember which one), but then the BIOS checks for that, outputs an error message, and interrupt the boot. I also wonder how that could be used.