Difference between revisions of "GM45 Thinkpad Internal flashing research"

From coreboot
(Introduction)
Line 1: Line 1:
 
== Introduction ==
 
== Introduction ==
The goal is to be able to flash internally the x200 with flashrom.
+
The goal is to be able to flash internally the x200 with Flashrom.
We probably won't get around the flash descriptor locks.
 
however:
 
* the BIOS region isn't locked by it.
 
* The ME region can probably be worked around like described below.
 
  
== ME region ==
+
== Anti-reflashing mechanisms ==
If we remove the RAM DIMM from slot0, the BIOS outputs an error message on the screen that asks to put the DIMM back and refuses to boot. I guess it's related to what mysteries_intel.txt (inside flashrom source ) was mentioning.
+
The Lenovo X200 uses the following mechanisms to prevent internal reflashing:
 +
* Flash descriptor: Set the flash descriptor read-only, locks the ME, and platform regions.
 +
* PR registers: Sets the BIOS bootblock read-only and prevent access to the platform region
  
=== Ideas ===
+
== Idea ==
* When Removing the DIMM, the BIOS executes the PXE option rom. Usually that option rom is run twice: onece early, and once to boot on the network. Here only the early part is run. I wonder if it would accept to run express card or PCI option rom cards.
+
The flash descriptor restrictions can be lifted by using the GPIO33.
 +
That would then permit us, once booted, to reflash all the flash chip but what is still covered by the PR registers.
 +
This should be enough to relocate coreboot/libreboot outside of the region covered by the PR registers.
  
== BIOS region ==
+
Since the platform region would still be locked by the PR registers, flashrom will need to be patched not to touch it at all (it should not even try to read it).
Here is [http://paste.flashrom.org/view.php?id=2717 a log] of flashrom on the flash chip of an X200T
 
In the log, we can see that the BIOS region is set read-write in the flash descriptor:
 
      Descr. BIOS ME GbE Platf.
 
BIOS    r    rw      rw  rw
 
ME      r        rw  rw   
 
GbE                  rw   
 
 
 
The issue is that the BIOS region is still partially locked:
 
0x74: 0x9fff07e0 PR0: Warning: 0x007e0000-0x01ffffff is read-only.
 
 
 
The flash descriptor probably cannot be reflashed easily from the x86 CPU.
 
=== Ideas ===
 
* Try to see if, by remapping the GPU GTT we could get around the PR registers issue.
 
* Using suspend to RAM will probably result in the PR region being unmapped between when it resumes at 0xFFFF0000 and when it re-enables that region lock.
 
* Look if SMM/SMI region is locked. And look what happen to it at resume.
 
* If we succeed to disable ME, it might result in some interesting behavior.
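Review bot: the rewritten revision drops the concrete evidence the old text carried, namely the link to the X200T flashrom log, the descriptor access table and the decoded PR0 warning (0x74: 0x9fff07e0, 0x007e0000-0x01ffffff read-only), and replaces it with the unreferenced claim that the PR registers make the bootblock read-only and block access to the platform region; keep the log link and the PR0 line in the "Anti-reflashing mechanisms" section so the claim stays checkable, and note that the quoted PR0 range is reported as read-only, which bears on the new sentence that flashrom "should not even try to read" the locked region. The old "Ideas" lists under "ME region" and "BIOS region" (DIMM removal, GTT remapping, suspend-to-RAM, SMM locks, disabling ME) are also removed rather than folded into the new "Idea" section.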
 

Revision as of 13:39, 14 June 2016

Introduction

The goal is to be able to flash the X200 internally with flashrom.

Anti-reflashing mechanisms

The Lenovo X200 uses the following mechanisms to prevent internal reflashing:

  • Flash descriptor: the master access permissions in the descriptor make the descriptor itself read-only and lock the ME and Platform Data regions.
  • PR registers: the Protected Range registers of the ICH SPI controller make the BIOS bootblock read-only and prevent access to the platform region.

Idea

The flash descriptor restrictions can be lifted with GPIO33, the ICH flash descriptor security override strap that is sampled at power-on. Once the machine has been booted that way, the whole flash chip can be reflashed except for what is still covered by the PR registers. This should be enough to relocate coreboot/libreboot outside of the region covered by the PR registers; keep in mind that the x86 reset vector sits at the top of the flash, so whatever the PR registers protect there is still the first code to run.

Since the platform region would still be locked by the PR registers, flashrom will need to be patched so that it does not touch that range at all (it should not even try to read it).
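To make the PR-register mechanism from the list above and the "do not touch the locked range" requirement concrete, here is an added example (not flashrom or coreboot code) that decodes ICH9 SPI Protected Range registers the way the datasheet lays them out and checks a planned flash access against them. The PR0 value 0x9fff07e0 is the one an earlier revision of this page quoted from a flashrom log on an X200T; the PR1-PR4 values of 0 are assumed for the sake of the example, not taken from a real dump.

```c
/* ICH9 SPI Protected Range (PR0-PR4) decoder and access check.
 * Added example, not flashrom or coreboot code.
 * Register layout (ICH9 datasheet, SPIBAR + 0x74 .. 0x84):
 *   bit 31     Write Protection Enable
 *   bits 28:16 Protected Range Limit, address bits 24:12
 *   bit 15     Read Protection Enable
 *   bits 12:0  Protected Range Base, address bits 24:12
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct pr_range {
    uint32_t base;   /* first protected flash byte */
    uint32_t limit;  /* last protected flash byte (inclusive) */
    bool wp;         /* writes and erases are blocked */
    bool rp;         /* reads are blocked */
};

/* PR0 as quoted from the X200T flashrom log; PR1-PR4 assumed clear
 * (constructed for this example, not a real register dump). */
static const uint32_t x200_pr[5] = { 0x9fff07e0, 0, 0, 0, 0 };

struct pr_range pr_decode(uint32_t reg)
{
    struct pr_range r;
    r.wp    = (reg >> 31) & 1;
    r.rp    = (reg >> 15) & 1;
    r.base  = (reg & 0x1fff) << 12;
    /* the limit field addresses a 4 KiB page; the range ends at its last byte */
    r.limit = (((reg >> 16) & 0x1fff) << 12) | 0xfff;
    return r;
}

/* True if an access to [start, start + len) is blocked by any active PR
 * register.  write = true asks about erase/write, false about read. */
bool pr_blocks(const uint32_t *regs, size_t n, uint32_t start, uint32_t len, bool write)
{
    if (len == 0)
        return false;
    uint32_t end = start + len - 1;
    for (size_t i = 0; i < n; i++) {
        struct pr_range r = pr_decode(regs[i]);
        if (!r.wp && !r.rp)
            continue;                       /* range not enabled */
        if (end < r.base || start > r.limit)
            continue;                       /* no overlap */
        if (write && r.wp)
            return true;
        if (!write && r.rp)
            return true;
    }
    return false;
}

/* Lowest base of any write-protected range: everything below it can be
 * erased and written once the descriptor locks are out of the way. */
uint32_t pr_lowest_wp_base(const uint32_t *regs, size_t n)
{
    uint32_t lowest = UINT32_MAX;
    for (size_t i = 0; i < n; i++) {
        struct pr_range r = pr_decode(regs[i]);
        if (r.wp && r.base < lowest)
            lowest = r.base;
    }
    return lowest;
}

int main(void)
{
    for (size_t i = 0; i < 5; i++) {
        struct pr_range r = pr_decode(x200_pr[i]);
        if (!r.wp && !r.rp)
            continue;
        printf("PR%zu: 0x%08x-0x%08x%s%s\n", i, r.base, r.limit,
               r.wp ? " write-protected" : "", r.rp ? " read-protected" : "");
    }
    printf("writable below 0x%08x\n", pr_lowest_wp_base(x200_pr, 5));
    printf("erase at 0x7f0000 blocked: %d\n", pr_blocks(x200_pr, 5, 0x7f0000, 0x1000, true));
    printf("read  at 0x7f0000 blocked: %d\n", pr_blocks(x200_pr, 5, 0x7f0000, 0x1000, false));
    return 0;
}
```

With the quoted PR0 value only bit 31 is set, so the range 0x007e0000-0x01ffffff is write-protected but still readable, which is exactly what the "is read-only" warning in the log means; whether a patched flashrom also has to skip reads of a locked range depends on the RP bit of each PR register, so check all five rather than assuming.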