Difference between revisions of "GM45 Thinkpad Internal flashing research"

From coreboot
Jump to: navigation, search
(Approaches)
(Approaches)
Line 16: Line 16:
 
== Approaches ==
 
== Approaches ==
 
* The bootblock is read-only, and sets the PR registers protections. There might be a way to ask it nicely to remove such protections, to be able to reflash coreboot.
 
* The bootblock is read-only, and sets the PR registers protections. There might be a way to ask it nicely to remove such protections, to be able to reflash coreboot.
* Modded boot firmware that disable WiFi card whitelist, have:
+
* Modded boot firmware that disable WiFi card whitelist, have some unused components:
** The bootblock that doesn't set the PR registers
+
** A bootblock that doesn't set the PR registers
 
** A flash descriptor that disables the Management Engine
 
** A flash descriptor that disables the Management Engine
 +
* They are unused during the boot fimrware update,because it will only update other sections of the image.

Revision as of 15:29, 1 March 2017

Introduction

The goal is to be able to flash internally the x200 with Flashrom.

Anti-reflashing mechanisms

The Lenovo X200 uses the following mechanisms to prevent internal reflashing:

  • Flash descriptor: Set the flash descriptor read-only, locks the ME, and platform regions.
  • PR registers: Sets the BIOS bootblock read-only and prevent access to the platform region
  • The BUC.TS register is locked.

Non-working approaches

  • If we remove the flash descriptor read-only protection we are able to easily reflash coreboot, but:
    • The flash descriptor restrictions may be able to be lifted by using the GPIO33, but accessing that pin is very difficult and has huge probability of breaking the board.
    • Finding a command to send to the ME to unlock it is very unlikely, as it is only supposed to work when the management engine is in manufacture-mode. The Me is not in manufacture-mode on production laptops.
    • Find a way to disable or crash the ME would probably have no effect at all on flash protections

Approaches

  • The bootblock is read-only, and sets the PR registers protections. There might be a way to ask it nicely to remove such protections, to be able to reflash coreboot.
  • Modded boot firmware that disable WiFi card whitelist, have some unused components:
    • A bootblock that doesn't set the PR registers
    • A flash descriptor that disables the Management Engine
  • They are unused during the boot fimrware update,because it will only update other sections of the image.