Lenovo X60, X60s, T60 and T60p flashing instructions.
These Lenovo laptops have a register that must be flipped before coreboot can be flashed. Because the chipset locks down the available commands that flashrom can send to the flash chip, you also need to change the flashrom source in a way that is not suitable to upstream. Let me explain why: flash chips can be identified by various commands (REMS*, RDID etc.). Some of them reply with an ID for the vendor and the exact chip model; others just reply with a single byte which is fine if there is only a small number of chips to distinguish, but won't work for the huge number of flash chips known to flashrom. The problem with the vendor BIOS is that it forbids the higher quality identification commands, so you need to force flashrom to use the lower quality opcode for the chip in your Thinkpad. You have to know the chip model beforehand (e.g. by inspection).
You will need: the flashrom source, a small patch for it, and the bucts utility.
- Patch flashrom to use RES1 SPI identification and spi_chip_write1 for your flash chip, as well as change the flash chip model id to fit the RES1 command.
- Optionally, you can also copy the existing definition first as it is done in this patch but it is not necessary.
- Find the definition of your flash chip in flashrom's flashchips.c
- Change the .probe field to probe_spi_res1
- Modify .model_id field to the RES1 ID given in the datasheet of the flash chip
- Change the .write field to spi_chip_write1
flashrom -p internal:laptop=force_I_want_a_brick -r factory.bin
- This step is IMPORTANT since the factory BIOS in your machine is tied to your particular system board (or "planar" in IBM FRU terms) with a unique ID not present in factory BIOS updates.
dd if=coreboot.rom of=top64k.bin bs=1 skip=$[$(stat -c %s coreboot.rom) - 0x10000] count=64k
dd if=coreboot.rom bs=1 skip=$[$(stat -c %s coreboot.rom) - 0x20000] count=64k | hexdump
- Verify that the complete range is filled with ff bytes before proceeding! The above command must output:
0000000 ffff ffff ffff ffff ffff ffff ffff ffff
- If this is not the case, the coreboot image needs to be rebuilt with the second-to-last 64kbyte block unused.
dd if=top64k.bin of=coreboot.rom bs=1 seek=$[$(stat -c %s coreboot.rom) - 0x20000] count=64k conv=notrunc
flashrom -p internal:laptop=force_I_want_a_brick -w coreboot.rom
- This will be slow, and shall generate an erase error at e.g. 0x1f0000 when working with a 2 Mbyte flash chip.
- Power cycle the machine, now starting with coreboot
- Undo the flashrom patch, so that you have a stock flashrom
flashrom -p internal:laptop=force_I_want_a_brick -w coreboot.rom.
- This will successfully overwrite the entire flash chip, including the last 64k that were write protected with the factory BIOS.
These instructions were gleaned from the following mailing list threads: http://thread.gmane.org/gmane.linux.bios/69354 http://thread.gmane.org/gmane.linux.bios.flashrom/575