Re: [Libreboot] [GM45/GS45] Internal reflash (GPIO33, and PR registers)

[Leah Woods]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Denis,

Op 20/04/16 om 22:22 schreef Denis 'GNUtoo' Carikli:
> Here are the PR registers: 0x84: 0x85ff85f8 PR4: Warning:
> 0x005f8000-0x005fffff is locked. 0x74: 0x9fff07e0 PR0: Warning:
> 0x007e0000-0x01ffffff is read-only.

Finding out how to modify factory.rom to set these sothat there are no
write protections would be ideal.

Then you could modify a factory.rom image descriptor region to disable
the management engine, using this:
https://libreboot.org/docs/hcl/gm45_remove_me.html#demefactory

Theoretically, with both of those done, you'd have the ability to
easily switch between factory/libreboot when debugging something from
factory BIOS.

> So PR4 locks the platform region. That means that we cannot read
> it. PR0 prevent writing the last 128KiB of that flash chip.
> 
> If we patch flashrom (I've scripts for that at home) we can read
> the whole flash but the platform partition. I've not yet patched it
> for write support.
> 
> ifdtool[2] has a way to change the partition layout:
>> $ ./ifdtool [...] usage: ./ifdtool [-vhdix?] <filename> [...] -f
>> | --layout <filename>           dump regions into a flashrom

Libreboot also uses its own ich tool, in
resources/utilities/ich9deblob/ and can be modified. It already
modifies partition layout in the descriptor (removes ME and GbE regions)
.

(we weren't aware of ifdtool when writing it, otherwise we would have
modified ifdtool)

> It can also change the content of a region (like replace the BIOS 
> region with coreboot/libreboot).
> 
> So the idea would be: 0) Set GPIO33 to low/ground. 1) To dump the
> BIOS but the platform partition. 2) To modify such BIOS image: - By
> changing its layout to move the BIOS out of the region protected by
> the PR0 register - Replacing the BIOS by coreboot/libreboot 3) To
> flash that image, with flashrom patched not to read/write the 
> platform region protected by the PR4 4) To boot, dump the platform
> region, reconstruct the stock image. 5) To reflash a normal
> coreboot/libreboot image.
> 
> Unfortunately I don't have the hardware to test with me right now,
> and I don't have easy ways to recover yet on my Lenovo X200T(No
> clips exist for such laptop, I would need to take the time to
> solder some connector or replace the flash chip).
> 

The WSON chip is SPI and has the same pinout as SOIC8. You could put a
SOIC8 chip in there. "swiftgeek" from the IRC did this on their X200T:
http://h5ai.swiftgeek.net/Notebooks/ThinkPad%20X200T/SPI/

- -- 
Leah Woods

Libreboot developer
Freenode IRC nick (#libreboot): vimuser

Use free software. Free as in freedom.
https://www.gnu.org/philosophy/free-sw.html

Use a free operating system, GNU/Linux.
https://www.gnu.org/

Use a free BIOS.
https://libreboot.org/

Support freedom. Join the Free Software Foundation.
https://fsf.org/

Minifree Ltd, trading as Ministry of Freedom | Registered in England,
No. 9361826 | VAT No. GB202190462
Registered Office: 19 Hilton Road, Canvey Island, Essex SS8 9QA, UK |
Web: http://minifree.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQEcBAEBAgAGBQJXObYnAAoJEP9Ft0z50c+UP9oH/1joLNxE1X9qqQVDZP5itDxu
QiNTdt3EezS8/UXAAncXUsa+8zeAKrDG7Fpxhft/7LheBTX1CE1ws8Hb2vFfjf6v
4xYy/iYL4EcZ+8+nedM3xIAR3WBJ/Kmd0ZR/dc0IznvhkM93VSZavx0qRZ8q2trd
2JATN0a9nLAV9AhnR/IpMRiyXJLvb1JjhuAKBu5HTtlT1mBU1KRxMuSRKTKSK/WG
65rRv1/41Dp9M4nteC+oI1Nfl29VMrPpBA5OHAo+ioiPGb5abyKA4x0CIeVegGux
xMp+KglK40HKWNFSpTclS98/zMImCAzEp416U46x1xnwCbSfI5Va/wr2N6ubm9A=
=+OjZ
-----END PGP SIGNATURE-----