diff options
author | Francis Rowe <info@gluglug.org.uk> | 2014-12-22 14:18:09 +0000 |
---|---|---|
committer | Francis Rowe <info@gluglug.org.uk> | 2014-12-22 14:18:09 +0000 |
commit | ddbfcfe56f0cb01f21e9eadf88fd91e96ea086c3 (patch) | |
tree | 94e0fba0fdb86ae6d3b7057bd8ba7c861dcdcd1c /resources | |
parent | 627acfbc0119485c4b1e1a224b8e85916c9e5507 (diff) | |
download | librebootfr-ddbfcfe56f0cb01f21e9eadf88fd91e96ea086c3.tar.gz librebootfr-ddbfcfe56f0cb01f21e9eadf88fd91e96ea086c3.zip |
ich9deblob: descriptor deblobbing moved to separate function
Diffstat (limited to 'resources')
-rw-r--r-- | resources/utilities/ich9deblob/ich9deblob.c | 149 |
1 files changed, 84 insertions, 65 deletions
diff --git a/resources/utilities/ich9deblob/ich9deblob.c b/resources/utilities/ich9deblob/ich9deblob.c index fb96839b..9fa7db4b 100644 --- a/resources/utilities/ich9deblob/ich9deblob.c +++ b/resources/utilities/ich9deblob/ich9deblob.c @@ -52,10 +52,15 @@ // NOTE: The GBE region of 8K is actually 2x 4K regions in a single region; both 4K blocks can be identical (and by default, are) // The 2nd one is a "backup", but we don't know when it's used. perhaps it's used when the checksum on the first one does not match? +// Related to the flash descriptor +#define FLREGIONBITSHIFT 0xC // bits 12(0xC)-24(0x18) are represented for words found in the flash descriptor + // To manipulate these easily in C, we shift them by FLREGIONBITSHIFT and then shift them back when done + // gbe checksum related functions unsigned short gbeGetChecksumFrom4kStruct(struct GBEREGIONRECORD_4K gbeStruct4k, unsigned short desiredValue); unsigned short gbeGetChecksumFrom8kBuffer(char* buffer, unsigned short desiredValue, char isBackup); // for GBe region (checksum calculation) unsigned short gbeGetRegionWordFrom8kBuffer(int i, char* buffer); // used for getting each word needed to calculate said checksum +struct DESCRIPTORREGIONRECORD deblobbedFromFactory(struct DESCRIPTORREGIONRECORD factoryDescriptorStruct, int romSize); int main(int argc, char *argv[]) { @@ -133,10 +138,9 @@ int main(int argc, char *argv[]) // get original GBe region location // (it will be moved to the beginning of the flash, after the descriptor region) - unsigned int flRegionBitShift = 12;// bits 12-24 are represented. - // note for example, factoryGbeRegionLocation is set to <<12 of actual address (in C). this is how the addresses + // note for example, factoryGbeRegionLocation is set to <<FLREGIONBITSHIFT of actual address (in C). this is how the addresses // are stored in the descriptor. - unsigned int factoryGbeRegionLocation = factoryDescriptorStruct.regionSection.flReg3.BASE << flRegionBitShift; + unsigned int factoryGbeRegionLocation = factoryDescriptorStruct.regionSection.flReg3.BASE << FLREGIONBITSHIFT; // Set offset so that we can read the data from // the gbe region @@ -175,71 +179,20 @@ int main(int argc, char *argv[]) // ----------------------------------------------------------------------------------------------- // debugging - printf("\nOriginal Descriptor start block: %08x ; Descriptor end block: %08x\n", factoryDescriptorStruct.regionSection.flReg0.BASE << flRegionBitShift, factoryDescriptorStruct.regionSection.flReg0.LIMIT << flRegionBitShift); - printf("Original BIOS start block: %08x ; BIOS end block: %08x\n", factoryDescriptorStruct.regionSection.flReg1.BASE << flRegionBitShift, factoryDescriptorStruct.regionSection.flReg1.LIMIT << flRegionBitShift); - printf("Original ME start block: %08x ; ME end block: %08x\n", factoryDescriptorStruct.regionSection.flReg2.BASE << flRegionBitShift, factoryDescriptorStruct.regionSection.flReg2.LIMIT << flRegionBitShift); - printf("Original GBe start block: %08x ; GBe end block: %08x\n", factoryGbeRegionLocation, factoryDescriptorStruct.regionSection.flReg3.LIMIT << flRegionBitShift); - - // Now we need to modify the descriptor so that the ME can be excluded - // from the final ROM image (libreboot one) after adding the modified - // descriptor+gbe. Refer to libreboot docs for details: docs/hcl/x200_remove_me.html - - // set number of regions from 4 -> 2 (0 based, so 4 means 5 and 2 - // means 3. We want 3 regions: descriptor, gbe and bios, in that order) - deblobbedDescriptorStruct.flMaps.flMap0.NR = 2; - - // make descriptor writable from OS. This is that the user can run: - // sudo ./flashrom -p internal:laptop=force_I_want_a_brick - // from the OS, without relying an an external SPI flasher, while - // being able to write to the descriptor region (locked by default, - // until making the change below): - deblobbedDescriptorStruct.masterAccessSection.flMstr1.fdRegionWriteAccess = 1; - - // relocate BIOS region and increase size to fill image - deblobbedDescriptorStruct.regionSection.flReg1.BASE = 3; // 3<<12 is 12KiB, which is where BIOS region is to begin (after descriptor and gbe) - deblobbedDescriptorStruct.regionSection.flReg1.LIMIT = ((romSize >> flRegionBitShift) - 1); - // ^ for example, 8MB ROM, that's 8388608 bytes. - // ^ 8388608>>12 (or 8388608/4096) = 2048 bytes - // 2048 - 1 = 2047 bytes. - // This defines where the final 0x1000 (4KiB) page starts in the flash chip, because the hardware does: - // 2047<<12 (or 2047*4096) = 8384512 bytes, or 7FF000 bytes - // (it can't be 0x7FFFFF because of limited number of bits) - - // set ME region size to 0 - the ME is a blob, we don't want it in libreboot - deblobbedDescriptorStruct.regionSection.flReg2.BASE = 0x1FFF; // setting 1FFF means setting size to 0. 1FFF<<12 is outside of the ROM image (8MB) size? - // ^ datasheet says to set this to 1FFF, but FFF was previously used and also worked. - deblobbedDescriptorStruct.regionSection.flReg2.LIMIT = 0; - // ^ 0<<12=0, so basically, the size is 0, and the base (1FFF>>12) is well outside the higher 8MB range. - - // relocate Gbe region to begin at 4KiB (immediately after the flash descriptor) - deblobbedDescriptorStruct.regionSection.flReg3.BASE = 1; // 1<<12 is 4096, which is where the Gbe region is to begin (after the descriptor) - deblobbedDescriptorStruct.regionSection.flReg3.LIMIT = 2; - // ^ 2<<12=8192 bytes. So we are set it to size 8KiB after the first 4KiB in the flash chip. - - // set Platform region size to 0 - another blob that we don't want - deblobbedDescriptorStruct.regionSection.flReg4.BASE = 0x1FFF; // setting 1FFF means setting size to 0. 1FFF<<12 is outside of the ROM image (8MB) size? - // ^ datasheet says to set this to 1FFF, but FFF was previously used and also worked. - deblobbedDescriptorStruct.regionSection.flReg4.LIMIT = 0; - // ^ 0<<12=0, so basically, the size is 0, and the base (1FFF>>12) is well outside the higher 8MB range. - - // disable ME in ICHSTRAP0 - the ME is a blob, we don't want it in libreboot - deblobbedDescriptorStruct.ichStraps.ichStrap0.meDisable = 1; + printf("\nOriginal Descriptor start block: %08x ; Descriptor end block: %08x\n", factoryDescriptorStruct.regionSection.flReg0.BASE << FLREGIONBITSHIFT, factoryDescriptorStruct.regionSection.flReg0.LIMIT << FLREGIONBITSHIFT); + printf("Original BIOS start block: %08x ; BIOS end block: %08x\n", factoryDescriptorStruct.regionSection.flReg1.BASE << FLREGIONBITSHIFT, factoryDescriptorStruct.regionSection.flReg1.LIMIT << FLREGIONBITSHIFT); + printf("Original ME start block: %08x ; ME end block: %08x\n", factoryDescriptorStruct.regionSection.flReg2.BASE << FLREGIONBITSHIFT, factoryDescriptorStruct.regionSection.flReg2.LIMIT << FLREGIONBITSHIFT); + printf("Original GBe start block: %08x ; GBe end block: %08x\n", factoryGbeRegionLocation, factoryDescriptorStruct.regionSection.flReg3.LIMIT << FLREGIONBITSHIFT); - // disable ME and TPM in MCHSTRAP0 - deblobbedDescriptorStruct.mchStraps.mchStrap0.meDisable = 1; // ME is a blob. not wanted in libreboot. - deblobbedDescriptorStruct.mchStraps.mchStrap0.tpmDisable = 1; // not wanted in libreboot - - // disable ME, apart from chipset bugfixes (ME region should first be re-enabled above) - // This is sort of like the CPU microcode updates, but for the chipset - // (commented out below here, since blobs go against libreboot's purpose, - // but may be interesting for others) - // deblobbedDescriptorStruct.mchStraps.mchStrap0.meAlternateDisable = 1; + // Disable the ME and Platform regions. Put Gbe at the beginning (after descriptor). + // Also, extend the BIOS region to fill the ROM image (after descriptor+gbe). + deblobbedDescriptorStruct = deblobbedFromFactory(deblobbedDescriptorStruct, romSize); // debugging - printf("\nRelocated Descriptor start block: %08x ; Descriptor end block: %08x\n", deblobbedDescriptorStruct.regionSection.flReg0.BASE << flRegionBitShift, deblobbedDescriptorStruct.regionSection.flReg0.LIMIT << flRegionBitShift); - printf("Relocated BIOS start block: %08x ; BIOS end block: %08x\n", deblobbedDescriptorStruct.regionSection.flReg1.BASE << flRegionBitShift, deblobbedDescriptorStruct.regionSection.flReg1.LIMIT << flRegionBitShift); - printf("Relocated ME start block: %08x ; ME end block: %08x\n", deblobbedDescriptorStruct.regionSection.flReg2.BASE << flRegionBitShift, deblobbedDescriptorStruct.regionSection.flReg2.LIMIT << flRegionBitShift); - printf("Relocated GBe start block: %08x ; GBe end block: %08x\n", deblobbedDescriptorStruct.regionSection.flReg3.BASE << flRegionBitShift, deblobbedDescriptorStruct.regionSection.flReg3.LIMIT << flRegionBitShift); + printf("\nRelocated Descriptor start block: %08x ; Descriptor end block: %08x\n", deblobbedDescriptorStruct.regionSection.flReg0.BASE << FLREGIONBITSHIFT, deblobbedDescriptorStruct.regionSection.flReg0.LIMIT << FLREGIONBITSHIFT); + printf("Relocated BIOS start block: %08x ; BIOS end block: %08x\n", deblobbedDescriptorStruct.regionSection.flReg1.BASE << FLREGIONBITSHIFT, deblobbedDescriptorStruct.regionSection.flReg1.LIMIT << FLREGIONBITSHIFT); + printf("Relocated ME start block: %08x ; ME end block: %08x\n", deblobbedDescriptorStruct.regionSection.flReg2.BASE << FLREGIONBITSHIFT, deblobbedDescriptorStruct.regionSection.flReg2.LIMIT << FLREGIONBITSHIFT); + printf("Relocated GBe start block: %08x ; GBe end block: %08x\n", deblobbedDescriptorStruct.regionSection.flReg3.BASE << FLREGIONBITSHIFT, deblobbedDescriptorStruct.regionSection.flReg3.LIMIT << FLREGIONBITSHIFT); // ---------------------------------------------------------------------------------------------------------------- @@ -322,6 +275,72 @@ int main(int argc, char *argv[]) return 0; } +// Modify the flash descriptor, to remove the ME/AMT, and disable all other regions +// Only Flash Descriptor, Gbe and BIOS regions (BIOS region fills romSize-12k) are left. +// Tested on ThinkPad X200 and X200S. X200T and other GM45 targets may also work. +struct DESCRIPTORREGIONRECORD deblobbedFromFactory(struct DESCRIPTORREGIONRECORD factoryDescriptorStruct, int romSize) +{ + struct DESCRIPTORREGIONRECORD deblobbedDescriptorStruct; + memcpy(&deblobbedDescriptorStruct, &factoryDescriptorStruct, DESCRIPTORREGIONSIZE); + + // Now we need to modify the descriptor so that the ME can be excluded + // from the final ROM image (libreboot one) after adding the modified + // descriptor+gbe. Refer to libreboot docs for details: docs/hcl/x200_remove_me.html + + // set number of regions from 4 -> 2 (0 based, so 4 means 5 and 2 + // means 3. We want 3 regions: descriptor, gbe and bios, in that order) + deblobbedDescriptorStruct.flMaps.flMap0.NR = 2; + + // make descriptor writable from OS. This is that the user can run: + // sudo ./flashrom -p internal:laptop=force_I_want_a_brick + // from the OS, without relying an an external SPI flasher, while + // being able to write to the descriptor region (locked by default, + // until making the change below): + deblobbedDescriptorStruct.masterAccessSection.flMstr1.fdRegionWriteAccess = 1; + + // relocate BIOS region and increase size to fill image + deblobbedDescriptorStruct.regionSection.flReg1.BASE = 3; // 3<<FLREGIONBITSHIFT is 12KiB, which is where BIOS region is to begin (after descriptor and gbe) + deblobbedDescriptorStruct.regionSection.flReg1.LIMIT = ((romSize >> FLREGIONBITSHIFT) - 1); + // ^ for example, 8MB ROM, that's 8388608 bytes. + // ^ 8388608>>FLREGIONBITSHIFT (or 8388608/4096) = 2048 bytes + // 2048 - 1 = 2047 bytes. + // This defines where the final 0x1000 (4KiB) page starts in the flash chip, because the hardware does: + // 2047<<FLREGIONBITSHIFT (or 2047*4096) = 8384512 bytes, or 7FF000 bytes + // (it can't be 0x7FFFFF because of limited number of bits) + + // set ME region size to 0 - the ME is a blob, we don't want it in libreboot + deblobbedDescriptorStruct.regionSection.flReg2.BASE = 0x1FFF; // setting 1FFF means setting size to 0. 1FFF<<FLREGIONBITSHIFT is outside of the ROM image (8MB) size? + // ^ datasheet says to set this to 1FFF, but FFF was previously used and also worked. + deblobbedDescriptorStruct.regionSection.flReg2.LIMIT = 0; + // ^ 0<<FLREGIONBITSHIFT=0, so basically, the size is 0, and the base (1FFF>>FLREGIONBITSHIFT) is well outside the higher 8MB range. + + // relocate Gbe region to begin at 4KiB (immediately after the flash descriptor) + deblobbedDescriptorStruct.regionSection.flReg3.BASE = 1; // 1<<FLREGIONBITSHIFT is 4096, which is where the Gbe region is to begin (after the descriptor) + deblobbedDescriptorStruct.regionSection.flReg3.LIMIT = 2; + // ^ 2<<FLREGIONBITSHIFT=8192 bytes. So we are set it to size 8KiB after the first 4KiB in the flash chip. + + // set Platform region size to 0 - another blob that we don't want + deblobbedDescriptorStruct.regionSection.flReg4.BASE = 0x1FFF; // setting 1FFF means setting size to 0. 1FFF<<FLREGIONBITSHIFT is outside of the ROM image (8MB) size? + // ^ datasheet says to set this to 1FFF, but FFF was previously used and also worked. + deblobbedDescriptorStruct.regionSection.flReg4.LIMIT = 0; + // ^ 0<<FLREGIONBITSHIFT=0, so basically, the size is 0, and the base (1FFF>>FLREGIONBITSHIFT) is well outside the higher 8MB range. + + // disable ME in ICHSTRAP0 - the ME is a blob, we don't want it in libreboot + deblobbedDescriptorStruct.ichStraps.ichStrap0.meDisable = 1; + + // disable ME and TPM in MCHSTRAP0 + deblobbedDescriptorStruct.mchStraps.mchStrap0.meDisable = 1; // ME is a blob. not wanted in libreboot. + deblobbedDescriptorStruct.mchStraps.mchStrap0.tpmDisable = 1; // not wanted in libreboot + + // disable ME, apart from chipset bugfixes (ME region should first be re-enabled above) + // This is sort of like the CPU microcode updates, but for the chipset + // (commented out below here, since blobs go against libreboot's purpose, + // but may be interesting for others) + // deblobbedDescriptorStruct.mchStraps.mchStrap0.meAlternateDisable = 1; + + return deblobbedDescriptorStruct; +} + // checksum calculation for 4k gbe struct (algorithm based on datasheet) unsigned short gbeGetChecksumFrom4kStruct(struct GBEREGIONRECORD_4K gbeStruct4k, unsigned short desiredValue) { |