From fe169cfef2bd84d3d2995f3a039282dfe83d94dd Mon Sep 17 00:00:00 2001 From: Francis Rowe Date: Mon, 9 Feb 2015 01:18:56 +0000 Subject: New board: ThinkPad R400 support added to libreboot. --- docs/hcl/gm45_remove_me.html | 528 ++++++++++++++++++++++++++++ docs/hcl/index.html | 2 + docs/hcl/r400.html | 101 ++++++ docs/hcl/text/r400/r400_dmidecode.txt | 628 ---------------------------------- docs/hcl/x200.html | 10 +- docs/hcl/x200_remove_me.html | 525 ---------------------------- 6 files changed, 633 insertions(+), 1161 deletions(-) create mode 100644 docs/hcl/gm45_remove_me.html create mode 100644 docs/hcl/r400.html delete mode 100644 docs/hcl/text/r400/r400_dmidecode.txt delete mode 100644 docs/hcl/x200_remove_me.html (limited to 'docs/hcl') diff --git a/docs/hcl/gm45_remove_me.html b/docs/hcl/gm45_remove_me.html new file mode 100644 index 00000000..d6c36f42 --- /dev/null +++ b/docs/hcl/gm45_remove_me.html @@ -0,0 +1,528 @@ + + + + + + + + + GM45 chipsets: remove the ME (manageability engine) + + + + +
+ +

GM45 chipsets: remove the ME (manageability engine)

+

+ This sections relates to disabling and removing the ME (Intel Management Engine) on + GM45. This was originally done on the ThinkPad X200, and later adapted for the ThinkPad R400. It can + in principle be done on any GM45 or GS45 machine. +

+

+ The ME is a blob that typically must be left inside the flash chip (in the ME region, as outlined + by the default descriptor). On GM45, it is possible to remove it without any ill effects. All + other parts of coreboot on GM45 machines (provided GMA MHD4500 / Intel graphics) can be blob-free, + so removing the ME was the last obstacle to + make GM45 a feasible target in libreboot (the machines can also work without the microcode blobs). +

+

+ The ME is removed and disabled in libreboot by modifying the descriptor. More info about + this can be found in the ich9deblob/ich9gen source code in resources/utilities/ich9deblob/ + in libreboot, or more generally on this page. +

+

+ Back to previous index. +

+ +
+ +
+ +

ICH9 gen utility

+ +

+ This is no longer strictly necessary. Libreboot ROM images for GM45 now + contain the 12KiB descriptor+gbe generated from ich9gen, by default. +

+ +

+ It is no longer necessary to use ich9deblob to generate + a deblobbed descriptor+gbe image for the X200. ich9gen is a small utility within + ich9deblob that can generate them from scratch, without a factory.bin dump. +

+ +

+ Run:
+ $ ./ich9gen +

+ +

+ It is also possible to generate a descriptor+gbe image with your own MAC address + inside (with the Gbe checksum updated to match). Run:
+ $ ./ich9gen --macaddress XX:XX:XX:XX:XX:XX
+ (replace the XX chars with the hexadecimal chars in the MAC address that you want) +

+ +

+ You can find out your MAC address from ip addr or ifconfig in GNU/Linux. + Alternatively, if you are running libreboot already (with the correct MAC address in your + ROM), dump it (flashrom -r) and read the first 6 bytes from position 0x1000 (or 0x2000) in a hex editor + (or, rename it to factory.rom and run it in ich9deblob: in the newly created mkgbe.c + will be the individual bytes of your MAC address). If you are currently running the stock firmware + and haven't installed libreboot yet, you can also run that through ich9deblob to get the mac address. +

+ +

+ An even simpler way to get the MAC address would be to read what's on the little sticker on + the underside. (on the X200, this would be near the VGA port). +

+ +

+ A bash script is also included in libreboot which will change the mac address (using ich9gen) + on all GM45 ROM images. For instance:
+ $ ./ich9macchange XX:XX:XX:XX:XX:XX +

+ +

+ Two new files will be created: +

+ + +

+ ich9gen executables can be found under ./ich9deblob/ statically compiled in + libreboot_bin. If you are using src or git, build ich9gen from source with:
+ $ ./builddeps-ich9deblob
+ The executable will appear under resources/utilities/ich9deblob/ +

+ +

+ Assuming that your libreboot image is named libreboot.rom, copy + the file to where libreboot.rom is located + and then run, for instance:
+ $ dd if=ich9fdgbe_8m.bin of=libreboot.rom bs=1 count=12k conv=notrunc
+ or:
+ $ dd if=ich9fdgbe_4m.bin of=libreboot.rom bs=1 count=12k conv=notrunc +

+ +

+ Your libreboot.rom image is now ready to be flashed on the machine. Refer back to + ../install/index.html#flashrom + for how to flash it. +

+ +
+ +
+ +

ICH9 deblob utility

+ +

+ This is no longer strictly necessary. Libreboot ROM images for GM45 machines now + contain the 12KiB descriptor+gbe generated from ich9gen, by default. +

+ +

+ This was the tool originally used to disable the ME on X200 (later adapted for other machines that use the + GM45 chipset). ich9gen now supersedes it; + ich9gen is better because it does not rely on dumping the factory.rom image (whereas, ich9deblob does). +

+ +

+ This is what you will use to generate the deblobbed descriptor+gbe regions for your libreboot ROM image. +

+

+ If you are working with libreboot_src (or git), you can find the source under resources/utilities/ich9deblob/ + and will already be compiled if you ran ./builddeps or ./builddeps-ich9deblob from the main directory (./), + otherwise you can build it like so:
+ $ ./builddeps-ich9deblob
+ An executable file named ich9deblob will now appear under resources/utilities/ich9deblob/ +

+

+ If you are working with libreboot_bin release archive, you can find the utility included, statically compiled + (for i686 and x86_64 on GNU/Linux) under ./ich9deblob/. +

+ +

+ Place the factory.rom from your machine + (can be obtained using the external flashing guides for GM45 targets linked ../install/index.html) in + the directory where you have your ich9deblob executable, then run the tool:
+ $ ./ich9deblob +

+

+ A 12kiB file named deblobbed_descriptor.bin will now appear. Keep this and the factory.rom stored in a safe location! + The first 4KiB contains the descriptor data region for your machine, and the next 8KiB contains the gbe region (config data for your + gigabit NIC). These 2 regions could actually be separate files, but they are joined into 1 file in this case. +

+ +

+ Assuming that your libreboot image is named libreboot.rom, copy + the deblobbed_descriptor.bin file to where libreboot.rom is located + and then run:
+ $ dd if=deblobbed_descriptor.bin of=libreboot.rom bs=1 count=12k conv=notrunc +

+ +

+ The utility will also generate 4 additional files: +

+ +

+ These are C source files that can re-generate the very same Gbe and Descriptor structs + (from ich9deblob/ich9gen). To use these, place them in src/ich9gen/ in ich9deblob, then re-build. + The newly built ich9gen executable will be able to re-create the very same 12KiB file from scratch, + based on the C structs, this time without the need for a factory.rom dump! +

+ +

+ You should now have a libreboot.rom image containing the correct 4K descriptor and 8K gbe regions, which + will then be safe to flash. Refer back to ../install/index.html#flashrom + for how to flash it. +

+ +
+ +
+ +

+ The sections below are adapted from (mostly) IRC logs related to early development getting the ME removed on GM45. + They are useful for background information. This could not have been done without sgsit's help. +

+ +
+ +

Early notes

+ + + +
+ +
+ +
+ +
+ +

Flash chips

+ +
    +
  • + Schematics for X200 laptop: http://pdf.datasheetarchive.com/indexerfiles/Datasheets-USER/DSAUPLD00006075.pdf + - Page 20 and page 9 refer to SDA_HDO or SDA_HDOUT only on series 6 or higher chipsets. ICH9-M (X200) does it with a strap connected to GPIO33 pin (see IRC notes below)
    + - According to page 29, the X200 can have any of the following flash chips: +
      +
    • ATMEL AT26DF321-SU 72.26321.A01 - this is a 32Mb (4MiB) chip
      • +
    • MXIC (Macronix?) MX25L3205DM2I-12G 72.25325.A01 - another 32Mb (4MiB) chip
      • +
    • MXIC (Macronix?) MX25L6405DMI-12G 41R0820AA - this is a 64Mb (8MiB) chip
      • +
    • Winbond W25X64VSFIG 41R0820BA - another 64Mb (8MiB) chip
      • +
    + sgsit says that the X200s with the 64Mb flash chips are (probably) the ones with AMT (alongside the ME), whereas + the 32Mb chips contain only the ME. +
    • +
  • + Schematics for X200s laptop: http://pdf.datasheetarchive.com/indexerfiles/Datasheets-USER/DSAUPLD00006104.pdf. +
    • +
+ +
+ +
+ +
+ +

Early development notes

+ +
+
+Start (hex)	End (hex)	Length (hex)	Area Name
+-----------	---------	------------	---------
+00000000	003FFFFF	00400000	Flash Image
+
+00000000	00000FFF	00001000	Descriptor Region
+00000004	0000000F	0000000C		Descriptor Map
+00000010	0000001B	0000000C		Component Section
+00000040	0000004F	00000010		Region Section
+00000060	0000006B	0000000C		Master Access Section
+00000060	00000063	00000004			CPU/BIOS
+00000064	00000067	00000004			Manageability Engine (ME)
+00000068	0000006B	00000004			GbE LAN
+00000100	00000103	00000004		ICH Strap 0
+00000104	00000107	00000004		ICH Strap 1
+00000200	00000203	00000004		MCH Strap 0
+00000EFC	00000EFF	00000004		Descriptor Map 2
+00000ED0	00000EF7	00000028		ME VSCC Table
+00000ED0	00000ED7	00000008			Flash device 1
+00000ED8	00000EDF	00000008			Flash device 2
+00000EE0	00000EE7	00000008			Flash device 3
+00000EE8	00000EEF	00000008			Flash device 4
+00000EF0	00000EF7	00000008			Flash device 5
+00000F00	00000FFF	00000100		OEM Section
+00001000	001F5FFF	001F5000	ME Region
+001F6000	001F7FFF	00002000	GbE Region
+001F8000	001FFFFF	00008000	PDR Region
+00200000	003FFFFF	00200000	BIOS Region
+
+Start (hex)	End (hex)	Length (hex)	Area Name
+-----------	---------	------------	---------
+00000000	003FFFFF	00400000	Flash Image
+
+00000000	00000FFF	00001000	Descriptor Region
+00000004	0000000F	0000000C		Descriptor Map
+00000010	0000001B	0000000C		Component Section
+00000040	0000004F	00000010		Region Section
+00000060	0000006B	0000000C		Master Access Section
+00000060	00000063	00000004			CPU/BIOS
+00000064	00000067	00000004			Manageability Engine (ME)
+00000068	0000006B	00000004			GbE LAN
+00000100	00000103	00000004		ICH Strap 0
+00000104	00000107	00000004		ICH Strap 1
+00000200	00000203	00000004		MCH Strap 0
+00000ED0	00000EF7	00000028		ME VSCC Table
+00000ED0	00000ED7	00000008			Flash device 1
+00000ED8	00000EDF	00000008			Flash device 2
+00000EE0	00000EE7	00000008			Flash device 3
+00000EE8	00000EEF	00000008			Flash device 4
+00000EF0	00000EF7	00000008			Flash device 5
+00000EFC	00000EFF	00000004		Descriptor Map 2
+00000F00	00000FFF	00000100		OEM Section
+00001000	00002FFF	00002000	GbE Region
+00003000	00202FFF	00200000	BIOS Region
+
+Build Settings
+--------------
+Flash Erase Size = 0x1000
+
+
+
+ +

+ It's a utility called 'Flash Image Tool' for ME 4.x that was used for this. You drag a complete + image into in and the utility decomposes the various components, allowing you to set soft straps. +

+

+ This tool is proprietary, for Windows only, but was used to deblob the X200. End justified means, and + the utility is no longer needed since the ich9deblob utility (documented on this page) can now be + used to create deblobbed descriptors. +

+ +
+ +
+ +

+ GBE (gigabit ethernet) region in SPI flash +

+ +

+ Of the 8K, about 95% is 0xFF. + The data is the gbe region is fully documented in this public datasheet: + http://www.intel.co.uk/content/dam/doc/application-note/i-o-controller-hub-9m-82567lf-lm-v-nvm-map-appl-note.pdf +

+ +

+ The only actual content found was: +

+ +
+
+00  1F  1F  1F  1F  1F  00  08  FF  FF  83  10  FF  FF  FF  FF  
+08  10  FF  FF  C3  10  EE  20  AA  17  F5  10  86  80  00  00  
+01  0D  00  00  00  00  05  06  20  30  00  0A  00  00  8B  8D  
+02  06  40  2B  43  00  00  00  F5  10  AD  BA  F5  10  BF  10  
+AD  BA  CB  10  AD  BA  AD  BA  00  00  00  00  00  00  00  00  
+00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
+00  01  00  40  28  12  07  40  FF  FF  FF  FF  FF  FF  FF  FF  
+FF  FF  FF  FF  FF  FF  FF  FF  FF  FF  FF  FF  FF  FF  D9  F0  
+20  60  1F  00  02  00  13  00  00  80  1D  00  FF  00  16  00  
+DD  CC  18  00  11  20  17  00  DD  DD  18  00  12  20  17  00  
+00  80  1D  00  00  00  1F  
+
+
+ +

+ The first part is the MAC address set to all 0x1F. It's repeated haly way through + the 8K area, and the rest is all 0xFF. This is all documented in the datasheet. +

+ +

+ The GBe region starts at 0x20A000 bytes from the *end* of a factory image and is 0x2000 bytes long. + In libreboot (deblobbed) the descriptor is set to put gbe directly after the initial 4K flash descriptor. + So the first 4K of the ROM is the descriptor, and then the next 8K is the gbe region. +

+ +
+ +

GBE region: change MAC address

+ +

+ According to the datasheet, it's supposed to add up to 0xBABA but can actually be others on the X200. + https://communities.intel.com/community/wired/blog/2010/10/14/how-to-basic-eeprom-checksums +

+

+ "One of those engineers loves classic rock music, so he selected 0xBABA" +

+

In honour of the song Baba O'Reilly by The Who apparently. We're not making this stuff up...

+ +

+ 0x3ABA, 0x34BA, 0x40BA and more have been observed in the main Gbe regions on the X200 factory.rom dumps. + The checksums of the backup regions match BABA, however. +

+ +

+ By default, the X200 (as shipped by Lenovo) actually has an invalid main gbe checksum. The backup gbe region is correct, + and is what these machines default to. Basically, you should do what you need on the *backup* gbe region, and + then correct the main one by copying from the backup. +

+ +

+ Look at resources/utilities/ich9deblob/ich9deblob.c. +

+
    +
  • Add the first 0x3F 16bit numbers (unsigned) of the GBe descriptor together (this includes the checksum value) + and that has to add up to 0xBABA. In other words, the checksum is 0xBABA minus the total of the first + 0x3E 16bit numbers (unsigned), ignoring any overflow.
    • +
+ +
+ +
+ +
+ +

Flash descriptor region

+ +

+ http://www.intel.co.uk/content/dam/doc/datasheet/io-controller-hub-9-datasheet.pdf + from page 850 onwards. This explains everything that is in the flash descriptor, which can be used to understand what libreboot + is doing about modifying it. +

+ +

+ How to deblob: +

+ + +

+ There's an interesting parameter called 'ME Alternate disable', which allows the ME to only handle hardware errata in the southbridge, + but disables any other functionality. This is similar to the 'ignition' in the 5 series and higher but using the standard firmware + instead of a small 128K version. Useless for libreboot, though. +

+ +

+ To deblob GM45, you chop out the platform and ME regions and correct the addresses in flReg1-4. + Then you set meDisable to 1 in ICHSTRAP0 and MCHSTRAP0. +

+ +

How to patch the descriptor from the factory.rom dump

+ + +

+ This means that libreboot's descriptor region will simply define the following regions: +

+ + +

+ The data in the descriptor region is little endian, and it represents bits 24:12 of the address + (bits 12-24, written this way since bit 24 is nearer to left than bit 12 in the binary representation). +

+

+ So, x << 12 = address +

+

+ If it's in descriptor mode, then the first 4 bytes will be 5A A5 F0 0F. +

+ +
+ + +
+ +

platform data partition in boot flash (factory.rom / lenovo bios)

+ +

+ Basically useless for libreboot, since it appears to be a blob. + Removing it didn't cause any issues in libreboot. +

+

+ This is a 32K region from the factory image. It could be data + (non-functional) that the original Lenovo BIOS used, but we don't know. +

+ +

+ It has only a 448 byte fragment different from 0x00 or 0xFF. +

+ +
+ +
+ +

+ Copyright © 2014, 2015 Francis Rowe <info@gluglug.org.uk>
+ This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. + A copy of the license can be found at ../license.txt. +

+ +

+ This document is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../../license.txt for more information. +

+ +
+ + + diff --git a/docs/hcl/index.html b/docs/hcl/index.html index 6aec1c70..4aa74da8 100644 --- a/docs/hcl/index.html +++ b/docs/hcl/index.html @@ -25,6 +25,7 @@
  • List of supported ThinkPad X60 Tablets
  • List of supported ThinkPad T60s
  • List of supported ThinkPad X200s
    • +
  • List of supported ThinkPad R400s
  • ThinkPad T60 (ATI GPU) and ThinkPad T60 (Intel GPU) differences.
  • Information about the Macbook1,1
  • Information about the Macbook2,1
    • @@ -46,6 +47,7 @@
  • Lenovo ThinkPad X60 Tablet
  • Lenovo ThinkPad T60 (there are exceptions. see link)
  • Lenovo ThinkPad X200
    • +
  • Lenovo ThinkPad R400
  • Apple MacBook1,1
  • Apple MacBook2,1
    • diff --git a/docs/hcl/r400.html b/docs/hcl/r400.html new file mode 100644 index 00000000..43dfb096 --- /dev/null +++ b/docs/hcl/r400.html @@ -0,0 +1,101 @@ + + + + + + + + + ThinkPad R400 + + + + +
    +

    ThinkPad R400

    + + + +

    + It is believed that all R400 laptops are compatible. +

    + +

    + There are two possible flash chip sizes for the R400: 4MiB (32Mbit) or 8MiB (64Mbit). + This can be identified by the type of flash chip below the palmrest: 4MiB is SOIC-8, 8MiB + is SOIC-16. +

    + +

    + The R400 laptops come with the ME (and sometimes AMT in addition) before flashing libreboot. Libreboot disables and removes it + by using a modified descriptor: see gm45_remove_me.html (contains notes, plus + instructions) +

    + +

    + Flashing instructions can be found at ../install/index.html#flashrom +

    + +

    + Back to previous index. +

    +
    + +
    + +

    Compatibility (without blobs)

    + +

    + Usual limitations apply for native graphics initialization + (no VBT and/or INT10H and only GRUB works so no BIOS, so no DOS/Windows support + - who cares? There is no system but GNU, and Linux is one of it's kernels). +

    + +

    + When connecting the AC adapter while system is powered off, system will then power on. + This probably happens in coreboot aswell (with or without blobs). + It's a minor annoyance, but it should be fixed (if it's not already fixed by now). +

    + +

    + This method of disabling the ME leaves the flash descriptor and gbe in place (non-functional data, fully documented) + and disables the ME using soft straps. This means that the gigabit ethernet will still work (putting the machine in + non-descriptor mode would wipe it out). +

    + +
    +

    Hardware virtualization (vt-x)

    +

    + The R400, when run without CPU microcode updates in coreboot, currently kernel panics + if running QEMU with vt-x enabled on 2 cores for the guest. With a single core enabled + for the guest, the guest panics (but the host is fine). Working around this in QEMU + might be possible; if not, software virtualization should work fine (it's just slower). +

    +

    + The following errata datasheet from Intel might help with investigation: + http://download.intel.com/design/mobile/specupdt/320121.pdf +

    +
    + +
    + +
    + +

    + Copyright © 2014, 2015 Francis Rowe <info@gluglug.org.uk>
    + This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. + A copy of the license can be found at ../license.txt. +

    + +

    + This document is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. +

    + +
    + + + diff --git a/docs/hcl/text/r400/r400_dmidecode.txt b/docs/hcl/text/r400/r400_dmidecode.txt deleted file mode 100644 index 0c0ca2a9..00000000 --- a/docs/hcl/text/r400/r400_dmidecode.txt +++ /dev/null @@ -1,628 +0,0 @@ -# dmidecode 2.11 -SMBIOS 2.4 present. -74 structures occupying 2511 bytes. -Table at 0x000E0010. - -Handle 0x0000, DMI type 0, 24 bytes -BIOS Information - Vendor: LENOVO - Version: 7UET48WW (1.18 ) - Release Date: 10/09/2008 - Address: 0xE0000 - Runtime Size: 128 kB - ROM Size: 8192 kB - Characteristics: - PCI is supported - PC Card (PCMCIA) is supported - PNP is supported - BIOS is upgradeable - BIOS shadowing is allowed - ESCD support is available - Boot from CD is supported - Selectable boot is supported - BIOS ROM is socketed - EDD is supported - ACPI is supported - USB legacy is supported - BIOS boot specification is supported - Targeted content distribution is supported - BIOS Revision: 1.24 - Firmware Revision: 1.1 - -Handle 0x0001, DMI type 1, 27 bytes -System Information - Manufacturer: LENOVO - Product Name: 7439W3Q - Version: ThinkPad R400 - Serial Number: L3ACC2H - UUID: 85D49681-4A1D-11CB-B11C-ACDC80D4983E - Wake-up Type: Power Switch - SKU Number: Not Specified - Family: ThinkPad R400 - -Handle 0x0002, DMI type 2, 8 bytes -Base Board Information - Manufacturer: LENOVO - Product Name: 7439W3Q - Version: Not Available - Serial Number: VF22T89V14J - -Handle 0x0003, DMI type 3, 13 bytes -Chassis Information - Manufacturer: LENOVO - Type: Notebook - Lock: Not Present - Version: Not Available - Serial Number: Not Available - Asset Tag: No Asset Information - Boot-up State: Unknown - Power Supply State: Unknown - Thermal State: Unknown - Security Status: Unknown - -Handle 0x0004, DMI type 126, 13 bytes -Inactive - -Handle 0x0005, DMI type 126, 13 bytes -Inactive - -Handle 0x0006, DMI type 4, 35 bytes -Processor Information - Socket Designation: None - Type: Central Processor - Family: Other - Manufacturer: GenuineIntel - ID: 76 06 01 00 FF FB EB BF - Signature: Type 0, Family 6, Model 23, Stepping 6 - Flags: - FPU (Floating-point unit on-chip) - VME (Virtual mode extension) - DE (Debugging extension) - PSE (Page size extension) - TSC (Time stamp counter) - MSR (Model specific registers) - PAE (Physical address extension) - MCE (Machine check exception) - CX8 (CMPXCHG8 instruction supported) - APIC (On-chip APIC hardware supported) - SEP (Fast system call) - MTRR (Memory type range registers) - PGE (Page global enable) - MCA (Machine check architecture) - CMOV (Conditional move instruction supported) - PAT (Page attribute table) - PSE-36 (36-bit page size extension) - CLFSH (CLFLUSH instruction supported) - DS (Debug store) - ACPI (ACPI supported) - MMX (MMX technology supported) - FXSR (FXSAVE and FXSTOR instructions supported) - SSE (Streaming SIMD extensions) - SSE2 (Streaming SIMD extensions 2) - SS (Self-snoop) - HTT (Multi-threading) - TM (Thermal monitor supported) - PBE (Pending break enabled) - Version: Intel(R) Core(TM)2 Duo CPU P8600 @ 2.40GHz - Voltage: 1.2 V - External Clock: 266 MHz - Max Speed: 2400 MHz - Current Speed: 2400 MHz - Status: Populated, Enabled - Upgrade: None - L1 Cache Handle: 0x000A - L2 Cache Handle: 0x000C - L3 Cache Handle: Not Provided - Serial Number: Not Specified - Asset Tag: Not Specified - Part Number: Not Specified - -Handle 0x0007, DMI type 5, 20 bytes -Memory Controller Information - Error Detecting Method: None - Error Correcting Capabilities: - None - Supported Interleave: One-way Interleave - Current Interleave: One-way Interleave - Maximum Memory Module Size: 4096 MB - Maximum Total Memory Size: 8192 MB - Supported Speeds: - Other - Supported Memory Types: - DIMM - SDRAM - Memory Module Voltage: 2.9 V - Associated Memory Slots: 2 - 0x0008 - 0x0009 - Enabled Error Correcting Capabilities: - Unknown - -Handle 0x0008, DMI type 6, 12 bytes -Memory Module Information - Socket Designation: DIMM Slot 1 - Bank Connections: 0 1 - Current Speed: 155 ns - Type: DIMM SDRAM - Installed Size: 4096 MB (Double-bank Connection) - Enabled Size: 4096 MB (Double-bank Connection) - Error Status: OK - -Handle 0x0009, DMI type 6, 12 bytes -Memory Module Information - Socket Designation: DIMM Slot 2 - Bank Connections: 2 3 - Current Speed: 155 ns - Type: DIMM SDRAM - Installed Size: 4096 MB (Double-bank Connection) - Enabled Size: 4096 MB (Double-bank Connection) - Error Status: OK - -Handle 0x000A, DMI type 7, 19 bytes -Cache Information - Socket Designation: Internal L1 Cache - Configuration: Enabled, Socketed, Level 1 - Operational Mode: Write Back - Location: Internal - Installed Size: 64 kB - Maximum Size: 64 kB - Supported SRAM Types: - Synchronous - Installed SRAM Type: Synchronous - Speed: Unknown - Error Correction Type: Single-bit ECC - System Type: Instruction - Associativity: 8-way Set-associative - -Handle 0x000B, DMI type 7, 19 bytes -Cache Information - Socket Designation: Internal L1 Cache - Configuration: Enabled, Socketed, Level 1 - Operational Mode: Write Back - Location: Internal - Installed Size: 64 kB - Maximum Size: 64 kB - Supported SRAM Types: - Synchronous - Installed SRAM Type: Synchronous - Speed: Unknown - Error Correction Type: Single-bit ECC - System Type: Data - Associativity: 8-way Set-associative - -Handle 0x000C, DMI type 7, 19 bytes -Cache Information - Socket Designation: Internal L2 Cache - Configuration: Enabled, Socketed, Level 2 - Operational Mode: Write Back - Location: Internal - Installed Size: 3072 kB - Maximum Size: 3072 kB - Supported SRAM Types: - Burst - Installed SRAM Type: Burst - Speed: Unknown - Error Correction Type: Single-bit ECC - System Type: Unified - Associativity: 8-way Set-associative - -Handle 0x000D, DMI type 8, 9 bytes -Port Connector Information - Internal Reference Designator: Not Available - Internal Connector Type: None - External Reference Designator: External Monitor - External Connector Type: DB-15 female - Port Type: Video Port - -Handle 0x000E, DMI type 8, 9 bytes -Port Connector Information - Internal Reference Designator: Not Available - Internal Connector Type: None - External Reference Designator: Microphone Jack - External Connector Type: Mini Jack (headphones) - Port Type: Audio Port - -Handle 0x000F, DMI type 8, 9 bytes -Port Connector Information - Internal Reference Designator: Not Available - Internal Connector Type: None - External Reference Designator: Headphone Jack - External Connector Type: Mini Jack (headphones) - Port Type: Audio Port - -Handle 0x0010, DMI type 126, 9 bytes -Inactive - -Handle 0x0011, DMI type 126, 9 bytes -Inactive - -Handle 0x0012, DMI type 8, 9 bytes -Port Connector Information - Internal Reference Designator: Not Available - Internal Connector Type: None - External Reference Designator: Modem - External Connector Type: RJ-11 - Port Type: Modem Port - -Handle 0x0013, DMI type 8, 9 bytes -Port Connector Information - Internal Reference Designator: Not Available - Internal Connector Type: None - External Reference Designator: Ethernet - External Connector Type: RJ-45 - Port Type: Network Port - -Handle 0x0014, DMI type 8, 9 bytes -Port Connector Information - Internal Reference Designator: Not Available - Internal Connector Type: None - External Reference Designator: USB 1 - External Connector Type: Access Bus (USB) - Port Type: USB - -Handle 0x0015, DMI type 8, 9 bytes -Port Connector Information - Internal Reference Designator: Not Available - Internal Connector Type: None - External Reference Designator: USB 2 - External Connector Type: Access Bus (USB) - Port Type: USB - -Handle 0x0016, DMI type 8, 9 bytes -Port Connector Information - Internal Reference Designator: Not Available - Internal Connector Type: None - External Reference Designator: USB 3 - External Connector Type: Access Bus (USB) - Port Type: USB - -Handle 0x0017, DMI type 126, 9 bytes -Inactive - -Handle 0x0018, DMI type 126, 9 bytes -Inactive - -Handle 0x0019, DMI type 126, 9 bytes -Inactive - -Handle 0x001A, DMI type 126, 9 bytes -Inactive - -Handle 0x001B, DMI type 126, 9 bytes -Inactive - -Handle 0x001C, DMI type 126, 9 bytes -Inactive - -Handle 0x001D, DMI type 126, 9 bytes -Inactive - -Handle 0x001E, DMI type 126, 9 bytes -Inactive - -Handle 0x001F, DMI type 8, 9 bytes -Port Connector Information - Internal Reference Designator: Not Available - Internal Connector Type: None - External Reference Designator: IEEE1394 - External Connector Type: IEEE 1394 - Port Type: Firewire (IEEE P1394) - -Handle 0x0020, DMI type 9, 13 bytes -System Slot Information - Designation: ExpressCard Slot 1 - Type: x1 PCI Express - Current Usage: Available - Length: Other - ID: 0 - Characteristics: - Hot-plug devices are supported - -Handle 0x0021, DMI type 9, 13 bytes -System Slot Information - Designation: CardBus Slot 1 - Type: 32-bit PC Card (PCMCIA) - Current Usage: Available - Length: Other - ID: Adapter 1, Socket 0 - Characteristics: - 5.0 V is provided - 3.3 V is provided - PC Card-16 is supported - Cardbus is supported - Zoom Video is supported - Modem ring resume is supported - PME signal is supported - Hot-plug devices are supported - -Handle 0x0022, DMI type 126, 13 bytes -Inactive - -Handle 0x0023, DMI type 126, 13 bytes -Inactive - -Handle 0x0024, DMI type 9, 13 bytes -System Slot Information - Designation: Media Card Slot 1 - Type: Other - Current Usage: Available - Length: Other - Characteristics: - Hot-plug devices are supported - -Handle 0x0025, DMI type 126, 13 bytes -Inactive - -Handle 0x0026, DMI type 126, 13 bytes -Inactive - -Handle 0x0027, DMI type 10, 6 bytes -On Board Device Information - Type: Other - Status: Enabled - Description: IBM Embedded Security hardware - -Handle 0x0028, DMI type 11, 5 bytes -OEM Strings - String 1: IBM ThinkPad Embedded Controller -[7VHT12WW-1.01 ]- - -Handle 0x0029, DMI type 13, 22 bytes -BIOS Language Information - Language Description Format: Abbreviated - Installable Languages: 1 - enUS - Currently Installed Language: enUS - -Handle 0x002A, DMI type 15, 25 bytes -System Event Log - Area Length: 0 bytes - Header Start Offset: 0x0000 - Header Length: 16 bytes - Data Start Offset: 0x0010 - Access Method: General-purpose non-volatile data functions - Access Address: 0x0000 - Status: Valid, Not Full - Change Token: 0x00000070 - Header Format: Type 1 - Supported Log Type Descriptors: 1 - Descriptor 1: POST error - Data Format 1: POST results bitmap - -Handle 0x002B, DMI type 16, 15 bytes -Physical Memory Array - Location: System Board Or Motherboard - Use: System Memory - Error Correction Type: None - Maximum Capacity: 4 GB - Error Information Handle: Not Provided - Number Of Devices: 2 - -Handle 0x002C, DMI type 17, 27 bytes -Memory Device - Array Handle: 0x002B - Error Information Handle: No Error - Total Width: 64 bits - Data Width: 64 bits - Size: 4096 MB - Form Factor: SODIMM - Set: None - Locator: DIMM 1 - Bank Locator: Bank 0/1 - Type: DDR2 - Type Detail: Synchronous - Speed: 667 MHz - Manufacturer: Not Specified - Serial Number: Not Specified - Asset Tag: Not Specified - Part Number: Not Specified - -Handle 0x002D, DMI type 17, 27 bytes -Memory Device - Array Handle: 0x002B - Error Information Handle: No Error - Total Width: 64 bits - Data Width: 64 bits - Size: 4096 MB - Form Factor: SODIMM - Set: None - Locator: DIMM 2 - Bank Locator: Bank 2/3 - Type: DDR2 - Type Detail: Synchronous - Speed: 667 MHz - Manufacturer: Not Specified - Serial Number: Not Specified - Asset Tag: Not Specified - Part Number: Not Specified - -Handle 0x002E, DMI type 18, 23 bytes -32-bit Memory Error Information - Type: OK - Granularity: Unknown - Operation: Unknown - Vendor Syndrome: Unknown - Memory Array Address: Unknown - Device Address: Unknown - Resolution: Unknown - -Handle 0x002F, DMI type 19, 15 bytes -Memory Array Mapped Address - Starting Address: 0x00000000000 - Ending Address: 0x001FFFFFFFF - Range Size: 8 GB - Physical Array Handle: 0x002B - Partition Width: 2 - -Handle 0x0030, DMI type 20, 19 bytes -Memory Device Mapped Address - Starting Address: 0x00000000000 - Ending Address: 0x000FFFFFFFF - Range Size: 4 GB - Physical Device Handle: 0x002C - Memory Array Mapped Address Handle: 0x002F - Partition Row Position: 1 - -Handle 0x0031, DMI type 20, 19 bytes -Memory Device Mapped Address - Starting Address: 0x00100000000 - Ending Address: 0x001FFFFFFFF - Range Size: 4 GB - Physical Device Handle: 0x002D - Memory Array Mapped Address Handle: 0x002F - Partition Row Position: 1 - -Handle 0x0032, DMI type 21, 7 bytes -Built-in Pointing Device - Type: Track Point - Interface: PS/2 - Buttons: 3 - -Handle 0x0033, DMI type 21, 7 bytes -Built-in Pointing Device - Type: Touch Pad - Interface: PS/2 - Buttons: 0 - -Handle 0x0034, DMI type 22, 26 bytes -Portable Battery - Location: Rear - Manufacturer: Panasonic - Name: 42T4532 - Design Capacity: 84240 mWh - Design Voltage: 10800 mV - SBDS Version: 03.01 - Maximum Error: Unknown - SBDS Serial Number: 02C2 - SBDS Manufacture Date: 2008-10-15 - SBDS Chemistry: LION - OEM-specific Information: 0x00000000 - -Handle 0x0035, DMI type 126, 26 bytes -Inactive - -Handle 0x0036, DMI type 24, 5 bytes -Hardware Security - Power-On Password Status: Enabled - Keyboard Password Status: Disabled - Administrator Password Status: Enabled - Front Panel Reset Status: Unknown - -Handle 0x0037, DMI type 32, 11 bytes -System Boot Information - Status: No errors detected - -Handle 0x0038, DMI type 131, 17 bytes -OEM-specific Type - Header and Data: - 83 11 38 00 01 02 03 FF FF 1F 00 00 00 00 00 02 - 00 - Strings: - BOOTINF 20h - BOOTDEV 21h - KEYPTRS 23h - -Handle 0x0039, DMI type 131, 22 bytes -OEM-specific Type - Header and Data: - 83 16 39 00 01 00 00 00 00 00 00 00 00 00 00 00 - 00 00 00 00 00 01 - Strings: - TVT-Enablement - -Handle 0x003A, DMI type 132, 7 bytes -OEM-specific Type - Header and Data: - 84 07 3A 00 02 DA 36 - -Handle 0x003B, DMI type 133, 5 bytes -OEM-specific Type - Header and Data: - 85 05 3B 00 01 - Strings: - KHOIHGIUCCHHII - -Handle 0x003C, DMI type 134, 13 bytes -OEM-specific Type - Header and Data: - 86 0D 3C 00 04 11 08 20 00 00 00 00 00 - -Handle 0x003D, DMI type 134, 16 bytes -OEM-specific Type - Header and Data: - 86 10 3D 00 00 49 4E 54 43 01 01 00 00 03 01 02 - Strings: - TPM INFO - System Reserved - -Handle 0x003E, DMI type 135, 13 bytes -OEM-specific Type - Header and Data: - 87 0D 3E 00 54 50 07 00 01 00 00 00 00 - -Handle 0x003F, DMI type 135, 18 bytes -OEM-specific Type - Header and Data: - 87 12 3F 00 54 50 07 01 01 B8 00 00 00 00 00 00 - 00 00 - -Handle 0x0040, DMI type 135, 35 bytes -OEM-specific Type - Header and Data: - 87 23 40 00 54 50 07 02 42 41 59 20 49 2F 4F 20 - 01 00 02 00 00 0B 00 48 1C 3E 18 02 00 0B 00 40 - 1C 3A 18 - -Handle 0x0041, DMI type 135, 34 bytes -OEM-specific Type - Header and Data: - 87 22 41 00 54 50 07 04 01 06 01 01 02 00 02 01 - 02 00 03 01 02 00 04 01 02 00 05 01 02 00 06 01 - 02 00 - -Handle 0x0042, DMI type 136, 6 bytes -OEM-specific Type - Header and Data: - 88 06 42 00 5A 5A - -Handle 0x0043, DMI type 126, 28 bytes -Inactive - -Handle 0x0044, DMI type 138, 40 bytes -OEM-specific Type - Header and Data: - 8A 28 44 00 14 01 02 01 40 02 01 40 02 01 40 02 - 01 40 01 40 42 49 4F 53 20 50 61 73 73 77 6F 72 - 64 20 46 6F 72 6D 61 74 - -Handle 0x0045, DMI type 139, 37 bytes -OEM-specific Type - Header and Data: - 8B 25 45 00 11 01 0A 00 00 00 00 00 00 00 00 00 - 00 50 57 4D 53 20 4B 65 79 20 49 6E 66 6F 72 6D - 61 74 69 6F 6E - -Handle 0x0046, DMI type 129, 8 bytes -OEM-specific Type - Header and Data: - 81 08 46 00 01 01 02 00 - Strings: - Intel_ASF - Intel_ASF_001 - -Handle 0x0047, DMI type 130, 20 bytes -OEM-specific Type - Header and Data: - 82 14 47 00 24 41 4D 54 01 00 00 00 00 00 00 00 - 00 00 00 00 - -Handle 0x0048, DMI type 131, 64 bytes -OEM-specific Type - Header and Data: - 83 40 48 00 3C 00 00 00 00 00 40 2A 0A 00 00 00 - F8 00 17 29 00 00 00 00 0F 00 00 00 00 00 04 00 - 64 04 03 00 03 00 01 15 C8 00 F5 10 00 00 00 00 - 00 00 00 00 07 00 00 00 76 50 72 6F 00 00 00 00 - -Handle 0x0049, DMI type 127, 4 bytes -End Of Table - diff --git a/docs/hcl/x200.html b/docs/hcl/x200.html index 0435efce..da35a1ec 100644 --- a/docs/hcl/x200.html +++ b/docs/hcl/x200.html @@ -34,7 +34,7 @@

    The X200 laptops come with the ME (and sometimes AMT in addition) before flashing libreboot. Libreboot disables and removes it - by using a modified descriptor: see x200_remove_me.html (contains notes, plus + by using a modified descriptor: see gm45_remove_me.html (contains notes, plus instructions)

    @@ -287,7 +287,7 @@

    New targets

    - ThinkPad R400/R500/T400/T400S/T500/W500. These all use either the GM45 or GS45 + ThinkPad R500/T400/T400S/T500/W500. These all use either the GM45 or GS45 chipset, and should be easy-ish to port to coreboot (based on the X200 port and the GM45 code), then adapted for use in libreboot.

    @@ -298,12 +298,6 @@ of Intel.

    -

    - For example, the R400 currently has issues with raminit (not yet ported to coreboot) - where it's DDR3 memory reported as DDR2, as shown in - text/r400/r400_dmidecode.txt -

    -
    diff --git a/docs/hcl/x200_remove_me.html b/docs/hcl/x200_remove_me.html deleted file mode 100644 index ae0a83f7..00000000 --- a/docs/hcl/x200_remove_me.html +++ /dev/null @@ -1,525 +0,0 @@ - - - - - - - - - ThinkPad X200: remove the ME (manageability engine) - - - - -
    - -

    ThinkPad X200: remove the ME (manageability engine)

    -

    - This sections relates to disabling and removing the ME (Intel Management Engine) - on the ThinkPad X200. -

    -

    - The ME is a blob that typically must be left inside the flash chip (in the ME region, as outlined - by the default descriptor). On the X200, it is possible to remove it without any ill effects. All - other parts of coreboot on the X200 can be blob-free, so removing the ME was the last obstacle to - get X200 support in libreboot (the machine can also work without the microcode blobs). -

    -

    - The ME is removed and disabled in libreboot by modifying the descriptor. More info about - this can be found in the ich9deblob/ich9gen source code in resources/utilities/ich9deblob/ - in libreboot, or more generally on this page. -

    -

    - Back to main X200 compatibility page (x200.html). -

    - -
    - -
    - -

    ICH9 gen utility

    - -

    - This is no longer strictly necessary. Libreboot ROM images for X200 now - contain the 12KiB descriptor+gbe generated from ich9gen, by default. -

    - -

    - It is no longer necessary to use ich9deblob to generate - a deblobbed descriptor+gbe image for the X200. ich9gen is a small utility within - ich9deblob that can generate them from scratch, without a factory.bin dump. -

    - -

    - Run:
    - $ ./ich9gen -

    - -

    - It is also possible to generate a descriptor+gbe image with your own MAC address - inside (with the Gbe checksum updated to match). Run:
    - $ ./ich9gen --macaddress XX:XX:XX:XX:XX:XX
    - (replace the XX chars with the hexadecimal chars in the MAC address that you want) -

    - -

    - You can find out your MAC address from ip addr or ifconfig in GNU/Linux. - Alternatively, if you are running libreboot already (with the correct MAC address in your - ROM), dump it (flashrom -r) and read the first 6 bytes from position 0x1000 (or 0x2000) in a hex editor - (or, rename it to factory.rom and run it in ich9deblob: in the newly created mkgbe.c - will be the individual bytes of your MAC address). If you are currently running the stock firmware - and haven't installed libreboot yet, you can also run that through ich9deblob to get the mac address. -

    - -

    - An even simpler way to get the MAC address would be to read what's on the little sticker on - the underside. (on the X200, this would be near the VGA port). -

    - -

    - A bash script is also included in libreboot which will change the mac address (using ich9gen) - on all X200 ROM images. For instance:
    - $ ./ich9macchange XX:XX:XX:XX:XX:XX -

    - -

    - Two new files will be created: -

    -
      -
    • ich9fdgbe_4m.bin: this is for X200 laptops with the 4MB flash chip.
      • -
    • ich9fdgbe_8m.bin: this is for X200 laptops with the 8MB flash chip.
      • -
    - -

    - ich9gen executables can be found under ./ich9deblob/ statically compiled in - libreboot_bin. If you are using src or git, build ich9gen from source with:
    - $ ./builddeps-ich9deblob
    - The executable will appear under resources/utilities/ich9deblob/ -

    - -

    - Assuming that your X200 libreboot image is named libreboot.rom, copy - the file to where libreboot.rom is located - and then run, for instance:
    - $ dd if=ich9fdgbe_8m.bin of=libreboot.rom bs=1 count=12k conv=notrunc
    - or:
    - $ dd if=ich9fdgbe_4m.bin of=libreboot.rom bs=1 count=12k conv=notrunc -

    - -

    - Your X200 libreboot.rom image is now ready to be flashed on the machine. Refer back to - ../install/index.html#flashrom - for how to flash it. -

    - -
    - -
    - -

    ICH9 deblob utility

    - -

    - This is no longer strictly necessary. Libreboot ROM images for X200 now - contain the 12KiB descriptor+gbe generated from ich9gen, by default. -

    - -

    - This was the tool originally used to disable the ME on X200. ich9gen now supersedes it; - ich9gen is better because it does not rely on dumping the factory.rom image (whereas, ich9deblob does). -

    - -

    - This is what you will use to generate the deblobbed descriptor+gbe regions for your libreboot ROM image. -

    -

    - If you are working with libreboot_src (or git), you can find the source under resources/utilities/ich9deblob/ - and will already be compiled if you ran ./builddeps or ./builddeps-ich9deblob from the main directory (./), - otherwise you can build it like so:
    - $ ./builddeps-ich9deblob
    - An executable file named ich9deblob will now appear under resources/utilities/ich9deblob/ -

    -

    - If you are working with libreboot_bin release archive, you can find the utility included, statically compiled - (for i686 and x86_64 on GNU/Linux) under ./ich9deblob/. -

    - -

    - Place the factory.rom from your X200 - (can be obtained using the guide at ../install/x200_external.html) in - the directory where you have your ich9deblob executable, then run the tool:
    - $ ./ich9deblob -

    -

    - A 12kiB file named deblobbed_descriptor.bin will now appear. Keep this and the factory.rom stored in a safe location! - The first 4KiB contains the descriptor data region for your machine, and the next 8KiB contains the gbe region (config data for your - gigabit NIC). These 2 regions could actually be separate files, but they are joined into 1 file in this case. -

    - -

    - Assuming that your X200 libreboot image is named libreboot.rom, copy - the deblobbed_descriptor.bin file to where libreboot.rom is located - and then run:
    - $ dd if=deblobbed_descriptor.bin of=libreboot.rom bs=1 count=12k conv=notrunc -

    - -

    - The utility will also generate 4 additional files: -

    -
      -
    • mkdescriptor.c
      • -
    • mkdescriptor.h
      • -
    • mkgbe.c
      • -
    • mkgbe.h
      • -
    -

    - These are C source files that can re-generate the very same Gbe and Descriptor structs - (from ich9deblob/ich9gen). To use these, place them in src/ich9gen/ in ich9deblob, then re-build. - The newly built ich9gen executable will be able to re-create the very same 12KiB file from scratch, - based on the C structs, this time without the need for a factory.rom dump! -

    - -

    - You should now have a libreboot.rom image containing the correct 4K descriptor and 8K gbe regions, which - will then be safe to flash. Refer back to ../install/index.html#flashrom - for how to flash it. -

    - -
    - -
    - -

    - The sections below are adapted from (mostly) IRC logs related to early development getting the ME removed on the X200. - They are useful for background information. This could not have been done without sgsit's help. -

    - -
    - -

    Early notes

    - - - -
    - -
    - -
    - -
    - -

    Flash chips

    - -
      -
    • - Schematics for X200 laptop: http://pdf.datasheetarchive.com/indexerfiles/Datasheets-USER/DSAUPLD00006075.pdf - - Page 20 and page 9 refer to SDA_HDO or SDA_HDOUT only on series 6 or higher chipsets. ICH9-M (X200) does it with a strap connected to GPIO33 pin (see IRC notes below)
      - - According to page 29, the X200 can have any of the following flash chips: -
        -
      • ATMEL AT26DF321-SU 72.26321.A01 - this is a 32Mb (4MiB) chip
        • -
      • MXIC (Macronix?) MX25L3205DM2I-12G 72.25325.A01 - another 32Mb (4MiB) chip
        • -
      • MXIC (Macronix?) MX25L6405DMI-12G 41R0820AA - this is a 64Mb (8MiB) chip
        • -
      • Winbond W25X64VSFIG 41R0820BA - another 64Mb (8MiB) chip
        • -
      - sgsit says that the X200s with the 64Mb flash chips are (probably) the ones with AMT (alongside the ME), whereas - the 32Mb chips contain only the ME. -
      • -
    • - Schematics for X200s laptop: http://pdf.datasheetarchive.com/indexerfiles/Datasheets-USER/DSAUPLD00006104.pdf. -
      • -
    - -
    - -
    - -
    - -

    Early development notes

    - -
    -
-Start (hex)	End (hex)	Length (hex)	Area Name
------------	---------	------------	---------
-00000000	003FFFFF	00400000	Flash Image
-
-00000000	00000FFF	00001000	Descriptor Region
-00000004	0000000F	0000000C		Descriptor Map
-00000010	0000001B	0000000C		Component Section
-00000040	0000004F	00000010		Region Section
-00000060	0000006B	0000000C		Master Access Section
-00000060	00000063	00000004			CPU/BIOS
-00000064	00000067	00000004			Manageability Engine (ME)
-00000068	0000006B	00000004			GbE LAN
-00000100	00000103	00000004		ICH Strap 0
-00000104	00000107	00000004		ICH Strap 1
-00000200	00000203	00000004		MCH Strap 0
-00000EFC	00000EFF	00000004		Descriptor Map 2
-00000ED0	00000EF7	00000028		ME VSCC Table
-00000ED0	00000ED7	00000008			Flash device 1
-00000ED8	00000EDF	00000008			Flash device 2
-00000EE0	00000EE7	00000008			Flash device 3
-00000EE8	00000EEF	00000008			Flash device 4
-00000EF0	00000EF7	00000008			Flash device 5
-00000F00	00000FFF	00000100		OEM Section
-00001000	001F5FFF	001F5000	ME Region
-001F6000	001F7FFF	00002000	GbE Region
-001F8000	001FFFFF	00008000	PDR Region
-00200000	003FFFFF	00200000	BIOS Region
-
-Start (hex)	End (hex)	Length (hex)	Area Name
------------	---------	------------	---------
-00000000	003FFFFF	00400000	Flash Image
-
-00000000	00000FFF	00001000	Descriptor Region
-00000004	0000000F	0000000C		Descriptor Map
-00000010	0000001B	0000000C		Component Section
-00000040	0000004F	00000010		Region Section
-00000060	0000006B	0000000C		Master Access Section
-00000060	00000063	00000004			CPU/BIOS
-00000064	00000067	00000004			Manageability Engine (ME)
-00000068	0000006B	00000004			GbE LAN
-00000100	00000103	00000004		ICH Strap 0
-00000104	00000107	00000004		ICH Strap 1
-00000200	00000203	00000004		MCH Strap 0
-00000ED0	00000EF7	00000028		ME VSCC Table
-00000ED0	00000ED7	00000008			Flash device 1
-00000ED8	00000EDF	00000008			Flash device 2
-00000EE0	00000EE7	00000008			Flash device 3
-00000EE8	00000EEF	00000008			Flash device 4
-00000EF0	00000EF7	00000008			Flash device 5
-00000EFC	00000EFF	00000004		Descriptor Map 2
-00000F00	00000FFF	00000100		OEM Section
-00001000	00002FFF	00002000	GbE Region
-00003000	00202FFF	00200000	BIOS Region
-
-Build Settings
---------------
-Flash Erase Size = 0x1000
-
-
-
    - -

    - It's a utility called 'Flash Image Tool' for ME 4.x that was used for this. You drag a complete - image into in and the utility decomposes the various components, allowing you to set soft straps. -

    -

    - This tool is proprietary, for Windows only, but was used to deblob the X200. End justified means, and - the utility is no longer needed since the ich9deblob utility (documented on this page) can now be - used to create deblobbed descriptors. -

    - -
    - -
    - -

    - GBE (gigabit ethernet) region in SPI flash -

    - -

    - Of the 8K, about 95% is 0xFF. - The data is the gbe region is fully documented in this public datasheet: - http://www.intel.co.uk/content/dam/doc/application-note/i-o-controller-hub-9m-82567lf-lm-v-nvm-map-appl-note.pdf -

    - -

    - The only actual content found was: -

    - -
    -
-00  1F  1F  1F  1F  1F  00  08  FF  FF  83  10  FF  FF  FF  FF  
-08  10  FF  FF  C3  10  EE  20  AA  17  F5  10  86  80  00  00  
-01  0D  00  00  00  00  05  06  20  30  00  0A  00  00  8B  8D  
-02  06  40  2B  43  00  00  00  F5  10  AD  BA  F5  10  BF  10  
-AD  BA  CB  10  AD  BA  AD  BA  00  00  00  00  00  00  00  00  
-00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
-00  01  00  40  28  12  07  40  FF  FF  FF  FF  FF  FF  FF  FF  
-FF  FF  FF  FF  FF  FF  FF  FF  FF  FF  FF  FF  FF  FF  D9  F0  
-20  60  1F  00  02  00  13  00  00  80  1D  00  FF  00  16  00  
-DD  CC  18  00  11  20  17  00  DD  DD  18  00  12  20  17  00  
-00  80  1D  00  00  00  1F  
-
-
    - -

    - The first part is the MAC address set to all 0x1F. It's repeated haly way through - the 8K area, and the rest is all 0xFF. This is all documented in the datasheet. -

    - -

    - The GBe region starts at 0x20A000 bytes from the *end* of a factory image and is 0x2000 bytes long. - In libreboot (deblobbed) the descriptor is set to put gbe directly after the initial 4K flash descriptor. - So the first 4K of the ROM is the descriptor, and then the next 8K is the gbe region. -

    - -
    - -

    GBE region: change MAC address

    - -

    - According to the datasheet, it's supposed to add up to 0xBABA but can actually be others on the X200. - https://communities.intel.com/community/wired/blog/2010/10/14/how-to-basic-eeprom-checksums -

    -

    - "One of those engineers loves classic rock music, so he selected 0xBABA" -

    -

    In honour of the song Baba O'Reilly by The Who apparently. We're not making this stuff up...

    - -

    - 0x3ABA, 0x34BA, 0x40BA and more have been observed in the main Gbe regions on the X200 factory.rom dumps. - The checksums of the backup regions match BABA, however. -

    - -

    - By default, the X200 (as shipped by Lenovo) actually has an invalid main gbe checksum. The backup gbe region is correct, - and is what these machines default to. Basically, you should do what you need on the *backup* gbe region, and - then correct the main one by copying from the backup. -

    - -

    - Look at resources/utilities/ich9deblob/ich9deblob.c. -

    -
      -
    • Add the first 0x3F 16bit numbers (unsigned) of the GBe descriptor together (this includes the checksum value) - and that has to add up to 0xBABA. In other words, the checksum is 0xBABA minus the total of the first - 0x3E 16bit numbers (unsigned), ignoring any overflow.
      • -
    - -
    - -
    - -
    - -

    Flash descriptor region

    - -

    - http://www.intel.co.uk/content/dam/doc/datasheet/io-controller-hub-9-datasheet.pdf - from page 850 onwards. This explains everything that is in the flash descriptor, which can be used to understand what libreboot - is doing about modifying it. -

    - -

    - How to deblob: -

    -
      -
    • patch the number of regions present in the descriptor from 5 - 3
      • -
    • originally descriptor + bios + me + gbe + platform
      • -
    • modified = descriptor + bios + gbe
      • -
    • the next stage is to patch the part of the descriptor which defines the start and end point of each section
      • -
    • then cut out the gbe region and insert it just after the region
      • -
    • all this can be substantiated with public docs (ICH9 datasheet)
      • -
    • the final part is flipping 2 bits. Halting the ME via 1 MCH soft strap and 1 ICH soft strap
      • -
    • the part of the descriptor described there gives the base address and length of each region (bits 12:24 of each address)
      • -
    • to disable a region, you set the base address to 0xFFF and the length to 0
      • -
    • and you change the number of regions from 4 (zero based) to 2
      • -
    - -

    - There's an interesting parameter called 'ME Alternate disable', which allows the ME to only handle hardware errata in the southbridge, - but disables any other functionality. This is similar to the 'ignition' in the 5 series and higher but using the standard firmware - instead of a small 128K version. Useless for libreboot, though. -

    - -

    - To deblob the x200, you chop out the platform and ME regions and correct the addresses in flReg1-4. - Then you set meDisable to 1 in ICHSTRAP0 and MCHSTRAP0. -

    - -

    How to patch the descriptor from the factory.rom dump

    -
      -
    • map the first 4k into the struct (minus the gbe region)
      • -
    • set NR in FLMAP0 to 2 (from 4)
      • -
    • adjust BASE and LIMIT in flReg1,2,3,4 to reflect the new location of each region (or remove them in the case of Platform and ME)
      • -
    • set meDisable to 1/true in ICHSTRAP0 and MCHSTRAP0
      • -
    • extract the 8k GBe region and append that to the end of the 4k descriptor
      • -
    • output the 12k concatenated chunk
      • -
    • Then it can be dd'd into the first 12K part of a coreboot image.
      • -
    • the GBe region always starts 0x20A000 bytes from the end of the ROM
      • -
    - -

    - This means that libreboot's descriptor region will simply define the following regions: -

    -
      -
    • descriptor (4K)
      • -
    • gbe (8K)
      • -
    • bios (rest of flash chip. CBFS also set to occupy this whole size)
      • -
    - -

    - The data in the descriptor region is little endian, and it represents bits 24:12 of the address - (bits 12-24, written this way since bit 24 is nearer to left than bit 12 in the binary representation). -

    -

    - So, x << 12 = address -

    -

    - If it's in descriptor mode, then the first 4 bytes will be 5A A5 F0 0F. -

    - -
    - - -
    - -

    platform data partition in boot flash (factory.rom / lenovo bios)

    - -

    - Basically useless for libreboot, since it appears to be a blob. - Removing it didn't cause any issues in libreboot. -

    -

    - This is a 32K region from the factory image. It could be data - (non-functional) that the original Lenovo BIOS used, but we don't know. -

    - -

    - It has only a 448 byte fragment different from 0x00 or 0xFF. -

    - -
    - -
    - -

    - Copyright © 2014, 2015 Francis Rowe <info@gluglug.org.uk>
    - This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at ../license.txt. -

    - -

    - This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../../license.txt for more information. -

    - -
    - - - -- cgit v1.2.3-70-g09d2