@@ -542,7 +587,7 @@ On a ThinkPad T60, you can replace the CPU (Core 2 Duo T5600, T7200 or T7600. T5600 recommended) for 64-bit support. On an X60s, you can replace the board with one that has a Core 2 Duo L7400 (you could also use an X60 Tablet board with the same CPU). On an X60, you can replace the board with one that has a Core 2 Duo T5600 or T7200 (T5600 is recommended). All MacBook2,1 laptops - are 64-bit, as are all ThinkPad X200, X200S and X200 Tablet laptops. Warning: MacBook1,1 laptops are all 32-bit only. + are 64-bit, as are all ThinkPad X200, X200S, X200 Tablet and R400 laptops. Warning: MacBook1,1 laptops are all 32-bit only.

diff --git a/docs/hcl/gm45_remove_me.html b/docs/hcl/gm45_remove_me.html new file mode 100644 index 00000000..d6c36f42 --- /dev/null +++ b/docs/hcl/gm45_remove_me.html @@ -0,0 +1,528 @@ + + + + + + + + + GM45 chipsets: remove the ME (manageability engine) + + + + +

+ +

GM45 chipsets: remove the ME (manageability engine)

+ This sections relates to disabling and removing the ME (Intel Management Engine) on + GM45. This was originally done on the ThinkPad X200, and later adapted for the ThinkPad R400. It can + in principle be done on any GM45 or GS45 machine. +

+ The ME is a blob that typically must be left inside the flash chip (in the ME region, as outlined + by the default descriptor). On GM45, it is possible to remove it without any ill effects. All + other parts of coreboot on GM45 machines (provided GMA MHD4500 / Intel graphics) can be blob-free, + so removing the ME was the last obstacle to + make GM45 a feasible target in libreboot (the machines can also work without the microcode blobs). +

+ The ME is removed and disabled in libreboot by modifying the descriptor. More info about + this can be found in the ich9deblob/ich9gen source code in resources/utilities/ich9deblob/ + in libreboot, or more generally on this page. +

+ Back to previous index. +

+ +

ICH9 gen utility

+ +

+ This is no longer strictly necessary. Libreboot ROM images for GM45 now + contain the 12KiB descriptor+gbe generated from ich9gen, by default. +

+ +

+ It is no longer necessary to use ich9deblob to generate + a deblobbed descriptor+gbe image for the X200. ich9gen is a small utility within + ich9deblob that can generate them from scratch, without a factory.bin dump. +

+ +

+ Run:
+ $ ./ich9gen +

+ +

+ It is also possible to generate a descriptor+gbe image with your own MAC address + inside (with the Gbe checksum updated to match). Run:
+ $ ./ich9gen --macaddress XX:XX:XX:XX:XX:XX
+ (replace the XX chars with the hexadecimal chars in the MAC address that you want) +

+ +

+ You can find out your MAC address from ip addr or ifconfig in GNU/Linux. + Alternatively, if you are running libreboot already (with the correct MAC address in your + ROM), dump it (flashrom -r) and read the first 6 bytes from position 0x1000 (or 0x2000) in a hex editor + (or, rename it to factory.rom and run it in ich9deblob: in the newly created mkgbe.c + will be the individual bytes of your MAC address). If you are currently running the stock firmware + and haven't installed libreboot yet, you can also run that through ich9deblob to get the mac address. +

+ +

+ An even simpler way to get the MAC address would be to read what's on the little sticker on + the underside. (on the X200, this would be near the VGA port). +

+ +

+ A bash script is also included in libreboot which will change the mac address (using ich9gen) + on all GM45 ROM images. For instance:
+ $ ./ich9macchange XX:XX:XX:XX:XX:XX +

+ +

+ Two new files will be created: +

ich9fdgbe_4m.bin: this is for GM45 laptops with the 4MB flash chip.
ich9fdgbe_8m.bin: this is for GM45 laptops with the 8MB flash chip.

+ +

+ ich9gen executables can be found under ./ich9deblob/ statically compiled in + libreboot_bin. If you are using src or git, build ich9gen from source with:
+ $ ./builddeps-ich9deblob
+ The executable will appear under resources/utilities/ich9deblob/ +

+ +

+ Assuming that your libreboot image is named libreboot.rom, copy + the file to where libreboot.rom is located + and then run, for instance:
+ $ dd if=ich9fdgbe_8m.bin of=libreboot.rom bs=1 count=12k conv=notrunc
+ or:
+ $ dd if=ich9fdgbe_4m.bin of=libreboot.rom bs=1 count=12k conv=notrunc +

+ +

+ Your libreboot.rom image is now ready to be flashed on the machine. Refer back to + ../install/index.html#flashrom + for how to flash it. +

+ +

ICH9 deblob utility

+ +

+ This is no longer strictly necessary. Libreboot ROM images for GM45 machines now + contain the 12KiB descriptor+gbe generated from ich9gen, by default. +

+ +

+ This was the tool originally used to disable the ME on X200 (later adapted for other machines that use the + GM45 chipset). ich9gen now supersedes it; + ich9gen is better because it does not rely on dumping the factory.rom image (whereas, ich9deblob does). +

+ +

+ This is what you will use to generate the deblobbed descriptor+gbe regions for your libreboot ROM image. +

+ If you are working with libreboot_src (or git), you can find the source under resources/utilities/ich9deblob/ + and will already be compiled if you ran ./builddeps or ./builddeps-ich9deblob from the main directory (./), + otherwise you can build it like so:
+ $ ./builddeps-ich9deblob
+ An executable file named ich9deblob will now appear under resources/utilities/ich9deblob/ +

+ If you are working with libreboot_bin release archive, you can find the utility included, statically compiled + (for i686 and x86_64 on GNU/Linux) under ./ich9deblob/. +

+ +

+ Place the factory.rom from your machine + (can be obtained using the external flashing guides for GM45 targets linked ../install/index.html) in + the directory where you have your ich9deblob executable, then run the tool:
+ $ ./ich9deblob +

+ A 12kiB file named deblobbed_descriptor.bin will now appear. Keep this and the factory.rom stored in a safe location! + The first 4KiB contains the descriptor data region for your machine, and the next 8KiB contains the gbe region (config data for your + gigabit NIC). These 2 regions could actually be separate files, but they are joined into 1 file in this case. +

+ +

+ Assuming that your libreboot image is named libreboot.rom, copy + the deblobbed_descriptor.bin file to where libreboot.rom is located + and then run:
+ $ dd if=deblobbed_descriptor.bin of=libreboot.rom bs=1 count=12k conv=notrunc +

+ +

+ The utility will also generate 4 additional files: +

mkdescriptor.c
mkdescriptor.h
mkgbe.c
mkgbe.h

+ These are C source files that can re-generate the very same Gbe and Descriptor structs + (from ich9deblob/ich9gen). To use these, place them in src/ich9gen/ in ich9deblob, then re-build. + The newly built ich9gen executable will be able to re-create the very same 12KiB file from scratch, + based on the C structs, this time without the need for a factory.rom dump! +

+ +

+ You should now have a libreboot.rom image containing the correct 4K descriptor and 8K gbe regions, which + will then be safe to flash. Refer back to ../install/index.html#flashrom + for how to flash it. +

+ +

+ The sections below are adapted from (mostly) IRC logs related to early development getting the ME removed on GM45. + They are useful for background information. This could not have been done without sgsit's help. +

+ +

Early notes

+ +

+ http://www.intel.co.uk/content/dam/doc/datasheet/io-controller-hub-10-family-datasheet.pdf + page 230 mentions about descriptor and non-descriptor mode (which wipes out gbe and ME/AMT). +
+ ~~See reference to HDA_SDO (disable descriptor security)~~ + strap connected GPIO33 pin is it on ICH9-M (X200). HDA_SDO applies to later chipsets (series 6 or higher). + Disabling descriptor security also disables the ethernet according to sgsit. sgsit's method + involves use of 'soft straps' (see IRC logs below) instead of disabling the descriptor. +
+ and the location of GPIO33 on the x200s: (was an external link. Putting it here instead) + images/x200/gpio33_location.jpg + - it's above the number 7 on TP37 (which is above the big intel chip at the bottom) +
+ The ME datasheet may not be for the mobile chipsets but it doesn't vary that much. + This one gives some detail and covers QM67 which is what the X201 uses: + http://www.intel.co.uk/content/dam/www/public/us/en/documents/datasheets/6-chipset-c200-chipset-datasheet.pdf +

+ +

Flash chips

+ +

+ Schematics for X200 laptop: http://pdf.datasheetarchive.com/indexerfiles/Datasheets-USER/DSAUPLD00006075.pdf + ~~- Page 20 and page 9 refer to SDA_HDO or SDA_HDOUT~~ only on series 6 or higher chipsets. ICH9-M (X200) does it with a strap connected to GPIO33 pin (see IRC notes below)
+ - According to page 29, the X200 can have any of the following flash chips: +
- ATMEL AT26DF321-SU 72.26321.A01 - this is a 32Mb (4MiB) chip
- MXIC (Macronix?) MX25L3205DM2I-12G 72.25325.A01 - another 32Mb (4MiB) chip
- MXIC (Macronix?) MX25L6405DMI-12G 41R0820AA - this is a 64Mb (8MiB) chip
- Winbond W25X64VSFIG 41R0820BA - another 64Mb (8MiB) chip
+ sgsit says that the X200s with the 64Mb flash chips are (probably) the ones with AMT (alongside the ME), whereas + the 32Mb chips contain only the ME. +
+ Schematics for X200s laptop: http://pdf.datasheetarchive.com/indexerfiles/Datasheets-USER/DSAUPLD00006104.pdf. +

+ +

Early development notes

+ +

+
+Start (hex)	End (hex)	Length (hex)	Area Name
+-----------	---------	------------	---------
+00000000	003FFFFF	00400000	Flash Image
+
+00000000	00000FFF	00001000	Descriptor Region
+00000004	0000000F	0000000C		Descriptor Map
+00000010	0000001B	0000000C		Component Section
+00000040	0000004F	00000010		Region Section
+00000060	0000006B	0000000C		Master Access Section
+00000060	00000063	00000004			CPU/BIOS
+00000064	00000067	00000004			Manageability Engine (ME)
+00000068	0000006B	00000004			GbE LAN
+00000100	00000103	00000004		ICH Strap 0
+00000104	00000107	00000004		ICH Strap 1
+00000200	00000203	00000004		MCH Strap 0
+00000EFC	00000EFF	00000004		Descriptor Map 2
+00000ED0	00000EF7	00000028		ME VSCC Table
+00000ED0	00000ED7	00000008			Flash device 1
+00000ED8	00000EDF	00000008			Flash device 2
+00000EE0	00000EE7	00000008			Flash device 3
+00000EE8	00000EEF	00000008			Flash device 4
+00000EF0	00000EF7	00000008			Flash device 5
+00000F00	00000FFF	00000100		OEM Section
+00001000	001F5FFF	001F5000	ME Region
+001F6000	001F7FFF	00002000	GbE Region
+001F8000	001FFFFF	00008000	PDR Region
+00200000	003FFFFF	00200000	BIOS Region
+
+Start (hex)	End (hex)	Length (hex)	Area Name
+-----------	---------	------------	---------
+00000000	003FFFFF	00400000	Flash Image
+
+00000000	00000FFF	00001000	Descriptor Region
+00000004	0000000F	0000000C		Descriptor Map
+00000010	0000001B	0000000C		Component Section
+00000040	0000004F	00000010		Region Section
+00000060	0000006B	0000000C		Master Access Section
+00000060	00000063	00000004			CPU/BIOS
+00000064	00000067	00000004			Manageability Engine (ME)
+00000068	0000006B	00000004			GbE LAN
+00000100	00000103	00000004		ICH Strap 0
+00000104	00000107	00000004		ICH Strap 1
+00000200	00000203	00000004		MCH Strap 0
+00000ED0	00000EF7	00000028		ME VSCC Table
+00000ED0	00000ED7	00000008			Flash device 1
+00000ED8	00000EDF	00000008			Flash device 2
+00000EE0	00000EE7	00000008			Flash device 3
+00000EE8	00000EEF	00000008			Flash device 4
+00000EF0	00000EF7	00000008			Flash device 5
+00000EFC	00000EFF	00000004		Descriptor Map 2
+00000F00	00000FFF	00000100		OEM Section
+00001000	00002FFF	00002000	GbE Region
+00003000	00202FFF	00200000	BIOS Region
+
+Build Settings
+--------------
+Flash Erase Size = 0x1000
+
+
+

+ +

+ It's a utility called 'Flash Image Tool' for ME 4.x that was used for this. You drag a complete + image into in and the utility decomposes the various components, allowing you to set soft straps. +

+ This tool is proprietary, for Windows only, but was used to deblob the X200. End justified means, and + the utility is no longer needed since the ich9deblob utility (documented on this page) can now be + used to create deblobbed descriptors. +

+ +

+ GBE (gigabit ethernet) region in SPI flash +

+ +

+ Of the 8K, about 95% is 0xFF. + The data is the gbe region is fully documented in this public datasheet: + http://www.intel.co.uk/content/dam/doc/application-note/i-o-controller-hub-9m-82567lf-lm-v-nvm-map-appl-note.pdf +

+ +

+ The only actual content found was: +

+ +

+
+00  1F  1F  1F  1F  1F  00  08  FF  FF  83  10  FF  FF  FF  FF  
+08  10  FF  FF  C3  10  EE  20  AA  17  F5  10  86  80  00  00  
+01  0D  00  00  00  00  05  06  20  30  00  0A  00  00  8B  8D  
+02  06  40  2B  43  00  00  00  F5  10  AD  BA  F5  10  BF  10  
+AD  BA  CB  10  AD  BA  AD  BA  00  00  00  00  00  00  00  00  
+00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
+00  01  00  40  28  12  07  40  FF  FF  FF  FF  FF  FF  FF  FF  
+FF  FF  FF  FF  FF  FF  FF  FF  FF  FF  FF  FF  FF  FF  D9  F0  
+20  60  1F  00  02  00  13  00  00  80  1D  00  FF  00  16  00  
+DD  CC  18  00  11  20  17  00  DD  DD  18  00  12  20  17  00  
+00  80  1D  00  00  00  1F  
+
+

+ +

+ The first part is the MAC address set to all 0x1F. It's repeated haly way through + the 8K area, and the rest is all 0xFF. This is all documented in the datasheet. +

+ +

+ The GBe region starts at 0x20A000 bytes from the *end* of a factory image and is 0x2000 bytes long. + In libreboot (deblobbed) the descriptor is set to put gbe directly after the initial 4K flash descriptor. + So the first 4K of the ROM is the descriptor, and then the next 8K is the gbe region. +

+ +

GBE region: change MAC address

+ +

+ According to the datasheet, it's supposed to add up to 0xBABA but can actually be others on the X200. + https://communities.intel.com/community/wired/blog/2010/10/14/how-to-basic-eeprom-checksums +

+ "One of those engineers loves classic rock music, so he selected 0xBABA" +

In honour of the song Baba O'Reilly by The Who apparently. We're not making this stuff up...

+ +

+ 0x3ABA, 0x34BA, 0x40BA and more have been observed in the main Gbe regions on the X200 factory.rom dumps. + The checksums of the backup regions match BABA, however. +

+ +

+ By default, the X200 (as shipped by Lenovo) actually has an invalid main gbe checksum. The backup gbe region is correct, + and is what these machines default to. Basically, you should do what you need on the *backup* gbe region, and + then correct the main one by copying from the backup. +

+ +

+ Look at resources/utilities/ich9deblob/ich9deblob.c. +

Add the first 0x3F 16bit numbers (unsigned) of the GBe descriptor together (this includes the checksum value) + and that has to add up to 0xBABA. In other words, the checksum is 0xBABA minus the total of the first + 0x3E 16bit numbers (unsigned), ignoring any overflow.

+ +

Flash descriptor region

+ +

+ http://www.intel.co.uk/content/dam/doc/datasheet/io-controller-hub-9-datasheet.pdf + from page 850 onwards. This explains everything that is in the flash descriptor, which can be used to understand what libreboot + is doing about modifying it. +

+ +

+ How to deblob: +

patch the number of regions present in the descriptor from 5 - 3
originally descriptor + bios + me + gbe + platform
modified = descriptor + bios + gbe
the next stage is to patch the part of the descriptor which defines the start and end point of each section
then cut out the gbe region and insert it just after the region
all this can be substantiated with public docs (ICH9 datasheet)
the final part is flipping 2 bits. Halting the ME via 1 MCH soft strap and 1 ICH soft strap
the part of the descriptor described there gives the base address and length of each region (bits 12:24 of each address)
to disable a region, you set the base address to 0xFFF and the length to 0
and you change the number of regions from 4 (zero based) to 2

+ +

+ There's an interesting parameter called 'ME Alternate disable', which allows the ME to only handle hardware errata in the southbridge, + but disables any other functionality. This is similar to the 'ignition' in the 5 series and higher but using the standard firmware + instead of a small 128K version. Useless for libreboot, though. +

+ +

+ To deblob GM45, you chop out the platform and ME regions and correct the addresses in flReg1-4. + Then you set meDisable to 1 in ICHSTRAP0 and MCHSTRAP0. +

+ +

How to patch the descriptor from the factory.rom dump

map the first 4k into the struct (minus the gbe region)
set NR in FLMAP0 to 2 (from 4)
adjust BASE and LIMIT in flReg1,2,3,4 to reflect the new location of each region (or remove them in the case of Platform and ME)
set meDisable to 1/true in ICHSTRAP0 and MCHSTRAP0
extract the 8k GBe region and append that to the end of the 4k descriptor
output the 12k concatenated chunk
Then it can be dd'd into the first 12K part of a coreboot image.
the GBe region always starts 0x20A000 bytes from the end of the ROM

+ +

+ This means that libreboot's descriptor region will simply define the following regions: +

descriptor (4K)
gbe (8K)
bios (rest of flash chip. CBFS also set to occupy this whole size)

+ +

+ The data in the descriptor region is little endian, and it represents bits 24:12 of the address + (bits 12-24, written this way since bit 24 is nearer to left than bit 12 in the binary representation). +

+ So, x << 12 = address +

+ If it's in descriptor mode, then the first 4 bytes will be 5A A5 F0 0F. +

+ +

+ + +

+ +

platform data partition in boot flash (factory.rom / lenovo bios)

+ +

+ Basically useless for libreboot, since it appears to be a blob. + Removing it didn't cause any issues in libreboot. +

+ This is a 32K region from the factory image. It could be data + (non-functional) that the original Lenovo BIOS used, but we don't know. +

+ +

+ It has only a 448 byte fragment different from 0x00 or 0xFF. +

+ +

+ Copyright © 2014, 2015 Francis Rowe <info@gluglug.org.uk>
+ This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. + A copy of the license can be found at ../license.txt. +

+ +

+ This document is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../../license.txt for more information. +

+ +

+ + + diff --git a/docs/hcl/index.html b/docs/hcl/index.html index 6aec1c70..4aa74da8 100644 --- a/docs/hcl/index.html +++ b/docs/hcl/index.html @@ -25,6 +25,7 @@

List of supported ThinkPad X60 Tablets

List of supported ThinkPad T60s

List of supported ThinkPad X200s

List of supported ThinkPad R400s

ThinkPad T60 (ATI GPU) and ThinkPad T60 (Intel GPU) differences.

Information about the Macbook1,1

Information about the Macbook2,1

@@ -46,6 +47,7 @@

Lenovo ThinkPad X60 Tablet

Lenovo ThinkPad T60 (there are exceptions. see link)

diff --git a/docs/hcl/r400.html b/docs/hcl/r400.html new file mode 100644 index 00000000..43dfb096 --- /dev/null +++ b/docs/hcl/r400.html @@ -0,0 +1,101 @@ + + + + + + + + + ThinkPad R400 + + + + +

ThinkPad R400

+ + + +

+ It is believed that all R400 laptops are compatible. +

+ +

+ There are two possible flash chip sizes for the R400: 4MiB (32Mbit) or 8MiB (64Mbit). + This can be identified by the type of flash chip below the palmrest: 4MiB is SOIC-8, 8MiB + is SOIC-16. +

+ +

+ The R400 laptops come with the ME (and sometimes AMT in addition) before flashing libreboot. Libreboot disables and removes it + by using a modified descriptor: see gm45_remove_me.html (contains notes, plus + instructions) +

+ +

+ Flashing instructions can be found at ../install/index.html#flashrom +

+ +

+ Back to previous index. +

+ +

Compatibility (without blobs)

+ +

+ Usual limitations apply for native graphics initialization + (no VBT and/or INT10H and only GRUB works so no BIOS, so no DOS/Windows support + - who cares? There is no system but GNU, and Linux is one of it's kernels). +

+ +

+ When connecting the AC adapter while system is powered off, system will then power on. + This probably happens in coreboot aswell (with or without blobs). + It's a minor annoyance, but it should be fixed (if it's not already fixed by now). +

+ +

+ This method of disabling the ME leaves the flash descriptor and gbe in place (non-functional data, fully documented) + and disables the ME using soft straps. This means that the gigabit ethernet will still work (putting the machine in + non-descriptor mode would wipe it out). +

+ +

Hardware virtualization (vt-x)

+ The R400, when run without CPU microcode updates in coreboot, currently kernel panics + if running QEMU with vt-x enabled on 2 cores for the guest. With a single core enabled + for the guest, the guest panics (but the host is fine). Working around this in QEMU + might be possible; if not, software virtualization should work fine (it's just slower). +

+ The following errata datasheet from Intel might help with investigation: + http://download.intel.com/design/mobile/specupdt/320121.pdf +

+ +

+ + + diff --git a/docs/hcl/text/r400/r400_dmidecode.txt b/docs/hcl/text/r400/r400_dmidecode.txt deleted file mode 100644 index 0c0ca2a9..00000000 --- a/docs/hcl/text/r400/r400_dmidecode.txt +++ /dev/null @@ -1,628 +0,0 @@ -# dmidecode 2.11 -SMBIOS 2.4 present. -74 structures occupying 2511 bytes. -Table at 0x000E0010. - -Handle 0x0000, DMI type 0, 24 bytes -BIOS Information - Vendor: LENOVO - Version: 7UET48WW (1.18 ) - Release Date: 10/09/2008 - Address: 0xE0000 - Runtime Size: 128 kB - ROM Size: 8192 kB - Characteristics: - PCI is supported - PC Card (PCMCIA) is supported - PNP is supported - BIOS is upgradeable - BIOS shadowing is allowed - ESCD support is available - Boot from CD is supported - Selectable boot is supported - BIOS ROM is socketed - EDD is supported - ACPI is supported - USB legacy is supported - BIOS boot specification is supported - Targeted content distribution is supported - BIOS Revision: 1.24 - Firmware Revision: 1.1 - -Handle 0x0001, DMI type 1, 27 bytes -System Information - Manufacturer: LENOVO - Product Name: 7439W3Q - Version: ThinkPad R400 - Serial Number: L3ACC2H - UUID: 85D49681-4A1D-11CB-B11C-ACDC80D4983E - Wake-up Type: Power Switch - SKU Number: Not Specified - Family: ThinkPad R400 - -Handle 0x0002, DMI type 2, 8 bytes -Base Board Information - Manufacturer: LENOVO - Product Name: 7439W3Q - Version: Not Available - Serial Number: VF22T89V14J - -Handle 0x0003, DMI type 3, 13 bytes -Chassis Information - Manufacturer: LENOVO - Type: Notebook - Lock: Not Present - Version: Not Available - Serial Number: Not Available - Asset Tag: No Asset Information - Boot-up State: Unknown - Power Supply State: Unknown - Thermal State: Unknown - Security Status: Unknown - -Handle 0x0004, DMI type 126, 13 bytes -Inactive - -Handle 0x0005, DMI type 126, 13 bytes -Inactive - -Handle 0x0006, DMI type 4, 35 bytes -Processor Information - Socket Designation: None - Type: Central Processor - Family: Other - Manufacturer: GenuineIntel - ID: 76 06 01 00 FF FB EB BF - Signature: Type 0, Family 6, Model 23, Stepping 6 - Flags: - FPU (Floating-point unit on-chip) - VME (Virtual mode extension) - DE (Debugging extension) - PSE (Page size extension) - TSC (Time stamp counter) - MSR (Model specific registers) - PAE (Physical address extension) - MCE (Machine check exception) - CX8 (CMPXCHG8 instruction supported) - APIC (On-chip APIC hardware supported) - SEP (Fast system call) - MTRR (Memory type range registers) - PGE (Page global enable) - MCA (Machine check architecture) - CMOV (Conditional move instruction supported) - PAT (Page attribute table) - PSE-36 (36-bit page size extension) - CLFSH (CLFLUSH instruction supported) - DS (Debug store) - ACPI (ACPI supported) - MMX (MMX technology supported) - FXSR (FXSAVE and FXSTOR instructions supported) - SSE (Streaming SIMD extensions) - SSE2 (Streaming SIMD extensions 2) - SS (Self-snoop) - HTT (Multi-threading) - TM (Thermal monitor supported) - PBE (Pending break enabled) - Version: Intel(R) Core(TM)2 Duo CPU P8600 @ 2.40GHz - Voltage: 1.2 V - External Clock: 266 MHz - Max Speed: 2400 MHz - Current Speed: 2400 MHz - Status: Populated, Enabled - Upgrade: None - L1 Cache Handle: 0x000A - L2 Cache Handle: 0x000C - L3 Cache Handle: Not Provided - Serial Number: Not Specified - Asset Tag: Not Specified - Part Number: Not Specified - -Handle 0x0007, DMI type 5, 20 bytes -Memory Controller Information - Error Detecting Method: None - Error Correcting Capabilities: - None - Supported Interleave: One-way Interleave - Current Interleave: One-way Interleave - Maximum Memory Module Size: 4096 MB - Maximum Total Memory Size: 8192 MB - Supported Speeds: - Other - Supported Memory Types: - DIMM - SDRAM - Memory Module Voltage: 2.9 V - Associated Memory Slots: 2 - 0x0008 - 0x0009 - Enabled Error Correcting Capabilities: - Unknown - -Handle 0x0008, DMI type 6, 12 bytes -Memory Module Information - Socket Designation: DIMM Slot 1 - Bank Connections: 0 1 - Current Speed: 155 ns - Type: DIMM SDRAM - Installed Size: 4096 MB (Double-bank Connection) - Enabled Size: 4096 MB (Double-bank Connection) - Error Status: OK - -Handle 0x0009, DMI type 6, 12 bytes -Memory Module Information - Socket Designation: DIMM Slot 2 - Bank Connections: 2 3 - Current Speed: 155 ns - Type: DIMM SDRAM - Installed Size: 4096 MB (Double-bank Connection) - Enabled Size: 4096 MB (Double-bank Connection) - Error Status: OK - -Handle 0x000A, DMI type 7, 19 bytes -Cache Information - Socket Designation: Internal L1 Cache - Configuration: Enabled, Socketed, Level 1 - Operational Mode: Write Back - Location: Internal - Installed Size: 64 kB - Maximum Size: 64 kB - Supported SRAM Types: - Synchronous - Installed SRAM Type: Synchronous - Speed: Unknown - Error Correction Type: Single-bit ECC - System Type: Instruction - Associativity: 8-way Set-associative - -Handle 0x000B, DMI type 7, 19 bytes -Cache Information - Socket Designation: Internal L1 Cache - Configuration: Enabled, Socketed, Level 1 - Operational Mode: Write Back - Location: Internal - Installed Size: 64 kB - Maximum Size: 64 kB - Supported SRAM Types: - Synchronous - Installed SRAM Type: Synchronous - Speed: Unknown - Error Correction Type: Single-bit ECC - System Type: Data - Associativity: 8-way Set-associative - -Handle 0x000C, DMI type 7, 19 bytes -Cache Information - Socket Designation: Internal L2 Cache - Configuration: Enabled, Socketed, Level 2 - Operational Mode: Write Back - Location: Internal - Installed Size: 3072 kB - Maximum Size: 3072 kB - Supported SRAM Types: - Burst - Installed SRAM Type: Burst - Speed: Unknown - Error Correction Type: Single-bit ECC - System Type: Unified - Associativity: 8-way Set-associative - -Handle 0x000D, DMI type 8, 9 bytes -Port Connector Information - Internal Reference Designator: Not Available - Internal Connector Type: None - External Reference Designator: External Monitor - External Connector Type: DB-15 female - Port Type: Video Port - -Handle 0x000E, DMI type 8, 9 bytes -Port Connector Information - Internal Reference Designator: Not Available - Internal Connector Type: None - External Reference Designator: Microphone Jack - External Connector Type: Mini Jack (headphones) - Port Type: Audio Port - -Handle 0x000F, DMI type 8, 9 bytes -Port Connector Information - Internal Reference Designator: Not Available - Internal Connector Type: None - External Reference Designator: Headphone Jack - External Connector Type: Mini Jack (headphones) - Port Type: Audio Port - -Handle 0x0010, DMI type 126, 9 bytes -Inactive - -Handle 0x0011, DMI type 126, 9 bytes -Inactive - -Handle 0x0012, DMI type 8, 9 bytes -Port Connector Information - Internal Reference Designator: Not Available - Internal Connector Type: None - External Reference Designator: Modem - External Connector Type: RJ-11 - Port Type: Modem Port - -Handle 0x0013, DMI type 8, 9 bytes -Port Connector Information - Internal Reference Designator: Not Available - Internal Connector Type: None - External Reference Designator: Ethernet - External Connector Type: RJ-45 - Port Type: Network Port - -Handle 0x0014, DMI type 8, 9 bytes -Port Connector Information - Internal Reference Designator: Not Available - Internal Connector Type: None - External Reference Designator: USB 1 - External Connector Type: Access Bus (USB) - Port Type: USB - -Handle 0x0015, DMI type 8, 9 bytes -Port Connector Information - Internal Reference Designator: Not Available - Internal Connector Type: None - External Reference Designator: USB 2 - External Connector Type: Access Bus (USB) - Port Type: USB - -Handle 0x0016, DMI type 8, 9 bytes -Port Connector Information - Internal Reference Designator: Not Available - Internal Connector Type: None - External Reference Designator: USB 3 - External Connector Type: Access Bus (USB) - Port Type: USB - -Handle 0x0017, DMI type 126, 9 bytes -Inactive - -Handle 0x0018, DMI type 126, 9 bytes -Inactive - -Handle 0x0019, DMI type 126, 9 bytes -Inactive - -Handle 0x001A, DMI type 126, 9 bytes -Inactive - -Handle 0x001B, DMI type 126, 9 bytes -Inactive - -Handle 0x001C, DMI type 126, 9 bytes -Inactive - -Handle 0x001D, DMI type 126, 9 bytes -Inactive - -Handle 0x001E, DMI type 126, 9 bytes -Inactive - -Handle 0x001F, DMI type 8, 9 bytes -Port Connector Information - Internal Reference Designator: Not Available - Internal Connector Type: None - External Reference Designator: IEEE1394 - External Connector Type: IEEE 1394 - Port Type: Firewire (IEEE P1394) - -Handle 0x0020, DMI type 9, 13 bytes -System Slot Information - Designation: ExpressCard Slot 1 - Type: x1 PCI Express - Current Usage: Available - Length: Other - ID: 0 - Characteristics: - Hot-plug devices are supported - -Handle 0x0021, DMI type 9, 13 bytes -System Slot Information - Designation: CardBus Slot 1 - Type: 32-bit PC Card (PCMCIA) - Current Usage: Available - Length: Other - ID: Adapter 1, Socket 0 - Characteristics: - 5.0 V is provided - 3.3 V is provided - PC Card-16 is supported - Cardbus is supported - Zoom Video is supported - Modem ring resume is supported - PME signal is supported - Hot-plug devices are supported - -Handle 0x0022, DMI type 126, 13 bytes -Inactive - -Handle 0x0023, DMI type 126, 13 bytes -Inactive - -Handle 0x0024, DMI type 9, 13 bytes -System Slot Information - Designation: Media Card Slot 1 - Type: Other - Current Usage: Available - Length: Other - Characteristics: - Hot-plug devices are supported - -Handle 0x0025, DMI type 126, 13 bytes -Inactive - -Handle 0x0026, DMI type 126, 13 bytes -Inactive - -Handle 0x0027, DMI type 10, 6 bytes -On Board Device Information - Type: Other - Status: Enabled - Description: IBM Embedded Security hardware - -Handle 0x0028, DMI type 11, 5 bytes -OEM Strings - String 1: IBM ThinkPad Embedded Controller -[7VHT12WW-1.01 ]- - -Handle 0x0029, DMI type 13, 22 bytes -BIOS Language Information - Language Description Format: Abbreviated - Installable Languages: 1 - enUS - Currently Installed Language: enUS - -Handle 0x002A, DMI type 15, 25 bytes -System Event Log - Area Length: 0 bytes - Header Start Offset: 0x0000 - Header Length: 16 bytes - Data Start Offset: 0x0010 - Access Method: General-purpose non-volatile data functions - Access Address: 0x0000 - Status: Valid, Not Full - Change Token: 0x00000070 - Header Format: Type 1 - Supported Log Type Descriptors: 1 - Descriptor 1: POST error - Data Format 1: POST results bitmap - -Handle 0x002B, DMI type 16, 15 bytes -Physical Memory Array - Location: System Board Or Motherboard - Use: System Memory - Error Correction Type: None - Maximum Capacity: 4 GB - Error Information Handle: Not Provided - Number Of Devices: 2 - -Handle 0x002C, DMI type 17, 27 bytes -Memory Device - Array Handle: 0x002B - Error Information Handle: No Error - Total Width: 64 bits - Data Width: 64 bits - Size: 4096 MB - Form Factor: SODIMM - Set: None - Locator: DIMM 1 - Bank Locator: Bank 0/1 - Type: DDR2 - Type Detail: Synchronous - Speed: 667 MHz - Manufacturer: Not Specified - Serial Number: Not Specified - Asset Tag: Not Specified - Part Number: Not Specified - -Handle 0x002D, DMI type 17, 27 bytes -Memory Device - Array Handle: 0x002B - Error Information Handle: No Error - Total Width: 64 bits - Data Width: 64 bits - Size: 4096 MB - Form Factor: SODIMM - Set: None - Locator: DIMM 2 - Bank Locator: Bank 2/3 - Type: DDR2 - Type Detail: Synchronous - Speed: 667 MHz - Manufacturer: Not Specified - Serial Number: Not Specified - Asset Tag: Not Specified - Part Number: Not Specified - -Handle 0x002E, DMI type 18, 23 bytes -32-bit Memory Error Information - Type: OK - Granularity: Unknown - Operation: Unknown - Vendor Syndrome: Unknown - Memory Array Address: Unknown - Device Address: Unknown - Resolution: Unknown - -Handle 0x002F, DMI type 19, 15 bytes -Memory Array Mapped Address - Starting Address: 0x00000000000 - Ending Address: 0x001FFFFFFFF - Range Size: 8 GB - Physical Array Handle: 0x002B - Partition Width: 2 - -Handle 0x0030, DMI type 20, 19 bytes -Memory Device Mapped Address - Starting Address: 0x00000000000 - Ending Address: 0x000FFFFFFFF - Range Size: 4 GB - Physical Device Handle: 0x002C - Memory Array Mapped Address Handle: 0x002F - Partition Row Position: 1 - -Handle 0x0031, DMI type 20, 19 bytes -Memory Device Mapped Address - Starting Address: 0x00100000000 - Ending Address: 0x001FFFFFFFF - Range Size: 4 GB - Physical Device Handle: 0x002D - Memory Array Mapped Address Handle: 0x002F - Partition Row Position: 1 - -Handle 0x0032, DMI type 21, 7 bytes -Built-in Pointing Device - Type: Track Point - Interface: PS/2 - Buttons: 3 - -Handle 0x0033, DMI type 21, 7 bytes -Built-in Pointing Device - Type: Touch Pad - Interface: PS/2 - Buttons: 0 - -Handle 0x0034, DMI type 22, 26 bytes -Portable Battery - Location: Rear - Manufacturer: Panasonic - Name: 42T4532 - Design Capacity: 84240 mWh - Design Voltage: 10800 mV - SBDS Version: 03.01 - Maximum Error: Unknown - SBDS Serial Number: 02C2 - SBDS Manufacture Date: 2008-10-15 - SBDS Chemistry: LION - OEM-specific Information: 0x00000000 - -Handle 0x0035, DMI type 126, 26 bytes -Inactive - -Handle 0x0036, DMI type 24, 5 bytes -Hardware Security - Power-On Password Status: Enabled - Keyboard Password Status: Disabled - Administrator Password Status: Enabled - Front Panel Reset Status: Unknown - -Handle 0x0037, DMI type 32, 11 bytes -System Boot Information - Status: No errors detected - -Handle 0x0038, DMI type 131, 17 bytes -OEM-specific Type - Header and Data: - 83 11 38 00 01 02 03 FF FF 1F 00 00 00 00 00 02 - 00 - Strings: - BOOTINF 20h - BOOTDEV 21h - KEYPTRS 23h - -Handle 0x0039, DMI type 131, 22 bytes -OEM-specific Type - Header and Data: - 83 16 39 00 01 00 00 00 00 00 00 00 00 00 00 00 - 00 00 00 00 00 01 - Strings: - TVT-Enablement - -Handle 0x003A, DMI type 132, 7 bytes -OEM-specific Type - Header and Data: - 84 07 3A 00 02 DA 36 - -Handle 0x003B, DMI type 133, 5 bytes -OEM-specific Type - Header and Data: - 85 05 3B 00 01 - Strings: - KHOIHGIUCCHHII - -Handle 0x003C, DMI type 134, 13 bytes -OEM-specific Type - Header and Data: - 86 0D 3C 00 04 11 08 20 00 00 00 00 00 - -Handle 0x003D, DMI type 134, 16 bytes -OEM-specific Type - Header and Data: - 86 10 3D 00 00 49 4E 54 43 01 01 00 00 03 01 02 - Strings: - TPM INFO - System Reserved - -Handle 0x003E, DMI type 135, 13 bytes -OEM-specific Type - Header and Data: - 87 0D 3E 00 54 50 07 00 01 00 00 00 00 - -Handle 0x003F, DMI type 135, 18 bytes -OEM-specific Type - Header and Data: - 87 12 3F 00 54 50 07 01 01 B8 00 00 00 00 00 00 - 00 00 - -Handle 0x0040, DMI type 135, 35 bytes -OEM-specific Type - Header and Data: - 87 23 40 00 54 50 07 02 42 41 59 20 49 2F 4F 20 - 01 00 02 00 00 0B 00 48 1C 3E 18 02 00 0B 00 40 - 1C 3A 18 - -Handle 0x0041, DMI type 135, 34 bytes -OEM-specific Type - Header and Data: - 87 22 41 00 54 50 07 04 01 06 01 01 02 00 02 01 - 02 00 03 01 02 00 04 01 02 00 05 01 02 00 06 01 - 02 00 - -Handle 0x0042, DMI type 136, 6 bytes -OEM-specific Type - Header and Data: - 88 06 42 00 5A 5A - -Handle 0x0043, DMI type 126, 28 bytes -Inactive - -Handle 0x0044, DMI type 138, 40 bytes -OEM-specific Type - Header and Data: - 8A 28 44 00 14 01 02 01 40 02 01 40 02 01 40 02 - 01 40 01 40 42 49 4F 53 20 50 61 73 73 77 6F 72 - 64 20 46 6F 72 6D 61 74 - -Handle 0x0045, DMI type 139, 37 bytes -OEM-specific Type - Header and Data: - 8B 25 45 00 11 01 0A 00 00 00 00 00 00 00 00 00 - 00 50 57 4D 53 20 4B 65 79 20 49 6E 66 6F 72 6D - 61 74 69 6F 6E - -Handle 0x0046, DMI type 129, 8 bytes -OEM-specific Type - Header and Data: - 81 08 46 00 01 01 02 00 - Strings: - Intel_ASF - Intel_ASF_001 - -Handle 0x0047, DMI type 130, 20 bytes -OEM-specific Type - Header and Data: - 82 14 47 00 24 41 4D 54 01 00 00 00 00 00 00 00 - 00 00 00 00 - -Handle 0x0048, DMI type 131, 64 bytes -OEM-specific Type - Header and Data: - 83 40 48 00 3C 00 00 00 00 00 40 2A 0A 00 00 00 - F8 00 17 29 00 00 00 00 0F 00 00 00 00 00 04 00 - 64 04 03 00 03 00 01 15 C8 00 F5 10 00 00 00 00 - 00 00 00 00 07 00 00 00 76 50 72 6F 00 00 00 00 - -Handle 0x0049, DMI type 127, 4 bytes -End Of Table - diff --git a/docs/hcl/x200.html b/docs/hcl/x200.html index 0435efce..da35a1ec 100644 --- a/docs/hcl/x200.html +++ b/docs/hcl/x200.html @@ -34,7 +34,7 @@

The X200 laptops come with the ME (and sometimes AMT in addition) before flashing libreboot. Libreboot disables and removes it - by using a modified descriptor: see x200_remove_me.html (contains notes, plus + by using a modified descriptor: see gm45_remove_me.html (contains notes, plus instructions)

@@ -287,7 +287,7 @@

New targets

- ThinkPad R400/R500/T400/T400S/T500/W500. These all use either the GM45 or GS45 + ThinkPad R500/T400/T400S/T500/W500. These all use either the GM45 or GS45 chipset, and should be easy-ish to port to coreboot (based on the X200 port and the GM45 code), then adapted for use in libreboot.

@@ -298,12 +298,6 @@ of Intel.

- For example, the R400 currently has issues with raminit (not yet ported to coreboot) - where it's DDR3 memory reported as DDR2, as shown in - text/r400/r400_dmidecode.txt -

diff --git a/docs/hcl/x200_remove_me.html b/docs/hcl/x200_remove_me.html deleted file mode 100644 index ae0a83f7..00000000 --- a/docs/hcl/x200_remove_me.html +++ /dev/null @@ -1,525 +0,0 @@ - - - - - - - - - ThinkPad X200: remove the ME (manageability engine) - - - - -

- -

ThinkPad X200: remove the ME (manageability engine)

- This sections relates to disabling and removing the ME (Intel Management Engine) - on the ThinkPad X200. -

- The ME is a blob that typically must be left inside the flash chip (in the ME region, as outlined - by the default descriptor). On the X200, it is possible to remove it without any ill effects. All - other parts of coreboot on the X200 can be blob-free, so removing the ME was the last obstacle to - get X200 support in libreboot (the machine can also work without the microcode blobs). -

- The ME is removed and disabled in libreboot by modifying the descriptor. More info about - this can be found in the ich9deblob/ich9gen source code in resources/utilities/ich9deblob/ - in libreboot, or more generally on this page. -

- Back to main X200 compatibility page (x200.html). -

- -

ICH9 gen utility

- -

- This is no longer strictly necessary. Libreboot ROM images for X200 now - contain the 12KiB descriptor+gbe generated from ich9gen, by default. -

- -

- It is no longer necessary to use ich9deblob to generate - a deblobbed descriptor+gbe image for the X200. ich9gen is a small utility within - ich9deblob that can generate them from scratch, without a factory.bin dump. -

- -

- Run:
- $ ./ich9gen -

- -

- It is also possible to generate a descriptor+gbe image with your own MAC address - inside (with the Gbe checksum updated to match). Run:
- $ ./ich9gen --macaddress XX:XX:XX:XX:XX:XX
- (replace the XX chars with the hexadecimal chars in the MAC address that you want) -

- -

- You can find out your MAC address from ip addr or ifconfig in GNU/Linux. - Alternatively, if you are running libreboot already (with the correct MAC address in your - ROM), dump it (flashrom -r) and read the first 6 bytes from position 0x1000 (or 0x2000) in a hex editor - (or, rename it to factory.rom and run it in ich9deblob: in the newly created mkgbe.c - will be the individual bytes of your MAC address). If you are currently running the stock firmware - and haven't installed libreboot yet, you can also run that through ich9deblob to get the mac address. -

- -

- An even simpler way to get the MAC address would be to read what's on the little sticker on - the underside. (on the X200, this would be near the VGA port). -

- -

- A bash script is also included in libreboot which will change the mac address (using ich9gen) - on all X200 ROM images. For instance:
- $ ./ich9macchange XX:XX:XX:XX:XX:XX -

- -

- Two new files will be created: -

ich9fdgbe_4m.bin: this is for X200 laptops with the 4MB flash chip.
ich9fdgbe_8m.bin: this is for X200 laptops with the 8MB flash chip.

- -

- ich9gen executables can be found under ./ich9deblob/ statically compiled in - libreboot_bin. If you are using src or git, build ich9gen from source with:
- $ ./builddeps-ich9deblob
- The executable will appear under resources/utilities/ich9deblob/ -

- -

- Assuming that your X200 libreboot image is named libreboot.rom, copy - the file to where libreboot.rom is located - and then run, for instance:
- $ dd if=ich9fdgbe_8m.bin of=libreboot.rom bs=1 count=12k conv=notrunc
- or:
- $ dd if=ich9fdgbe_4m.bin of=libreboot.rom bs=1 count=12k conv=notrunc -

- -

- Your X200 libreboot.rom image is now ready to be flashed on the machine. Refer back to - ../install/index.html#flashrom - for how to flash it. -

- -

ICH9 deblob utility

- -

- This is no longer strictly necessary. Libreboot ROM images for X200 now - contain the 12KiB descriptor+gbe generated from ich9gen, by default. -

- -

- This was the tool originally used to disable the ME on X200. ich9gen now supersedes it; - ich9gen is better because it does not rely on dumping the factory.rom image (whereas, ich9deblob does). -

- -

- This is what you will use to generate the deblobbed descriptor+gbe regions for your libreboot ROM image. -

- If you are working with libreboot_src (or git), you can find the source under resources/utilities/ich9deblob/ - and will already be compiled if you ran ./builddeps or ./builddeps-ich9deblob from the main directory (./), - otherwise you can build it like so:
- $ ./builddeps-ich9deblob
- An executable file named ich9deblob will now appear under resources/utilities/ich9deblob/ -

- If you are working with libreboot_bin release archive, you can find the utility included, statically compiled - (for i686 and x86_64 on GNU/Linux) under ./ich9deblob/. -

- -

- Place the factory.rom from your X200 - (can be obtained using the guide at ../install/x200_external.html) in - the directory where you have your ich9deblob executable, then run the tool:
- $ ./ich9deblob -

- A 12kiB file named deblobbed_descriptor.bin will now appear. Keep this and the factory.rom stored in a safe location! - The first 4KiB contains the descriptor data region for your machine, and the next 8KiB contains the gbe region (config data for your - gigabit NIC). These 2 regions could actually be separate files, but they are joined into 1 file in this case. -

- -

- Assuming that your X200 libreboot image is named libreboot.rom, copy - the deblobbed_descriptor.bin file to where libreboot.rom is located - and then run:
- $ dd if=deblobbed_descriptor.bin of=libreboot.rom bs=1 count=12k conv=notrunc -

- -

- The utility will also generate 4 additional files: -

mkdescriptor.c
mkdescriptor.h
mkgbe.c
mkgbe.h

- These are C source files that can re-generate the very same Gbe and Descriptor structs - (from ich9deblob/ich9gen). To use these, place them in src/ich9gen/ in ich9deblob, then re-build. - The newly built ich9gen executable will be able to re-create the very same 12KiB file from scratch, - based on the C structs, this time without the need for a factory.rom dump! -

- -

- You should now have a libreboot.rom image containing the correct 4K descriptor and 8K gbe regions, which - will then be safe to flash. Refer back to ../install/index.html#flashrom - for how to flash it. -

- -

- The sections below are adapted from (mostly) IRC logs related to early development getting the ME removed on the X200. - They are useful for background information. This could not have been done without sgsit's help. -

- -

Early notes

- -

- http://www.intel.co.uk/content/dam/doc/datasheet/io-controller-hub-10-family-datasheet.pdf - page 230 mentions about descriptor and non-descriptor mode (which wipes out gbe and ME/AMT). -
- ~~See reference to HDA_SDO (disable descriptor security)~~ - strap connected GPIO33 pin is it on ICH9-M (X200). HDA_SDO applies to later chipsets (series 6 or higher). - Disabling descriptor security also disables the ethernet according to sgsit. sgsit's method - involves use of 'soft straps' (see IRC logs below) instead of disabling the descriptor. -
- and the location of GPIO33 on the x200s: (was an external link. Putting it here instead) - images/x200/gpio33_location.jpg - - it's above the number 7 on TP37 (which is above the big intel chip at the bottom) -
- The ME datasheet may not be for the mobile chipsets but it doesn't vary that much. - This one gives some detail and covers QM67 which is what the X201 uses: - http://www.intel.co.uk/content/dam/www/public/us/en/documents/datasheets/6-chipset-c200-chipset-datasheet.pdf -

- -

Flash chips

- -

- Schematics for X200 laptop: http://pdf.datasheetarchive.com/indexerfiles/Datasheets-USER/DSAUPLD00006075.pdf - ~~- Page 20 and page 9 refer to SDA_HDO or SDA_HDOUT~~ only on series 6 or higher chipsets. ICH9-M (X200) does it with a strap connected to GPIO33 pin (see IRC notes below)
- - According to page 29, the X200 can have any of the following flash chips: -
- ATMEL AT26DF321-SU 72.26321.A01 - this is a 32Mb (4MiB) chip
- MXIC (Macronix?) MX25L3205DM2I-12G 72.25325.A01 - another 32Mb (4MiB) chip
- MXIC (Macronix?) MX25L6405DMI-12G 41R0820AA - this is a 64Mb (8MiB) chip
- Winbond W25X64VSFIG 41R0820BA - another 64Mb (8MiB) chip
- sgsit says that the X200s with the 64Mb flash chips are (probably) the ones with AMT (alongside the ME), whereas - the 32Mb chips contain only the ME. -
- Schematics for X200s laptop: http://pdf.datasheetarchive.com/indexerfiles/Datasheets-USER/DSAUPLD00006104.pdf. -

- -

Early development notes

- -

-
-Start (hex)	End (hex)	Length (hex)	Area Name
------------	---------	------------	---------
-00000000	003FFFFF	00400000	Flash Image
-
-00000000	00000FFF	00001000	Descriptor Region
-00000004	0000000F	0000000C		Descriptor Map
-00000010	0000001B	0000000C		Component Section
-00000040	0000004F	00000010		Region Section
-00000060	0000006B	0000000C		Master Access Section
-00000060	00000063	00000004			CPU/BIOS
-00000064	00000067	00000004			Manageability Engine (ME)
-00000068	0000006B	00000004			GbE LAN
-00000100	00000103	00000004		ICH Strap 0
-00000104	00000107	00000004		ICH Strap 1
-00000200	00000203	00000004		MCH Strap 0
-00000EFC	00000EFF	00000004		Descriptor Map 2
-00000ED0	00000EF7	00000028		ME VSCC Table
-00000ED0	00000ED7	00000008			Flash device 1
-00000ED8	00000EDF	00000008			Flash device 2
-00000EE0	00000EE7	00000008			Flash device 3
-00000EE8	00000EEF	00000008			Flash device 4
-00000EF0	00000EF7	00000008			Flash device 5
-00000F00	00000FFF	00000100		OEM Section
-00001000	001F5FFF	001F5000	ME Region
-001F6000	001F7FFF	00002000	GbE Region
-001F8000	001FFFFF	00008000	PDR Region
-00200000	003FFFFF	00200000	BIOS Region
-
-Start (hex)	End (hex)	Length (hex)	Area Name
------------	---------	------------	---------
-00000000	003FFFFF	00400000	Flash Image
-
-00000000	00000FFF	00001000	Descriptor Region
-00000004	0000000F	0000000C		Descriptor Map
-00000010	0000001B	0000000C		Component Section
-00000040	0000004F	00000010		Region Section
-00000060	0000006B	0000000C		Master Access Section
-00000060	00000063	00000004			CPU/BIOS
-00000064	00000067	00000004			Manageability Engine (ME)
-00000068	0000006B	00000004			GbE LAN
-00000100	00000103	00000004		ICH Strap 0
-00000104	00000107	00000004		ICH Strap 1
-00000200	00000203	00000004		MCH Strap 0
-00000ED0	00000EF7	00000028		ME VSCC Table
-00000ED0	00000ED7	00000008			Flash device 1
-00000ED8	00000EDF	00000008			Flash device 2
-00000EE0	00000EE7	00000008			Flash device 3
-00000EE8	00000EEF	00000008			Flash device 4
-00000EF0	00000EF7	00000008			Flash device 5
-00000EFC	00000EFF	00000004		Descriptor Map 2
-00000F00	00000FFF	00000100		OEM Section
-00001000	00002FFF	00002000	GbE Region
-00003000	00202FFF	00200000	BIOS Region
-
-Build Settings
---------------
-Flash Erase Size = 0x1000
-
-
-

- -

- It's a utility called 'Flash Image Tool' for ME 4.x that was used for this. You drag a complete - image into in and the utility decomposes the various components, allowing you to set soft straps. -

- This tool is proprietary, for Windows only, but was used to deblob the X200. End justified means, and - the utility is no longer needed since the ich9deblob utility (documented on this page) can now be - used to create deblobbed descriptors. -

- -

- GBE (gigabit ethernet) region in SPI flash -

- -

- Of the 8K, about 95% is 0xFF. - The data is the gbe region is fully documented in this public datasheet: - http://www.intel.co.uk/content/dam/doc/application-note/i-o-controller-hub-9m-82567lf-lm-v-nvm-map-appl-note.pdf -

- -

- The only actual content found was: -

- -

-
-00  1F  1F  1F  1F  1F  00  08  FF  FF  83  10  FF  FF  FF  FF  
-08  10  FF  FF  C3  10  EE  20  AA  17  F5  10  86  80  00  00  
-01  0D  00  00  00  00  05  06  20  30  00  0A  00  00  8B  8D  
-02  06  40  2B  43  00  00  00  F5  10  AD  BA  F5  10  BF  10  
-AD  BA  CB  10  AD  BA  AD  BA  00  00  00  00  00  00  00  00  
-00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  
-00  01  00  40  28  12  07  40  FF  FF  FF  FF  FF  FF  FF  FF  
-FF  FF  FF  FF  FF  FF  FF  FF  FF  FF  FF  FF  FF  FF  D9  F0  
-20  60  1F  00  02  00  13  00  00  80  1D  00  FF  00  16  00  
-DD  CC  18  00  11  20  17  00  DD  DD  18  00  12  20  17  00  
-00  80  1D  00  00  00  1F  
-
-

- -

- The first part is the MAC address set to all 0x1F. It's repeated haly way through - the 8K area, and the rest is all 0xFF. This is all documented in the datasheet. -

- -

- The GBe region starts at 0x20A000 bytes from the *end* of a factory image and is 0x2000 bytes long. - In libreboot (deblobbed) the descriptor is set to put gbe directly after the initial 4K flash descriptor. - So the first 4K of the ROM is the descriptor, and then the next 8K is the gbe region. -

- -

GBE region: change MAC address

- -

- According to the datasheet, it's supposed to add up to 0xBABA but can actually be others on the X200. - https://communities.intel.com/community/wired/blog/2010/10/14/how-to-basic-eeprom-checksums -

- "One of those engineers loves classic rock music, so he selected 0xBABA" -

In honour of the song Baba O'Reilly by The Who apparently. We're not making this stuff up...

- -

- 0x3ABA, 0x34BA, 0x40BA and more have been observed in the main Gbe regions on the X200 factory.rom dumps. - The checksums of the backup regions match BABA, however. -

- -

- By default, the X200 (as shipped by Lenovo) actually has an invalid main gbe checksum. The backup gbe region is correct, - and is what these machines default to. Basically, you should do what you need on the *backup* gbe region, and - then correct the main one by copying from the backup. -

- -

- Look at resources/utilities/ich9deblob/ich9deblob.c. -

Add the first 0x3F 16bit numbers (unsigned) of the GBe descriptor together (this includes the checksum value) - and that has to add up to 0xBABA. In other words, the checksum is 0xBABA minus the total of the first - 0x3E 16bit numbers (unsigned), ignoring any overflow.

- -

Flash descriptor region

- -

- http://www.intel.co.uk/content/dam/doc/datasheet/io-controller-hub-9-datasheet.pdf - from page 850 onwards. This explains everything that is in the flash descriptor, which can be used to understand what libreboot - is doing about modifying it. -

- -

- How to deblob: -

patch the number of regions present in the descriptor from 5 - 3
originally descriptor + bios + me + gbe + platform
modified = descriptor + bios + gbe
the next stage is to patch the part of the descriptor which defines the start and end point of each section
then cut out the gbe region and insert it just after the region
all this can be substantiated with public docs (ICH9 datasheet)
the final part is flipping 2 bits. Halting the ME via 1 MCH soft strap and 1 ICH soft strap
the part of the descriptor described there gives the base address and length of each region (bits 12:24 of each address)
to disable a region, you set the base address to 0xFFF and the length to 0
and you change the number of regions from 4 (zero based) to 2

- -

- There's an interesting parameter called 'ME Alternate disable', which allows the ME to only handle hardware errata in the southbridge, - but disables any other functionality. This is similar to the 'ignition' in the 5 series and higher but using the standard firmware - instead of a small 128K version. Useless for libreboot, though. -

- -

- To deblob the x200, you chop out the platform and ME regions and correct the addresses in flReg1-4. - Then you set meDisable to 1 in ICHSTRAP0 and MCHSTRAP0. -

- -

How to patch the descriptor from the factory.rom dump

map the first 4k into the struct (minus the gbe region)
set NR in FLMAP0 to 2 (from 4)
adjust BASE and LIMIT in flReg1,2,3,4 to reflect the new location of each region (or remove them in the case of Platform and ME)
set meDisable to 1/true in ICHSTRAP0 and MCHSTRAP0
extract the 8k GBe region and append that to the end of the 4k descriptor
output the 12k concatenated chunk
Then it can be dd'd into the first 12K part of a coreboot image.
the GBe region always starts 0x20A000 bytes from the end of the ROM

- -

- This means that libreboot's descriptor region will simply define the following regions: -

descriptor (4K)
gbe (8K)
bios (rest of flash chip. CBFS also set to occupy this whole size)

- -

- The data in the descriptor region is little endian, and it represents bits 24:12 of the address - (bits 12-24, written this way since bit 24 is nearer to left than bit 12 in the binary representation). -

- So, x << 12 = address -

- If it's in descriptor mode, then the first 4 bytes will be 5A A5 F0 0F. -

- -

- - -

- -

platform data partition in boot flash (factory.rom / lenovo bios)

- -

- Basically useless for libreboot, since it appears to be a blob. - Removing it didn't cause any issues in libreboot. -

- This is a 32K region from the factory image. It could be data - (non-functional) that the original Lenovo BIOS used, but we don't know. -

- -

- It has only a 448 byte fragment different from 0x00 or 0xFF. -

- -

- Copyright © 2014, 2015 Francis Rowe <info@gluglug.org.uk>
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at ../license.txt. -

- -

- This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../../license.txt for more information. -

- -

- - - diff --git a/docs/install/images/r400/r400_pomona.jpg b/docs/install/images/r400/r400_pomona.jpg new file mode 100644 index 00000000..32f3411b Binary files /dev/null and b/docs/install/images/r400/r400_pomona.jpg differ diff --git a/docs/install/index.html b/docs/install/index.html index 97462fd3..b5449093 100644 --- a/docs/install/index.html +++ b/docs/install/index.html @@ -38,7 +38,7 @@

Recommended ROMs to flash

X60/X60S/X60T/T60: How to flash your ROM (if running Lenovo BIOS firmware)

macbook21: How to flash your ROM (if running Apple EFI firmware)

X60/X60S/X60T/T60/X200/macbook21: How to flash your ROM (if running libreboot or coreboot already)

X60/X60S/X60T/T60/X200/R400/macbook21: How to flash your ROM (if running libreboot or coreboot already)

Installing libreboot (hardware)

@@ -47,6 +47,7 @@

ThinkPad X60 Tablet: How to unbrick

ThinkPad T60: How to unbrick

ThinkPad X200: How to unbrick (also the initial installation guide for this machine)

ThinkPad R400: How to unbrick (also the initial installation guide for this machine)

X60/X60S/X60T/T60/X200/macbook21: How to flash the ROMs onto your machine (if running libreboot or coreboot already)

X60/X60S/X60T/T60/X200/R400/macbook21: How to flash the ROMs onto your machine (if running libreboot or coreboot already)

@@ -351,6 +353,11 @@ If you have Lenovo BIOS running (X200), go to x200_external.html instead.

+ + If you have Lenovo BIOS running (R400), go to r400_external.html instead. + +

If you have Apple EFI firmware running (macbook21), go to #flashrom_macbook21 instead. @@ -363,16 +370,17 @@

- If you have an X200 with libreboot or coreboot already running, note that + If you have an X200 or R400 with libreboot or coreboot already running, note that the Gbe in the boot flash contains your MAC address. You will need to change the default MAC address inside the ROM images before flashing a new libreboot image. See - ich9gen for details. + ich9gen for details. - Another important note about the X200: even if you do already have libreboot or coreboot, + Another important note about the X200/R400: even if you do already have libreboot or coreboot, it is possible for the user to write-protect regions in the flash chip, by modifying the flash descriptor. If you have locked regions, you will need an external flasher - (see x200_external.html) to re-flash those regions. By default, - the X200 ROM images in libreboot contain a descriptor+gbe with all regions unlocked. + (see x200_external.html or x200_external.html) + to re-flash those regions. By default, + the X200 and R400 ROM images in libreboot contain a descriptor+gbe with all regions unlocked.

diff --git a/docs/install/r400_external.html b/docs/install/r400_external.html new file mode 100644 index 00000000..ad6e4bd7 --- /dev/null +++ b/docs/install/r400_external.html @@ -0,0 +1,202 @@ + + + + + + + + + ThinkPad R400: flashing tutorial (BeagleBone Black) + + + + +
+
Flashing the R400 with a BeagleBone Black
+
Initial flashing instructions for X200.
+
+ This guide is for those who want libreboot on their ThinkPad R400 + while they still have the original Lenovo BIOS present. This guide + can also be followed (adapted) if you brick your R400, to know how + to recover. +
+
+ Before following this section, please make sure to setup your libreboot ROM properly first. + Although ROM images are provided pre-built in libreboot, there are some modifications that + you need to make to the one you chose before flashing. (instructions referenced later in + this guide) +
+ +
Back to main index
+
+ +
+ +
Flash chips
+ +
+ There are two possible flash chip sizes for the R400: 4MiB + (32Mbit) or 8MiB (64Mbit). This can be identified by the type + of flash chip below the palmrest: 4MiB is SOIC-8 (8 pins), 8MiB + is SOIC-16 (16 pins). The X200S uses a WSON package and has the same + pinout as SOIC-8 (covered briefly later on in this guide) but + the chip is on the underside of the board (disassembly required). +
+ +
+ Back to top of page. +
+ +
+ +
+ +
Initial BBB setup
+ +
+ Refer to bbb_setup.html for how to + setup the BBB for flashing. +
+ +
+ The following shows how to connect clip to the BBB (on the P9 header), for SOIC-16 (clip: Pomona 5252): +
+
+POMONA 5252 (correlate with the BBB guide) +=== ethernet jack and VGA port ==== + NC - - 21 + 1 - - 17 + NC - - NC + NC - - NC + NC - - NC + NC - - NC + 18 - - 3.3V PSU RED + 22 - - NC - this is pin 1 on the flash chip +=== SATA port === +This is how you will connect. Numbers refer to pin numbers on the BBB, on the plugs near the DC jack. +
+
+ The following shows how to connect clip to the BBB (on the P9 header), for SOIC-8 (clip: Pomona 5250): +
+
+POMONA 5250 (correlate with the BBB guide) +=== RAM slots ==== + 18 - - 1 + 22 - - NC + NC - - 21 + 3.3V PSU RED - - 17 - this is pin 1 on the flash chip. in front of it is the screen. +=== slot where the AC jack is connected === +
+ +
+ Connect Pomona 5252/5250 to the R400 flash chip, and dump/flash +
+
+ images/r400/r400_pomona.jpg + shows everything connected. In this picture, the R400 is being flashed + with the BBB. +
+
+ No disassembly instructions yet, unfortunately. Check videos online or + look at the Hardware Maintenance Manual from Lenovo for this machine. + You will need to completely disassemble the machine, removing the motherboard + from its metal shell. + Connect your 5252/5250 (make sure to get it the right way round). + Then connect the 3.3v PSU wire (red one) and make sure that everything else is connected. +
+
+ I did (SSH'd into the BBB):
+ # ./flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=512
+ In my case, the output was: +
+
+flashrom v0.9.7-r1854 on Linux 3.8.13-bone47 (armv7l) +flashrom is free software, get the source code at http://www.flashrom.org +Calibrating delay loop... OK. +Found Macronix flash chip "MX25L6405(D)" (8192 kB, SPI) on linux_spi. +Found Macronix flash chip "MX25L6406E/MX25L6436E" (8192 kB, SPI) on linux_spi. +Found Macronix flash chip "MX25L6445E/MX25L6473E" (8192 kB, SPI) on linux_spi. +Multiple flash chip definitions match the detected chip(s): "MX25L6405(D)", "MX25L6406E/MX25L6436E", "MX25L6445E/MX25L6473E" +Please specify which chip definition to use with the -c <chipname> option. +
+
+ This is just to test that it's working. In my case, I had to define which chip to use, like so (in your case + it may be different, depending on what flash chip you have):
+ # ./flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=512 -c "MX25L6405(D)" +
+
+ At this point, you need to create a copy of the original lenovo firmware that is currently flashed. + This is so that you can extract the gbe (gigabit ethernet) and flash descriptor regions for use in libreboot. These + are not blobs, they only contain non-functional data (configuration details, fully readable) which is fully documented in public datasheets. + The descriptor will need to be modified + to disable the ME (also disable AMT) so that you can flash a ROM that excludes it. +
+
+ How to backup factory.rom (change the -c option as neeed, for your flash chip):
+ # ./flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=512 -c "MX25L6405(D)" -r factory.rom
+ # ./flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=512 -c "MX25L6405(D)" -r factory1.rom
+ # ./flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=512 -c "MX25L6405(D)" -r factory2.rom
+ Now compare the 3 images:
+ # sha512sum factory*.rom
+ If the hashes match, then just copy one of them (the factory.rom) to a safe place (on a drive connected to another machine, not + the BBB). You will need it later for part of the deblobbing. +
+
+ Information about the descriptor, gbe regions and how the ME was removed can be found in the notes linked at + ../hcl/gm45_remove_me.html. Libreboot ROM images now include + the 12KiB descriptor+gbe by default, generated using ich9gen; + however, do note that the MAC address in the Gbe region is generic. Follow the instructions at + ../hcl/gm45_remove_me.html#ich9gen and do what it says to change the MAC address + inside your R400 ROM image, before flashing it. +
+
+ Assuming that your libreboot ROM image is properly setup (modified descriptor plus gbe region included in the ROM), + then you can flash (assuming that the filename is libreboot.rom) for example I had to do:
+ # ./flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=512 -c "MX25L6405(D)" -w libreboot.rom +
+
+ You might see errors, but if it says Verifying flash... VERIFIED at the end, then it's flashed and should boot. + Test it! (boot your R400) +
+
+ My output when running the command above: +
+
+flashrom v0.9.7-r1854 on Linux 3.8.13-bone47 (armv7l) +flashrom is free software, get the source code at http://www.flashrom.org +Calibrating delay loop... OK. +Found Macronix flash chip "MX25L6405(D)" (8192 kB, SPI) on linux_spi. +Reading old flash chip contents... done. +Erasing and writing flash chip... FAILED at 0x00001000! Expected=0xff, Found=0x00, failed byte count from 0x00000000-0x0000ffff: 0xd716 +ERASE FAILED! +Reading current flash chip contents... done. Looking for another erase function. +Erase/write done. +Verifying flash... VERIFIED. +
+ +
+ Back to top of page. +
+ +
+ +
+ +
+ Copyright © 2014, 2015 Francis Rowe <info@gluglug.org.uk>
+ This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. + A copy of the license can be found at ../license.txt. +
+ +
+ This document is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. +
+ +
+ + + diff --git a/docs/install/x200_external.html b/docs/install/x200_external.html index e353e244..d4f1a912 100644 --- a/docs/install/x200_external.html +++ b/docs/install/x200_external.html @@ -108,7 +108,7 @@ chip on those pins? connected to a BBB.
In this image, a pin header was soldered onto the WSON. Another solution might be to de-solder the WSON-8 chip and put a SOIC-8 there instead. - Check the list of SOIC-8 flash chips at ../hcl/x200_remove_me.html#flashchips but + Check the list of SOIC-8 flash chips at ../hcl/gm45_remove_me.html#flashchips but do note that these are only 4MiB (32Mb) chips. The only X200 SPI chips with 8MiB capacity are SOIC-16. For 8MiB capacity in this case, the X201 SOIC-8 flash chip (Macronix 25L6445E) might work.

@@ -167,10 +167,10 @@ Please specify which chip definition to use with the -c <chipname> option.

Information about the descriptor, gbe regions and how the ME was removed can be found in the notes linked at - ../hcl/x200_remove_me.html. Libreboot ROM images now include + ../hcl/gm45_remove_me.html. Libreboot ROM images now include the 12KiB descriptor+gbe by default, generated using ich9gen; however, do note that the MAC address in the Gbe region is generic. Follow the instructions at - ../hcl/x200_remove_me.html#ich9gen and do what it says to change the MAC address + ../hcl/gm45_remove_me.html#ich9gen and do what it says to change the MAC address inside your X200 ROM image, before flashing it.

diff --git a/docs/release.html b/docs/release.html index 94c44b7a..c686495e 100644 --- a/docs/release.html +++ b/docs/release.html @@ -115,7 +115,13 @@ Lenovo ThinkPad X200

X200S and X200 Tablet are also supported, conditionally; see hcl/x200.html#x200s
ME/AMT: libreboot removes this, permanently. hcl/x200_remove_me.html
ME/AMT: libreboot removes this, permanently. hcl/gm45_remove_me.html

+ +

+ Lenovo ThinkPad R400 +

ME/AMT: libreboot removes this, permanently. hcl/gm45_remove_me.html

-- cgit v1.2.3-70-g09d2

+ ThinkPad R400 configuration (file: resources/libreboot/config/r400_4mb/config and resources/libreboot/config/r400_8mb/config) +

GM45 chipsets: remove the ME (manageability engine)

ICH9 gen utility

ICH9 deblob utility

Early notes

Flash chips

Early development notes

+ GBE (gigabit ethernet) region in SPI flash +

GBE region: change MAC address

Flash descriptor region

platform data partition in boot flash (factory.rom / lenovo bios)

ThinkPad R400

Compatibility (without blobs)

Hardware virtualization (vt-x)

New targets

ThinkPad X200: remove the ME (manageability engine)

ICH9 gen utility

ICH9 deblob utility

Early notes

Flash chips

Early development notes

- GBE (gigabit ethernet) region in SPI flash -

GBE region: change MAC address

Flash descriptor region

platform data partition in boot flash (factory.rom / lenovo bios)

Installing libreboot (hardware)

X60/X60S/X60T/T60/X200/macbook21: How to flash the ROMs onto your machine (if running libreboot or coreboot already)

X60/X60S/X60T/T60/X200/R400/macbook21: How to flash the ROMs onto your machine (if running libreboot or coreboot already)

Flashing the R400 with a BeagleBone Black

Flash chips

Initial BBB setup

+ Connect Pomona 5252/5250 to the R400 flash chip, and dump/flash +