1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
|
\input texinfo
@documentencoding UTF-8
@ifnottex
@paragraphindent 0
@end ifnottex
@titlepage
@title ThinkPad X200: flashing tutorial (BeagleBone Black)
@end titlepage
@node Top
@top ThinkPad X200: flashing tutorial (BeagleBone Black)
@menu
* Flashing the X200 with a BeagleBone Black::
* X200 laptops with libreboot pre-installed::
* Flash chip size::
* MAC address::
* Initial BBB configuration::
* Wifi::
* WWAN::
* Memory::
@end menu
@node Flashing the X200 with a BeagleBone Black
@chapter Flashing the X200 with a BeagleBone Black
@anchor{#flashing-the-x200-with-a-beaglebone-black}
Initial flashing instructions for X200.
This guide is for those who want libreboot on their ThinkPad X200 while they still have the original Lenovo BIOS present. This guide can also be followed (adapted) if you brick your X200, to know how to recover.
@itemize
@item
@ref{#preinstall,X200 laptops with libreboot pre-installed}
@item
@ref{#flashchips,Flash chips}
@item
@ref{#macaddress,MAC address}
@item
@ref{#clip,Initial BBB configuration and installation procedure}
@item
@ref{#boot,Boot it!}
@item
@ref{#wifi,Wifi}
@item
@ref{#wwan,wwan}
@item
@ref{#memory,Memory}
@item
@ref{#gpio33,X200S and X200 Tablet users: GPIO33 trick will not work.}
@end itemize
@uref{index.html,Back to main index}
@node X200 laptops with libreboot pre-installed
@chapter X200 laptops with libreboot pre-installed
@anchor{#x200-laptops-with-libreboot-pre-installed}
If you don't want to install libreboot yourself, companies exist that sell these laptops with libreboot pre-installed, along with a free GNU/Linux distribution.
Check the @uref{../../suppliers,suppliers} page for more information.
@node Flash chip size
@chapter Flash chip size
@anchor{#flash-chip-size}
Use this to find out:@* # @strong{dmidecode | grep ROM\ Size}
The X200S and X200 Tablet will use a WSON-8 flash chip, on the bottom of the motherboard (this requires removal of the motherboard). @strong{Not all X200S/X200T are supported; see @uref{../hcl/x200.html#x200s,../hcl/x200.html#x200s}.}
@ref{#pagetop,Back to top of page.}
@node MAC address
@chapter MAC address
@anchor{#mac-address}
On the X200/X200S/X200T, the MAC address for the onboard gigabit ethernet chipset is stored inside the flash chip, along with other configuration data.
Keep a note of the MAC address before disassembly; this is very important, because you will need to insert this into the libreboot ROM image before flashing it. It will be written in one of these locations:
@image{../resources/images/x200/disassembly/0002,,,,jpg} @image{../resources/images/x200/disassembly/0001,,,,jpg}
@node Initial BBB configuration
@chapter Initial BBB configuration
@anchor{#initial-bbb-configuration}
Refer to @uref{bbb_setup.html,bbb_setup.html} for how to set up the BBB for flashing.
The following shows how to connect the clip to the BBB (on the P9 header), for SOIC-16 (clip: Pomona 5252):
@verbatim
POMONA 5252 (correlate with the BBB guide)
=== front (display) on your X200 ====
NC - - 21
1 - - 17
NC - - NC
NC - - NC
NC - - NC
NC - - NC
18 - - 3.3V (PSU)
22 - - NC - this is pin 1 on the flash chip
=== back (palmrest) on your X200 ===
This is how you will connect. Numbers refer to pin numbers on the BBB, on the plugs near the DC jack.
Here is a photo of the SOIC-16 flash chip. Pins are labelled:
@end verbatim
The following shows how to connect the clip to the BBB (on the P9 header), for SOIC-8 (clip: Pomona 5250):
@verbatim
POMONA 5250 (correlate with the BBB guide)
=== left side of the X200 (where the VGA port is) ====
18 - - 1
22 - - NC
NC - - 21
3.3V (PSU) - - 17 - this is pin 1 on the flash chip. in front of it is the screen.
=== right side of the X200 (where the audio jacks are) ===
This is how you will connect. Numbers refer to pin numbers on the BBB, on the plugs near the DC jack.
Here is a photo of the SOIC-8 flash chip. The pins are labelled:
Look at the pads in that photo, on the left and right. Those are for SOIC-16. Would it be possible to remove the SOIC-8 and solder a SOIC-16
chip on those pins?
@end verbatim
@strong{On the X200S and X200 Tablet the flash chip is underneath the board, in a WSON package. The pinout is very much the same as a SOIC-8, except you need to solder (there are no clips available).@* The following image shows how this is done:}@* @image{../resources/images/x200/wson_soldered,,,,jpg} @* In this image, a pin header was soldered onto the WSON. Another solution might be to de-solder the WSON-8 chip and put a SOIC-8 there instead. Check the list of SOIC-8 flash chips at @uref{../hcl/gm45_remove_me.html#flashchips,../hcl/gm45_remove_me.html#flashchips} but do note that these are only 4MiB (32Mb) chips. The only X200 SPI chips with 8MiB capacity are SOIC-16. For 8MiB capacity in this case, the X201 SOIC-8 flash chip (Macronix 25L6445E) might work.
@menu
* The procedure::
@end menu
@node The procedure
@section The procedure
@anchor{#the-procedure}
This section is for the X200. This does not apply to the X200S or X200 Tablet (for those systems, you have to remove the motherboard completely, since the flash chip is on the other side of the board).
Remove these screws:@* @image{../resources/images/x200/disassembly/0003,,,,jpg}
Push the keyboard forward, gently, then lift it off and disconnect it from the board:@* @image{../resources/images/x200/disassembly/0004,,,,jpg} @image{../resources/images/x200/disassembly/0005,,,,jpg}
Pull the palm rest off, lifting from the left and right side at the back of the palm rest:@* @image{../resources/images/x200/disassembly/0006,,,,jpg}
Lift back the tape that covers a part of the flash chip, and then connect the clip:@* @image{../resources/images/x200/disassembly/0007,,,,jpg} @image{../resources/images/x200/disassembly/0008,,,,jpg}
On pin 2 of the BBB, where you have the ground (GND), connect the ground to your PSU:@* @image{../resources/images/x200/disassembly/0009,,,,jpg} @image{../resources/images/x200/disassembly/0010,,,,jpg}
Connect the 3.3V supply from your PSU to the flash chip (via the clip):@* @image{../resources/images/x200/disassembly/0011,,,,jpg} @image{../resources/images/x200/disassembly/0012,,,,jpg}
Of course, make sure that your PSU is also plugged in and turn on:@* @image{../resources/images/x200/disassembly/0013,,,,jpg}
This tutorial tells you to use an ATX PSU, for the 3.3V DC supply. The PSU used when taking these photos is actually not an ATX PSU, but a PSU that is designed specifically for providing 3.3V DC (an ATX PSU will also work):@* @image{../resources/images/x200/disassembly/0014,,,,jpg}
Now, you should be ready to install libreboot.
Flashrom binaries for ARM (tested on a BBB) are distributed in libreboot_util. Alternatively, libreboot also distributes flashrom source code which can be built.
Log in as root on your BBB, using the instructions in @uref{bbb_setup.html#bbb_access,bbb_setup.html#bbb_access}.
Test that flashrom works:@* # @strong{./flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=512}@* In this case, the output was:
@verbatim
flashrom v0.9.7-r1854 on Linux 3.8.13-bone47 (armv7l)
flashrom is free software, get the source code at http://www.flashrom.org
Calibrating delay loop... OK.
Found Macronix flash chip "MX25L6405(D)" (8192 kB, SPI) on linux_spi.
Found Macronix flash chip "MX25L6406E/MX25L6436E" (8192 kB, SPI) on linux_spi.
Found Macronix flash chip "MX25L6445E/MX25L6473E" (8192 kB, SPI) on linux_spi.
Multiple flash chip definitions match the detected chip(s): "MX25L6405(D)", "MX25L6406E/MX25L6436E", "MX25L6445E/MX25L6473E"
Please specify which chip definition to use with the -c <chipname> option.
@end verbatim
How to backup factory.rom (change the -c option as neeed, for your flash chip):@* # @strong{./flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=512 -r factory.rom}@* # @strong{./flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=512 -r factory1.rom}@* # @strong{./flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=512 -r factory2.rom}@* Note: the @strong{-c} option is not required in libreboot's patched flashrom, because the redundant flash chip definitions in @emph{flashchips.c} have been removed.@* Now compare the 3 images:@* # @strong{sha512sum factory*.rom}@* If the hashes match, then just copy one of them (the factory.rom) to a safe place (on a drive connected to another system, not the BBB). This is useful for reverse engineering work, if there is a desirable behaviour in the original firmware that could be replicated in coreboot and libreboot.
Follow the instructions at @uref{../hcl/gm45_remove_me.html#ich9gen,../hcl/gm45_remove_me.html#ich9gen} to change the MAC address inside the libreboot ROM image, before flashing it. Although there is a default MAC address inside the ROM image, this is not what you want. @strong{Make sure to always change the MAC address to one that is correct for your system.}
Now flash it:@* # @strong{./flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=512 -w path/to/libreboot/rom/image.rom -V}
@image{../resources/images/x200/disassembly/0015,,,,jpg}
You might see errors, but if it says @strong{Verifying flash... VERIFIED} at the end, then it's flashed and should boot. If you see errors, try again (and again, and again); the message @strong{Chip content is identical to the requested image} is also an indication of a successful installation.
Example output from running the command (see above):
@verbatim
flashrom v0.9.7-r1854 on Linux 3.8.13-bone47 (armv7l)
flashrom is free software, get the source code at http://www.flashrom.org
Calibrating delay loop... OK.
Found Macronix flash chip "MX25L6405(D)" (8192 kB, SPI) on linux_spi.
Reading old flash chip contents... done.
Erasing and writing flash chip... FAILED at 0x00001000! Expected=0xff, Found=0x00, failed byte count from 0x00000000-0x0000ffff: 0xd716
ERASE FAILED!
Reading current flash chip contents... done. Looking for another erase function.
Erase/write done.
Verifying flash... VERIFIED.
@end verbatim
@ref{#pagetop,Back to top of page.}
@node Wifi
@chapter Wifi
@anchor{#wifi}
The X200 typically comes with an Intel wifi chipset, which does not work without proprietary software. For a list of wifi chipsets that work without proprietary software, see @uref{../hcl/index.html#recommended_wifi,../hcl/index.html#recommended_wifi}.
Some X200 laptops come with an Atheros chipset, but this is 802.11g only.
It is recommended that you install a new wifi chipset. This can only be done after installing libreboot, because the original firmware has a whitelist of approved chips, and it will refuse to boot if you use an 'unauthorized' wifi card.
The following photos show an Atheros AR5B95 being installed, to replace the Intel chip that this X200 came with:@* @image{../resources/images/x200/disassembly/0016,,,,jpg} @image{../resources/images/x200/disassembly/0017,,,,jpg}
@node WWAN
@chapter WWAN
@anchor{#wwan}
If you have a WWAN/3G card and/or sim card reader, remove them permanently. The WWAN-3G card has proprietary firmware inside; the technology is identical to what is used in mobile phones, so it can also track your movements.
Not to be confused with wifi (wifi is fine).
@node Memory
@chapter Memory
@anchor{#memory}
You need DDR3 SODIMM PC3-8500 RAM installed, in matching pairs (speed/size). Non-matching pairs won't work. You can also install a single module (meaning, one of the slots will be empty) in slot 0.
NOTE: reports from some users indicate that non matching pairs might work (e.g. 1+2 GiB).
Make sure that the RAM you buy is the 2Rx8 density.
@uref{http://www.forum.thinkpads.com/viewtopic.php?p=760721, This page} might be useful for RAM compatibility info
(note: coreboot raminit is different, so this page might be BS)
In this photo, 8GiB of RAM (2x4GiB) is installed:@* @image{../resources/images/x200/disassembly/0018,,,,jpg}
@menu
* Boot it!::
* X200S and X200 Tablet users GPIO33 trick will not work::
@end menu
@node Boot it!
@section Boot it!
@anchor{#boot-it}
You should see something like this:
@image{../resources/images/x200/disassembly/0019,,,,jpg}
Now @uref{../gnulinux/index.html,install GNU/Linux}.
@node X200S and X200 Tablet users GPIO33 trick will not work
@section X200S and X200 Tablet users: GPIO33 trick will not work.
@anchor{#x200s-and-x200-tablet-users-gpio33-trick-will-not-work.}
sgsit found out about a pin called GPIO33, which can be grounded to disable the flashing protections by the descriptor and stop the ME from starting (which itself interferes with flashing attempts). The theory was proven correct; however, it is still useless in practise.
Look just above the 7 in TP37 (that's GPIO33):@* @image{../hcl/../resources/images/x200/gpio33_location,,,,jpg}
By default we would see this in lenovobios, when trying flashrom -p internal -w rom.rom:
@verbatim
FREG0: Warning: Flash Descriptor region (0x00000000-0x00000fff) is read-only.
FREG2: Warning: Management Engine region (0x00001000-0x005f5fff) is locked.
@end verbatim
With GPIO33 grounded during boot, this disabled the flash protections as set by descriptor, and stopped the ME from starting. The output changed to:
@verbatim
The Flash Descriptor Override Strap-Pin is set. Restrictions implied by
the Master Section of the flash descriptor are NOT in effect. Please note
that Protected Range (PR) restrictions still apply.
@end verbatim
The part in bold is what got us. This was still observed:
@verbatim
PR0: Warning: 0x007e0000-0x01ffffff is read-only.
PR4: Warning: 0x005f8000-0x005fffff is locked.
@end verbatim
It is actually possible to disable these protections. Lenovobios does, when updating the BIOS (proprietary one). One possible way to go about this would be to debug the BIOS update utility from Lenovo, to find out how it's disabling these protections. Some more research is available here: @uref{http://www.coreboot.org/Board:lenovo/x200/internal_flashing_research,http://www.coreboot.org/Board:lenovo/x200/internal_flashing_research}
On a related note, libreboot has a utility that could help with investigating this: @uref{../hcl/gm45_remove_me.html#demefactory,../hcl/gm45_remove_me.html#demefactory}
Copyright © 2014, 2015 Leah Woods <info@@minifree.org>@* Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license can be found at @uref{../resources/licenses/gfdl-1.3.txt,gfdl-1.3.txt}
Updated versions of the license (when available) can be found at @uref{https://www.gnu.org/licenses/licenses.html,https://www.gnu.org/licenses/licenses.html}
UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability.
@bye
|