-rw-r--r--resources/utilities/ich9deblob/ich9deblob.c284
1 files changed, 148 insertions, 136 deletions
diff --git a/resources/utilities/ich9deblob/ich9deblob.c b/resources/utilities/ich9deblob/ich9deblob.c
index e0ebf45..3a4dbd5 100644
--- a/resources/utilities/ich9deblob/ich9deblob.c
+++ b/resources/utilities/ich9deblob/ich9deblob.c
@@ -227,6 +227,154 @@ int main(int argc, char *argv[])
return 0;
}
+// ---------------------------------------------------------------------
+// Descriptor functions
+// ---------------------------------------------------------------------
+
+// Modify the flash descriptor, to remove the ME/AMT, and disable all other regions
+// Only Flash Descriptor, Gbe and BIOS regions (BIOS region fills factoryRomSize-12k) are left.
+// Tested on ThinkPad X200 and X200S. X200T and other GM45 targets may also work.
+struct DESCRIPTORREGIONRECORD deblobbedDescriptorStructFromFactory(struct DESCRIPTORREGIONRECORD factoryDescriptorStruct, unsigned int factoryRomSize, unsigned int factoryGbeRegionStart)
+{
+ struct DESCRIPTORREGIONRECORD deblobbedDescriptorStruct;
+ memcpy(&deblobbedDescriptorStruct, &factoryDescriptorStruct, DESCRIPTORREGIONSIZE);
+
+ // Now we need to modify the descriptor so that the ME can be excluded
+ // from the final ROM image (libreboot one) after adding the modified
+ // descriptor+gbe. Refer to libreboot docs for details: docs/hcl/x200_remove_me.html
+
+ // set number of regions from 4 -> 2 (0 based, so 4 means 5 and 2
+ // means 3. We want 3 regions: descriptor, gbe and bios, in that order)
+ deblobbedDescriptorStruct.flMaps.flMap0.NR = 2;
+
+ // make descriptor writable from OS. This is that the user can run:
+ // sudo ./flashrom -p internal:laptop=force_I_want_a_brick
+ // from the OS, without relying an an external SPI flasher, while
+ // being able to write to the descriptor region (locked by default,
+ // until making the change below):
+ deblobbedDescriptorStruct.masterAccessSection.flMstr1.fdRegionWriteAccess = 1;
+
+ // relocate BIOS region and increase size to fill image
+ deblobbedDescriptorStruct.regionSection.flReg1.BASE = 3; // 3<<FLREGIONBITSHIFT is 12KiB, which is where BIOS region is to begin (after descriptor and gbe)
+ deblobbedDescriptorStruct.regionSection.flReg1.LIMIT = ((factoryRomSize >> FLREGIONBITSHIFT) - 1);
+ // ^ for example, 8MB ROM, that's 8388608 bytes.
+ // ^ 8388608>>FLREGIONBITSHIFT (or 8388608/4096) = 2048 bytes
+ // 2048 - 1 = 2047 bytes.
+ // This defines where the final 0x1000 (4KiB) page starts in the flash chip, because the hardware does:
+ // 2047<<FLREGIONBITSHIFT (or 2047*4096) = 8384512 bytes, or 7FF000 bytes
+ // (it can't be 0x7FFFFF because of limited number of bits)
+
+ // set ME region size to 0 - the ME is a blob, we don't want it in libreboot
+ deblobbedDescriptorStruct.regionSection.flReg2.BASE = 0x1FFF; // setting 1FFF means setting size to 0. 1FFF<<FLREGIONBITSHIFT is outside of the ROM image (8MB) size?
+ // ^ datasheet says to set this to 1FFF, but FFF was previously used and also worked.
+ deblobbedDescriptorStruct.regionSection.flReg2.LIMIT = 0;
+ // ^ 0<<FLREGIONBITSHIFT=0, so basically, the size is 0, and the base (1FFF>>FLREGIONBITSHIFT) is well outside the higher 8MB range.
+
+ // relocate Gbe region to begin at 4KiB (immediately after the flash descriptor)
+ deblobbedDescriptorStruct.regionSection.flReg3.BASE = 1; // 1<<FLREGIONBITSHIFT is 4096, which is where the Gbe region is to begin (after the descriptor)
+ deblobbedDescriptorStruct.regionSection.flReg3.LIMIT = 2;
+ // ^ 2<<FLREGIONBITSHIFT=8192 bytes. So we are set it to size 8KiB after the first 4KiB in the flash chip.
+
+ // set Platform region size to 0 - another blob that we don't want
+ deblobbedDescriptorStruct.regionSection.flReg4.BASE = 0x1FFF; // setting 1FFF means setting size to 0. 1FFF<<FLREGIONBITSHIFT is outside of the ROM image (8MB) size?
+ // ^ datasheet says to set this to 1FFF, but FFF was previously used and also worked.
+ deblobbedDescriptorStruct.regionSection.flReg4.LIMIT = 0;
+ // ^ 0<<FLREGIONBITSHIFT=0, so basically, the size is 0, and the base (1FFF>>FLREGIONBITSHIFT) is well outside the higher 8MB range.
+
+ // disable ME in ICHSTRAP0 - the ME is a blob, we don't want it in libreboot
+ deblobbedDescriptorStruct.ichStraps.ichStrap0.meDisable = 1;
+
+ // disable ME and TPM in MCHSTRAP0
+ deblobbedDescriptorStruct.mchStraps.mchStrap0.meDisable = 1; // ME is a blob. not wanted in libreboot.
+ deblobbedDescriptorStruct.mchStraps.mchStrap0.tpmDisable = 1; // not wanted in libreboot
+
+ // disable ME, apart from chipset bugfixes (ME region should first be re-enabled above)
+ // This is sort of like the CPU microcode updates, but for the chipset
+ // (commented out below here, since blobs go against libreboot's purpose,
+ // but may be interesting for others)
+ // deblobbedDescriptorStruct.mchStraps.mchStrap0.meAlternateDisable = 1;
+
+ // debugging
+ printf("\nOriginal (factory.rom) Descriptor start block: %08x ; Descriptor end block: %08x\n", factoryDescriptorStruct.regionSection.flReg0.BASE << FLREGIONBITSHIFT, factoryDescriptorStruct.regionSection.flReg0.LIMIT << FLREGIONBITSHIFT);
+ printf("Original (factory.rom) BIOS start block: %08x ; BIOS end block: %08x\n", factoryDescriptorStruct.regionSection.flReg1.BASE << FLREGIONBITSHIFT, factoryDescriptorStruct.regionSection.flReg1.LIMIT << FLREGIONBITSHIFT);
+ printf("Original (factory.rom) ME start block: %08x ; ME end block: %08x\n", factoryDescriptorStruct.regionSection.flReg2.BASE << FLREGIONBITSHIFT, factoryDescriptorStruct.regionSection.flReg2.LIMIT << FLREGIONBITSHIFT);
+ printf("Original (factory.rom) GBe start block: %08x ; GBe end block: %08x\n", factoryGbeRegionStart, factoryDescriptorStruct.regionSection.flReg3.LIMIT << FLREGIONBITSHIFT);
+
+ printf("\nRelocated (libreboot.rom) Descriptor start block: %08x ; Descriptor end block: %08x\n", deblobbedDescriptorStruct.regionSection.flReg0.BASE << FLREGIONBITSHIFT, deblobbedDescriptorStruct.regionSection.flReg0.LIMIT << FLREGIONBITSHIFT);
+ printf("Relocated (libreboot.rom) BIOS start block: %08x ; BIOS end block: %08x\n", deblobbedDescriptorStruct.regionSection.flReg1.BASE << FLREGIONBITSHIFT, deblobbedDescriptorStruct.regionSection.flReg1.LIMIT << FLREGIONBITSHIFT);
+ printf("Relocated (libreboot.rom) ME start block: %08x ; ME end block: %08x\n", deblobbedDescriptorStruct.regionSection.flReg2.BASE << FLREGIONBITSHIFT, deblobbedDescriptorStruct.regionSection.flReg2.LIMIT << FLREGIONBITSHIFT);
+ printf("Relocated (libreboot.rom) GBe start block: %08x ; GBe end block: %08x\n", deblobbedDescriptorStruct.regionSection.flReg3.BASE << FLREGIONBITSHIFT, deblobbedDescriptorStruct.regionSection.flReg3.LIMIT << FLREGIONBITSHIFT);
+
+ return deblobbedDescriptorStruct;
+}
+
+// ---------------------------------------------------------------------
+// Gbe functions
+// ---------------------------------------------------------------------
+
+struct GBEREGIONRECORD_8K deblobbedGbeStructFromFactory(struct GBEREGIONRECORD_8K factoryGbeStruct8k)
+{
+ // Correct the main gbe region. By default, the X200 (as shipped from Lenovo) comes
+ // with a broken main gbe region, where the backup gbe region is used instead. Modify
+ // the descriptor so that the main region is usable.
+
+ struct GBEREGIONRECORD_8K deblobbedGbeStruct8k;
+ memcpy(&deblobbedGbeStruct8k, &factoryGbeStruct8k, GBEREGIONSIZE);
+
+ deblobbedGbeStruct8k.backup.checkSum = gbeGetChecksumFrom4kStruct(deblobbedGbeStruct8k.backup, 0xBABA);
+ memcpy(&deblobbedGbeStruct8k.main, &deblobbedGbeStruct8k.backup, GBEREGIONSIZE>>1);
+
+ // Debugging:
+ // calculate the 0x3F'th 16-bit uint to make the desired final checksum for GBe
+ // observed checksum matches (from X200 factory.rom dumps) on main: 0x3ABA 0x34BA 0x40BA. spec defined as 0xBABA.
+ // X200 ships with a broken main gbe region by default (invalid checksum, and more)
+ // The "backup" gbe regions on these machines are correct, though, and is what the machines default to
+ // For libreboot's purpose, we can do much better than that by fixing the main one... below is only debugging
+ printf("\nfactory Gbe (main): calculated Gbe checksum: 0x%hx and actual GBe checksum: 0x%hx\n", gbeGetChecksumFrom4kStruct(factoryGbeStruct8k.main, 0xBABA), factoryGbeStruct8k.main.checkSum);
+ printf("factory Gbe (backup) calculated Gbe checksum: 0x%hx and actual GBe checksum: 0x%hx\n", gbeGetChecksumFrom4kStruct(factoryGbeStruct8k.backup, 0xBABA), factoryGbeStruct8k.backup.checkSum);
+ printf("\ndeblobbed Gbe (main): calculated Gbe checksum: 0x%hx and actual GBe checksum: 0x%hx\n", gbeGetChecksumFrom4kStruct(deblobbedGbeStruct8k.main, 0xBABA), deblobbedGbeStruct8k.main.checkSum);
+ printf("deblobbed Gbe (backup) calculated Gbe checksum: 0x%hx and actual GBe checksum: 0x%hx\n", gbeGetChecksumFrom4kStruct(deblobbedGbeStruct8k.backup, 0xBABA), deblobbedGbeStruct8k.backup.checkSum);
+
+ return deblobbedGbeStruct8k;
+}
+
+// checksum calculation for 4k gbe struct (algorithm based on datasheet)
+unsigned short gbeGetChecksumFrom4kStruct(struct GBEREGIONRECORD_4K gbeStruct4k, unsigned short desiredValue)
+{
+ char gbeBuffer4k[GBEREGIONSIZE>>1];
+ memcpy(&gbeBuffer4k, &gbeStruct4k, GBEREGIONSIZE>>1);
+ return gbeGetChecksumFrom8kBuffer(gbeBuffer4k, desiredValue, 0);
+}
+// checksum calculation for 8k gbe region (algorithm based on datasheet)
+// also works for 4k buffers, so long as isBackup remains false
+unsigned short gbeGetChecksumFrom8kBuffer(char* regionData, unsigned short desiredValue, char isBackup)
+{
+ int i;
+
+ unsigned short regionWord; // store words here for adding to checksum
+ unsigned short checksum = 0; // this gbe's checksum
+ unsigned short offset = 0; // in bytes, from the start of the gbe region.
+
+ // if isBackup is true, use 2nd gbe region ("backup" region)
+ if (isBackup) offset = 0x1000>>1; // this function uses *word* not *byte* indexes.
+
+ for (i = 0; i < 0x3F; i++) {
+ regionWord = gbeGetRegionWordFrom8kBuffer(i+offset, regionData);
+ checksum += regionWord;
+ }
+ checksum = desiredValue - checksum;
+ return checksum;
+}
+// Read a 16-bit unsigned int from a supplied region buffer
+unsigned short gbeGetRegionWordFrom8kBuffer(int index, char* regionData)
+{
+ return *((unsigned short*)(regionData + (index * 2)));
+}
+
+// ---------------------------------------------------------------------
+// x86 compatibility checking:
+// ---------------------------------------------------------------------
+
// Basically, this should only return true on non-x86 machines
int structSizesIncorrect(struct DESCRIPTORREGIONRECORD descriptorDummy, struct GBEREGIONRECORD_8K gbe8kDummy) {
unsigned int descriptorRegionStructSize = sizeof(descriptorDummy);
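Review bot: gbeGetRegionWordFrom8kBuffer reads each word with `*((unsigned short*)(regionData + (index * 2)))`, which dereferences a `char` buffer through an incompatible pointer type; gbeGetChecksumFrom4kStruct passes it a local `char gbeBuffer4k[]`, whose alignment for a 16-bit load is not guaranteed. Copying the bytes out avoids both the aliasing and the alignment problem: `unsigned short word; memcpy(&word, regionData + (index * 2), sizeof word); return word;`. The value still follows host byte order, which the x86 compatibility checks further down the file presumably account for. Separately, the comment above `fdRegionWriteAccess = 1` explains the flashing convenience but not the cost, so I would add `// NOTE: this leaves the descriptor (region layout and master access bits) rewritable by any privileged software on the host, not only flashrom`.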
@@ -358,139 +506,3 @@ int systemOrCompilerIncompatible(struct DESCRIPTORREGIONRECORD descriptorStruct,
if (structMembersWrongOrder()) return 1;
return 0;
}
-
-struct GBEREGIONRECORD_8K deblobbedGbeStructFromFactory(struct GBEREGIONRECORD_8K factoryGbeStruct8k)
-{
- // Correct the main gbe region. By default, the X200 (as shipped from Lenovo) comes
- // with a broken main gbe region, where the backup gbe region is used instead. Modify
- // the descriptor so that the main region is usable.
-
- struct GBEREGIONRECORD_8K deblobbedGbeStruct8k;
- memcpy(&deblobbedGbeStruct8k, &factoryGbeStruct8k, GBEREGIONSIZE);
-
- deblobbedGbeStruct8k.backup.checkSum = gbeGetChecksumFrom4kStruct(deblobbedGbeStruct8k.backup, 0xBABA);
- memcpy(&deblobbedGbeStruct8k.main, &deblobbedGbeStruct8k.backup, GBEREGIONSIZE>>1);
-
- // Debugging:
- // calculate the 0x3F'th 16-bit uint to make the desired final checksum for GBe
- // observed checksum matches (from X200 factory.rom dumps) on main: 0x3ABA 0x34BA 0x40BA. spec defined as 0xBABA.
- // X200 ships with a broken main gbe region by default (invalid checksum, and more)
- // The "backup" gbe regions on these machines are correct, though, and is what the machines default to
- // For libreboot's purpose, we can do much better than that by fixing the main one... below is only debugging
- printf("\nfactory Gbe (main): calculated Gbe checksum: 0x%hx and actual GBe checksum: 0x%hx\n", gbeGetChecksumFrom4kStruct(factoryGbeStruct8k.main, 0xBABA), factoryGbeStruct8k.main.checkSum);
- printf("factory Gbe (backup) calculated Gbe checksum: 0x%hx and actual GBe checksum: 0x%hx\n", gbeGetChecksumFrom4kStruct(factoryGbeStruct8k.backup, 0xBABA), factoryGbeStruct8k.backup.checkSum);
- printf("\ndeblobbed Gbe (main): calculated Gbe checksum: 0x%hx and actual GBe checksum: 0x%hx\n", gbeGetChecksumFrom4kStruct(deblobbedGbeStruct8k.main, 0xBABA), deblobbedGbeStruct8k.main.checkSum);
- printf("deblobbed Gbe (backup) calculated Gbe checksum: 0x%hx and actual GBe checksum: 0x%hx\n", gbeGetChecksumFrom4kStruct(deblobbedGbeStruct8k.backup, 0xBABA), deblobbedGbeStruct8k.backup.checkSum);
-
- return deblobbedGbeStruct8k;
-}
-
-// Modify the flash descriptor, to remove the ME/AMT, and disable all other regions
-// Only Flash Descriptor, Gbe and BIOS regions (BIOS region fills factoryRomSize-12k) are left.
-// Tested on ThinkPad X200 and X200S. X200T and other GM45 targets may also work.
-struct DESCRIPTORREGIONRECORD deblobbedDescriptorStructFromFactory(struct DESCRIPTORREGIONRECORD factoryDescriptorStruct, unsigned int factoryRomSize, unsigned int factoryGbeRegionStart)
-{
- struct DESCRIPTORREGIONRECORD deblobbedDescriptorStruct;
- memcpy(&deblobbedDescriptorStruct, &factoryDescriptorStruct, DESCRIPTORREGIONSIZE);
-
- // Now we need to modify the descriptor so that the ME can be excluded
- // from the final ROM image (libreboot one) after adding the modified
- // descriptor+gbe. Refer to libreboot docs for details: docs/hcl/x200_remove_me.html
-
- // set number of regions from 4 -> 2 (0 based, so 4 means 5 and 2
- // means 3. We want 3 regions: descriptor, gbe and bios, in that order)
- deblobbedDescriptorStruct.flMaps.flMap0.NR = 2;
-
- // make descriptor writable from OS. This is that the user can run:
- // sudo ./flashrom -p internal:laptop=force_I_want_a_brick
- // from the OS, without relying an an external SPI flasher, while
- // being able to write to the descriptor region (locked by default,
- // until making the change below):
- deblobbedDescriptorStruct.masterAccessSection.flMstr1.fdRegionWriteAccess = 1;
-
- // relocate BIOS region and increase size to fill image
- deblobbedDescriptorStruct.regionSection.flReg1.BASE = 3; // 3<<FLREGIONBITSHIFT is 12KiB, which is where BIOS region is to begin (after descriptor and gbe)
- deblobbedDescriptorStruct.regionSection.flReg1.LIMIT = ((factoryRomSize >> FLREGIONBITSHIFT) - 1);
- // ^ for example, 8MB ROM, that's 8388608 bytes.
- // ^ 8388608>>FLREGIONBITSHIFT (or 8388608/4096) = 2048 bytes
- // 2048 - 1 = 2047 bytes.
- // This defines where the final 0x1000 (4KiB) page starts in the flash chip, because the hardware does:
- // 2047<<FLREGIONBITSHIFT (or 2047*4096) = 8384512 bytes, or 7FF000 bytes
- // (it can't be 0x7FFFFF because of limited number of bits)
-
- // set ME region size to 0 - the ME is a blob, we don't want it in libreboot
- deblobbedDescriptorStruct.regionSection.flReg2.BASE = 0x1FFF; // setting 1FFF means setting size to 0. 1FFF<<FLREGIONBITSHIFT is outside of the ROM image (8MB) size?
- // ^ datasheet says to set this to 1FFF, but FFF was previously used and also worked.
- deblobbedDescriptorStruct.regionSection.flReg2.LIMIT = 0;
- // ^ 0<<FLREGIONBITSHIFT=0, so basically, the size is 0, and the base (1FFF>>FLREGIONBITSHIFT) is well outside the higher 8MB range.
-
- // relocate Gbe region to begin at 4KiB (immediately after the flash descriptor)
- deblobbedDescriptorStruct.regionSection.flReg3.BASE = 1; // 1<<FLREGIONBITSHIFT is 4096, which is where the Gbe region is to begin (after the descriptor)
- deblobbedDescriptorStruct.regionSection.flReg3.LIMIT = 2;
- // ^ 2<<FLREGIONBITSHIFT=8192 bytes. So we are set it to size 8KiB after the first 4KiB in the flash chip.
-
- // set Platform region size to 0 - another blob that we don't want
- deblobbedDescriptorStruct.regionSection.flReg4.BASE = 0x1FFF; // setting 1FFF means setting size to 0. 1FFF<<FLREGIONBITSHIFT is outside of the ROM image (8MB) size?
- // ^ datasheet says to set this to 1FFF, but FFF was previously used and also worked.
- deblobbedDescriptorStruct.regionSection.flReg4.LIMIT = 0;
- // ^ 0<<FLREGIONBITSHIFT=0, so basically, the size is 0, and the base (1FFF>>FLREGIONBITSHIFT) is well outside the higher 8MB range.
-
- // disable ME in ICHSTRAP0 - the ME is a blob, we don't want it in libreboot
- deblobbedDescriptorStruct.ichStraps.ichStrap0.meDisable = 1;
-
- // disable ME and TPM in MCHSTRAP0
- deblobbedDescriptorStruct.mchStraps.mchStrap0.meDisable = 1; // ME is a blob. not wanted in libreboot.
- deblobbedDescriptorStruct.mchStraps.mchStrap0.tpmDisable = 1; // not wanted in libreboot
-
- // disable ME, apart from chipset bugfixes (ME region should first be re-enabled above)
- // This is sort of like the CPU microcode updates, but for the chipset
- // (commented out below here, since blobs go against libreboot's purpose,
- // but may be interesting for others)
- // deblobbedDescriptorStruct.mchStraps.mchStrap0.meAlternateDisable = 1;
-
- // debugging
- printf("\nOriginal (factory.rom) Descriptor start block: %08x ; Descriptor end block: %08x\n", factoryDescriptorStruct.regionSection.flReg0.BASE << FLREGIONBITSHIFT, factoryDescriptorStruct.regionSection.flReg0.LIMIT << FLREGIONBITSHIFT);
- printf("Original (factory.rom) BIOS start block: %08x ; BIOS end block: %08x\n", factoryDescriptorStruct.regionSection.flReg1.BASE << FLREGIONBITSHIFT, factoryDescriptorStruct.regionSection.flReg1.LIMIT << FLREGIONBITSHIFT);
- printf("Original (factory.rom) ME start block: %08x ; ME end block: %08x\n", factoryDescriptorStruct.regionSection.flReg2.BASE << FLREGIONBITSHIFT, factoryDescriptorStruct.regionSection.flReg2.LIMIT << FLREGIONBITSHIFT);
- printf("Original (factory.rom) GBe start block: %08x ; GBe end block: %08x\n", factoryGbeRegionStart, factoryDescriptorStruct.regionSection.flReg3.LIMIT << FLREGIONBITSHIFT);
-
- printf("\nRelocated (libreboot.rom) Descriptor start block: %08x ; Descriptor end block: %08x\n", deblobbedDescriptorStruct.regionSection.flReg0.BASE << FLREGIONBITSHIFT, deblobbedDescriptorStruct.regionSection.flReg0.LIMIT << FLREGIONBITSHIFT);
- printf("Relocated (libreboot.rom) BIOS start block: %08x ; BIOS end block: %08x\n", deblobbedDescriptorStruct.regionSection.flReg1.BASE << FLREGIONBITSHIFT, deblobbedDescriptorStruct.regionSection.flReg1.LIMIT << FLREGIONBITSHIFT);
- printf("Relocated (libreboot.rom) ME start block: %08x ; ME end block: %08x\n", deblobbedDescriptorStruct.regionSection.flReg2.BASE << FLREGIONBITSHIFT, deblobbedDescriptorStruct.regionSection.flReg2.LIMIT << FLREGIONBITSHIFT);
- printf("Relocated (libreboot.rom) GBe start block: %08x ; GBe end block: %08x\n", deblobbedDescriptorStruct.regionSection.flReg3.BASE << FLREGIONBITSHIFT, deblobbedDescriptorStruct.regionSection.flReg3.LIMIT << FLREGIONBITSHIFT);
-
- return deblobbedDescriptorStruct;
-}
-
-// checksum calculation for 4k gbe struct (algorithm based on datasheet)
-unsigned short gbeGetChecksumFrom4kStruct(struct GBEREGIONRECORD_4K gbeStruct4k, unsigned short desiredValue)
-{
- char gbeBuffer4k[GBEREGIONSIZE>>1];
- memcpy(&gbeBuffer4k, &gbeStruct4k, GBEREGIONSIZE>>1);
- return gbeGetChecksumFrom8kBuffer(gbeBuffer4k, desiredValue, 0);
-}
-// checksum calculation for 8k gbe region (algorithm based on datasheet)
-// also works for 4k buffers, so long as isBackup remains false
-unsigned short gbeGetChecksumFrom8kBuffer(char* regionData, unsigned short desiredValue, char isBackup)
-{
- int i;
-
- unsigned short regionWord; // store words here for adding to checksum
- unsigned short checksum = 0; // this gbe's checksum
- unsigned short offset = 0; // in bytes, from the start of the gbe region.
-
- // if isBackup is true, use 2nd gbe region ("backup" region)
- if (isBackup) offset = 0x1000>>1; // this function uses *word* not *byte* indexes.
-
- for (i = 0; i < 0x3F; i++) {
- regionWord = gbeGetRegionWordFrom8kBuffer(i+offset, regionData);
- checksum += regionWord;
- }
- checksum = desiredValue - checksum;
- return checksum;
-}
-// Read a 16-bit unsigned int from a supplied region buffer
-unsigned short gbeGetRegionWordFrom8kBuffer(int index, char* regionData)
-{
- return *((unsigned short*)(regionData + (index * 2)));
-}