From 1e07d74d562d72247af3a5567c2902a8ac1e418d Mon Sep 17 00:00:00 2001 From: Francis Rowe Date: Sat, 23 May 2015 16:24:06 -0400 Subject: docs/install/x200_external: update notes about GPIO33 --- diff --git a/docs/install/x200_external.html b/docs/install/x200_external.html index 0b32063..eaba5b9 100644 --- a/docs/install/x200_external.html +++ b/docs/install/x200_external.html @@ -22,6 +22,17 @@ can also be followed (adapted) if you brick your X200, to know how to recover.

+ +

Back to main index

@@ -127,8 +138,6 @@ chip on those pins? Check the list of SOIC-8 flash chips at ../hcl/gm45_remove_me.html#flashchips but do note that these are only 4MiB (32Mb) chips. The only X200 SPI chips with 8MiB capacity are SOIC-16. For 8MiB capacity in this case, the X201 SOIC-8 flash chip (Macronix 25L6445E) might work. - Another possible solution: ground GPIO33 and boot up in non-descriptor mode. This might make software flashing possible, if - it's possible to circumvent any flashing protections that might exist.

@@ -332,7 +341,7 @@ Verifying flash... VERIFIED.
-

+

Boot it!

@@ -347,6 +356,52 @@ Verifying flash... VERIFIED.

+ +
+

+ X200S and X200 Tablet users: GPIO33 trick will not work. +

+

+ sgsit found out about a pin called GPIO33, which can be grounded to disable the flashing protections + by the descriptor and stop the ME from starting (which itself interferes with flashing attempts). + The theory was proven correct; however, it is still useless in practise. +

+

+ Look just above the 7 in TP37 (that's GPIO33):
+ +

+

+ By default we would see this in lenovobios, when trying flashrom -p internal -w rom.rom: +

+
+FREG0: Warning: Flash Descriptor region (0x00000000-0x00000fff) is read-only.
+FREG2: Warning: Management Engine region (0x00001000-0x005f5fff) is locked.
+
+

+ With GPIO33 grounded during boot, this disabled the flash protections as set + by descriptor, and stopped the ME from starting. The output changed to: +

+
+The Flash Descriptor Override Strap-Pin is set. Restrictions implied by
+the Master Section of the flash descriptor are NOT in effect. Please note
+that Protected Range (PR) restrictions still apply.
+
+

+ The part in bold is what got us. This was still observed: +

+
+PR0: Warning: 0x007e0000-0x01ffffff is read-only.
+PR4: Warning: 0x005f8000-0x005fffff is locked.
+
+ +

+ It is actually possible to disable these protections. Lenovobios does, + when updating the BIOS (proprietary one). One possible way to go about this + would be to debug the BIOS update utility from Lenovo, to find out + how it's disabling these protections. Some more research is available here: + http://www.coreboot.org/Board:lenovo/x200/internal_flashing_research +

+
-- cgit v0.9.1