From ddbfcfe56f0cb01f21e9eadf88fd91e96ea086c3 Mon Sep 17 00:00:00 2001
From: Francis Rowe <info@gluglug.org.uk>
Date: Mon, 22 Dec 2014 09:18:09 -0500
Subject: ich9deblob: descriptor deblobbing moved to separate function

---
diff --git a/resources/utilities/ich9deblob/ich9deblob.c b/resources/utilities/ich9deblob/ich9deblob.c
index fb96839..9fa7db4 100644
--- a/resources/utilities/ich9deblob/ich9deblob.c
+++ b/resources/utilities/ich9deblob/ich9deblob.c
@@ -52,10 +52,15 @@
 // NOTE: The GBE region of 8K is actually 2x 4K regions in a single region; both 4K blocks can be identical (and by default, are)
 // The 2nd one is a "backup", but we don't know when it's used. perhaps it's used when the checksum on the first one does not match?
 
+// Related to the flash descriptor
+#define FLREGIONBITSHIFT 0xC // bits 12(0xC)-24(0x18) are represented for words found in the flash descriptor
+												 // To manipulate these easily in C, we shift them by FLREGIONBITSHIFT and then shift them back when done
+
 // gbe checksum related functions
 unsigned short gbeGetChecksumFrom4kStruct(struct GBEREGIONRECORD_4K gbeStruct4k, unsigned short desiredValue);
 unsigned short gbeGetChecksumFrom8kBuffer(char* buffer, unsigned short desiredValue, char isBackup); // for GBe region (checksum calculation)
 unsigned short gbeGetRegionWordFrom8kBuffer(int i, char* buffer); // used for getting each word needed to calculate said checksum
+struct DESCRIPTORREGIONRECORD deblobbedFromFactory(struct DESCRIPTORREGIONRECORD factoryDescriptorStruct, int romSize);
 
 int main(int argc, char *argv[])
 {
@@ -133,10 +138,9 @@ int main(int argc, char *argv[])
 
 	// get original GBe region location
 	// (it will be moved to the beginning of the flash, after the descriptor region)
-	unsigned int flRegionBitShift = 12;// bits 12-24 are represented.
-	// note for example, factoryGbeRegionLocation is set to <<12 of actual address (in C). this is how the addresses
+	// note for example, factoryGbeRegionLocation is set to <<FLREGIONBITSHIFT of actual address (in C). this is how the addresses
 	// are stored in the descriptor.
-	unsigned int factoryGbeRegionLocation = factoryDescriptorStruct.regionSection.flReg3.BASE << flRegionBitShift;
+	unsigned int factoryGbeRegionLocation = factoryDescriptorStruct.regionSection.flReg3.BASE << FLREGIONBITSHIFT;
 
 	// Set offset so that we can read the data from
 	// the gbe region
@@ -175,71 +179,20 @@ int main(int argc, char *argv[])
 	// -----------------------------------------------------------------------------------------------
 
 	// debugging
-	printf("\nOriginal Descriptor start block: %08x ; Descriptor end block: %08x\n", factoryDescriptorStruct.regionSection.flReg0.BASE << flRegionBitShift, factoryDescriptorStruct.regionSection.flReg0.LIMIT << flRegionBitShift);
-	printf("Original BIOS start block: %08x ; BIOS end block: %08x\n", factoryDescriptorStruct.regionSection.flReg1.BASE << flRegionBitShift, factoryDescriptorStruct.regionSection.flReg1.LIMIT << flRegionBitShift);
-	printf("Original ME start block: %08x ; ME end block: %08x\n", factoryDescriptorStruct.regionSection.flReg2.BASE << flRegionBitShift, factoryDescriptorStruct.regionSection.flReg2.LIMIT << flRegionBitShift);
-	printf("Original GBe start block: %08x ; GBe end block: %08x\n", factoryGbeRegionLocation, factoryDescriptorStruct.regionSection.flReg3.LIMIT << flRegionBitShift);
-
-	// Now we need to modify the descriptor so that the ME can be excluded
-	// from the final ROM image (libreboot one) after adding the modified
-	// descriptor+gbe. Refer to libreboot docs for details: docs/hcl/x200_remove_me.html
-
-	// set number of regions from 4 -> 2 (0 based, so 4 means 5 and 2
-	// means 3. We want 3 regions: descriptor, gbe and bios, in that order)
-	deblobbedDescriptorStruct.flMaps.flMap0.NR = 2;
-
-	// make descriptor writable from OS. This is that the user can run:
-	// sudo ./flashrom -p internal:laptop=force_I_want_a_brick 
-	// from the OS, without relying an an external SPI flasher, while
-	// being able to write to the descriptor region (locked by default,
-	// until making the change below):
-	deblobbedDescriptorStruct.masterAccessSection.flMstr1.fdRegionWriteAccess = 1;
-
-	// relocate BIOS region and increase size to fill image
-	deblobbedDescriptorStruct.regionSection.flReg1.BASE = 3; // 3<<12 is 12KiB, which is where BIOS region is to begin (after descriptor and gbe)
-	deblobbedDescriptorStruct.regionSection.flReg1.LIMIT = ((romSize >> flRegionBitShift) - 1);
-	// ^ for example, 8MB ROM, that's 8388608 bytes.
-	// ^ 8388608>>12 (or 8388608/4096) = 2048 bytes
-	// 2048 - 1 = 2047 bytes. 
-	// This defines where the final 0x1000 (4KiB) page starts in the flash chip, because the hardware does:
-	// 2047<<12 (or 2047*4096) = 8384512 bytes, or 7FF000 bytes
-	// (it can't be 0x7FFFFF because of limited number of bits)
-
-	// set ME region size to 0 - the ME is a blob, we don't want it in libreboot
-	deblobbedDescriptorStruct.regionSection.flReg2.BASE = 0x1FFF; // setting 1FFF means setting size to 0. 1FFF<<12 is outside of the ROM image (8MB) size?
-	// ^ datasheet says to set this to 1FFF, but FFF was previously used and also worked.
-	deblobbedDescriptorStruct.regionSection.flReg2.LIMIT = 0;
-	// ^ 0<<12=0, so basically, the size is 0, and the base (1FFF>>12) is well outside the higher 8MB range. 
-	
-	// relocate Gbe region to begin at 4KiB (immediately after the flash descriptor)
-	deblobbedDescriptorStruct.regionSection.flReg3.BASE = 1; // 1<<12 is 4096, which is where the Gbe region is to begin (after the descriptor)
-	deblobbedDescriptorStruct.regionSection.flReg3.LIMIT = 2;
-	// ^ 2<<12=8192 bytes. So we are set it to size 8KiB after the first 4KiB in the flash chip.
-
-	// set Platform region size to 0 - another blob that we don't want
-	deblobbedDescriptorStruct.regionSection.flReg4.BASE = 0x1FFF; // setting 1FFF means setting size to 0. 1FFF<<12 is outside of the ROM image (8MB) size?
-	// ^ datasheet says to set this to 1FFF, but FFF was previously used and also worked.
-	deblobbedDescriptorStruct.regionSection.flReg4.LIMIT = 0;
-	// ^ 0<<12=0, so basically, the size is 0, and the base (1FFF>>12) is well outside the higher 8MB range.
-
-	// disable ME in ICHSTRAP0 - the ME is a blob, we don't want it in libreboot
-	deblobbedDescriptorStruct.ichStraps.ichStrap0.meDisable = 1;
+	printf("\nOriginal Descriptor start block: %08x ; Descriptor end block: %08x\n", factoryDescriptorStruct.regionSection.flReg0.BASE << FLREGIONBITSHIFT, factoryDescriptorStruct.regionSection.flReg0.LIMIT << FLREGIONBITSHIFT);
+	printf("Original BIOS start block: %08x ; BIOS end block: %08x\n", factoryDescriptorStruct.regionSection.flReg1.BASE << FLREGIONBITSHIFT, factoryDescriptorStruct.regionSection.flReg1.LIMIT << FLREGIONBITSHIFT);
+	printf("Original ME start block: %08x ; ME end block: %08x\n", factoryDescriptorStruct.regionSection.flReg2.BASE << FLREGIONBITSHIFT, factoryDescriptorStruct.regionSection.flReg2.LIMIT << FLREGIONBITSHIFT);
+	printf("Original GBe start block: %08x ; GBe end block: %08x\n", factoryGbeRegionLocation, factoryDescriptorStruct.regionSection.flReg3.LIMIT << FLREGIONBITSHIFT);
 
-	// disable ME and TPM in MCHSTRAP0
-	deblobbedDescriptorStruct.mchStraps.mchStrap0.meDisable = 1; // ME is a blob. not wanted in libreboot.
-	deblobbedDescriptorStruct.mchStraps.mchStrap0.tpmDisable = 1; // not wanted in libreboot
-
-	// disable ME, apart from chipset bugfixes (ME region should first be re-enabled above)
-	// This is sort of like the CPU microcode updates, but for the chipset
-	// (commented out below here, since blobs go against libreboot's purpose,
-	// but may be interesting for others)
-	// deblobbedDescriptorStruct.mchStraps.mchStrap0.meAlternateDisable = 1;
+	// Disable the ME and Platform regions. Put Gbe at the beginning (after descriptor). 
+	// Also, extend the BIOS region to fill the ROM image (after descriptor+gbe).
+	deblobbedDescriptorStruct = deblobbedFromFactory(deblobbedDescriptorStruct, romSize);
 
 	// debugging
-	printf("\nRelocated Descriptor start block: %08x ; Descriptor end block: %08x\n", deblobbedDescriptorStruct.regionSection.flReg0.BASE << flRegionBitShift, deblobbedDescriptorStruct.regionSection.flReg0.LIMIT << flRegionBitShift);
-	printf("Relocated BIOS start block: %08x ; BIOS end block: %08x\n", deblobbedDescriptorStruct.regionSection.flReg1.BASE << flRegionBitShift, deblobbedDescriptorStruct.regionSection.flReg1.LIMIT << flRegionBitShift);
-	printf("Relocated ME start block: %08x ; ME end block: %08x\n", deblobbedDescriptorStruct.regionSection.flReg2.BASE << flRegionBitShift, deblobbedDescriptorStruct.regionSection.flReg2.LIMIT << flRegionBitShift);
-	printf("Relocated GBe start block: %08x ; GBe end block: %08x\n", deblobbedDescriptorStruct.regionSection.flReg3.BASE << flRegionBitShift, deblobbedDescriptorStruct.regionSection.flReg3.LIMIT << flRegionBitShift);
+	printf("\nRelocated Descriptor start block: %08x ; Descriptor end block: %08x\n", deblobbedDescriptorStruct.regionSection.flReg0.BASE << FLREGIONBITSHIFT, deblobbedDescriptorStruct.regionSection.flReg0.LIMIT << FLREGIONBITSHIFT);
+	printf("Relocated BIOS start block: %08x ; BIOS end block: %08x\n", deblobbedDescriptorStruct.regionSection.flReg1.BASE << FLREGIONBITSHIFT, deblobbedDescriptorStruct.regionSection.flReg1.LIMIT << FLREGIONBITSHIFT);
+	printf("Relocated ME start block: %08x ; ME end block: %08x\n", deblobbedDescriptorStruct.regionSection.flReg2.BASE << FLREGIONBITSHIFT, deblobbedDescriptorStruct.regionSection.flReg2.LIMIT << FLREGIONBITSHIFT);
+	printf("Relocated GBe start block: %08x ; GBe end block: %08x\n", deblobbedDescriptorStruct.regionSection.flReg3.BASE << FLREGIONBITSHIFT, deblobbedDescriptorStruct.regionSection.flReg3.LIMIT << FLREGIONBITSHIFT);
 
 	// ----------------------------------------------------------------------------------------------------------------
 
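Review bot: The call-site comment above `deblobbedDescriptorStruct = deblobbedFromFactory(deblobbedDescriptorStruct, romSize);` describes only the region relocation, while the callee (defined in the last hunk) also sets `flMstr1.fdRegionWriteAccess = 1`, which removes the descriptor region's write lock from the OS side, and sets the ICH/MCH ME-disable and TPM-disable straps. That is the security-relevant part of the change and a reader of main() should not have to open the callee to learn it; I would extend the comment with `// Also unlocks OS write access to the descriptor region (flMstr1.fdRegionWriteAccess) and sets the ICH/MCH ME-disable and TPM-disable straps; see deblobbedFromFactory.` The parameter is named factoryDescriptorStruct but main passes deblobbedDescriptorStruct; whether that is still an unmodified copy of the factory descriptor at this point depends on code outside the hunk. main() starts and ends outside this hunk.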
@@ -322,6 +275,72 @@ int main(int argc, char *argv[])
 	return 0;
 }
 
+// Modify the flash descriptor, to remove the ME/AMT, and disable all other regions
+// Only Flash Descriptor, Gbe and BIOS regions (BIOS region fills romSize-12k) are left.
+// Tested on ThinkPad X200 and X200S. X200T and other GM45 targets may also work.
+struct DESCRIPTORREGIONRECORD deblobbedFromFactory(struct DESCRIPTORREGIONRECORD factoryDescriptorStruct, int romSize)
+{
+	struct DESCRIPTORREGIONRECORD deblobbedDescriptorStruct;
+	memcpy(&deblobbedDescriptorStruct, &factoryDescriptorStruct, DESCRIPTORREGIONSIZE);
+	
+	// Now we need to modify the descriptor so that the ME can be excluded
+	// from the final ROM image (libreboot one) after adding the modified
+	// descriptor+gbe. Refer to libreboot docs for details: docs/hcl/x200_remove_me.html
+
+	// set number of regions from 4 -> 2 (0 based, so 4 means 5 and 2
+	// means 3. We want 3 regions: descriptor, gbe and bios, in that order)
+	deblobbedDescriptorStruct.flMaps.flMap0.NR = 2;
+
+	// make descriptor writable from OS. This is that the user can run:
+	// sudo ./flashrom -p internal:laptop=force_I_want_a_brick 
+	// from the OS, without relying an an external SPI flasher, while
+	// being able to write to the descriptor region (locked by default,
+	// until making the change below):
+	deblobbedDescriptorStruct.masterAccessSection.flMstr1.fdRegionWriteAccess = 1;
+
+	// relocate BIOS region and increase size to fill image
+	deblobbedDescriptorStruct.regionSection.flReg1.BASE = 3; // 3<<FLREGIONBITSHIFT is 12KiB, which is where BIOS region is to begin (after descriptor and gbe)
+	deblobbedDescriptorStruct.regionSection.flReg1.LIMIT = ((romSize >> FLREGIONBITSHIFT) - 1);
+	// ^ for example, 8MB ROM, that's 8388608 bytes.
+	// ^ 8388608>>FLREGIONBITSHIFT (or 8388608/4096) = 2048 bytes
+	// 2048 - 1 = 2047 bytes. 
+	// This defines where the final 0x1000 (4KiB) page starts in the flash chip, because the hardware does:
+	// 2047<<FLREGIONBITSHIFT (or 2047*4096) = 8384512 bytes, or 7FF000 bytes
+	// (it can't be 0x7FFFFF because of limited number of bits)
+
+	// set ME region size to 0 - the ME is a blob, we don't want it in libreboot
+	deblobbedDescriptorStruct.regionSection.flReg2.BASE = 0x1FFF; // setting 1FFF means setting size to 0. 1FFF<<FLREGIONBITSHIFT is outside of the ROM image (8MB) size?
+	// ^ datasheet says to set this to 1FFF, but FFF was previously used and also worked.
+	deblobbedDescriptorStruct.regionSection.flReg2.LIMIT = 0;
+	// ^ 0<<FLREGIONBITSHIFT=0, so basically, the size is 0, and the base (1FFF>>FLREGIONBITSHIFT) is well outside the higher 8MB range. 
+	
+	// relocate Gbe region to begin at 4KiB (immediately after the flash descriptor)
+	deblobbedDescriptorStruct.regionSection.flReg3.BASE = 1; // 1<<FLREGIONBITSHIFT is 4096, which is where the Gbe region is to begin (after the descriptor)
+	deblobbedDescriptorStruct.regionSection.flReg3.LIMIT = 2;
+	// ^ 2<<FLREGIONBITSHIFT=8192 bytes. So we are set it to size 8KiB after the first 4KiB in the flash chip.
+
+	// set Platform region size to 0 - another blob that we don't want
+	deblobbedDescriptorStruct.regionSection.flReg4.BASE = 0x1FFF; // setting 1FFF means setting size to 0. 1FFF<<FLREGIONBITSHIFT is outside of the ROM image (8MB) size?
+	// ^ datasheet says to set this to 1FFF, but FFF was previously used and also worked.
+	deblobbedDescriptorStruct.regionSection.flReg4.LIMIT = 0;
+	// ^ 0<<FLREGIONBITSHIFT=0, so basically, the size is 0, and the base (1FFF>>FLREGIONBITSHIFT) is well outside the higher 8MB range.
+
+	// disable ME in ICHSTRAP0 - the ME is a blob, we don't want it in libreboot
+	deblobbedDescriptorStruct.ichStraps.ichStrap0.meDisable = 1;
+
+	// disable ME and TPM in MCHSTRAP0
+	deblobbedDescriptorStruct.mchStraps.mchStrap0.meDisable = 1; // ME is a blob. not wanted in libreboot.
+	deblobbedDescriptorStruct.mchStraps.mchStrap0.tpmDisable = 1; // not wanted in libreboot
+
+	// disable ME, apart from chipset bugfixes (ME region should first be re-enabled above)
+	// This is sort of like the CPU microcode updates, but for the chipset
+	// (commented out below here, since blobs go against libreboot's purpose,
+	// but may be interesting for others)
+	// deblobbedDescriptorStruct.mchStraps.mchStrap0.meAlternateDisable = 1;
+	
+	return deblobbedDescriptorStruct;
+}
+
 // checksum calculation for 4k gbe struct (algorithm based on datasheet)
 unsigned short gbeGetChecksumFrom4kStruct(struct GBEREGIONRECORD_4K gbeStruct4k, unsigned short desiredValue)
 {
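Review bot: `memcpy(&deblobbedDescriptorStruct, &factoryDescriptorStruct, DESCRIPTORREGIONSIZE);` copies a byte count that is not tied to the destination type: if `sizeof(struct DESCRIPTORREGIONRECORD)` ever differs from DESCRIPTORREGIONSIZE (padding, or a changed struct definition) this over- or under-copies a stack object. Since the parameter is already a by-value copy, plain assignment `deblobbedDescriptorStruct = factoryDescriptorStruct;` is sufficient and always the right size. `flReg1.LIMIT = ((romSize >> FLREGIONBITSHIFT) - 1)` accepts any int: a romSize of 0, a negative value, or one that is not a multiple of 4KiB silently produces a truncated or implementation-defined LIMIT, so I would reject those before touching the struct, e.g. `if (romSize <= 0 || (romSize & ((1 << FLREGIONBITSHIFT) - 1)) != 0) { /* report and bail; the struct return type has no error channel, so this check may belong at the caller */ }`. The header comment says the function disables "all other regions" and leaves Descriptor/Gbe/BIOS; I would also state there that it sets fdRegionWriteAccess, since that weakens the descriptor's write protection and is the change a reader most needs to know about.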
--
cgit v0.9.1