From 8b2219bfa2da36e7809588ef723a10483a6e137f Mon Sep 17 00:00:00 2001
From: Francis Rowe
- While not strictly related to the libreboot project, this guide
- is intended to be useful for those interested in installing
- Parabola on their libreboot machine. This is also beneficial because development
- is now being done on Parabola, where Trisquel is no longer used by the maintainer
- at the time of writing.
-
- It details configuration steps that I took after installing the base system,
- as a follow up to encrypted_parabola.html.
- This guide is likely to become obsolete at a later date (due to the volatile
- 'rolling-release' model that Arch/Parabola both use), but attempts will be made to maintain it.
-
-
- This guide was valid on 2014-09-21. If you see any changes that should to be made at the present date, please get in touch
- with the libreboot project!
-
-
- You do not necessarily have to follow this guide word-for-word; parabola is extremely flexible.
- The aim here is to provide a common setup that most users will be happy with. While Parabola
- can seem daunting at first glance (especially for new GNU/Linux users), with a simple guide it can provide
- all of the same usability as Trisquel, without hiding any details from the user.
-
- Paradoxically, as you get more advanced Parabola can actually become easier to use
- when you want to setup your machine in a special way compared to what most distributions provide.
- You will find over time that other distributions tend to get in your way.
-
-
- This guide assumes that you already have Parabola installed. If you have not yet installed Parabola,
- then this guide is highly recommended!
-
-
- A lot of the steps in this guide will refer to the Arch wiki. Arch is the upstream distribution that Parabola uses.
- Most of this guide will also tell you to read wiki articles, other pages, manuals, and so on. In general it tries
- to cherry pick the most useful information but nonetheless you are encouraged to learn as much as possible.
- It might take you a few days to fully install your system how you like, depending on how much you need to read. Patience is key,
- especially for new users.
-
- The Arch wiki will sometimes use bad language, such as calling the whole system Linux, using the term open-source (or closed-source),
- and it will sometimes recommend the use of proprietary software. You need to be careful about this when reading anything on the
- Arch wiki.
-
- Some of these steps require internet access. I'll go into networking later but for now, I just connected
- my machine to a switch and did:
- pacman (package manager) is the name of the package management system in Arch, which Parabola
- (as a deblobbed parallel effort) also uses. Like with 'apt-get' on debian-based systems like Trisquel,
- this can be used to add/remove and update the software on your computer.
-
- Based on https://wiki.parabolagnulinux.org/Installation_Guide#Configure_pacman
- and from reading https://wiki.archlinux.org/index.php/Pacman (make sure to read and understand this,
- it's very important) and
- https://wiki.parabolagnulinux.org/Official_Repositories
-
- In the end, I didn't change my configuration for pacman. When you are updating, resync with the latest package names/versions:
-
- Before installing packages with 'pacman -S', always update first, using the notes above.
-
-
- Keep an eye out on the output, or read it in /var/log/pacman.log. Sometimes, pacman will show messages
- about maintenance steps that you will need to perform with certain files (typically configurations)
- after the update. Also, you should check both the Parabola and Arch home pages to see if they mention any issues.
- If a new kernel is installed, you should also update to be able to use it (the currently running kernel will
- also be fine). It's generally good enough to update Parabola once every week, or maybe twice. As a
- rolling release distribution, it's a good idea never to leave your install too outdated; update regularly. This
- is simply because of the way the project works; old packages are deleted from the repositories quickly, once they are updated.
- A system that hasn't been updated for quite a while will mean potentially more reading of previous posts through the website,
- and more maintenance work.
-
- The Arch forum can also be useful, if others have the same issue as you (if you encounter issues, that is). Parabola's
- IRC channel (#parabola on freenode) can also help you.
-
- Due to this and the volatile nature of Parabola/Arch, you should only update when you have at least a couple hours of spare time
- in case of issues that need to be resolved. You should never update, for example, if you need your system for an important event,
- like a presentation or sending an email to an important person before an allocated deadline, and so on.
-
- Relax - packages are well-tested regularly when new updates are made to the repositories. Separate 'testing' repositories
- exist for this exact reason. Despite what many people will tell you, Parabola is fairly stable and trouble-free,
- so long as you are aware of how to check for issues, and are willing to spend some time fixing issues in
- the rare event that they do occur.
-
- Parabola is a very simple distro, in the sense that you are in full control
- and everything is made transparent to you. One consequence is
- that you also need to know what you are doing, and what you have done before. In general, keeping notes (such as what I have done
- with this page) can be very useful as a reference in the future (if you wanted to re-install it or install the distro
- on another computer, for example).
-
-
- The following is very important as you continue to use, update and maintain your Parabola system:
- To clean out all old packages that are cached:
- The wiki cautions that this should be used with care. For example, since older packages are deleted from the repo,
- if you encounter issues and want to revert back to an older package then it's useful to have the caches available.
- Only do this if you are sure that you won't need it.
-
- The wiki also mentions this method for removing everything from the cache, including currently installed packages that are cached:
- The following table lists other distro package manager commands, and their equivalent in pacman:
- your-freedom is a package specific to Parabola, and it is installed by default. What it does is conflict with packages
- from Arch that are known to be non-free (proprietary) software. When migrating from Arch (there is a guide on the Parabola
- wiki for migrating - converting - an existing Arch system to a Parabola system), installing
- your-freedom will also fail if these packages are installed, citing them as conflicts; the recommended solution
- is then to delete the offending packages, and continue installing your-freedom.
-
- Based on https://wiki.archlinux.org/index.php/Users_and_Groups.
-
- It is important (for security reasons) to create and use a non-root (non-admin) user account for every day use. The default 'root' account is intended
- only for critical administrative work, since it has complete access to the entire operating system.
-
- Read the entire document linked to above, and then continue.
-
- Add your user:
- This is the name of the system used for managing services in Parabola. It is a good idea to become familiar with it.
- Read https://wiki.archlinux.org/index.php/systemd
- and https://wiki.archlinux.org/index.php/systemd#Basic_systemctl_usage
- to gain a full understanding. This is very important! Make sure to read them.
-
- An example of a 'service' could be a webserver (such as lighttpd), or sshd (openssh), dhcp, etc. There are countless others.
-
- https://bbs.archlinux.org/viewtopic.php?pid=1149530#p1149530 explains
- the background behind the decision by Arch (Parabola's upstream supplier) to use systemd.
-
- The manpage should also help:
- According to the wiki, systemd 'journal' keeps logs of a size up to 10% of the total size your / partition takes up.
- on a 60GB root this would mean 6GB. That's not exactly practical, and can have performance implications later when the
- log gets too big. Based on instructions from the wiki, I will reduce the total size of the journal to 50MiB (the wiki
- recommends 50MiB).
-
- Open /etc/systemd/journald.conf and find the line that says:
- The wiki also recommended a method for forwarding journal output to TTY 12 (accessible by pressing ctrl+alt+f12,
- and you use ctrl+alt+[F1-F12] to switch between terminals). I decided not to enable it.
-
- Restart journald:
- The wiki recommends that if the journal gets too large, you can also simply delete (rm -rf) everything inside /var/log/journald/*
- but recommends backing it up. This shouldn't be necessary, since you already set the size limit above and systemd will automatically
- start to delete older records when the journal size reaches it's limit (according to systemd developers).
-
- Finally, the wiki mentions 'temporary' files and the utility for managing them.
- I looked in /etc/tmpfiles.d/ and found that it was empty on my system. However, /usr/lib/tmpfiles.d/ contained some files.
- The first one was etc.conf, containing information and a reference to this manpage:
- The systemd developers tell me that it usually isn't necessary to touch the systemd-tmpfiles utility manually at all.
-
- Parabola wiki at https://wiki.parabolagnulinux.org/Repositories#kernels
- mentions about a repository called [kernels] for custom kernels that aren't in the default base. It might be worth looking into what is available
- there, depending on your use case.
-
- I enabled it on my system, to see what was in it. Edit /etc/pacman.conf and below the 'extra' section add:
- Now sync with the repository:
- List all available packages in this repository:
- In the end, I decided not to install anything from it but I kept the repository enabled regardless.
-
- Read https://wiki.archlinux.org/index.php/Configuring_Network.
-
- This should be the same as the hostname that you set in /etc/hostname when installing Parabola. You can also do it with systemd (do so now, if you like):
- Add the same hostname to /etc/hosts, on each line. Example:
- You'll note that I set both lines; the 2nd line is for IPv6. More and more ISP's are providing this now (mine does)
- so it's good to be forward-thinking here.
-
- The hostname utility is part of the inetutils package and is in core/, installed by default (as part of base).
-
- According to the Arch wiki, udev should already detect the ethernet chipset
- and load the driver for it automatically at boot time. You can check this in the "Ethernet controller" section
- when running this command:
- Look at the remaining sections 'Kernel driver in use' and 'Kernel modules'. In my case it was as follows:
- Check that the driver was loaded by issuing dmesg | grep module_name. In my case, I did:
- According to https://wiki.archlinux.org/index.php/Configuring_Network#Device_names,
- it is important to note that the old interface names like eth0, wlan0, wwan0 and so on no longer apply. Instead, systemd
- creates device names starting with en (for enternet), wl (for wifi) and ww (for wwan) with a fixed identifier that systemd automatically generates.
- An example device name for your ethernet chipset would be enp0s25, where it is never supposed to change.
-
- If you want to enable the old names (eth0, wlan0, wwan0, etc), the Arch wiki recommends
- adding net.ifnames=0 to your kernel parameters (in libreboot context, this would be accomplished by following the
- instructions in grub_cbfs.html).
-
- For background information,
- read Predictable Network Interface Names
-
- Show device names:
- Changing the device names is possible (I chose not to do it):
- I actually chose to ignore most of Networking section on the wiki. Instead, I plan to setup LXDE desktop with the graphical
- network-manager client. Here is a list of network managers:
- Read https://wiki.archlinux.org/index.php/System_maintenance before continuing.
- Also read https://wiki.archlinux.org/index.php/Enhance_system_stability.
- This is important, so make sure to read them!
-
- Install smartmontools (can be used to check smart data - note: HDD's use non-free firmware inside, it's transparent to you
- but the smart data comes from it. Therefore, don't rely on it too much):
- Based on steps from
- General Recommendations on the Arch wiki.
- The plan is to use LXDE and LXDM/LightDM, along with everything else that you would expect on other distributions that provide LXDE
- by default.
-
- Based on https://wiki.archlinux.org/index.php/Xorg.
-
- Firstly, install it!
- Install the driver. For me this was xf86-video-intel on the ThinkPad X60. T60 and macbook11/21 should be the same.
- Other drivers (not just video) can be found by looking at the xorg-drivers group:
- Mostly you will rely on a display manager, but in case you ever want to start X without one:
- <optional>
- Refer to https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg.
-
- Xorg uses a different configuration method for keyboard layouts, so you will notice that the layout you
- set in /etc/vconsole.conf earlier might not actually be the same in X.
-
- To see what layout you currently use, try this on a terminal emulator in X:
- In my case, I wanted to use the Dvorak (UK) keyboard which is quite different from Xorg's default Qwerty (US) layout.
-
- I'll just say it now: XkbModel can be pc105 in this case (ThinkPad X60, with a 105-key UK keyboard).
- If you use an American keyboard (typically 104 keys) you will want to use pc104.
-
- XkbLayout in my case would be gb, and XkbVariant would be dvorak.
-
- The Arch wiki recommends two different methods for setting the keyboard layout:
- In my case, I chose to use the configuration file method:
- For you, the steps above may differ if you have a different layout. If you use a US Qwerty keyboard, then
- you don't even need to do anything (though it might help, for the sake of being explicit).
-
- Desktop choice isn't that important to me, so for simplicity I decided to use LXDE. It's lightweight
- and does everything that I need.
- If you would like to try something different, refer to
- https://wiki.archlinux.org/index.php/Desktop_environment
-
- Refer to https://wiki.archlinux.org/index.php/LXDE.
-
- Install it, choosing 'all' when asked for the default package list:
- I didn't want the following, so I removed them:
- I also lazily installed all fonts:
- LXDE comes with a terminal. You probably want a browser to go with that; I choose GNU IceCat, part of the GNU project:
- In IceCat, go to Preferences :: Advanced and disable GNU IceCat Health Report.
-
- I also like to install these:
- Enable LXDM (the default display manager, providing a graphical login):
- Log in with your standard (non-root) user that you created earlier.
- It is advisable to also create an xinitrc rule in case you ever want to start lxde without lxdm.
- Read https://wiki.archlinux.org/index.php/Xinitrc.
-
- Open LXterminal:
- In Digital Clock Settings (right click the clock) I set the Clock Format to %Y/%m/%d %H:%M:%S
-
- NOTE TO SELF: come back to this later.
-
- Arch wiki recommends to use xscreensaver:
- Under Preferences :: Screensaver in the LXDE menu, I chose Mode: Blank Screen Only,
- setting Blank After, Cycle After and Lock Screen After (checked) to 10 minutes.
-
- You can now lock the screen with Logout :: Lock Screen in the LXDE menu.
-
- Refer to https://wiki.archlinux.org/index.php/File_manager_functionality.
-
- I chose to ignore this for now. NOTE TO SELF: come back to this later.
-
- When closing the laptop lid, the machine suspends. This is annoying at least to me.
- NOTE TO SELF: disable it, then document the steps here.
-
- Right click lxde panel and Add/Remove Panel Items. Click Add and select Battery Monitor, then click Add.
- Close and then right-click the applet and go to Battery Monitor Settings, check the box that says Show Extended Information.
- Now click Close. When you hover the cursor over it, it'll show information about the battery.
-
- Refer to https://wiki.archlinux.org/index.php/LXDE#Network_Management.
- Then I read: https://wiki.archlinux.org/index.php/NetworkManager.
-
- Install Network Manager:
- You will also want the graphical applet:
- I want to be able to use a VPN at some point, so the wiki tells me to do:
- LXDE uses openbox, so I refer to:
- It tells me for the applet I need:
- I wanted to quickly enable networkmanager:
- Restart LXDE (log out, and then log back in).
-
- I added the volume control applet to the panel (right click panel, and add a new applet).
- I also later changed the icons to use the gnome icon theme, in lxappearance.
-
- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information.
-
- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt
-
-
-
diff --git a/docs/howtos/encrypted_parabola.html b/docs/howtos/encrypted_parabola.html
deleted file mode 100644
index 3a1a75d..0000000
--- a/docs/howtos/encrypted_parabola.html
+++ /dev/null
@@ -1,577 +0,0 @@
-
-
-
- Libreboot uses the GRUB payload
- by default, which means that the GRUB configuration file
- (where your GRUB menu comes from) is stored directly alongside libreboot
- and it's GRUB payload executable, inside
- the flash chip. In context, this means that installing distributions and managing them
- is handled slightly differently compared to traditional BIOS systems.
-
- On most systems, the /boot partition has to be left unencrypted while the others are encrypted.
- This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware
- can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a
- payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical
- access to the machine.
-
- Boot Parabola's install environment. How to boot a GNU/Linux installer.
-
- For this guide I used the 2013 09 01 image to boot the live installer and install the system.
-
- Parabola is much more flexible than Trisquel, but also more involved to setup. Use Parabola. It's 10 million times better than Trisquel.
-
- Firstly if you use an SSD, beware there are issues with TRIM (not enabled through luks) and security issues if you do enable it.
- See this page
- for more info.
-
- If you are using an SSD for this, make sure it's brand-new (or barely used). Or, otherwise, be sure that it never previously
- contained plaintext copies of your data.
-
- Wipe the MBR (if you use MBR):
- Securely wipe the drive:
- If your drive was already LUKS encrypted (maybe you are re-installing your distro) then
- it is already 'wiped'. You should just wipe the LUKS header.
- https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/
- showed me how to do this. It recommends to do the first 3MiB. Now, that guide is recommending putting zero there. I'm doing to use urandom. Do this:
-
- If you do plan to use an SSD, make sure to read
- https://wiki.archlinux.org/index.php/Solid_State_Drives
- This guide will go through the installation steps taken at the time of writing, which may or may not change due to
- the volatile nature of Parabola (it changes all the time). In general most of it should remain the same. If you spot mistakes,
- please say so! This guide will be ported to the Parabola wiki at a later date. For up to date Parabola install guide, go to
- the Parabola wiki. This guide essentially cherry picks the useful information (valid at the time of writing: 2014-09-15).
-
- Parabola live shell assumes US Qwerty. If you have something different, use:
- The beginning is based on https://wiki.parabolagnulinux.org/Installation_Guide.
- Then I referred to https://wiki.archlinux.org/index.php/Partitioning at first.
-
- device-mapper will be used - a lot. Make sure that the kernel module is loaded:
- I am using MBR partitioning, so I use cfdisk:
- I create a single large sda1 filling the whole drive, leaving it as the default type 'Linux' (83).
-
- Now I refer to https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparation#Partitioning:
- Parabola forces you to RTFM.
-
- It tells me to run:
- Following that page, based on my requirements, I do the following based on
- based on https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode.
- Reading through, it seems like Serpent (encryption) and Whirlpool (hash) is the best option.
-
- I am initializing LUKS with the following:
- Now I refer to https://wiki.archlinux.org/index.php/LVM.
-
- Open the LUKS partition:
- Create LVM partition:
- Now I create the volume group, inside of which the logical volumes will be created:
- Now create the logical volumes:
- Verify that the logical volumes were created, using the following command:
- For the swapvol LV I use:
- For the rootvol LV I use:
- Mount the root (/) partition:
- This guide is really about GRUB, Parabola and cryptomount. I have to show how to install Parabola
- so that the guide can continue.
-
- Now I am following the rest of https://wiki.parabolagnulinux.org/Installation_Guide.
- I also also cross referencing https://wiki.archlinux.org/index.php/Installation_guide.
-
- Create /home and /boot on rootvol mountpoint:
- The wiki says to enable the swap so that it can be detected by 'genfstab':
- DHCP was already working for me, so I had internet during the install. Therefore, I ignore the 'Connect to the Internet' section of the install guide.
- I also ignore wifi, since I can set that up after the install. For now, I am just using ethernet.
- Otherwise, refer to https://wiki.archlinux.org/index.php/Configuring_Network.
- You can test to see if internet is already working by pinging a few domains.
-
- I commented out all lines except the Server line for the UK Parabola server (main server) in /etc/pacman.d/mirrorlist and then did:
- <troubleshooting>
- I also like to install other packages (base-devel, compilers and so on) and wpa_supplicant/dialog are needed for wireless after the install:
- From the Parabola installation guide (Arch's one was identical):
- Chroot into new system:
- It's a good idea to have this installed:
- It was also suggested that you should install this kernel (read up on what GRSEC is):
- This is another kernel that sits inside /boot, which you can use. LTS means 'long-term support'. These are so-called 'stable' kernels
- that can be used as a fallback during updates, if a bad kernel causes issues for you.
-
- Parabola does not have wget. This is sinister. Install it:
- At the time of writing, Parabola used SHA512 by default for it's password hashing.
-
- I referred to https://wiki.archlinux.org/index.php/SHA_password_hashes.
-
- Open /etc/pam.d/passwd and add rounds=65536 at the end of the uncommented 'password' line.
-
- # passwd root
- Based on https://wiki.archlinux.org/index.php/Security.
-
- Restrict access to important directories:
- Lockout user after three failed login attempts:
- Configure sudo - not covered here. Will be covered post-installation in another tutorial, at a later date.
- If this is a single-user system, you don't really need sudo.
-
- Exit from chroot:
- unmount:
- deactivate the lvm lv's:
- Lock the encrypted partition (close it):
- # shutdown -h now
- Initially you will have to boot manually. Press C to get to the GRUB command line. The underlined parts are optional
- (using those 2 underlines will boot lts kernel instead of normal).
-
- grub> cryptomount -a (ahci0,msdos1)
- You could also make it load /boot/vmlinuz-linux-libre-grsec and /boot/initramfs-linux-libre-grsec.img
-
- Now you need to modify the ROM, so that Parabola can boot automatically with this configuration.
- grub_cbfs.html shows you how. Follow that guide, using the configuration details below.
-
- Inside the 'Load Operating System' menu entry, change the contents to:
- Note: the underlined parts above (-lts) can also be removed, to boot the latest kernel instead of LTS (long-term support) kernels.
- You could also copy the menu entry and in one have -lts, and without in the other menuentry.
- You could also create a menu entry to load /boot/vmlinuz-linux-libre-grsec and /boot/initramfs-linux-libre-grsec.img
-
- Personally, I opted to have the entry for linux-libre-grsec at the top, so that it would load by default.
-
- Above the 'Load Operating System' menu entry you should also add a GRUB password, like so:
-
- Note that the above entry specifies user 'root'; this is just a username for GRUB. You don't even need to use root.
- Change root on both of those 2 lines to whatever you want.
-
- Start dhcp on ethernet:
- The password hash (it's password, by the way) after 'password_pbkdf2 root' should be changed and is created by the grub-mkpasswd-pbkdf2 utility, which you need to install or otherwise compile,
- like so:
- GRUB isn't needed for booting, since it's already included as a payload in libreboot. This is only so that the utility needed becomes available. Get your hash
- by entering your chosen password at the prompt, when running this command:
- It will output the hash for the password that you entered. Make sure to specify a password that is different from both your LUKS *and* your root/user password.
- Use it to replace the default hash mentioned above.
-
- With this setup, you will have to enter a password at boot time, in GRUB, before being able to use any of the menu entries or switch to the terminal.
- This protects your system from an attacker simply booting a live usb distro and re-flashing the boot firmware.
-
- You probably only need base-devel (compilers and so on) to build and use cbfstool. It was already installed if you followed this tutorial, but here it is:
- For flashing the modified ROM, I just used flashrom from the Parabola repo's:
- When done, deleted GRUB (remember, we only needed it for the grub-mkpasswd-pbkdf2 utility;
- GRUB is already part of libreboot, flashed alongside it as a payload):
- If you followed all that correctly, you should now have a fully encrypted Parabola installation.
- This is a very barebones Parabola install (the default one). Refer to the wiki for how to do the rest
- (desktop, etc).
-
- https://wiki.archlinux.org/index.php/Security.
- configuring_parabola.html shows my own notes post-installation. Using these, you can get a basic
- system similar to the one that I chose for myself. You can also cherry pick useful notes and come up with your own system.
- Parabola is user-centric, which means that you are in control. For more information, read The Arch Way
- (Parabola also follows it).
-
- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information.
-
- Libreboot uses the GRUB payload
- by default, which means that the GRUB configuration file
- (where your GRUB menu comes from) is stored directly alongside libreboot
- and it's GRUB payload executable, inside
- the flash chip. In context, this means that installing distributions and managing them
- is handled slightly differently compared to traditional BIOS systems.
-
- On most systems, the /boot partition has to be left unencrypted while the others are encrypted.
- This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware
- can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a
- payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical
- access to the machine.
-
- This works in Trisquel 7, and probably Trisquel 6. Boot the 'net installer' (Install Trisquel in Text Mode). How to boot a GNU/Linux installer.
-
- Set a strong user password (ideally above 40 characters, of lowercase/uppercase, numbers and symbols).
-
- when the installer asks you to setup
- encryption (ecryptfs) for your home directory, select 'Yes' if you want to: LUKS is already secure and performs well. Having ecryptfs on top of it
- will add noticeable performance penalty, for little security gain in most use cases. This is therefore optional, and not recommended.
- Choose 'no'.
-
-
- Your user password should be different than the LUKS password which you will set later on.
- Your LUKS password should, like the user password, be secure.
-
- Choose 'Manual' partitioning:
- Now you are back at the main partitioning screen. You will simply set mountpoints and filesystems to use.
-
- Installation will ask what kernel you want to use. linux-generic is fine.
-
- Choose "Trisquel Desktop Environment" if you want GNOME,
- "Trisquel-mini Desktop Environment" if you
- want LXDE or "Triskel Desktop Environment" if you want KDE.
- If you want to have no desktop (just a basic shell)
- when you boot or if you want to create your own custom setup, then choose nothing here (don't select anything).
- You might also want to choose some of the other package groups; it's up to you.
-
- If asked, choose "No Configuration" here (or maybe you want to select something else. It's up to you.)
-
- Choose 'Yes'. It will fail, but don't worry. Then at the main menu, choose 'Continue without a bootloader'.
- You could also choose 'No'. Choice is irrelevant here.
-
- You do not need to install GRUB at all, since in libreboot you are using the GRUB payload (for libreboot) to boot your system directly.
-
- Just say 'Yes'.
-
- At this point, you will have finished the installation. At your GRUB payload, press C to get to the command line.
-
- Do that:
- If you didn't encrypted your home directory, then you can safely ignore this section.
-
- Immediately after logging in, do that:
- This will be needed in the future if you ever need to recover your home directory from another system, so write it down and keep the note
- somewhere secret. Ideally, you should memorize it and then burn the note (or not even write it down, and memorize it still)>
-
- Now you need to set it up so that the system will automatically boot, without having to type a bunch of commands.
-
- Modify your grub.cfg (in the firmware) using this tutorial;
- just change the default menu entry 'Load Operating System' to say this inside:
-
- cryptomount -a (ahci0,msdos1)
- Additionally, you should set a GRUB password. This is not your LUKS password, but it's a password that you have to enter to see
- GRUB. This protects your system from an attacker simply booting a live USB and re-flashing your firmware. This should be different than your LUKS passphrase and user password.
-
- The GRUB utility can be used like so:
- Give it a password (remember, it has to be secure) and it'll output something like:
- Put that in the grub.cfg (the one for CBFS inside the ROM) before the 'Load Operating System' menu entry like so (example):
- Obviously, replace it with the correct hash that you actually got for the password that you entered. Meaning, not the hash that you see above!
-
- After this, you will have a modified ROM with the menu entry for cryptomount, and the entry before that for the GRUB password. Flash the modified ROM
- using this tutorial.
-
- $ sudo apt-get update
- If you followed all that correctly, you should now have a fully encrypted system.
-
- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information.
-
- Connect the USB drive. Check dmesg:
- Check that it wasn't automatically mounted. If it was, unmount it. For example:
- dmesg told you what device it is. Overwrite the drive, writing your distro ISO to it with dd. For example:
- Boot it in GRUB using the Parse ISOLINUX config (USB) option (it's in default libreboot grub.cfg, at least).
-
- A new menu should appear in GRUB, showing the boot options for that distro; this is a GRUB menu, converted from the usual
- ISOLINUX menu provided by that distro.
-
- If the ISOLINUX parser won't work, then press C to get to GRUB command line.
- Now look at the ISOLINUX menuentry. It'll look like:
- Most of these issues occur when using libreboot with coreboot's 'text mode' instead of the coreboot framebuffer.
- This mode is useful for booting payloads like memtest86+ which expect text-mode, but for GNU/Linux distributions
- it can be problematic when they are trying to switch to a framebuffer because it doesn't exist.
-
- In most cases, you should use the vesafb ROM's. Example filename: libreboot_ukdvorak_vesafb.rom.
-
- Use one of the ROM images with vesafb in the filename (uses coreboot framebuffer instead of text-mode).
-
- When using the ROM images that use coreboot's "text mode" instead of the coreboot framebuffer,
- booting the Trisquel net installer results in graphical corruption because it is trying to switch to a framebuffer which doesn't
- exist. Use that kernel parameter on the 'linux' line when booting it:
- Tested in Trisquel 6 (and 7). This forces debian-installer to start in text-mode, instead of trying to switch to a framebuffer.
-
- If selecting text-mode from a GRUB menu created using the ISOLINUX parser, you can press E on the menu entry to add this.
- Or, if you are booting manually (from GRUB terminal) then just add the parameters.
-
- This workaround was found on the page: https://www.debian.org/releases/stable/i386/ch05s04.html.
- It should also work for gNewSense, Debian and any other apt-get distro that provides debian-installer (text mode) net install method.
-
- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information.
-
- Libreboot uses the GRUB payload
- by default, which means that the GRUB configuration file
- (where your GRUB menu comes from) is stored directly alongside libreboot
- and it's GRUB payload executable, inside
- the flash chip. In context, this means that installing distributions and managing them
- is handled slightly differently compared to traditional BIOS systems.
-
- A libreboot (or coreboot) ROM image is not simply "flat"; there is an actual
- filesystem inside called CBFS (coreboot filesystem). A utility called 'cbfstool'
- allows you to change the contents of the ROM image. In this case, libreboot is configured
- such that the 'grub.cfg' and 'grubtest.cfg' files exists directly inside CBFS instead of
- inside the GRUB payload's 'memdisk' (which is itself stored in CBFS).
-
- Here is an excellent writeup about CBFS (coreboot filesystem):
- http://lennartb.home.xs4all.nl/coreboot/col5.html.
-
- Download the latest release from
- http://libreboot.org/
-
- Install the build dependencies.
-
- If you are working with libreboot_src, then you can run make command in
- libreboot_src/coreboot/util/cbfstool to build the cbfstool and rmodtool
- executable.
-
- Alternatively if you are working with libreboot_bin, then you can run ./builddeps-cbfstool
- command inside libreboot_bin/; a cbfstool and rmodtool
- executable will appear under libreboot_bin/
-
- You can work directly with one of the ROM's already included in the libreboot ROM archives. For the purpose of
- this tutorial it is assumed that your ROM is named libreboot.rom so please make sure to adapt.
-
- If you want to re-use the ROM that you currently have flashed (and running) then see
- ../index.html#build_flashrom
- and then run:
- If you currently have flashed a ROM image from an older version, it is recommended to update first:
- basically, modify one of the latest ROM's and then flash it.
-
- Display contents of ROM:
- The libreboot.rom file contains your grub.cfg and grubtest.cfg files.
- You should extract, modify and re-insert the copy first. grub.cfg will load first,
- but it has a menu entry for switching to the copy (grubtest.cfg).
- This reduces your chance of making a mistake that could make your machine unbootable (or very hard to boot).
-
- Extract grubtest.cfg from the ROM image:
- Now you have a grubtest.cfg in cbfstool directory. Edit it however you wish.
-
- These are some common examples of ways in which the grubtest.cfg file can be modified.
-
- As an example, on my test system in /boot/grub/grub.cfg (on the HDD/SSD) I see for the main menu entry:
-
- ro, quiet, splash, crashkernel=384M-2G:64M,2G-:128M and
- $vt_handoff can be safely ignored.
-
- I use this to get my partition layout:
- In my case, I have no /boot partition, instead /boot is on the same partition as / on sda1.
- Yours might be different. In GRUB terms, sda means ahci0. 1 means msdos1, or gpt1, depending
- on whether I am using MBR or GPT partitioning. Thus, /dev/sda1 is GRUB is (ahci0,msdos1) or
- (ahci0,gpt1). In my case, I use MBR partitioning so it's (ahci0,msdos1).
- 'msdos' is GRUB's name simply because this partitioning type is traditionally used by MS-DOS.
- It doesn't mean you have a proprietary OS.
-
- Trisquel doesn't keep the filenames of kernels consistent, instead it keeps old kernels and
- new kernel updates are provided with the version in the filename. This can make GRUB payload
- a bit tricky. Fortunately, there are symlinks /vmlinuz and /initrd.img
- so if your /boot and / are on the same partition, you can set GRUB to boot from that.
- These are also updated automatically when installing kernel updates from your distributions
- apt-get repositories.
-
- Note: when using jxself kernel releases,
- these are not updated at all and you have to update them manually.
-
-
- For the GRUB payload's grubtest.cfg (in the 'Load Operating System' menu entry), we therefore have (in this example):
- Optionally, you can convert the UUID to it's real device name, for example /dev/sda1 in this case.
- sdX naming isn't very reliable, though, which is why UUID is used for most distributions.
-
- Alternatively, if your /boot is on a separate partition then you cannot rely on the /vmlinuz and /initrd.img symlinks.
- Instead, go into /boot and create your own symlinks (update them manually when you install a new kernel update).
- Replace the underlined kernel and initrd filenames above with the actual filenames, of course.
-
- Then your grubtest.cfg menu entry (for payload) becomes like that, for example if / was on sda2 and /boot was on sda1:
- There are lots of possible variations so please try to adapt.
-
- You can basically adapt the above. Note however that Parabola does not keep old kernels still installed, and the file names
- are always consistent, so you don't need to boot from symlinks, you can just use the real thing directly.
-
- Delete the grubtest.cfg that remained inside the ROM:
- Display ROM contents and now you see grubtest.cfg no longer exists there:
- Add the modified version that you just made:
- Now display ROM contents again and see that it exists again:
-
- Now you have a modified ROM. Refer back to ../index.html#flashrom for information
- on how to flash it. Once you have done that, shut down and then boot up with your new test configuration.
-
-
- Choose (in GRUB) the menu entry that switches to grubtest.cfg. If it works, then your config is safe and you can continue below.
-
-
- If it does not work like you want it to, if you are unsure or sceptical in any way,
- then re-do the steps above until you get it right! Do *not* proceed past this point
- unless you are 100% sure that your new configuration is safe (or desirable) to use.
-
-
- Create a copy of grubtest.cfg, called grub.cfg, which is the same except for one difference:
- change the menuentry 'Switch to grub.cfg' to 'Switch to grubtest.cfg' and inside it,
- change all instances of grub.cfg to grubtest.cfg. This is so that the main config still
- links (in the menu) to grubtest.cfg, so that you don't have to manually switch to it, in
- case you ever want to follow this guide again in the future (modifying the already modified config)
- Delete the grub.cfg that remained inside the ROM:
- Display ROM contents and now you see grub.cfg no longer exists there:
- Add the modified version that you just made:
- Now display ROM contents again and see that it exists again:
-
- Now you have a modified ROM. Refer back to ../index.html#flashrom for information
- on how to flash it. Once you have done that, shut down and then boot up with your new configuration.
-
-
- A user reported that segmentation faults occur with cbfstool
- when using this procedure depending on the size of the grub.cfg being re-insterted.
- In his case, a minimum size of 857 bytes was required. This could (at the time of
- this release) be a bug in cbfstool that should be investigated with the coreboot
- community. If cbfstool segfaults, then keep this in mind. 'strace' (or gdb? clang?)
- could be used for debugging. This was in libreboot 5th release (based on coreboot
- from late 2013), and I'm not sure if the issue perists in the current releases.
- I have not been able to reproduce it. strace (from that user) is here:
- cbfstool_libreboot5_strace.
- The issue has been reported by a few users, so it does not happen all the time:
- this bug (if it still exists) could (should) be reproduced.
-
- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information.
- Or go back to main index
- Remove those screws and remove the HDD:
- Lift off the palm rest:
- Lift up the keyboard, pull it back a bit, flip it over like that and then disconnect it from the board:
- Gently wedge both sides loose:
- Remove that cable from the position:
- Remove the bezel (sorry forgot to take pics).
-
- On the CPU (and there is another chip south-east to it, sorry forgot to take pic)
- clean off the old thermal paste (rubbing a1ocheal (misspelling intentional. halal internet)) and apply new (Artic Silver 5 is good, others are good too)
- you should also clean the heatsink the same way
- This is also an opportunity to change the CPU to another one. For example if you had a Core Duo T2400, you can upgrade it to a better processor
- (higher speed, 64-bit support). A Core 2 Duo T7600 was installed here.
-
- Attach the heatsink and install the screws (also, make sure to install the AC jack as highlighted):
- Reinstall that upper bezel:
- Do that:
- Attach keyboard:
- Place keyboard and (sorry, forgot to take pics) reinstall the palmrest and insert screws on the underside:
- It lives!
- Always stress test ('stress -c 2' and xsensors. below 90C is ok) when replacing cpu paste/heatsink:
- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information.
- Or go back to main index
- Remove those covers and unscrew:
- Gently pry off the front bezel.
-
- Remove inverter board:
- Disconnect LCD cable:
- Remove the panel:
- Move the rails (left and right side) from the old panel to the new one and then attach LCD cable:
- Insert panel (this one is an LG-Philips LP150E05-A2K1, and there are others. See ../index.html#supported_t60_list):
- Insert new inverter board (see ../index.html#supported_t60_list for what is recommended on your LCD panel):
- Now re-attach the front bezel and put all the screws in.
-
- It lives!
- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information.
- Or go back to main index
- Most people think of security on the software side: the hardware is important aswell.
- Hardware security is useful in particular to journalists (or activists in a given movement) who need absolute privacy in their work.
- It is also generally useful to all those that believe security and privacy are inalienable rights.
- Security starts with the hardware; crypto and network security come later.
-
- Paradoxically, going this far to increase your security also makes you a bigger target.
- At the same time, it protects you in the case that someone does attack your machine.
- This paradox only exists while few people take adequate steps to protect yourself: it is your duty
- to protect yourself, not only for your benefit but to make strong security normal so
- that those who do need protection (and claim it) are a smaller target against the masses.
-
- Even if there are levels of security beyond your ability (technically, financially and so on)
- doing at least something (what you are able to do) is extremely important.
- If you use the internet and your computer without protection, attacking you is cheap (some say it is
- only a few US cents). If everyone (majority of people) use strong security by default,
- it makes attacks more costly and time consuming; in effect, making them disappear.
-
- This tutorial deals with reducing the number of devices that have direct memory access that
- could communicate with inputs/outputs that could be used to remotely
- command the machine (or leak data).
-
- Remove those screws and remove the HDD:
- Lift off the palm rest:
- Lift up the keyboard, pull it back a bit, flip it over like that and then disconnect it from the board:
- Gently wedge both sides loose:
- Remove that cable from the position:
- Now remove that bezel. Remove wifi, nvram battery and speaker connector (also remove 56k modem, on the left of wifi):
- Remove those screws:
- Disconnect the power jack:
- Remove nvram battery (we will put it back later):
- Disconnect cable (for 56k modem) and disconnect the other cable:
- Disconnect speaker cable:
- Disconnect the other end of the 56k modem cable:
- Make sure you removed it:
- Unscrew those:
- Make sure you removed those:
- Disconnect LCD cable from board:
- Remove those screws then remove the LCD assembly:
- Once again, make sure you removed those:
- Remove the shielding containing the motherboard, then flip it over. Remove these screws, placing them on a steady
- surface in the same layout as they were in before you removed them. Also, you should mark each screw hole after removing the
- screw (a permanent marker pen will do), this is so that you have a point of reference when re-assembling the machine:
- Remove microphone (soldering iron not needed. Just wedge it out gently):
- Remove infrared:
- Remove cardbus (it's in a socket, no need to disable. Just remove the port itself):
- Before re-installing the upper chassis, remove the speaker:
- Remove the wwan:
- This is where the simcard connector is soldered. See notes above about wwan. Remove simcard by removing battery
- and then it's accessible (so, remember to do this when you re-assemble. or you could do it now?)
- Put those screws back:
- Put it back into lower chassis:
- Attach LCD and insert screws (also, attach the lcd cable to the board):
- Insert those screws:
- On the CPU (and there is another chip south-east to it, sorry forgot to take pic)
- clean off the old thermal paste (rubbing a1ocheal (misspelling intentional. halal internet)) and apply new (Artic Silver 5 is good, others are good too)
- you should also clean the heatsink the same way
- Attach the heatsink and install the screws (also, make sure to install the AC jack as highlighted):
- Reinstall that upper bezel:
- Do that:
- Attach keyboard and install nvram battery:
- Place keyboard and (sorry, forgot to take pics) reinstall the palmrest and insert screws on the underside:
- Remove those covers and unscrew:
- Gently pry off the front bezel (sorry, forgot to take pics).
-
- Remove bluetooth module:
- Re-attach the front bezel and re-insert the screws (sorry, forgot to take pics).
-
- It lives!
- Always stress test ('stress -c 2' and xsensors. below 90C is ok) when replacing cpu paste/heatsink:
- Go to http://media.ccc.de/browse/congress/2013/30C3_-_5529_-_en_-_saal_2_-_201312271830_-_hardening_hardware_and_choosing_a_goodbios_-_peter_stuge.html
- or directly to the video: http://mirror.netcologne.de/CCC/congress/2013/webm/30c3-5529-en-Hardening_hardware_and_choosing_a_goodBIOS_webm.webm.
-
- A lot of this tutorial is based on that video. Look towards the second half of the video to see how to do the above.
-
- EC: Cannot be removed but can be mitigated: it contains non-free
- non-loadable code, but it has no access to the computer's RAM.
- It has access to the on-switch of the wifi, bluetooth, modem and some
- other power management features. The issue is that it has access to the
- keyboard, however if the software security howto (not yet written) is followed correctly,
- it won't be able to leak data to a local attacker. It has no network
- access but it may still be able to leak data remotely, but that
- requires someone to be nearby to recover the data with the help of an
- SDR and some directional antennas[3].
-
- Intel 82573 Ethernet controller
- on the X60 seems safe, according to Denis.
-
- Explain that black hats, TAO, and so on might use a 0day to get in,
- and explain that in this case it mitigates what the attacker can do.
- Also the TAO do some evaluation before launching an attack: they take
- the probability of beeing caught into account, along with the kind of
- target. A 0day costs a lot of money, I heard that it was from 100000$
- to 400000$, some other websites had prices 10 times lower but that
- but it was probably a typo. So if people increase their security it
- makes it more risky and more costly to attack people.
-
- It's possible to turn headphones into a microphone, you could try
- yourself, however they don't record loud at all. Also intel cards have
- the capability to change a connector's function, for instance the
- microphone jack can now become a headphone plug, that's called
- retasking. There is some support for it in GNU/Linux but it's not very
- well known.
-
- 30c3-5356-en-Firmware_Fat_Camp_webm.webm from the 30th CCC. While
- their demo is experimental(their hardware also got damaged during the
- transport), the spies probably already have that since a long time.
- http://berlin.ftp.media.ccc.de/congress/2013/webm/30c3-5356-en-Firmware_Fat_Camp_webm.webm
-
- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information.
- Or go back to main index
- You still have Lenovo BIOS, or you had libreboot running and you flashed another ROM; and you had bucts 1 set and
- the ROM wasn't dd'd.* or if Lenovo BIOS was present and libreboot wasn't flashed.
- In this scenario, you compiled a ROM that had an incorrect configuration, or there is an actual bug preventing your machine from
- booting. Or, maybe, you set BUC.TS to 0 and shut down after first flash while Lenovo BIOS was running. In any case, your machine is bricked and will not boot at all.
-
- "Unbricking" means flashing a known-good (working) ROM. The problem: you can't boot the machine, making this difficult. In this situation, external hardware (see hardware requirements above) is needed which can flash the SPI chip (where libreboot resides).
-
- Remove those screws and remove the HDD:
- Lift off the palm rest:
- Lift up the keyboard, pull it back a bit, flip it over like that and then disconnect it from the board:
- Gently wedge both sides loose:
- Remove that cable from the position:
- Now remove that bezel. Remove wifi, nvram battery and speaker connector (also remove 56k modem, on the left of wifi):
- Remove those screws:
- Disconnect the power jack:
- Remove nvram battery:
- Disconnect cable (for 56k modem) and disconnect the other cable:
- Disconnect speaker cable:
- Disconnect the other end of the 56k modem cable:
- Make sure you removed it:
- Unscrew those:
- Make sure you removed those:
- Disconnect LCD cable from board:
- Remove those screws then remove the LCD assembly:
- Once again, make sure you removed those:
- Remove the shielding containing the motherboard, then flip it over. Remove these screws, placing them on a steady
- surface in the same layout as they were in before you removed them. Also, you should mark each screw hole after removing the
- screw (a permanent marker pen will do), this is so that you have a point of reference when re-assembling the machine:
- At this point, you should wire up your programmer according to it's documentation. For me, this was (see: "SparkFun cable pin reference"):
- Connecting the pomona:
- Connect programmer to 2nd computer:
- Programmer has power:
- Now flash the bricked machine using the 2nd computer. in my case I did:Configuring Parabola (post-install)
-
-
-
- Table of Contents
-
-
-
-
-
-
- # systemctl start dhcpcd.service
- You can stop it later by running:
- # systemctl stop dhcpcd.service
- For most people this should be enough, but if you don't have DHCP on your network then you should setup your network connection first:
- Setup network connection in Parabola
-
-
- Configure pacman
- Updating Parabola
-
- # pacman -Syy
- (according to the wiki, -Syy is better than Sy because it refreshes the package list even if it appears to be up to date,
- which can be useful when switching to another mirror).
- Then, update the system:
- # pacman -Syu
- Maintaining Parabola
- Cleaning the package cache
-
- https://wiki.archlinux.org/index.php/Pacman#Cleaning_the_package_cache.
- Essentially, this guide talks about a directory that has to be cleaned once in a while, to prevent it from growing too big (it's a cache
- of old package information, updated automatically when you do anything in pacman).
-
-
- # pacman -Sc
-
- # pacman -Scc
- This is inadvisable, since it means re-downloading the package again if you wanted to quickly re-install it. This should only be used
- when disk space is at a premium.
- pacman command equivalents
-
- https://wiki.archlinux.org/index.php/Pacman_Rosetta
- your-freedom
-
-
- Add a user
-
- # useradd -m -G wheel -s /bin/bash yourusername
- Set a password:
- # passwd yourusername
-
-
- systemd
-
- # man systemd
- The section on 'unit types' is especially useful.
-
- #SystemMaxUse=
- Change it to say:
- SystemMaxUse=50M
-
- # systemctl restart systemd-journald
-
- # man systemd-tmpfiles
- The command for 'clean' is:
- # systemd-tmpfiles --clean
- According to the manpage, this "cleans all files and directories with an age parameter".
- According to the Arch wiki, this reads information in /etc/tmpfiles.d/ and /usr/lib/tmpfiles.d/
- to know what actions to perform. Therefore, it is a good idea to read what's stored in these locations
- to get a better understanding.
-
- # man tmpfiles.d
- Read that manpage, and then continue studying all of the files.
-
-
- Interesting repositories
-
-
- [kernels]
- Include = /etc/pacman.d/mirrorlist
-
-
- # pacman -Syy
-
- # pacman -Sl kernels
-
-
- Setup a network connection in Parabola
- Set the hostname
-
- # hostnamectl set-hostname yourhostname
- This writes the specified hostname to /etc/hostname. More information can be found in these manpages:
- # man hostname
- # info hostname
- # man hostnamectl
-
-
- 127.0.0.1 localhost.localdomain localhost myhostname
- ::1 localhost.localdomain localhost myhostname
-
- Network Status
-
- # lspci -v
-
-
- Kernel driver in use: e1000e
- Kernel modules: e1000e
-
-
- # dmesg | grep e1000e
- Network device names
-
- # ls /sys/class/net
-
- https://wiki.archlinux.org/index.php/Configuring_Network#Change_device_name
- Network setup
-
- https://wiki.archlinux.org/index.php/List_of_applications/Internet#Network_managers.
- If you need to, set a static IP address (temporarily) using the networking guide an the Arch wiki, or start the dhcpcd service in systemd.
- NetworkManager will be setup later, after installing LXDE.
-
-
- System Maintenance
-
- # pacman -S smartmontools
- Read https://wiki.archlinux.org/index.php/S.M.A.R.T. to learn how to use it.
-
-
- Configuring the desktop
- Installing Xorg
-
- # pacman -S xorg-server
- I also recommend installing this (contains lots of useful tools, including xrandr):
- # pacman -S xorg-server-utils
-
- # pacman -S xf86-video-intel
- For other systems you can try:
- # pacman -Ss xf86-video- | less
- Combined with looking at your lspci output, you can determine which driver is needed.
- By default, Xorg will revert to xf86-video-vesa which is a generic driver and doesn't provide true hardware acceleration.
-
- # pacman -Sg xorg-drivers
-
- # pacman -S xorg-xinit
-
- Arch wiki recommends installing these, for testing that X works:
- # pacman -S xorg-twm xorg-xclock xterm
- Refer to https://wiki.archlinux.org/index.php/Xinitrc.
- and test X:
- # startx
- When you are satisfied, type exit in xterm, inside the X session.
- Uninstall them (clutter. eww): # pacman -S xorg-xinit xorg-twm xorg-xclock xterm
- </optional>
- Xorg keyboard layout
-
- # setxkbmap -print -verbose 10
-
- https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_X_configuration_files and
- https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_localectl.
-
- Create the file /etc/X11/xorg.conf.d/10-keyboard.conf and put this inside:
-
- Section "InputClass"
- Identifier "system-keyboard"
- MatchIsKeyboard "on"
- Option "XkbLayout" "gb"
- Option "XkbModel" "pc105"
- Option "XkbVariant" "dvorak"
- EndSection
-
- Install LXDE
-
- # pacman -S lxde obconf
-
- # pacman -R lxmusic lxtask
-
- # pacman -S $(pacman -Ssq ttf-)
-
- # pacman -S icecat
- And a mail client:
- # pacman -S icedove
-
- # pacman -S xsensors stress htop
-
- # systemctl enable lxdm.service
- It will start when you boot up the machine. To start it now, do:
- # systemctl start lxdm.service
-
- $ cp /etc/skel/.xinitrc ~
- Open .xinitrc and add the following plus a line break at the bottom of the file.
-
- # Probably not needed. The same locale info that we set before
- # Based on advice from the LXDE wiki
- export LC_ALL=en_GB.UTF-8
- export LANGUAGE=en_GB.UTF-8
- export LANG=en_GB.UTF-8
-
- # Start lxde desktop
- exec startlxde
-
- Now make sure that it is executable:
- $ chmod +x .xinitrc
- LXDE - clock
- LXDE - font
- LXDE - screenlock
-
- # pacman -S xscreensaver
- LXDE - automounting
- LXDE - disable suspend
- LXDE - battery monitor
- LXDE - Network Manager
-
- # pacman -S networkmanager
-
- # pacman -S network-manager-applet
- Arch wiki says that an autostart rule will be written at /etc/xdg/autostart/nm-applet.desktop
-
- # pacman -S networkmanager-openvpn
-
- https://wiki.archlinux.org/index.php/NetworkManager#Openbox.
-
- # pacman -S xfce4-notifyd gnome-icon-theme
- Also, for storing authentication details (wifi) I need:
- # pacman -S gnome-keyring
-
- # systemctl stop dhcpcd
- # systemctl start NetworkManager
- Enable NetworkManager at boot time:
- # systemctl enable NetworkManager
-
-
-
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions.
- A copy of the license can be found at ../license.txt.
- Notes about DMA and the docking station (X60/T60)
-
-
-
-Use case:
----------
-Usually when people do full disk encryption, it's not really full disk,
-instead they still have a /boot in clear.
-
-So an evil maid attack can still be done, in two passes:
-1) Clone the hdd, Infect the initramfs or the kernel.
-2) Wait for the user to enter its password, recover the password,
-luksOpen the hdd image.
-
-I wanted a real full-disk encryption so I've put grub in flash and I
-have the following: The HDD has a LUKS rootfs(containing /boot) on an
-lvm partition, so no partition is in clear.
-
-So when the computer boots it executes coreboot, then grub as a payload.
-Grub then opens the LUKS partition and loads the kernel and initramfs
-from there.
-
-To prevent hardware level tempering(like reflashing), I used nail
-polish with a lot of gilder, that acts like a seal. Then a high
-resolution picture of it is taken, to be able to tell the difference.
-
-The problem:
-------------
-But then comes the docking port issue: Some LPC pins are exported
-there, such as the CLKRUN and LDRQ#.
-
-LDRQ# is "Encoded DMA/Bus Master Request": "Only needed by
-peripherals that need DMA or bus mastering. Requires an
-individual signal per peripheral. Peripherals may not share
-an LDRQ# signal."
-
-So now DMA access is possible trough the dock connector.
-So I want to be able to turn that off.
-
-If I got it right, the X60 has 2 superio, one is in the dock, and the
-other one is in the laptop, so we have:
- ________________
- _________________ | |
-| | | Dock connector:|
-|Dock: NSC pc87982|<--LPC--->D_LPC_DREQ0 |
-|_________________| |_______^________|
- |
- |
- |
- |
- ___________________|____
- | v |
- | SuperIO: DLDRQ# |
- | NSC pc87382 LDRQ# |
- |___________________^____|
- |
- |
- |
- |
- ___________________|___
- | v |
- | Southbridge: LDRQ0 |
- | ICH7 |
- |_______________________|
-
-
-The code:
----------
-Now if I look at the existing code, there is some superio drivers, like
-pc87382 in src/superio/nsc, the code is very small.
-The only interesting part is the pnp_info pnp_dev_info struct.
-
-Now if I look inside src/mainboard/lenovo/x60 there is some more
-complete dock driver:
-
-Inside dock.c I see some dock_connect and dock_disconnect functions.
-
-Such functions are called during the initialisation (romstage.c) and
-from the x60's SMI handler (smihandler.c).
-
-Questions:
-----------
-1) Would the following be sufficent to prevent DMA access from the
-outside:
-> int dock_connect(void)
-> {
-> int timeout = 1000;
-> + int val;
-> +
-> + if (get_option(&val, "dock") != CB_SUCCESS)
-> + val = 1;
-> + if (val == 0)
-> + return 0;
-> [...]
-> }
->
-> void dock_disconnect(void) {
-> + if (dock_present())
-> + return;
-> [...]
-> }
-2) Would an nvram option be ok for that? Should a Kconfig option be
-added too?
-
-> config DOCK_AUTODETECT
-> bool "Autodetect"
-> help
-> The dock is autodetected. If unsure select this option.
->
-> config DOCK_DISABLED
-> bool "Disabled"
-> help
-> The dock is always disabled.
->
-> config DOCK_NVRAM_ENABLE
-> bool "Nvram"
-> help
-> The dock autodetection is tried only if it is also enabled
-> trough nvram.
-
-
-
-
-
-
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions.
- A copy of the license can be found at ../license.txt.
- Installing Parabola GNU/Linux with full disk encryption (including /boot)
-
-
- # lsblk
- Your HDD is probably /dev/sda:
- # dd if=/dev/zero of=/dev/sda bs=446 count=1; sync
- Never use SeaBIOS! The MBR section can easily be changed with malicious code, which SeaBIOS will blindly execute.
- This guide is for libreboot with GRUB-as-payload only.
-
- # dd if=/dev/urandom of=/dev/sda; sync
- NOTE: If you have an SSD, only do this the first time. If it was already LUKS-encrypted before,
- use the info below to wipe the LUKS header. Also, check online for your SSD what the recommended
- erase block size is. For example if it was 2MiB:
- # dd if=/dev/urandom of=/dev/sda bs=2M; sync
-
- # head -c 3145728 /dev/urandom > /dev/sda; sync
- (wiping the LUKS header is important, since it has hashed passphrases and so on. It's 'secure', but 'potentially' a risk).
-
- Edit /etc/fstab later on when chrooted into your install. Also, read the whole article and keep all points in mind, adapting
- them for this guide.
-
-
- Change keyboard layout
-
-
- # loadkeys LAYOUT
- For me, LAYOUT would have been dvorak-uk.
- Getting started
- dm-mod
-
- # modprobe dm-mod
- Create LUKS partition
-
- # cfdisk /dev/sda
-
- I am then directed to https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption.
-
- # cryptsetup benchmark (for making sure the list below is populated)
- Then:
- # cat /proc/crypto
- This gives me crypto options that I can use. It also provides a representation of the best way to setup LUKS (in this case, security is a priority; speed, a distant second).
- To gain a better understanding, I am also reading:
- # man cryptsetup
-
- # cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --use-random --verify-passphrase luksFormat /dev/sda1
- -- choose a secure passphrase here. Ideally lots of lowercase/uppercase numbers, letters, symbols etc all in a random pattern. The password
- length should be as long as you are able to handle without writing it down or storing it anywhere. Ideally, 100 characters or more.
- It might take you a while to memorize a long passphrase before beginning this step.
- Create LVM
-
- # cryptsetup open --type luks /dev/sda1 lvm
- (it will be available at /dev/mapper/lvm)
- I'm told that the above is old syntax, which is what I did anyway. You could also try:
- # cryptsetup luksOpen /dev/sda1 lvm
-
- # pvcreate /dev/mapper/lvm
- Show that you just created it:
- # pvdisplay
-
- # vgcreate matrix /dev/mapper/lvm (volume group name is 'matrix')
- Show that you created it:
- # vgdisplay
-
- # lvcreate -L 2G matrix -n swapvol (2G swap partition, named swapvol)
- # lvcreate -l +100%FREE matrix -n rootvol (single large partition in the rest of the space, named rootvol)
- You can also be flexible here, for example you can specify a /boot, a /, a /home, a /var, a /usr, etc. For example,
- if you will be running a web/mail server then you want /var in it's own partition (so that if it fills up with logs, it won't crash your system).
- For a home/laptop system (typical use case), a root and a swap will do (really).
-
- # lvdisplay
- Create / and swap partitions
-
- # mkswap /dev/mapper/matrix-swapvol
-
- # mkfs.ext4 /dev/mapper/matrix-rootvol
- Continue with Parabola installation
-
- # mount /dev/matrix/rootvol /mnt
-
- # mkdir /mnt/home
- # mkdir /mnt/boot
-
- # swapon /dev/matrix/swapvol
-
- # pacman -Syy
- # pacman -Syu
- # pacman -Sy pacman (and then I did the other 2 steps above, again)
- In my case I did the steps in the next paragraph, and followed the steps in this paragraph again.
-
- The following is based on 'Verification of package signatures' in the Parabola install guide.
- Check there first to see if steps differ by now.
- Now you have to update the default Parabola keyring. This is used for signing and verifying packages:
- # pacman -Sy parabola-keyring
- It says that you you get GPG errors, it's probably an expired key so do:
- # pacman-key --populate parabola
- # pacman-key --refresh-keys
- # pacman -Sy parabola-keyring
- To be honest, you should do the above anyway. Parabola has a lot of maintainers, and a lot of keys. Really!
- Also, it says that if the clock is set incorrectly then you have to manually set the correct time
- (if keys are listed as expired because of it):
- # date MMDDhhmm[[CC]YY][.ss]
- I also had to install:
- # pacman -S archlinux-keyring
- # pacman-key --populate archlinux
- In my case I saw some conflicting files reported in pacman, stopping me from using it.
- I deleted the files that it mentioned
- and then it worked. Specifically, I had this error:
- licenses: /usr/share/licenses/common/MPS exists in filesystem
- I rm -rf'd the file and then pacman worked. I'm told that the following would have also made it work:
- # pacman -Sf licenses
- </troubleshooting>
-
- # pacstrap /mnt base base-devel wpa_supplicant dialog
- Configure the system
-
- # genfstab -p /mnt >> /mnt/etc/fstab
-
- # arch-chroot /mnt
-
- # pacman -S linux-libre-lts
-
- # pacman -S linux-libre-grsec
-
- # pacman -S wget
-
-
-
-
-
-
-
- LANG="en_GB.UTF-8"
- # Keep the default sort order (e.g. files starting with a '.'
- # should appear at the start of a directory listing.)
- LC_COLLATE="C"
- # Set the short date to YYYY-MM-DD (test with "date +%c")
- LC_TIME="en_GB.UTF-8"
-
-
-
- KEYMAP=dvorak-uk
- FONT=Lat2-Terminus16
-
-
-
-
-
-
-
- add encrypt and lvm2 in that order, before the 'filesystems' entry in the HOOKS array.
- add keymap, consolefont and shutdown to the end of the HOOKS array in that order.
- move keyboard, keymap and consolefont in that order, to go before 'encrypt' in the HOOKS array.
- At the end your HOOKS array will look like this:
- HOOKS="base udev autodetect modconf block keyboard keymap consolefont encrypt lvm2 filesystems fsck shutdown"
-
-
-
- # mkinitcpio -p linux-libre
- Also do it for linux-libre-lts:
- # mkinitcpio -p linux-libre-lts
- Also do it for linux-libre-grsec:
- # mkinitcpio -p linux-libre-grsec
- Set a root password
-
- Make sure to set a secure password! Also, it must never be the same as your LUKS password.
- Extra security tweaks
-
- # chmod 700 /boot /etc/{iptables,arptables}
-
- Edit the file /etc/pam.d/system-login and comment out that line:
- # auth required pam_tally.so onerr=succeed file=/var/log/faillog
- Or just delete it. Above it, put:
- auth required pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog
- To unlock a user manually (if a password attempt is failed 3 times), do:
- # pam_tally --user theusername --reset
- What the above configuration does is lock the user out for 10 minutes, if they make 3 failed login attempts.
- Unmount, reboot!
-
- # exit
-
- # umount /mnt
- # swapoff -a
-
- # lvchange -an /dev/matrix/rootvol
- # lvchange -an /dev/matrix/swapvol
-
- # cryptsetup luksClose lvm
-
- Then boot up again.
- Booting from GRUB
-
- grub> set root='lvm/matrix-rootvol'
- grub> linux /boot/vmlinuz-linux-libre-lts root=/dev/matrix/rootvol cryptdevice=/dev/sda1:root
- grub> initrd /boot/initramfs-linux-libre-lts.img
- grub> boot
-
-
- Modify grub.cfg inside the ROM
-
-
-
- cryptomount -a (ahci0,msdos1)
- set root='lvm/matrix-rootvol'
- linux /boot/vmlinuz-linux-libre-lts root=/dev/matrix/rootvol cryptdevice=/dev/sda1:root
- initrd /boot/initramfs-linux-libre-lts.img
-
- set superusers="root"
-password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711
-
-
-
- # systemctl start dhcpcd.service
- This is just for the step below. I won't cover network configuration here. That is for another Parabola article.
-
- # pacman -S grub
-
- # grub-mkpasswd-pbkdf2
-
- # pacman -S base-devel
-
- # pacman -S flashrom
- I also installed dmidecode:
- # pacman -S dmidecode
-
- # pacman -R grub
-
-
-
-
- Further security tips
-
- https://wiki.parabolagnulinux.org/User:GNUtoo/laptop
-
-
- Follow-up tutorial: configuring Parabola
-
-
-
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions.
- A copy of the license can be found at ../license.txt.
- Installing Trisquel GNU/Linux with full disk encryption (including /boot)
-
- Partitioning
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Further partitioning
-
-
-
-
-
-
-
-
- Kernel
-
- Tasksel
-
- Postfix configuration
-
- Install the GRUB boot loader to the master boot record
-
- Clock UTC
-
-
- Booting your system
-
-
-
- grub> cryptomount -a (ahci0,msdos1)
- grub> set root='lvm/buzz-distro'
- grub> linux /vmlinuz root=/dev/mapper/buzz-distro cryptdevice=/dev/mapper/buzz-distro:root
- grub> initrd /initrd.img
- grub> boot
-
- ecryptfs
-
-
-
- $ sudo ecryptfs-unwrap-passphrase
-
- Modify grub.cfg (CBFS)
-
-
-
- set root='lvm/buzz-distro'
- linux /vmlinuz root=/dev/mapper/buzz-distro cryptdevice=/dev/mapper/buzz-distro:root
- initrd /initrd.img
-
- $ grub-mkpasswd-pbkdf2
-
- grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711
-
-
-set superusers="root"
-password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711
-
-
-
- Update Trisquel
-
-
-
- $ sudo apt-get upgrade
-
- Conclusion
-
-
-
-
-
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions.
- A copy of the license can be found at ../license.txt.
- Boot a GNU/Linux installer on USB
-
- Prepare the USB drive (in GNU/Linux)
-
-
- $ dmesg
-
- Check lsblk to confirm which drive it is:
- $ lsblk
-
- $ sudo umount /dev/sdb*
- # umount /dev/sdb*
-
- $ sudo dd if=gnulinux.iso of=/dev/sdb bs=8M; sync
- # dd if=gnulinux.iso of=/dev/sdb bs=8M; sync
- Booting the USB drive (in GRUB)
-
-
- grub> ls
-
- Get the device from above output, eg (usb0). Example:
- grub> cat (usb0)/isolinux/isolinux.cfg
-
- Either this will show the ISOLINUX menuentries for that ISO, or link to other .cfg files, for example /isolinux/foo.cfg.
-
- If it did that, then you do:
- grub> cat (usb0)/isolinux/foo.cfg
-
- And so on, until you find the correct menuentries for ISOLINUX.
-
-
- kernel /path/to/kernel
- append PARAMETERS initrd=/path/to/initrd MAYBE_MORE_PARAMETERS
-
-
- GRUB works the same way, but in it's own way. Example GRUB commands:
- grub> linux (usb0)/path/to/kernel PARAMETERS MAYBE_MORE_PARAMETERS
- grub> initrd (usb0)/path/to/initrd
- grub> boot
-
- Of course this will vary from distro to distro. If you did all that correctly, it should now be booting the ISO
- the way you specified.
- Troubleshooting
-
- parabola won't boot in text-mode
-
- debian-installer (trisquel net install) graphical corruption in text-mode
-
- vga=normal fb=false
-
-
-
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions.
- A copy of the license can be found at ../license.txt.
- How to change your default GRUB menu
-
-
-
- Table of Contents
-
-
-
-
-
-
- Getting started
-
-
If you downloaded from git, refer to
- ../index.html#build_meta before continuing.
-
-
- Build 'cbfstool' from source
-
-
-
- Which ROM image should I use?
-
-
- $ sudo ./flashrom -p internal -r libreboot.rom
- Notice that this is using "-r" (read) instead of "-w" (write).
- This will create a dump (copy) of your current firmware and name it libreboot.rom.
- You need to take ownership of the file. For example:
- $ sudo chown yourusername:yourusername libreboot.rom
- # chown yourusername:yourusername libreboot.rom
-
-
- Extract grubtest.cfg from the ROM image
-
-
- $ ./cbfstool libreboot.rom print
-
- $ ./cbfstool libreboot.rom extract -n grubtest.cfg -f grubtest.cfg
-
-
- Example modifications for grubtest.cfg
-
- Trisquel GNU/Linux-libre
-
-
-
-
-
- $ lsblk
-
- set root='ahci0,msdos1'
- linux /vmlinuz root=UUID=3a008e14-4871-497b-95e5-fb180f277951
- initrd /initrd.img
-
- $ sudo -s
- # cd /boot/
- # rm -rf vmlinuz initrd.img
- # ln -s kernel ksym
- # ln -s initrd isym
- # exit
-
- set root='ahci0,msdos1'
- linux /ksym root=/dev/sda2
- initrd /isym
- Parabola GNU/Linux-libre
-
-
-
- Re-insert the modified grubtest.cfg into the ROM image
-
-
- $ ./cbfstool libreboot.rom remove -n grubtest.cfg
-
- $ ./cbfstool libreboot.rom print
-
- $ ./cbfstool libreboot.rom add -n grubtest.cfg -f grubtest.cfg -t raw
-
- $ ./cbfstool libreboot.rom print
-
-
- Test it!
-
-
-
- Final steps
-
-
- $ sed -e 's:(cbfsdisk)/grub.cfg:(cbfsdisk)/grubtest.cfg:g' -e 's:Switch to grub.cfg:Switch to grubtest.cfg:g' < grubtest.cfg > grub.cfg
-
- $ ./cbfstool libreboot.rom remove -n grub.cfg
-
- $ ./cbfstool libreboot.rom print
-
- $ ./cbfstool libreboot.rom add -n grub.cfg -f grub.cfg -t raw
-
- $ ./cbfstool libreboot.rom print
-
-
- Troubleshooting
-
-
-
-
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions.
- A copy of the license can be found at ../license.txt.
- Changing heatsink (or CPU) on the ThinkPad T60
-
- Hardware requirements
-
-
-
- Software requirements
-
-
-
- Disassembly
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions.
- A copy of the license can be found at ../license.txt.
- Changing the LCD panel on a 15.1" T60
-
- Disassembly
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions.
- A copy of the license can be found at ../license.txt.
- Security on the ThinkPad T60
-
- Table of Contents
-
-
- Hardware requirements
-
-
-
- Software requirements
-
-
-
-
- Rationale
-
- Disassembly
-
-
-
-
-
-
-
-
-
-
-
-
-
- Reason: has direct (and very fast) memory access, and could (theoretically) leak data over a side-channel.
- Wifi: The ath5k/ath9k cards might not have firmware at all. They might safe but could have
- access to the computer's RAM trough DMA. If people have an intel
- card(most T60's come with Intel wifi by default, until you change it),then that card runs
- a non-free firwamre and has access to the computer's RAM trough DMA! So
- it's risk-level is very high.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Rationale:
- Another reason to remove the microphone: If your computer gets[1] compromised, it can
- record what you say, and use it to receive data from nearby devices if
- they're compromised too. Also, we do not know what the built-in microcode (in the CPU) is doing; it could theoretically
- be programmed to accept remote commands from some speaker somewhere (remote security hole). In other words,
- the machine could already be compromised from the factory.
-
-
-
-
- Rationale:
- It has direct memory access and can be used to extract sensitive details (such as LUKS keys). See
- 'GoodBIOS' video linked at the end (speaker is Peter Stuge, a coreboot hacker). The video covers X60
- but the same topics apply to T60.
-
-
- Reason: combined with the microphone issue, this could be used to leak data.
- If your computer gets[1] compromised, it can be used to
- transmit data to nearby compromised devices. It's unknown if it can be
- turned into a microphone[2].
- Replacement: headphones/speakers (line-out) or external DAC (USB).
-
-
- Wwan (3d modem): They run proprietary software and have access to the
- computer's RAM! So it's like AMT but over the GSM network which is
- probably even worse.
- Replacement: external USB wifi dongle. (or USB wwan/3g dongle; note, this has all the same privacy issues as mobile phones. wwan not recommended).
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Not covered yet:
-
-
-
-
- Also not covered yet:
-
-
-
-
-
- Just put nail polish with lot of glider on the important screws, take
- some good pictures. Keep the pictueres and make sure of their integrity.
- Compare the nail polish with the pictures before powering on the laptop.
-
-
-
- Extra notes
-
-
- Risk level
-
-
-
-
-
- Further reading material (software security)
-
-
-
-
-
- References
-
- [1] physical access
- [2] microphone
- [3] Video (CCC)
-
-
-
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions.
- A copy of the license can be found at ../license.txt.
- Unbricking the ThinkPad T60
-
- Table of Contents
-
-
-
- Hardware requirements
-
-
-
- Software requirements
-
-
-
- Brick type 1: bucts not reset.
-
-
- In this case, unbricking is easy: reset BUC.TS to 0 by removing that yellow cmos coin (it's a battery) and putting it back after a minute or two:
-
-
- *Those dd commands should be applied to all newly compiled T60 ROM's (the ROM's in libreboot binary archives already have this applied!):
- dd if=coreboot.rom of=top64k.bin bs=1 skip=$[$(stat -c %s coreboot.rom) - 0x10000] count=64k
- dd if=coreboot.rom bs=1 skip=$[$(stat -c %s coreboot.rom) - 0x20000] count=64k | hexdump
- dd if=top64k.bin of=coreboot.rom bs=1 seek=$[$(stat -c %s coreboot.rom) - 0x20000] count=64k conv=notrunc
- (doing this makes the ROM suitable for use when flashing a machine that still has Lenovo BIOS running,
- using those instructions: http://www.coreboot.org/Board:lenovo/x60/Installation.
- (it says x60, but instructions for t60 are identical)
- bad rom (or user error), machine won't boot
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- http://dangerousprototypes.com/docs/Common_Bus_Pirate_cable_pinouts.
- Correlating with the following information, I was able to wire up my pirate correctly:
- http://flashrom.org/Bus_Pirate#Connections
- And by following that advice:
- http://www.coreboot.org/Board:lenovo/x60/Installation#Howto.
- (it says X60 but instructions are virtually the same for the T60, with except to physical differences in how to disassemble the machine)
- Note: that last page says to wire up only those 5 pins (see below) like that: 1, 2, 4, 5, 6.
- Note: and then, for power it says (on that coreboot.org page) to connect the power jack to the board and connect the
- AC adapter (without powering on the board).
- Note: I ignored that advice, and wired up all 8 pins. And it worked.
-
- Here is the pinout (correlate it with your programmer's documentation):
-
-
-
-
-
-
-
-
- flashrom -p buspirate_spi:dev=/dev/ttyUSB0 -w bin/t60/libreboot_usqwerty.rom
- Note: there are also other ROM images for T60
- Note: this is using buspirate as the programmer, so it is flashing the T60, not the 2nd computer!
- Here's my terminal window on the 2nd computer (also the programmer is active):
-
- So, you should see the following:
- --
-
- flashrom v0.9.5.2-r1517 on Linux 3.2.0-61-generic (i686), built with libpci 3.1.8, GCC 4.6.3, little endian
- flashrom is free software, get the source code at http://www.flashrom.org
-
- Calibrating delay loop... delay loop is unreliable, trying to continue OK.
- Found Macronix flash chip "MX25L1605" (2048 kB, SPI) on buspirate_spi.
- Reading old flash chip contents... done.
- Erasing and writing flash chip... Erase/write done.
- Verifying flash... VERIFIED.
-
- --
- At the end it says "VERIFIED", which means that the procedure worked. If you see this, it means
- that you can put your T60 back together. So let's do that now.
-
- Put those screws back:
-
-
- Put it back into lower chassis:
-
-
- Attach LCD and insert screws (also, attach the lcd cable to the board):
-
-
- Insert those screws:
-
-
- On the CPU (and there is another chip south-east to it, sorry forgot to take pic)
- clean off the old thermal paste (rubbing a1ocheal (misspelling intentional. halal internet)) and apply new (Artic Silver 5 is good, others are good too)
- you should also clean the heatsink the same way
-
-
- Attach the heatsink and install the screws (also, make sure to install the AC jack as highlighted):
-
-
- Reinstall that upper bezel:
-
-
- Do that:
-
-
- Re-attach modem, wifi, (wwan?), and all necessary cables. Sorry, forgot to take pics. Look at previous removal steps to see where they go back to. -
- -
- Attach keyboard and install nvram battery:
-
-
- Place keyboard and (sorry, forgot to take pics) reinstall the palmrest and insert screws on the underside:
-
-
- It lives!
-
-
- Always stress test ('stress -c 2' and xsensors. below 90C is ok) when replacing cpu paste/heatsink:
-
-
- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions.
- A copy of the license can be found at ../license.txt.
-
- This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. -
- - - diff --git a/docs/howtos/x60_heatsink.html b/docs/howtos/x60_heatsink.html deleted file mode 100644 index 22b55e1..0000000 --- a/docs/howtos/x60_heatsink.html +++ /dev/null @@ -1,149 +0,0 @@ - - - - - - - - -Or go back to main index
- -
- Remove those screws:
-
-
- Push the keyboard forward (carefully):
-
-
- Lift the keyboard up and disconnect it from the board:
-
-
- Grab the right-hand side of the chassis and force it off (gently) and pry up the rest of the chassis:
-
-
- You should now have this:
-
-
- Disconnect the wifi antenna cables, the modem cable and the speaker:
-
-
- Unroute the cables along their path, carefully lifting the tape that holds them in place. Then, disconnect the modem
- cable (other end) and power connection and unroute all the cables so that they dangle by the monitor hinge on the right-hand
- side:
-
-
- Disconnect the monitor from the motherboard, and unroute the grey antenna cable, carefully lifting the tape
- that holds it into place:
-
-
- Carefully lift the remaining tape and unroute the left antenna cable so that it is loose:
-
-
- Remove those screws:
-
-
- Remove those screws:
-
-
- Carefully remove the plate, like so:
-
-
- Remove the SATA connector:
-
-
- Now remove the motherboard (gently) and cast the lcd/chassis aside:
-
-
- Look at that black tape above the heatsink, remove it:
-
-
- Now you have removed it:
-
-
- Disconnect the fan and remove all the screws, heatsink will easily come off:
-
-
- Remove the old paste with a cloth (from the CPU and heatsink) and then clean both of them with the alcholeel (to remove remaining residue. typo is intentional). - Apply a pea-sized amount of paste to the both chipsets that the heatsink covered and spread it evenly (uniformally). - Finally reinstall the heatsink, reversing previous steps. -
- -- stress -c 2 command can be used to push the CPU to 100%, and xsensors (or watch sensors command) can be used to monitor heat. - Below 90C is ok. -
- -
- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions.
- A copy of the license can be found at ../license.txt.
-
- This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. -
- - - diff --git a/docs/howtos/x60_heatsink/0000.jpg b/docs/howtos/x60_heatsink/0000.jpg deleted file mode 100644 index ce0ec3b..0000000 --- a/docs/howtos/x60_heatsink/0000.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0001.jpg b/docs/howtos/x60_heatsink/0001.jpg deleted file mode 100644 index 2bbc0ca..0000000 --- a/docs/howtos/x60_heatsink/0001.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0002.jpg b/docs/howtos/x60_heatsink/0002.jpg deleted file mode 100644 index b55db3b..0000000 --- a/docs/howtos/x60_heatsink/0002.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0003.jpg b/docs/howtos/x60_heatsink/0003.jpg deleted file mode 100644 index c5799ae..0000000 --- a/docs/howtos/x60_heatsink/0003.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0004.jpg b/docs/howtos/x60_heatsink/0004.jpg deleted file mode 100644 index cd47840..0000000 --- a/docs/howtos/x60_heatsink/0004.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0005.jpg b/docs/howtos/x60_heatsink/0005.jpg deleted file mode 100644 index 418c9d2..0000000 --- a/docs/howtos/x60_heatsink/0005.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0006.jpg b/docs/howtos/x60_heatsink/0006.jpg deleted file mode 100644 index 6d36d93..0000000 --- a/docs/howtos/x60_heatsink/0006.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0007.jpg b/docs/howtos/x60_heatsink/0007.jpg deleted file mode 100644 index 971ccdf..0000000 --- a/docs/howtos/x60_heatsink/0007.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0008.jpg b/docs/howtos/x60_heatsink/0008.jpg deleted file mode 100644 index 24e6526..0000000 --- a/docs/howtos/x60_heatsink/0008.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0009.jpg b/docs/howtos/x60_heatsink/0009.jpg deleted file mode 100644 index d318395..0000000 --- a/docs/howtos/x60_heatsink/0009.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0010.jpg b/docs/howtos/x60_heatsink/0010.jpg deleted file mode 100644 index 5e6fdc7..0000000 --- a/docs/howtos/x60_heatsink/0010.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0011.jpg b/docs/howtos/x60_heatsink/0011.jpg deleted file mode 100644 index 101cf6a..0000000 --- a/docs/howtos/x60_heatsink/0011.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0012.jpg b/docs/howtos/x60_heatsink/0012.jpg deleted file mode 100644 index dbb6669..0000000 --- a/docs/howtos/x60_heatsink/0012.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0013.jpg b/docs/howtos/x60_heatsink/0013.jpg deleted file mode 100644 index 2d2b9dd..0000000 --- a/docs/howtos/x60_heatsink/0013.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0014.jpg b/docs/howtos/x60_heatsink/0014.jpg deleted file mode 100644 index 733f997..0000000 --- a/docs/howtos/x60_heatsink/0014.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0015.jpg b/docs/howtos/x60_heatsink/0015.jpg deleted file mode 100644 index 1e81166..0000000 --- a/docs/howtos/x60_heatsink/0015.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0016.jpg b/docs/howtos/x60_heatsink/0016.jpg deleted file mode 100644 index ea418a5..0000000 --- a/docs/howtos/x60_heatsink/0016.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0017.jpg b/docs/howtos/x60_heatsink/0017.jpg deleted file mode 100644 index 8a67482..0000000 --- a/docs/howtos/x60_heatsink/0017.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_heatsink/0018.jpg b/docs/howtos/x60_heatsink/0018.jpg deleted file mode 100644 index 98c43ac..0000000 --- a/docs/howtos/x60_heatsink/0018.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_lcd_change.html b/docs/howtos/x60_lcd_change.html deleted file mode 100644 index 3ddeaac..0000000 --- a/docs/howtos/x60_lcd_change.html +++ /dev/null @@ -1,54 +0,0 @@ - - - - - - - - -Or go back to main index
- -This tutorial is incomplete, and only pictures for now.
- -- - - - - - - -
- -
- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions.
- A copy of the license can be found at ../license.txt.
-
- This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. -
- - - diff --git a/docs/howtos/x60_lcd_change/0001.JPG b/docs/howtos/x60_lcd_change/0001.JPG deleted file mode 100755 index fd066eb..0000000 --- a/docs/howtos/x60_lcd_change/0001.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_lcd_change/0002.JPG b/docs/howtos/x60_lcd_change/0002.JPG deleted file mode 100755 index 96949f1..0000000 --- a/docs/howtos/x60_lcd_change/0002.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_lcd_change/0003.JPG b/docs/howtos/x60_lcd_change/0003.JPG deleted file mode 100755 index 90216aa..0000000 --- a/docs/howtos/x60_lcd_change/0003.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_lcd_change/0004.JPG b/docs/howtos/x60_lcd_change/0004.JPG deleted file mode 100755 index 3b704a4..0000000 --- a/docs/howtos/x60_lcd_change/0004.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_lcd_change/0005.JPG b/docs/howtos/x60_lcd_change/0005.JPG deleted file mode 100755 index 823bab9..0000000 --- a/docs/howtos/x60_lcd_change/0005.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_lcd_change/0006.JPG b/docs/howtos/x60_lcd_change/0006.JPG deleted file mode 100755 index 040f2ca..0000000 --- a/docs/howtos/x60_lcd_change/0006.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_lcd_change/0007.JPG b/docs/howtos/x60_lcd_change/0007.JPG deleted file mode 100755 index 42c2607..0000000 --- a/docs/howtos/x60_lcd_change/0007.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_security.html b/docs/howtos/x60_security.html deleted file mode 100644 index e24ae12..0000000 --- a/docs/howtos/x60_security.html +++ /dev/null @@ -1,306 +0,0 @@ - - - - - - - - -Or go back to main index
- -- Most people think of security on the software side: the hardware is important aswell. - Hardware security is useful in particular to journalists (or activists in a given movement) who need absolute privacy in their work. - It is also generally useful to all those that believe security and privacy are inalienable rights. - Security starts with the hardware; crypto and network security come later. -
-- Paradoxically, going this far to increase your security also makes you a bigger target. - At the same time, it protects you in the case that someone does attack your machine. - This paradox only exists while few people take adequate steps to protect yourself: it is your duty - to protect yourself, not only for your benefit but to make strong security normal so - that those who do need protection (and claim it) are a smaller target against the masses. -
-- Even if there are levels of security beyond your ability (technically, financially and so on) - doing at least something (what you are able to do) is extremely important. - If you use the internet and your computer without protection, attacking you is cheap (some say it is - only a few US cents). If everyone (majority of people) use strong security by default, - it makes attacks more costly and time consuming; in effect, making them disappear. -
-- This tutorial deals with reducing the number of devices that have direct memory access that - could communicate with inputs/outputs that could be used to remotely - command the machine (or leak data). -
- -
- Firstly remove the bluetooth (if your X60 has this):
- The marked screws are underneath those stickers (marked in those 3 locations at the bottom of the LCD assembly):
-
- Now gently pry off the bottom part of the front bezel, and the bluetooth module is on the left (easily removable):
-
-
- If your model was WWAN, remove the simcard (check anyway):
- Uncover those 2 screws at the bottom:
-
- SIM card (not present in the picture) is in the marked location:
-
- Replacement: USB dongle.
-
- Now get into the motherboard. -
- -
- Remove those screws:
-
-
- Push the keyboard forward (carefully):
-
-
- Lift the keyboard up and disconnect it from the board:
-
-
- Grab the right-hand side of the chassis and force it off (gently) and pry up the rest of the chassis:
-
-
- You should now have this:
-
-
- The following is a summary of what you will remove (already done to this machine):
-
- Note: the blue lines represent antenna cables and modem cables. You don't need to remove these, but you can if you want
- (to make it tidier after removing other parts). I removed the antenna wires, the modem jack, the modem cable and
- also (on another model) a device inside the part where the wwan antenna goes (wasn't sure what it was, but I knew it wasn't needed). This is optional
-
- Remove the microphone (can desolder it, but you can also easily pull it off with you hands). Already removed here:
-
- Rationale:
- Another reason to remove the microphone: If your computer gets[1] compromised, it can
- record what you say, and use it to receive data from nearby devices if
- they're compromised too. Also, we do not know what the built-in microcode (in the CPU) is doing; it could theoretically
- be programmed to accept remote commands from some speaker somewhere (remote security hole). In other words,
- the machine could already be compromised from the factory.
-
- Remove the modem:
-
- (useless, obsolete device)
-
- Remove the speaker:
-
- Reason: combined with the microphone issue, this could be used to leak data.
- If your computer gets[1] compromised, it can be used to
- transmit data to nearby compromised devices. It's unknown if it can be
- turned into a microphone[2].
- Replacement: headphones/speakers (line-out) or external DAC (USB).
-
- Remove the wlan (also remove wwan if you have it):
-
- Reason: has direct (and very fast) memory access, and could (theoretically) leak data over a side-channel.
- Wifi: The ath5k/ath9k cards might not have firmware at all. They might safe but could have
- access to the computer's RAM trough DMA. If people have an intel
- card(most X60's come with Intel wifi by default, until you change it),then that card runs
- a non-free firwamre and has access to the computer's RAM trough DMA! So
- it's risk-level is very high.
- Wwan (3d modem): They run proprietary software and have access to the
- computer's RAM! So it's like AMT but over the GSM network which is
- probably even worse.
- Replacement: external USB wifi dongle. (or USB wwan/3g dongle; note, this has all the same privacy issues as mobile phones. wwan not recommended).
-
- Go to http://media.ccc.de/browse/congress/2013/30C3_-_5529_-_en_-_saal_2_-_201312271830_-_hardening_hardware_and_choosing_a_goodbios_-_peter_stuge.html - or directly to the video: http://mirror.netcologne.de/CCC/congress/2013/webm/30c3-5529-en-Hardening_hardware_and_choosing_a_goodBIOS_webm.webm. -
-- A lot of this tutorial is based on that video. Look towards the second half of the video to see how to do the above. -
- -- EC: Cannot be removed but can be mitigated: it contains non-free - non-loadable code, but it has no access to the computer's RAM. - It has access to the on-switch of the wifi, bluetooth, modem and some - other power management features. The issue is that it has access to the - keyboard, however if the software security howto (not yet written) is followed correctly, - it won't be able to leak data to a local attacker. It has no network - access but it may still be able to leak data remotely, but that - requires someone to be nearby to recover the data with the help of an - SDR and some directional antennas[3]. -
-- Intel 82573 Ethernet controller - on the X60 seems safe, according to Denis. -
- -- Explain that black hats, TAO, and so on might use a 0day to get in, - and explain that in this case it mitigates what the attacker can do. - Also the TAO do some evaluation before launching an attack: they take - the probability of beeing caught into account, along with the kind of - target. A 0day costs a lot of money, I heard that it was from 100000$ - to 400000$, some other websites had prices 10 times lower but that - but it was probably a typo. So if people increase their security it - makes it more risky and more costly to attack people. -
-- It's possible to turn headphones into a microphone, you could try - yourself, however they don't record loud at all. Also intel cards have - the capability to change a connector's function, for instance the - microphone jack can now become a headphone plug, that's called - retasking. There is some support for it in GNU/Linux but it's not very - well known. -
-- 30c3-5356-en-Firmware_Fat_Camp_webm.webm from the 30th CCC. While - their demo is experimental(their hardware also got damaged during the - transport), the spies probably already have that since a long time. - http://berlin.ftp.media.ccc.de/congress/2013/webm/30c3-5356-en-Firmware_Fat_Camp_webm.webm -
- -
- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions.
- A copy of the license can be found at ../license.txt.
-
- This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. -
- - - diff --git a/docs/howtos/x60_security/0000.jpg b/docs/howtos/x60_security/0000.jpg deleted file mode 100644 index ce0ec3b..0000000 --- a/docs/howtos/x60_security/0000.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_security/0000_bluetooth.jpg b/docs/howtos/x60_security/0000_bluetooth.jpg deleted file mode 100644 index 94a255f..0000000 --- a/docs/howtos/x60_security/0000_bluetooth.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_security/0000_bluetooth0.jpg b/docs/howtos/x60_security/0000_bluetooth0.jpg deleted file mode 100644 index a750b0c..0000000 --- a/docs/howtos/x60_security/0000_bluetooth0.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_security/0000_simcard0.jpg b/docs/howtos/x60_security/0000_simcard0.jpg deleted file mode 100644 index 40837ea..0000000 --- a/docs/howtos/x60_security/0000_simcard0.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_security/0000_simcard1.jpg b/docs/howtos/x60_security/0000_simcard1.jpg deleted file mode 100644 index c0a5b35..0000000 --- a/docs/howtos/x60_security/0000_simcard1.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_security/0001.jpg b/docs/howtos/x60_security/0001.jpg deleted file mode 100644 index 2bbc0ca..0000000 --- a/docs/howtos/x60_security/0001.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_security/0001_microphone.jpg b/docs/howtos/x60_security/0001_microphone.jpg deleted file mode 100644 index c419060..0000000 --- a/docs/howtos/x60_security/0001_microphone.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_security/0001_modem.jpg b/docs/howtos/x60_security/0001_modem.jpg deleted file mode 100644 index 6a7a6a0..0000000 --- a/docs/howtos/x60_security/0001_modem.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_security/0001_overview.jpg b/docs/howtos/x60_security/0001_overview.jpg deleted file mode 100644 index 7268e49..0000000 --- a/docs/howtos/x60_security/0001_overview.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_security/0001_speaker.jpg b/docs/howtos/x60_security/0001_speaker.jpg deleted file mode 100644 index 28d3ed6..0000000 --- a/docs/howtos/x60_security/0001_speaker.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_security/0001_wlan_wwan.jpg b/docs/howtos/x60_security/0001_wlan_wwan.jpg deleted file mode 100644 index 0db858d..0000000 --- a/docs/howtos/x60_security/0001_wlan_wwan.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_security/0002.jpg b/docs/howtos/x60_security/0002.jpg deleted file mode 100644 index b55db3b..0000000 --- a/docs/howtos/x60_security/0002.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_security/0003.jpg b/docs/howtos/x60_security/0003.jpg deleted file mode 100644 index c5799ae..0000000 --- a/docs/howtos/x60_security/0003.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_security/0004.jpg b/docs/howtos/x60_security/0004.jpg deleted file mode 100644 index cd47840..0000000 --- a/docs/howtos/x60_security/0004.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick.html b/docs/howtos/x60_unbrick.html deleted file mode 100644 index 945712d..0000000 --- a/docs/howtos/x60_unbrick.html +++ /dev/null @@ -1,310 +0,0 @@ - - - - - - - - -Or go back to main index
- -
- You still have Lenovo BIOS, or you had libreboot running and you flashed another ROM; and you had bucts 1 set and
- the ROM wasn't dd'd.* or if Lenovo BIOS was present and libreboot wasn't flashed.
-
- In this case, unbricking is easy: reset BUC.TS to 0 by removing that yellow cmos coin (it's a battery) and putting it back after a minute or two:
-
-
- *Those dd commands should be applied to all newly compiled X60 ROM's (the ROM's in libreboot binary archives already have this applied!):
- dd if=coreboot.rom of=top64k.bin bs=1 skip=$[$(stat -c %s coreboot.rom) - 0x10000] count=64k
- dd if=coreboot.rom bs=1 skip=$[$(stat -c %s coreboot.rom) - 0x20000] count=64k | hexdump
- dd if=top64k.bin of=coreboot.rom bs=1 seek=$[$(stat -c %s coreboot.rom) - 0x20000] count=64k conv=notrunc
- (doing this makes the ROM suitable for use when flashing a machine that still has Lenovo BIOS running,
- using those instructions: http://www.coreboot.org/Board:lenovo/x60/Installation.
-
- In this scenario, you compiled a ROM that had an incorrect configuration, or there is an actual bug preventing your machine from - booting. Or, maybe, you set BUC.TS to 0 and shut down after first flash while Lenovo BIOS was running. In any case, your machine is bricked and will not boot at all. -
-- "Unbricking" means flashing a known-good (working) ROM. The problem: you can't boot the machine, making this difficult. In this situation, external hardware (see hardware requirements above) is needed which can flash the SPI chip (where libreboot resides). -
-
- Remove those screws:
-
-
- Push the keyboard forward (carefully):
-
-
- Lift the keyboard up and disconnect it from the board:
-
-
- Grab the right-hand side of the chassis and force it off (gently) and pry up the rest of the chassis:
-
-
- You should now have this:
-
-
- Disconnect the wifi antenna cables, the modem cable and the speaker:
-
-
- Unroute the cables along their path, carefully lifting the tape that holds them in place. Then, disconnect the modem
- cable (other end) and power connection and unroute all the cables so that they dangle by the monitor hinge on the right-hand
- side:
-
-
- Disconnect the monitor from the motherboard, and unroute the grey antenna cable, carefully lifting the tape
- that holds it into place:
-
-
- Carefully lift the remaining tape and unroute the left antenna cable so that it is loose:
-
-
- Remove the screw that is highlighted (do NOT remove the other one; it holds part of the heatsink (other side) into place):
-
-
- Remove those screws:
-
-
- Carefully remove the plate, like so:
-
-
- Remove the SATA connector:
-
-
- Now remove the motherboard (gently) and cast the lcd/chassis aside:
-
-
- Lift back that tape and hold it with something. Highlighted is the SPI flash chip:
-
-
- At this point, you should wire up your programmer according to it's documentation. For me, this was (see: "SparkFun cable pin reference"):
- http://dangerousprototypes.com/docs/Common_Bus_Pirate_cable_pinouts.
- Correlating with the following information, I was able to wire up my pirate correctly:
- http://flashrom.org/Bus_Pirate#Connections
- And by following that advice:
- http://www.coreboot.org/Board:lenovo/x60/Installation#Howto.
- Note: that last page says to wire up only those 5 pins (see below) like that: 1, 2, 4, 5, 6.
- Note: and then, for power it says (on that coreboot.org page) to connect the power jack to the board and connect the
- AC adapter (without powering on the board).
- Note: I ignored that advice, and wired up all 8 pins. And it worked.
-
- Here is the pinout (correlate it with your programmer's documentation):
-
-
- My programmer, usb cable and clip:
-
- My programmer (bus pirate):
-
- My clip (pomona 5250):
-
- My USB mini a to b cable:
-
- Connecting the pomona:
-
- Connecting the USB cable from programmer to 2nd(working/non-bricked) computer, my T60:
-
- Programmer is now active:
-
- Now I install flashrom on the T60 (running Trisquel GNU/Linux) and do this:
- flashrom -p buspirate_spi:dev=/dev/ttyUSB0 -w bin/x60/libreboot_usqwerty.rom
- Note: there are also other ROM images for X60
- Note: this is using buspirate as the programmer, so it is flashing the X60, not the T60!
- Here's my terminal window on the T60:
-
- So, you should see the following:
- --
-
- flashrom v0.9.5.2-r1517 on Linux 3.2.0-61-generic (i686), built with libpci 3.1.8, GCC 4.6.3, little endian - flashrom is free software, get the source code at http://www.flashrom.org - - Calibrating delay loop... delay loop is unreliable, trying to continue OK. - Found Macronix flash chip "MX25L1605" (2048 kB, SPI) on buspirate_spi. - Reading old flash chip contents... done. - Erasing and writing flash chip... Erase/write done. - Verifying flash... VERIFIED. -- --
- Remove the programmer and put it away somewhere. Put back the tape and press firmly over it:
-
-
- Your empty chassis:
-
-
- Put the motherboard back in:
-
-
- Reconnect SATA:
-
-
- Put the plate back and re-insert those screws:
-
-
- Re-route that antenna cable around the fan and apply the tape:
-
-
- Route the cable here and then (not shown, due to error on my part) reconnect the monitor cable to the motherboard
- and re-insert the screws:
-
-
- Re-insert that screw:
-
-
- Route the black antenna cable like so:
-
-
- Tuck it in neatly like so:
-
-
- Route the modem cable like so:
-
-
- Connect modem cable to board and tuck it in neatly like so:
-
-
- Route the power connection and connect it to the board like so:
-
-
- Route the antenna and modem cables neatly like so:
-
-
- Connect the wifi antenna cables. At the start of the tutorial, this machine had an Intel wifi chip. Here you see I've replaced it with an
- Atheros AR5B95 (supports 802.11n and can be used without blobs):
-
-
- Connect the modem cable:
-
-
- Connect the speaker:
-
-
- You should now have this:
-
-
- Re-connect the upper chassis:
-
-
- Re-connect the keyboard:
-
-
- Re-insert the screws that you removed earlier:
-
-
- Power on!
-
-
- Trisquel live USB menu (using GRUB's ISOLINUX parser):
-
-
- Trisquel live desktop:
-
-
- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions.
- A copy of the license can be found at ../license.txt.
-
- This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. -
- - - diff --git a/docs/howtos/x60_unbrick/0000.jpg b/docs/howtos/x60_unbrick/0000.jpg deleted file mode 100644 index ce0ec3b..0000000 --- a/docs/howtos/x60_unbrick/0000.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0001.jpg b/docs/howtos/x60_unbrick/0001.jpg deleted file mode 100644 index 2bbc0ca..0000000 --- a/docs/howtos/x60_unbrick/0001.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0002.jpg b/docs/howtos/x60_unbrick/0002.jpg deleted file mode 100644 index b55db3b..0000000 --- a/docs/howtos/x60_unbrick/0002.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0003.jpg b/docs/howtos/x60_unbrick/0003.jpg deleted file mode 100644 index c5799ae..0000000 --- a/docs/howtos/x60_unbrick/0003.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0004.jpg b/docs/howtos/x60_unbrick/0004.jpg deleted file mode 100644 index cd47840..0000000 --- a/docs/howtos/x60_unbrick/0004.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0005.jpg b/docs/howtos/x60_unbrick/0005.jpg deleted file mode 100644 index 418c9d2..0000000 --- a/docs/howtos/x60_unbrick/0005.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0006.jpg b/docs/howtos/x60_unbrick/0006.jpg deleted file mode 100644 index 6d36d93..0000000 --- a/docs/howtos/x60_unbrick/0006.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0007.jpg b/docs/howtos/x60_unbrick/0007.jpg deleted file mode 100644 index 971ccdf..0000000 --- a/docs/howtos/x60_unbrick/0007.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0008.jpg b/docs/howtos/x60_unbrick/0008.jpg deleted file mode 100644 index 24e6526..0000000 --- a/docs/howtos/x60_unbrick/0008.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0009.jpg b/docs/howtos/x60_unbrick/0009.jpg deleted file mode 100644 index d318395..0000000 --- a/docs/howtos/x60_unbrick/0009.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0010.jpg b/docs/howtos/x60_unbrick/0010.jpg deleted file mode 100644 index 5e6fdc7..0000000 --- a/docs/howtos/x60_unbrick/0010.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0011.jpg b/docs/howtos/x60_unbrick/0011.jpg deleted file mode 100644 index edc14c7..0000000 --- a/docs/howtos/x60_unbrick/0011.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0012.jpg b/docs/howtos/x60_unbrick/0012.jpg deleted file mode 100644 index dbb6669..0000000 --- a/docs/howtos/x60_unbrick/0012.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0013.jpg b/docs/howtos/x60_unbrick/0013.jpg deleted file mode 100644 index 2d2b9dd..0000000 --- a/docs/howtos/x60_unbrick/0013.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0014.jpg b/docs/howtos/x60_unbrick/0014.jpg deleted file mode 100644 index 733f997..0000000 --- a/docs/howtos/x60_unbrick/0014.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0015.jpg b/docs/howtos/x60_unbrick/0015.jpg deleted file mode 100644 index 1e81166..0000000 --- a/docs/howtos/x60_unbrick/0015.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0016.jpg b/docs/howtos/x60_unbrick/0016.jpg deleted file mode 100644 index f10ca88..0000000 --- a/docs/howtos/x60_unbrick/0016.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0017.jpg b/docs/howtos/x60_unbrick/0017.jpg deleted file mode 100644 index 69b28c0..0000000 --- a/docs/howtos/x60_unbrick/0017.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0018.jpg b/docs/howtos/x60_unbrick/0018.jpg deleted file mode 100644 index 7145d9f..0000000 --- a/docs/howtos/x60_unbrick/0018.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0019.jpg b/docs/howtos/x60_unbrick/0019.jpg deleted file mode 100644 index 959a6ee..0000000 --- a/docs/howtos/x60_unbrick/0019.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0020.jpg b/docs/howtos/x60_unbrick/0020.jpg deleted file mode 100644 index e6b2536..0000000 --- a/docs/howtos/x60_unbrick/0020.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0021.jpg b/docs/howtos/x60_unbrick/0021.jpg deleted file mode 100644 index 65bcb60..0000000 --- a/docs/howtos/x60_unbrick/0021.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0022.jpg b/docs/howtos/x60_unbrick/0022.jpg deleted file mode 100644 index cfcad6d..0000000 --- a/docs/howtos/x60_unbrick/0022.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0023.jpg b/docs/howtos/x60_unbrick/0023.jpg deleted file mode 100644 index 10824fd..0000000 --- a/docs/howtos/x60_unbrick/0023.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0024.jpg b/docs/howtos/x60_unbrick/0024.jpg deleted file mode 100644 index 9ce9d45..0000000 --- a/docs/howtos/x60_unbrick/0024.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0025.jpg b/docs/howtos/x60_unbrick/0025.jpg deleted file mode 100644 index 7b6da73..0000000 --- a/docs/howtos/x60_unbrick/0025.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0026.jpg b/docs/howtos/x60_unbrick/0026.jpg deleted file mode 100644 index 526c11c..0000000 --- a/docs/howtos/x60_unbrick/0026.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0027.jpg b/docs/howtos/x60_unbrick/0027.jpg deleted file mode 100644 index 877dc59..0000000 --- a/docs/howtos/x60_unbrick/0027.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0028.jpg b/docs/howtos/x60_unbrick/0028.jpg deleted file mode 100644 index d22d932..0000000 --- a/docs/howtos/x60_unbrick/0028.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0029.jpg b/docs/howtos/x60_unbrick/0029.jpg deleted file mode 100644 index 27f9190..0000000 --- a/docs/howtos/x60_unbrick/0029.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0030.jpg b/docs/howtos/x60_unbrick/0030.jpg deleted file mode 100644 index 813b5c6..0000000 --- a/docs/howtos/x60_unbrick/0030.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0031.jpg b/docs/howtos/x60_unbrick/0031.jpg deleted file mode 100644 index 49fe541..0000000 --- a/docs/howtos/x60_unbrick/0031.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0032.jpg b/docs/howtos/x60_unbrick/0032.jpg deleted file mode 100644 index e8625ef..0000000 --- a/docs/howtos/x60_unbrick/0032.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0033.jpg b/docs/howtos/x60_unbrick/0033.jpg deleted file mode 100644 index 3abfa37..0000000 --- a/docs/howtos/x60_unbrick/0033.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0034.jpg b/docs/howtos/x60_unbrick/0034.jpg deleted file mode 100644 index c8ab597..0000000 --- a/docs/howtos/x60_unbrick/0034.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0035.jpg b/docs/howtos/x60_unbrick/0035.jpg deleted file mode 100644 index 03d5482..0000000 --- a/docs/howtos/x60_unbrick/0035.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0036.jpg b/docs/howtos/x60_unbrick/0036.jpg deleted file mode 100644 index 244c06c..0000000 --- a/docs/howtos/x60_unbrick/0036.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0037.jpg b/docs/howtos/x60_unbrick/0037.jpg deleted file mode 100644 index f55db4f..0000000 --- a/docs/howtos/x60_unbrick/0037.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0038.jpg b/docs/howtos/x60_unbrick/0038.jpg deleted file mode 100644 index 0735825..0000000 --- a/docs/howtos/x60_unbrick/0038.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0039.jpg b/docs/howtos/x60_unbrick/0039.jpg deleted file mode 100644 index dff9ba4..0000000 --- a/docs/howtos/x60_unbrick/0039.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0040.jpg b/docs/howtos/x60_unbrick/0040.jpg deleted file mode 100644 index 74a9b7f..0000000 --- a/docs/howtos/x60_unbrick/0040.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0041.jpg b/docs/howtos/x60_unbrick/0041.jpg deleted file mode 100644 index 1b15834..0000000 --- a/docs/howtos/x60_unbrick/0041.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0042.jpg b/docs/howtos/x60_unbrick/0042.jpg deleted file mode 100644 index 849a260..0000000 --- a/docs/howtos/x60_unbrick/0042.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0043.jpg b/docs/howtos/x60_unbrick/0043.jpg deleted file mode 100644 index c842695..0000000 --- a/docs/howtos/x60_unbrick/0043.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0044.jpg b/docs/howtos/x60_unbrick/0044.jpg deleted file mode 100644 index 2b78380..0000000 --- a/docs/howtos/x60_unbrick/0044.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0045.jpg b/docs/howtos/x60_unbrick/0045.jpg deleted file mode 100644 index d6d8e2d..0000000 --- a/docs/howtos/x60_unbrick/0045.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0046.jpg b/docs/howtos/x60_unbrick/0046.jpg deleted file mode 100644 index 5eef878..0000000 --- a/docs/howtos/x60_unbrick/0046.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0047.jpg b/docs/howtos/x60_unbrick/0047.jpg deleted file mode 100644 index 87517e0..0000000 --- a/docs/howtos/x60_unbrick/0047.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0048.jpg b/docs/howtos/x60_unbrick/0048.jpg deleted file mode 100644 index a701a48..0000000 --- a/docs/howtos/x60_unbrick/0048.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60_unbrick/0049.jpg b/docs/howtos/x60_unbrick/0049.jpg deleted file mode 100644 index 630ac53..0000000 --- a/docs/howtos/x60_unbrick/0049.jpg +++ /dev/null Binary files differ diff --git a/docs/howtos/x60t_unbrick/.htaccess b/docs/howtos/x60t_unbrick/.htaccess deleted file mode 100644 index 75da674..0000000 --- a/docs/howtos/x60t_unbrick/.htaccess +++ /dev/null @@ -1,2 +0,0 @@ -Options +Indexes -IndexOptions FancyIndexing FoldersFirst NameWidth=* DescriptionWidth=* diff --git a/docs/howtos/x60t_unbrick/0000.JPG b/docs/howtos/x60t_unbrick/0000.JPG deleted file mode 100644 index 4d8de31..0000000 --- a/docs/howtos/x60t_unbrick/0000.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60t_unbrick/0001.JPG b/docs/howtos/x60t_unbrick/0001.JPG deleted file mode 100644 index 7783c4f..0000000 --- a/docs/howtos/x60t_unbrick/0001.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60t_unbrick/0002.JPG b/docs/howtos/x60t_unbrick/0002.JPG deleted file mode 100644 index ddc6aac..0000000 --- a/docs/howtos/x60t_unbrick/0002.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60t_unbrick/0003.JPG b/docs/howtos/x60t_unbrick/0003.JPG deleted file mode 100644 index e1b6586..0000000 --- a/docs/howtos/x60t_unbrick/0003.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60t_unbrick/0004.JPG b/docs/howtos/x60t_unbrick/0004.JPG deleted file mode 100644 index b4ae18d..0000000 --- a/docs/howtos/x60t_unbrick/0004.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60t_unbrick/0005.JPG b/docs/howtos/x60t_unbrick/0005.JPG deleted file mode 100644 index b7b324b..0000000 --- a/docs/howtos/x60t_unbrick/0005.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60t_unbrick/0006.JPG b/docs/howtos/x60t_unbrick/0006.JPG deleted file mode 100644 index 795d02a..0000000 --- a/docs/howtos/x60t_unbrick/0006.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60t_unbrick/0007.JPG b/docs/howtos/x60t_unbrick/0007.JPG deleted file mode 100644 index 0ccdbad..0000000 --- a/docs/howtos/x60t_unbrick/0007.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60t_unbrick/0008.JPG b/docs/howtos/x60t_unbrick/0008.JPG deleted file mode 100644 index 5312934..0000000 --- a/docs/howtos/x60t_unbrick/0008.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60t_unbrick/0009.JPG b/docs/howtos/x60t_unbrick/0009.JPG deleted file mode 100644 index 9d8e7fa..0000000 --- a/docs/howtos/x60t_unbrick/0009.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60t_unbrick/0010.JPG b/docs/howtos/x60t_unbrick/0010.JPG deleted file mode 100644 index ea37b18..0000000 --- a/docs/howtos/x60t_unbrick/0010.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60t_unbrick/0011.JPG b/docs/howtos/x60t_unbrick/0011.JPG deleted file mode 100644 index ebbaa74..0000000 --- a/docs/howtos/x60t_unbrick/0011.JPG +++ /dev/null Binary files differ diff --git a/docs/howtos/x60tablet_unbrick.html b/docs/howtos/x60tablet_unbrick.html deleted file mode 100644 index da60227..0000000 --- a/docs/howtos/x60tablet_unbrick.html +++ /dev/null @@ -1,219 +0,0 @@ - - - - - - - - -Or go back to main index
- -
- You still have Lenovo BIOS, or you had libreboot running and you flashed another ROM; and you had bucts 1 set and
- the ROM wasn't dd'd.* or if Lenovo BIOS was present and libreboot wasn't flashed.
-
- In this case, unbricking is easy: reset BUC.TS to 0 by removing that yellow cmos coin (it's a battery) and putting it back after a minute or two:
-
-
- *Those dd commands should be applied to all newly compiled X60 ROM's (the ROM's in libreboot binary archives already have this applied!):
- dd if=coreboot.rom of=top64k.bin bs=1 skip=$[$(stat -c %s coreboot.rom) - 0x10000] count=64k
- dd if=coreboot.rom bs=1 skip=$[$(stat -c %s coreboot.rom) - 0x20000] count=64k | hexdump
- dd if=top64k.bin of=coreboot.rom bs=1 seek=$[$(stat -c %s coreboot.rom) - 0x20000] count=64k conv=notrunc
- (doing this makes the ROM suitable for use when flashing a machine that still has Lenovo BIOS running,
- using those instructions: http://www.coreboot.org/Board:lenovo/x60/Installation.
-
- In this scenario, you compiled a ROM that had an incorrect configuration, or there is an actual bug preventing your machine from - booting. Or, maybe, you set BUC.TS to 0 and shut down after first flash while Lenovo BIOS was running. In any case, your machine is bricked and will not boot at all. -
-- "Unbricking" means flashing a known-good (working) ROM. The problem: you can't boot the machine, making this difficult. In this situation, external hardware (see hardware requirements above) is needed which can flash the SPI chip (where libreboot resides). -
- -- -
- -
- Remove those screws:
-
-
- Remove the HDD:
-
-
- Push keyboard forward to loosen it:
-
-
- Lift:
-
-
- Remove those:
-
-
- - -
- -
- Also remove that (marked) and unroute the antenna cables:
-
-
- Some X60T's you have to unroute those too:
-
-
- Remove the LCD extend board screws. Also remove those screws (see blue marks) and remove/unroute the cables and remove the metal plate:
-
-
- Remove that screw and then remove the board:
-
-
- At this point, you should wire up your programmer according to it's documentation. For me, this was (see: "SparkFun cable pin reference"):
- http://dangerousprototypes.com/docs/Common_Bus_Pirate_cable_pinouts.
- Correlating with the following information, I was able to wire up my pirate correctly:
- http://flashrom.org/Bus_Pirate#Connections
- And by following that advice:
- http://www.coreboot.org/Board:lenovo/x60/Installation#Howto.
- Note: that last page says to wire up only those 5 pins (see below) like that: 1, 2, 4, 5, 6.
- Note: and then, for power it says (on that coreboot.org page) to connect the power jack to the board and connect the
- AC adapter (without powering on the board).
- Note: I ignored that advice, and wired up all 8 pins. And it worked.
-
- Here is the pinout (correlate it with your programmer's documentation):
-
- (SPI chip here is on the bottom of the board)
-
- Bus pirate:
-
-
- Pomona 5250:
-
-
- Connect pomona:
-
-
- Connect pirate to USB on 2nd computer:
-
-
- Pirate is active:
-
-
- -
- -- On the 2nd machine, I did: flashrom -p buspirate_spi:dev=/dev/ttyUSB0 -w bin/x60t/libreboot_ukqwerty.rom -
- -- flashrom v0.9.5.2-r1517 on Linux 3.2.0-61-generic (i686), built with libpci 3.1.8, GCC 4.6.3, little endian - flashrom is free software, get the source code at http://www.flashrom.org - - Calibrating delay loop... delay loop is unreliable, trying to continue OK. - Found Macronix flash chip "MX25L1605" (2048 kB, SPI) on buspirate_spi. - Reading old flash chip contents... done. - Erasing and writing flash chip... Erase/write done. - Verifying flash... VERIFIED. -- -
- At the end it says "VERIFIED", which means that the procedure worked. If you see this, it means that you can put your X60T back together. So let's do that now. -
- -- Reverse the steps to re-assemble your machine. -
- -
- Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
- This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions.
- A copy of the license can be found at ../license.txt.
-
- This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information. -
- - - -- cgit v0.9.1