This sections relates to disabling and removing the ME (Intel Management Engine) on the ThinkPad X200.
The ME is a blob that typically must be left inside the flash chip (in the ME region, as outlined by the default descriptor). On the X200, it is possible to remove it without any ill effects. All other parts of coreboot on the X200 can be blob-free, so removing the ME was the last obstacle to get X200 support in libreboot (the machine can also work without the microcode blobs).
Or back to main X200 compatibility page (x200.html).
This is what you will use to generate the deblobbed descriptor+gbe regions for your libreboot ROM image.
If you are working with libreboot_src (or git), you can find the source under resources/utilities/ich9deblob/
and will already be compiled if you ran ./builddeps or ./builddeps-ich9deblob from the main directory (./),
otherwise you can build it like so:
$ ./builddeps-ich9deblob
An executable file named ich9deblob will now appear under resources/utilities/ich9deblob/
If you are working with libreboot_bin release archive, you can find the utility included, statically compiled (for i686 and x86_64 on GNU/Linux) under ./ich9deblob/.
Place the factory.rom from your X200
(can be obtained using the guide at ../install/x200_external.html) in
the directory where you have your ich9deblob executable, then run the tool:
$ ./ich9deblob
A 12kiB file named deblobbed_descriptor.bin will now appear. Keep this and the factory.rom stored in a safe location! The first 4KiB contains the descriptor data region for your machine, and the next 8KiB contains the gbe region (config data for your gigabit NIC). These 2 regions could actually be separate files, but they are joined into 1 file in this case.
Assuming that your X200 libreboot image is named libreboot.rom, copy
the deblobbed_descriptor.bin file to where libreboot.rom is located
and then run:
$ dd if=deblobbed_descriptor.bin of=libreboot.rom bs=1 count=12k conv=notrunc
You should now have a libreboot.rom image containing the correct 4K descriptor and 8K gbe regions, which will then be safe to flash. Refer back to ../install/index.html#flashrom_x200 for how to flash it.
The sections below are adapted from (mostly) IRC logs related to early development getting the ME removed on the X200. They are useful for background information. This could not have been done without sgsit's help.
sgsit said this: There are problems with the DMAR table and I get a kernel panic with KVM but day to day it's fine with no ME or microcode.
Usual limitations apply for native graphics initialization (no VBT and/or INT10H and only GRUB works so no BIOS, so no DOS/Windows support - who cares? There is no system but GNU, and Linux is one of it's kernels).
When connecting the AC adapter while system is powered off, system will then power on. This probably happens in coreboot aswell. It's a minor annoyance, but it should be fixed (if it's not already fixed by now).
This method of disabling the ME leaves the flash descriptor and gbe in place (non-functional data, fully documented) and disables the ME using soft straps. This means that the gigabit ethernet will still work (putting the machine in non-descriptor mode would wipe it out, not to mention require hardware modifications that most users will be unwilling to make).
There is a tool called FITC which contains all the descriptor manipulation tools. This is what sgsit used initially; it's proprietary software, for Windows, but it was useful for liberating the X200 and making it a real target in libreboot. End justified means, and the software is no longer needed.
<sgsit> here's some output: Was a paste link. putting it here instead: Start (hex) End (hex) Length (hex) Area Name ----------- --------- ------------ --------- 00000000 003FFFFF 00400000 Flash Image 00000000 00000FFF 00001000 Descriptor Region 00000004 0000000F 0000000C Descriptor Map 00000010 0000001B 0000000C Component Section 00000040 0000004F 00000010 Region Section 00000060 0000006B 0000000C Master Access Section 00000060 00000063 00000004 CPU/BIOS 00000064 00000067 00000004 Manageability Engine (ME) 00000068 0000006B 00000004 GbE LAN 00000100 00000103 00000004 ICH Strap 0 00000104 00000107 00000004 ICH Strap 1 00000200 00000203 00000004 MCH Strap 0 00000EFC 00000EFF 00000004 Descriptor Map 2 00000ED0 00000EF7 00000028 ME VSCC Table 00000ED0 00000ED7 00000008 Flash device 1 00000ED8 00000EDF 00000008 Flash device 2 00000EE0 00000EE7 00000008 Flash device 3 00000EE8 00000EEF 00000008 Flash device 4 00000EF0 00000EF7 00000008 Flash device 5 00000F00 00000FFF 00000100 OEM Section 00001000 001F5FFF 001F5000 ME Region 001F6000 001F7FFF 00002000 GbE Region 001F8000 001FFFFF 00008000 PDR Region 00200000 003FFFFF 00200000 BIOS Region <sgsit> this is the one that's running on my machine at the moment: Was a paste link. Putting here instead: Start (hex) End (hex) Length (hex) Area Name ----------- --------- ------------ --------- 00000000 003FFFFF 00400000 Flash Image 00000000 00000FFF 00001000 Descriptor Region 00000004 0000000F 0000000C Descriptor Map 00000010 0000001B 0000000C Component Section 00000040 0000004F 00000010 Region Section 00000060 0000006B 0000000C Master Access Section 00000060 00000063 00000004 CPU/BIOS 00000064 00000067 00000004 Manageability Engine (ME) 00000068 0000006B 00000004 GbE LAN 00000100 00000103 00000004 ICH Strap 0 00000104 00000107 00000004 ICH Strap 1 00000200 00000203 00000004 MCH Strap 0 00000ED0 00000EF7 00000028 ME VSCC Table 00000ED0 00000ED7 00000008 Flash device 1 00000ED8 00000EDF 00000008 Flash device 2 00000EE0 00000EE7 00000008 Flash device 3 00000EE8 00000EEF 00000008 Flash device 4 00000EF0 00000EF7 00000008 Flash device 5 00000EFC 00000EFF 00000004 Descriptor Map 2 00000F00 00000FFF 00000100 OEM Section 00001000 00002FFF 00002000 GbE Region 00003000 00202FFF 00200000 BIOS Region Build Settings -------------- Flash Erase Size = 0x1000 Tool used: <sgsit> it's called 'Flash Image Tool' from the 4.x package <sgsit> you drag a complete image into it and the the tool decomposes the various components <sgsit> and allows you to set the soft straps This tool is proprietary, for Windows only, but was used to deblob the X200. End justified by means, and the utility is no longer needed (sgsit's ich9deblob utility documented at the top of the page is now used to create deblobbed descriptors).
Of the 8K, about 95% is 0xFF. The data is the gbe region is fully documented in this public datasheet: http://www.intel.co.uk/content/dam/doc/application-note/i-o-controller-hub-9m-82567lf-lm-v-nvm-map-appl-note.pdf
<sgsit> this is the only content: Was a paste link. putting it here instead: 00 1F 1F 1F 1F 1F 00 08 FF FF 83 10 FF FF FF FF 08 10 FF FF C3 10 EE 20 AA 17 F5 10 86 80 00 00 01 0D 00 00 00 00 05 06 20 30 00 0A 00 00 8B 8D 02 06 40 2B 43 00 00 00 F5 10 AD BA F5 10 BF 10 AD BA CB 10 AD BA AD BA 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 40 28 12 07 40 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF D9 F0 20 60 1F 00 02 00 13 00 00 80 1D 00 FF 00 16 00 DD CC 18 00 11 20 17 00 DD DD 18 00 12 20 17 00 00 80 1D 00 00 00 1F <sgsit> the first part is the MAC address which I've set to all 0x1F <sgsit> it's repeated half way through the 8k area. the rest is 0xFF <sgsit> it's not a blob - i've just found the intel docs with the full spec of the data there <sgsit> thanks to mtjm: http://www.intel.co.uk/content/dam/doc/application-note/i-o-controller-hub-9m-82567lf-lm-v-nvm-map-appl-note.pdf <sgsit> so we have a mostly functional libre x200 <sgsit> just need to sort some ACPI issues
The GBe region starts at 0x20A000 bytes from the *end* of a factory image and is 0x2000 bytes long. In libreboot (deblobbed) the descriptor is set to put it directly after the initial 4K flash descriptor. So the first 4K of the ROM is the descriptor, and then the next 8K is the gbe region.
<sgsit> interesting fact about the gbe checksum: it's supposed to add up to 0xBABA (in honour of Baba O'Reilly apparently) but it is actually 0x3ABA <sgsit> either the checksum doesn't matter or the MSB of the checksum isn't checked. strange though <sgsit> https://communities.intel.com/community/wired/blog/2010/10/14/how-to-basic-eeprom-checksums <sgsit> "One of those engineers loves classic rock music, so he selected 0xBABA" <sgsit> 0xBABA and 0x3ABA only differ by the most significant bit. <sgsit> the checksum in the GBe region of my X200S is 0x34BA <sgsit> when it should be 0xBABA 34BA is BABA in L33T speak. 3=B and 4=A. Thus, 34BA=BABA Apparently these intel people have a sense of humour.
http://www.intel.co.uk/content/dam/doc/datasheet/io-controller-hub-9-datasheet.pdf from page 850 onwards. This explains everything that is in the flash descriptor, which can be used to understand what libreboot is doing about modifying it.
How to deblob:
There's an interesting parameter called 'ME Alternate disable', which allows the ME to only handle hardware errata in the southbridge, but disables any other functionality. This is similar to the 'ignition' in the 5 series and higher but using the standard firmware instead of a small 128K version. Useless for libreboot, though.
To deblob the x200, you chop out the platform and ME regions and correct the addresses in flReg1-4. Then you set meDisable to 1 in ICHSTRAP0 and MCHSTRAP0.
How to patch the descriptor from the factory.rom dump
<sgsit> the data in the descriptor is little endian <sgsit> and it represents bits 24:12 of the address (bits 12-24. written as 24:12 since bit 24 is more nearer to left than bit 12) <sgsit> so x << 12 = address -- <sgsit> if it is in descriptor mode, the first 4 bytes will be 5A A5 F0 0F -- <fchmmr> so there are just 3 regions in libreboot (X200) rom then: <fchmmr> * descriptor (4K) <fchmmr> * gbe (8K) <fchmmr> * bios (rest of flash chip. CBFS also set to occupy this whole size)
Basically useless for libreboot. Removing it didn't cause any issues.
<mtjm> sgsit: thanks; have you checked what platform data partition has? my notes state that it has only a 448 byte fragment different from 0x00 or 0xff <sgsit> mtjm: the contents of mine from the stock rom are here: Was a paste link. Moving it here: 53 FC 75 06 91 CA FA 62 91 27 D9 BF 59 93 A6 03 38 FA 2E 96 02 8C BD 1D F5 5F A6 6A 87 30 47 45 25 70 9A 60 B9 62 FD 9D 64 E1 88 37 FB 59 17 C2 91 B0 A5 25 26 9B 36 44 85 09 E4 02 CC 91 28 8F 01 FF 22 D9 7B AA 61 97 5B E6 EE 7D CD F2 7F B1 83 74 36 88 6B 4C 4F D5 DF 11 1E DF C0 D9 87 48 CA DC 57 B7 F9 65 E4 E5 78 BA 90 78 D7 1E CB 3B C3 8E 34 27 B9 B7 29 3D AA 53 96 0B 7D F7 47 82 C6 E2 08 CD 94 49 10 C4 6D BD B2 2F BD 84 1B 20 EC 8C 7E 33 6A B0 20 8D A4 7C 10 61 AD 11 66 BA 8F B1 07 B1 52 C2 F0 B7 88 BB 3A 6F 27 8F C1 EA F7 BF 82 11 92 39 44 51 AB 19 25 2B 8A 7A D1 66 2B 82 FF CE C7 EC 78 E2 9F 47 BE C2 37 F7 5A 2E A6 57 B6 B3 66 2B 2D 33 20 C6 4D F7 26 41 57 70 DC 04 42 39 BD B8 96 71 3E B1 9C 13 76 BF E2 AC DD 65 E1 82 D6 46 F3 39 EA B5 FE F6 56 3F B9 67 DE 5E 08 8B 00 77 D9 94 D0 16 F0 97 BF A6 44 3A C1 27 22 E1 7C DD 2F 15 A1 D5 53 61 2A 37 F8 E1 94 8E 1F 3D 8F 79 08 37 09 45 AC 1B 33 75 FB 3D 1D 6E 67 22 3D C3 90 B4 F8 9E 31 09 6F 70 1F BC 9E 48 29 A0 1F 29 5E 1B B5 D3 C3 D7 6C 14 AE 63 FE F3 3A 23 98 78 4C C9 7E 9E F0 A4 72 9F FF 25 CC 6F 2B D1 41 27 00 A5 79 4A 37 D3 83 63 32 89 FB 03 2C AE 6B 33 31 1A 5A A2 A8 C5 5E 1F A5 BD 40 A7 76 7D A9 AC AC 18 21 6D F6 74 7D 18 19 C4 DE 6D D1 55 A0 C9 2C FD 6A 56 BB 1B 08 C1 B6 60 16 B7 EB D3 8B D8 BC 41 5F D6 86 A5 45 F8 A7 99 68 6E EA 4D EA B6 39 6E 9B 5D 0E 58 9B D8 00 00 <sgsit> i've removed it - doesn't seem to have had any ill effect <sgsit> the region is 32k but like yours the rest of it is 0x00 or 0xFF <mtjm> mine is different; maybe it's just something that the BIOS used <sgsit> i think that's the case
R400, R500 T400, T400s, T500 W500 X200, X200s, X200 Tablet, X301 ^ these are other gm45 targets for coreboot (not yet ported at the time of writing) that could be in libreboot one day ^ some of them have ATI or Intel graphics. Avoid ATI (proprietary video bios rom needed) <sgsit> from the mailing list where somebody was enquiring abouy an R400 port: <sgsit> Your dmidecode.log shows that you have DDR2 memory. <sgsit> Sadly, our current GM45 chipset code does only support DDR3 (which is used in the Roda RK9). <sgsit> If this isn't a fault in your DMI tables and you really have DDR2 memory, porting coreboot will be especially hard (some more month of extra) <sgsit> re DDR3 on the R400, that's really weird <sgsit> mtjm will be able to confirm but maybe there's something messed up in the HW of the R400 because it reports DDR2 text/r400/r400_dmidecode.txt is dmidecode output from factory bios on R400. Some of them use DDR2 memory, or DDR3 memory that is detected as DDR2, or they are GS45 chipset. Basically, some of them involve the hell of getting raminit right. but these are all fine targets that could be ported to coreboot based on the X200 port.
<sgsit> do you know if it's possible to flash thinkpads over the LPC debug connector at the front edge? <sgsit> that would make life much easier for machines like this <sgsit> all the Wistron manufactured machines have this thing called a "golden finger", normally at the front edge of the board <sgsit> you can plug a board in which gives diagnostic codes but i'm wondering whether it is capable of more <sgsit> http://www.endeer.cz/bios.tools/bios.html
sgsit couldn't use vt-x without microcode updates. setting vm to have 1 core made vm kernel panic. setting vm to use 2 cores made host kernel panic. Might be possible to workaround this in qemu. according to sgsit (if not, just use software-only virtualization, no acceleration) http://download.intel.com/design/mobile/specupdt/320121.pdf
Only X200 is known to work so far. X200S and X200 Tablet have raminit issues at the time of writing (GS45 chipset. X200 is GM45).
X200S issues (X200T probably also affected): <sgsit> fchmmr: some light reading - https://www.cs.cmu.edu/~410/doc/minimal_boot.pdf <sgsit> mentions RCOMP which is the current stumbling block <sgsit> oh god - SFF platform unsupported in write i/o initialization. <sgsit> i think the X200S is doomed <sgsit> hi. i've just flashed the X200 image to an X200S and i'm getting the error "SFF platform unsupported in RCOMP initialization." after "Setting IGD memory frequencies for VCO #1.". can anyone point me in the right direction to resolve this? <sgsit> full log here: text/x200s/cblog00.txt <sgsit> i've tried many different SODIMM combinations <PaulePanter> sgsit: src/northbridge/intel/gm45/raminit.c: die("SFF platform unsupported in RCOMP initialization.\n"); <PaulePanter> sgsit: Check the source why it gets there. Found with `git grep "SFF platform"`. <sgsit> PaulePanter: thanks, i'll investigate <sgsit> PaulePanter: damn, looks like GS45 is unsupported <sgsit> pgeorgi: do you know if adding RCOMP and write i/o init support to GS45 is going to be a nightmare? or is it a matter of studying datasheets? did you write the GM45 raminit code? <pgeorgi> sgsit: I helped write some parts, but nico was the principal author <pgeorgi> sgsit: I think the ddr3 side is pretty complete <fchmmr> nico_h ? <sgsit> pgeorgi: is it possible that GM45 is marked as unsupported because it wasn't able to be tested? <sgsit> *GS45 <pgeorgi> sgsit: we wrote that specifically for gm45. gs45 is unsupported because nobody ever cared for it <sgsit> i know that GS45 only supports 1066/1333 and GM45 supports 800 too. i wonder if that points to big differences in the ram init code <pgeorgi> fchmmr: nico_h, yes <sgsit> sorry i meant 667/800/1066 <pgeorgi> sgsit: everything is possible. my approach on this (absent reasonable datasheet access) would be to trace the vendor bios with serialice, then compare against the gm45 code, since it's probably somewhat similar <sgsit> pgeorgi: thanks for the advice. you've given me hope <pgeorgi> of course, after testing that the current gm45 code isn't just blocked by something trivial (eg. a pci id test) <sgsit> yes, i was going to try removing the die command first.. the laptop i'm working on has a WSON-8 flash chip so i'm going to have to get the soldering iron out again. boo <kmalkki> sgsit: some lenovo boards have WSON-8 and SOIC-8 layout on the PCB in parallel <kmalkki> sgsit: does the silk screen have SPI1 and SPI2 ? <sgsit> kmalkki: on the X200S the land array can take a SOIC-8 too. i don't (yet) have a hot air rework tool though <sgsit> only thing is the supported SOIC-8 chips on that board are all 4MiB <kmalkki> sgsit: you can switch from WSON-8 to SOIC-8 if you have matching IDs on the SPI flash part <kmalkki> vendor bios might care, but for coreboot and flashrom you can switch to different SPI part entirely <sgsit> but i was looking forward to having loads of free space to do interesting things with <kmalkki> several options for 8MiB in SOIC-8 <sgsit> kmalkki: sorry, i hadn't realised the significance of what you were saying. i actually have some new MX25L6445EM2I-10G here which i could probably swap over then. would flashing internally, using the ICH be a problem? <kmalkki> sgsit: change of SPI flash part may confuse vendor BIOS and may require (simple) coreboot and flashrom development work <kmalkki> sgsit: internal flashing is only issue once your system boots to OS <sgsit> fchmmr: i have renewed hope for the X200S. after digging through the datasheet, i've discovered that the GS45 operates in 2 modes. <sgsit> low and high performance <sgsit> low performance uses the SU range of ultra-low voltage chips eg SU9400 <sgsit> my X200S has an SL9400 which is in the high-performance category <sgsit> from the docs, the GS45 behaves just like the GM45 when it's in high performance mode. <sgsit> i expect / hope that the coreboot devs were wary of the other mode. with any luck, if i remove the checks (or hardcode the sff param to 0) the board may just boot up. i may have time to try this later <sgsit> <fchmmr> I take it that the low-performance ones still wouldn't work, so for now you'd have to be careful to get one that has a particular cpu in it. <sgsit> that's my assumption <sgsit> orly_owl: no, i don't think so. the ulv cpus run at a different voltage. this is good news though, unless you buy an SUxxxx model <sgsit> fchmmr: my hand crafted and untested patch for raminit.c: <sgsit> --- <sgsit> 113 <sgsit> +++ sysinfo->gs45_low_power_mode = 1; <sgsit> 113 sysinfo->gs45_low_power_mode = 0; <sgsit> --- <sgsit> 1696 const int sff = sysinfo->gfx_type == GMCH_GS45; <sgsit> +++ <sgsit> 1696 const int sff = sysinfo->gfx_type == GMCH_GS45 && sysinfo->gs45_low_power_mode = 1; <sgsit> * 1696 const int sff = sysinfo->gfx_type == GMCH_GS45 && sysinfo->gs45_low_power_mode == 1; <sgsit> i'll try it later <sgsit> it assumes that GS45 is in high performance mode rather than low power which is no good for the masses <sgsit> fchmmr: progress ;) <sgsit> text/x200s/cblog01.txt <sgsit> doesn't like my 2GB dimms but it at least boots with 2x4GB <sgsit> haven't put it back together yet so no idea if it's stable <sgsit> note line 12 - GMCH: GS45, using high performance mode by default <sgsit> with the patch i wrote blind earlier <sgsit> needs testing <sgsit> may be barely functional <sgsit> and has problems with some SODIMMS <sgsit> text/x200s/cblog02.txt (2x2GB) <sgsit> text/x200s/cblog03.txt (1x2GB) <sgsit> the GS45 in high performance mode is just a shrunken GM45 afaict
Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions.
A copy of the license can be found at ../license.txt.
This document is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../../license.txt for more information.
