Initial flashing instructions for R400.
This guide is for those who want libreboot on their ThinkPad R400 while they still have the original Lenovo BIOS present. This guide can also be followed (adapted) if you brick your R400, to know how to recover.
Before following this section, please make sure to setup your libreboot ROM properly first. Although ROM images are provided pre-built in libreboot, there are some modifications that you need to make to the one you chose before flashing. (instructions referenced later in this guide)
There are two possible flash chip sizes for the R400: 4MiB (32Mbit) or 8MiB (64Mbit). This can be identified by the type of flash chip present: 4MiB is SOIC-8 (8 pins), 8MiB is SOIC-16 (16 pins).
Refer to bbb_setup.html for how to setup the BBB for flashing.
The following shows how to connect clip to the BBB (on the P9 header), for SOIC-16 (clip: Pomona 5252):
POMONA 5252 (correlate with the BBB guide) === ethernet jack and VGA port ==== NC - - 21 1 - - 17 NC - - NC NC - - NC NC - - NC NC - - NC 18 - - 3.3V PSU RED 22 - - NC - this is pin 1 on the flash chip === SATA port === This is how you will connect. Numbers refer to pin numbers on the BBB, on the plugs near the DC jack.
The following shows how to connect clip to the BBB (on the P9 header), for SOIC-8 (clip: Pomona 5250):
POMONA 5250 (correlate with the BBB guide) === RAM slots ==== 18 - - 1 22 - - NC NC - - 21 3.3V PSU RED - - 17 - this is pin 1 on the flash chip === slot where the AC jack is connected ===
images/r400/r400_pomona.jpg shows everything connected. In this picture, the R400 is being flashed with the BBB.
No disassembly instructions yet, unfortunately. Check videos online or look at the Hardware Maintenance Manual from Lenovo for this machine. You will need to completely disassemble the machine, removing the motherboard from its metal shell. Connect your 5252/5250 (make sure to get it the right way round). Then connect the 3.3v PSU wire (red one) and make sure that everything else is connected.
Flashrom binaries for ARM (tested on a BBB) are distributed in libreboot_util. Alternatively, libreboot also distributes flashrom source code which can be built.
I did (SSH'd into the BBB):
# ./flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=512
In my case, the output was:
flashrom v0.9.7-r1854 on Linux 3.8.13-bone47 (armv7l) flashrom is free software, get the source code at http://www.flashrom.org Calibrating delay loop... OK. Found Macronix flash chip "MX25L6405(D)" (8192 kB, SPI) on linux_spi. Found Macronix flash chip "MX25L6406E/MX25L6436E" (8192 kB, SPI) on linux_spi. Found Macronix flash chip "MX25L6445E/MX25L6473E" (8192 kB, SPI) on linux_spi. Multiple flash chip definitions match the detected chip(s): "MX25L6405(D)", "MX25L6406E/MX25L6436E", "MX25L6445E/MX25L6473E" Please specify which chip definition to use with the -c <chipname> option.
This is just to test that it's working. In my case, I had to define which chip to use, like so (in your case
it may be different, depending on what flash chip you have):
# ./flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=512 -c "MX25L6405(D)"
At this point, you need to create a copy of the original lenovo firmware that is currently flashed. This is so that you can extract the gbe (gigabit ethernet) and flash descriptor regions for use in libreboot. These are not blobs, they only contain non-functional data (configuration details, fully readable) which is fully documented in public datasheets. The descriptor will need to be modified to disable the ME (also disable AMT) so that you can flash a ROM that excludes it.
How to backup factory.rom (change the -c option as neeed, for your flash chip):
# ./flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=512 -c "MX25L6405(D)" -r factory.rom
# ./flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=512 -c "MX25L6405(D)" -r factory1.rom
# ./flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=512 -c "MX25L6405(D)" -r factory2.rom
Now compare the 3 images:
# sha512sum factory*.rom
If the hashes match, then just copy one of them (the factory.rom) to a safe place (on a drive connected to another machine, not
the BBB). You will need it later for part of the deblobbing.
Information about the descriptor, gbe regions and how the ME was removed can be found in the notes linked at ../hcl/gm45_remove_me.html. Libreboot ROM images now include the 12KiB descriptor+gbe by default, generated using ich9gen; however, do note that the MAC address in the Gbe region is generic. Follow the instructions at ../hcl/gm45_remove_me.html#ich9gen and do what it says to change the MAC address inside your R400 ROM image, before flashing it.
Assuming that your libreboot ROM image is properly setup (modified descriptor plus gbe region included in the ROM),
then you can flash (assuming that the filename is libreboot.rom) for example I had to do:
# ./flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=512 -c "MX25L6405(D)" -w libreboot.rom
You might see errors, but if it says Verifying flash... VERIFIED at the end, then it's flashed and should boot. Test it! (boot your R400)
My output when running the command above:
flashrom v0.9.7-r1854 on Linux 3.8.13-bone47 (armv7l) flashrom is free software, get the source code at http://www.flashrom.org Calibrating delay loop... OK. Found Macronix flash chip "MX25L6405(D)" (8192 kB, SPI) on linux_spi. Reading old flash chip contents... done. Erasing and writing flash chip... FAILED at 0x00001000! Expected=0xff, Found=0x00, failed byte count from 0x00000000-0x0000ffff: 0xd716 ERASE FAILED! Reading current flash chip contents... done. Looking for another erase function. Erase/write done. Verifying flash... VERIFIED.
Copyright © 2014, 2015 Francis Rowe <info@gluglug.org.uk>
This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions.
A copy of the license can be found at ../license.txt.
This document is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information.
