diff options
author | Francis Rowe <info@gluglug.org.uk> | 2014-11-05 20:52:36 (EST) |
---|---|---|
committer | Francis Rowe <info@gluglug.org.uk> | 2014-11-05 20:52:36 (EST) |
commit | 8b2219bfa2da36e7809588ef723a10483a6e137f (patch) | |
tree | 8c4d74b9efbdabc1a2604b8cbd508c006c225241 /docs/howtos | |
parent | 7429bdcdbb4fc51c61897115112468642afeecfc (diff) | |
download | libreboot-8b2219bfa2da36e7809588ef723a10483a6e137f.zip libreboot-8b2219bfa2da36e7809588ef723a10483a6e137f.tar.gz libreboot-8b2219bfa2da36e7809588ef723a10483a6e137f.tar.bz2 |
Documentation: *major* cleanup.
Cleanup was long overdue. Old structure was messy and inefficient.
Diffstat (limited to 'docs/howtos')
194 files changed, 0 insertions, 4471 deletions
diff --git a/docs/howtos/cbfstool_libreboot5_strace b/docs/howtos/cbfstool_libreboot5_strace deleted file mode 100644 index 7e3794f..0000000 --- a/docs/howtos/cbfstool_libreboot5_strace +++ /dev/null @@ -1,48 +0,0 @@ -# strace ./cbfstool coreboot.rom add -n grub.cfg -f grub.cfg -t raw -execve("./cbfstool", ["./cbfstool", "coreboot.rom", "add", "-n", "grub.cfg", "-f", "grub.cfg", "-t", "raw"], [/* 25 vars */]) = 0 -brk(0) = 0x9577000 -access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) -mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb76f6000 -access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) -open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 -fstat64(3, {st_mode=S_IFREG|0644, st_size=94605, ...}) = 0 -mmap2(NULL, 94605, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb76de000 -close(3) = 0 -access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) -open("/lib/i386-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 -read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220\232\1\0004\0\0\0"..., 512) = 512 -fstat64(3, {st_mode=S_IFREG|0755, st_size=1775080, ...}) = 0 -mmap2(NULL, 1784604, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb752a000 -mmap2(0xb76d8000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1ae) = 0xb76d8000 -mmap2(0xb76db000, 11036, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb76db000 -close(3) = 0 -mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7529000 -set_thread_area({entry_number:-1 -> 6, base_addr:0xb7529900, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0 -mprotect(0xb76d8000, 8192, PROT_READ) = 0 -mprotect(0x8067000, 4096, PROT_READ) = 0 -mprotect(0xb7719000, 4096, PROT_READ) = 0 -munmap(0xb76de000, 94605) = 0 -brk(0) = 0x9577000 -brk(0x9598000) = 0x9598000 -open("grub.cfg", O_RDONLY) = 3 -fstat64(3, {st_mode=S_IFREG|0644, st_size=810, ...}) = 0 -mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb76f5000 -fstat64(3, {st_mode=S_IFREG|0644, st_size=810, ...}) = 0 -_llseek(3, 0, [0], SEEK_SET) = 0 -read(3, "set default=\"0\"\nset timeout=1\nse"..., 810) = 810 -_llseek(3, 810, [810], SEEK_SET) = 0 -close(3) = 0 -munmap(0xb76f5000, 4096) = 0 -open("coreboot.rom", O_RDONLY) = 3 -fstat64(3, {st_mode=S_IFREG|0644, st_size=2097152, ...}) = 0 -mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb76f5000 -fstat64(3, {st_mode=S_IFREG|0644, st_size=2097152, ...}) = 0 -_llseek(3, 2097152, [2097152], SEEK_SET) = 0 -_llseek(3, 0, [0], SEEK_SET) = 0 -mmap2(NULL, 2101248, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7328000 -read(3, "LARCHIVE\0\0\6\30\0\0\1\252\0\0\0\0\0\0\0(cmos_lay"..., 2097152) = 2097152 -close(3) = 0 -munmap(0xb76f5000, 4096) = 0 ---- SIGSEGV (Segmentation fault) @ 0 (0) --- -+++ killed by SIGSEGV +++ -Segmentation fault diff --git a/docs/howtos/configuring_parabola.html b/docs/howtos/configuring_parabola.html deleted file mode 100644 index 56c5420..0000000 --- a/docs/howtos/configuring_parabola.html +++ /dev/null @@ -1,784 +0,0 @@ -<!DOCTYPE html> -<html> -<head> - <meta charset="utf-8"> - <meta name="viewport" content="width=device-width, initial-scale=1"> - - <style type="text/css"> - body { - background:#fff; - color:#000; - font-family:sans-serif; - font-size:1em; - } - div.important { - background-color:#ccc; - } - </style> - - <title>Configuring Parabola (post-install)</title> -</head> - -<body> - <header> - <h1 id="pagetop">Configuring Parabola (post-install)</h1> - <aside>Or <a href="../index.html">back to main index</a></aside> - </header> - -<hr/> - - <h2>Table of Contents</h2> - <ul> - <li> - <a href="#pacman_configure">Configuring pacman</a> - <ul> - <li><a href="#pacman_update">Updating Parabola</a></li> - <li> - <a href="#pacman_maintain">Maintaining Parabola during system updates</a> - <ul> - <li><a href="#pacman_cacheclean">Clearing package cache after updating</a></li> - <li><a href="#pacman_commandequiv">Pacman command equivalents (compared to other package managers)</a></li> - </ul> - </li> - <li><a href="#yourfreedom">your-freedom</a></li> - </ul> - </li> - <li><a href="#useradd">Add a user account</a></li> - <li><a href="#systemd">System D</a></li> - <li><a href="#interesting_repos">Interesting repositories</a></li> - <li> - <a href="#network">Setup a network connection in Parabola</a> - <ul> - <li><a href="#network_hostname">Setting hostname</a></li> - <li><a href="#network_status">Network status</a></li> - <li><a href="#network_devicenames">Network interface names</a></li> - <li><a href="#network_setup">Network setup</a></li> - </ul> - </li> - <li><a href="#system_maintain">System maintenance</a> - important!</li> - <li> - <a href="#desktop">Configuring the desktop</a> - <ul> - <li><a href="#desktop_xorg">Install Xorg</a></li> - <li><a href="#desktop_kblayout">Xorg keyboard layout</a></li> - <li><a href="#desktop_lxde">Install LXDE</a></li> - <li><a href="#lxde_clock">LXDE - clock</a></li> - <li><a href="#lxde_font">LXDE - font</a></li> - <li><a href="#lxde_screenlock">LXDE - screenlock</a></li> - <li><a href="#lxde_automount">LXDE - automounting</a></li> - <li><a href="#lxde_suspend">LXDE - disable suspend</a></li> - <li><a href="#lxde_battery">LXDE - battery monitor</a></li> - <li><a href="#lxde_network">LXDE - network manager</a></li> - </ul> - </li> - </ul> - -<hr/> - - <p> - While not strictly related to the libreboot project, this guide - is intended to be useful for those interested in installing - Parabola on their libreboot machine. This is also beneficial because development - is now being done on Parabola, where Trisquel is no longer used by the maintainer - at the time of writing. - </p> - - <p> - It details configuration steps that I took after installing the base system, - as a follow up to <a href="encrypted_parabola.html">encrypted_parabola.html</a>. - This guide is likely to become obsolete at a later date (due to the volatile - 'rolling-release' model that Arch/Parabola both use), but attempts will be made to maintain it. - </p> - - <p> - <b> - This guide was valid on 2014-09-21. If you see any changes that should to be made at the present date, please get in touch - with the libreboot project! - </b> - </p> - - <p> - You do not necessarily have to follow this guide word-for-word; <i>parabola</i> is extremely flexible. - The aim here is to provide a common setup that most users will be happy with. While Parabola - can seem daunting at first glance (especially for new GNU/Linux users), with a simple guide it can provide - all of the same usability as Trisquel, without hiding any details from the user. - </p> - - <p> - Paradoxically, as you get more advanced Parabola can actually become <i>easier to use</i> - when you want to setup your machine in a special way compared to what most distributions provide. - You will find over time that other distributions tend to <i>get in your way</i>. - </p> - - <p> - <b> - This guide assumes that you already have Parabola installed. If you have not yet installed Parabola, - then <a href="encrypted_parabola.html">this guide</a> is highly recommended! - </b> - </p> - - <p> - A lot of the steps in this guide will refer to the Arch wiki. Arch is the upstream distribution that Parabola uses. - Most of this guide will also tell you to read wiki articles, other pages, manuals, and so on. In general it tries - to cherry pick the most useful information but nonetheless you are encouraged to learn as much as possible. - <b>It might take you a few days to fully install your system how you like, depending on how much you need to read. Patience is key, - especially for new users</b>. - </p> - - <p> - The Arch wiki will sometimes use bad language, such as calling the whole system Linux, using the term open-source (or closed-source), - and it will sometimes recommend the use of proprietary software. You need to be careful about this when reading anything on the - Arch wiki. - </p> - - <p> - Some of these steps require internet access. I'll go into networking later but for now, I just connected - my machine to a switch and did:<br/> - # <b>systemctl start dhcpcd.service</b><br/> - You can stop it later by running:<br/> - # <b>systemctl stop dhcpcd.service</b><br/> - For most people this should be enough, but if you don't have DHCP on your network then you should setup your network connection first:<br/> - <a href="#network">Setup network connection in Parabola</a> - </p> - -<hr/> - - <h2 id="pacman_configure">Configure pacman</h2> - <p> - pacman (<b>pac</b>kage <b>man</b>ager) is the name of the package management system in Arch, which Parabola - (as a deblobbed parallel effort) also uses. Like with 'apt-get' on debian-based systems like Trisquel, - this can be used to add/remove and update the software on your computer. - </p> - <p> - Based on <a href="https://wiki.parabolagnulinux.org/Installation_Guide#Configure_pacman">https://wiki.parabolagnulinux.org/Installation_Guide#Configure_pacman</a> - and from reading <a href="https://wiki.archlinux.org/index.php/Pacman">https://wiki.archlinux.org/index.php/Pacman</a> (make sure to read and understand this, - it's very important) and - <a href="https://wiki.parabolagnulinux.org/Official_Repositories">https://wiki.parabolagnulinux.org/Official_Repositories</a> - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - <h3 id="pacman_update">Updating Parabola</h3> - <p> - In the end, I didn't change my configuration for pacman. When you are updating, resync with the latest package names/versions:<br/> - # <b>pacman -Syy</b><br/> - (according to the wiki, -Syy is better than Sy because it refreshes the package list even if it appears to be up to date, - which can be useful when switching to another mirror).<br/> - Then, update the system:<br/> - # <b>pacman -Syu</b> - </p> - <p> - <b> - Before installing packages with 'pacman -S', always update first, using the notes above. - </b> - </p> - <p> - Keep an eye out on the output, or read it in /var/log/pacman.log. Sometimes, pacman will show messages - about maintenance steps that you will need to perform with certain files (typically configurations) - after the update. Also, you should check both the Parabola and Arch home pages to see if they mention any issues. - If a new kernel is installed, you should also update to be able to use it (the currently running kernel will - also be fine). It's generally good enough to update Parabola once every week, or maybe twice. As a - rolling release distribution, it's a good idea never to leave your install too outdated; update regularly. This - is simply because of the way the project works; old packages are deleted from the repositories quickly, once they are updated. - A system that hasn't been updated for quite a while will mean potentially more reading of previous posts through the website, - and more maintenance work. - </p> - <p> - The Arch forum can also be useful, if others have the same issue as you (if you encounter issues, that is). Parabola's - IRC channel (#parabola on freenode) can also help you. - </p> - <p> - Due to this and the volatile nature of Parabola/Arch, you should only update when you have at least a couple hours of spare time - in case of issues that need to be resolved. You should never update, for example, if you need your system for an important event, - like a presentation or sending an email to an important person before an allocated deadline, and so on. - </p> - <p> - Relax - packages are well-tested regularly when new updates are made to the repositories. Separate 'testing' repositories - exist for this exact reason. Despite what many people will tell you, Parabola is fairly stable and trouble-free, - so long as you are aware of how to check for issues, and are willing to spend some time fixing issues in - the rare event that they do occur. - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - <h3 id="pacman_maintain">Maintaining Parabola</h3> - <p> - Parabola is a very simple distro, in the sense that you are in full control - and everything is made transparent to you. One consequence is - that you also need to know what you are doing, and what you have done before. In general, keeping notes (such as what I have done - with this page) can be very useful as a reference in the future (if you wanted to re-install it or install the distro - on another computer, for example). - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - <h4 id="pacman_cacheclean">Cleaning the package cache</h4> - <p> - <b> - The following is very important as you continue to use, update and maintain your Parabola system:<br/> - <a href="https://wiki.archlinux.org/index.php/Pacman#Cleaning_the_package_cache">https://wiki.archlinux.org/index.php/Pacman#Cleaning_the_package_cache</a>. - Essentially, this guide talks about a directory that has to be cleaned once in a while, to prevent it from growing too big (it's a cache - of old package information, updated automatically when you do anything in pacman). - </b> - </p> - <p> - To clean out all old packages that are cached:<br/> - # <b>pacman -Sc</b> - </p> - <p> - The wiki cautions that this should be used with care. For example, since older packages are deleted from the repo, - if you encounter issues and want to revert back to an older package then it's useful to have the caches available. - Only do this if you are sure that you won't need it. - </p> - <p> - The wiki also mentions this method for removing everything from the cache, including currently installed packages that are cached:<br/> - # <b>pacman -Scc</b><br/> - This is inadvisable, since it means re-downloading the package again if you wanted to quickly re-install it. This should only be used - when disk space is at a premium. - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - <h4 id="pacman_commandequiv">pacman command equivalents</h4> - <p> - The following table lists other distro package manager commands, and their equivalent in pacman:<br/> - <a href="https://wiki.archlinux.org/index.php/Pacman_Rosetta">https://wiki.archlinux.org/index.php/Pacman_Rosetta</a> - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - - <h3 id="yourfreedom">your-freedom</h3> - <p> - your-freedom is a package specific to Parabola, and it is installed by default. What it does is conflict with packages - from Arch that are known to be non-free (proprietary) software. When migrating from Arch (there is a guide on the Parabola - wiki for migrating - converting - an existing Arch system to a Parabola system), installing - your-freedom will also fail if these packages are installed, citing them as conflicts; the recommended solution - is then to delete the offending packages, and continue installing <i>your-freedom</i>. - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - -<hr/> - - <h2 id="useradd">Add a user</h2> - <p> - Based on <a href="https://wiki.archlinux.org/index.php/Users_and_Groups">https://wiki.archlinux.org/index.php/Users_and_Groups</a>. - </p> - <p> - It is important (for security reasons) to create and use a non-root (non-admin) user account for every day use. The default 'root' account is intended - only for critical administrative work, since it has complete access to the entire operating system. - </p> - <p> - Read the entire document linked to above, and then continue. - </p> - <p> - Add your user:<br/> - # <b>useradd -m -G wheel -s /bin/bash <i>yourusername</i></b><br/> - Set a password:<br/> - # <b>passwd <i>yourusername</i></b> - </p> - - <p><a href="#pagetop">Back to top of page</a></p> - -<hr/> - - <h2 id="systemd">systemd</h2> - <p> - This is the name of the system used for managing services in Parabola. It is a good idea to become familiar with it. - Read <a href="https://wiki.archlinux.org/index.php/systemd">https://wiki.archlinux.org/index.php/systemd</a> - and <a href="https://wiki.archlinux.org/index.php/systemd#Basic_systemctl_usage">https://wiki.archlinux.org/index.php/systemd#Basic_systemctl_usage</a> - to gain a full understanding. <b>This is very important! Make sure to read them.</b> - </p> - <p> - An example of a 'service' could be a webserver (such as lighttpd), or sshd (openssh), dhcp, etc. There are countless others. - </p> - <p> - <a href="https://bbs.archlinux.org/viewtopic.php?pid=1149530#p1149530">https://bbs.archlinux.org/viewtopic.php?pid=1149530#p1149530</a> explains - the background behind the decision by Arch (Parabola's upstream supplier) to use systemd. - </p> - - <p> - The manpage should also help:<br/> - # <b>man systemd</b><br/> - The section on 'unit types' is especially useful. - </p> - - <p> - According to the wiki, systemd 'journal' keeps logs of a size up to 10% of the total size your / partition takes up. - on a 60GB root this would mean 6GB. That's not exactly practical, and can have performance implications later when the - log gets too big. Based on instructions from the wiki, I will reduce the total size of the journal to 50MiB (the wiki - recommends 50MiB). - </p> - <p> - Open /etc/systemd/journald.conf and find the line that says:<br/> - <i>#SystemMaxUse=</i><br/> - Change it to say:<br/> - <i>SystemMaxUse=50M</i> - </p> - <p> - The wiki also recommended a method for forwarding journal output to TTY 12 (accessible by pressing ctrl+alt+f12, - and you use ctrl+alt+[F1-F12] to switch between terminals). I decided not to enable it. - </p> - <p> - Restart journald:<br/> - # <b>systemctl restart systemd-journald</b> - </p> - - <p> - The wiki recommends that if the journal gets too large, you can also simply delete (rm -rf) everything inside /var/log/journald/* - but recommends backing it up. This shouldn't be necessary, since you already set the size limit above and systemd will automatically - start to delete older records when the journal size reaches it's limit (according to systemd developers). - </p> - - <p> - Finally, the wiki mentions 'temporary' files and the utility for managing them.<br/> - # <b>man systemd-tmpfiles</b><br/> - The command for 'clean' is:<br/> - # <b>systemd-tmpfiles --clean</b><br/> - According to the manpage, this <i>"cleans all files and directories with an age parameter"</i>. - According to the Arch wiki, this reads information in /etc/tmpfiles.d/ and /usr/lib/tmpfiles.d/ - to know what actions to perform. Therefore, it is a good idea to read what's stored in these locations - to get a better understanding. - </p> - <p> - I looked in /etc/tmpfiles.d/ and found that it was empty on my system. However, /usr/lib/tmpfiles.d/ contained some files. - The first one was etc.conf, containing information and a reference to this manpage:<br/> - # <b>man tmpfiles.d</b><br/> - Read that manpage, and then continue studying all of the files. - </p> - <p> - The systemd developers tell me that it usually isn't necessary to touch the systemd-tmpfiles utility manually at all. - </p> - - <p><a href="#pagetop">Back to top of page</a></p> - -<hr/> - - <h2 id="interesting_repos">Interesting repositories</h2> - <p> - Parabola wiki at <a href="https://wiki.parabolagnulinux.org/Repositories#kernels">https://wiki.parabolagnulinux.org/Repositories#kernels</a> - mentions about a repository called [kernels] for custom kernels that aren't in the default base. It might be worth looking into what is available - there, depending on your use case. - </p> - <p> - I enabled it on my system, to see what was in it. Edit /etc/pacman.conf and below the 'extra' section add:<br/> - <i> - [kernels]<br/> - Include = /etc/pacman.d/mirrorlist - </i> - </p> - <p> - Now sync with the repository:<br/> - # <b>pacman -Syy</b> - </p> - <p> - List all available packages in this repository:<br/> - # <b>pacman -Sl kernels</b> - </p> - <p> - In the end, I decided not to install anything from it but I kept the repository enabled regardless. - </p> - <p><a href="#pagetop">Back to top of page.</a></p> - -<hr/> - - <h2 id="network">Setup a network connection in Parabola</h2> - <p> - Read <a href="https://wiki.archlinux.org/index.php/Configuring_Network">https://wiki.archlinux.org/index.php/Configuring_Network</a>. - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - <h3 id="network_hostname">Set the hostname</h3> - <p> - This should be the same as the hostname that you set in /etc/hostname when installing Parabola. You can also do it with systemd (do so now, if you like):<br/> - # <b>hostnamectl set-hostname <i>yourhostname</i></b><br/> - This writes the specified hostname to /etc/hostname. More information can be found in these manpages:<br/> - # <b>man hostname</b><br/> - # <b>info hostname</b><br/> - # <b>man hostnamectl</b> - </p> - <p> - Add the same hostname to /etc/hosts, on each line. Example:<br/> - <i> - 127.0.0.1 localhost.localdomain localhost <u>myhostname</u><br/> - ::1 localhost.localdomain localhost <u>myhostname</u> - </i> - </p> - <p> - You'll note that I set both lines; the 2nd line is for IPv6. More and more ISP's are providing this now (mine does) - so it's good to be forward-thinking here. - </p> - <p> - The <i>hostname</i> utility is part of the <i>inetutils</i> package and is in core/, installed by default (as part of <i>base</i>). - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - <h3 id="network_status">Network Status</h3> - <p> - According to the Arch wiki, <a href="https://wiki.archlinux.org/index.php/Udev">udev</a> should already detect the ethernet chipset - and load the driver for it automatically at boot time. You can check this in the <i>"Ethernet controller"</i> section - when running this command:<br/> - # <b>lspci -v</b> - </p> - <p> - Look at the remaining sections <i>'Kernel driver in use'</i> and <i>'Kernel modules'</i>. In my case it was as follows:<br/> - <i> - Kernel driver in use: e1000e<br/> - Kernel modules: e1000e - </i> - </p> - <p> - Check that the driver was loaded by issuing <i>dmesg | grep module_name</i>. In my case, I did:<br/> - # <b>dmesg | grep e1000e</b> - </p> - <h3 id="network_devicenames">Network device names</h3> - <p> - According to <a href="https://wiki.archlinux.org/index.php/Configuring_Network#Device_names">https://wiki.archlinux.org/index.php/Configuring_Network#Device_names</a>, - it is important to note that the old interface names like eth0, wlan0, wwan0 and so on no longer apply. Instead, <i>systemd</i> - creates device names starting with en (for enternet), wl (for wifi) and ww (for wwan) with a fixed identifier that systemd automatically generates. - An example device name for your ethernet chipset would be <i>enp0s25</i>, where it is never supposed to change. - </p> - <p> - If you want to enable the old names (eth0, wlan0, wwan0, etc), the Arch wiki recommends - adding <i>net.ifnames=0</i> to your kernel parameters (in libreboot context, this would be accomplished by following the - instructions in <a href="grub_cbfs.html">grub_cbfs.html</a>). - </p> - <p> - For background information, - read <a href="http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/">Predictable Network Interface Names</a> - </p> - <p> - Show device names:<br/> - # <b>ls /sys/class/net</b> - </p> - <p> - Changing the device names is possible (I chose not to do it):<br/> - <a href="https://wiki.archlinux.org/index.php/Configuring_Network#Change_device_name">https://wiki.archlinux.org/index.php/Configuring_Network#Change_device_name</a> - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - <h3 id="network_setup">Network setup</h3> - <p> - I actually chose to ignore most of Networking section on the wiki. Instead, I plan to setup LXDE desktop with the graphical - network-manager client. Here is a list of network managers:<br/> - <a href="https://wiki.archlinux.org/index.php/List_of_applications/Internet#Network_managers">https://wiki.archlinux.org/index.php/List_of_applications/Internet#Network_managers</a>. - If you need to, set a static IP address (temporarily) using the networking guide an the Arch wiki, or start the dhcpcd service in systemd. - NetworkManager will be setup later, after installing LXDE. - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - -<hr/> - - <h2 id="system_maintain">System Maintenance</h2> - <p> - Read <a href="https://wiki.archlinux.org/index.php/System_maintenance">https://wiki.archlinux.org/index.php/System_maintenance</a> before continuing. - Also read <a href="https://wiki.archlinux.org/index.php/Enhance_system_stability">https://wiki.archlinux.org/index.php/Enhance_system_stability</a>. - <b>This is important, so make sure to read them!</b> - </p> - <p> - Install smartmontools (can be used to check smart data - note: HDD's use non-free firmware inside, it's transparent to you - but the smart data comes from it. Therefore, don't rely on it too much):<br/> - # <b>pacman -S smartmontools</b><br/> - Read <a href="https://wiki.archlinux.org/index.php/S.M.A.R.T.">https://wiki.archlinux.org/index.php/S.M.A.R.T.</a> to learn how to use it. - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - -<hr/> - - <h2 id="desktop">Configuring the desktop</h2> - <p> - Based on steps from - <a href="https://wiki.archlinux.org/index.php/General_recommendations#Graphical_user_interface">General Recommendations</a> on the Arch wiki. - The plan is to use LXDE and LXDM/LightDM, along with everything else that you would expect on other distributions that provide LXDE - by default. - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - - <h3 id="desktop_xorg">Installing Xorg</h3> - <p> - Based on <a href="https://wiki.archlinux.org/index.php/Xorg">https://wiki.archlinux.org/index.php/Xorg</a>. - </p> - <p> - Firstly, install it!<br/> - # <b>pacman -S xorg-server</b><br/> - I also recommend installing this (contains lots of useful tools, including <i>xrandr</i>):<br/> - # <b>pacman -S xorg-server-utils</b> - </p> - <p> - Install the driver. For me this was <i>xf86-video-intel</i> on the ThinkPad X60. T60 and macbook11/21 should be the same.<br/> - # <b>pacman -S xf86-video-intel</b><br/> - For other systems you can try:<br/> - # <b>pacman -Ss xf86-video- | less</b><br/> - Combined with looking at your <i>lspci</i> output, you can determine which driver is needed. - By default, Xorg will revert to xf86-video-vesa which is a generic driver and doesn't provide true hardware acceleration. - </p> - <p> - Other drivers (not just video) can be found by looking at the <i>xorg-drivers</i> group:<br/> - # <b>pacman -Sg xorg-drivers</b><br/> - </p> - <p> - Mostly you will rely on a display manager, but in case you ever want to start X without one:<br/> - # <b>pacman -S xorg-xinit</b> - </p> - <p> - <optional><br/> - Arch wiki recommends installing these, for testing that X works:<br/> - # <b>pacman -S xorg-twm xorg-xclock xterm</b><br/> - Refer to <a href="https://wiki.archlinux.org/index.php/Xinitrc">https://wiki.archlinux.org/index.php/Xinitrc</a>. - and test X:<br/> - # <b>startx</b><br/> - When you are satisfied, type <b><i>exit</i></b> in xterm, inside the X session.<br/> - Uninstall them (clutter. eww): # <b>pacman -S xorg-xinit xorg-twm xorg-xclock xterm</b><br/> - </optional> - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - - <h3 id="desktop_kblayout">Xorg keyboard layout</h3> - <p> - Refer to <a href="https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg">https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg</a>. - </p> - <p> - Xorg uses a different configuration method for keyboard layouts, so you will notice that the layout you - set in /etc/vconsole.conf earlier might not actually be the same in X. - </p> - <p> - To see what layout you currently use, try this on a terminal emulator in X:<br/> - # <b>setxkbmap -print -verbose 10</b> - </p> - <p> - In my case, I wanted to use the Dvorak (UK) keyboard which is quite different from Xorg's default Qwerty (US) layout. - </p> - <p> - I'll just say it now: <i>XkbModel</i> can be <i>pc105</i> in this case (ThinkPad X60, with a 105-key UK keyboard). - If you use an American keyboard (typically 104 keys) you will want to use <i>pc104</i>. - </p> - <p> - <i>XkbLayout</i> in my case would be <i>gb</i>, and <i>XkbVariant</i> would be <i>dvorak</i>. - </p> - <p> - The Arch wiki recommends two different methods for setting the keyboard layout:<br/> - <a href="https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_X_configuration_files">https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_X_configuration_files</a> and<br/> - <a href="https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_localectl">https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_localectl</a>. - </p> - <p> - In my case, I chose to use the <i>configuration file</i> method:<br/> - Create the file /etc/X11/xorg.conf.d/10-keyboard.conf and put this inside:<br/> - <i> - Section "InputClass"<br/> - Identifier "system-keyboard"<br/> - MatchIsKeyboard "on"<br/> - Option "XkbLayout" "gb"<br/> - Option "XkbModel" "pc105"<br/> - Option "XkbVariant" "dvorak"<br/> - EndSection - </i> - </p> - <p> - For you, the steps above may differ if you have a different layout. If you use a US Qwerty keyboard, then - you don't even need to do anything (though it might help, for the sake of being explicit). - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - - <h3 id="desktop_lxde">Install LXDE</h3> - <p> - Desktop choice isn't that important to me, so for simplicity I decided to use LXDE. It's lightweight - and does everything that I need. - If you would like to try something different, refer to - <a href="https://wiki.archlinux.org/index.php/Desktop_environment">https://wiki.archlinux.org/index.php/Desktop_environment</a> - </p> - <p> - Refer to <a href="https://wiki.archlinux.org/index.php/LXDE">https://wiki.archlinux.org/index.php/LXDE</a>. - </p> - <p> - Install it, choosing 'all' when asked for the default package list:<br/> - # <b>pacman -S lxde obconf</b> - </p> - <p> - I didn't want the following, so I removed them:<br/> - # <b>pacman -R lxmusic lxtask</b> - </p> - <p> - I also lazily installed all fonts:<br/> - # <b>pacman -S $(pacman -Ssq ttf-)</b> - </p> - <p> - LXDE comes with a terminal. You probably want a browser to go with that; I choose GNU IceCat, part of the <i><a href="https://gnu.org/">GNU project</a></i>:<br/> - # <b>pacman -S icecat</b><br/> - And a mail client:<br/> - # <b>pacman -S icedove</b> - </p> - <p> - In IceCat, go to <i>Preferences :: Advanced</i> and disable <i>GNU IceCat Health Report</i>. - </p> - <p> - I also like to install these:<br/> - # <b>pacman -S xsensors stress htop</b> - </p> - <p> - Enable LXDM (the default display manager, providing a graphical login):<br/> - # <b>systemctl enable lxdm.service</b><br/> - It will start when you boot up the machine. To start it now, do:<br/> - # <b>systemctl start lxdm.service</b> - </p> - <p> - Log in with your standard (non-root) user that you created earlier. - It is advisable to also create an xinitrc rule in case you ever want to start lxde without lxdm. - Read <a href="https://wiki.archlinux.org/index.php/Xinitrc">https://wiki.archlinux.org/index.php/Xinitrc</a>. - </p> - <p> - Open LXterminal:<br/> - $ <b>cp /etc/skel/.xinitrc ~</b><br/> - Open .xinitrc and add the following plus a line break at the bottom of the file.<br/> - <i> - # Probably not needed. The same locale info that we set before<br/> - # Based on advice from the LXDE wiki - export LC_ALL=en_GB.UTF-8<br/> - export LANGUAGE=en_GB.UTF-8<br/> - export LANG=en_GB.UTF-8<br/> - <br/> - # Start lxde desktop<br/> - exec startlxde<br/> - </i> - Now make sure that it is executable:<br/> - $ <b>chmod +x .xinitrc</b> - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - - <h3 id="lxde_clock">LXDE - clock</h3> - <p> - In <b>Digital Clock Settings</b> (right click the clock) I set the Clock Format to <i>%Y/%m/%d %H:%M:%S</i> - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - - <h3 id="lxde_font">LXDE - font</h3> - <p> - NOTE TO SELF: come back to this later. - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - - <h3 id="lxde_screenlock">LXDE - screenlock</h3> - <p> - Arch wiki recommends to use <i>xscreensaver</i>:<br/> - # <b>pacman -S xscreensaver</b> - </p> - <p> - Under <i>Preferences :: Screensaver</i> in the LXDE menu, I chose <i>Mode: Blank Screen Only</i>, - setting <i>Blank After</i>, <i>Cycle After</i> and <i>Lock Screen After</i> (checked) to 10 minutes. - </p> - <p> - You can now lock the screen with <i>Logout :: Lock Screen</i> in the LXDE menu. - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - - <h3 id="lxde_automount">LXDE - automounting</h3> - <p> - Refer to <a href="https://wiki.archlinux.org/index.php/File_manager_functionality">https://wiki.archlinux.org/index.php/File_manager_functionality</a>. - </p> - <p> - I chose to ignore this for now. NOTE TO SELF: come back to this later. - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - <h3 id="lxde_suspend">LXDE - disable suspend</h3> - <p> - When closing the laptop lid, the machine suspends. This is annoying at least to me. - NOTE TO SELF: disable it, then document the steps here. - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - <h3 id="lxde_battery">LXDE - battery monitor</h3> - <p> - Right click lxde panel and <i>Add/Remove Panel Items</i>. Click <i>Add</i> and select <i>Battery Monitor</i>, then click <i>Add</i>. - Close and then right-click the applet and go to <i>Battery Monitor Settings</i>, check the box that says <i>Show Extended Information</i>. - Now click <i>Close</i>. When you hover the cursor over it, it'll show information about the battery. - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - <h3 id="lxde_network">LXDE - Network Manager</h3> - <p> - Refer to <a href="https://wiki.archlinux.org/index.php/LXDE#Network_Management">https://wiki.archlinux.org/index.php/LXDE#Network_Management</a>. - Then I read: <a href="https://wiki.archlinux.org/index.php/NetworkManager">https://wiki.archlinux.org/index.php/NetworkManager</a>. - </p> - <p> - Install Network Manager:<br/> - # <b>pacman -S networkmanager</b> - </p> - <p> - You will also want the graphical applet:<br/> - # <b>pacman -S network-manager-applet</b><br/> - Arch wiki says that an autostart rule will be written at <i>/etc/xdg/autostart/nm-applet.desktop</i> - </p> - <p> - I want to be able to use a VPN at some point, so the wiki tells me to do:<br/> - # <b>pacman -S networkmanager-openvpn</b> - </p> - <p> - LXDE uses openbox, so I refer to:<br/> - <a href="https://wiki.archlinux.org/index.php/NetworkManager#Openbox">https://wiki.archlinux.org/index.php/NetworkManager#Openbox</a>. - </p> - <p> - It tells me for the applet I need:<br/> - # <b>pacman -S xfce4-notifyd gnome-icon-theme</b><br/> - Also, for storing authentication details (wifi) I need:<br/> - # <b>pacman -S gnome-keyring</b> - </p> - <p> - I wanted to quickly enable networkmanager:<br/> - # <b>systemctl stop dhcpcd</b><br/> - # <b>systemctl start NetworkManager</b><br/> - Enable NetworkManager at boot time:<br/> - # <b>systemctl enable NetworkManager</b> - </p> - <p> - Restart LXDE (log out, and then log back in). - </p> - <p> - I added the volume control applet to the panel (right click panel, and add a new applet). - I also later changed the icons to use the gnome icon theme, in <i>lxappearance</i>. - </p> - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - -<hr/> - - <p> - Copyright © 2014 Francis Rowe <info@gluglug.org.uk><br/> - This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at <a href="../license.txt">../license.txt</a>. - </p> - - <p> - This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See <a href="../license.txt">../license.txt</a> for more information. - </p> - -</body> -</html> diff --git a/docs/howtos/dock.html b/docs/howtos/dock.html deleted file mode 100644 index ef62e83..0000000 --- a/docs/howtos/dock.html +++ /dev/null @@ -1,163 +0,0 @@ -<!DOCTYPE html> -<html> -<head> - <meta charset="utf-8"> - <meta name="viewport" content="width=device-width, initial-scale=1"> - - <style type="text/css"> - body { - background:#fff; - color:#000; - font-family:sans-serif; - font-size:1em; - } - div.important { - background-color:#ccc; - } - </style> - - <title>Notes about DMA and the docking station (X60/T60)</title> -</head> - -<body> - <header> - <h1>Notes about DMA and the docking station (X60/T60)</h1> - <aside>Or <a href="../index.html">back to main index</a></aside> - </header> - -<pre> - -Use case: ---------- -Usually when people do full disk encryption, it's not really full disk, -instead they still have a /boot in clear. - -So an evil maid attack can still be done, in two passes: -1) Clone the hdd, Infect the initramfs or the kernel. -2) Wait for the user to enter its password, recover the password, -luksOpen the hdd image. - -I wanted a real full-disk encryption so I've put grub in flash and I -have the following: The HDD has a LUKS rootfs(containing /boot) on an -lvm partition, so no partition is in clear. - -So when the computer boots it executes coreboot, then grub as a payload. -Grub then opens the LUKS partition and loads the kernel and initramfs -from there. - -To prevent hardware level tempering(like reflashing), I used nail -polish with a lot of gilder, that acts like a seal. Then a high -resolution picture of it is taken, to be able to tell the difference. - -The problem: ------------- -But then comes the docking port issue: Some LPC pins are exported -there, such as the CLKRUN and LDRQ#. - -LDRQ# is "Encoded DMA/Bus Master Request": "Only needed by -peripherals that need DMA or bus mastering. Requires an -individual signal per peripheral. Peripherals may not share -an LDRQ# signal." - -So now DMA access is possible trough the dock connector. -So I want to be able to turn that off. - -If I got it right, the X60 has 2 superio, one is in the dock, and the -other one is in the laptop, so we have: - ________________ - _________________ | | -| | | Dock connector:| -|Dock: NSC pc87982|<--LPC--->D_LPC_DREQ0 | -|_________________| |_______^________| - | - | - | - | - ___________________|____ - | v | - | SuperIO: DLDRQ# | - | NSC pc87382 LDRQ# | - |___________________^____| - | - | - | - | - ___________________|___ - | v | - | Southbridge: LDRQ0 | - | ICH7 | - |_______________________| - - -The code: ---------- -Now if I look at the existing code, there is some superio drivers, like -pc87382 in src/superio/nsc, the code is very small. -The only interesting part is the pnp_info pnp_dev_info struct. - -Now if I look inside src/mainboard/lenovo/x60 there is some more -complete dock driver: - -Inside dock.c I see some dock_connect and dock_disconnect functions. - -Such functions are called during the initialisation (romstage.c) and -from the x60's SMI handler (smihandler.c). - -Questions: ----------- -1) Would the following be sufficent to prevent DMA access from the -outside: -> int dock_connect(void) -> { -> int timeout = 1000; -> + int val; -> + -> + if (get_option(&val, "dock") != CB_SUCCESS) -> + val = 1; -> + if (val == 0) -> + return 0; -> [...] -> } -> -> void dock_disconnect(void) { -> + if (dock_present()) -> + return; -> [...] -> } -2) Would an nvram option be ok for that? Should a Kconfig option be -added too? - -> config DOCK_AUTODETECT -> bool "Autodetect" -> help -> The dock is autodetected. If unsure select this option. -> -> config DOCK_DISABLED -> bool "Disabled" -> help -> The dock is always disabled. -> -> config DOCK_NVRAM_ENABLE -> bool "Nvram" -> help -> The dock autodetection is tried only if it is also enabled -> trough nvram. - -</pre> - -<hr/> - - <p> - Copyright © 2014 Francis Rowe <info@gluglug.org.uk><br/> - This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at <a href="../license.txt">../license.txt</a>. - </p> - - <p> - This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See <a href="../license.txt">../license.txt</a> for more information. - </p> - -</body> -</html> diff --git a/docs/howtos/encrypted_parabola.html b/docs/howtos/encrypted_parabola.html deleted file mode 100644 index 3a1a75d..0000000 --- a/docs/howtos/encrypted_parabola.html +++ /dev/null @@ -1,577 +0,0 @@ -<!DOCTYPE html> -<html> -<head> - <meta charset="utf-8"> - <meta name="viewport" content="width=device-width, initial-scale=1"> - - <style type="text/css"> - body { - background:#fff; - color:#000; - font-family:sans-serif; - font-size:1em; - } - div.important { - background-color:#ccc; - } - </style> - - <title>Installing Parabola GNU/Linux with full disk encryption (including /boot)</title> -</head> - -<body> - <header> - <h1>Installing Parabola GNU/Linux with full disk encryption (including /boot)</h1> - <aside>Or <a href="../index.html">back to main index</a></aside> - </header> - - <p> - Libreboot uses the GRUB <a href="http://www.coreboot.org/Payloads#GRUB_2">payload</a> - by default, which means that the GRUB configuration file - (where your GRUB menu comes from) is stored directly alongside libreboot - and it's GRUB payload executable, inside - the flash chip. In context, this means that installing distributions and managing them - is handled slightly differently compared to traditional BIOS systems. - </p> - - <p> - On most systems, the /boot partition has to be left unencrypted while the others are encrypted. - This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware - can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a - payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical - access to the machine. - </p> - - <p> - Boot Parabola's install environment. <a href="grub_boot_installer.html">How to boot a GNU/Linux installer</a>. - </p> - - <p> - For this guide I used the 2013 09 01 image to boot the live installer and install the system. - </p> - - <p> - Parabola is much more flexible than Trisquel, but also more involved to setup. Use Parabola. It's 10 million times better than Trisquel. - </p> - - <p> - Firstly if you use an SSD, beware there are issues with TRIM (not enabled through luks) and security issues if you do enable it. - See <a href="https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Discard.2FTRIM_support_for_solid_state_drives_.28SSD.29">this page</a> - for more info. - </p> - - <p> - <b>If you are using an SSD for this, make sure it's brand-new (or barely used). Or, otherwise, be sure that it never previously - contained plaintext copies of your data.</b> - </p> - - <p> - Wipe the MBR (if you use MBR):<br/> - # <b>lsblk</b><br/> - Your HDD is probably /dev/sda: - # <b>dd if=/dev/zero of=/dev/sda bs=446 count=1; sync</b><br/> - Never use SeaBIOS! The MBR section can easily be changed with malicious code, which SeaBIOS will blindly execute. - This guide is for libreboot with GRUB-as-payload only. - </p> - - <p> - Securely wipe the drive:<br/> - # <b>dd if=/dev/urandom of=/dev/sda; sync</b><br/> - NOTE: If you have an SSD, only do this the first time. If it was already LUKS-encrypted before, - use the info below to wipe the LUKS header. Also, check online for your SSD what the recommended - erase block size is. For example if it was 2MiB:<br/> - # <b>dd if=/dev/urandom of=/dev/sda bs=2M; sync</b> - </p> - <p> - If your drive was already LUKS encrypted (maybe you are re-installing your distro) then - it is already 'wiped'. You should just wipe the LUKS header. - <a href="https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/">https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/</a> - showed me how to do this. It recommends to do the first 3MiB. Now, that guide is recommending putting zero there. I'm doing to use urandom. Do this:<br/> - # <b>head -c 3145728 /dev/urandom > /dev/sda; sync</b><br/> - (wiping the LUKS header is important, since it has hashed passphrases and so on. It's 'secure', but 'potentially' a risk). - </p> - <p> - <b> - If you do plan to use an SSD, make sure to read - <a href="https://wiki.archlinux.org/index.php/Solid_State_Drives">https://wiki.archlinux.org/index.php/Solid_State_Drives</a><br/> - Edit /etc/fstab later on when chrooted into your install. Also, read the whole article and keep all points in mind, adapting - them for this guide. - </b> - </p> - - <p> - This guide will go through the installation steps taken at the time of writing, which may or may not change due to - the volatile nature of Parabola (it changes all the time). In general most of it should remain the same. If you spot mistakes, - please say so! This guide will be ported to the Parabola wiki at a later date. For up to date Parabola install guide, go to - the Parabola wiki. This guide essentially cherry picks the useful information (valid at the time of writing: 2014-09-15). - </p> - - <h2> - Change keyboard layout - </h2> - <p> - Parabola live shell assumes US Qwerty. If you have something different, use:<br/> - # <b>loadkeys LAYOUT</b><br/> - For me, LAYOUT would have been dvorak-uk. - </p> - - <h2>Getting started</h2> - <p> - The beginning is based on <a href="https://wiki.parabolagnulinux.org/Installation_Guide">https://wiki.parabolagnulinux.org/Installation_Guide</a>. - Then I referred to <a href="https://wiki.archlinux.org/index.php/Partitioning">https://wiki.archlinux.org/index.php/Partitioning</a> at first. - </p> - - <h2>dm-mod</h2> - <p> - device-mapper will be used - a lot. Make sure that the kernel module is loaded:<br/> - # <b>modprobe dm-mod</b> - </p> - - <h2>Create LUKS partition</h2> - <p> - I am using MBR partitioning, so I use cfdisk:<br/> - # <b>cfdisk /dev/sda</b> - </p> - <p> - I create a single large sda1 filling the whole drive, leaving it as the default type 'Linux' (83). - </p> - <p> - Now I refer to <a href="https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparation#Partitioning">https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparation#Partitioning</a>:<br/> - I am then directed to <a href="https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption">https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption</a>. - </p> - <p> - Parabola forces you to RTFM. - </p> - <p> - It tells me to run:<br/> - # <b>cryptsetup benchmark</b> (for making sure the list below is populated)<br/> - Then:<br/> - # <b>cat /proc/crypto</b><br/> - This gives me crypto options that I can use. It also provides a representation of the best way to setup LUKS (in this case, security is a priority; speed, a distant second). - To gain a better understanding, I am also reading:<br/> - # <b>man cryptsetup</b> - </p> - <p> - Following that page, based on my requirements, I do the following based on - based on <a href="https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode">https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode</a>. - Reading through, it seems like Serpent (encryption) and Whirlpool (hash) is the best option. - </p> - <p> - I am initializing LUKS with the following:<br/> - # <b>cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --use-random --verify-passphrase luksFormat /dev/sda1</b> - -- choose a <b>secure</b> passphrase here. Ideally lots of lowercase/uppercase numbers, letters, symbols etc all in a random pattern. The password - length should be as long as you are able to handle without writing it down or storing it anywhere. Ideally, 100 characters or more. - It might take you a while to memorize a long passphrase before beginning this step. - </p> - - <h2>Create LVM</h2> - <p> - Now I refer to <a href="https://wiki.archlinux.org/index.php/LVM">https://wiki.archlinux.org/index.php/LVM</a>. - </p> - <p> - Open the LUKS partition:<br/> - # <b>cryptsetup open --type luks /dev/sda1 lvm</b><br/> - (it will be available at /dev/mapper/lvm)<br/> - I'm told that the above is old syntax, which is what I did anyway. You could also try:<br/> - # <b>cryptsetup luksOpen /dev/sda1 lvm</b> - </p> - <p> - Create LVM partition:<br/> - # <b>pvcreate /dev/mapper/lvm</b><br/> - Show that you just created it:<br/> - # <b>pvdisplay</b> - </p> - <p> - Now I create the volume group, inside of which the logical volumes will be created:<br/> - # <b>vgcreate matrix /dev/mapper/lvm</b> (volume group name is 'matrix')<br/> - Show that you created it:<br/> - # <b>vgdisplay</b> - </p> - <p> - Now create the logical volumes:<br/> - # <b>lvcreate -L 2G matrix -n swapvol</b> (2G swap partition, named <u>swapvol</u>)<br/> - # <b>lvcreate -l +100%FREE matrix -n rootvol</b> (single large partition in the rest of the space, named <u>rootvol</u>)<br/> - You can also be flexible here, for example you can specify a /boot, a /, a /home, a /var, a /usr, etc. For example, - if you will be running a web/mail server then you want /var in it's own partition (so that if it fills up with logs, it won't crash your system). - For a home/laptop system (typical use case), a root and a swap will do (really). - </p> - <p> - Verify that the logical volumes were created, using the following command:<br/> - # <b>lvdisplay</b> - </p> - - <h2>Create / and swap partitions</h2> - <p> - For the swapvol LV I use:<br/> - # <b>mkswap /dev/mapper/matrix-swapvol</b> - </p> - <p> - For the rootvol LV I use:<br/> - # <b>mkfs.ext4 /dev/mapper/matrix-rootvol</b> - </p> - - <h2>Continue with Parabola installation</h2> - <p> - Mount the root (/) partition:<br/> - # <b>mount /dev/matrix/rootvol /mnt</b><br/> - </p> - <p> - This guide is really about GRUB, Parabola and cryptomount. I have to show how to install Parabola - so that the guide can continue. - </p> - <p> - Now I am following the rest of <a href="https://wiki.parabolagnulinux.org/Installation_Guide">https://wiki.parabolagnulinux.org/Installation_Guide</a>. - I also also cross referencing <a href="https://wiki.archlinux.org/index.php/Installation_guide">https://wiki.archlinux.org/index.php/Installation_guide</a>. - </p> - <p> - Create /home and /boot on rootvol mountpoint:<br/> - # <b>mkdir /mnt/home</b><br/> - # <b>mkdir /mnt/boot</b> - </p> - <p> - The wiki says to enable the swap so that it can be detected by 'genfstab':<br/> - # <b>swapon /dev/matrix/swapvol</b> - </p> - <p> - DHCP was already working for me, so I had internet during the install. Therefore, I ignore the 'Connect to the Internet' section of the install guide. - I also ignore wifi, since I can set that up after the install. For now, I am just using ethernet. - Otherwise, refer to <a href="https://wiki.archlinux.org/index.php/Configuring_Network">https://wiki.archlinux.org/index.php/Configuring_Network</a>. - You can test to see if internet is already working by pinging a few domains. - </p> - - <p> - I commented out all lines except the Server line for the UK Parabola server (main server) in <b>/etc/pacman.d/mirrorlist</b> and then did:<br/> - # <b>pacman -Syy</b><br/> - # <b>pacman -Syu</b><br/> - # <b>pacman -Sy pacman</b> (and then I did the other 2 steps above, again)<br/> - In my case I did the steps in the next paragraph, and followed the steps in this paragraph again. - </p> - <p> - <troubleshooting><br/> - The following is based on 'Verification of package signatures' in the Parabola install guide.<br/> - Check there first to see if steps differ by now.<br/> - Now you have to update the default Parabola keyring. This is used for signing and verifying packages:<br/> - # <b>pacman -Sy parabola-keyring</b><br/> - It says that you you get GPG errors, it's probably an expired key so do:<br/> - # <b>pacman-key --populate parabola</b><br/> - # <b>pacman-key --refresh-keys</b><br/> - # <b>pacman -Sy parabola-keyring</b><br/> - To be honest, you should do the above anyway. Parabola has a lot of maintainers, and a lot of keys. Really!<br/> - Also, it says that if the clock is set incorrectly then you have to manually set the correct time <br/> - (if keys are listed as expired because of it):<br/> - # <b>date MMDDhhmm[[CC]YY][.ss]</b><br/> - I also had to install:<br/> - # <b>pacman -S archlinux-keyring</b><br/> - # <b>pacman-key --populate archlinux</b><br/> - In my case I saw some conflicting files reported in pacman, stopping me from using it.<br/> - I deleted the files that it mentioned - and then it worked. Specifically, I had this error:<br/> - <i>licenses: /usr/share/licenses/common/MPS exists in filesystem</i><br/> - I rm -rf'd the file and then pacman worked. I'm told that the following would have also made it work:<br/> - # <b>pacman -Sf licenses</b><br/> - </troubleshooting><br/> - </p> - <p> - I also like to install other packages (base-devel, compilers and so on) and wpa_supplicant/dialog are needed for wireless after the install:<br/> - # <b>pacstrap /mnt base base-devel wpa_supplicant dialog</b> - </p> - - <h3>Configure the system</h3> - <p> - From the Parabola installation guide (Arch's one was identical):<br/> - # <b>genfstab -p /mnt >> /mnt/etc/fstab</b> - </p> - <p> - Chroot into new system:<br/> - # <b>arch-chroot /mnt</b> - </p> - <p> - It's a good idea to have this installed:<br/> - # <b>pacman -S linux-libre-lts</b> - </p> - <p> - It was also suggested that you should install this kernel (read up on what GRSEC is):<br/> - # <b>pacman -S linux-libre-grsec</b> - </p> - <p> - This is another kernel that sits inside /boot, which you can use. LTS means 'long-term support'. These are so-called 'stable' kernels - that can be used as a fallback during updates, if a bad kernel causes issues for you. - </p> - <p> - Parabola does not have wget. This is sinister. Install it:<br/> - # <b>pacman -S wget</b> - </p> - <ul> - <li>Write your hostname to /etc/hostname</li> - <li> - Symlink /etc/localtime to /usr/share/zoneinfo/Zone/SubZone. Replace Zone and Subzone to your liking. For example: - <ul> - <li># <b>ln -s /usr/share/zoneinfo/Europe/London /etc/localtime</b></li> - </ul> - </li> - <li> - Set <a href="https://wiki.parabolagnulinux.org/Locale#Setting_system-wide_locale">locale</a> preferences in /etc/locale.conf. In my case, I did:<br/> - <i> - LANG="en_GB.UTF-8"<br/> - # Keep the default sort order (e.g. files starting with a '.'<br/> - # should appear at the start of a directory listing.)<br/> - LC_COLLATE="C"<br/> - # Set the short date to YYYY-MM-DD (test with "date +%c")<br/> - LC_TIME="en_GB.UTF-8" - </i> - </li> - <li> - Add <a href="https://wiki.parabolagnulinux.org/KEYMAP">console keymap and font</a> preferences in /etc/vconsole.conf. In my case:<br/> - <i> - KEYMAP=dvorak-uk<br/> - FONT=Lat2-Terminus16 - </i> - </li> - <li> - Uncomment the selected locale (same as what you specified in /etc/locale.conf) in /etc/locale.gen and generate it with: - <ul> - <li># <b>locale-gen</b></li> - </ul> - </li> - <li> - Configure /etc/mkinitcpio.conf as needed (see <a href="https://wiki.parabolagnulinux.org/Mkinitcpio">mkinitcpio</a>) - Specifically, for this use case:<br/> - <ul> - <li> - add <b>i915</b> to the MODULES array (forces the driver to load earlier, so that the consolefont isn't wiped out after getting to login).<br/> - add <b>encrypt</b> and <b>lvm2</b> in that order, before the 'filesystems' entry in the HOOKS array.<br/> - add <b>keymap</b>, <b>consolefont</b> and <b>shutdown</b> to the end of the HOOKS array in that order.<br/> - move <b>keyboard</b>, <b>keymap</b> and <b>consolefont</b> in that order, to go before 'encrypt' in the HOOKS array.<br/> - At the end your HOOKS array will look like this:<br/> - <i>HOOKS="base udev autodetect modconf block keyboard keymap consolefont encrypt lvm2 filesystems fsck shutdown"</i> - <ul> - <li>keymap adds to initramfs the keymap that you specified in /etc/vconsole.conf</li> - <li>consolefont adds to initramfs the font that you specified in /etc/vconsole.conf</li> - <li>encrypt adds LUKS support to the initramfs - needed to unlock your disks at boot time</li> - <li>lvm2 adds LVM support to the initramfs - needed to mount the LVM partitions at boot time</li> - <li>shutdown is needed according to Parabola wiki for unmounting devices (such as LUKS/LVM) during shutdown</li> - <li> - Runtime modules can be found in /usr/lib/initcpio/hooks, and build hooks can be found in - /usr/lib/initcpio/install. - </li> - <li><b>mkinitcpio -H hookname</b> gives information about each hook.</li> - </ul> - </li> - </ul> - </li> - <li> - Now using mkinitcpio, you can create the kernel and ramdisk for booting with (note, this is different than Arch, specifying linux-libre instead of linux):<br/> - # <b>mkinitcpio -p linux-libre</b><br/> - Also do it for linux-libre-lts:<br/> - # <b>mkinitcpio -p linux-libre-lts</b><br/> - Also do it for linux-libre-grsec:<br/> - # <b>mkinitcpio -p linux-libre-grsec</b> - </li> - </ul> - - <h3>Set a root password</h3> - <p> - At the time of writing, Parabola used SHA512 by default for it's password hashing. - </p> - <p> - I referred to <a href="https://wiki.archlinux.org/index.php/SHA_password_hashes">https://wiki.archlinux.org/index.php/SHA_password_hashes</a>. - </p> - <p> - Open /etc/pam.d/passwd and add rounds=65536 at the end of the uncommented 'password' line. - </p> - <p> - # <b>passwd root</b><br/> - Make sure to set a secure password! Also, it must never be the same as your LUKS password. - </p> - - <h3>Extra security tweaks</h3> - <p> - Based on <a href="https://wiki.archlinux.org/index.php/Security">https://wiki.archlinux.org/index.php/Security</a>. - </p> - <p> - Restrict access to important directories:<br/> - # <b>chmod 700 /boot /etc/{iptables,arptables}</b> - </p> - <p> - Lockout user after three failed login attempts:<br/> - Edit the file /etc/pam.d/system-login and comment out that line:<br/> - <i># auth required pam_tally.so onerr=succeed file=/var/log/faillog</i><br/> - Or just delete it. Above it, put:<br/> - <i>auth required pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog</i><br/> - To unlock a user manually (if a password attempt is failed 3 times), do:<br/> - # <b>pam_tally --user <i>theusername</i> --reset</b> - What the above configuration does is lock the user out for 10 minutes, if they make 3 failed login attempts. - </p> - <p> - Configure sudo - not covered here. Will be covered post-installation in another tutorial, at a later date. - If this is a single-user system, you don't really need sudo. - </p> - - <h3>Unmount, reboot!</h3> - <p> - Exit from chroot:<br/> - # <b>exit</b> - </p> - <p> - unmount:<br/> - # <b>umount /mnt</b><br/> - # <b>swapoff -a</b> - </p> - <p> - deactivate the lvm lv's:<br/> - # <b>lvchange -an /dev/matrix/rootvol</b><br/> - # <b>lvchange -an /dev/matrix/swapvol</b><br/> - </p> - <p> - Lock the encrypted partition (close it):<br/> - # <b>cryptsetup luksClose lvm</b> - </p> - <p> - # <b>shutdown -h now</b><br/> - Then boot up again. - </p> - - <h3>Booting from GRUB</h3> - <p> - Initially you will have to boot manually. Press C to get to the GRUB command line. The underlined parts are optional - (using those 2 underlines will boot lts kernel instead of normal). - </p> - <p> - grub> <b>cryptomount -a (ahci0,msdos1)</b><br/> - grub> <b>set root='lvm/matrix-rootvol'</b><br/> - grub> <b>linux /boot/vmlinuz-linux-libre<u>-lts</u> root=/dev/matrix/rootvol cryptdevice=/dev/sda1:root</b><br/> - grub> <b>initrd /boot/initramfs-linux-libre<u>-lts</u>.img</b><br/> - grub> <b>boot</b><br/> - </p> - <p> - You could also make it load /boot/vmlinuz-linux-libre-grsec and /boot/initramfs-linux-libre-grsec.img - </p> - -<hr/> - - <h2>Modify grub.cfg inside the ROM</h2> - - <p> - Now you need to modify the ROM, so that Parabola can boot automatically with this configuration. - <a href="grub_cbfs.html">grub_cbfs.html</a> shows you how. Follow that guide, using the configuration details below. - </p> - <p> - Inside the 'Load Operating System' menu entry, change the contents to:<br/> - <b><i> - cryptomount -a (ahci0,msdos1)<br/> - set root='lvm/matrix-rootvol'<br/> - linux /boot/vmlinuz-linux-libre<u>-lts</u> root=/dev/matrix/rootvol cryptdevice=/dev/sda1:root<br/> - initrd /boot/initramfs-linux-libre<u>-lts</u>.img - </i></b> - </p> - - <p> - Note: the underlined parts above (-lts) can also be removed, to boot the latest kernel instead of LTS (long-term support) kernels. - You could also copy the menu entry and in one have -lts, and without in the other menuentry. - You could also create a menu entry to load /boot/vmlinuz-linux-libre-grsec and /boot/initramfs-linux-libre-grsec.img - </p> - - <p> - Personally, I opted to have the entry for linux-libre-grsec at the top, so that it would load by default. - </p> - - <p> - Above the 'Load Operating System' menu entry you should also add a GRUB password, like so: - </p> -<pre><b><i>set superusers="root" -password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711 -</i></b></pre> - - <p> - Note that the above entry specifies user 'root'; this is just a username for GRUB. You don't even need to use root. - Change root on both of those 2 lines to whatever you want. - </p> - - <p> - Start dhcp on ethernet:<br/> - # <b>systemctl start dhcpcd.service</b> - This is just for the step below. I won't cover network configuration here. That is for another Parabola article. - </p> - - <p> - The password hash (it's <b>password</b>, by the way) after <i>'password_pbkdf2 root'</i> <i>should be changed</i> and is created by the <b>grub-mkpasswd-pbkdf2</b> utility, which you need to install or otherwise compile, - like so:<br/> - # <b>pacman -S grub</b> - </p> - - <p> - GRUB isn't needed for booting, since it's already included as a payload in libreboot. This is only so that the utility needed becomes available. Get your hash - by entering your chosen password at the prompt, when running this command:<br/> - # <b>grub-mkpasswd-pbkdf2</b> - </p> - - <p> - It will output the hash for the password that you entered. Make sure to specify a password that is different from both your LUKS *and* your root/user password. - Use it to replace the default hash mentioned above. - </p> - - <p> - With this setup, you will have to enter a password at boot time, in GRUB, before being able to use any of the menu entries or switch to the terminal. - This protects your system from an attacker simply booting a live usb distro and re-flashing the boot firmware. - </p> - - <p> - You probably only need base-devel (compilers and so on) to build and use cbfstool. It was already installed if you followed this tutorial, but here it is:<br/> - # <b>pacman -S base-devel</b> - </p> - - <p> - For flashing the modified ROM, I just used flashrom from the Parabola repo's:<br/> - # <b>pacman -S flashrom</b><br/> - I also installed dmidecode:<br/> - # <b>pacman -S dmidecode</b> - </p> - - <p> - When done, deleted GRUB (remember, we only needed it for the <i>grub-mkpasswd-pbkdf2</i> utility; - GRUB is already part of libreboot, flashed alongside it as a <i>payload</i>):<br/> - # <b>pacman -R grub</b> - </p> - -<hr/> - - <p> - If you followed all that correctly, you should now have a fully encrypted Parabola installation. - This is a very barebones Parabola install (the default one). Refer to the wiki for how to do the rest - (desktop, etc). - </p> - -<hr/> - - <h2>Further security tips</h2> - <p> - <a href="https://wiki.archlinux.org/index.php/Security">https://wiki.archlinux.org/index.php/Security</a>.<br/> - <a href="https://wiki.parabolagnulinux.org/User:GNUtoo/laptop">https://wiki.parabolagnulinux.org/User:GNUtoo/laptop</a> - </p> - -<hr/> - - <h2>Follow-up tutorial: configuring Parabola</h2> - <p> - <a href="configuring_parabola.html">configuring_parabola.html</a> shows my own notes post-installation. Using these, you can get a basic - system similar to the one that I chose for myself. You can also cherry pick useful notes and come up with your own system. - Parabola is user-centric, which means that you are in control. For more information, read <a href="https://wiki.archlinux.org/index.php/The_Arch_Way">The Arch Way</a> - (Parabola also follows it). - </p> - -<hr/> - - <p> - Copyright © 2014 Francis Rowe <info@gluglug.org.uk><br/> - This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at <a href="../license.txt">../license.txt</a>. - </p> - - <p> - This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See <a href="../license.txt">../license.txt</a> for more information. - </p> - -</body> -</html> diff --git a/docs/howtos/encrypted_trisquel.html b/docs/howtos/encrypted_trisquel.html deleted file mode 100644 index 7599e02..0000000 --- a/docs/howtos/encrypted_trisquel.html +++ /dev/null @@ -1,316 +0,0 @@ -<!DOCTYPE html> -<html> -<head> - <meta charset="utf-8"> - <meta name="viewport" content="width=device-width, initial-scale=1"> - - <style type="text/css"> - body { - background:#fff; - color:#000; - font-family:sans-serif; - font-size:1em; - } - div.important { - background-color:#ccc; - } - </style> - - <title>Installing Trisquel GNU/Linux with full disk encryption (including /boot)</title> -</head> - -<body> - <header> - <h1>Installing Trisquel GNU/Linux with full disk encryption (including /boot)</h1> - <aside>Or <a href="../index.html">back to main index</a></aside> - </header> - - <p> - Libreboot uses the GRUB <a href="http://www.coreboot.org/Payloads#GRUB_2">payload</a> - by default, which means that the GRUB configuration file - (where your GRUB menu comes from) is stored directly alongside libreboot - and it's GRUB payload executable, inside - the flash chip. In context, this means that installing distributions and managing them - is handled slightly differently compared to traditional BIOS systems. - </p> - - <p> - On most systems, the /boot partition has to be left unencrypted while the others are encrypted. - This is so that GRUB, and therefore the kernel, can be loaded and executed since the firmware - can't open a LUKS volume. Not so with libreboot! Since GRUB is already included directly as a - payload, even /boot can be encrypted. This protects /boot from tampering by someone with physical - access to the machine. - </p> - - <p> - This works in Trisquel 7, and probably Trisquel 6. Boot the 'net installer' (Install Trisquel in Text Mode). <a href="grub_boot_installer.html">How to boot a GNU/Linux installer</a>. - </p> - - <p> - Set a strong user password (ideally above 40 characters, of lowercase/uppercase, numbers and symbols). - </p> - - <p> - when the installer asks you to setup - encryption (ecryptfs) for your home directory, select 'Yes' if you want to: <b>LUKS is already secure and performs well. Having ecryptfs on top of it - will add noticeable performance penalty, for little security gain in most use cases. This is therefore optional, and not recommended. - Choose 'no'.</b> - </p> - - <p> - <b> - Your user password should be different than the LUKS password which you will set later on. - Your LUKS password should, like the user password, be secure. - </b> - </p> - - <h1>Partitioning</h1> - - <p>Choose 'Manual' partitioning:</p> - <ul> - <li>Select drive and create new partition table</li> - <li> - Single large partition. The following are mostly defaults: - <ul> - <li>Use as: physical volume for encryption</li> - <li>Encryption: aes</li> - <li>key size: 256</li> - <li>IV algorithm: xts-plain64</li> - <li>Encryption key: passphrase</li> - <li>erase data: Yes (only choose 'No' if it's a new drive that doesn't contain your private data)</li> - </ul> - </li> - <li> - Select 'configure encrypted volumes' - <ul> - <li>Create encrypted volumes</li> - <li>Select your partition</li> - <li>Finish</li> - <li>Really erase: Yes</li> - <li>(erase will take a long time. be patient)</li> - <li>(if your old system was encrypted, just let this run for about a minute to - make sure that the LUKS header is wiped out)</li> - </ul> - </li> - <li> - Select encrypted space: - <ul> - <li>use as: physical volume for LVM</li> - <li>Choose 'done setting up the partition'</li> - </ul> - </li> - <li> - Configure the logical volume manager: - <ul> - <li>Keep settings: Yes</li> - </ul> - </li> - <li> - Create volume group: - <ul> - <li>Name: <b>buzz</b> (you can use whatever you want here, this is just an example)</li> - <li>Select crypto partition</li> - </ul> - </li> - <li> - Create logical volume - <ul> - <li>select <b>buzz</b> (or whatever you named it before)</li> - <li>name: <b>distro</b> (you can use whatever you want here, this is just an example)</li> - <li>size: default, minus 2048 MB</li> - </ul> - </li> - <li> - Create logical volume - <ul> - <li>select <b>buzz</b> (or whatever you named it before)</li> - <li>name: <b>swap</b> (you can use whatever you want here, this is just an example)</li> - <li>size: press enter</li> - </ul> - </li> - </ul> - - <h1>Further partitioning</h1> - - <p> - Now you are back at the main partitioning screen. You will simply set mountpoints and filesystems to use. - </p> - <ul> - <li> - LVM LV distro - <ul> - <li>use as: ext4</li> - <li>mount point: /</li> - <li>done setting up partition</li> - </ul> - </li> - <li> - LVM LV swap - <ul> - <li>use as: swap area</li> - <li>done setting up partition</li> - </ul> - </li> - <li>Now you select 'Finished partitioning and write changes to disk'.</li> - </ul> - - <h1>Kernel</h1> - - <p> - Installation will ask what kernel you want to use. linux-generic is fine. - </p> - - <h1>Tasksel</h1> - - <p> - Choose <i>"Trisquel Desktop Environment"</i> if you want GNOME, - <i>"Trisquel-mini Desktop Environment"</i> if you - want LXDE or <i>"Triskel Desktop Environment"</i> if you want KDE. - If you want to have no desktop (just a basic shell) - when you boot or if you want to create your own custom setup, then choose nothing here (don't select anything). - You might also want to choose some of the other package groups; it's up to you. - </p> - - <h1>Postfix configuration</h1> - - <p> - If asked, choose <i>"No Configuration"</i> here (or maybe you want to select something else. It's up to you.) - </p> - - <h1>Install the GRUB boot loader to the master boot record</h1> - - <p> - Choose 'Yes'. It will fail, but don't worry. Then at the main menu, choose 'Continue without a bootloader'. - You could also choose 'No'. Choice is irrelevant here. - </p> - - <p> - <i>You do not need to install GRUB at all, since in libreboot you are using the GRUB payload (for libreboot) to boot your system directly.</i> - </p> - - <h1>Clock UTC</h1> - - <p> - Just say 'Yes'. - </p> - - <h1> - Booting your system - </h1> - - <p> - At this point, you will have finished the installation. At your GRUB payload, press C to get to the command line. - </p> - - <p> - Do that:<br/> - grub> <b>cryptomount -a (ahci0,msdos1)</b><br/> - grub> <b>set root='lvm/buzz-distro'</b><br/> - grub> <b>linux /vmlinuz root=/dev/mapper/buzz-distro cryptdevice=/dev/mapper/buzz-distro:root</b><br/> - grub> <b>initrd /initrd.img</b><br/> - grub> <b>boot</b> - </p> - - <h1> - ecryptfs - </h1> - - <p> - If you didn't encrypted your home directory, then you can safely ignore this section. - </p> - - <p> - Immediately after logging in, do that:<br/> - $ <b>sudo ecryptfs-unwrap-passphrase</b> - </p> - - <p> - This will be needed in the future if you ever need to recover your home directory from another system, so write it down and keep the note - somewhere secret. Ideally, you should memorize it and then burn the note (or not even write it down, and memorize it still)> - </p> - - <h1> - Modify grub.cfg (CBFS) - </h1> - - <p> - Now you need to set it up so that the system will automatically boot, without having to type a bunch of commands. - </p> - - <p> - Modify your grub.cfg (in the firmware) <a href="grub_cbfs.html">using this tutorial</a>; - just change the default menu entry 'Load Operating System' to say this inside: - </p> - - <p> - <b>cryptomount -a (ahci0,msdos1)</b><br/> - <b>set root='lvm/buzz-distro'</b><br/> - <b>linux /vmlinuz root=/dev/mapper/buzz-distro cryptdevice=/dev/mapper/buzz-distro:root</b><br/> - <b>initrd /initrd.img</b> - </p> - - <p> - Additionally, you should set a GRUB password. This is not your LUKS password, but it's a password that you have to enter to see - GRUB. This protects your system from an attacker simply booting a live USB and re-flashing your firmware. <b>This should be different than your LUKS passphrase and user password.</b> - </p> - - <p> - The GRUB utility can be used like so:<br/> - $ <b>grub-mkpasswd-pbkdf2</b> - </p> - - <p> - Give it a password (remember, it has to be secure) and it'll output something like:<br/> - <b>grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711</b> - </p> - - <p> - Put that in the grub.cfg (the one for CBFS inside the ROM) before the 'Load Operating System' menu entry like so (example):<br/> - </p> - <pre> -<b>set superusers="root"</b> -<b>password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711</b> - </pre> - - <p> - Obviously, replace it with the correct hash that you actually got for the password that you entered. Meaning, not the hash that you see above! - </p> - - <p> - After this, you will have a modified ROM with the menu entry for cryptomount, and the entry before that for the GRUB password. Flash the modified ROM - using <a href="../index.html#flashrom">this tutorial</a>. - </p> - - <h1> - Update Trisquel - </h1> - - <p> - $ <b>sudo apt-get update</b><br/> - $ <b>sudo apt-get upgrade</b> - </p> - - <h1> - Conclusion - </h1> - - <p> - If you followed all that correctly, you should now have a fully encrypted system. - </p> - -<hr/> - - <p> - Copyright © 2014 Francis Rowe <info@gluglug.org.uk><br/> - This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at <a href="../license.txt">../license.txt</a>. - </p> - - <p> - This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See <a href="../license.txt">../license.txt</a> for more information. - </p> - -</body> -</html> diff --git a/docs/howtos/grub_boot_installer.html b/docs/howtos/grub_boot_installer.html deleted file mode 100644 index 757b48f..0000000 --- a/docs/howtos/grub_boot_installer.html +++ /dev/null @@ -1,142 +0,0 @@ -<!DOCTYPE html> -<html> -<head> - <meta charset="utf-8"> - <meta name="viewport" content="width=device-width, initial-scale=1"> - - <style type="text/css"> - body { - background:#fff; - color:#000; - font-family:sans-serif; - font-size:1em; - } - </style> - - <title>Libreboot documentation: installing GNU/Linux</title> -</head> - -<body> - <header> - <h1>Boot a GNU/Linux installer on USB</h1> - <aside>Or <a href="../index.html">back to main index</a></aside> - </header> - - <h2>Prepare the USB drive (in GNU/Linux)</h2> - - <p> - Connect the USB drive. Check dmesg:<br/> - <b>$ dmesg</b><br/> - - Check lsblk to confirm which drive it is:<br/> - <b>$ lsblk</b> - </p> - - <p> - Check that it wasn't automatically mounted. If it was, unmount it. For example:<br/> - <b>$ sudo umount /dev/sdb*</b><br/> - <b># umount /dev/sdb*</b> - </p> - - <p> - dmesg told you what device it is. Overwrite the drive, writing your distro ISO to it with dd. For example:<br/> - <b>$ sudo dd if=gnulinux.iso of=/dev/sdb bs=8M; sync</b><br/> - <b># dd if=gnulinux.iso of=/dev/sdb bs=8M; sync</b> - </p> - - <h2>Booting the USB drive (in GRUB)</h2> - - <p> - Boot it in GRUB using the <i>Parse ISOLINUX config (USB)</i> option (it's in default libreboot grub.cfg, at least). - - A new menu should appear in GRUB, showing the boot options for that distro; this is a GRUB menu, converted from the usual - ISOLINUX menu provided by that distro. - </p> - - <p> - If the ISOLINUX parser won't work, then press C to get to GRUB command line.<br/> - grub> <b>ls</b><br/> - - Get the device from above output, eg (usb0). Example:<br/> - grub> <b>cat (usb0)/isolinux/isolinux.cfg</b><br/> - - Either this will show the ISOLINUX menuentries for that ISO, or link to other .cfg files, for example /isolinux/foo.cfg.<br/> - - If it did that, then you do:<br/> - grub> <b>cat (usb0)/isolinux/foo.cfg</b><br/> - - And so on, until you find the correct menuentries for ISOLINUX. - </p> - - <p> - Now look at the ISOLINUX menuentry. It'll look like:<br/> - <b> - kernel /path/to/kernel<br/> - append PARAMETERS initrd=/path/to/initrd MAYBE_MORE_PARAMETERS<br/> - </b> - - GRUB works the same way, but in it's own way. Example GRUB commands:<br/> - grub> <b>linux (usb0)/path/to/kernel PARAMETERS MAYBE_MORE_PARAMETERS</b><br/> - grub> <b>initrd (usb0)/path/to/initrd</b><br/> - grub> <b>boot</b><br/> - - Of course this will vary from distro to distro. If you did all that correctly, it should now be booting the ISO - the way you specified. - </p> - - <h1>Troubleshooting</h1> - - <p> - Most of these issues occur when using libreboot with coreboot's 'text mode' instead of the coreboot framebuffer. - This mode is useful for booting payloads like memtest86+ which expect text-mode, but for GNU/Linux distributions - it can be problematic when they are trying to switch to a framebuffer because it doesn't exist. - </p> - - <p> - In most cases, you should use the vesafb ROM's. Example filename: libreboot_ukdvorak_vesafb.rom. - </p> - - <h2>parabola won't boot in text-mode</h2> - - <p> - Use one of the ROM images with vesafb in the filename (uses coreboot framebuffer instead of text-mode). - </p> - - <h2>debian-installer (trisquel net install) graphical corruption in text-mode</h2> - <p> - When using the ROM images that use coreboot's "text mode" instead of the coreboot framebuffer, - booting the Trisquel net installer results in graphical corruption because it is trying to switch to a framebuffer which doesn't - exist. Use that kernel parameter on the 'linux' line when booting it:<br/> - <b>vga=normal fb=false</b> - </p> - - <p> - Tested in Trisquel 6 (and 7). This forces debian-installer to start in text-mode, instead of trying to switch to a framebuffer. - </p> - - <p> - If selecting text-mode from a GRUB menu created using the ISOLINUX parser, you can press E on the menu entry to add this. - Or, if you are booting manually (from GRUB terminal) then just add the parameters. - </p> - - <p> - This workaround was found on the page: <a href="https://www.debian.org/releases/stable/i386/ch05s04.html">https://www.debian.org/releases/stable/i386/ch05s04.html</a>. - It should also work for gNewSense, Debian and any other apt-get distro that provides debian-installer (text mode) net install method. - </p> - -<hr/> - - <p> - Copyright © 2014 Francis Rowe <info@gluglug.org.uk><br/> - This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at <a href="../license.txt">../license.txt</a>. - </p> - - <p> - This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See <a href="../license.txt">../license.txt</a> for more information. - </p> - -</body> -</html> diff --git a/docs/howtos/grub_cbfs.html b/docs/howtos/grub_cbfs.html deleted file mode 100644 index e603247..0000000 --- a/docs/howtos/grub_cbfs.html +++ /dev/null @@ -1,408 +0,0 @@ -<!DOCTYPE html> -<html> -<head> - <meta charset="utf-8"> - <meta name="viewport" content="width=device-width, initial-scale=1"> - - <style type="text/css"> - body { - background:#fff; - color:#000; - font-family:sans-serif; - font-size:1em; - } - div.important { - background-color:#ccc; - } - </style> - - <title>Libreboot documentation: GRUB menu</title> -</head> - -<body> - <header> - <h1 id="pagetop">How to change your default GRUB menu</h1> - <aside>Or <a href="../index.html">back to main index</a></aside> - </header> - - <p> - Libreboot uses the GRUB <a href="http://www.coreboot.org/Payloads#GRUB_2">payload</a> - by default, which means that the GRUB configuration file - (where your GRUB menu comes from) is stored directly alongside libreboot - and it's GRUB payload executable, inside - the flash chip. In context, this means that installing distributions and managing them - is handled slightly differently compared to traditional BIOS systems. - </p> - - <p> - A libreboot (or coreboot) ROM image is not simply "flat"; there is an actual - filesystem inside called CBFS (coreboot filesystem). A utility called 'cbfstool' - allows you to change the contents of the ROM image. In this case, libreboot is configured - such that the 'grub.cfg' and 'grubtest.cfg' files exists directly inside CBFS instead of - inside the GRUB payload's 'memdisk' (which is itself stored in CBFS). - </p> - - <p> - Here is an excellent writeup about CBFS (coreboot filesystem): - <a href="http://lennartb.home.xs4all.nl/coreboot/col5.html" target="_blank">http://lennartb.home.xs4all.nl/coreboot/col5.html</a>. - </p> - -<hr/> - - <h2>Table of Contents</h2> - - <ul> - <li><a href="#getting_started">Getting started</a></li> - <li><a href="#build_cbfstool">Build 'cbfstool' from source</a></li> - <li><a href="#which_rom">Which ROM image should I use?</a></li> - <li><a href="#extract_grubtest">Extract grubtest from the ROM image</a> - <li> - <a href="#example_modifications">Example modifications for <i>grubtest.cfg</i></a> - <ul> - <li><a href="#example_modifications_trisquel">Trisquel GNU/Linux-libre</a></li> - <li><a href="#example_modifications_parabola">Parabola GNU/Linux-libre</a></li> - </lu> - </ul> - <li><a href="#reinsert_modified_grubtest">Re-insert the modified grubtest.cfg into the ROM image</a></li> - <li><a href="#test_it">Test it!</a> - <li><a href="#final_steps">Final steps</a></li> - <li><a href="#troubleshooting">Troubleshooting</a></li> - </ul> - -<hr/> - - <h2 id="getting_started">Getting started</h2> - - <p> - Download the latest release from - <a href="http://libreboot.org/" target="_blank">http://libreboot.org/</a> - <br/><b>If you downloaded from git, refer to - <a href="../index.html#build_meta">../index.html#build_meta</a> before continuing.</b> - </p> - - <p> - <a href="../index.html#build_dependencies">Install the build dependencies</a>. - </p> - - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - -<hr/> - - <h2 id="build_cbfstool">Build 'cbfstool' from source</h2> - - <p> - If you are working with libreboot_src, then you can run <b><i>make</i></b> command in - libreboot_src/coreboot/util/cbfstool to build the <b><i>cbfstool</i></b> and <b><i>rmodtool</i></b> - executable. - </p> - <p> - Alternatively if you are working with libreboot_bin, then you can run <b><i>./builddeps-cbfstool</i></b> - command inside libreboot_bin/; a <b><i>cbfstool</i></b> and <b><i>rmodtool</i></b> - executable will appear under libreboot_bin/ - </p> - - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - -<hr/> - - <h2 id="which_rom">Which ROM image should I use?</h2> - - <p> - You can work directly with one of the ROM's already included in the libreboot ROM archives. For the purpose of - this tutorial it is assumed that your ROM is named <i>libreboot.rom</i> so please make sure to adapt. - </p> - - <p> - If you want to re-use the ROM that you currently have flashed (and running) then see - <a href="../index.html#build_flashrom">../index.html#build_flashrom</a> - and then run:<br/> - <b>$ sudo ./flashrom -p internal -r libreboot.rom</b><br/> - Notice that this is using <b>"-r"</b> (read) instead of <b>"-w"</b> (write). - This will create a dump (copy) of your current firmware and name it <b>libreboot.rom</b>. - You need to take ownership of the file. For example:<br/> - <b>$ sudo chown yourusername:yourusername libreboot.rom</b><br/> - <b># chown yourusername:yourusername libreboot.rom</b> - </p> - - <p> - If you currently have flashed a ROM image from an older version, it is recommended to update first: - basically, modify one of the latest ROM's and then flash it. - </p> - - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - -<hr/> - - <h2 id="extract_grubtest">Extract grubtest.cfg from the ROM image</h2> - - <p> - Display contents of ROM:<br/> - <b>$ ./cbfstool libreboot.rom print</b> - </p> - - <p> - The libreboot.rom file contains your <i>grub.cfg</i> and <i>grubtest.cfg</i> files. - You should extract, modify and re-insert the copy first. grub.cfg will load first, - but it has a menu entry for switching to the copy (grubtest.cfg). - This reduces your chance of making a mistake that could make your machine unbootable (or very hard to boot). - </p> - - <p> - Extract grubtest.cfg from the ROM image:<br/> - <b>$ ./cbfstool libreboot.rom extract -n grubtest.cfg -f grubtest.cfg</b> - </p> - - <p> - Now you have a grubtest.cfg in cbfstool directory. Edit it however you wish. - </p> - - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - -<hr/> - - <div class="important"> - - <h2 id="example_modifications">Example modifications for <i>grubtest.cfg</i></h2> - - <p> - These are some common examples of ways in which the grubtest.cfg file can be modified. - </p> - - <h3 id="example_modifications_trisquel">Trisquel GNU/Linux-libre</h3> - - <p> - As an example, on my test system in /boot/grub/grub.cfg (on the HDD/SSD) I see for the main menu entry: - </p> - <ul> - <li><b>linux /boot/vmlinuz-3.15.1-gnu.nonpae root=UUID=3a008e14-4871-497b-95e5-fb180f277951 ro crashkernel=384M-2G:64M,2G-:128M quiet splash $vt_handoff</b></li> - <li><b>initrd /boot/initrd.img-3.15.1-gnu.nonpae</b></li> - </ul> - - <p> - <b>ro</b>, <b>quiet</b>, <b>splash</b>, <b>crashkernel=384M-2G:64M,2G-:128M</b> and - <b>$vt_handoff</b> can be safely ignored. - </p> - - <p> - I use this to get my partition layout:<br/> - $ <b>lsblk</b> - </p> - - <p> - In my case, I have no /boot partition, instead /boot is on the same partition as / on sda1. - Yours might be different. In GRUB terms, sda means ahci0. 1 means msdos1, or gpt1, depending - on whether I am using MBR or GPT partitioning. Thus, /dev/sda1 is GRUB is (ahci0,msdos1) or - (ahci0,gpt1). In my case, I use MBR partitioning so it's (ahci0,msdos1). - 'msdos' is GRUB's name simply because this partitioning type is traditionally used by MS-DOS. - It doesn't mean you have a proprietary OS. - </p> - - <p> - Trisquel doesn't keep the filenames of kernels consistent, instead it keeps old kernels and - new kernel updates are provided with the version in the filename. This can make GRUB payload - a bit tricky. Fortunately, there are symlinks /vmlinuz and /initrd.img - so if your /boot and / are on the same partition, you can set GRUB to boot from that. - These are also updated automatically when installing kernel updates from your distributions - apt-get repositories. - <b> - Note: when using <a href="http://jxself.org/linux-libre">jxself kernel releases</a>, - these are not updated at all and you have to update them manually. - </b> - </p> - - <p> - For the GRUB payload's grubtest.cfg (in the 'Load Operating System' menu entry), we therefore have (in this example):<br/> - <b>set root='ahci0,msdos1'</b><br/> - <b>linux /vmlinuz root=UUID=3a008e14-4871-497b-95e5-fb180f277951</b><br/> - <b>initrd /initrd.img</b> - </p> - - <p> - Optionally, you can convert the UUID to it's real device name, for example /dev/sda1 in this case. - sdX naming isn't very reliable, though, which is why UUID is used for most distributions. - </p> - - <p> - Alternatively, if your /boot is on a separate partition then you cannot rely on the /vmlinuz and /initrd.img symlinks. - Instead, go into /boot and create your own symlinks (update them manually when you install a new kernel update).<br/> - $ <b>sudo -s</b><br/> - # <b>cd /boot/</b><br/> - # <b>rm -rf vmlinuz initrd.img</b><br/> - # <b>ln -s <u>kernel</u> ksym</b><br/> - # <b>ln -s <u>initrd</u> isym</b><br/> - # <b>exit</b> - </p> - - <p> - Replace the underlined <b>kernel</b> and <b>initrd</b> filenames above with the actual filenames, of course. - </p> - - <p> - Then your grubtest.cfg menu entry (for payload) becomes like that, for example if / was on sda2 and /boot was on sda1:<br/> - <b>set root='ahci0,msdos1'</b><br/> - <b>linux /ksym root=/dev/sda2</b><br/> - <b>initrd /isym</b> - </p> - - <p> - There are lots of possible variations so please try to adapt. - </p> - - <h3 id="example_modifications_parabola">Parabola GNU/Linux-libre</h2> - - <p> - You can basically adapt the above. Note however that Parabola does not keep old kernels still installed, and the file names - are always consistent, so you don't need to boot from symlinks, you can just use the real thing directly. - </p> - - </div> - - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - -<hr/> - - <h2 id="reinsert_modified_grubtest">Re-insert the modified grubtest.cfg into the ROM image</h2> - - <p> - Delete the grubtest.cfg that remained inside the ROM:<br/> - <b>$ ./cbfstool libreboot.rom remove -n grubtest.cfg</b> - </p> - - <p> - Display ROM contents and now you see grubtest.cfg no longer exists there:<br/> - <b>$ ./cbfstool libreboot.rom print</b> - </p> - - <p> - Add the modified version that you just made:<br/> - <b>$ ./cbfstool libreboot.rom add -n grubtest.cfg -f grubtest.cfg -t raw</b> - </p> - - <p> - Now display ROM contents again and see that it exists again:<br/> - <b>$ ./cbfstool libreboot.rom print</b> - </p> - - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - -<hr/> - - <h2 id="test_it">Test it!</h2> - - <p> - <b> - Now you have a modified ROM. Refer back to <a href="../index.html#flashrom">../index.html#flashrom</a> for information - on how to flash it. Once you have done that, shut down and then boot up with your new test configuration. - </b> - </p> - - <p> - Choose (in GRUB) the menu entry that switches to grubtest.cfg. If it works, then your config is safe and you can continue below. - </p> - - <p> - <b> - If it does not work like you want it to, if you are unsure or sceptical in any way, - then re-do the steps above until you get it right! Do *not* proceed past this point - unless you are 100% sure that your new configuration is safe (or desirable) to use. - </b> - </p> - - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - -<hr/> - - <h2 id="final_steps">Final steps</h2> - - <p> - Create a copy of grubtest.cfg, called grub.cfg, which is the same except for one difference: - change the menuentry 'Switch to grub.cfg' to 'Switch to grubtest.cfg' and inside it, - change all instances of grub.cfg to grubtest.cfg. This is so that the main config still - links (in the menu) to grubtest.cfg, so that you don't have to manually switch to it, in - case you ever want to follow this guide again in the future (modifying the already modified config)<br/> - $ <b>sed -e 's:(cbfsdisk)/grub.cfg:(cbfsdisk)/grubtest.cfg:g' -e 's:Switch to grub.cfg:Switch to grubtest.cfg:g' < grubtest.cfg > grub.cfg</b><br/> - </p> - - <p> - Delete the grub.cfg that remained inside the ROM:<br/> - <b>$ ./cbfstool libreboot.rom remove -n grub.cfg</b> - </p> - - <p> - Display ROM contents and now you see grub.cfg no longer exists there:<br/> - <b>$ ./cbfstool libreboot.rom print</b> - </p> - - <p> - Add the modified version that you just made:<br/> - <b>$ ./cbfstool libreboot.rom add -n grub.cfg -f grub.cfg -t raw</b> - </p> - - <p> - Now display ROM contents again and see that it exists again:<br/> - <b>$ ./cbfstool libreboot.rom print</b> - </p> - - <p> - <b> - Now you have a modified ROM. Refer back to <a href="../index.html#flashrom">../index.html#flashrom</a> for information - on how to flash it. Once you have done that, shut down and then boot up with your new configuration. - </b> - </p> - - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - -<hr/> - - <h2 id="troubleshooting">Troubleshooting</h2> - - <p> - A user reported that segmentation faults occur with cbfstool - when using this procedure depending on the size of the grub.cfg being re-insterted. - In his case, a minimum size of 857 bytes was required. This could (at the time of - this release) be a bug in cbfstool that should be investigated with the coreboot - community. If cbfstool segfaults, then keep this in mind. 'strace' (or gdb? clang?) - could be used for debugging. This was in libreboot 5th release (based on coreboot - from late 2013), and I'm not sure if the issue perists in the current releases. - I have not been able to reproduce it. strace (from that user) is here: - <a href="cbfstool_libreboot5_strace">cbfstool_libreboot5_strace</a>. - The issue has been reported by a few users, so it does not happen all the time: - this bug (if it still exists) could (should) be reproduced. - </p> - - <p> - <a href="#pagetop">Back to top of page.</a> - </p> - -<hr/> - - <p> - Copyright © 2014 Francis Rowe <info@gluglug.org.uk><br/> - This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at <a href="../license.txt">../license.txt</a>. - </p> - - <p> - This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See <a href="../license.txt">../license.txt</a> for more information. - </p> - -</body> -</html> diff --git a/docs/howtos/t60_dev/.htaccess b/docs/howtos/t60_dev/.htaccess deleted file mode 100644 index 75da674..0000000 --- a/docs/howtos/t60_dev/.htaccess +++ /dev/null @@ -1,2 +0,0 @@ -Options +Indexes -IndexOptions FancyIndexing FoldersFirst NameWidth=* DescriptionWidth=* diff --git a/docs/howtos/t60_dev/0001.JPG b/docs/howtos/t60_dev/0001.JPG Binary files differdeleted file mode 100644 index 84d2f4f..0000000 --- a/docs/howtos/t60_dev/0001.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0002.JPG b/docs/howtos/t60_dev/0002.JPG Binary files differdeleted file mode 100644 index 5f8ead5..0000000 --- a/docs/howtos/t60_dev/0002.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0003.JPG b/docs/howtos/t60_dev/0003.JPG Binary files differdeleted file mode 100644 index 4b0826f..0000000 --- a/docs/howtos/t60_dev/0003.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0004.JPG b/docs/howtos/t60_dev/0004.JPG Binary files differdeleted file mode 100644 index 42d9086..0000000 --- a/docs/howtos/t60_dev/0004.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0005.JPG b/docs/howtos/t60_dev/0005.JPG Binary files differdeleted file mode 100644 index 8e9bce3..0000000 --- a/docs/howtos/t60_dev/0005.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0006.JPG b/docs/howtos/t60_dev/0006.JPG Binary files differdeleted file mode 100644 index 6371b46..0000000 --- a/docs/howtos/t60_dev/0006.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0007.JPG b/docs/howtos/t60_dev/0007.JPG Binary files differdeleted file mode 100644 index cedc9d9..0000000 --- a/docs/howtos/t60_dev/0007.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0008.JPG b/docs/howtos/t60_dev/0008.JPG Binary files differdeleted file mode 100644 index bec57a1..0000000 --- a/docs/howtos/t60_dev/0008.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0009.JPG b/docs/howtos/t60_dev/0009.JPG Binary files differdeleted file mode 100644 index aeeda57..0000000 --- a/docs/howtos/t60_dev/0009.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0010.JPG b/docs/howtos/t60_dev/0010.JPG Binary files differdeleted file mode 100644 index c776171..0000000 --- a/docs/howtos/t60_dev/0010.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0011.JPG b/docs/howtos/t60_dev/0011.JPG Binary files differdeleted file mode 100644 index 24cb443..0000000 --- a/docs/howtos/t60_dev/0011.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0012.JPG b/docs/howtos/t60_dev/0012.JPG Binary files differdeleted file mode 100644 index c719958..0000000 --- a/docs/howtos/t60_dev/0012.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0013.JPG b/docs/howtos/t60_dev/0013.JPG Binary files differdeleted file mode 100644 index b8ed7ee..0000000 --- a/docs/howtos/t60_dev/0013.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0014.JPG b/docs/howtos/t60_dev/0014.JPG Binary files differdeleted file mode 100644 index 5160dc3..0000000 --- a/docs/howtos/t60_dev/0014.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0015.JPG b/docs/howtos/t60_dev/0015.JPG Binary files differdeleted file mode 100644 index 0c1fd18..0000000 --- a/docs/howtos/t60_dev/0015.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0016.JPG b/docs/howtos/t60_dev/0016.JPG Binary files differdeleted file mode 100644 index c698be2..0000000 --- a/docs/howtos/t60_dev/0016.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0017.JPG b/docs/howtos/t60_dev/0017.JPG Binary files differdeleted file mode 100644 index 652a66e..0000000 --- a/docs/howtos/t60_dev/0017.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0018.JPG b/docs/howtos/t60_dev/0018.JPG Binary files differdeleted file mode 100644 index cf43067..0000000 --- a/docs/howtos/t60_dev/0018.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0019.JPG b/docs/howtos/t60_dev/0019.JPG Binary files differdeleted file mode 100644 index a75f68a..0000000 --- a/docs/howtos/t60_dev/0019.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0020.JPG b/docs/howtos/t60_dev/0020.JPG Binary files differdeleted file mode 100644 index 0c4f7db..0000000 --- a/docs/howtos/t60_dev/0020.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0021.JPG b/docs/howtos/t60_dev/0021.JPG Binary files differdeleted file mode 100644 index c7d5757..0000000 --- a/docs/howtos/t60_dev/0021.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0022.JPG b/docs/howtos/t60_dev/0022.JPG Binary files differdeleted file mode 100644 index 5971da2..0000000 --- a/docs/howtos/t60_dev/0022.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0023.JPG b/docs/howtos/t60_dev/0023.JPG Binary files differdeleted file mode 100644 index 99f67c3..0000000 --- a/docs/howtos/t60_dev/0023.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0024.JPG b/docs/howtos/t60_dev/0024.JPG Binary files differdeleted file mode 100644 index f89b537..0000000 --- a/docs/howtos/t60_dev/0024.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0025.JPG b/docs/howtos/t60_dev/0025.JPG Binary files differdeleted file mode 100644 index d6b180e..0000000 --- a/docs/howtos/t60_dev/0025.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0026.JPG b/docs/howtos/t60_dev/0026.JPG Binary files differdeleted file mode 100644 index c8f3299..0000000 --- a/docs/howtos/t60_dev/0026.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0027.JPG b/docs/howtos/t60_dev/0027.JPG Binary files differdeleted file mode 100644 index 10ab8e0..0000000 --- a/docs/howtos/t60_dev/0027.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0028.JPG b/docs/howtos/t60_dev/0028.JPG Binary files differdeleted file mode 100644 index 64cba1c..0000000 --- a/docs/howtos/t60_dev/0028.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0029.JPG b/docs/howtos/t60_dev/0029.JPG Binary files differdeleted file mode 100644 index 960ebdd..0000000 --- a/docs/howtos/t60_dev/0029.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0030.JPG b/docs/howtos/t60_dev/0030.JPG Binary files differdeleted file mode 100644 index 046fd00..0000000 --- a/docs/howtos/t60_dev/0030.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0031.JPG b/docs/howtos/t60_dev/0031.JPG Binary files differdeleted file mode 100644 index 870f22b..0000000 --- a/docs/howtos/t60_dev/0031.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0032.JPG b/docs/howtos/t60_dev/0032.JPG Binary files differdeleted file mode 100644 index 70ff44a..0000000 --- a/docs/howtos/t60_dev/0032.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0033.JPG b/docs/howtos/t60_dev/0033.JPG Binary files differdeleted file mode 100644 index 142ca97..0000000 --- a/docs/howtos/t60_dev/0033.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0034.JPG b/docs/howtos/t60_dev/0034.JPG Binary files differdeleted file mode 100644 index 907192e..0000000 --- a/docs/howtos/t60_dev/0034.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0035.JPG b/docs/howtos/t60_dev/0035.JPG Binary files differdeleted file mode 100644 index bf38c89..0000000 --- a/docs/howtos/t60_dev/0035.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0036.JPG b/docs/howtos/t60_dev/0036.JPG Binary files differdeleted file mode 100644 index a7e5bdf..0000000 --- a/docs/howtos/t60_dev/0036.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0037.JPG b/docs/howtos/t60_dev/0037.JPG Binary files differdeleted file mode 100644 index ab30c27..0000000 --- a/docs/howtos/t60_dev/0037.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0038.JPG b/docs/howtos/t60_dev/0038.JPG Binary files differdeleted file mode 100644 index 362c547..0000000 --- a/docs/howtos/t60_dev/0038.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0039.JPG b/docs/howtos/t60_dev/0039.JPG Binary files differdeleted file mode 100644 index 224f72e..0000000 --- a/docs/howtos/t60_dev/0039.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0040.JPG b/docs/howtos/t60_dev/0040.JPG Binary files differdeleted file mode 100644 index adcd923..0000000 --- a/docs/howtos/t60_dev/0040.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0041.JPG b/docs/howtos/t60_dev/0041.JPG Binary files differdeleted file mode 100644 index 2a04682..0000000 --- a/docs/howtos/t60_dev/0041.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0042.JPG b/docs/howtos/t60_dev/0042.JPG Binary files differdeleted file mode 100644 index b5ed8ec..0000000 --- a/docs/howtos/t60_dev/0042.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0043.JPG b/docs/howtos/t60_dev/0043.JPG Binary files differdeleted file mode 100644 index 7144a98..0000000 --- a/docs/howtos/t60_dev/0043.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0044.JPG b/docs/howtos/t60_dev/0044.JPG Binary files differdeleted file mode 100644 index 27a24c6..0000000 --- a/docs/howtos/t60_dev/0044.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0045.JPG b/docs/howtos/t60_dev/0045.JPG Binary files differdeleted file mode 100644 index 997b498..0000000 --- a/docs/howtos/t60_dev/0045.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0046.JPG b/docs/howtos/t60_dev/0046.JPG Binary files differdeleted file mode 100644 index 25d6baa..0000000 --- a/docs/howtos/t60_dev/0046.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0047.JPG b/docs/howtos/t60_dev/0047.JPG Binary files differdeleted file mode 100644 index 6b57bf3..0000000 --- a/docs/howtos/t60_dev/0047.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0048.JPG b/docs/howtos/t60_dev/0048.JPG Binary files differdeleted file mode 100644 index 7339f07..0000000 --- a/docs/howtos/t60_dev/0048.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0049.JPG b/docs/howtos/t60_dev/0049.JPG Binary files differdeleted file mode 100644 index cf3a7fd..0000000 --- a/docs/howtos/t60_dev/0049.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0050.JPG b/docs/howtos/t60_dev/0050.JPG Binary files differdeleted file mode 100644 index 7de4edd..0000000 --- a/docs/howtos/t60_dev/0050.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0051.JPG b/docs/howtos/t60_dev/0051.JPG Binary files differdeleted file mode 100644 index 87c41b3..0000000 --- a/docs/howtos/t60_dev/0051.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0052.JPG b/docs/howtos/t60_dev/0052.JPG Binary files differdeleted file mode 100644 index 4a8e443..0000000 --- a/docs/howtos/t60_dev/0052.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0053.JPG b/docs/howtos/t60_dev/0053.JPG Binary files differdeleted file mode 100644 index e1044fc..0000000 --- a/docs/howtos/t60_dev/0053.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0054.JPG b/docs/howtos/t60_dev/0054.JPG Binary files differdeleted file mode 100644 index c96c020..0000000 --- a/docs/howtos/t60_dev/0054.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0055.JPG b/docs/howtos/t60_dev/0055.JPG Binary files differdeleted file mode 100644 index 6da87d5..0000000 --- a/docs/howtos/t60_dev/0055.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0056.JPG b/docs/howtos/t60_dev/0056.JPG Binary files differdeleted file mode 100644 index 81a6659..0000000 --- a/docs/howtos/t60_dev/0056.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0057.JPG b/docs/howtos/t60_dev/0057.JPG Binary files differdeleted file mode 100644 index 268fede..0000000 --- a/docs/howtos/t60_dev/0057.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0058.JPG b/docs/howtos/t60_dev/0058.JPG Binary files differdeleted file mode 100644 index bedfb12..0000000 --- a/docs/howtos/t60_dev/0058.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0059.JPG b/docs/howtos/t60_dev/0059.JPG Binary files differdeleted file mode 100644 index 422687c..0000000 --- a/docs/howtos/t60_dev/0059.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0060.JPG b/docs/howtos/t60_dev/0060.JPG Binary files differdeleted file mode 100644 index 8743c0d..0000000 --- a/docs/howtos/t60_dev/0060.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0061.JPG b/docs/howtos/t60_dev/0061.JPG Binary files differdeleted file mode 100644 index e05f626..0000000 --- a/docs/howtos/t60_dev/0061.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0062.JPG b/docs/howtos/t60_dev/0062.JPG Binary files differdeleted file mode 100644 index 1fe77a7..0000000 --- a/docs/howtos/t60_dev/0062.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0063.JPG b/docs/howtos/t60_dev/0063.JPG Binary files differdeleted file mode 100644 index 87b7761..0000000 --- a/docs/howtos/t60_dev/0063.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0064.JPG b/docs/howtos/t60_dev/0064.JPG Binary files differdeleted file mode 100644 index e80189e..0000000 --- a/docs/howtos/t60_dev/0064.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0065.JPG b/docs/howtos/t60_dev/0065.JPG Binary files differdeleted file mode 100644 index 4e77a88..0000000 --- a/docs/howtos/t60_dev/0065.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0066.JPG b/docs/howtos/t60_dev/0066.JPG Binary files differdeleted file mode 100644 index 793c0f8..0000000 --- a/docs/howtos/t60_dev/0066.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0068.JPG b/docs/howtos/t60_dev/0068.JPG Binary files differdeleted file mode 100644 index 9f9f299..0000000 --- a/docs/howtos/t60_dev/0068.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0069.JPG b/docs/howtos/t60_dev/0069.JPG Binary files differdeleted file mode 100644 index 98931e6..0000000 --- a/docs/howtos/t60_dev/0069.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0070.JPG b/docs/howtos/t60_dev/0070.JPG Binary files differdeleted file mode 100644 index 09958c3..0000000 --- a/docs/howtos/t60_dev/0070.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0071.JPG b/docs/howtos/t60_dev/0071.JPG Binary files differdeleted file mode 100644 index 104d21e..0000000 --- a/docs/howtos/t60_dev/0071.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0072.JPG b/docs/howtos/t60_dev/0072.JPG Binary files differdeleted file mode 100644 index 66c8e3b..0000000 --- a/docs/howtos/t60_dev/0072.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0073.JPG b/docs/howtos/t60_dev/0073.JPG Binary files differdeleted file mode 100644 index 5d9b9fa..0000000 --- a/docs/howtos/t60_dev/0073.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/0074.JPG b/docs/howtos/t60_dev/0074.JPG Binary files differdeleted file mode 100644 index 303264a..0000000 --- a/docs/howtos/t60_dev/0074.JPG +++ /dev/null diff --git a/docs/howtos/t60_dev/t60_unbrick.jpg b/docs/howtos/t60_dev/t60_unbrick.jpg Binary files differdeleted file mode 100644 index 820a9b4..0000000 --- a/docs/howtos/t60_dev/t60_unbrick.jpg +++ /dev/null diff --git a/docs/howtos/t60_heatsink.html b/docs/howtos/t60_heatsink.html deleted file mode 100644 index f10ea60..0000000 --- a/docs/howtos/t60_heatsink.html +++ /dev/null @@ -1,133 +0,0 @@ -<!DOCTYPE html> -<html> -<head> - <meta charset="utf-8"> - <meta name="viewport" content="width=device-width, initial-scale=1"> - - <style type="text/css"> - body { - background:#fff; - color:#000; - font-family:sans-serif; - font-size:1em; - } - </style> - - <title>Libreboot documentation: Unbricking the ThinkPad T60</title> -</head> - -<body> - - <header> - <h1>Changing heatsink (or CPU) on the ThinkPad T60</h1> - <aside>Using this guide you can also change/upgrade the CPU.</aside> - </header> - - <p>Or go <a href="../index.html">back to main index</a></p> - - <h1 id="hardware_requirements">Hardware requirements</h1> - <ul> - <li>rubbing a***hol (misspelling intentional. halal internet) and thermal compound for changing CPU heatsink (procedure involves removing heatsink)</li> - <li>thermal compound/paste (Arctic Silver 5 is good. Others are also good.)</li> - </ul> - - <h1 id="software_requirements">Software requirements</h1> - <ul> - <li>xsensors</li> - <li>stress</li> - </ul> - - <h1 id="recovery">Disassembly</h1> - - <p> - Remove those screws and remove the HDD:<br/> - <img src="t60_dev/0001.JPG" alt="" /> <img src="t60_dev/0002.JPG" alt="" /> - </p> - - <p> - Lift off the palm rest:<br/> - <img src="t60_dev/0003.JPG" alt="" /> - </p> - - <p> - Lift up the keyboard, pull it back a bit, flip it over like that and then disconnect it from the board:<br/> - <img src="t60_dev/0004.JPG" alt="" /> <img src="t60_dev/0005.JPG" alt="" /> <img src="t60_dev/0006.JPG" alt="" /> - </p> - - <p> - Gently wedge both sides loose:<br/> - <img src="t60_dev/0007.JPG" alt="" /> <img src="t60_dev/0008.JPG" alt="" /> - </p> - - <p> - Remove that cable from the position:<br/> - <img src="t60_dev/0009.JPG" alt="" /> <img src="t60_dev/0010.JPG" alt="" /> - </p> - - <p> - Remove the bezel (sorry forgot to take pics). - </p> - - <p> - On the CPU (and there is another chip south-east to it, sorry forgot to take pic) - clean off the old thermal paste (rubbing a1ocheal (misspelling intentional. halal internet)) and apply new (Artic Silver 5 is good, others are good too) - you should also clean the heatsink the same way<br/> - <img src="t60_dev/0051.JPG" alt="" /> - </p> - - <p> - This is also an opportunity to change the CPU to another one. For example if you had a Core Duo T2400, you can upgrade it to a better processor - (higher speed, 64-bit support). A Core 2 Duo T7600 was installed here. - </p> - - <p> - Attach the heatsink and install the screws (also, make sure to install the AC jack as highlighted):<br/> - <img src="t60_dev/0052.JPG" alt="" /> - </p> - - <p> - Reinstall that upper bezel:<br/> - <img src="t60_dev/0053.JPG" alt="" /> - </p> - - <p> - Do that:<br/> - <img src="t60_dev/0054.JPG" alt="" /> <img src="t60_dev/0055.JPG" alt="" /> - </p> - - <p> - Attach keyboard:<br/> - <img src="t60_dev/0056.JPG" alt="" /> - </p> - - <p> - Place keyboard and (sorry, forgot to take pics) reinstall the palmrest and insert screws on the underside:<br/> - <img src="t60_dev/0058.JPG" alt="" /> - </p> - - <p> - It lives!<br/> - <img src="t60_dev/0071.JPG" alt="" /> <img src="t60_dev/0072.JPG" alt="" /> <img src="t60_dev/0073.JPG" alt="" /> - </p> - - <p> - Always stress test ('stress -c 2' and xsensors. below 90C is ok) when replacing cpu paste/heatsink:<br/> - <img src="t60_dev/0074.JPG" alt="" /> - </p> - -<hr/> - - <p> - Copyright © 2014 Francis Rowe <info@gluglug.org.uk><br/> - This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at <a href="../license.txt">../license.txt</a>. - </p> - - <p> - This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See <a href="../license.txt">../license.txt</a> for more information. - </p> - -</body> -</html> diff --git a/docs/howtos/t60_lcd_15.html b/docs/howtos/t60_lcd_15.html deleted file mode 100644 index 3b382f5..0000000 --- a/docs/howtos/t60_lcd_15.html +++ /dev/null @@ -1,94 +0,0 @@ -<!DOCTYPE html> -<html> -<head> - <meta charset="utf-8"> - <meta name="viewport" content="width=device-width, initial-scale=1"> - - <style type="text/css"> - body { - background:#fff; - color:#000; - font-family:sans-serif; - font-size:1em; - } - </style> - - <title>Libreboot documentation: Unbricking the ThinkPad T60</title> -</head> - -<body> - - <header> - <h1>Changing the LCD panel on a 15.1" T60</h1> - <aside>This is for the 15.1" T60. If you have another size then the procedure will differ; for example, on 14.1" you have - to remove the hinges and the procedure is a bit more involved than on 15.1".</aside> - </header> - - <p>Or go <a href="../index.html">back to main index</a></p> - - <h1 id="recovery">Disassembly</h1> - - <p> - Remove those covers and unscrew:<br/> - <img src="t60_dev/0059.JPG" alt="" /> <img src="t60_dev/0060.JPG" alt="" /> <img src="t60_dev/0061.JPG" alt="" /> - </p> - - <p> - Gently pry off the front bezel. - </p> - - <p> - Remove inverter board:<br/> - <img src="t60_dev/0064.JPG" alt="" /> - </p> - - <p> - Disconnect LCD cable:<br/> - <img src="t60_dev/0065.JPG" alt="" /> - </p> - - <p> - Remove the panel:<br/> - <img src="t60_dev/0066.JPG" alt="" /> - </p> - - <p> - Move the rails (left and right side) from the old panel to the new one and then attach LCD cable:<br/> - <img src="t60_dev/0068.JPG" alt="" /> - </p> - - <p> - Insert panel (this one is an LG-Philips LP150E05-A2K1, and there are others. See <a href="../index.html#supported_t60_list">../index.html#supported_t60_list</a>):<br/> - <img src="t60_dev/0069.JPG" alt="" /> - </p> - - <p> - Insert new inverter board (see <a href="../index.html#supported_t60_list">../index.html#supported_t60_list</a> for what is recommended on your LCD panel):<br/> - <img src="t60_dev/0070.JPG" alt="" /> - </p> - - <p> - Now re-attach the front bezel and put all the screws in. - </p> - - <p> - It lives!<br/> - <img src="t60_dev/0071.JPG" alt="" /> <img src="t60_dev/0072.JPG" alt="" /> <img src="t60_dev/0073.JPG" alt="" /> - </p> - -<hr/> - - <p> - Copyright © 2014 Francis Rowe <info@gluglug.org.uk><br/> - This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at <a href="../license.txt">../license.txt</a>. - </p> - - <p> - This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See <a href="../license.txt">../license.txt</a> for more information. - </p> - -</body> -</html> diff --git a/docs/howtos/t60_security.html b/docs/howtos/t60_security.html deleted file mode 100644 index f39c739..0000000 --- a/docs/howtos/t60_security.html +++ /dev/null @@ -1,445 +0,0 @@ -<!DOCTYPE html> -<html> -<head> - <meta charset="utf-8"> - <meta name="viewport" content="width=device-width, initial-scale=1"> - - <style type="text/css"> - body { - background:#fff; - color:#000; - font-family:sans-serif; - font-size:1em; - } - </style> - - <title>Libreboot documentation: Security on the ThinkPad T60</title> -</head> - -<body> - - <header> - <h1>Security on the ThinkPad T60</h1> - <aside>Hardware modifications to enhance security on the ThinkPad T60. This tutorial is <b>incomplete</b> at the time of writing.</aside> - </header> - - <p>Or go <a href="../index.html">back to main index</a></p> - - <h2>Table of Contents</h2> - <ul> - <li><a href="#hardware_requirements">Hardware Requirements</a></li> - <li><a href="#software_requirements">Software Requirements</a></li> - <li><a href="#procedure">The procedure</a></li> - </ul> - - <h1 id="hardware_requirements">Hardware requirements</h1> - <ul> - <li>A T60</li> - <li>screwdriver</li> - <li>(in a later version of this tutorial: soldering iron and scalpel)</li> - </ul> - - <h1 id="software_requirements">Software requirements</h1> - <ul> - <li>none (at least in the scope of the article as-is)</li> - <li>You probably want to encrypt your GNU/Linux install using LUKS</li> - </ul> - - <h1> - Rationale - </h1> - <p> - Most people think of security on the software side: the hardware is important aswell. - Hardware security is useful in particular to journalists (or activists in a given movement) who need absolute privacy in their work. - It is also generally useful to all those that believe security and privacy are inalienable rights. - Security starts with the hardware; crypto and network security come later. - </p> - <p> - Paradoxically, going this far to increase your security also makes you a bigger target. - At the same time, it protects you in the case that someone does attack your machine. - This paradox only exists while few people take adequate steps to protect yourself: it is your <b>duty</b> - to protect yourself, not only for your benefit but to make strong security <i>normal</i> so - that those who do need protection (and claim it) are a smaller target against the masses. - </p> - <p> - Even if there are levels of security beyond your ability (technically, financially and so on) - doing at least <i>something</i> (what you are able to do) is extremely important. - If you use the internet and your computer without protection, attacking you is cheap (some say it is - only a few US cents). If everyone (majority of people) use strong security by default, - it makes attacks more costly and time consuming; in effect, making them disappear. - </p> - <p> - This tutorial deals with reducing the number of devices that have direct memory access that - could communicate with inputs/outputs that could be used to remotely - command the machine (or leak data). - </p> - - <h1 id="procedure">Disassembly</h1> - - <p> - Remove those screws and remove the HDD:<br/> - <img src="t60_dev/0001.JPG" alt="" /> <img src="t60_dev/0002.JPG" alt="" /> - </p> - - <p> - Lift off the palm rest:<br/> - <img src="t60_dev/0003.JPG" alt="" /> - </p> - - <p> - Lift up the keyboard, pull it back a bit, flip it over like that and then disconnect it from the board:<br/> - <img src="t60_dev/0004.JPG" alt="" /> <img src="t60_dev/0005.JPG" alt="" /> <img src="t60_dev/0006.JPG" alt="" /> - </p> - - <p> - Gently wedge both sides loose:<br/> - <img src="t60_dev/0007.JPG" alt="" /> <img src="t60_dev/0008.JPG" alt="" /> - </p> - - <p> - Remove that cable from the position:<br/> - <img src="t60_dev/0009.JPG" alt="" /> <img src="t60_dev/0010.JPG" alt="" /> - </p> - - <p> - Now remove that bezel. Remove wifi, nvram battery and speaker connector (also remove 56k modem, on the left of wifi):<br/> - <img src="t60_dev/0011.JPG" alt="" /><br/> - Reason: has direct (and very fast) memory access, and could (theoretically) leak data over a side-channel.<br/> - <b>Wifi:</b> The ath5k/ath9k cards might not have firmware at all. They might safe but could have - access to the computer's RAM trough DMA. If people have an intel - card(most T60's come with Intel wifi by default, until you change it),then that card runs - a non-free firwamre and has access to the computer's RAM trough DMA! So - it's risk-level is very high. - </p> - - <p> - Remove those screws:<br/> - <img src="t60_dev/0012.JPG" alt="" /> - </p> - - <p> - Disconnect the power jack:<br/> - <img src="t60_dev/0013.JPG" alt="" /> - </p> - - <p> - Remove nvram battery (we will put it back later):<br/> - <img src="t60_dev/0014.JPG" alt="" /> - </p> - - <p> - Disconnect cable (for 56k modem) and disconnect the other cable:<br/> - <img src="t60_dev/0015.JPG" alt="" /> <img src="t60_dev/0016.JPG" alt="" /> - </p> - - <p> - Disconnect speaker cable:<br/> - <img src="t60_dev/0017.JPG" alt="" /> - </p> - - <p> - Disconnect the other end of the 56k modem cable:<br/> - <img src="t60_dev/0018.JPG" alt="" /> - </p> - - <p> - Make sure you removed it:<br/> - <img src="t60_dev/0019.JPG" alt="" /> - </p> - - <p> - Unscrew those:<br/> - <img src="t60_dev/0020.JPG" alt="" /> - </p> - - <p> - Make sure you removed those:<br/> - <img src="t60_dev/0021.JPG" alt="" /> - </p> - - <p> - Disconnect LCD cable from board:<br/> - <img src="t60_dev/0022.JPG" alt="" /> - </p> - - <p> - Remove those screws then remove the LCD assembly:<br/> - <img src="t60_dev/0023.JPG" alt="" /> <img src="t60_dev/0024.JPG" alt="" /> <img src="t60_dev/0025.JPG" alt="" /> - </p> - - <p> - Once again, make sure you removed those:<br/> - <img src="t60_dev/0026.JPG" alt="" /> - </p> - - <p> - Remove the shielding containing the motherboard, then flip it over. Remove these screws, placing them on a steady - surface in the same layout as they were in before you removed them. Also, you should mark each screw hole after removing the - screw (a permanent marker pen will do), this is so that you have a point of reference when re-assembling the machine:<br/> - <img src="t60_dev/0027.JPG" alt="" /> <img src="t60_dev/0028.JPG" alt="" /> <img src="t60_dev/0029.JPG" alt="" /> - <img src="t60_dev/0031.JPG" alt="" /> <img src="t60_dev/0032.JPG" alt="" /> <img src="t60_dev/0033.JPG" alt="" /> - </p> - - <p> - Remove microphone (soldering iron not needed. Just wedge it out gently):<br/> - <img src="t60_dev/0039.JPG" alt="" /><br/> - <b>Rationale:</b><br/> - Another reason to remove the microphone: If your computer gets<a href="#ref1">[1]</a> compromised, it can - record what you say, and use it to receive data from nearby devices if - they're compromised too. Also, we do not know what the built-in microcode (in the CPU) is doing; it could theoretically - be programmed to accept remote commands from some speaker somewhere (remote security hole). <b>In other words, - the machine could already be compromised from the factory.</b> - </p> - - <p> - Remove infrared:<br/> - <img src="t60_dev/0040.JPG" alt="" /> <img src="t60_dev/0042.JPG" alt="" /> - </p> - - <p> - Remove cardbus (it's in a socket, no need to disable. Just remove the port itself):<br/> - <img src="t60_dev/0041.JPG" alt="" /><br/> - <b>Rationale:</b><br/> - It has direct memory access and can be used to extract sensitive details (such as LUKS keys). See - 'GoodBIOS' video linked at the end (speaker is Peter Stuge, a coreboot hacker). The video covers X60 - but the same topics apply to T60. - </p> - - <p> - Before re-installing the upper chassis, remove the speaker:<br/> - <img src="t60_dev/0043.JPG" alt="" /> <img src="t60_dev/0044.JPG" alt="" /><br/> - Reason: combined with the microphone issue, this could be used to leak data.<br/> - If your computer gets<a href="#ref1">[1]</a> compromised, it can be used to - transmit data to nearby compromised devices. It's unknown if it can be - turned into a microphone<a href="#ref2">[2]</a>.<br/> - Replacement: headphones/speakers (line-out) or external DAC (USB). - </p> - - <p> - Remove the wwan:<br/> - <img src="t60_dev/0045.JPG" alt="" /><br/> - <b>Wwan (3d modem):</b> They run proprietary software and have access to the - computer's RAM! So it's like AMT but over the GSM network which is - probably even worse.<br/> - Replacement: external USB wifi dongle. (or USB wwan/3g dongle; note, this has all the same privacy issues as mobile phones. wwan not recommended). - </p> - - <p> - This is where the simcard connector is soldered. See notes above about wwan. Remove simcard by removing battery - and then it's accessible (so, remember to do this when you re-assemble. or you could do it now?)<br/> - <img src="t60_dev/0046.JPG" alt="" /> - </p> - - <p> - Put those screws back:<br/> - <img src="t60_dev/0047.JPG" alt="" /> - </p> - - <p> - Put it back into lower chassis:<br/> - <img src="t60_dev/0048.JPG" alt="" /> - </p> - - <p> - Attach LCD and insert screws (also, attach the lcd cable to the board):<br/> - <img src="t60_dev/0049.JPG" alt="" /> - </p> - - <p> - Insert those screws:<br/> - <img src="t60_dev/0050.JPG" alt="" /> - </p> - - <p> - On the CPU (and there is another chip south-east to it, sorry forgot to take pic) - clean off the old thermal paste (rubbing a1ocheal (misspelling intentional. halal internet)) and apply new (Artic Silver 5 is good, others are good too) - you should also clean the heatsink the same way<br/> - <img src="t60_dev/0051.JPG" alt="" /> - </p> - - <p> - Attach the heatsink and install the screws (also, make sure to install the AC jack as highlighted):<br/> - <img src="t60_dev/0052.JPG" alt="" /> - </p> - - <p> - Reinstall that upper bezel:<br/> - <img src="t60_dev/0053.JPG" alt="" /> - </p> - - <p> - Do that:<br/> - <img src="t60_dev/0054.JPG" alt="" /> <img src="t60_dev/0055.JPG" alt="" /> - </p> - - <p> - Attach keyboard and install nvram battery:<br/> - <img src="t60_dev/0056.JPG" alt="" /> <img src="t60_dev/0057.JPG" alt="" /> - </p> - - <p> - Place keyboard and (sorry, forgot to take pics) reinstall the palmrest and insert screws on the underside:<br/> - <img src="t60_dev/0058.JPG" alt="" /> - </p> - - <p> - Remove those covers and unscrew:<br/> - <img src="t60_dev/0059.JPG" alt="" /> <img src="t60_dev/0060.JPG" alt="" /> <img src="t60_dev/0061.JPG" alt="" /> - </p> - - <p> - Gently pry off the front bezel (sorry, forgot to take pics). - </p> - - <p> - Remove bluetooth module:<br/> - <img src="t60_dev/0062.JPG" alt="" /> <img src="t60_dev/0063.JPG" alt="" /> - </p> - - <p> - Re-attach the front bezel and re-insert the screws (sorry, forgot to take pics). - </p> - - <p> - It lives!<br/> - <img src="t60_dev/0071.JPG" alt="" /> <img src="t60_dev/0072.JPG" alt="" /> <img src="t60_dev/0073.JPG" alt="" /> - </p> - - <p> - Always stress test ('stress -c 2' and xsensors. below 90C is ok) when replacing cpu paste/heatsink:<br/> - <img src="t60_dev/0074.JPG" alt="" /> - </p> - - <h2> - Not covered yet: - </h2> - <ul> - <li>Disable flashing the ethernet firmware</li> - <li>Disable SPI flash writes (can be re-enabled by unsoldering two parts)</li> - <li>Disable use of xrandr/edid on external monitor (cut 2 pins on VGA)</li> - <li>Disable docking station (might be possible to do it in software, in coreboot upstream as a Kconfig option)</li> - </ul> - <p> - Go to <a href="http://media.ccc.de/browse/congress/2013/30C3_-_5529_-_en_-_saal_2_-_201312271830_-_hardening_hardware_and_choosing_a_goodbios_-_peter_stuge.html">http://media.ccc.de/browse/congress/2013/30C3_-_5529_-_en_-_saal_2_-_201312271830_-_hardening_hardware_and_choosing_a_goodbios_-_peter_stuge.html</a> - or directly to the video: <a href="http://mirror.netcologne.de/CCC/congress/2013/webm/30c3-5529-en-Hardening_hardware_and_choosing_a_goodBIOS_webm.webm">http://mirror.netcologne.de/CCC/congress/2013/webm/30c3-5529-en-Hardening_hardware_and_choosing_a_goodBIOS_webm.webm</a>. - </p> - <p> - A lot of this tutorial is based on that video. Look towards the second half of the video to see how to do the above. - </p> - - <h2> - Also not covered yet: - </h2> - <ul> - <li> - Intrusion detection: randomized seal on screws<br/> - Just put nail polish with lot of glider on the important screws, take - some good pictures. Keep the pictueres and make sure of their integrity. - Compare the nail polish with the pictures before powering on the laptop. - </li> - <li> - Tips about preventing/mitigating risk of cold boot attack. - <ul> - <li>soldered RAM?</li> - <li>wipe all RAM at boot/power-off/power-on? (patch in coreboot upstream?)</li> - <li>ask gnutoo about fallback patches (counts number of boots)</li> - </ul> - </li> - <li> - General tips/advice and web links showing how to detect physical intrusions. - </li> - <li> - For example: <a href="http://cs.tau.ac.il/~tromer/acoustic/">http://cs.tau.ac.il/~tromer/acoustic/</a> - </li> - <li> - https://gitorious.org/gnutoo-for-coreboot/grub-assemble/source/a61f636797777a742f65f4c9c58032aa6a9b23c3: - </li> - </ul> - - <h1> - Extra notes - </h1> - <p> - EC: Cannot be removed but can be mitigated: it contains non-free - non-loadable code, but it has no access to the computer's RAM. - It has access to the on-switch of the wifi, bluetooth, modem and some - other power management features. The issue is that it has access to the - keyboard, however if the software security howto <b>(not yet written)</b> is followed correctly, - it won't be able to leak data to a local attacker. It has no network - access but it may still be able to leak data remotely, but that - requires someone to be nearby to recover the data with the help of an - SDR and some directional antennas<a href="#ref3">[3]</a>. - </p> - <p> - <a href="http://www.coreboot.org/Intel_82573_Ethernet_controller">Intel 82573 Ethernet controller</a> - on the X60 seems safe, according to Denis. - </p> - - <h2> - Risk level - </h2> - <ul> - <li>Modem (3g/wwan): highest</li> - <li>Intel wifi: Near highest</li> - <li>Atheros PCI wifi: unknown, but lower than intel wifi.</li> - <li>Microphone: only problematic if the computer gets compromised.</li> - <li>Speakers: only problematic if the computer gets compromised.</li> - <li>EC: can be mitigated if following the guide on software security.</li> - </ul> - - <h1> - Further reading material (software security) - </h1> - <ul> - <li><a href="encrypted_trisquel.html">Installing Trisquel GNU/Linux with full disk encryption (including /boot)</a></li> - <li><a href="encrypted_parabola.html">Installing Parabola GNU/Linux with full disk encryption (including /boot)</a></li> - <li><a href="dock.html">Notes about DMA access and the docking station</a></li> - </ul> - - <h1> - References - </h1> - <h2 id="ref1">[1] physical access</h2> - <p> - Explain that black hats, TAO, and so on might use a 0day to get in, - and explain that in this case it mitigates what the attacker can do. - Also the TAO do some evaluation before launching an attack: they take - the probability of beeing caught into account, along with the kind of - target. A 0day costs a lot of money, I heard that it was from 100000$ - to 400000$, some other websites had prices 10 times lower but that - but it was probably a typo. So if people increase their security it - makes it more risky and more costly to attack people. - </p> - <h2 id="ref2">[2] microphone</h2> - <p> - It's possible to turn headphones into a microphone, you could try - yourself, however they don't record loud at all. Also intel cards have - the capability to change a connector's function, for instance the - microphone jack can now become a headphone plug, that's called - retasking. There is some support for it in GNU/Linux but it's not very - well known. - </p> - <h2 id="ref3">[3] Video (CCC)</h2> - <p> - 30c3-5356-en-Firmware_Fat_Camp_webm.webm from the 30th CCC. While - their demo is experimental(their hardware also got damaged during the - transport), the spies probably already have that since a long time. - <a href="http://berlin.ftp.media.ccc.de/congress/2013/webm/30c3-5356-en-Firmware_Fat_Camp_webm.webm">http://berlin.ftp.media.ccc.de/congress/2013/webm/30c3-5356-en-Firmware_Fat_Camp_webm.webm</a> - </p> - -<hr/> - - <p> - Copyright © 2014 Francis Rowe <info@gluglug.org.uk><br/> - This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at <a href="../license.txt">../license.txt</a>. - </p> - - <p> - This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See <a href="../license.txt">../license.txt</a> for more information. - </p> - -</body> -</html> diff --git a/docs/howtos/t60_unbrick.html b/docs/howtos/t60_unbrick.html deleted file mode 100644 index 69648e1..0000000 --- a/docs/howtos/t60_unbrick.html +++ /dev/null @@ -1,319 +0,0 @@ -<!DOCTYPE html> -<html> -<head> - <meta charset="utf-8"> - <meta name="viewport" content="width=device-width, initial-scale=1"> - - <style type="text/css"> - body { - background:#fff; - color:#000; - font-family:sans-serif; - font-size:1em; - } - </style> - - <title>Libreboot documentation: Unbricking the ThinkPad T60</title> -</head> - -<body> - - <header> - <h1>Unbricking the ThinkPad T60</h1> - <aside>This guide will show you how to recover from a bad flash that prevents your ThinkPad T60 from booting.</aside> - </header> - - <p>Or go <a href="../index.html">back to main index</a></p> - - <h2>Table of Contents</h2> - <ul> - <li><a href="#hardware_requirements">Hardware Requirements</a></li> - <li><a href="#software_requirements">Software Requirements</a></li> - <li> - Types of brick: - <ul> - <li><a href="#bucts_brick">Brick type 1: bucts not reset</a></li> - <li><a href="#recovery">Brick type 2: bad rom (or user error), machine won't boot</a></li> - </ul> - </li> - </ul> - - <h1 id="hardware_requirements">Hardware requirements</h1> - <ul> - <li>a 2nd computer (maybe another T60. any computer will do)</li> - <li>external flashrom-compatible programmer (I'm using the "bus pirate") - <li>SOIC-8 IC clip (I'm using the Pomona 5250)</li> - <li>Cable (programmer<>clip) - mine came with the bus pirate.</li> - <li>USB mini a to b cable (for buspirate<>computer connection).</li> - <li>rubbing a***hol (misspelling intentional. halal internet) and thermal compound for changing CPU heatsink (procedure involves removing heatsink)</li> - </ul> - - <h1 id="software_requirements">Software requirements</h1> - <ul> - <li>GNU/Linux (on the 2nd computer)</li> - <li>flashrom software (on the 2nd computer): <a href="http://flashrom.org/" target="_blank">http://flashrom.org/</a> - </ul> - - <h1 id="bucts_brick">Brick type 1: bucts not reset.</h1> - <p> - You still have Lenovo BIOS, or you had libreboot running and you flashed another ROM; and you had bucts 1 set and - the ROM wasn't dd'd.* or if Lenovo BIOS was present and libreboot wasn't flashed.<br/><br/> - - In this case, unbricking is easy: reset BUC.TS to 0 by removing that yellow cmos coin (it's a battery) and putting it back after a minute or two:<br/> - <img src="t60_dev/0006.JPG" alt="" /><br/><br/> - - *Those dd commands should be applied to all newly compiled T60 ROM's (the ROM's in libreboot binary archives already have this applied!):<br/> - dd if=coreboot.rom of=top64k.bin bs=1 skip=$[$(stat -c %s coreboot.rom) - 0x10000] count=64k<br/> - dd if=coreboot.rom bs=1 skip=$[$(stat -c %s coreboot.rom) - 0x20000] count=64k | hexdump<br/> - dd if=top64k.bin of=coreboot.rom bs=1 seek=$[$(stat -c %s coreboot.rom) - 0x20000] count=64k conv=notrunc<br/> - (doing this makes the ROM suitable for use when flashing a machine that still has Lenovo BIOS running, - using those instructions: <a href="http://www.coreboot.org/Board:lenovo/x60/Installation" target="_blank">http://www.coreboot.org/Board:lenovo/x60/Installation</a>. - (it says x60, but instructions for t60 are identical) - </p> - - <h1 id="recovery">bad rom (or user error), machine won't boot</h1> - - <p> - In this scenario, you compiled a ROM that had an incorrect configuration, or there is an actual bug preventing your machine from - booting. Or, maybe, you set BUC.TS to 0 and shut down after first flash while Lenovo BIOS was running. In any case, your machine is bricked and will not boot at all. - </p> - <p> - "Unbricking" means flashing a known-good (working) ROM. The problem: you can't boot the machine, making this difficult. In this situation, external hardware (see hardware requirements above) is needed which can flash the SPI chip (where libreboot resides). - </p> - - <p> - Remove those screws and remove the HDD:<br/> - <img src="t60_dev/0001.JPG" alt="" /> <img src="t60_dev/0002.JPG" alt="" /> - </p> - - <p> - Lift off the palm rest:<br/> - <img src="t60_dev/0003.JPG" alt="" /> - </p> - - <p> - Lift up the keyboard, pull it back a bit, flip it over like that and then disconnect it from the board:<br/> - <img src="t60_dev/0004.JPG" alt="" /> <img src="t60_dev/0005.JPG" alt="" /> <img src="t60_dev/0006.JPG" alt="" /> - </p> - - <p> - Gently wedge both sides loose:<br/> - <img src="t60_dev/0007.JPG" alt="" /> <img src="t60_dev/0008.JPG" alt="" /> - </p> - - <p> - Remove that cable from the position:<br/> - <img src="t60_dev/0009.JPG" alt="" /> <img src="t60_dev/0010.JPG" alt="" /> - </p> - - <p> - Now remove that bezel. Remove wifi, nvram battery and speaker connector (also remove 56k modem, on the left of wifi):<br/> - <img src="t60_dev/0011.JPG" alt="" /> - </p> - - <p> - Remove those screws:<br/> - <img src="t60_dev/0012.JPG" alt="" /> - </p> - - <p> - Disconnect the power jack:<br/> - <img src="t60_dev/0013.JPG" alt="" /> - </p> - - <p> - Remove nvram battery:<br/> - <img src="t60_dev/0014.JPG" alt="" /> - </p> - - <p> - Disconnect cable (for 56k modem) and disconnect the other cable:<br/> - <img src="t60_dev/0015.JPG" alt="" /> <img src="t60_dev/0016.JPG" alt="" /> - </p> - - <p> - Disconnect speaker cable:<br/> - <img src="t60_dev/0017.JPG" alt="" /> - </p> - - <p> - Disconnect the other end of the 56k modem cable:<br/> - <img src="t60_dev/0018.JPG" alt="" /> - </p> - - <p> - Make sure you removed it:<br/> - <img src="t60_dev/0019.JPG" alt="" /> - </p> - - <p> - Unscrew those:<br/> - <img src="t60_dev/0020.JPG" alt="" /> - </p> - - <p> - Make sure you removed those:<br/> - <img src="t60_dev/0021.JPG" alt="" /> - </p> - - <p> - Disconnect LCD cable from board:<br/> - <img src="t60_dev/0022.JPG" alt="" /> - </p> - - <p> - Remove those screws then remove the LCD assembly:<br/> - <img src="t60_dev/0023.JPG" alt="" /> <img src="t60_dev/0024.JPG" alt="" /> <img src="t60_dev/0025.JPG" alt="" /> - </p> - - <p> - Once again, make sure you removed those:<br/> - <img src="t60_dev/0026.JPG" alt="" /> - </p> - - <p> - Remove the shielding containing the motherboard, then flip it over. Remove these screws, placing them on a steady - surface in the same layout as they were in before you removed them. Also, you should mark each screw hole after removing the - screw (a permanent marker pen will do), this is so that you have a point of reference when re-assembling the machine:<br/> - <img src="t60_dev/0027.JPG" alt="" /> <img src="t60_dev/0028.JPG" alt="" /> <img src="t60_dev/0029.JPG" alt="" /> - <img src="t60_dev/0031.JPG" alt="" /> <img src="t60_dev/0032.JPG" alt="" /> <img src="t60_dev/0033.JPG" alt="" /> - </p> - - <p> - At this point, you should wire up your programmer according to it's documentation. For me, this was (see: "SparkFun cable pin reference"):<br/> - <a href="http://dangerousprototypes.com/docs/Common_Bus_Pirate_cable_pinouts" target="_blank">http://dangerousprototypes.com/docs/Common_Bus_Pirate_cable_pinouts</a>.<br/> - Correlating with the following information, I was able to wire up my pirate correctly:<br/> - <a href="http://flashrom.org/Bus_Pirate#Connections" target="_blank">http://flashrom.org/Bus_Pirate#Connections</a><br/> - And by following that advice:<br/> - <a href="http://www.coreboot.org/Board:lenovo/x60/Installation#Howto" target="_blank">http://www.coreboot.org/Board:lenovo/x60/Installation#Howto</a>.<br/> - (it says X60 but instructions are virtually the same for the T60, with except to physical differences in how to disassemble the machine)<br/> - Note: that last page says to wire up only those 5 pins (see below) like that: 1, 2, 4, 5, 6.<br/> - Note: and then, for power it says (on that coreboot.org page) to connect the power jack to the board and connect the - AC adapter (without powering on the board).<br/> - Note: I ignored that advice, and wired up all 8 pins. And it worked.<br/> - - Here is the pinout (correlate it with your programmer's documentation):<br/> - <img src="t60_dev/0030.JPG" alt="" /> - </p> - - <p> - Connecting the pomona:<br/> - <img src="t60_dev/0034.JPG" alt="" /> - </p> - - <p> - Connect programmer to 2nd computer:<br/> - <img src="t60_dev/0035.JPG" alt="" /> - </p> - - <p> - Programmer has power:<br/> - <img src="t60_dev/0036.JPG" alt="" /> - </p> - - <p> - Now flash the bricked machine using the 2nd computer. in my case I did:<br/> - <b>flashrom -p buspirate_spi:dev=/dev/ttyUSB0 -w bin/t60/libreboot_usqwerty.rom</b><br/> - Note: there are also other ROM images for T60<br/> - Note: this is using buspirate as the programmer, so it is flashing the T60, not the 2nd computer!<br/> - Here's my terminal window on the 2nd computer (also the programmer is active):<br/> - <img src="t60_dev/0037.JPG" alt="" /> <img src="t60_dev/0038.JPG" alt="" /><br/> - So, you should see the following:<br/> - -- - <pre> - flashrom v0.9.5.2-r1517 on Linux 3.2.0-61-generic (i686), built with libpci 3.1.8, GCC 4.6.3, little endian - flashrom is free software, get the source code at http://www.flashrom.org - - Calibrating delay loop... delay loop is unreliable, trying to continue OK. - Found Macronix flash chip "MX25L1605" (2048 kB, SPI) on buspirate_spi. - Reading old flash chip contents... done. - Erasing and writing flash chip... Erase/write done. - Verifying flash... VERIFIED. - </pre> - --<br/> - At the end it says "VERIFIED", which means that the procedure worked. If you see this, it means - that you can put your T60 back together. So let's do that now. - </p> - - <p> - Put those screws back:<br/> - <img src="t60_dev/0047.JPG" alt="" /> - </p> - - <p> - Put it back into lower chassis:<br/> - <img src="t60_dev/0048.JPG" alt="" /> - </p> - - <p> - Attach LCD and insert screws (also, attach the lcd cable to the board):<br/> - <img src="t60_dev/0049.JPG" alt="" /> - </p> - - <p> - Insert those screws:<br/> - <img src="t60_dev/0050.JPG" alt="" /> - </p> - - <p> - On the CPU (and there is another chip south-east to it, sorry forgot to take pic) - clean off the old thermal paste (rubbing a1ocheal (misspelling intentional. halal internet)) and apply new (Artic Silver 5 is good, others are good too) - you should also clean the heatsink the same way<br/> - <img src="t60_dev/0051.JPG" alt="" /> - </p> - - <p> - Attach the heatsink and install the screws (also, make sure to install the AC jack as highlighted):<br/> - <img src="t60_dev/0052.JPG" alt="" /> - </p> - - <p> - Reinstall that upper bezel:<br/> - <img src="t60_dev/0053.JPG" alt="" /> - </p> - - <p> - Do that:<br/> - <img src="t60_dev/0054.JPG" alt="" /> <img src="t60_dev/0055.JPG" alt="" /> - </p> - - <p> - Re-attach modem, wifi, (wwan?), and all necessary cables. Sorry, forgot to take pics. Look at previous removal steps to see where they go back to. - </p> - - <p> - Attach keyboard and install nvram battery:<br/> - <img src="t60_dev/0056.JPG" alt="" /> <img src="t60_dev/0057.JPG" alt="" /> - </p> - - <p> - Place keyboard and (sorry, forgot to take pics) reinstall the palmrest and insert screws on the underside:<br/> - <img src="t60_dev/0058.JPG" alt="" /> - </p> - - <p> - It lives!<br/> - <img src="t60_dev/0071.JPG" alt="" /> <img src="t60_dev/0072.JPG" alt="" /> <img src="t60_dev/0073.JPG" alt="" /> - </p> - - <p> - Always stress test ('stress -c 2' and xsensors. below 90C is ok) when replacing cpu paste/heatsink:<br/> - <img src="t60_dev/0074.JPG" alt="" /> - </p> - -<hr/> - - <p> - Copyright © 2014 Francis Rowe <info@gluglug.org.uk><br/> - This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at <a href="../license.txt">../license.txt</a>. - </p> - - <p> - This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See <a href="../license.txt">../license.txt</a> for more information. - </p> - -</body> -</html> diff --git a/docs/howtos/x60_heatsink.html b/docs/howtos/x60_heatsink.html deleted file mode 100644 index 22b55e1..0000000 --- a/docs/howtos/x60_heatsink.html +++ /dev/null @@ -1,149 +0,0 @@ -<!DOCTYPE html> -<html> -<head> - <meta charset="utf-8"> - <meta name="viewport" content="width=device-width, initial-scale=1"> - - <style type="text/css"> - body { - background:#fff; - color:#000; - font-family:sans-serif; - font-size:1em; - } - </style> - - <title>Libreboot documentation: Switch heatsink on ThinkPad X60</title> -</head> - -<body> - - <header> - <h1>Changing the fan/heatsink on the ThinkPad X60</h1> - <aside>This guide will teach you how to replace the fan and heatsink on your ThinkPad X60.</aside> - </header> - - <p>Or go <a href="../index.html">back to main index</a></p> - - <h2>Table of Contents</h2> - <ul> - <li><a href="#hardware_requirements">Hardware Requirements</a></li> - <li><a href="#software_requirements">Software Requirements</a></li> - <li><a href="#procedure">The procedure</a></li> - </ul> - - <h1 id="hardware_requirements">Hardware requirements</h1> - <ul> - <li>i<b></b>sopr<b></b>opyl <i>alc<b></b>h<i></i>olal</i> (sometimes called rubbing <i>alc<b></b>hole</i>) (cleaning material. DoNotIngest) (typo is intentional, due to fii1illt<a></a>erii1iiing für wörten von Großbritannien und oder nationale iintturnett)</li> - <li>your new fan and/or heatsink</li> - <li>CPU thermal compound (some say Arctic Silver 5 or IC Diamond 7 are good, others are also 'ok')</li> - <li>Something to spread the paste with</li> - </ul> - - <h1 id="software_requirements">Software requirements (for CPU stress testing)</h1> - <ul> - <li>xsensors utility</li> - <li>stress utility</li> - </ul> - - <h1 id="procedure">Disassembly</h1> - <p> - Remove those screws:<br/> - <img src="x60_heatsink/0000.jpg" alt="" /> - </p> - <p> - Push the keyboard forward (carefully):<br/> - <img src="x60_heatsink/0001.jpg" alt="" /> - </p> - <p> - Lift the keyboard up and disconnect it from the board:<br/> - <img src="x60_heatsink/0002.jpg" alt="" /> - </p> - <p> - Grab the right-hand side of the chassis and force it off (gently) and pry up the rest of the chassis:<br/> - <img src="x60_heatsink/0003.jpg" alt="" /> - </p> - <p> - You should now have this:<br/> - <img src="x60_heatsink/0004.jpg" alt="" /> - </p> - <p> - Disconnect the wifi antenna cables, the modem cable and the speaker:<br/> - <img src="x60_heatsink/0005.jpg" alt="" /> - </p> - <p> - Unroute the cables along their path, carefully lifting the tape that holds them in place. Then, disconnect the modem - cable (other end) and power connection and unroute all the cables so that they dangle by the monitor hinge on the right-hand - side:<br/> - <img src="x60_heatsink/0006.jpg" alt="" /> - </p> - <p> - Disconnect the monitor from the motherboard, and unroute the grey antenna cable, carefully lifting the tape - that holds it into place:<br/> - <img src="x60_heatsink/0008.jpg" alt="" /> - </p> - <p> - Carefully lift the remaining tape and unroute the left antenna cable so that it is loose:<br/> - <img src="x60_heatsink/0009.jpg" alt="" /> - </p> - <p> - Remove those screws:<br/> - <img src="x60_heatsink/0011.jpg" alt="" /> - </p> - <p> - Remove those screws:<br/> - <img src="x60_heatsink/0012.jpg" alt="" /> - </p> - <p> - Carefully remove the plate, like so:<br/> - <img src="x60_heatsink/0013.jpg" alt="" /> - </p> - <p> - Remove the SATA connector:<br/> - <img src="x60_heatsink/0014.jpg" alt="" /> - </p> - <p> - Now remove the motherboard (gently) and cast the lcd/chassis aside:<br/> - <img src="x60_heatsink/0015.jpg" alt="" /> - </p> - <p> - Look at that black tape above the heatsink, remove it:<br/> - <img src="x60_heatsink/0016.jpg" alt="" /> - </p> - <p> - Now you have removed it:<br/> - <img src="x60_heatsink/0017.jpg" alt="" /> - </p> - - <p> - Disconnect the fan and remove all the screws, heatsink will easily come off:<br/> - <img src="x60_heatsink/0018.jpg" alt="" /> - </p> - - <p> - Remove the old paste with a cloth (from the CPU and heatsink) and then clean both of them with the <i>alc<a></a>h<b></b>oleel</i> (to remove remaining residue. typo is intentional). - Apply a pea-sized amount of paste to the both chipsets that the heatsink covered and spread it evenly (uniformally). - Finally reinstall the heatsink, reversing previous steps. - </p> - - <p> - <b>stress -c 2</b> command can be used to push the CPU to 100%, and <b>xsensors</b> (or <b>watch sensors</b> command) can be used to monitor heat. - Below 90C is ok. - </p> - -<hr/> - - <p> - Copyright © 2014 Francis Rowe <info@gluglug.org.uk><br/> - This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at <a href="../license.txt">../license.txt</a>. - </p> - - <p> - This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See <a href="../license.txt">../license.txt</a> for more information. - </p> - -</body> -</html> diff --git a/docs/howtos/x60_heatsink/0000.jpg b/docs/howtos/x60_heatsink/0000.jpg Binary files differdeleted file mode 100644 index ce0ec3b..0000000 --- a/docs/howtos/x60_heatsink/0000.jpg +++ /dev/null diff --git a/docs/howtos/x60_heatsink/0001.jpg b/docs/howtos/x60_heatsink/0001.jpg Binary files differdeleted file mode 100644 index 2bbc0ca..0000000 --- a/docs/howtos/x60_heatsink/0001.jpg +++ /dev/null diff --git a/docs/howtos/x60_heatsink/0002.jpg b/docs/howtos/x60_heatsink/0002.jpg Binary files differdeleted file mode 100644 index b55db3b..0000000 --- a/docs/howtos/x60_heatsink/0002.jpg +++ /dev/null diff --git a/docs/howtos/x60_heatsink/0003.jpg b/docs/howtos/x60_heatsink/0003.jpg Binary files differdeleted file mode 100644 index c5799ae..0000000 --- a/docs/howtos/x60_heatsink/0003.jpg +++ /dev/null diff --git a/docs/howtos/x60_heatsink/0004.jpg b/docs/howtos/x60_heatsink/0004.jpg Binary files differdeleted file mode 100644 index cd47840..0000000 --- a/docs/howtos/x60_heatsink/0004.jpg +++ /dev/null diff --git a/docs/howtos/x60_heatsink/0005.jpg b/docs/howtos/x60_heatsink/0005.jpg Binary files differdeleted file mode 100644 index 418c9d2..0000000 --- a/docs/howtos/x60_heatsink/0005.jpg +++ /dev/null diff --git a/docs/howtos/x60_heatsink/0006.jpg b/docs/howtos/x60_heatsink/0006.jpg Binary files differdeleted file mode 100644 index 6d36d93..0000000 --- a/docs/howtos/x60_heatsink/0006.jpg +++ /dev/null diff --git a/docs/howtos/x60_heatsink/0007.jpg b/docs/howtos/x60_heatsink/0007.jpg Binary files differdeleted file mode 100644 index 971ccdf..0000000 --- a/docs/howtos/x60_heatsink/0007.jpg +++ /dev/null diff --git a/docs/howtos/x60_heatsink/0008.jpg b/docs/howtos/x60_heatsink/0008.jpg Binary files differdeleted file mode 100644 index 24e6526..0000000 --- a/docs/howtos/x60_heatsink/0008.jpg +++ /dev/null diff --git a/docs/howtos/x60_heatsink/0009.jpg b/docs/howtos/x60_heatsink/0009.jpg Binary files differdeleted file mode 100644 index d318395..0000000 --- a/docs/howtos/x60_heatsink/0009.jpg +++ /dev/null diff --git a/docs/howtos/x60_heatsink/0010.jpg b/docs/howtos/x60_heatsink/0010.jpg Binary files differdeleted file mode 100644 index 5e6fdc7..0000000 --- a/docs/howtos/x60_heatsink/0010.jpg +++ /dev/null diff --git a/docs/howtos/x60_heatsink/0011.jpg b/docs/howtos/x60_heatsink/0011.jpg Binary files differdeleted file mode 100644 index 101cf6a..0000000 --- a/docs/howtos/x60_heatsink/0011.jpg +++ /dev/null diff --git a/docs/howtos/x60_heatsink/0012.jpg b/docs/howtos/x60_heatsink/0012.jpg Binary files differdeleted file mode 100644 index dbb6669..0000000 --- a/docs/howtos/x60_heatsink/0012.jpg +++ /dev/null diff --git a/docs/howtos/x60_heatsink/0013.jpg b/docs/howtos/x60_heatsink/0013.jpg Binary files differdeleted file mode 100644 index 2d2b9dd..0000000 --- a/docs/howtos/x60_heatsink/0013.jpg +++ /dev/null diff --git a/docs/howtos/x60_heatsink/0014.jpg b/docs/howtos/x60_heatsink/0014.jpg Binary files differdeleted file mode 100644 index 733f997..0000000 --- a/docs/howtos/x60_heatsink/0014.jpg +++ /dev/null diff --git a/docs/howtos/x60_heatsink/0015.jpg b/docs/howtos/x60_heatsink/0015.jpg Binary files differdeleted file mode 100644 index 1e81166..0000000 --- a/docs/howtos/x60_heatsink/0015.jpg +++ /dev/null diff --git a/docs/howtos/x60_heatsink/0016.jpg b/docs/howtos/x60_heatsink/0016.jpg Binary files differdeleted file mode 100644 index ea418a5..0000000 --- a/docs/howtos/x60_heatsink/0016.jpg +++ /dev/null diff --git a/docs/howtos/x60_heatsink/0017.jpg b/docs/howtos/x60_heatsink/0017.jpg Binary files differdeleted file mode 100644 index 8a67482..0000000 --- a/docs/howtos/x60_heatsink/0017.jpg +++ /dev/null diff --git a/docs/howtos/x60_heatsink/0018.jpg b/docs/howtos/x60_heatsink/0018.jpg Binary files differdeleted file mode 100644 index 98c43ac..0000000 --- a/docs/howtos/x60_heatsink/0018.jpg +++ /dev/null diff --git a/docs/howtos/x60_lcd_change.html b/docs/howtos/x60_lcd_change.html deleted file mode 100644 index 3ddeaac..0000000 --- a/docs/howtos/x60_lcd_change.html +++ /dev/null @@ -1,54 +0,0 @@ -<!DOCTYPE html> -<html> -<head> - <meta charset="utf-8"> - <meta name="viewport" content="width=device-width, initial-scale=1"> - - <style type="text/css"> - body { - background:#fff; - color:#000; - font-family:sans-serif; - font-size:1em; - } - </style> - - <title>Libreboot documentation: Unbricking the ThinkPad T60</title> -</head> - -<body> - - <header> - <h1>Changing the LCD panel on X60</h1> - </header> - - <p>Or go <a href="../index.html">back to main index</a></p> - - <p>This tutorial is incomplete, and only pictures for now.</p> - - <p> - <img src="x60_lcd_change/0001.JPG" alt="" /> - <img src="x60_lcd_change/0002.JPG" alt="" /> - <img src="x60_lcd_change/0003.JPG" alt="" /> - <img src="x60_lcd_change/0004.JPG" alt="" /> - <img src="x60_lcd_change/0005.JPG" alt="" /> - <img src="x60_lcd_change/0006.JPG" alt="" /> - <img src="x60_lcd_change/0007.JPG" alt="" /> - </p> - -<hr/> - - <p> - Copyright © 2014 Francis Rowe <info@gluglug.org.uk><br/> - This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at <a href="../license.txt">../license.txt</a>. - </p> - - <p> - This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See <a href="../license.txt">../license.txt</a> for more information. - </p> - -</body> -</html> diff --git a/docs/howtos/x60_lcd_change/0001.JPG b/docs/howtos/x60_lcd_change/0001.JPG Binary files differdeleted file mode 100755 index fd066eb..0000000 --- a/docs/howtos/x60_lcd_change/0001.JPG +++ /dev/null diff --git a/docs/howtos/x60_lcd_change/0002.JPG b/docs/howtos/x60_lcd_change/0002.JPG Binary files differdeleted file mode 100755 index 96949f1..0000000 --- a/docs/howtos/x60_lcd_change/0002.JPG +++ /dev/null diff --git a/docs/howtos/x60_lcd_change/0003.JPG b/docs/howtos/x60_lcd_change/0003.JPG Binary files differdeleted file mode 100755 index 90216aa..0000000 --- a/docs/howtos/x60_lcd_change/0003.JPG +++ /dev/null diff --git a/docs/howtos/x60_lcd_change/0004.JPG b/docs/howtos/x60_lcd_change/0004.JPG Binary files differdeleted file mode 100755 index 3b704a4..0000000 --- a/docs/howtos/x60_lcd_change/0004.JPG +++ /dev/null diff --git a/docs/howtos/x60_lcd_change/0005.JPG b/docs/howtos/x60_lcd_change/0005.JPG Binary files differdeleted file mode 100755 index 823bab9..0000000 --- a/docs/howtos/x60_lcd_change/0005.JPG +++ /dev/null diff --git a/docs/howtos/x60_lcd_change/0006.JPG b/docs/howtos/x60_lcd_change/0006.JPG Binary files differdeleted file mode 100755 index 040f2ca..0000000 --- a/docs/howtos/x60_lcd_change/0006.JPG +++ /dev/null diff --git a/docs/howtos/x60_lcd_change/0007.JPG b/docs/howtos/x60_lcd_change/0007.JPG Binary files differdeleted file mode 100755 index 42c2607..0000000 --- a/docs/howtos/x60_lcd_change/0007.JPG +++ /dev/null diff --git a/docs/howtos/x60_security.html b/docs/howtos/x60_security.html deleted file mode 100644 index e24ae12..0000000 --- a/docs/howtos/x60_security.html +++ /dev/null @@ -1,306 +0,0 @@ -<!DOCTYPE html> -<html> -<head> - <meta charset="utf-8"> - <meta name="viewport" content="width=device-width, initial-scale=1"> - - <style type="text/css"> - body { - background:#fff; - color:#000; - font-family:sans-serif; - font-size:1em; - } - </style> - - <title>Libreboot documentation: Security on the ThinkPad X60</title> -</head> - -<body> - - <header> - <h1>Security on the ThinkPad X60</h1> - <aside>Hardware modifications to enhance security on the ThinkPad X60. This tutorial is <b>incomplete</b> at the time of writing.</aside> - </header> - - <p>Or go <a href="../index.html">back to main index</a></p> - - <h2>Table of Contents</h2> - <ul> - <li><a href="#hardware_requirements">Hardware Requirements</a></li> - <li><a href="#software_requirements">Software Requirements</a></li> - <li><a href="#procedure">The procedure</a></li> - </ul> - - <h1 id="hardware_requirements">Hardware requirements</h1> - <ul> - <li>An X60</li> - <li>screwdriver</li> - <li>(in a later version of this tutorial: soldering iron and scalpel)</li> - </ul> - - <h1 id="software_requirements">Software requirements</h1> - <ul> - <li>none (at least in the scope of the article as-is)</li> - <li>You probably want to encrypt your GNU/Linux install using LUKS</li> - </ul> - - <h1> - Rationale - </h1> - <p> - Most people think of security on the software side: the hardware is important aswell. - Hardware security is useful in particular to journalists (or activists in a given movement) who need absolute privacy in their work. - It is also generally useful to all those that believe security and privacy are inalienable rights. - Security starts with the hardware; crypto and network security come later. - </p> - <p> - Paradoxically, going this far to increase your security also makes you a bigger target. - At the same time, it protects you in the case that someone does attack your machine. - This paradox only exists while few people take adequate steps to protect yourself: it is your <b>duty</b> - to protect yourself, not only for your benefit but to make strong security <i>normal</i> so - that those who do need protection (and claim it) are a smaller target against the masses. - </p> - <p> - Even if there are levels of security beyond your ability (technically, financially and so on) - doing at least <i>something</i> (what you are able to do) is extremely important. - If you use the internet and your computer without protection, attacking you is cheap (some say it is - only a few US cents). If everyone (majority of people) use strong security by default, - it makes attacks more costly and time consuming; in effect, making them disappear. - </p> - <p> - This tutorial deals with reducing the number of devices that have direct memory access that - could communicate with inputs/outputs that could be used to remotely - command the machine (or leak data). - </p> - - <h1 id="procedure">Disassembly</h1> - - <p> - Firstly remove the bluetooth (if your X60 has this):<br/> - The marked screws are underneath those stickers (marked in those 3 locations at the bottom of the LCD assembly):<br/> - <img src="x60_security/0000_bluetooth0.jpg" alt="" /><br/> - Now gently pry off the bottom part of the front bezel, and the bluetooth module is on the left (easily removable):<br/> - <img src="x60_security/0000_bluetooth.jpg" alt="" /><br/> - </p> - - <p> - If your model was WWAN, remove the simcard (check anyway):<br/> - Uncover those 2 screws at the bottom:<br/> - <img src="x60_security/0000_simcard0.jpg" alt="" /><br/> - SIM card (not present in the picture) is in the marked location:<br/> - <img src="x60_security/0000_simcard1.jpg" alt="" /><br/> - Replacement: USB dongle. - </p> - - <p> - Now get into the motherboard. - </p> - - <p> - Remove those screws:<br/> - <img src="x60_security/0000.jpg" alt="" /> - </p> - <p> - Push the keyboard forward (carefully):<br/> - <img src="x60_security/0001.jpg" alt="" /> - </p> - <p> - Lift the keyboard up and disconnect it from the board:<br/> - <img src="x60_security/0002.jpg" alt="" /> - </p> - <p> - Grab the right-hand side of the chassis and force it off (gently) and pry up the rest of the chassis:<br/> - <img src="x60_security/0003.jpg" alt="" /> - </p> - <p> - You should now have this:<br/> - <img src="x60_security/0004.jpg" alt="" /> - </p> - - <p> - The following is a summary of what you will remove (already done to this machine):<br/> - <img src="x60_security/0001_overview.jpg" alt="" /><br/> - Note: the blue lines represent antenna cables and modem cables. You don't need to remove these, but you can if you want - (to make it tidier after removing other parts). I removed the antenna wires, the modem jack, the modem cable and - also (on another model) a device inside the part where the wwan antenna goes (wasn't sure what it was, but I knew it wasn't needed). <b>This is optional</b> - </p> - - <p> - Remove the microphone (can desolder it, but you can also easily pull it off with you hands). Already removed here:<br/> - <img src="x60_security/0001_microphone.jpg" alt="" /><br/> - <b>Rationale:</b><br/> - Another reason to remove the microphone: If your computer gets<a href="#ref1">[1]</a> compromised, it can - record what you say, and use it to receive data from nearby devices if - they're compromised too. Also, we do not know what the built-in microcode (in the CPU) is doing; it could theoretically - be programmed to accept remote commands from some speaker somewhere (remote security hole). <b>In other words, - the machine could already be compromised from the factory.</b> - </p> - - <p> - Remove the modem:<br/> - <img src="x60_security/0001_modem.jpg" alt="" /><br/> - (useless, obsolete device) - </p> - - <p> - Remove the speaker:<br/> - <img src="x60_security/0001_speaker.jpg" alt="" /><br/> - Reason: combined with the microphone issue, this could be used to leak data.<br/> - If your computer gets<a href="#ref1">[1]</a> compromised, it can be used to - transmit data to nearby compromised devices. It's unknown if it can be - turned into a microphone<a href="#ref2">[2]</a>.<br/> - Replacement: headphones/speakers (line-out) or external DAC (USB). - </p> - - <p> - Remove the wlan (also remove wwan if you have it):<br/> - <img src="x60_security/0001_wlan_wwan.jpg" alt="" /><br/> - Reason: has direct (and very fast) memory access, and could (theoretically) leak data over a side-channel.<br/> - <b>Wifi:</b> The ath5k/ath9k cards might not have firmware at all. They might safe but could have - access to the computer's RAM trough DMA. If people have an intel - card(most X60's come with Intel wifi by default, until you change it),then that card runs - a non-free firwamre and has access to the computer's RAM trough DMA! So - it's risk-level is very high.<br/> - <b>Wwan (3d modem):</b> They run proprietary software and have access to the - computer's RAM! So it's like AMT but over the GSM network which is - probably even worse.<br/> - Replacement: external USB wifi dongle. (or USB wwan/3g dongle; note, this has all the same privacy issues as mobile phones. wwan not recommended). - </p> - - <h2> - Not covered yet: - </h2> - <ul> - <li>Disable cardbus (has fast/direct memory access)</li> - <li>Disable firewire (has fast/direct memory access)</li> - <li>Disable flashing the ethernet firmware</li> - <li>Disable SPI flash writes (can be re-enabled by unsoldering two parts)</li> - <li>Disable use of xrandr/edid on external monitor (cut 2 pins on VGA)</li> - <li>Disable docking station (might be possible to do it in software, in coreboot upstream as a Kconfig option)</li> - </ul> - <p> - Go to <a href="http://media.ccc.de/browse/congress/2013/30C3_-_5529_-_en_-_saal_2_-_201312271830_-_hardening_hardware_and_choosing_a_goodbios_-_peter_stuge.html">http://media.ccc.de/browse/congress/2013/30C3_-_5529_-_en_-_saal_2_-_201312271830_-_hardening_hardware_and_choosing_a_goodbios_-_peter_stuge.html</a> - or directly to the video: <a href="http://mirror.netcologne.de/CCC/congress/2013/webm/30c3-5529-en-Hardening_hardware_and_choosing_a_goodBIOS_webm.webm">http://mirror.netcologne.de/CCC/congress/2013/webm/30c3-5529-en-Hardening_hardware_and_choosing_a_goodBIOS_webm.webm</a>. - </p> - <p> - A lot of this tutorial is based on that video. Look towards the second half of the video to see how to do the above. - </p> - - <h2> - Also not covered yet: - </h2> - <ul> - <li> - Intrusion detection: randomized seal on screws<br/> - Just put nail polish with lot of glider on the important screws, take - some good pictures. Keep the pictueres and make sure of their integrity. - Compare the nail polish with the pictures before powering on the laptop. - </li> - <li> - Tips about preventing/mitigating risk of cold boot attack. - <ul> - <li>soldered RAM?</li> - <li>seal RAM door shut (possibly modified lower chassis) so that system has to be disassembled (which has to go through the nail polish)</li> - <li>wipe all RAM at boot/power-off/power-on? (patch in coreboot upstream?)</li> - <li>ask gnutoo about fallback patches (counts number of boots)</li> - </ul> - </li> - <li> - General tips/advice and web links showing how to detect physical intrusions. - </li> - <li> - For example: <a href="http://cs.tau.ac.il/~tromer/acoustic/">http://cs.tau.ac.il/~tromer/acoustic/</a> - </li> - <li> - https://gitorious.org/gnutoo-for-coreboot/grub-assemble/source/a61f636797777a742f65f4c9c58032aa6a9b23c3: - </li> - </ul> - - <h1> - Extra notes - </h1> - <p> - EC: Cannot be removed but can be mitigated: it contains non-free - non-loadable code, but it has no access to the computer's RAM. - It has access to the on-switch of the wifi, bluetooth, modem and some - other power management features. The issue is that it has access to the - keyboard, however if the software security howto <b>(not yet written)</b> is followed correctly, - it won't be able to leak data to a local attacker. It has no network - access but it may still be able to leak data remotely, but that - requires someone to be nearby to recover the data with the help of an - SDR and some directional antennas<a href="#ref3">[3]</a>. - </p> - <p> - <a href="http://www.coreboot.org/Intel_82573_Ethernet_controller">Intel 82573 Ethernet controller</a> - on the X60 seems safe, according to Denis. - </p> - - <h2> - Risk level - </h2> - <ul> - <li>Modem (3g/wwan): highest</li> - <li>Intel wifi: Near highest</li> - <li>Atheros PCI wifi: unknown, but lower than intel wifi.</li> - <li>Microphone: only problematic if the computer gets compromised.</li> - <li>Speakers: only problematic if the computer gets compromised.</li> - <li>EC: can be mitigated if following the guide on software security.</li> - </ul> - - <h1> - Further reading material (software security) - </h1> - <ul> - <li><a href="encrypted_trisquel.html">Installing Trisquel GNU/Linux with full disk encryption (including /boot)</a></li> - <li><a href="encrypted_parabola.html">Installing Parabola GNU/Linux with full disk encryption (including /boot)</a></li> - <li><a href="dock.html">Notes about DMA access and the docking station</a></li> - </ul> - - <h1> - References - </h1> - <h2 id="ref1">[1] physical access</h2> - <p> - Explain that black hats, TAO, and so on might use a 0day to get in, - and explain that in this case it mitigates what the attacker can do. - Also the TAO do some evaluation before launching an attack: they take - the probability of beeing caught into account, along with the kind of - target. A 0day costs a lot of money, I heard that it was from 100000$ - to 400000$, some other websites had prices 10 times lower but that - but it was probably a typo. So if people increase their security it - makes it more risky and more costly to attack people. - </p> - <h2 id="ref2">[2] microphone</h2> - <p> - It's possible to turn headphones into a microphone, you could try - yourself, however they don't record loud at all. Also intel cards have - the capability to change a connector's function, for instance the - microphone jack can now become a headphone plug, that's called - retasking. There is some support for it in GNU/Linux but it's not very - well known. - </p> - <h2 id="ref3">[3] Video (CCC)</h2> - <p> - 30c3-5356-en-Firmware_Fat_Camp_webm.webm from the 30th CCC. While - their demo is experimental(their hardware also got damaged during the - transport), the spies probably already have that since a long time. - <a href="http://berlin.ftp.media.ccc.de/congress/2013/webm/30c3-5356-en-Firmware_Fat_Camp_webm.webm">http://berlin.ftp.media.ccc.de/congress/2013/webm/30c3-5356-en-Firmware_Fat_Camp_webm.webm</a> - </p> - -<hr/> - - <p> - Copyright © 2014 Francis Rowe <info@gluglug.org.uk><br/> - This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at <a href="../license.txt">../license.txt</a>. - </p> - - <p> - This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See <a href="../license.txt">../license.txt</a> for more information. - </p> - -</body> -</html> diff --git a/docs/howtos/x60_security/0000.jpg b/docs/howtos/x60_security/0000.jpg Binary files differdeleted file mode 100644 index ce0ec3b..0000000 --- a/docs/howtos/x60_security/0000.jpg +++ /dev/null diff --git a/docs/howtos/x60_security/0000_bluetooth.jpg b/docs/howtos/x60_security/0000_bluetooth.jpg Binary files differdeleted file mode 100644 index 94a255f..0000000 --- a/docs/howtos/x60_security/0000_bluetooth.jpg +++ /dev/null diff --git a/docs/howtos/x60_security/0000_bluetooth0.jpg b/docs/howtos/x60_security/0000_bluetooth0.jpg Binary files differdeleted file mode 100644 index a750b0c..0000000 --- a/docs/howtos/x60_security/0000_bluetooth0.jpg +++ /dev/null diff --git a/docs/howtos/x60_security/0000_simcard0.jpg b/docs/howtos/x60_security/0000_simcard0.jpg Binary files differdeleted file mode 100644 index 40837ea..0000000 --- a/docs/howtos/x60_security/0000_simcard0.jpg +++ /dev/null diff --git a/docs/howtos/x60_security/0000_simcard1.jpg b/docs/howtos/x60_security/0000_simcard1.jpg Binary files differdeleted file mode 100644 index c0a5b35..0000000 --- a/docs/howtos/x60_security/0000_simcard1.jpg +++ /dev/null diff --git a/docs/howtos/x60_security/0001.jpg b/docs/howtos/x60_security/0001.jpg Binary files differdeleted file mode 100644 index 2bbc0ca..0000000 --- a/docs/howtos/x60_security/0001.jpg +++ /dev/null diff --git a/docs/howtos/x60_security/0001_microphone.jpg b/docs/howtos/x60_security/0001_microphone.jpg Binary files differdeleted file mode 100644 index c419060..0000000 --- a/docs/howtos/x60_security/0001_microphone.jpg +++ /dev/null diff --git a/docs/howtos/x60_security/0001_modem.jpg b/docs/howtos/x60_security/0001_modem.jpg Binary files differdeleted file mode 100644 index 6a7a6a0..0000000 --- a/docs/howtos/x60_security/0001_modem.jpg +++ /dev/null diff --git a/docs/howtos/x60_security/0001_overview.jpg b/docs/howtos/x60_security/0001_overview.jpg Binary files differdeleted file mode 100644 index 7268e49..0000000 --- a/docs/howtos/x60_security/0001_overview.jpg +++ /dev/null diff --git a/docs/howtos/x60_security/0001_speaker.jpg b/docs/howtos/x60_security/0001_speaker.jpg Binary files differdeleted file mode 100644 index 28d3ed6..0000000 --- a/docs/howtos/x60_security/0001_speaker.jpg +++ /dev/null diff --git a/docs/howtos/x60_security/0001_wlan_wwan.jpg b/docs/howtos/x60_security/0001_wlan_wwan.jpg Binary files differdeleted file mode 100644 index 0db858d..0000000 --- a/docs/howtos/x60_security/0001_wlan_wwan.jpg +++ /dev/null diff --git a/docs/howtos/x60_security/0002.jpg b/docs/howtos/x60_security/0002.jpg Binary files differdeleted file mode 100644 index b55db3b..0000000 --- a/docs/howtos/x60_security/0002.jpg +++ /dev/null diff --git a/docs/howtos/x60_security/0003.jpg b/docs/howtos/x60_security/0003.jpg Binary files differdeleted file mode 100644 index c5799ae..0000000 --- a/docs/howtos/x60_security/0003.jpg +++ /dev/null diff --git a/docs/howtos/x60_security/0004.jpg b/docs/howtos/x60_security/0004.jpg Binary files differdeleted file mode 100644 index cd47840..0000000 --- a/docs/howtos/x60_security/0004.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick.html b/docs/howtos/x60_unbrick.html deleted file mode 100644 index 945712d..0000000 --- a/docs/howtos/x60_unbrick.html +++ /dev/null @@ -1,310 +0,0 @@ -<!DOCTYPE html> -<html> -<head> - <meta charset="utf-8"> - <meta name="viewport" content="width=device-width, initial-scale=1"> - - <style type="text/css"> - body { - background:#fff; - color:#000; - font-family:sans-serif; - font-size:1em; - } - </style> - - <title>Libreboot documentation: Unbricking the ThinkPad X60</title> -</head> - -<body> - - <header> - <h1>Unbricking the ThinkPad X60</h1> - <aside>This guide will show you how to recover from a bad flash that prevents your ThinkPad X60 from booting.</aside> - </header> - - <p>Or go <a href="../index.html">back to main index</a></p> - - <h2>Table of Contents</h2> - <ul> - <li><a href="#hardware_requirements">Hardware Requirements</a></li> - <li><a href="#software_requirements">Software Requirements</a></li> - <li> - Types of brick: - <ul> - <li><a href="#bucts_brick">Brick type 1: bucts not reset</a></li> - <li><a href="#recovery">Brick type 2: bad rom (or user error), machine won't boot</a></li> - </ul> - </li> - </ul> - - <h1 id="hardware_requirements">Hardware requirements</h1> - <ul> - <li>a 2nd computer (maybe another X60. any computer will do)</li> - <li>external flashrom-compatible programmer (I'm using the "bus pirate") - <li>SOIC-8 IC clip (I'm using the Pomona 5250)</li> - <li>Cable (programmer<>clip) - mine came with the bus pirate.</li> - <li>USB mini a to b cable (for buspirate<>computer connection).</li> - </ul> - - <h1 id="software_requirements">Software requirements</h1> - <ul> - <li>GNU/Linux (on the 2nd computer)</li> - <li>flashrom software (on the 2nd computer): <a href="http://flashrom.org/" target="_blank">http://flashrom.org/</a> - </ul> - - <h1 id="bucts_brick">Brick type 1: bucts not reset.</h1> - <p> - You still have Lenovo BIOS, or you had libreboot running and you flashed another ROM; and you had bucts 1 set and - the ROM wasn't dd'd.* or if Lenovo BIOS was present and libreboot wasn't flashed.<br/><br/> - - In this case, unbricking is easy: reset BUC.TS to 0 by removing that yellow cmos coin (it's a battery) and putting it back after a minute or two:<br/> - <img src="x60_unbrick/0004.jpg" alt="" /><br/><br/> - - *Those dd commands should be applied to all newly compiled X60 ROM's (the ROM's in libreboot binary archives already have this applied!):<br/> - dd if=coreboot.rom of=top64k.bin bs=1 skip=$[$(stat -c %s coreboot.rom) - 0x10000] count=64k<br/> - dd if=coreboot.rom bs=1 skip=$[$(stat -c %s coreboot.rom) - 0x20000] count=64k | hexdump<br/> - dd if=top64k.bin of=coreboot.rom bs=1 seek=$[$(stat -c %s coreboot.rom) - 0x20000] count=64k conv=notrunc<br/> - (doing this makes the ROM suitable for use when flashing a machine that still has Lenovo BIOS running, - using those instructions: <a href="http://www.coreboot.org/Board:lenovo/x60/Installation" target="_blank">http://www.coreboot.org/Board:lenovo/x60/Installation</a>. - </p> - - <h1 id="recovery">bad rom (or user error), machine won't boot</h1> - <p> - In this scenario, you compiled a ROM that had an incorrect configuration, or there is an actual bug preventing your machine from - booting. Or, maybe, you set BUC.TS to 0 and shut down after first flash while Lenovo BIOS was running. In any case, your machine is bricked and will not boot at all. - </p> - <p> - "Unbricking" means flashing a known-good (working) ROM. The problem: you can't boot the machine, making this difficult. In this situation, external hardware (see hardware requirements above) is needed which can flash the SPI chip (where libreboot resides). - </p> - <p> - Remove those screws:<br/> - <img src="x60_unbrick/0000.jpg" alt="" /> - </p> - <p> - Push the keyboard forward (carefully):<br/> - <img src="x60_unbrick/0001.jpg" alt="" /> - </p> - <p> - Lift the keyboard up and disconnect it from the board:<br/> - <img src="x60_unbrick/0002.jpg" alt="" /> - </p> - <p> - Grab the right-hand side of the chassis and force it off (gently) and pry up the rest of the chassis:<br/> - <img src="x60_unbrick/0003.jpg" alt="" /> - </p> - <p> - You should now have this:<br/> - <img src="x60_unbrick/0004.jpg" alt="" /> - </p> - <p> - Disconnect the wifi antenna cables, the modem cable and the speaker:<br/> - <img src="x60_unbrick/0005.jpg" alt="" /> - </p> - <p> - Unroute the cables along their path, carefully lifting the tape that holds them in place. Then, disconnect the modem - cable (other end) and power connection and unroute all the cables so that they dangle by the monitor hinge on the right-hand - side:<br/> - <img src="x60_unbrick/0006.jpg" alt="" /> - </p> - <p> - Disconnect the monitor from the motherboard, and unroute the grey antenna cable, carefully lifting the tape - that holds it into place:<br/> - <img src="x60_unbrick/0008.jpg" alt="" /> - </p> - <p> - Carefully lift the remaining tape and unroute the left antenna cable so that it is loose:<br/> - <img src="x60_unbrick/0009.jpg" alt="" /> - </p> - <p> - Remove the screw that is highlighted (do NOT remove the other one; it holds part of the heatsink (other side) into place):<br/> - <img src="x60_unbrick/0011.jpg" alt="" /> - </p> - <p> - Remove those screws:<br/> - <img src="x60_unbrick/0012.jpg" alt="" /> - </p> - <p> - Carefully remove the plate, like so:<br/> - <img src="x60_unbrick/0013.jpg" alt="" /> - </p> - <p> - Remove the SATA connector:<br/> - <img src="x60_unbrick/0014.jpg" alt="" /> - </p> - <p> - Now remove the motherboard (gently) and cast the lcd/chassis aside:<br/> - <img src="x60_unbrick/0015.jpg" alt="" /> - </p> - <p> - Lift back that tape and hold it with something. Highlighted is the SPI flash chip:<br/> - <img src="x60_unbrick/0016.jpg" alt="" /> - </p> - <p> - At this point, you should wire up your programmer according to it's documentation. For me, this was (see: "SparkFun cable pin reference"):<br/> - <a href="http://dangerousprototypes.com/docs/Common_Bus_Pirate_cable_pinouts" target="_blank">http://dangerousprototypes.com/docs/Common_Bus_Pirate_cable_pinouts</a>.<br/> - Correlating with the following information, I was able to wire up my pirate correctly:<br/> - <a href="http://flashrom.org/Bus_Pirate#Connections" target="_blank">http://flashrom.org/Bus_Pirate#Connections</a><br/> - And by following that advice:<br/> - <a href="http://www.coreboot.org/Board:lenovo/x60/Installation#Howto" target="_blank">http://www.coreboot.org/Board:lenovo/x60/Installation#Howto</a>.<br/> - Note: that last page says to wire up only those 5 pins (see below) like that: 1, 2, 4, 5, 6.<br/> - Note: and then, for power it says (on that coreboot.org page) to connect the power jack to the board and connect the - AC adapter (without powering on the board).<br/> - Note: I ignored that advice, and wired up all 8 pins. And it worked.<br/> - - Here is the pinout (correlate it with your programmer's documentation):<br/> - <img src="x60_unbrick/0017.jpg" alt="" /> - </p> - - <p> - My programmer, usb cable and clip:<br/> - <img src="x60_unbrick/0018.jpg" alt="" /><br/> - My programmer (bus pirate):<br/> - <img src="x60_unbrick/0019.jpg" alt="" /><br/> - My clip (pomona 5250):<br/> - <img src="x60_unbrick/0020.jpg" alt="" /><br/> - My USB mini a to b cable:<br/> - <img src="x60_unbrick/0021.jpg" alt="" /><br/> - Connecting the pomona:<br/> - <img src="x60_unbrick/0022.jpg" alt="" /><br/> - Connecting the USB cable from programmer to 2nd(working/non-bricked) computer, my T60:<br/> - <img src="x60_unbrick/0024.jpg" alt="" /><br/> - Programmer is now active:<br/> - <img src="x60_unbrick/0023.jpg" alt="" /><br/> - Now I install flashrom on the T60 (running Trisquel GNU/Linux) and do this:<br/> - <b>flashrom -p buspirate_spi:dev=/dev/ttyUSB0 -w bin/x60/libreboot_usqwerty.rom</b><br/> - Note: there are also other ROM images for X60<br/> - Note: this is using buspirate as the programmer, so it is flashing the X60, not the T60!<br/> - Here's my terminal window on the T60:<br/> - <img src="x60_unbrick/0025.jpg" alt="" /><br/> - So, you should see the following:<br/> - -- - <pre> - flashrom v0.9.5.2-r1517 on Linux 3.2.0-61-generic (i686), built with libpci 3.1.8, GCC 4.6.3, little endian - flashrom is free software, get the source code at http://www.flashrom.org - - Calibrating delay loop... delay loop is unreliable, trying to continue OK. - Found Macronix flash chip "MX25L1605" (2048 kB, SPI) on buspirate_spi. - Reading old flash chip contents... done. - Erasing and writing flash chip... Erase/write done. - Verifying flash... VERIFIED. - </pre> - --<br/> - At the end it says "VERIFIED", which means that the procedure worked. If you see this, it means - that you can put your X60 back together. So let's do that now. - </p> - <p> - Remove the programmer and put it away somewhere. Put back the tape and press firmly over it:<br/> - <img src="x60_unbrick/0026.jpg" alt="" /> - </p> - <p> - Your empty chassis:<br/> - <img src="x60_unbrick/0027.jpg" alt="" /> - </p> - <p> - Put the motherboard back in:<br/> - <img src="x60_unbrick/0028.jpg" alt="" /> - </p> - <p> - Reconnect SATA:<br/> - <img src="x60_unbrick/0029.jpg" alt="" /> - </p> - <p> - Put the plate back and re-insert those screws:<br/> - <img src="x60_unbrick/0030.jpg" alt="" /> - </p> - <p> - Re-route that antenna cable around the fan and apply the tape:<br/> - <img src="x60_unbrick/0031.jpg" alt="" /> - </p> - <p> - Route the cable here and then (not shown, due to error on my part) reconnect the monitor cable to the motherboard - and re-insert the screws:<br/> - <img src="x60_unbrick/0032.jpg" alt="" /> - </p> - <p> - Re-insert that screw:<br/> - <img src="x60_unbrick/0033.jpg" alt="" /> - </p> - <p> - Route the black antenna cable like so:<br/> - <img src="x60_unbrick/0034.jpg" alt="" /> - </p> - <p> - Tuck it in neatly like so:<br/> - <img src="x60_unbrick/0035.jpg" alt="" /> - </p> - <p> - Route the modem cable like so:<br/> - <img src="x60_unbrick/0036.jpg" alt="" /> - </p> - <p> - Connect modem cable to board and tuck it in neatly like so:<br/> - <img src="x60_unbrick/0037.jpg" alt="" /> - </p> - <p> - Route the power connection and connect it to the board like so:<br/> - <img src="x60_unbrick/0038.jpg" alt="" /> - </p> - <p> - Route the antenna and modem cables neatly like so:<br/> - <img src="x60_unbrick/0039.jpg" alt="" /> - </p> - <p> - Connect the wifi antenna cables. At the start of the tutorial, this machine had an Intel wifi chip. Here you see I've replaced it with an - Atheros AR5B95 (supports 802.11n and can be used without blobs):<br/> - <img src="x60_unbrick/0040.jpg" alt="" /> - </p> - <p> - Connect the modem cable:<br/> - <img src="x60_unbrick/0041.jpg" alt="" /> - </p> - <p> - Connect the speaker:<br/> - <img src="x60_unbrick/0042.jpg" alt="" /> - </p> - <p> - You should now have this:<br/> - <img src="x60_unbrick/0043.jpg" alt="" /> - </p> - <p> - Re-connect the upper chassis:<br/> - <img src="x60_unbrick/0044.jpg" alt="" /> - </p> - <p> - Re-connect the keyboard:<br/> - <img src="x60_unbrick/0045.jpg" alt="" /> - </p> - <p> - Re-insert the screws that you removed earlier:<br/> - <img src="x60_unbrick/0046.jpg" alt="" /> - </p> - <p> - Power on!<br/> - <img src="x60_unbrick/0047.jpg" alt="" /> - </p> - <p> - Trisquel live USB menu (using GRUB's ISOLINUX parser):<br/> - <img src="x60_unbrick/0048.jpg" alt="" /> - </p> - <p> - Trisquel live desktop:<br/> - <img src="x60_unbrick/0049.jpg" alt="" /> - </p> - -<hr/> - - <p> - Copyright © 2014 Francis Rowe <info@gluglug.org.uk><br/> - This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at <a href="../license.txt">../license.txt</a>. - </p> - - <p> - This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See <a href="../license.txt">../license.txt</a> for more information. - </p> - -</body> -</html> diff --git a/docs/howtos/x60_unbrick/0000.jpg b/docs/howtos/x60_unbrick/0000.jpg Binary files differdeleted file mode 100644 index ce0ec3b..0000000 --- a/docs/howtos/x60_unbrick/0000.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0001.jpg b/docs/howtos/x60_unbrick/0001.jpg Binary files differdeleted file mode 100644 index 2bbc0ca..0000000 --- a/docs/howtos/x60_unbrick/0001.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0002.jpg b/docs/howtos/x60_unbrick/0002.jpg Binary files differdeleted file mode 100644 index b55db3b..0000000 --- a/docs/howtos/x60_unbrick/0002.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0003.jpg b/docs/howtos/x60_unbrick/0003.jpg Binary files differdeleted file mode 100644 index c5799ae..0000000 --- a/docs/howtos/x60_unbrick/0003.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0004.jpg b/docs/howtos/x60_unbrick/0004.jpg Binary files differdeleted file mode 100644 index cd47840..0000000 --- a/docs/howtos/x60_unbrick/0004.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0005.jpg b/docs/howtos/x60_unbrick/0005.jpg Binary files differdeleted file mode 100644 index 418c9d2..0000000 --- a/docs/howtos/x60_unbrick/0005.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0006.jpg b/docs/howtos/x60_unbrick/0006.jpg Binary files differdeleted file mode 100644 index 6d36d93..0000000 --- a/docs/howtos/x60_unbrick/0006.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0007.jpg b/docs/howtos/x60_unbrick/0007.jpg Binary files differdeleted file mode 100644 index 971ccdf..0000000 --- a/docs/howtos/x60_unbrick/0007.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0008.jpg b/docs/howtos/x60_unbrick/0008.jpg Binary files differdeleted file mode 100644 index 24e6526..0000000 --- a/docs/howtos/x60_unbrick/0008.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0009.jpg b/docs/howtos/x60_unbrick/0009.jpg Binary files differdeleted file mode 100644 index d318395..0000000 --- a/docs/howtos/x60_unbrick/0009.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0010.jpg b/docs/howtos/x60_unbrick/0010.jpg Binary files differdeleted file mode 100644 index 5e6fdc7..0000000 --- a/docs/howtos/x60_unbrick/0010.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0011.jpg b/docs/howtos/x60_unbrick/0011.jpg Binary files differdeleted file mode 100644 index edc14c7..0000000 --- a/docs/howtos/x60_unbrick/0011.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0012.jpg b/docs/howtos/x60_unbrick/0012.jpg Binary files differdeleted file mode 100644 index dbb6669..0000000 --- a/docs/howtos/x60_unbrick/0012.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0013.jpg b/docs/howtos/x60_unbrick/0013.jpg Binary files differdeleted file mode 100644 index 2d2b9dd..0000000 --- a/docs/howtos/x60_unbrick/0013.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0014.jpg b/docs/howtos/x60_unbrick/0014.jpg Binary files differdeleted file mode 100644 index 733f997..0000000 --- a/docs/howtos/x60_unbrick/0014.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0015.jpg b/docs/howtos/x60_unbrick/0015.jpg Binary files differdeleted file mode 100644 index 1e81166..0000000 --- a/docs/howtos/x60_unbrick/0015.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0016.jpg b/docs/howtos/x60_unbrick/0016.jpg Binary files differdeleted file mode 100644 index f10ca88..0000000 --- a/docs/howtos/x60_unbrick/0016.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0017.jpg b/docs/howtos/x60_unbrick/0017.jpg Binary files differdeleted file mode 100644 index 69b28c0..0000000 --- a/docs/howtos/x60_unbrick/0017.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0018.jpg b/docs/howtos/x60_unbrick/0018.jpg Binary files differdeleted file mode 100644 index 7145d9f..0000000 --- a/docs/howtos/x60_unbrick/0018.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0019.jpg b/docs/howtos/x60_unbrick/0019.jpg Binary files differdeleted file mode 100644 index 959a6ee..0000000 --- a/docs/howtos/x60_unbrick/0019.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0020.jpg b/docs/howtos/x60_unbrick/0020.jpg Binary files differdeleted file mode 100644 index e6b2536..0000000 --- a/docs/howtos/x60_unbrick/0020.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0021.jpg b/docs/howtos/x60_unbrick/0021.jpg Binary files differdeleted file mode 100644 index 65bcb60..0000000 --- a/docs/howtos/x60_unbrick/0021.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0022.jpg b/docs/howtos/x60_unbrick/0022.jpg Binary files differdeleted file mode 100644 index cfcad6d..0000000 --- a/docs/howtos/x60_unbrick/0022.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0023.jpg b/docs/howtos/x60_unbrick/0023.jpg Binary files differdeleted file mode 100644 index 10824fd..0000000 --- a/docs/howtos/x60_unbrick/0023.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0024.jpg b/docs/howtos/x60_unbrick/0024.jpg Binary files differdeleted file mode 100644 index 9ce9d45..0000000 --- a/docs/howtos/x60_unbrick/0024.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0025.jpg b/docs/howtos/x60_unbrick/0025.jpg Binary files differdeleted file mode 100644 index 7b6da73..0000000 --- a/docs/howtos/x60_unbrick/0025.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0026.jpg b/docs/howtos/x60_unbrick/0026.jpg Binary files differdeleted file mode 100644 index 526c11c..0000000 --- a/docs/howtos/x60_unbrick/0026.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0027.jpg b/docs/howtos/x60_unbrick/0027.jpg Binary files differdeleted file mode 100644 index 877dc59..0000000 --- a/docs/howtos/x60_unbrick/0027.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0028.jpg b/docs/howtos/x60_unbrick/0028.jpg Binary files differdeleted file mode 100644 index d22d932..0000000 --- a/docs/howtos/x60_unbrick/0028.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0029.jpg b/docs/howtos/x60_unbrick/0029.jpg Binary files differdeleted file mode 100644 index 27f9190..0000000 --- a/docs/howtos/x60_unbrick/0029.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0030.jpg b/docs/howtos/x60_unbrick/0030.jpg Binary files differdeleted file mode 100644 index 813b5c6..0000000 --- a/docs/howtos/x60_unbrick/0030.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0031.jpg b/docs/howtos/x60_unbrick/0031.jpg Binary files differdeleted file mode 100644 index 49fe541..0000000 --- a/docs/howtos/x60_unbrick/0031.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0032.jpg b/docs/howtos/x60_unbrick/0032.jpg Binary files differdeleted file mode 100644 index e8625ef..0000000 --- a/docs/howtos/x60_unbrick/0032.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0033.jpg b/docs/howtos/x60_unbrick/0033.jpg Binary files differdeleted file mode 100644 index 3abfa37..0000000 --- a/docs/howtos/x60_unbrick/0033.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0034.jpg b/docs/howtos/x60_unbrick/0034.jpg Binary files differdeleted file mode 100644 index c8ab597..0000000 --- a/docs/howtos/x60_unbrick/0034.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0035.jpg b/docs/howtos/x60_unbrick/0035.jpg Binary files differdeleted file mode 100644 index 03d5482..0000000 --- a/docs/howtos/x60_unbrick/0035.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0036.jpg b/docs/howtos/x60_unbrick/0036.jpg Binary files differdeleted file mode 100644 index 244c06c..0000000 --- a/docs/howtos/x60_unbrick/0036.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0037.jpg b/docs/howtos/x60_unbrick/0037.jpg Binary files differdeleted file mode 100644 index f55db4f..0000000 --- a/docs/howtos/x60_unbrick/0037.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0038.jpg b/docs/howtos/x60_unbrick/0038.jpg Binary files differdeleted file mode 100644 index 0735825..0000000 --- a/docs/howtos/x60_unbrick/0038.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0039.jpg b/docs/howtos/x60_unbrick/0039.jpg Binary files differdeleted file mode 100644 index dff9ba4..0000000 --- a/docs/howtos/x60_unbrick/0039.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0040.jpg b/docs/howtos/x60_unbrick/0040.jpg Binary files differdeleted file mode 100644 index 74a9b7f..0000000 --- a/docs/howtos/x60_unbrick/0040.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0041.jpg b/docs/howtos/x60_unbrick/0041.jpg Binary files differdeleted file mode 100644 index 1b15834..0000000 --- a/docs/howtos/x60_unbrick/0041.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0042.jpg b/docs/howtos/x60_unbrick/0042.jpg Binary files differdeleted file mode 100644 index 849a260..0000000 --- a/docs/howtos/x60_unbrick/0042.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0043.jpg b/docs/howtos/x60_unbrick/0043.jpg Binary files differdeleted file mode 100644 index c842695..0000000 --- a/docs/howtos/x60_unbrick/0043.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0044.jpg b/docs/howtos/x60_unbrick/0044.jpg Binary files differdeleted file mode 100644 index 2b78380..0000000 --- a/docs/howtos/x60_unbrick/0044.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0045.jpg b/docs/howtos/x60_unbrick/0045.jpg Binary files differdeleted file mode 100644 index d6d8e2d..0000000 --- a/docs/howtos/x60_unbrick/0045.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0046.jpg b/docs/howtos/x60_unbrick/0046.jpg Binary files differdeleted file mode 100644 index 5eef878..0000000 --- a/docs/howtos/x60_unbrick/0046.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0047.jpg b/docs/howtos/x60_unbrick/0047.jpg Binary files differdeleted file mode 100644 index 87517e0..0000000 --- a/docs/howtos/x60_unbrick/0047.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0048.jpg b/docs/howtos/x60_unbrick/0048.jpg Binary files differdeleted file mode 100644 index a701a48..0000000 --- a/docs/howtos/x60_unbrick/0048.jpg +++ /dev/null diff --git a/docs/howtos/x60_unbrick/0049.jpg b/docs/howtos/x60_unbrick/0049.jpg Binary files differdeleted file mode 100644 index 630ac53..0000000 --- a/docs/howtos/x60_unbrick/0049.jpg +++ /dev/null diff --git a/docs/howtos/x60t_unbrick/.htaccess b/docs/howtos/x60t_unbrick/.htaccess deleted file mode 100644 index 75da674..0000000 --- a/docs/howtos/x60t_unbrick/.htaccess +++ /dev/null @@ -1,2 +0,0 @@ -Options +Indexes -IndexOptions FancyIndexing FoldersFirst NameWidth=* DescriptionWidth=* diff --git a/docs/howtos/x60t_unbrick/0000.JPG b/docs/howtos/x60t_unbrick/0000.JPG Binary files differdeleted file mode 100644 index 4d8de31..0000000 --- a/docs/howtos/x60t_unbrick/0000.JPG +++ /dev/null diff --git a/docs/howtos/x60t_unbrick/0001.JPG b/docs/howtos/x60t_unbrick/0001.JPG Binary files differdeleted file mode 100644 index 7783c4f..0000000 --- a/docs/howtos/x60t_unbrick/0001.JPG +++ /dev/null diff --git a/docs/howtos/x60t_unbrick/0002.JPG b/docs/howtos/x60t_unbrick/0002.JPG Binary files differdeleted file mode 100644 index ddc6aac..0000000 --- a/docs/howtos/x60t_unbrick/0002.JPG +++ /dev/null diff --git a/docs/howtos/x60t_unbrick/0003.JPG b/docs/howtos/x60t_unbrick/0003.JPG Binary files differdeleted file mode 100644 index e1b6586..0000000 --- a/docs/howtos/x60t_unbrick/0003.JPG +++ /dev/null diff --git a/docs/howtos/x60t_unbrick/0004.JPG b/docs/howtos/x60t_unbrick/0004.JPG Binary files differdeleted file mode 100644 index b4ae18d..0000000 --- a/docs/howtos/x60t_unbrick/0004.JPG +++ /dev/null diff --git a/docs/howtos/x60t_unbrick/0005.JPG b/docs/howtos/x60t_unbrick/0005.JPG Binary files differdeleted file mode 100644 index b7b324b..0000000 --- a/docs/howtos/x60t_unbrick/0005.JPG +++ /dev/null diff --git a/docs/howtos/x60t_unbrick/0006.JPG b/docs/howtos/x60t_unbrick/0006.JPG Binary files differdeleted file mode 100644 index 795d02a..0000000 --- a/docs/howtos/x60t_unbrick/0006.JPG +++ /dev/null diff --git a/docs/howtos/x60t_unbrick/0007.JPG b/docs/howtos/x60t_unbrick/0007.JPG Binary files differdeleted file mode 100644 index 0ccdbad..0000000 --- a/docs/howtos/x60t_unbrick/0007.JPG +++ /dev/null diff --git a/docs/howtos/x60t_unbrick/0008.JPG b/docs/howtos/x60t_unbrick/0008.JPG Binary files differdeleted file mode 100644 index 5312934..0000000 --- a/docs/howtos/x60t_unbrick/0008.JPG +++ /dev/null diff --git a/docs/howtos/x60t_unbrick/0009.JPG b/docs/howtos/x60t_unbrick/0009.JPG Binary files differdeleted file mode 100644 index 9d8e7fa..0000000 --- a/docs/howtos/x60t_unbrick/0009.JPG +++ /dev/null diff --git a/docs/howtos/x60t_unbrick/0010.JPG b/docs/howtos/x60t_unbrick/0010.JPG Binary files differdeleted file mode 100644 index ea37b18..0000000 --- a/docs/howtos/x60t_unbrick/0010.JPG +++ /dev/null diff --git a/docs/howtos/x60t_unbrick/0011.JPG b/docs/howtos/x60t_unbrick/0011.JPG Binary files differdeleted file mode 100644 index ebbaa74..0000000 --- a/docs/howtos/x60t_unbrick/0011.JPG +++ /dev/null diff --git a/docs/howtos/x60tablet_unbrick.html b/docs/howtos/x60tablet_unbrick.html deleted file mode 100644 index da60227..0000000 --- a/docs/howtos/x60tablet_unbrick.html +++ /dev/null @@ -1,219 +0,0 @@ -<!DOCTYPE html> -<html> -<head> - <meta charset="utf-8"> - <meta name="viewport" content="width=device-width, initial-scale=1"> - - <style type="text/css"> - body { - background:#fff; - color:#000; - font-family:sans-serif; - font-size:1em; - } - </style> - - <title>Libreboot documentation: Unbricking the ThinkPad X60 Tablet</title> -</head> - -<body> - - <header> - <h1>Unbricking the ThinkPad X60</h1> - <aside>This guide will show you how to recover from a bad flash that prevents your ThinkPad X60 Tablet from booting.</aside> - </header> - - <p>Or go <a href="../index.html">back to main index</a></p> - - <h2>Table of Contents</h2> - <ul> - <li><a href="#hardware_requirements">Hardware Requirements</a></li> - <li><a href="#software_requirements">Software Requirements</a></li> - <li> - Types of brick: - <ul> - <li><a href="#bucts_brick">Brick type 1: bucts not reset</a></li> - <li><a href="#recovery">Brick type 2: bad rom (or user error), machine won't boot</a></li> - </ul> - </li> - </ul> - - <h1 id="hardware_requirements">Hardware requirements</h1> - <ul> - <li>a 2nd computer (maybe another X60 Tablet. any computer will do)</li> - <li>external flashrom-compatible programmer (I'm using the "bus pirate") - <li>SOIC-8 IC clip (I'm using the Pomona 5250)</li> - <li>Cable (programmer<>clip) - mine came with the bus pirate.</li> - <li>USB mini a to b cable (for buspirate<>computer connection).</li> - </ul> - - <h1 id="software_requirements">Software requirements</h1> - <ul> - <li>GNU/Linux (on the 2nd computer)</li> - <li>flashrom software (on the 2nd computer): <a href="http://flashrom.org/" target="_blank">http://flashrom.org/</a> - </ul> - - <h1 id="bucts_brick">Brick type 1: bucts not reset.</h1> - <p> - You still have Lenovo BIOS, or you had libreboot running and you flashed another ROM; and you had bucts 1 set and - the ROM wasn't dd'd.* or if Lenovo BIOS was present and libreboot wasn't flashed.<br/><br/> - - In this case, unbricking is easy: reset BUC.TS to 0 by removing that yellow cmos coin (it's a battery) and putting it back after a minute or two:<br/> - <img src="x60t_unbrick/0008.JPG" alt="" /><br/><br/> - - *Those dd commands should be applied to all newly compiled X60 ROM's (the ROM's in libreboot binary archives already have this applied!):<br/> - dd if=coreboot.rom of=top64k.bin bs=1 skip=$[$(stat -c %s coreboot.rom) - 0x10000] count=64k<br/> - dd if=coreboot.rom bs=1 skip=$[$(stat -c %s coreboot.rom) - 0x20000] count=64k | hexdump<br/> - dd if=top64k.bin of=coreboot.rom bs=1 seek=$[$(stat -c %s coreboot.rom) - 0x20000] count=64k conv=notrunc<br/> - (doing this makes the ROM suitable for use when flashing a machine that still has Lenovo BIOS running, - using those instructions: <a href="http://www.coreboot.org/Board:lenovo/x60/Installation" target="_blank">http://www.coreboot.org/Board:lenovo/x60/Installation</a>. - </p> - - <h1 id="recovery">bad rom (or user error), machine won't boot</h1> - <p> - In this scenario, you compiled a ROM that had an incorrect configuration, or there is an actual bug preventing your machine from - booting. Or, maybe, you set BUC.TS to 0 and shut down after first flash while Lenovo BIOS was running. In any case, your machine is bricked and will not boot at all. - </p> - <p> - "Unbricking" means flashing a known-good (working) ROM. The problem: you can't boot the machine, making this difficult. In this situation, external hardware (see hardware requirements above) is needed which can flash the SPI chip (where libreboot resides). - </p> - - <p> - <img src="x60t_unbrick/0000.JPG" alt="" /> - </p> - - <p> - Remove those screws:<br/> - <img src="x60t_unbrick/0001.JPG" alt="" /> - </p> - - <p> - Remove the HDD:<br/> - <img src="x60t_unbrick/0002.JPG" alt="" /> - </p> - - <p> - Push keyboard forward to loosen it:<br/> - <img src="x60t_unbrick/0003.JPG" alt="" /> - </p> - - <p> - Lift:<br/> - <img src="x60t_unbrick/0004.JPG" alt="" /> - </p> - - <p> - Remove those:<br/> - <img src="x60t_unbrick/0005.JPG" alt="" /> - </p> - - <p> - - <img src="x60t_unbrick/0006.JPG" alt="" /> - </p> - - <p> - Also remove that (marked) and unroute the antenna cables:<br/> - <img src="x60t_unbrick/0007.JPG" alt="" /> - </p> - - <p> - Some X60T's you have to unroute those too:<br/> - <img src="x60t_unbrick/0010.JPG" alt="" /> - </p> - - <p> - Remove the LCD extend board screws. Also remove those screws (see blue marks) and remove/unroute the cables and remove the metal plate:<br/> - <img src="x60t_unbrick/0008.JPG" alt="" /> - </p> - - <p> - Remove that screw and then remove the board:<br/> - <img src="x60t_unbrick/0009.JPG" alt="" /> - </p> - - <p> - At this point, you should wire up your programmer according to it's documentation. For me, this was (see: "SparkFun cable pin reference"):<br/> - <a href="http://dangerousprototypes.com/docs/Common_Bus_Pirate_cable_pinouts" target="_blank">http://dangerousprototypes.com/docs/Common_Bus_Pirate_cable_pinouts</a>.<br/> - Correlating with the following information, I was able to wire up my pirate correctly:<br/> - <a href="http://flashrom.org/Bus_Pirate#Connections" target="_blank">http://flashrom.org/Bus_Pirate#Connections</a><br/> - And by following that advice:<br/> - <a href="http://www.coreboot.org/Board:lenovo/x60/Installation#Howto" target="_blank">http://www.coreboot.org/Board:lenovo/x60/Installation#Howto</a>.<br/> - Note: that last page says to wire up only those 5 pins (see below) like that: 1, 2, 4, 5, 6.<br/> - Note: and then, for power it says (on that coreboot.org page) to connect the power jack to the board and connect the - AC adapter (without powering on the board).<br/> - Note: I ignored that advice, and wired up all 8 pins. And it worked.<br/> - - Here is the pinout (correlate it with your programmer's documentation):<br/> - <img src="x60t_unbrick/0011.JPG" alt="" /><br/> - (SPI chip here is on the bottom of the board) - </p> - - <p> - Bus pirate:<br/> - <img src="x60_unbrick/0019.jpg" alt="" /> - </p> - - <p> - Pomona 5250:<br/> - <img src="x60_unbrick/0020.jpg" alt="" /> - </p> - - <p> - Connect pomona:<br/> - <img src="x60_unbrick/0022.jpg" alt="" /> - </p> - - <p> - Connect pirate to USB on 2nd computer:<br/> - <img src="x60_unbrick/0024.jpg" alt="" /> - </p> - - <p> - Pirate is active:<br/> - <img src="x60_unbrick/0023.jpg" alt="" /> - </p> - - <p> - <img src="x60_unbrick/0025.jpg" alt="" /> - </p> - - <p> - On the 2nd machine, I did: <b>flashrom -p buspirate_spi:dev=/dev/ttyUSB0 -w bin/x60t/libreboot_ukqwerty.rom</b> - </p> - - <pre> - flashrom v0.9.5.2-r1517 on Linux 3.2.0-61-generic (i686), built with libpci 3.1.8, GCC 4.6.3, little endian - flashrom is free software, get the source code at http://www.flashrom.org - - Calibrating delay loop... delay loop is unreliable, trying to continue OK. - Found Macronix flash chip "MX25L1605" (2048 kB, SPI) on buspirate_spi. - Reading old flash chip contents... done. - Erasing and writing flash chip... Erase/write done. - Verifying flash... VERIFIED. - </pre> - - <p> - At the end it says "VERIFIED", which means that the procedure worked. If you see this, it means that you can put your X60T back together. So let's do that now. - </p> - - <p> - Reverse the steps to re-assemble your machine. - </p> - -<hr/> - - <p> - Copyright © 2014 Francis Rowe <info@gluglug.org.uk><br/> - This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. - A copy of the license can be found at <a href="../license.txt">../license.txt</a>. - </p> - - <p> - This document is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See <a href="../license.txt">../license.txt</a> for more information. - </p> - -</body> -</html> |