-rw-r--r-- | resources/utilities/ich9deblob/ich9deblob.c | 284 |
1 files changed, 148 insertions, 136 deletions
diff --git a/resources/utilities/ich9deblob/ich9deblob.c b/resources/utilities/ich9deblob/ich9deblob.c
index e0ebf45..3a4dbd5 100644
--- a/resources/utilities/ich9deblob/ich9deblob.c
+++ b/resources/utilities/ich9deblob/ich9deblob.c
@@ -227,6 +227,154 @@ int main(int argc, char *argv[]) return 0; } +// --------------------------------------------------------------------- +// Descriptor functions +// --------------------------------------------------------------------- + +// Modify the flash descriptor, to remove the ME/AMT, and disable all other regions +// Only Flash Descriptor, Gbe and BIOS regions (BIOS region fills factoryRomSize-12k) are left. +// Tested on ThinkPad X200 and X200S. X200T and other GM45 targets may also work. +struct DESCRIPTORREGIONRECORD deblobbedDescriptorStructFromFactory(struct DESCRIPTORREGIONRECORD factoryDescriptorStruct, unsigned int factoryRomSize, unsigned int factoryGbeRegionStart) +{ + struct DESCRIPTORREGIONRECORD deblobbedDescriptorStruct; + memcpy(&deblobbedDescriptorStruct, &factoryDescriptorStruct, DESCRIPTORREGIONSIZE); + + // Now we need to modify the descriptor so that the ME can be excluded + // from the final ROM image (libreboot one) after adding the modified + // descriptor+gbe. Refer to libreboot docs for details: docs/hcl/x200_remove_me.html + + // set number of regions from 4 -> 2 (0 based, so 4 means 5 and 2 + // means 3. We want 3 regions: descriptor, gbe and bios, in that order) + deblobbedDescriptorStruct.flMaps.flMap0.NR = 2; + + // make descriptor writable from OS. 
This is that the user can run: + // sudo ./flashrom -p internal:laptop=force_I_want_a_brick + // from the OS, without relying an an external SPI flasher, while + // being able to write to the descriptor region (locked by default, + // until making the change below): + deblobbedDescriptorStruct.masterAccessSection.flMstr1.fdRegionWriteAccess = 1; + + // relocate BIOS region and increase size to fill image + deblobbedDescriptorStruct.regionSection.flReg1.BASE = 3; // 3<<FLREGIONBITSHIFT is 12KiB, which is where BIOS region is to begin (after descriptor and gbe) + deblobbedDescriptorStruct.regionSection.flReg1.LIMIT = ((factoryRomSize >> FLREGIONBITSHIFT) - 1); + // ^ for example, 8MB ROM, that's 8388608 bytes. + // ^ 8388608>>FLREGIONBITSHIFT (or 8388608/4096) = 2048 bytes + // 2048 - 1 = 2047 bytes. + // This defines where the final 0x1000 (4KiB) page starts in the flash chip, because the hardware does: + // 2047<<FLREGIONBITSHIFT (or 2047*4096) = 8384512 bytes, or 7FF000 bytes + // (it can't be 0x7FFFFF because of limited number of bits) + + // set ME region size to 0 - the ME is a blob, we don't want it in libreboot + deblobbedDescriptorStruct.regionSection.flReg2.BASE = 0x1FFF; // setting 1FFF means setting size to 0. 1FFF<<FLREGIONBITSHIFT is outside of the ROM image (8MB) size? + // ^ datasheet says to set this to 1FFF, but FFF was previously used and also worked. + deblobbedDescriptorStruct.regionSection.flReg2.LIMIT = 0; + // ^ 0<<FLREGIONBITSHIFT=0, so basically, the size is 0, and the base (1FFF>>FLREGIONBITSHIFT) is well outside the higher 8MB range. + + // relocate Gbe region to begin at 4KiB (immediately after the flash descriptor) + deblobbedDescriptorStruct.regionSection.flReg3.BASE = 1; // 1<<FLREGIONBITSHIFT is 4096, which is where the Gbe region is to begin (after the descriptor) + deblobbedDescriptorStruct.regionSection.flReg3.LIMIT = 2; + // ^ 2<<FLREGIONBITSHIFT=8192 bytes. So we are set it to size 8KiB after the first 4KiB in the flash chip. 
+ + // set Platform region size to 0 - another blob that we don't want + deblobbedDescriptorStruct.regionSection.flReg4.BASE = 0x1FFF; // setting 1FFF means setting size to 0. 1FFF<<FLREGIONBITSHIFT is outside of the ROM image (8MB) size? + // ^ datasheet says to set this to 1FFF, but FFF was previously used and also worked. + deblobbedDescriptorStruct.regionSection.flReg4.LIMIT = 0; + // ^ 0<<FLREGIONBITSHIFT=0, so basically, the size is 0, and the base (1FFF>>FLREGIONBITSHIFT) is well outside the higher 8MB range. + + // disable ME in ICHSTRAP0 - the ME is a blob, we don't want it in libreboot + deblobbedDescriptorStruct.ichStraps.ichStrap0.meDisable = 1; + + // disable ME and TPM in MCHSTRAP0 + deblobbedDescriptorStruct.mchStraps.mchStrap0.meDisable = 1; // ME is a blob. not wanted in libreboot. + deblobbedDescriptorStruct.mchStraps.mchStrap0.tpmDisable = 1; // not wanted in libreboot + + // disable ME, apart from chipset bugfixes (ME region should first be re-enabled above) + // This is sort of like the CPU microcode updates, but for the chipset + // (commented out below here, since blobs go against libreboot's purpose, + // but may be interesting for others) + // deblobbedDescriptorStruct.mchStraps.mchStrap0.meAlternateDisable = 1; + + // debugging + printf("\nOriginal (factory.rom) Descriptor start block: %08x ; Descriptor end block: %08x\n", factoryDescriptorStruct.regionSection.flReg0.BASE << FLREGIONBITSHIFT, factoryDescriptorStruct.regionSection.flReg0.LIMIT << FLREGIONBITSHIFT); + printf("Original (factory.rom) BIOS start block: %08x ; BIOS end block: %08x\n", factoryDescriptorStruct.regionSection.flReg1.BASE << FLREGIONBITSHIFT, factoryDescriptorStruct.regionSection.flReg1.LIMIT << FLREGIONBITSHIFT); + printf("Original (factory.rom) ME start block: %08x ; ME end block: %08x\n", factoryDescriptorStruct.regionSection.flReg2.BASE << FLREGIONBITSHIFT, factoryDescriptorStruct.regionSection.flReg2.LIMIT << FLREGIONBITSHIFT); + printf("Original (factory.rom) 
GBe start block: %08x ; GBe end block: %08x\n", factoryGbeRegionStart, factoryDescriptorStruct.regionSection.flReg3.LIMIT << FLREGIONBITSHIFT); + + printf("\nRelocated (libreboot.rom) Descriptor start block: %08x ; Descriptor end block: %08x\n", deblobbedDescriptorStruct.regionSection.flReg0.BASE << FLREGIONBITSHIFT, deblobbedDescriptorStruct.regionSection.flReg0.LIMIT << FLREGIONBITSHIFT); + printf("Relocated (libreboot.rom) BIOS start block: %08x ; BIOS end block: %08x\n", deblobbedDescriptorStruct.regionSection.flReg1.BASE << FLREGIONBITSHIFT, deblobbedDescriptorStruct.regionSection.flReg1.LIMIT << FLREGIONBITSHIFT); + printf("Relocated (libreboot.rom) ME start block: %08x ; ME end block: %08x\n", deblobbedDescriptorStruct.regionSection.flReg2.BASE << FLREGIONBITSHIFT, deblobbedDescriptorStruct.regionSection.flReg2.LIMIT << FLREGIONBITSHIFT); + printf("Relocated (libreboot.rom) GBe start block: %08x ; GBe end block: %08x\n", deblobbedDescriptorStruct.regionSection.flReg3.BASE << FLREGIONBITSHIFT, deblobbedDescriptorStruct.regionSection.flReg3.LIMIT << FLREGIONBITSHIFT); + + return deblobbedDescriptorStruct; +} + +// --------------------------------------------------------------------- +// Gbe functions +// --------------------------------------------------------------------- + +struct GBEREGIONRECORD_8K deblobbedGbeStructFromFactory(struct GBEREGIONRECORD_8K factoryGbeStruct8k) +{ + // Correct the main gbe region. By default, the X200 (as shipped from Lenovo) comes + // with a broken main gbe region, where the backup gbe region is used instead. Modify + // the descriptor so that the main region is usable. 
+ + struct GBEREGIONRECORD_8K deblobbedGbeStruct8k; + memcpy(&deblobbedGbeStruct8k, &factoryGbeStruct8k, GBEREGIONSIZE); + + deblobbedGbeStruct8k.backup.checkSum = gbeGetChecksumFrom4kStruct(deblobbedGbeStruct8k.backup, 0xBABA); + memcpy(&deblobbedGbeStruct8k.main, &deblobbedGbeStruct8k.backup, GBEREGIONSIZE>>1); + + // Debugging: + // calculate the 0x3F'th 16-bit uint to make the desired final checksum for GBe + // observed checksum matches (from X200 factory.rom dumps) on main: 0x3ABA 0x34BA 0x40BA. spec defined as 0xBABA. + // X200 ships with a broken main gbe region by default (invalid checksum, and more) + // The "backup" gbe regions on these machines are correct, though, and is what the machines default to + // For libreboot's purpose, we can do much better than that by fixing the main one... below is only debugging + printf("\nfactory Gbe (main): calculated Gbe checksum: 0x%hx and actual GBe checksum: 0x%hx\n", gbeGetChecksumFrom4kStruct(factoryGbeStruct8k.main, 0xBABA), factoryGbeStruct8k.main.checkSum); + printf("factory Gbe (backup) calculated Gbe checksum: 0x%hx and actual GBe checksum: 0x%hx\n", gbeGetChecksumFrom4kStruct(factoryGbeStruct8k.backup, 0xBABA), factoryGbeStruct8k.backup.checkSum); + printf("\ndeblobbed Gbe (main): calculated Gbe checksum: 0x%hx and actual GBe checksum: 0x%hx\n", gbeGetChecksumFrom4kStruct(deblobbedGbeStruct8k.main, 0xBABA), deblobbedGbeStruct8k.main.checkSum); + printf("deblobbed Gbe (backup) calculated Gbe checksum: 0x%hx and actual GBe checksum: 0x%hx\n", gbeGetChecksumFrom4kStruct(deblobbedGbeStruct8k.backup, 0xBABA), deblobbedGbeStruct8k.backup.checkSum); + + return deblobbedGbeStruct8k; +} + +// checksum calculation for 4k gbe struct (algorithm based on datasheet) +unsigned short gbeGetChecksumFrom4kStruct(struct GBEREGIONRECORD_4K gbeStruct4k, unsigned short desiredValue) +{ + char gbeBuffer4k[GBEREGIONSIZE>>1]; + memcpy(&gbeBuffer4k, &gbeStruct4k, GBEREGIONSIZE>>1); + return gbeGetChecksumFrom8kBuffer(gbeBuffer4k, 
desiredValue, 0); +} +// checksum calculation for 8k gbe region (algorithm based on datasheet) +// also works for 4k buffers, so long as isBackup remains false +unsigned short gbeGetChecksumFrom8kBuffer(char* regionData, unsigned short desiredValue, char isBackup) +{ + int i; + + unsigned short regionWord; // store words here for adding to checksum + unsigned short checksum = 0; // this gbe's checksum + unsigned short offset = 0; // in bytes, from the start of the gbe region. + + // if isBackup is true, use 2nd gbe region ("backup" region) + if (isBackup) offset = 0x1000>>1; // this function uses *word* not *byte* indexes. + + for (i = 0; i < 0x3F; i++) { + regionWord = gbeGetRegionWordFrom8kBuffer(i+offset, regionData); + checksum += regionWord; + } + checksum = desiredValue - checksum; + return checksum; +} +// Read a 16-bit unsigned int from a supplied region buffer +unsigned short gbeGetRegionWordFrom8kBuffer(int index, char* regionData) +{ + return *((unsigned short*)(regionData + (index * 2))); +} + +// --------------------------------------------------------------------- +// x86 compatibility checking: +// --------------------------------------------------------------------- + // Basically, this should only return true on non-x86 machines int structSizesIncorrect(struct DESCRIPTORREGIONRECORD descriptorDummy, struct GBEREGIONRECORD_8K gbe8kDummy) { unsigned int descriptorRegionStructSize = sizeof(descriptorDummy); 
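Review bot: `gbeGetRegionWordFrom8kBuffer` reads the word through `*((unsigned short*)(regionData + (index * 2)))`, which accesses `char` storage through an `unsigned short` lvalue (a strict-aliasing violation the optimizer is entitled to exploit) and assumes the buffer is 2-byte aligned; the move in this hunk carries that over unchanged. The same result without the cast is `unsigned short w;` / `memcpy(&w, regionData + (index * 2), sizeof w);` / `return w;`, which keeps the existing host-endian behaviour that the x86-only check further down already documents. In `gbeGetChecksumFrom8kBuffer` the declaration comment `// in bytes, from the start of the gbe region.` contradicts the value assigned two lines later (`0x1000>>1`, "this function uses *word* not *byte* indexes"); it should read `// in 16-bit words, from the start of the gbe region.`. After the reorder, `deblobbedGbeStructFromFactory` and `gbeGetChecksumFrom4kStruct` are each defined before the checksum helper they call, so the file now depends on prototypes declared before this hunk — presumably present earlier in the file, but worth confirming since an implicit declaration would silently return `int` for an `unsigned short` checksum. `gbeGetChecksumFrom8kBuffer` also takes a bare `char*` with no length and reads `0x3F` words from `offset`; a one-line comment stating that callers must pass a buffer of at least `GBEREGIONSIZE` bytes (or `GBEREGIONSIZE>>1` when `isBackup` is 0) would make that contract explicit.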
@@ -358,139 +506,3 @@ int systemOrCompilerIncompatible(struct DESCRIPTORREGIONRECORD descriptorStruct, if (structMembersWrongOrder()) return 1; return 0; } - -struct GBEREGIONRECORD_8K deblobbedGbeStructFromFactory(struct GBEREGIONRECORD_8K factoryGbeStruct8k) -{ - // Correct the main gbe region. By default, the X200 (as shipped from Lenovo) comes - // with a broken main gbe region, where the backup gbe region is used instead. Modify - // the descriptor so that the main region is usable. - - struct GBEREGIONRECORD_8K deblobbedGbeStruct8k; - memcpy(&deblobbedGbeStruct8k, &factoryGbeStruct8k, GBEREGIONSIZE); - - deblobbedGbeStruct8k.backup.checkSum = gbeGetChecksumFrom4kStruct(deblobbedGbeStruct8k.backup, 0xBABA); - memcpy(&deblobbedGbeStruct8k.main, &deblobbedGbeStruct8k.backup, GBEREGIONSIZE>>1); - - // Debugging: - // calculate the 0x3F'th 16-bit uint to make the desired final checksum for GBe - // observed checksum matches (from X200 factory.rom dumps) on main: 0x3ABA 0x34BA 0x40BA. spec defined as 0xBABA. - // X200 ships with a broken main gbe region by default (invalid checksum, and more) - // The "backup" gbe regions on these machines are correct, though, and is what the machines default to - // For libreboot's purpose, we can do much better than that by fixing the main one... 
below is only debugging - printf("\nfactory Gbe (main): calculated Gbe checksum: 0x%hx and actual GBe checksum: 0x%hx\n", gbeGetChecksumFrom4kStruct(factoryGbeStruct8k.main, 0xBABA), factoryGbeStruct8k.main.checkSum); - printf("factory Gbe (backup) calculated Gbe checksum: 0x%hx and actual GBe checksum: 0x%hx\n", gbeGetChecksumFrom4kStruct(factoryGbeStruct8k.backup, 0xBABA), factoryGbeStruct8k.backup.checkSum); - printf("\ndeblobbed Gbe (main): calculated Gbe checksum: 0x%hx and actual GBe checksum: 0x%hx\n", gbeGetChecksumFrom4kStruct(deblobbedGbeStruct8k.main, 0xBABA), deblobbedGbeStruct8k.main.checkSum); - printf("deblobbed Gbe (backup) calculated Gbe checksum: 0x%hx and actual GBe checksum: 0x%hx\n", gbeGetChecksumFrom4kStruct(deblobbedGbeStruct8k.backup, 0xBABA), deblobbedGbeStruct8k.backup.checkSum); - - return deblobbedGbeStruct8k; -} - -// Modify the flash descriptor, to remove the ME/AMT, and disable all other regions -// Only Flash Descriptor, Gbe and BIOS regions (BIOS region fills factoryRomSize-12k) are left. -// Tested on ThinkPad X200 and X200S. X200T and other GM45 targets may also work. -struct DESCRIPTORREGIONRECORD deblobbedDescriptorStructFromFactory(struct DESCRIPTORREGIONRECORD factoryDescriptorStruct, unsigned int factoryRomSize, unsigned int factoryGbeRegionStart) -{ - struct DESCRIPTORREGIONRECORD deblobbedDescriptorStruct; - memcpy(&deblobbedDescriptorStruct, &factoryDescriptorStruct, DESCRIPTORREGIONSIZE); - - // Now we need to modify the descriptor so that the ME can be excluded - // from the final ROM image (libreboot one) after adding the modified - // descriptor+gbe. Refer to libreboot docs for details: docs/hcl/x200_remove_me.html - - // set number of regions from 4 -> 2 (0 based, so 4 means 5 and 2 - // means 3. We want 3 regions: descriptor, gbe and bios, in that order) - deblobbedDescriptorStruct.flMaps.flMap0.NR = 2; - - // make descriptor writable from OS. 
This is that the user can run: - // sudo ./flashrom -p internal:laptop=force_I_want_a_brick - // from the OS, without relying an an external SPI flasher, while - // being able to write to the descriptor region (locked by default, - // until making the change below): - deblobbedDescriptorStruct.masterAccessSection.flMstr1.fdRegionWriteAccess = 1; - - // relocate BIOS region and increase size to fill image - deblobbedDescriptorStruct.regionSection.flReg1.BASE = 3; // 3<<FLREGIONBITSHIFT is 12KiB, which is where BIOS region is to begin (after descriptor and gbe) - deblobbedDescriptorStruct.regionSection.flReg1.LIMIT = ((factoryRomSize >> FLREGIONBITSHIFT) - 1); - // ^ for example, 8MB ROM, that's 8388608 bytes. - // ^ 8388608>>FLREGIONBITSHIFT (or 8388608/4096) = 2048 bytes - // 2048 - 1 = 2047 bytes. - // This defines where the final 0x1000 (4KiB) page starts in the flash chip, because the hardware does: - // 2047<<FLREGIONBITSHIFT (or 2047*4096) = 8384512 bytes, or 7FF000 bytes - // (it can't be 0x7FFFFF because of limited number of bits) - - // set ME region size to 0 - the ME is a blob, we don't want it in libreboot - deblobbedDescriptorStruct.regionSection.flReg2.BASE = 0x1FFF; // setting 1FFF means setting size to 0. 1FFF<<FLREGIONBITSHIFT is outside of the ROM image (8MB) size? - // ^ datasheet says to set this to 1FFF, but FFF was previously used and also worked. - deblobbedDescriptorStruct.regionSection.flReg2.LIMIT = 0; - // ^ 0<<FLREGIONBITSHIFT=0, so basically, the size is 0, and the base (1FFF>>FLREGIONBITSHIFT) is well outside the higher 8MB range. - - // relocate Gbe region to begin at 4KiB (immediately after the flash descriptor) - deblobbedDescriptorStruct.regionSection.flReg3.BASE = 1; // 1<<FLREGIONBITSHIFT is 4096, which is where the Gbe region is to begin (after the descriptor) - deblobbedDescriptorStruct.regionSection.flReg3.LIMIT = 2; - // ^ 2<<FLREGIONBITSHIFT=8192 bytes. So we are set it to size 8KiB after the first 4KiB in the flash chip. 
- - // set Platform region size to 0 - another blob that we don't want - deblobbedDescriptorStruct.regionSection.flReg4.BASE = 0x1FFF; // setting 1FFF means setting size to 0. 1FFF<<FLREGIONBITSHIFT is outside of the ROM image (8MB) size? - // ^ datasheet says to set this to 1FFF, but FFF was previously used and also worked. - deblobbedDescriptorStruct.regionSection.flReg4.LIMIT = 0; - // ^ 0<<FLREGIONBITSHIFT=0, so basically, the size is 0, and the base (1FFF>>FLREGIONBITSHIFT) is well outside the higher 8MB range. - - // disable ME in ICHSTRAP0 - the ME is a blob, we don't want it in libreboot - deblobbedDescriptorStruct.ichStraps.ichStrap0.meDisable = 1; - - // disable ME and TPM in MCHSTRAP0 - deblobbedDescriptorStruct.mchStraps.mchStrap0.meDisable = 1; // ME is a blob. not wanted in libreboot. - deblobbedDescriptorStruct.mchStraps.mchStrap0.tpmDisable = 1; // not wanted in libreboot - - // disable ME, apart from chipset bugfixes (ME region should first be re-enabled above) - // This is sort of like the CPU microcode updates, but for the chipset - // (commented out below here, since blobs go against libreboot's purpose, - // but may be interesting for others) - // deblobbedDescriptorStruct.mchStraps.mchStrap0.meAlternateDisable = 1; - - // debugging - printf("\nOriginal (factory.rom) Descriptor start block: %08x ; Descriptor end block: %08x\n", factoryDescriptorStruct.regionSection.flReg0.BASE << FLREGIONBITSHIFT, factoryDescriptorStruct.regionSection.flReg0.LIMIT << FLREGIONBITSHIFT); - printf("Original (factory.rom) BIOS start block: %08x ; BIOS end block: %08x\n", factoryDescriptorStruct.regionSection.flReg1.BASE << FLREGIONBITSHIFT, factoryDescriptorStruct.regionSection.flReg1.LIMIT << FLREGIONBITSHIFT); - printf("Original (factory.rom) ME start block: %08x ; ME end block: %08x\n", factoryDescriptorStruct.regionSection.flReg2.BASE << FLREGIONBITSHIFT, factoryDescriptorStruct.regionSection.flReg2.LIMIT << FLREGIONBITSHIFT); - printf("Original (factory.rom) 
GBe start block: %08x ; GBe end block: %08x\n", factoryGbeRegionStart, factoryDescriptorStruct.regionSection.flReg3.LIMIT << FLREGIONBITSHIFT); - - printf("\nRelocated (libreboot.rom) Descriptor start block: %08x ; Descriptor end block: %08x\n", deblobbedDescriptorStruct.regionSection.flReg0.BASE << FLREGIONBITSHIFT, deblobbedDescriptorStruct.regionSection.flReg0.LIMIT << FLREGIONBITSHIFT); - printf("Relocated (libreboot.rom) BIOS start block: %08x ; BIOS end block: %08x\n", deblobbedDescriptorStruct.regionSection.flReg1.BASE << FLREGIONBITSHIFT, deblobbedDescriptorStruct.regionSection.flReg1.LIMIT << FLREGIONBITSHIFT); - printf("Relocated (libreboot.rom) ME start block: %08x ; ME end block: %08x\n", deblobbedDescriptorStruct.regionSection.flReg2.BASE << FLREGIONBITSHIFT, deblobbedDescriptorStruct.regionSection.flReg2.LIMIT << FLREGIONBITSHIFT); - printf("Relocated (libreboot.rom) GBe start block: %08x ; GBe end block: %08x\n", deblobbedDescriptorStruct.regionSection.flReg3.BASE << FLREGIONBITSHIFT, deblobbedDescriptorStruct.regionSection.flReg3.LIMIT << FLREGIONBITSHIFT); - - return deblobbedDescriptorStruct; -} - -// checksum calculation for 4k gbe struct (algorithm based on datasheet) -unsigned short gbeGetChecksumFrom4kStruct(struct GBEREGIONRECORD_4K gbeStruct4k, unsigned short desiredValue) -{ - char gbeBuffer4k[GBEREGIONSIZE>>1]; - memcpy(&gbeBuffer4k, &gbeStruct4k, GBEREGIONSIZE>>1); - return gbeGetChecksumFrom8kBuffer(gbeBuffer4k, desiredValue, 0); -} -// checksum calculation for 8k gbe region (algorithm based on datasheet) -// also works for 4k buffers, so long as isBackup remains false -unsigned short gbeGetChecksumFrom8kBuffer(char* regionData, unsigned short desiredValue, char isBackup) -{ - int i; - - unsigned short regionWord; // store words here for adding to checksum - unsigned short checksum = 0; // this gbe's checksum - unsigned short offset = 0; // in bytes, from the start of the gbe region. 
- - // if isBackup is true, use 2nd gbe region ("backup" region) - if (isBackup) offset = 0x1000>>1; // this function uses *word* not *byte* indexes. - - for (i = 0; i < 0x3F; i++) { - regionWord = gbeGetRegionWordFrom8kBuffer(i+offset, regionData); - checksum += regionWord; - } - checksum = desiredValue - checksum; - return checksum; -} -// Read a 16-bit unsigned int from a supplied region buffer -unsigned short gbeGetRegionWordFrom8kBuffer(int index, char* regionData) -{ - return *((unsigned short*)(regionData + (index * 2))); -} |