summaryrefslogtreecommitdiffstats
path: root/docs/hcl/gm45_remove_me.html
diff options
context:
space:
mode:
Diffstat (limited to 'docs/hcl/gm45_remove_me.html')
-rw-r--r--docs/hcl/gm45_remove_me.html528
1 files changed, 528 insertions, 0 deletions
diff --git a/docs/hcl/gm45_remove_me.html b/docs/hcl/gm45_remove_me.html
new file mode 100644
index 0000000..d6c36f4
--- /dev/null
+++ b/docs/hcl/gm45_remove_me.html
@@ -0,0 +1,528 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8">
+ <meta name="viewport" content="width=device-width, initial-scale=1">
+
+ <style type="text/css">
+ @import url('../css/main.css');
+ </style>
+
+ <title>GM45 chipsets: remove the ME (manageability engine)</title>
+</head>
+
+<body>
+
+ <div class="section">
+
+ <h1 id="pagetop">GM45 chipsets: remove the ME (manageability engine)</h1>
+ <p>
+ This sections relates to disabling and removing the ME (Intel <b>M</b>anagement <b>E</b>ngine) on
+ GM45. This was originally done on the ThinkPad X200, and later adapted for the ThinkPad R400. It can
+ in principle be done on any GM45 or GS45 machine.
+ </p>
+ <p>
+ The ME is a blob that typically must be left inside the flash chip (in the ME region, as outlined
+ by the default descriptor). On GM45, it is possible to remove it without any ill effects. All
+ other parts of coreboot on GM45 machines (provided GMA MHD4500 / Intel graphics) can be blob-free,
+ so removing the ME was the last obstacle to
+ make GM45 a feasible target in libreboot (the machines can also work without the microcode blobs).
+ </p>
+ <p>
+ The ME is removed and disabled in libreboot by modifying the descriptor. More info about
+ this can be found in the ich9deblob/ich9gen source code in resources/utilities/ich9deblob/
+ in libreboot, or more generally on this page.
+ </p>
+ <p>
+ <a href="index.html">Back to previous index</a>.
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h1 id="ich9gen">ICH9 gen utility</h1>
+
+ <p>
+ <b>This is no longer strictly necessary. Libreboot ROM images for GM45 now
+ contain the 12KiB descriptor+gbe generated from ich9gen, by default.</b>
+ </p>
+
+ <p>
+ It is no longer necessary to use <a href="#ich9deblob">ich9deblob</a> to generate
+ a deblobbed descriptor+gbe image for the X200. ich9gen is a small utility within
+ ich9deblob that can generate them from scratch, without a factory.bin dump.
+ </p>
+
+ <p>
+ Run:<br/>
+ $ <b>./ich9gen</b>
+ </p>
+
+ <p>
+ It is also possible to generate a descriptor+gbe image with your own MAC address
+ inside (with the Gbe checksum updated to match). Run:<br/>
+ $ <b>./ich9gen --macaddress XX:XX:XX:XX:XX:XX</b><br/>
+ (replace the XX chars with the hexadecimal chars in the MAC address that you want)
+ </p>
+
+ <p>
+ You can find out your MAC address from <b>ip addr</b> or <b>ifconfig</b> in GNU/Linux.
+ Alternatively, if you are running libreboot already (with the correct MAC address in your
+ ROM), dump it (flashrom -r) and read the first 6 bytes from position 0x1000 (or 0x2000) in a hex editor
+ (or, rename it to factory.rom and run it in ich9deblob: in the newly created mkgbe.c
+ will be the individual bytes of your MAC address). If you are currently running the stock firmware
+ and haven't installed libreboot yet, you can also run that through ich9deblob to get the mac address.
+ </p>
+
+ <p>
+ An even simpler way to get the MAC address would be to read what's on the little sticker on
+ the underside. (on the X200, this would be near the VGA port).
+ </p>
+
+ <p>
+ A bash script is also included in libreboot which will change the mac address (using ich9gen)
+ on all GM45 ROM images. For instance:<br/>
+ $ <b>./ich9macchange XX:XX:XX:XX:XX:XX</b>
+ </p>
+
+ <p>
+ Two new files will be created:
+ </p>
+ <ul>
+ <li><b>ich9fdgbe_4m.bin</b>: this is for GM45 laptops with the 4MB flash chip.</li>
+ <li><b>ich9fdgbe_8m.bin</b>: this is for GM45 laptops with the 8MB flash chip.</li>
+ </ul>
+
+ <p>
+ ich9gen executables can be found under ./ich9deblob/ statically compiled in
+ libreboot_bin. If you are using src or git, build ich9gen from source with:<br/>
+ $ <b>./builddeps-ich9deblob</b><br/>
+ The executable will appear under resources/utilities/ich9deblob/
+ </p>
+
+ <p>
+ Assuming that your libreboot image is named <b>libreboot.rom</b>, copy
+ the file to where <b>libreboot.rom</b> is located
+ and then run, for instance:<br/>
+ $ <b>dd if=ich9fdgbe_8m.bin of=libreboot.rom bs=1 count=12k conv=notrunc</b><br/>
+ or:<br/>
+ $ <b>dd if=ich9fdgbe_4m.bin of=libreboot.rom bs=1 count=12k conv=notrunc</b>
+ </p>
+
+ <p>
+ Your libreboot.rom image is now ready to be flashed on the machine. Refer back to
+ <a href="../install/index.html#flashrom">../install/index.html#flashrom</a>
+ for how to flash it.
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h1 id="ich9deblob">ICH9 deblob utility</h1>
+
+ <p>
+ <b>This is no longer strictly necessary. Libreboot ROM images for GM45 machines now
+ contain the 12KiB descriptor+gbe generated from ich9gen, by default.</b>
+ </p>
+
+ <p>
+ This was the tool originally used to disable the ME on X200 (later adapted for other machines that use the
+ GM45 chipset). <a href="#ich9gen">ich9gen</a> now supersedes it;
+ ich9gen is better because it does not rely on dumping the factory.rom image (whereas, ich9deblob does).
+ </p>
+
+ <p>
+ This is what you will use to generate the deblobbed descriptor+gbe regions for your libreboot ROM image.
+ </p>
+ <p>
+ If you are working with libreboot_src (or git), you can find the source under resources/utilities/ich9deblob/
+ and will already be compiled if you ran ./builddeps or ./builddeps-ich9deblob from the main directory (./),
+ otherwise you can build it like so:<br/>
+ $ <b>./builddeps-ich9deblob</b><br/>
+ An executable file named <b>ich9deblob</b> will now appear under resources/utilities/ich9deblob/
+ </p>
+ <p>
+ If you are working with libreboot_bin release archive, you can find the utility included, statically compiled
+ (for i686 and x86_64 on GNU/Linux) under ./ich9deblob/.
+ </p>
+
+ <p>
+ Place the factory.rom from your machine
+ (can be obtained using the external flashing guides for GM45 targets linked <a href="../install/index.html">../install/index.html</a>) in
+ the directory where you have your ich9deblob executable, then run the tool:<br/>
+ $ <b>./ich9deblob</b>
+ </p>
+ <p>
+ A 12kiB file named <b>deblobbed_descriptor.bin</b> will now appear. <b>Keep this and the factory.rom stored in a safe location!</b>
+ The first 4KiB contains the descriptor data region for your machine, and the next 8KiB contains the gbe region (config data for your
+ gigabit NIC). These 2 regions could actually be separate files, but they are joined into 1 file in this case.
+ </p>
+
+ <p>
+ Assuming that your libreboot image is named <b>libreboot.rom</b>, copy
+ the <b>deblobbed_descriptor.bin</b> file to where <b>libreboot.rom</b> is located
+ and then run:<br/>
+ $ <b>dd if=deblobbed_descriptor.bin of=libreboot.rom bs=1 count=12k conv=notrunc</b>
+ </p>
+
+ <p>
+ The utility will also generate 4 additional files:
+ </p>
+ <ul>
+ <li>mkdescriptor.c</li>
+ <li>mkdescriptor.h</li>
+ <li>mkgbe.c</li>
+ <li>mkgbe.h</li>
+ </ul>
+ <p>
+ These are C source files that can re-generate the very same Gbe and Descriptor structs
+ (from ich9deblob/ich9gen). To use these, place them in src/ich9gen/ in ich9deblob, then re-build.
+ The newly built <b>ich9gen</b> executable will be able to re-create the very same 12KiB file from scratch,
+ based on the C structs, this time <b>without</b> the need for a factory.rom dump!
+ </p>
+
+ <p>
+ You should now have a <b>libreboot.rom</b> image containing the correct 4K descriptor and 8K gbe regions, which
+ will then be safe to flash. Refer back to <a href="../install/index.html#flashrom">../install/index.html#flashrom</a>
+ for how to flash it.
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <p>
+ The sections below are adapted from (mostly) IRC logs related to early development getting the ME removed on GM45.
+ They are useful for background information. This could not have been done without sgsit's help.
+ </p>
+
+ <div class="subsection">
+
+ <h2 id="early_notes">Early notes</h2>
+
+ <ul>
+ <li>
+ <a href="http://www.intel.co.uk/content/dam/doc/datasheet/io-controller-hub-10-family-datasheet.pdf">http://www.intel.co.uk/content/dam/doc/datasheet/io-controller-hub-10-family-datasheet.pdf</a>
+ page 230 mentions about descriptor and non-descriptor mode (which wipes out gbe and ME/AMT).
+ </li>
+ <li>
+ <s><b>See reference to HDA_SDO (disable descriptor security)</b></s>
+ strap connected GPIO33 pin is it on ICH9-M (X200). HDA_SDO applies to later chipsets (series 6 or higher).
+ Disabling descriptor security also disables the ethernet according to sgsit. sgsit's method
+ involves use of 'soft straps' (see IRC logs below) instead of disabling the descriptor.
+ </li>
+ <li>
+ <b>and the location of GPIO33 on the x200s: (was an external link. Putting it here instead)</b>
+ <a href="images/x200/gpio33_location.jpg">images/x200/gpio33_location.jpg</a>
+ - it's above the number 7 on TP37 (which is above the big intel chip at the bottom)
+ </li>
+ <li>
+ The ME datasheet may not be for the mobile chipsets but it doesn't vary that much.
+ This one gives some detail and covers QM67 which is what the X201 uses:
+ <a href="http://www.intel.co.uk/content/dam/www/public/us/en/documents/datasheets/6-chipset-c200-chipset-datasheet.pdf">http://www.intel.co.uk/content/dam/www/public/us/en/documents/datasheets/6-chipset-c200-chipset-datasheet.pdf</a>
+ </li>
+ </ul>
+
+ </div>
+
+ </div>
+
+ <div class="section">
+
+ <div class="subsection">
+
+ <h2 id="flashchips">Flash chips</h2>
+
+ <ul>
+ <li>
+ Schematics for X200 laptop: <a href="http://pdf.datasheetarchive.com/indexerfiles/Datasheets-USER/DSAUPLD00006075.pdf">http://pdf.datasheetarchive.com/indexerfiles/Datasheets-USER/DSAUPLD00006075.pdf</a>
+ <b><s>- Page 20 and page 9 refer to SDA_HDO or SDA_HDOUT</s></b> only on series 6 or higher chipsets. ICH9-M (X200) does it with a strap connected to GPIO33 pin (see IRC notes below)<br/>
+ - According to page 29, the X200 can have any of the following flash chips:
+ <ul>
+ <li>ATMEL AT26DF321-SU 72.26321.A01 - this is a 32Mb (4MiB) chip</li>
+ <li>MXIC (Macronix?) MX25L3205DM2I-12G 72.25325.A01 - another 32Mb (4MiB) chip</li>
+ <li>MXIC (Macronix?) MX25L6405DMI-12G 41R0820AA - this is a 64Mb (8MiB) chip</li>
+ <li>Winbond W25X64VSFIG 41R0820BA - another 64Mb (8MiB) chip</li>
+ </ul>
+ sgsit says that the X200s with the 64Mb flash chips are (probably) the ones with AMT (alongside the ME), whereas
+ the 32Mb chips contain only the ME.
+ </li>
+ <li>
+ Schematics for X200s laptop: <a href="http://pdf.datasheetarchive.com/indexerfiles/Datasheets-USER/DSAUPLD00006104.pdf">http://pdf.datasheetarchive.com/indexerfiles/Datasheets-USER/DSAUPLD00006104.pdf</a>.
+ </li>
+ </ul>
+
+ </div>
+
+ </div>
+
+ <div class="section">
+
+ <h2 id="early_development_notes">Early development notes</h2>
+
+<pre>
+<i>
+Start (hex) End (hex) Length (hex) Area Name
+----------- --------- ------------ ---------
+00000000 003FFFFF 00400000 Flash Image
+
+00000000 00000FFF 00001000 Descriptor Region
+00000004 0000000F 0000000C Descriptor Map
+00000010 0000001B 0000000C Component Section
+00000040 0000004F 00000010 Region Section
+00000060 0000006B 0000000C Master Access Section
+00000060 00000063 00000004 CPU/BIOS
+00000064 00000067 00000004 Manageability Engine (ME)
+00000068 0000006B 00000004 GbE LAN
+00000100 00000103 00000004 ICH Strap 0
+00000104 00000107 00000004 ICH Strap 1
+00000200 00000203 00000004 MCH Strap 0
+00000EFC 00000EFF 00000004 Descriptor Map 2
+00000ED0 00000EF7 00000028 ME VSCC Table
+00000ED0 00000ED7 00000008 Flash device 1
+00000ED8 00000EDF 00000008 Flash device 2
+00000EE0 00000EE7 00000008 Flash device 3
+00000EE8 00000EEF 00000008 Flash device 4
+00000EF0 00000EF7 00000008 Flash device 5
+00000F00 00000FFF 00000100 OEM Section
+00001000 001F5FFF 001F5000 ME Region
+001F6000 001F7FFF 00002000 GbE Region
+001F8000 001FFFFF 00008000 PDR Region
+00200000 003FFFFF 00200000 BIOS Region
+
+Start (hex) End (hex) Length (hex) Area Name
+----------- --------- ------------ ---------
+00000000 003FFFFF 00400000 Flash Image
+
+00000000 00000FFF 00001000 Descriptor Region
+00000004 0000000F 0000000C Descriptor Map
+00000010 0000001B 0000000C Component Section
+00000040 0000004F 00000010 Region Section
+00000060 0000006B 0000000C Master Access Section
+00000060 00000063 00000004 CPU/BIOS
+00000064 00000067 00000004 Manageability Engine (ME)
+00000068 0000006B 00000004 GbE LAN
+00000100 00000103 00000004 ICH Strap 0
+00000104 00000107 00000004 ICH Strap 1
+00000200 00000203 00000004 MCH Strap 0
+00000ED0 00000EF7 00000028 ME VSCC Table
+00000ED0 00000ED7 00000008 Flash device 1
+00000ED8 00000EDF 00000008 Flash device 2
+00000EE0 00000EE7 00000008 Flash device 3
+00000EE8 00000EEF 00000008 Flash device 4
+00000EF0 00000EF7 00000008 Flash device 5
+00000EFC 00000EFF 00000004 Descriptor Map 2
+00000F00 00000FFF 00000100 OEM Section
+00001000 00002FFF 00002000 GbE Region
+00003000 00202FFF 00200000 BIOS Region
+
+Build Settings
+--------------
+Flash Erase Size = 0x1000
+
+</i>
+</pre>
+
+ <p>
+ It's a utility called 'Flash Image Tool' for ME 4.x that was used for this. You drag a complete
+ image into in and the utility decomposes the various components, allowing you to set soft straps.
+ </p>
+ <p>
+ This tool is proprietary, for Windows only, but was used to deblob the X200. End justified means, and
+ the utility is no longer needed since the ich9deblob utility (documented on this page) can now be
+ used to create deblobbed descriptors.
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <h2 id="gbe_region">
+ GBE (gigabit ethernet) region in SPI flash
+ </h2>
+
+ <p>
+ Of the 8K, about 95% is 0xFF.
+ The data is the gbe region is fully documented in this public datasheet:
+ <a href="http://www.intel.co.uk/content/dam/doc/application-note/i-o-controller-hub-9m-82567lf-lm-v-nvm-map-appl-note.pdf">http://www.intel.co.uk/content/dam/doc/application-note/i-o-controller-hub-9m-82567lf-lm-v-nvm-map-appl-note.pdf</a>
+ </p>
+
+ <p>
+ The only actual content found was:
+ </p>
+
+<pre>
+<i>
+00 1F 1F 1F 1F 1F 00 08 FF FF 83 10 FF FF FF FF
+08 10 FF FF C3 10 EE 20 AA 17 F5 10 86 80 00 00
+01 0D 00 00 00 00 05 06 20 30 00 0A 00 00 8B 8D
+02 06 40 2B 43 00 00 00 F5 10 AD BA F5 10 BF 10
+AD BA CB 10 AD BA AD BA 00 00 00 00 00 00 00 00
+00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+00 01 00 40 28 12 07 40 FF FF FF FF FF FF FF FF
+FF FF FF FF FF FF FF FF FF FF FF FF FF FF D9 F0
+20 60 1F 00 02 00 13 00 00 80 1D 00 FF 00 16 00
+DD CC 18 00 11 20 17 00 DD DD 18 00 12 20 17 00
+00 80 1D 00 00 00 1F
+</i>
+</pre>
+
+ <p>
+ The first part is the MAC address set to all 0x1F. It's repeated haly way through
+ the 8K area, and the rest is all 0xFF. This is all documented in the datasheet.
+ </p>
+
+ <p>
+ The GBe region starts at 0x20A000 bytes from the *end* of a factory image and is 0x2000 bytes long.
+ In libreboot (deblobbed) the descriptor is set to put gbe directly after the initial 4K flash descriptor.
+ So the first 4K of the ROM is the descriptor, and then the next 8K is the gbe region.
+ </p>
+
+ <div class="subsection">
+
+ <h3 id="gbe_region_changemacaddress">GBE region: change MAC address</h3>
+
+ <p>
+ According to the datasheet, it's supposed to add up to 0xBABA but can actually be others on the X200.
+ <a href="https://communities.intel.com/community/wired/blog/2010/10/14/how-to-basic-eeprom-checksums">https://communities.intel.com/community/wired/blog/2010/10/14/how-to-basic-eeprom-checksums</a>
+ </p>
+ <p>
+ <i>&quot;One of those engineers loves classic rock music, so he selected 0xBABA&quot;</i>
+ </p>
+ <p>In honour of the song <i>Baba O'Reilly</i> by <i>The Who</i> apparently. We're not making this stuff up...</p>
+
+ <p>
+ 0x3ABA, 0x34BA, 0x40BA and more have been observed in the main Gbe regions on the X200 factory.rom dumps.
+ The checksums of the backup regions match BABA, however.
+ </p>
+
+ <p>
+ By default, the X200 (as shipped by Lenovo) actually has an invalid main gbe checksum. The backup gbe region is correct,
+ and is what these machines default to. Basically, you should do what you need on the *backup* gbe region, and
+ then correct the main one by copying from the backup.
+ </p>
+
+ <p>
+ Look at resources/utilities/ich9deblob/ich9deblob.c.
+ </p>
+ <ul>
+ <li>Add the first 0x3F 16bit numbers (unsigned) of the GBe descriptor together (this includes the checksum value)
+ and that has to add up to 0xBABA. In other words, the checksum is 0xBABA minus the total of the first
+ 0x3E 16bit numbers (unsigned), ignoring any overflow.</li>
+ </ul>
+
+ </div>
+
+ </div>
+
+ <div class="section">
+
+ <h2 id="flash_descriptor_region">Flash descriptor region</h2>
+
+ <p>
+ <a href="http://www.intel.co.uk/content/dam/doc/datasheet/io-controller-hub-9-datasheet.pdf">http://www.intel.co.uk/content/dam/doc/datasheet/io-controller-hub-9-datasheet.pdf</a>
+ from page 850 onwards. This explains everything that is in the flash descriptor, which can be used to understand what libreboot
+ is doing about modifying it.
+ </p>
+
+ <p>
+ How to deblob:
+ </p>
+ <ul>
+ <li>patch the number of regions present in the descriptor from 5 - 3</li>
+ <li>originally descriptor + bios + me + gbe + platform</li>
+ <li>modified = descriptor + bios + gbe</li>
+ <li>the next stage is to patch the part of the descriptor which defines the start and end point of each section</li>
+ <li>then cut out the gbe region and insert it just after the region</li>
+ <li>all this can be substantiated with public docs (ICH9 datasheet)</li>
+ <li>the final part is flipping 2 bits. Halting the ME via 1 MCH soft strap and 1 ICH soft strap</li>
+ <li>the part of the descriptor described there gives the base address and length of each region (bits 12:24 of each address)</li>
+ <li>to disable a region, you set the base address to 0xFFF and the length to 0</li>
+ <li>and you change the number of regions from 4 (zero based) to 2</li>
+ </ul>
+
+ <p>
+ There's an interesting parameter called 'ME Alternate disable', which allows the ME to only handle hardware errata in the southbridge,
+ but disables any other functionality. This is similar to the 'ignition' in the 5 series and higher but using the standard firmware
+ instead of a small 128K version. Useless for libreboot, though.
+ </p>
+
+ <p>
+ To deblob GM45, you chop out the platform and ME regions and correct the addresses in flReg1-4.
+ Then you set meDisable to 1 in ICHSTRAP0 and MCHSTRAP0.
+ </p>
+
+ <p>How to patch the descriptor from the factory.rom dump</p>
+ <ul>
+ <li>map the first 4k into the struct (minus the gbe region)</li>
+ <li>set NR in FLMAP0 to 2 (from 4)</li>
+ <li>adjust BASE and LIMIT in flReg1,2,3,4 to reflect the new location of each region (or remove them in the case of Platform and ME)</li>
+ <li>set meDisable to 1/true in ICHSTRAP0 and MCHSTRAP0</li>
+ <li>extract the 8k GBe region and append that to the end of the 4k descriptor</li>
+ <li>output the 12k concatenated chunk</li>
+ <li>Then it can be dd'd into the first 12K part of a coreboot image.</li>
+ <li>the GBe region always starts 0x20A000 bytes from the end of the ROM</li>
+ </ul>
+
+ <p>
+ This means that libreboot's descriptor region will simply define the following regions:
+ </p>
+ <ul>
+ <li>descriptor (4K)</li>
+ <li>gbe (8K)</li>
+ <li>bios (rest of flash chip. CBFS also set to occupy this whole size)</li>
+ </ul>
+
+ <p>
+ The data in the descriptor region is little endian, and it represents bits 24:12 of the address
+ (bits 12-24, written this way since bit 24 is nearer to left than bit 12 in the binary representation).
+ </p>
+ <p>
+ So, <i>x &lt;&lt; 12 = address</i>
+ </p>
+ <p>
+ If it's in descriptor mode, then the first 4 bytes will be 5A A5 F0 0F.
+ </p>
+
+ </div>
+
+
+ <div class="section">
+
+ <h2 id="platform_data_region">platform data partition in boot flash (factory.rom / lenovo bios)</h2>
+
+ <p>
+ Basically useless for libreboot, since it appears to be a blob.
+ Removing it didn't cause any issues in libreboot.
+ </p>
+ <p>
+ This is a 32K region from the factory image. It could be data
+ (non-functional) that the original Lenovo BIOS used, but we don't know.
+ </p>
+
+ <p>
+ It has only a 448 byte fragment different from 0x00 or 0xFF.
+ </p>
+
+ </div>
+
+ <div class="section">
+
+ <p>
+ Copyright &copy; 2014, 2015 Francis Rowe &lt;info@gluglug.org.uk&gt;<br/>
+ This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions.
+ A copy of the license can be found at <a href="../license.txt">../license.txt</a>.
+ </p>
+
+ <p>
+ This document is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See <a href="../license.txt">../../license.txt</a> for more information.
+ </p>
+
+ </div>
+
+</body>
+</html>
generated by cgit v0.9.1 at 2024-11-10 21:43:52 (EST)