From 969ac353569c8f9f29a7a97e4d24203b04d7d8c2 Mon Sep 17 00:00:00 2001
From: Francis Rowe <info@gluglug.org.uk>
Date: Thu, 07 May 2015 12:13:44 -0400
Subject: docs/hcl/gm45_remove_me.html: notes about the demefactory util

---
(limited to 'docs')

diff --git a/docs/hcl/gm45_remove_me.html b/docs/hcl/gm45_remove_me.html
index 8f7d56f..0e86166 100644
--- a/docs/hcl/gm45_remove_me.html
+++ b/docs/hcl/gm45_remove_me.html
@@ -228,6 +228,61 @@
 			</p>
 			
 	</div>
+	
+	<div class="section">
+
+		<h1 id="demefactory">demefactory utility</h1>
+
+			<p>
+				This takes a factory.rom dump and disables the ME/TPM, but leaves the region intact.
+				It also sets all regions read-write.
+			</p>
+			
+			<p>
+				The ME interferes with flash read/write in flashrom, and the default descriptor
+				locks some regions. The idea is that doing this will remove all of those restrictions.
+			</p>
+			
+			<p>
+				Simply run (with factory.rom in the same directory):<br/>
+				$ <b>./demefactory</b>
+			</p>
+			
+			<p>
+				It will generate a 4KiB descriptor file (only the descriptor, no GbE). Insert that into
+				a factory.rom image (NOTE: do this on a copy of it. Keep the original factory.rom stored
+				safely somewhere):<br/>
+				$ <b>dd if=demefactory_4kdescriptor.bin of=factory_nome.rom bs=1 count=4k conv=notrunc</b>
+			</p>
+			
+			<p>
+				TODO: test this.<br/>
+				TODO: lenovobios (GM45 thinkpads) still write-protects parts of the flash. Modify the assembly code
+				inside.
+				Note: the factory.rom (BIOS region) from lenovobios is in a compressed format, which you have to extract.
+				bios_extract upstream won't work, but the following was said in #coreboot on freenode IRC:
+			</p>
+<pre>
+&lt;roxfan&gt; fchmmr: try bios_extract with ffv patch <a href="http://patchwork.coreboot.org/patch/3444/">http://patchwork.coreboot.org/patch/3444/</a>
+&lt;roxfan&gt; or <a href="https://github.com/coreboot/bios_extract/blob/master/phoenix_extract.py">https://github.com/coreboot/bios_extract/blob/master/phoenix_extract.py</a>
+&lt;roxfan&gt; what are you looking for specifically, btw?
+
+0x74: 0x9fff03e0 PR0: Warning: 0x003e0000-0x01ffffff is read-only.
+0x84: 0x81ff81f8 PR4: Warning: 0x001f8000-0x001fffff is locked.
+</pre>
+
+			<p>
+				Use-case: a factory.rom image modified in this way would theoretically have no
+				flash protections whatsoever, making it easy to quickly switch between factory/libreboot
+				in software, without ever having to disassemble and re-flash externally unless you brick
+				the device.
+			</p>
+			
+			<p>
+				demefactory is part of the ich9deblob src, found at <i>resources/utilities/ich9deblob/</i>
+			</p>
+
+	</div>
 		
 	<div class="section">
 		
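Review bot: The dd step in the fourth added paragraph writes to factory_nome.rom, but no command in the instructions creates that file; the text only says in a parenthetical to "do this on a copy". If factory_nome.rom does not already exist, dd will create a 4KiB file that holds only the descriptor instead of patching a full image. Add the copy as an explicit command before the dd line, for example "cp factory.rom factory_nome.rom". Separately, the use-case paragraph says the image would have "no flash protections whatsoever", while the TODO above it states that lenovobios still write-protects parts of the flash and the pasted PR0/PR4 lines show a read-only and a locked range. The use-case text should say it depends on that TODO being resolved. The PR0/PR4 lines also need a sentence saying what produced them, since they sit unlabelled in the same <pre> as the IRC quote.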
diff --git a/docs/tasks.html b/docs/tasks.html
index b188aaa..2cf4852 100644
--- a/docs/tasks.html
+++ b/docs/tasks.html
@@ -275,6 +275,17 @@
 						</li>
 					</ul>
 					
+				<h3>
+					Flashing from lenovobios to libreboot (and vice versa)
+				</h3>
+					<ul>
+						<li>
+							Implement everything outlined in
+							<a href="hcl/gm45_remove_me.html#demefactory">hcl/gm45_remove_me.html#demefactory</a>
+							and test it.
+						</li>
+					</ul>
+					
 				<h3>Payloads</h3>
 					<ul>
 						<li>
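Review bot: The new list item under "Flashing from lenovobios to libreboot (and vice versa)" says only "Implement everything outlined in ... and test it", which gives nothing that can be tracked or closed from this page. The linked section carries two distinct open items (test the demefactory procedure, and handle lenovobios still write-protecting parts of the flash); list them as separate <li> entries. Style point: the added <h3> is split over three lines while the neighbouring "<h3>Payloads</h3>" is on one line, so match the existing form.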
--
cgit v0.9.1