1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
|
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<style type="text/css">
@import url('../css/main.css');
</style>
<title>GM45 chipsets: remove the ME (manageability engine)</title>
</head>
<body>
<div class="section">
<h1 id="pagetop">GM45 chipsets: remove the ME (manageability engine)</h1>
<p>
This sections relates to disabling and removing the ME (Intel <b>M</b>anagement <b>E</b>ngine) on
GM45. This was originally done on the ThinkPad X200, and later adapted for the ThinkPad R400/T400/T500. It can
in principle be done on any GM45 or GS45 system.
</p>
<p>
The ME is a blob that typically must be left inside the flash chip (in the ME region, as outlined
by the default descriptor). On GM45, it is possible to remove it without any ill effects. All
other parts of coreboot on GM45 systems (provided GMA MHD4500 / Intel graphics) can be blob-free,
so removing the ME was the last obstacle to
make GM45 a feasible target in libreboot (the systems can also work without the microcode blobs).
</p>
<p>
The ME is removed and disabled in libreboot by modifying the descriptor. More info about
this can be found in the ich9deblob/ich9gen source code in resources/utilities/ich9deblob/
in libreboot, or more generally on this page.
</p>
<p>
More information about the ME can be found at
<a href="http://www.coreboot.org/Intel_Management_Engine">http://www.coreboot.org/Intel_Management_Engine</a>
and <a href="http://me.bios.io/Main_Page">http://me.bios.io/Main_Page</a>.
</p>
<p>
Another project recently found:
<a href="http://io.smashthestack.org/me/">http://io.smashthestack.org/me/</a>
</p>
<p>
<a href="index.html">Back to previous index</a>.
</p>
</div>
<div class="section">
<h1 id="ich9gen">ICH9 gen utility</h1>
<p>
It is no longer necessary to use <a href="#ich9deblob">ich9deblob</a> to generate
a deblobbed descriptor+gbe image for GM45 targets. ich9gen is a small utility within
ich9deblob that can generate them from scratch, without a factory.bin dump.
</p>
<p>
ich9gen executables can be found under ./ich9deblob/ statically compiled in
libreboot_util. If you are using src or git, build ich9gen from source with:<br/>
$ <b>./build module ich9deblob</b><br/>
The executable will appear under resources/utilities/ich9deblob/
</p>
<p>
Run:<br/>
$ <b>./ich9gen</b>
</p>
<p>
Running ich9gen this way (without any arguments) generates
a default descriptor+gbe image with a generic MAC address.
You probably don't want to use the generic one; the ROM images
in libreboot contain a descriptor+gbe image by default (already
inserted) just to prevent or mitigate the risk of bricking
your laptop, but with the generic MAC address (the libreboot
project does not know what your real MAC address is).
</p>
<p>
You can find out your MAC address from <b>ip addr</b> or <b>ifconfig</b> in GNU/Linux.
Alternatively, if you are running libreboot already (with the correct MAC address in your
ROM), dump it (flashrom -r) and read the first 6 bytes from position 0x1000 (or 0x2000) in a hex editor
(or, rename it to factory.rom and run it in ich9deblob: in the newly created mkgbe.c
will be the individual bytes of your MAC address). If you are currently running the stock firmware
and haven't installed libreboot yet, you can also run that through ich9deblob to get the mac address.
</p>
<p>
An even simpler way to get the MAC address would be to read what's on the little sticker on
the bottom/base of the laptop.
</p>
<p>
On GM45 laptops that use flash descriptors, the MAC address
or the onboard ethernet chipset is flashed (inside the ROM image).
You should generate a descriptor+gbe image with your own MAC address
inside (with the Gbe checksum updated to match). Run:<br/>
$ <b>./ich9gen --macaddress XX:XX:XX:XX:XX:XX</b><br/>
(replace the XX chars with the hexadecimal chars in the MAC address that you want)
</p>
<p>
Two new files will be created:
</p>
<ul>
<li><b>ich9fdgbe_4m.bin</b>: this is for GM45 laptops with the 4MB flash chip.</li>
<li><b>ich9fdgbe_8m.bin</b>: this is for GM45 laptops with the 8MB flash chip.</li>
</ul>
<p>
Two other files will also be created, for the ThinkPad R500 which has a different NIC and, therefore,
no GbE region (for this laptop, it is not necessary to change the MAC address in the flash chip, because
it's burned into the NIC):
</p>
<ul>
<li><b>ich9fdnogbe_4m.bin</b>: this is for ThinkPad R500 laptops with the 4MB flash chip, where no GbE region is to be defined.</li>
<li><b>ich9fdnogbe_8m.bin</b>: this is for ThinkPad R500 laptops with the 8MB flash chip, where no GbE region is to be defined
- <b>NOTE: No actual R500 laptops with 8MiB are believed to exist. It is believed, that all R500 laptops have 4MiB flash chips</b>.</li>
</ul>
<p>
Assuming that your libreboot image is named <b>libreboot.rom</b>, copy
the file to where <b>libreboot.rom</b> is located
and then insert the descriptor+gbe file into the ROM image. For 8MiB flash chips:<br/>
$ <b>dd if=ich9fdgbe_8m.bin of=libreboot.rom bs=1 count=12k conv=notrunc</b><br/>
For 4MiB flash chips:<br/>
$ <b>dd if=ich9fdgbe_4m.bin of=libreboot.rom bs=1 count=12k conv=notrunc</b><br/>
</p>
<p>
<b>For the ThinkPad R500, do this instead:</b><br/>
For 8MiB flash chips (<b>highly unlikely on the ThinkPad R500)</b>:<br/>
$ <b>dd if=ich9fdnogbe_8m.bin of=libreboot.rom bs=1 count=4k conv=notrunc</b><br/>
For 4MiB flash chips (<b>You probably have this)</b>:<br/>
$ <b>dd if=ich9fdnogbe_4m.bin of=libreboot.rom bs=1 count=4k conv=notrunc</b><br/>
NOTE: This shouldn't be necessary. Libreboot ROM images already contain a descriptor embedded inside
the ROM images for GM45, generated by the ich9gen utility. It's only desirable to re-insert your own
when changing the MAC address, which is unnecessary (actually impossible) on the R500, because on that laptop,
as already stated, the NIC already has the correct MAC address burned in, along with along configuration data.
</p>
<p>
Your libreboot.rom image is now ready to be flashed on the system. Refer back to
<a href="../install/index.html#flashrom">../install/index.html#flashrom</a>
for how to flash it.
</p>
<h2>
Write-protecting the flash chip
</h2>
<p>
Look in <i>resources/utilities/ich9deblob/src/descriptor/descriptor.c</i>
for the following lines in the <i>descriptorHostRegionsUnlocked</i> function:
</p>
<pre>
descriptorStruct.masterAccessSection.flMstr1.fdRegionWriteAccess = 0x1;
descriptorStruct.masterAccessSection.flMstr1.biosRegionWriteAccess = 0x1;
descriptorStruct.masterAccessSection.flMstr1.meRegionWriteAccess = 0x1;
descriptorStruct.masterAccessSection.flMstr1.gbeRegionWriteAccess = 0x1;
descriptorStruct.masterAccessSection.flMstr1.pdRegionWriteAccess = 0x1;
</pre>
<p>
Also look in <i>resources/utilities/ich9deblob/src/ich9gen/mkdescriptor.c</i>
for the following lines:
</p>
<pre>
descriptorStruct.masterAccessSection.flMstr1.fdRegionWriteAccess = 0x1; /* see ../descriptor/descriptor.c */
descriptorStruct.masterAccessSection.flMstr1.biosRegionWriteAccess = 0x1; /* see ../descriptor/descriptor.c */
descriptorStruct.masterAccessSection.flMstr1.meRegionWriteAccess = 0x1; /* see ../descriptor/descriptor.c */
descriptorStruct.masterAccessSection.flMstr1.gbeRegionWriteAccess = 0x1; /* see ../descriptor/descriptor.c */
descriptorStruct.masterAccessSection.flMstr1.pdRegionWriteAccess = 0x1; /* see ../descriptor/descriptor.c */
</pre>
<p style="font-size:2em;">
NOTE: When you write-protect the flash chip, re-flashing is no longer possible unless you
use dedicated external equipment, which also means disassembling the laptop. The same equipment
can also be used to remove the write-protection later on, if you choose to do so. *Only* write-protect
the chip if you have the right equipment for external flashing later on; for example, see
<a href="../install/bbb_setup.html">../install/bbb_setup.html</a>.
</p>
<p>
Change them all to 0x0, then re-compile ich9gen. After you have done that,
follow the notes in <a href="#ich9gen">#ich9gen</a> to generate a new
descriptor+gbe image and insert that into your ROM image, then flash it.
The next time you boot, the flash chip will be read-only in software
(hardware re-flashing will still work, which you will need for re-flashing
the chip after write-protecting it, to clear the write protection or
to flash yet another ROM image with write protection set in the descriptor).
</p>
<p>
Flashrom will tell you that you can still forcefully re-flash, using <i>-p internal:ich_spi_force=yes</i> but
this won't actually work; it'll just brick your laptop.
</p>
<p>
For external flashing guides, refer to <a href="../install/index.html">../install/index.html</a>.
</p>
</div>
<div class="section">
<h1 id="ich9deblob">ICH9 deblob utility</h1>
<p>
<b>This is no longer strictly necessary. Libreboot ROM images for GM45 systems now
contain the 12KiB descriptor+gbe generated from ich9gen, by default.</b>
</p>
<p>
This was the tool originally used to disable the ME on X200 (later adapted for other systems that use the
GM45 chipset). <a href="#ich9gen">ich9gen</a> now supersedes it;
ich9gen is better because it does not rely on dumping the factory.rom image (whereas, ich9deblob does).
</p>
<p>
This is what you will use to generate the deblobbed descriptor+gbe regions for your libreboot ROM image.
</p>
<p>
If you are working with libreboot_src (or git), you can find the source under resources/utilities/ich9deblob/
and will already be compiled if you ran <b>./build module all</b> or <b>./build module ich9deblob</b> from the main directory (./),
otherwise you can build it like so:<br/>
$ <b>./build module ich9deblob</b><br/>
An executable file named <b>ich9deblob</b> will now appear under resources/utilities/ich9deblob/
</p>
<p>
If you are working with libreboot_util release archive, you can find the utility included, statically compiled
(for i686 and x86_64 on GNU/Linux) under ./ich9deblob/.
</p>
<p>
Place the factory.rom from your system
(can be obtained using the external flashing guides for GM45 targets linked <a href="../install/index.html">../install/index.html</a>) in
the directory where you have your ich9deblob executable, then run the tool:<br/>
$ <b>./ich9deblob</b>
</p>
<p>
A 12kiB file named <b>deblobbed_descriptor.bin</b> will now appear. <b>Keep this and the factory.rom stored in a safe location!</b>
The first 4KiB contains the descriptor data region for your system, and the next 8KiB contains the gbe region (config data for your
gigabit NIC). These 2 regions could actually be separate files, but they are joined into 1 file in this case.
</p>
<p>
A 4KiB file named <b>deblobbed_4kdescriptor.bin</b> will alternatively appear, if no GbE region was detected inside the ROM image.
This is usually the case, when a discrete NIC is used (eg Broadcom) instead of Intel. Only the Intel NICs need a GbE region in
the flash chip.
</p>
<p>
Assuming that your libreboot image is named <b>libreboot.rom</b>, copy
the <b>deblobbed_descriptor.bin</b> file to where <b>libreboot.rom</b> is located
and then run:<br/>
$ <b>dd if=deblobbed_descriptor.bin of=libreboot.rom bs=1 count=12k conv=notrunc</b>
</p>
<p>
Alternatively, if you got a the <b>deblobbed_4kdescriptor.bin</b> file (no GbE defined),
do this:
$ <b>dd if=deblobbed_4kdescriptor.bin of=libreboot.rom bs=1 count=4k conv=notrunc</b>
</p>
<p>
</p>
<p>
The utility will also generate 4 additional files:
</p>
<ul>
<li>mkdescriptor.c</li>
<li>mkdescriptor.h</li>
<li>mkgbe.c</li>
<li>mkgbe.h</li>
</ul>
<p>
These are C source files that can re-generate the very same Gbe and Descriptor structs
(from ich9deblob/ich9gen). To use these, place them in src/ich9gen/ in ich9deblob, then re-build.
The newly built <b>ich9gen</b> executable will be able to re-create the very same 12KiB file from scratch,
based on the C structs, this time <b>without</b> the need for a factory.rom dump!
</p>
<p>
You should now have a <b>libreboot.rom</b> image containing the correct 4K descriptor and 8K gbe regions, which
will then be safe to flash. Refer back to <a href="../install/index.html#flashrom">../install/index.html#flashrom</a>
for how to flash it.
</p>
</div>
<div class="section">
<h1 id="demefactory">demefactory utility</h1>
<p>
This takes a factory.rom dump and disables the ME/TPM, but leaves the region intact.
It also sets all regions read-write.
</p>
<p>
The ME interferes with flash read/write in flashrom, and the default descriptor
locks some regions. The idea is that doing this will remove all of those restrictions.
</p>
<p>
Simply run (with factory.rom in the same directory):<br/>
$ <b>./demefactory</b>
</p>
<p>
It will generate a 4KiB descriptor file (only the descriptor, no GbE). Insert that into
a factory.rom image (NOTE: do this on a copy of it. Keep the original factory.rom stored
safely somewhere):<br/>
$ <b>dd if=demefactory_4kdescriptor.bin of=factory_nome.rom bs=1 count=4k conv=notrunc</b>
</p>
<p>
TODO: test this.<br/>
TODO: lenovobios (GM45 thinkpads) still write-protects parts of the flash. Modify the assembly code
inside.
Note: the factory.rom (BIOS region) from lenovobios is in a compressed format, which you have to extract.
bios_extract upstream won't work, but the following was said in #coreboot on freenode IRC:
</p>
<pre>
<roxfan> fchmmr: try bios_extract with ffv patch <a href="http://patchwork.coreboot.org/patch/3444/">http://patchwork.coreboot.org/patch/3444/</a>
<roxfan> or <a href="https://github.com/coreboot/bios_extract/blob/master/phoenix_extract.py">https://github.com/coreboot/bios_extract/blob/master/phoenix_extract.py</a>
<roxfan> what are you looking for specifically, btw?
0x74: 0x9fff03e0 PR0: Warning: 0x003e0000-0x01ffffff is read-only.
0x84: 0x81ff81f8 PR4: Warning: 0x001f8000-0x001fffff is locked.
</pre>
<p>
Use-case: a factory.rom image modified in this way would theoretically have no
flash protections whatsoever, making it easy to quickly switch between factory/libreboot
in software, without ever having to disassemble and re-flash externally unless you brick
the device.
</p>
<p>
demefactory is part of the ich9deblob src, found at <i>resources/utilities/ich9deblob/</i>
</p>
</div>
<div class="section">
<p>
The sections below are adapted from (mostly) IRC logs related to early development getting the ME removed on GM45.
They are useful for background information. This could not have been done without sgsit's help.
</p>
<div class="subsection">
<h2 id="early_notes">Early notes</h2>
<ul>
<li>
<a href="http://www.intel.co.uk/content/dam/doc/datasheet/io-controller-hub-10-family-datasheet.pdf">http://www.intel.co.uk/content/dam/doc/datasheet/io-controller-hub-10-family-datasheet.pdf</a>
page 230 mentions about descriptor and non-descriptor mode (which wipes out gbe and ME/AMT).
</li>
<li>
<s><b>See reference to HDA_SDO (disable descriptor security)</b></s>
strap connected GPIO33 pin is it on ICH9-M (X200). HDA_SDO applies to later chipsets (series 6 or higher).
Disabling descriptor security also disables the ethernet according to sgsit. sgsit's method
involves use of 'soft straps' (see IRC logs below) instead of disabling the descriptor.
</li>
<li>
<b>and the location of GPIO33 on the x200s: (was an external link. Putting it here instead)</b>
<a href="images/x200/gpio33_location.jpg">images/x200/gpio33_location.jpg</a>
- it's above the number 7 on TP37 (which is above the big intel chip at the bottom)
</li>
<li>
The ME datasheet may not be for the mobile chipsets but it doesn't vary that much.
This one gives some detail and covers QM67 which is what the X201 uses:
<a href="http://www.intel.co.uk/content/dam/www/public/us/en/documents/datasheets/6-chipset-c200-chipset-datasheet.pdf">http://www.intel.co.uk/content/dam/www/public/us/en/documents/datasheets/6-chipset-c200-chipset-datasheet.pdf</a>
</li>
</ul>
</div>
</div>
<div class="section">
<div class="subsection">
<h2 id="flashchips">Flash chips</h2>
<ul>
<li>
Schematics for X200 laptop: <a href="http://pdf.datasheetarchive.com/indexerfiles/Datasheets-USER/DSAUPLD00006075.pdf">http://pdf.datasheetarchive.com/indexerfiles/Datasheets-USER/DSAUPLD00006075.pdf</a>
<b><s>- Page 20 and page 9 refer to SDA_HDO or SDA_HDOUT</s></b> only on series 6 or higher chipsets. ICH9-M (X200) does it with a strap connected to GPIO33 pin (see IRC notes below)<br/>
- According to page 29, the X200 can have any of the following flash chips:
<ul>
<li>ATMEL AT26DF321-SU 72.26321.A01 - this is a 32Mb (4MiB) chip</li>
<li>MXIC (Macronix?) MX25L3205DM2I-12G 72.25325.A01 - another 32Mb (4MiB) chip</li>
<li>MXIC (Macronix?) MX25L6405DMI-12G 41R0820AA - this is a 64Mb (8MiB) chip</li>
<li>Winbond W25X64VSFIG 41R0820BA - another 64Mb (8MiB) chip</li>
</ul>
sgsit says that the X200s with the 64Mb flash chips are (probably) the ones with AMT (alongside the ME), whereas
the 32Mb chips contain only the ME.
</li>
<li>
Schematics for X200s laptop: <a href="http://pdf.datasheetarchive.com/indexerfiles/Datasheets-USER/DSAUPLD00006104.pdf">http://pdf.datasheetarchive.com/indexerfiles/Datasheets-USER/DSAUPLD00006104.pdf</a>.
</li>
</ul>
</div>
</div>
<div class="section">
<h2 id="early_development_notes">Early development notes</h2>
<pre>
<i>
Start (hex) End (hex) Length (hex) Area Name
----------- --------- ------------ ---------
00000000 003FFFFF 00400000 Flash Image
00000000 00000FFF 00001000 Descriptor Region
00000004 0000000F 0000000C Descriptor Map
00000010 0000001B 0000000C Component Section
00000040 0000004F 00000010 Region Section
00000060 0000006B 0000000C Master Access Section
00000060 00000063 00000004 CPU/BIOS
00000064 00000067 00000004 Manageability Engine (ME)
00000068 0000006B 00000004 GbE LAN
00000100 00000103 00000004 ICH Strap 0
00000104 00000107 00000004 ICH Strap 1
00000200 00000203 00000004 MCH Strap 0
00000EFC 00000EFF 00000004 Descriptor Map 2
00000ED0 00000EF7 00000028 ME VSCC Table
00000ED0 00000ED7 00000008 Flash device 1
00000ED8 00000EDF 00000008 Flash device 2
00000EE0 00000EE7 00000008 Flash device 3
00000EE8 00000EEF 00000008 Flash device 4
00000EF0 00000EF7 00000008 Flash device 5
00000F00 00000FFF 00000100 OEM Section
00001000 001F5FFF 001F5000 ME Region
001F6000 001F7FFF 00002000 GbE Region
001F8000 001FFFFF 00008000 PDR Region
00200000 003FFFFF 00200000 BIOS Region
Start (hex) End (hex) Length (hex) Area Name
----------- --------- ------------ ---------
00000000 003FFFFF 00400000 Flash Image
00000000 00000FFF 00001000 Descriptor Region
00000004 0000000F 0000000C Descriptor Map
00000010 0000001B 0000000C Component Section
00000040 0000004F 00000010 Region Section
00000060 0000006B 0000000C Master Access Section
00000060 00000063 00000004 CPU/BIOS
00000064 00000067 00000004 Manageability Engine (ME)
00000068 0000006B 00000004 GbE LAN
00000100 00000103 00000004 ICH Strap 0
00000104 00000107 00000004 ICH Strap 1
00000200 00000203 00000004 MCH Strap 0
00000ED0 00000EF7 00000028 ME VSCC Table
00000ED0 00000ED7 00000008 Flash device 1
00000ED8 00000EDF 00000008 Flash device 2
00000EE0 00000EE7 00000008 Flash device 3
00000EE8 00000EEF 00000008 Flash device 4
00000EF0 00000EF7 00000008 Flash device 5
00000EFC 00000EFF 00000004 Descriptor Map 2
00000F00 00000FFF 00000100 OEM Section
00001000 00002FFF 00002000 GbE Region
00003000 00202FFF 00200000 BIOS Region
Build Settings
--------------
Flash Erase Size = 0x1000
</i>
</pre>
<p>
It's a utility called 'Flash Image Tool' for ME 4.x that was used for this. You drag a complete
image into in and the utility decomposes the various components, allowing you to set soft straps.
</p>
<p>
This tool is proprietary, for Windows only, but was used to deblob the X200. End justified means, and
the utility is no longer needed since the ich9deblob utility (documented on this page) can now be
used to create deblobbed descriptors.
</p>
</div>
<div class="section">
<h2 id="gbe_region">
GBE (gigabit ethernet) region in SPI flash
</h2>
<p>
Of the 8K, about 95% is 0xFF.
The data is the gbe region is fully documented in this public datasheet:
<a href="http://www.intel.co.uk/content/dam/doc/application-note/i-o-controller-hub-9m-82567lf-lm-v-nvm-map-appl-note.pdf">http://www.intel.co.uk/content/dam/doc/application-note/i-o-controller-hub-9m-82567lf-lm-v-nvm-map-appl-note.pdf</a>
</p>
<p>
The only actual content found was:
</p>
<pre>
<i>
00 1F 1F 1F 1F 1F 00 08 FF FF 83 10 FF FF FF FF
08 10 FF FF C3 10 EE 20 AA 17 F5 10 86 80 00 00
01 0D 00 00 00 00 05 06 20 30 00 0A 00 00 8B 8D
02 06 40 2B 43 00 00 00 F5 10 AD BA F5 10 BF 10
AD BA CB 10 AD BA AD BA 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 01 00 40 28 12 07 40 FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF D9 F0
20 60 1F 00 02 00 13 00 00 80 1D 00 FF 00 16 00
DD CC 18 00 11 20 17 00 DD DD 18 00 12 20 17 00
00 80 1D 00 00 00 1F
</i>
</pre>
<p>
The first part is the MAC address set to all 0x1F. It's repeated haly way through
the 8K area, and the rest is all 0xFF. This is all documented in the datasheet.
</p>
<p>
The GBe region starts at 0x20A000 bytes from the *end* of a factory image and is 0x2000 bytes long.
In libreboot (deblobbed) the descriptor is set to put gbe directly after the initial 4K flash descriptor.
So the first 4K of the ROM is the descriptor, and then the next 8K is the gbe region.
</p>
<div class="subsection">
<h3 id="gbe_region_changemacaddress">GBE region: change MAC address</h3>
<p>
According to the datasheet, it's supposed to add up to 0xBABA but can actually be others on the X200.
<a href="https://communities.intel.com/community/wired/blog/2010/10/14/how-to-basic-eeprom-checksums">https://communities.intel.com/community/wired/blog/2010/10/14/how-to-basic-eeprom-checksums</a>
</p>
<p>
<i>"One of those engineers loves classic rock music, so he selected 0xBABA"</i>
</p>
<p>In honour of the song <i>Baba O'Reilly</i> by <i>The Who</i> apparently. We're not making this stuff up...</p>
<p>
0x3ABA, 0x34BA, 0x40BA and more have been observed in the main Gbe regions on the X200 factory.rom dumps.
The checksums of the backup regions match BABA, however.
</p>
<p>
By default, the X200 (as shipped by Lenovo) actually has an invalid main gbe checksum. The backup gbe region is correct,
and is what these systems default to. Basically, you should do what you need on the *backup* gbe region, and
then correct the main one by copying from the backup.
</p>
<p>
Look at resources/utilities/ich9deblob/ich9deblob.c.
</p>
<ul>
<li>Add the first 0x3F 16bit numbers (unsigned) of the GBe descriptor together (this includes the checksum value)
and that has to add up to 0xBABA. In other words, the checksum is 0xBABA minus the total of the first
0x3E 16bit numbers (unsigned), ignoring any overflow.</li>
</ul>
</div>
</div>
<div class="section">
<h2 id="flash_descriptor_region">Flash descriptor region</h2>
<p>
<a href="http://www.intel.co.uk/content/dam/doc/datasheet/io-controller-hub-9-datasheet.pdf">http://www.intel.co.uk/content/dam/doc/datasheet/io-controller-hub-9-datasheet.pdf</a>
from page 850 onwards. This explains everything that is in the flash descriptor, which can be used to understand what libreboot
is doing about modifying it.
</p>
<p>
How to deblob:
</p>
<ul>
<li>patch the number of regions present in the descriptor from 5 - 3</li>
<li>originally descriptor + bios + me + gbe + platform</li>
<li>modified = descriptor + bios + gbe</li>
<li>the next stage is to patch the part of the descriptor which defines the start and end point of each section</li>
<li>then cut out the gbe region and insert it just after the region</li>
<li>all this can be substantiated with public docs (ICH9 datasheet)</li>
<li>the final part is flipping 2 bits. Halting the ME via 1 MCH soft strap and 1 ICH soft strap</li>
<li>the part of the descriptor described there gives the base address and length of each region (bits 12:24 of each address)</li>
<li>to disable a region, you set the base address to 0xFFF and the length to 0</li>
<li>and you change the number of regions from 4 (zero based) to 2</li>
</ul>
<p>
There's an interesting parameter called 'ME Alternate disable', which allows the ME to only handle hardware errata in the southbridge,
but disables any other functionality. This is similar to the 'ignition' in the 5 series and higher but using the standard firmware
instead of a small 128K version. Useless for libreboot, though.
</p>
<p>
To deblob GM45, you chop out the platform and ME regions and correct the addresses in flReg1-4.
Then you set meDisable to 1 in ICHSTRAP0 and MCHSTRAP0.
</p>
<p>How to patch the descriptor from the factory.rom dump</p>
<ul>
<li>map the first 4k into the struct (minus the gbe region)</li>
<li>set NR in FLMAP0 to 2 (from 4)</li>
<li>adjust BASE and LIMIT in flReg1,2,3,4 to reflect the new location of each region (or remove them in the case of Platform and ME)</li>
<li>set meDisable to 1/true in ICHSTRAP0 and MCHSTRAP0</li>
<li>extract the 8k GBe region and append that to the end of the 4k descriptor</li>
<li>output the 12k concatenated chunk</li>
<li>Then it can be dd'd into the first 12K part of a coreboot image.</li>
<li>the GBe region always starts 0x20A000 bytes from the end of the ROM</li>
</ul>
<p>
This means that libreboot's descriptor region will simply define the following regions:
</p>
<ul>
<li>descriptor (4K)</li>
<li>gbe (8K)</li>
<li>bios (rest of flash chip. CBFS also set to occupy this whole size)</li>
</ul>
<p>
The data in the descriptor region is little endian, and it represents bits 24:12 of the address
(bits 12-24, written this way since bit 24 is nearer to left than bit 12 in the binary representation).
</p>
<p>
So, <i>x << 12 = address</i>
</p>
<p>
If it's in descriptor mode, then the first 4 bytes will be 5A A5 F0 0F.
</p>
</div>
<div class="section">
<h2 id="platform_data_region">platform data partition in boot flash (factory.rom / lenovo bios)</h2>
<p>
Basically useless for libreboot, since it appears to be a blob.
Removing it didn't cause any issues in libreboot.
</p>
<p>
This is a 32K region from the factory image. It could be data
(non-functional) that the original Lenovo BIOS used, but we don't know.
</p>
<p>
It has only a 448 byte fragment different from 0x00 or 0xFF.
</p>
</div>
<div class="section">
<p>
Copyright © 2014, 2015 Francis Rowe <info@gluglug.org.uk><br/>
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3
or any later version published by the Free Software Foundation;
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
A copy of the license can be found at <a href="../gfdl-1.3.txt">../gfdl-1.3.txt</a>
</p>
<p>
Updated versions of the license (when available) can be found at
<a href="https://www.gnu.org/licenses/licenses.html">https://www.gnu.org/licenses/licenses.html</a>
</p>
<p>
UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
</p>
<p>
TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
</p>
<p>
The disclaimer of warranties and limitation of liability provided
above shall be interpreted in a manner that, to the extent
possible, most closely approximates an absolute disclaimer and
waiver of all liability.
</p>
</div>
</body>
</html>
|
