GM45 Thinkpad Internal flashing research: Difference between revisions
Jump to navigation
Jump to search
Line 16: | Line 16: | ||
== Approaches == | == Approaches == | ||
* The bootblock is read-only, and sets the PR registers protections. There might be a way to ask it nicely to remove such protections, to be able to reflash coreboot. | * The bootblock is read-only, and sets the PR registers protections. There might be a way to ask it nicely to remove such protections, to be able to reflash coreboot. | ||
* Modded boot firmware that disable WiFi card whitelist, have: | * Modded boot firmware that disable WiFi card whitelist, have some unused components: | ||
** | ** A bootblock that doesn't set the PR registers | ||
** A flash descriptor that disables the Management Engine | ** A flash descriptor that disables the Management Engine | ||
* They are unused during the boot fimrware update,because it will only update other sections of the image. |
Revision as of 15:29, 1 March 2017
Introduction
The goal is to be able to flash internally the x200 with Flashrom.
Anti-reflashing mechanisms
The Lenovo X200 uses the following mechanisms to prevent internal reflashing:
- Flash descriptor: Set the flash descriptor read-only, locks the ME, and platform regions.
- PR registers: Sets the BIOS bootblock read-only and prevent access to the platform region
- The BUC.TS register is locked.
Non-working approaches
- If we remove the flash descriptor read-only protection we are able to easily reflash coreboot, but:
- The flash descriptor restrictions may be able to be lifted by using the GPIO33, but accessing that pin is very difficult and has huge probability of breaking the board.
- Finding a command to send to the ME to unlock it is very unlikely, as it is only supposed to work when the management engine is in manufacture-mode. The Me is not in manufacture-mode on production laptops.
- Find a way to disable or crash the ME would probably have no effect at all on flash protections
Approaches
- The bootblock is read-only, and sets the PR registers protections. There might be a way to ask it nicely to remove such protections, to be able to reflash coreboot.
- Modded boot firmware that disable WiFi card whitelist, have some unused components:
- A bootblock that doesn't set the PR registers
- A flash descriptor that disables the Management Engine
- They are unused during the boot fimrware update,because it will only update other sections of the image.