GM45 Thinkpad Internal flashing research: Difference between revisions

Revision as of 15:25, 1 March 2017

The goal is to be able to flash internally the x200 with Flashrom.

The Lenovo X200 uses the following mechanisms to prevent internal reflashing:

Flash descriptor: Set the flash descriptor read-only, locks the ME, and platform regions.
PR registers: Sets the BIOS bootblock read-only and prevent access to the platform region
The BUC.TS register is locked.

If we remove the flash descriptor read-only protection we are able to easily reflash coreboot, but:
- The flash descriptor restrictions may be able to be lifted by using the GPIO33, but accessing that pin is very difficult and has huge probability of breaking the board.
- Finding a command to send to the ME to unlock it is very unlikely, as it is only supposed to work when the management engine is in manufacture-mode. The Me is not in manufacture-mode on production laptops.
- Find a way to disable or crash the ME would probably have no effect at all on flash protections

The bootblock is read-only, and sets the PR registers protections. There might be a way to ask it nicely to remove such protections, to be able to reflash coreboot.
Modded boot firmware that disable WiFi card whitelist, have:
- The bootblock that doesn't set the PR registers
- A flash descriptor that disables the Management Engine

@@ Line 16: / Line 16: @@
 == Approaches ==
 * The bootblock is read-only, and sets the PR registers protections. There might be a way to ask it nicely to remove such protections, to be able to reflash coreboot.
-* Some unofficial BIOS updates (that removes the WiFi whitelist limitation) exists and are rumored to disable PR registers protections.
+* Modded boot firmware that disable WiFi card whitelist, have:
+** The bootblock that doesn't set the PR registers
+** A flash descriptor that disables the Management Engine