Re: [coreboot] Where to get ME image/flash descriptors for the x220?
Have fun https://github.com/zaolin/coreboot-thinkpad-doc/tree/x220/firmware/splited On 03/13/2017 09:11 PM, taii...@gmx.com wrote: On 03/08/2017 01:29 PM, Igor Skochinsky wrote: Hello Taiidan, Alas, the 8duj28us.exe update and a few others I checked do not seem to contain the ME region or the descriptor. There is 8duj28us.exe with the ME update but it requires an already running ME to be applied. You could in theory extract the partitions from it and assemble into a valid ME region by constructing an FPT but that's not trivial. I would suggest you to just take the descriptor and ME region from "random people on the internet". The descriptor does not contain any code and the ME firmware is signed by Intel so it can't be backdoored by randos (there are much easier ways to hack people than stealing keys from Intel). Damn :[ There is also the .iso bios update with the .FL2 and FL1 files what about that? I had heard rumors from a couple people that there are ME signing keys floating around in the darknet on some elite hacker forums so I was paranoid as I don't want to have my machine used to hack something important. -- coreboot mailing list: coreboot@coreboot.org https://www.coreboot.org/mailman/listinfo/coreboot
Re: [coreboot] Where to get ME image/flash descriptors for the x220?
On 03/08/2017 01:29 PM, Igor Skochinsky wrote: Hello Taiidan, Alas, the 8duj28us.exe update and a few others I checked do not seem to contain the ME region or the descriptor. There is 8duj28us.exe with the ME update but it requires an already running ME to be applied. You could in theory extract the partitions from it and assemble into a valid ME region by constructing an FPT but that's not trivial. I would suggest you to just take the descriptor and ME region from "random people on the internet". The descriptor does not contain any code and the ME firmware is signed by Intel so it can't be backdoored by randos (there are much easier ways to hack people than stealing keys from Intel). Damn :[ There is also the .iso bios update with the .FL2 and FL1 files what about that? I had heard rumors from a couple people that there are ME signing keys floating around in the darknet on some elite hacker forums so I was paranoid as I don't want to have my machine used to hack something important. -- coreboot mailing list: coreboot@coreboot.org https://www.coreboot.org/mailman/listinfo/coreboot
Re: [coreboot] Where to get ME image/flash descriptors for the x220?
Hello Taiidan, Tuesday, March 7, 2017, 6:23:37 AM, you wrote: Tgc>Uhh thanks but that's kinda missing the point of this - that I Tgc>don't want binaries from random people on the internet. Alas, the 8duj28us.exe update and a few others I checked do not seem to contain the ME region or the descriptor. There is 8duj28us.exe with the ME update but it requires an already running ME to be applied. You could in theory extract the partitions from it and assemble into a valid ME region by constructing an FPT but that's not trivial. I would suggest you to just take the descriptor and ME region from "random people on the internet". The descriptor does not contain any code and the ME firmware is signed by Intel so it can't be backdoored by randos (there are much easier ways to hack people than stealing keys from Intel). Tgc>I need to know how to extract it from the bios update files, not the bios already on the EEPROM. Tgc>On 03/06/2017 11:35 PM, Matt DeVillier wrote: Tgc>>I have the IFD and ME from an x220 that I recently flashed with coreboot Tgc>>for a customer, extracted from their stock firmware, and verified working Tgc>>with the coreboot ROM I subsequently flashed. Can zip and send via email, Tgc>>or whatever you prefer Tgc>?On Mon, Mar 6, 2017 at 10:23 PM, taii...@gmx.comwrote: Tgc>?On 03/05/2017 05:20 AM, Arthur Heymans wrote: Tgc>?"taii...@gmx.com" writes: Tgc>?Well I managed to download the latest BIOS from the lenovo site, which Tgc>?includes an ME update now the issue is that I can't seem to figure out Tgc>?how to extract it from the .FL1 and .FL2 files. Tgc>?Those might have a length too long to fit a flash so you need to trim Tgc>?those down before using ifdtool on those (If they contain and ifd of Tgc>?course) Tgc>?so depending on size of rom Tgc>?dd if=FL1(or 2)file of=vendor_bios.rom bs=1 count=xM Tgc>?and then ifdtool -x vendor_bios.rom Tgc>?It didn't work after that still "no flash descriptor found in this Tgc>?image" Tgc>?These are the files and the flash chip on the board is 8M Tgc>?8523776 '$01CB000.FL1' Tgc>?8523776 '$01CB000.FL2' Tgc>?8523776 '$01CB100.FL2' Tgc>?All of them have different hashes, but I do not know what makes them Tgc>?different (maybe it is for various board revisions?) Tgc>?I would also like to know as to how I can re-flash the EC firmware if Tgc>?that could potentially cause problems, I of course do not know if it Tgc>?has DMA. Tgc>?Only existing tool to flash EC is using vendor tool. Tgc>?EC are only accessed trough port mapped IO (or on newer ones also via Tgc>?memory mapped IO). EC itself does not have DMA afaik. Tgc>?-- Tgc>?coreboot mailing list: coreboot@coreboot.org Tgc>?https://www.coreboot.org/mailman/listinfo/coreboot -- WBR, Igormailto:rox...@skynet.be -- coreboot mailing list: coreboot@coreboot.org https://www.coreboot.org/mailman/listinfo/coreboot
Re: [coreboot] Where to get ME image/flash descriptors for the x220?
Hi Taiidan, try following these instructions: 1) download the latest official BIOS update .exe file from your laptop manufacturer's website (Lenovo in this case) 2) open this .exe file with 7zip utility and extract all its' contents to a separate folder 3) most likely is that amoung these extracted files you will see a several megabytes binary file, which contains not just a BIOS image but also EC firmware image and some other images. Then you open this binary file in a hex editor like Okteta and search for some ASCII string symbols like for example _EC_IMG to e.g. locate the beginning of EC firmware block, and knowing what size in bytes the EC firmware should be - you cut the same amount of bytes after _EC_IMG text - and save into a new binary file Something like that, will probably work for you. Good luck in your research ;) 2017-03-07 5:23 GMT+00:00 taii...@gmx.com: > Uhh thanks but that's kinda missing the point of this - that I don't want > binaries from random people on the internet. > > I need to know how to extract it from the bios update files, not the bios > already on the EEPROM. > > > On 03/06/2017 11:35 PM, Matt DeVillier wrote: > > I have the IFD and ME from an x220 that I recently flashed with coreboot > for a customer, extracted from their stock firmware, and verified working > with the coreboot ROM I subsequently flashed. Can zip and send via email, > or whatever you prefer > > On Mon, Mar 6, 2017 at 10:23 PM, taii...@gmx.com > wrote: > > > On 03/05/2017 05:20 AM, Arthur Heymans wrote: > "taii...@gmx.com" > writes: > > Well I managed to download the latest BIOS from the lenovo site, which > > includes an ME update now the issue is that I can't seem to figure out > how to extract it from the .FL1 and .FL2 files. > > Those might have a length too long to fit a flash so you need to trim > > those down before using ifdtool on those (If they contain and ifd of > course) > so depending on size of rom > dd if=FL1(or 2)file of=vendor_bios.rom bs=1 count=xM > > and then ifdtool -x vendor_bios.rom > > > It didn't work :( after that still "no flash descriptor found in this > image" > > These are the files and the flash chip on the board is 8M > 8523776 '$01CB000.FL1' > 8523776 '$01CB000.FL2' > 8523776 '$01CB100.FL2' > All of them have different hashes, but I do not know what makes them > different (maybe it is for various board revisions?) > > > > I would also like to know as to how I can re-flash the EC firmware if > > that could potentially cause problems, I of course do not know if it > has DMA. > > Only existing tool to flash EC is using vendor tool. > > EC are only accessed trough port mapped IO (or on newer ones also via > memory mapped IO). EC itself does not have DMA afaik. > > > > -- > coreboot mailing list: > coreboot@coreboot.orghttps://www.coreboot.org/mailman/listinfo/coreboot > > > > > > -- > coreboot mailing list: coreboot@coreboot.org > https://www.coreboot.org/mailman/listinfo/coreboot > -- coreboot mailing list: coreboot@coreboot.org https://www.coreboot.org/mailman/listinfo/coreboot
Re: [coreboot] Where to get ME image/flash descriptors for the x220?
Uhh thanks but that's kinda missing the point of this - that I don't want binaries from random people on the internet. I need to know how to extract it from the bios update files, not the bios already on the EEPROM. On 03/06/2017 11:35 PM, Matt DeVillier wrote: I have the IFD and ME from an x220 that I recently flashed with coreboot for a customer, extracted from their stock firmware, and verified working with the coreboot ROM I subsequently flashed. Can zip and send via email, or whatever you prefer On Mon, Mar 6, 2017 at 10:23 PM, taii...@gmx.comwrote: On 03/05/2017 05:20 AM, Arthur Heymans wrote: "taii...@gmx.com" writes: Well I managed to download the latest BIOS from the lenovo site, which includes an ME update now the issue is that I can't seem to figure out how to extract it from the .FL1 and .FL2 files. Those might have a length too long to fit a flash so you need to trim those down before using ifdtool on those (If they contain and ifd of course) so depending on size of rom dd if=FL1(or 2)file of=vendor_bios.rom bs=1 count=xM and then ifdtool -x vendor_bios.rom It didn't work :( after that still "no flash descriptor found in this image" These are the files and the flash chip on the board is 8M 8523776 '$01CB000.FL1' 8523776 '$01CB000.FL2' 8523776 '$01CB100.FL2' All of them have different hashes, but I do not know what makes them different (maybe it is for various board revisions?) I would also like to know as to how I can re-flash the EC firmware if that could potentially cause problems, I of course do not know if it has DMA. Only existing tool to flash EC is using vendor tool. EC are only accessed trough port mapped IO (or on newer ones also via memory mapped IO). EC itself does not have DMA afaik. -- coreboot mailing list: coreboot@coreboot.org https://www.coreboot.org/mailman/listinfo/coreboot -- coreboot mailing list: coreboot@coreboot.org https://www.coreboot.org/mailman/listinfo/coreboot
Re: [coreboot] Where to get ME image/flash descriptors for the x220?
I have the IFD and ME from an x220 that I recently flashed with coreboot for a customer, extracted from their stock firmware, and verified working with the coreboot ROM I subsequently flashed. Can zip and send via email, or whatever you prefer On Mon, Mar 6, 2017 at 10:23 PM, taii...@gmx.comwrote: > On 03/05/2017 05:20 AM, Arthur Heymans wrote: > > "taii...@gmx.com" writes: >> >> Well I managed to download the latest BIOS from the lenovo site, which >>> includes an ME update now the issue is that I can't seem to figure out >>> how to extract it from the .FL1 and .FL2 files. >>> >>> Those might have a length too long to fit a flash so you need to trim >> those down before using ifdtool on those (If they contain and ifd of >> course) >> so depending on size of rom >> dd if=FL1(or 2)file of=vendor_bios.rom bs=1 count=xM >> >> and then ifdtool -x vendor_bios.rom >> > It didn't work :( after that still "no flash descriptor found in this > image" > > These are the files and the flash chip on the board is 8M > 8523776 '$01CB000.FL1' > 8523776 '$01CB000.FL2' > 8523776 '$01CB100.FL2' > All of them have different hashes, but I do not know what makes them > different (maybe it is for various board revisions?) > > >> I would also like to know as to how I can re-flash the EC firmware if >>> that could potentially cause problems, I of course do not know if it >>> has DMA. >>> >>> Only existing tool to flash EC is using vendor tool. >> EC are only accessed trough port mapped IO (or on newer ones also via >> memory mapped IO). EC itself does not have DMA afaik. >> >> > -- > coreboot mailing list: coreboot@coreboot.org > https://www.coreboot.org/mailman/listinfo/coreboot > -- coreboot mailing list: coreboot@coreboot.org https://www.coreboot.org/mailman/listinfo/coreboot
Re: [coreboot] Where to get ME image/flash descriptors for the x220?
On 03/05/2017 05:20 AM, Arthur Heymans wrote: "taii...@gmx.com"writes: Well I managed to download the latest BIOS from the lenovo site, which includes an ME update now the issue is that I can't seem to figure out how to extract it from the .FL1 and .FL2 files. Those might have a length too long to fit a flash so you need to trim those down before using ifdtool on those (If they contain and ifd of course) so depending on size of rom dd if=FL1(or 2)file of=vendor_bios.rom bs=1 count=xM and then ifdtool -x vendor_bios.rom It didn't work :( after that still "no flash descriptor found in this image" These are the files and the flash chip on the board is 8M 8523776 '$01CB000.FL1' 8523776 '$01CB000.FL2' 8523776 '$01CB100.FL2' All of them have different hashes, but I do not know what makes them different (maybe it is for various board revisions?) I would also like to know as to how I can re-flash the EC firmware if that could potentially cause problems, I of course do not know if it has DMA. Only existing tool to flash EC is using vendor tool. EC are only accessed trough port mapped IO (or on newer ones also via memory mapped IO). EC itself does not have DMA afaik. -- coreboot mailing list: coreboot@coreboot.org https://www.coreboot.org/mailman/listinfo/coreboot
Re: [coreboot] Where to get ME image/flash descriptors for the x220?
There's a lot of useful info here relating to X230 ECs, which may help. Mostly applicable to the X220 too. https://github.com/hamishcoleman/thinkpad-ec On Sun, 5 Mar 2017, at 14:31, qma ster wrote: > It should be possible to reflash EC internal firmware through a > keyboard port, - or maybe through some other debug port that may or > may not be soldered by default... For example, here is a guide that > describes how to reflash EC KB9012 internal firmware on Lenovo G505S - > "AMD based laptop that is supported by coreboot project" , > http://dangerousprototypes.com/docs/Flashing_KB9012_with_Bus_Pirate . > Thanks to this method it is possible to flash a completely clean EC > KB9012 firmware image, which: 1) does not contain any "secret configs" > (could be stored in the free place after the firmware) 2) does not > contain any serial numbers or other specific laptop information ... > For any EC it is guaranteed that it IS possible to reflash a firmware > through In-System Programming (direct flashing) - otherwise, 1) how > the manufacturers flash EC for the first time? ;) 2) if some laptop's > EC is burned, how do repair shops flash a firmware to a new > replacement EC? > Sadly, for this direct flashing method you may need to buy a > proprietary programmer (closed source hardware/software) , because a > flashrom does not support every EC in existence > > 2017-03-05 13:20 GMT+03:00 Arthur Heymans: >> "taii...@gmx.com" writes: >> >> > Well I managed to download the latest BIOS from the lenovo site, >> > which includes an ME update now the issue is that I can't seem to >> > figure out how to extract it from the .FL1 and .FL2 files. >> > >> Those might have a length too long to fit a flash so you need to trim >> those down before using ifdtool on those (If they contain and ifd of >> course) >> so depending on size of rom >> dd if=FL1(or 2)file of=vendor_bios.rom bs=1 count=xM >> >> and then ifdtool -x vendor_bios.rom >> >> > I would also like to know as to how I can re-flash the EC firmware >> > if that could potentially cause problems, I of course do not know >> > if it has DMA. >> > >> >> Only existing tool to flash EC is using vendor tool. >> EC are only accessed trough port mapped IO (or on newer ones >> also via >> memory mapped IO). EC itself does not have DMA afaik. >> >> -- >> Arthur Heymans >> >> -- >> coreboot mailing list: coreboot@coreboot.org >> https://www.coreboot.org/mailman/listinfo/coreboot > -- > coreboot mailing list: coreboot@coreboot.org > https://www.coreboot.org/mailman/listinfo/coreboot -- coreboot mailing list: coreboot@coreboot.org https://www.coreboot.org/mailman/listinfo/coreboot
Re: [coreboot] Where to get ME image/flash descriptors for the x220?
It should be possible to reflash EC internal firmware through a keyboard port, - or maybe through some other debug port that may or may not be soldered by default... For example, here is a guide that describes how to reflash EC KB9012 internal firmware on Lenovo G505S - "AMD based laptop that is supported by coreboot project" , http://dangerousprototypes.com/docs/Flashing_KB9012_with_Bus_Pirate . Thanks to this method it is possible to flash a completely clean EC KB9012 firmware image, which: 1) does not contain any "secret configs" (could be stored in the free place after the firmware) 2) does not contain any serial numbers or other specific laptop information ... For any EC it is guaranteed that it IS possible to reflash a firmware through In-System Programming (direct flashing) - otherwise, 1) how the manufacturers flash EC for the first time? ;) 2) if some laptop's EC is burned, how do repair shops flash a firmware to a new replacement EC? Sadly, for this direct flashing method you may need to buy a proprietary programmer (closed source hardware/software) , because a flashrom does not support every EC in existence 2017-03-05 13:20 GMT+03:00 Arthur Heymans: > "taii...@gmx.com" writes: > > > Well I managed to download the latest BIOS from the lenovo site, which > > includes an ME update now the issue is that I can't seem to figure out > > how to extract it from the .FL1 and .FL2 files. > > > Those might have a length too long to fit a flash so you need to trim > those down before using ifdtool on those (If they contain and ifd of > course) > so depending on size of rom > dd if=FL1(or 2)file of=vendor_bios.rom bs=1 count=xM > > and then ifdtool -x vendor_bios.rom > > > I would also like to know as to how I can re-flash the EC firmware if > > that could potentially cause problems, I of course do not know if it > > has DMA. > > > > Only existing tool to flash EC is using vendor tool. > EC are only accessed trough port mapped IO (or on newer ones also via > memory mapped IO). EC itself does not have DMA afaik. > > -- > Arthur Heymans > > -- > coreboot mailing list: coreboot@coreboot.org > https://www.coreboot.org/mailman/listinfo/coreboot > -- coreboot mailing list: coreboot@coreboot.org https://www.coreboot.org/mailman/listinfo/coreboot
Re: [coreboot] Where to get ME image/flash descriptors for the x220?
"taii...@gmx.com"writes: > Well I managed to download the latest BIOS from the lenovo site, which > includes an ME update now the issue is that I can't seem to figure out > how to extract it from the .FL1 and .FL2 files. > Those might have a length too long to fit a flash so you need to trim those down before using ifdtool on those (If they contain and ifd of course) so depending on size of rom dd if=FL1(or 2)file of=vendor_bios.rom bs=1 count=xM and then ifdtool -x vendor_bios.rom > I would also like to know as to how I can re-flash the EC firmware if > that could potentially cause problems, I of course do not know if it > has DMA. > Only existing tool to flash EC is using vendor tool. EC are only accessed trough port mapped IO (or on newer ones also via memory mapped IO). EC itself does not have DMA afaik. -- Arthur Heymans -- coreboot mailing list: coreboot@coreboot.org https://www.coreboot.org/mailman/listinfo/coreboot
Re: [coreboot] Where to get ME image/flash descriptors for the x220?
Well I managed to download the latest BIOS from the lenovo site, which includes an ME update now the issue is that I can't seem to figure out how to extract it from the .FL1 and .FL2 files. I would also like to know as to how I can re-flash the EC firmware if that could potentially cause problems, I of course do not know if it has DMA. If I was a foreign intel service I would definitely be selling thinkpads on ebay, considering that sysadmins and programmers are the only ones who buy them. On 02/20/2017 05:16 PM, taii...@gmx.com wrote: I want generic ones, not the sketchy extracted ones that came with my fleabay laptop. The lenovo website doesn't work on my computer BTW -- coreboot mailing list: coreboot@coreboot.org https://www.coreboot.org/mailman/listinfo/coreboot
[coreboot] Where to get ME image/flash descriptors for the x220?
I want generic ones, not the sketchy extracted ones that came with my fleabay laptop. The lenovo website doesn't work on my computer BTW -- coreboot mailing list: coreboot@coreboot.org https://www.coreboot.org/mailman/listinfo/coreboot