Re: [coreboot] Where to get ME image/flash descriptors for the x220?

[Zaolin]

Have fun 
https://github.com/zaolin/coreboot-thinkpad-doc/tree/x220/firmware/splited



On 03/13/2017 09:11 PM, taii...@gmx.com wrote:

On 03/08/2017 01:29 PM, Igor Skochinsky wrote:


Hello Taiidan,

Alas, the 8duj28us.exe update and a few others I checked do not seem 
to contain the ME region or the descriptor. There is 8duj28us.exe 
with the ME update but it requires an already running ME to be 
applied. You could in theory extract the partitions from it and 
assemble into a valid ME region by constructing an FPT but that's not 
trivial. I would suggest you to just take the descriptor and ME 
region from "random people on the internet". The descriptor does not 
contain any code and the ME firmware is signed by Intel so it can't 
be backdoored by randos (there are much easier ways to hack people 
than stealing keys from Intel).

Damn :[
There is also the .iso bios update with the .FL2 and FL1 files what 
about that?


I had heard rumors from a couple people that there are ME signing keys 
floating around in the darknet on some elite hacker forums so I was 
paranoid as I don't want to have my machine used to hack something 
important.





--
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Where to get ME image/flash descriptors for the x220?

[taii...@gmx.com]

On 03/08/2017 01:29 PM, Igor Skochinsky wrote:


Hello Taiidan,

Alas, the 8duj28us.exe update and a few others I checked do not seem to contain the ME 
region or the descriptor. There is 8duj28us.exe with the ME update but it requires an 
already running ME to be applied. You could in theory extract the partitions from it and 
assemble into a valid ME region by constructing an FPT but that's not trivial. I would 
suggest you to just take the descriptor and ME region from "random people on the 
internet". The descriptor does not contain any code and the ME firmware is signed by 
Intel so it can't be backdoored by randos (there are much easier ways to hack people than 
stealing keys from Intel).

Damn :[
There is also the .iso bios update with the .FL2 and FL1 files what 
about that?


I had heard rumors from a couple people that there are ME signing keys 
floating around in the darknet on some elite hacker forums so I was 
paranoid as I don't want to have my machine used to hack something 
important.


--
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Where to get ME image/flash descriptors for the x220?

[Igor Skochinsky via coreboot]

Hello Taiidan,

Tuesday, March 7, 2017, 6:23:37 AM, you wrote:

Tgc>Uhh thanks but that's kinda missing the point of this - that I
Tgc>don't want binaries from random people on the internet.

Alas, the 8duj28us.exe update and a few others I checked do not seem to contain 
the ME region or the descriptor. There is 8duj28us.exe with the ME update but 
it requires an already running ME to be applied. You could in theory extract 
the partitions from it and assemble into a valid ME region by constructing an 
FPT but that's not trivial. I would suggest you to just take the descriptor and 
ME region from "random people on the internet". The descriptor does not contain 
any code and the ME firmware is signed by Intel so it can't be backdoored by 
randos (there are much easier ways to hack people than stealing keys from 
Intel).

Tgc>I need to know how to extract it from the bios update files, not the bios 
already on the EEPROM.

Tgc>On 03/06/2017 11:35 PM, Matt DeVillier wrote:
Tgc>>I have the IFD and ME from an x220 that I recently flashed with coreboot
Tgc>>for a customer, extracted from their stock firmware, and verified working
Tgc>>with the coreboot ROM I subsequently flashed.  Can zip and send via email,
Tgc>>or whatever you prefer

Tgc>?On Mon, Mar 6, 2017 at 10:23 PM, taii...@gmx.com  wrote:

Tgc>?On 03/05/2017 05:20 AM, Arthur Heymans wrote:

Tgc>?"taii...@gmx.com"  writes:
Tgc>?Well I managed to download the latest BIOS from the lenovo site, which
Tgc>?includes an ME update now the issue is that I can't seem to figure out
Tgc>?how to extract it from the .FL1 and .FL2 files.

Tgc>?Those might have a length too long to fit a flash so you need to trim
Tgc>?those down before using ifdtool on those (If they contain and ifd of
Tgc>?course)
Tgc>?so depending on size of rom
Tgc>?dd if=FL1(or 2)file of=vendor_bios.rom bs=1 count=xM

Tgc>?and then ifdtool -x vendor_bios.rom

Tgc>?It didn't work   after that still "no flash descriptor found in this
Tgc>?image"

Tgc>?These are the files and the flash chip on the board is 8M
Tgc>?8523776 '$01CB000.FL1'
Tgc>?8523776 '$01CB000.FL2'
Tgc>?8523776 '$01CB100.FL2'
Tgc>?All of them have different hashes, but I do not know what makes them
Tgc>?different (maybe it is for various board revisions?)


Tgc>?I would also like to know as to how I can re-flash the EC firmware if
Tgc>?that could potentially cause problems, I of course do not know if it
Tgc>?has DMA.

Tgc>?Only existing tool to flash EC is using vendor tool.
Tgc>?EC are only accessed trough port mapped IO (or on newer ones also via
Tgc>?memory mapped IO). EC itself does not have DMA afaik.


Tgc>?--
Tgc>?coreboot mailing list: coreboot@coreboot.org 
Tgc>?https://www.coreboot.org/mailman/listinfo/coreboot






-- 
WBR,
 Igormailto:rox...@skynet.be


-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Where to get ME image/flash descriptors for the x220?

[qma ster]

Hi Taiidan, try following these instructions:
1) download the latest official BIOS update .exe file from your laptop
manufacturer's website (Lenovo in this case)
2) open this .exe file with 7zip utility and extract all its' contents to a
separate folder
3) most likely is that amoung these extracted files you will see a several
megabytes binary file, which contains not just a BIOS image but also EC
firmware image and some other images. Then you open this binary file in a
hex editor like Okteta and search for some ASCII string symbols like for
example _EC_IMG to e.g. locate the beginning of EC firmware block, and
knowing what size in bytes the EC firmware should be - you cut the same
amount of bytes after _EC_IMG text - and save into a new binary file
Something like that, will probably work for you. Good luck in your research
;)

2017-03-07 5:23 GMT+00:00 taii...@gmx.com :

> Uhh thanks but that's kinda missing the point of this - that I don't want
> binaries from random people on the internet.
>
> I need to know how to extract it from the bios update files, not the bios
> already on the EEPROM.
>
>
> On 03/06/2017 11:35 PM, Matt DeVillier wrote:
>
> I have the IFD and ME from an x220 that I recently flashed with coreboot
> for a customer, extracted from their stock firmware, and verified working
> with the coreboot ROM I subsequently flashed.  Can zip and send via email,
> or whatever you prefer
>
> On Mon, Mar 6, 2017 at 10:23 PM, taii...@gmx.com  
>  wrote:
>
>
> On 03/05/2017 05:20 AM, Arthur Heymans wrote:
> "taii...@gmx.com"    
> writes:
>
> Well I managed to download the latest BIOS from the lenovo site, which
>
> includes an ME update now the issue is that I can't seem to figure out
> how to extract it from the .FL1 and .FL2 files.
>
> Those might have a length too long to fit a flash so you need to trim
>
> those down before using ifdtool on those (If they contain and ifd of
> course)
> so depending on size of rom
> dd if=FL1(or 2)file of=vendor_bios.rom bs=1 count=xM
>
> and then ifdtool -x vendor_bios.rom
>
>
> It didn't work :( after that still "no flash descriptor found in this
> image"
>
> These are the files and the flash chip on the board is 8M
> 8523776 '$01CB000.FL1'
> 8523776 '$01CB000.FL2'
> 8523776 '$01CB100.FL2'
> All of them have different hashes, but I do not know what makes them
> different (maybe it is for various board revisions?)
>
>
>
> I would also like to know as to how I can re-flash the EC firmware if
>
> that could potentially cause problems, I of course do not know if it
> has DMA.
>
> Only existing tool to flash EC is using vendor tool.
>
> EC are only accessed trough port mapped IO (or on newer ones also via
> memory mapped IO). EC itself does not have DMA afaik.
>
>
>
> --
> coreboot mailing list: 
> coreboot@coreboot.orghttps://www.coreboot.org/mailman/listinfo/coreboot
>
>
>
>
>
> --
> coreboot mailing list: coreboot@coreboot.org
> https://www.coreboot.org/mailman/listinfo/coreboot
>
-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Where to get ME image/flash descriptors for the x220?

[taii...@gmx.com]

Uhh thanks but that's kinda missing the point of this - that I don't 
want binaries from random people on the internet.


I need to know how to extract it from the bios update files, not the 
bios already on the EEPROM.


On 03/06/2017 11:35 PM, Matt DeVillier wrote:

I have the IFD and ME from an x220 that I recently flashed with coreboot
for a customer, extracted from their stock firmware, and verified working
with the coreboot ROM I subsequently flashed.  Can zip and send via email,
or whatever you prefer

On Mon, Mar 6, 2017 at 10:23 PM, taii...@gmx.com  wrote:


On 03/05/2017 05:20 AM, Arthur Heymans wrote:

"taii...@gmx.com"  writes:

Well I managed to download the latest BIOS from the lenovo site, which

includes an ME update now the issue is that I can't seem to figure out
how to extract it from the .FL1 and .FL2 files.

Those might have a length too long to fit a flash so you need to trim

those down before using ifdtool on those (If they contain and ifd of
course)
so depending on size of rom
dd if=FL1(or 2)file of=vendor_bios.rom bs=1 count=xM

and then ifdtool -x vendor_bios.rom


It didn't work :( after that still "no flash descriptor found in this
image"

These are the files and the flash chip on the board is 8M
8523776 '$01CB000.FL1'
8523776 '$01CB000.FL2'
8523776 '$01CB100.FL2'
All of them have different hashes, but I do not know what makes them
different (maybe it is for various board revisions?)



I would also like to know as to how I can re-flash the EC firmware if

that could potentially cause problems, I of course do not know if it
has DMA.

Only existing tool to flash EC is using vendor tool.

EC are only accessed trough port mapped IO (or on newer ones also via
memory mapped IO). EC itself does not have DMA afaik.



--
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot






-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Where to get ME image/flash descriptors for the x220?

[Matt DeVillier]

I have the IFD and ME from an x220 that I recently flashed with coreboot
for a customer, extracted from their stock firmware, and verified working
with the coreboot ROM I subsequently flashed.  Can zip and send via email,
or whatever you prefer

On Mon, Mar 6, 2017 at 10:23 PM, taii...@gmx.com  wrote:

> On 03/05/2017 05:20 AM, Arthur Heymans wrote:
>
> "taii...@gmx.com"  writes:
>>
>> Well I managed to download the latest BIOS from the lenovo site, which
>>> includes an ME update now the issue is that I can't seem to figure out
>>> how to extract it from the .FL1 and .FL2 files.
>>>
>>> Those might have a length too long to fit a flash so you need to trim
>> those down before using ifdtool on those (If they contain and ifd of
>> course)
>> so depending on size of rom
>> dd if=FL1(or 2)file of=vendor_bios.rom bs=1 count=xM
>>
>> and then ifdtool -x vendor_bios.rom
>>
> It didn't work :( after that still "no flash descriptor found in this
> image"
>
> These are the files and the flash chip on the board is 8M
> 8523776 '$01CB000.FL1'
> 8523776 '$01CB000.FL2'
> 8523776 '$01CB100.FL2'
> All of them have different hashes, but I do not know what makes them
> different (maybe it is for various board revisions?)
>
>
>> I would also like to know as to how I can re-flash the EC firmware if
>>> that could potentially cause problems, I of course do not know if it
>>> has DMA.
>>>
>>> Only existing tool to flash EC is using vendor tool.
>> EC are only accessed trough port mapped IO (or on newer ones also via
>> memory mapped IO). EC itself does not have DMA afaik.
>>
>>
> --
> coreboot mailing list: coreboot@coreboot.org
> https://www.coreboot.org/mailman/listinfo/coreboot
>
-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Where to get ME image/flash descriptors for the x220?

[taii...@gmx.com]

On 03/05/2017 05:20 AM, Arthur Heymans wrote:


"taii...@gmx.com"  writes:


Well I managed to download the latest BIOS from the lenovo site, which
includes an ME update now the issue is that I can't seem to figure out
how to extract it from the .FL1 and .FL2 files.


Those might have a length too long to fit a flash so you need to trim
those down before using ifdtool on those (If they contain and ifd of
course)
so depending on size of rom
dd if=FL1(or 2)file of=vendor_bios.rom bs=1 count=xM

and then ifdtool -x vendor_bios.rom

It didn't work :( after that still "no flash descriptor found in this image"

These are the files and the flash chip on the board is 8M
8523776 '$01CB000.FL1'
8523776 '$01CB000.FL2'
8523776 '$01CB100.FL2'
All of them have different hashes, but I do not know what makes them 
different (maybe it is for various board revisions?)





I would also like to know as to how I can re-flash the EC firmware if
that could potentially cause problems, I of course do not know if it
has DMA.


Only existing tool to flash EC is using vendor tool.
EC are only accessed trough port mapped IO (or on newer ones also via
memory mapped IO). EC itself does not have DMA afaik.



--
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Where to get ME image/flash descriptors for the x220?

[cb]

There's a lot of useful info here relating to X230 ECs, which may help.
Mostly applicable to the X220 too.


https://github.com/hamishcoleman/thinkpad-ec





On Sun, 5 Mar 2017, at 14:31, qma ster wrote:

> It should be possible to reflash EC internal firmware through a
> keyboard port, - or maybe through some other debug port that may or
> may not be soldered by default... For example, here is a guide that
> describes how to reflash EC KB9012 internal firmware on Lenovo G505S -
> "AMD based laptop that is supported by coreboot project" ,
> http://dangerousprototypes.com/docs/Flashing_KB9012_with_Bus_Pirate .
> Thanks to this method it is possible to flash a completely clean EC
> KB9012 firmware image, which: 1) does not contain any "secret configs"
> (could be stored in the free place after the firmware) 2) does not
> contain any serial numbers or other specific laptop information ...
> For any EC it is guaranteed that it IS possible to reflash a firmware
> through In-System Programming (direct flashing) - otherwise, 1) how
> the manufacturers flash EC for the first time? ;) 2) if some laptop's
> EC is burned, how do repair shops flash a firmware to a new
> replacement EC?
> Sadly, for this direct flashing method you may need to buy a
> proprietary programmer (closed source hardware/software) , because a
> flashrom does not support every EC in existence
> 

> 2017-03-05 13:20 GMT+03:00 Arthur Heymans :

>> "taii...@gmx.com"  writes:
>>
>>  > Well I managed to download the latest BIOS from the lenovo site,
>>  > which includes an ME update now the issue is that I can't seem to
>>  > figure out how to extract it from the .FL1 and .FL2 files.
>>  >
>> Those might have a length too long to fit a flash so you need to trim
>>  those down before using ifdtool on those (If they contain and ifd of
>>  course)

>>  so depending on size of rom

>>  dd if=FL1(or 2)file of=vendor_bios.rom bs=1 count=xM

>> 

>>  and then ifdtool -x vendor_bios.rom

>>
>>  > I would also like to know as to how I can re-flash the EC firmware
>>  > if that could potentially cause problems, I of course do not know
>>  > if it has DMA.
>>  >
>>
>> Only existing tool to flash EC is using vendor tool.
>>  EC are only accessed trough port mapped IO (or on newer ones
>>  also via
>>  memory mapped IO). EC itself does not have DMA afaik.

>> 
>>  --
>>  Arthur Heymans

>> 

>> --

>>  coreboot mailing list: coreboot@coreboot.org

>> https://www.coreboot.org/mailman/listinfo/coreboot

> --

> coreboot mailing list: coreboot@coreboot.org

> https://www.coreboot.org/mailman/listinfo/coreboot


-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Where to get ME image/flash descriptors for the x220?

[qma ster]

It should be possible to reflash EC internal firmware through a keyboard
port, - or maybe through some other debug port that may or may not be
soldered by default... For example, here is a guide that describes how to
reflash EC KB9012 internal firmware on Lenovo G505S - "AMD based laptop
that is supported by coreboot project" ,
http://dangerousprototypes.com/docs/Flashing_KB9012_with_Bus_Pirate .
Thanks to this method it is possible to flash a completely clean EC KB9012
firmware image, which: 1) does not contain any "secret configs" (could be
stored in the free place after the firmware) 2) does not contain any serial
numbers or other specific laptop information ... For any EC it is
guaranteed that it IS possible to reflash a firmware through In-System
Programming (direct flashing) - otherwise, 1) how the manufacturers flash
EC for the first time? ;) 2) if some laptop's EC is burned, how do repair
shops flash a firmware to a new replacement EC?
Sadly, for this direct flashing method you may need to buy a proprietary
programmer (closed source hardware/software) , because a flashrom does not
support every EC in existence

2017-03-05 13:20 GMT+03:00 Arthur Heymans :

> "taii...@gmx.com"  writes:
>
> > Well I managed to download the latest BIOS from the lenovo site, which
> > includes an ME update now the issue is that I can't seem to figure out
> > how to extract it from the .FL1 and .FL2 files.
> >
> Those might have a length too long to fit a flash so you need to trim
> those down before using ifdtool on those (If they contain and ifd of
> course)
> so depending on size of rom
> dd if=FL1(or 2)file of=vendor_bios.rom bs=1 count=xM
>
> and then ifdtool -x vendor_bios.rom
>
> > I would also like to know as to how I can re-flash the EC firmware if
> > that could potentially cause problems, I of course do not know if it
> > has DMA.
> >
>
> Only existing tool to flash EC is using vendor tool.
> EC are only accessed trough port mapped IO (or on newer ones also via
> memory mapped IO). EC itself does not have DMA afaik.
>
> --
> Arthur Heymans
>
> --
> coreboot mailing list: coreboot@coreboot.org
> https://www.coreboot.org/mailman/listinfo/coreboot
>
-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Where to get ME image/flash descriptors for the x220?

[Arthur Heymans]

"taii...@gmx.com"  writes:

> Well I managed to download the latest BIOS from the lenovo site, which
> includes an ME update now the issue is that I can't seem to figure out
> how to extract it from the .FL1 and .FL2 files.
>
Those might have a length too long to fit a flash so you need to trim
those down before using ifdtool on those (If they contain and ifd of
course)
so depending on size of rom
dd if=FL1(or 2)file of=vendor_bios.rom bs=1 count=xM

and then ifdtool -x vendor_bios.rom

> I would also like to know as to how I can re-flash the EC firmware if
> that could potentially cause problems, I of course do not know if it
> has DMA.
>

Only existing tool to flash EC is using vendor tool.
EC are only accessed trough port mapped IO (or on newer ones also via
memory mapped IO). EC itself does not have DMA afaik.

-- 
Arthur Heymans

-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Where to get ME image/flash descriptors for the x220?

[taii...@gmx.com]

Well I managed to download the latest BIOS from the lenovo site, which 
includes an ME update now the issue is that I can't seem to figure out 
how to extract it from the .FL1 and .FL2 files.


I would also like to know as to how I can re-flash the EC firmware if 
that could potentially cause problems, I of course do not know if it has 
DMA.



If I was a foreign intel service I would definitely be selling thinkpads 
on ebay, considering that sysadmins and programmers are the only ones 
who buy them.

On 02/20/2017 05:16 PM, taii...@gmx.com wrote:
I want generic ones, not the sketchy extracted ones that came with my 
fleabay laptop.


The lenovo website doesn't work on my computer BTW





--
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

[coreboot] Where to get ME image/flash descriptors for the x220?

[taii...@gmx.com]

I want generic ones, not the sketchy extracted ones that came with my 
fleabay laptop.


The lenovo website doesn't work on my computer BTW


--
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot