Hello Zoran,
I've run quite a lot of tests recently and the results are in fact inconclusive... Following is the (long) description of experiments I made recently and in the past.
1. BIOS structure. The T400 BIOS does not fully look like the T420 one. It seems that the BIOS does not start at 0x500000, more likely at 0x600000. The MAC address can be found 4 or 5 times in the image at: 0x22F48, 0x81FDD, 0x5F6000, 0x5F7000. In fact it is in different places in different images, however the last 2 locations, 0x5F6000 and 0x5F7000, are always the same. Looking around I found nice info about the BIOS, made by people that bypass whitelists in Lenovo BIOSes. You might find it interesting:
http://www.endeer.cz/bios.tools/
http://www.endeer.cz/bios.tools/bios.html
http://web.dodds.net/~vorlon/wiki/blog/Upgrading_a_ThinkPad_BIOS/
With phnxsplit I was able to get 60 different files out of the BIOS image and it seems that the tool works right. I'm attaching a list of modules the program found; a description of the "code characters" can be found in phnxfunc.c. This tool compiles on Linux, but it needs some simple patching because of tons of compiler warnings.
2. Coreboot/libreboot. For testing I used a precompiled libreboot image from https://libreboot.org/release/stable/20160907/rom/grub/ made for the T400. It can be put on any machine (overwriting the whole flash chip) and it works equally well. MAC addresses are at 0x1000 and 0x2000 in the image and can be changed with ich9gen - I think that you know it well.
3. Moving BIOSes - this is strange. In the past, when I had just started working on the T400, I had one board with coreboot already installed and one with the original BIOS. The coreboot board had ATI and Intel graphics, while the BIOS board had only Intel. I decided to exchange the flash chips and it worked. Now it really sounds strange, but both boards booted OK and the original BIOS correctly detected that it was on a dual graphics board and showed the right menu options. Then, after upgrading the BIOS to the latest version (3.22), the board experienced the long booting problem. It happens and there are threads on the Lenovo forums about it, so I assume that it has nothing to do with the chip exchange. I tried to fix it by changing the settings of the TPM chip and after enabling it the board did not boot at all - I left the board as a spare parts supply then. Now I took it back and started to experiment: put the libreboot image on it - works right, but any other original BIOS image and it does not boot. On the other hand, the other board (with just Intel graphics) works with any original BIOS image - I've tried 2 different ones, again overwriting the whole chip. It seems that the problem is not related to the flash chip data but maybe to the RFID memory you mentioned, or the TPM. I don't know what I can do about it - maybe boot the machine with coreboot and then try to change some TPM settings on Linux??
4. Further tests. I put back 2 T400 laptops with easily accessible programming connectors, so now I can play with any images without complicated disassembly. If there is anything I can check/post/try then let me know. My ultimate dream would be to have tp_smapi functionality in coreboot, but it seems that this is a long way ahead. Anyway, I am attaching the descriptor (0x0-0x1000) from the original BIOS image.
Very Best Regards, Michael Widlok
On Sun, Feb 5, 2017 at 6:00 PM, Zoran Stojsavljevic <zoran.stojsavljevic@gmail.com> wrote:
Hello Michael,
Before doing any programming, I have here a couple of suggestions for you. You should investigate.
Namely, this: http://thinkwiki.de/UEFI_BIOS_T420_BIOS_Structure
Also, you should look at the movie here: https://www.youtube.com/watch?v=DLwaKb6pLrc&feature=player_embedded
Since I am not sure that T420 UEFI BIOS is the same structure as legacy BIOS T400 has (since I remember that T420 is UEFI, legacy/CSM was on - I had one at work since 2011 till 2014). But it is worth trying, nothing to lose.
Knowing that T420 BIOS structure looks like (and I bet it is stored in only one 8MB flash, as my best bet):
[image: Inline image 1]
You should read your T400 Coreboot flash content, and try to see if it complies with the structure given above. If it does, you are All Cool. Namely, you should try to read the GbE region, and see where the MAC address is (which you find using the Linux command: ifconfig -a). If you manage to find the spot, you are 100% sure you are All Good, since then you'll read another BIOS content, and after that you will have a lot of possibilities for experiments:
[1] You can reprogram the BIOS from the original BIOS to your Coreboot flash, rewriting the last 0x300000 bytes;
[2] You can rewrite the original MAC address to another BIOS, and try to boot;
[3] You can compare/combine regions, and see what'll happen?!
[4] You name it!
I have no idea if you tampered with ME... And no idea if ME for each LENOVO specimen keeps some unique data from/for the platform.
But I am eager to hear/read what you find investigating the T400 structure, does it look the same as the T420, et cetera. :-)
You can also read descriptor region, and post it somewhere, so we can peek into it (I remember, I have somewhere some explanations about some of these descriptor region data).
Thank you, Zoran
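The check discussed above (read the descriptor, locate the GbE region, look for the MAC there), as an added example that is not part of the thread or of any project's code. It assumes the standard Intel flash descriptor layout (signature 0x0FF0A55A followed by FLMAP0, with FLREG entries at FRBA) and that each 4 KiB half of the GbE region starts with the MAC, as the 0x1000/0x2000 offsets reported for the libreboot image suggest; the function names and the sample image are constructed.

```python
import struct

FD_SIGNATURE = 0x0FF0A55A          # Intel flash descriptor signature
REGIONS = ("descriptor", "bios", "me", "gbe", "platform")

def parse_regions(image):
    """Map region name -> (base, limit) from the descriptor's FLREG entries."""
    sig = struct.pack("<I", FD_SIGNATURE)
    pos = image.find(sig)
    while pos != -1 and pos % 4:            # signature is dword aligned
        pos = image.find(sig, pos + 1)
    if pos == -1:
        raise ValueError("no flash descriptor signature in image")
    (flmap0,) = struct.unpack_from("<I", image, pos + 4)
    frba = ((flmap0 >> 16) & 0xFF) << 4     # region section base address
    found = {}
    for i, name in enumerate(REGIONS):
        (flreg,) = struct.unpack_from("<I", image, frba + 4 * i)
        base = (flreg & 0x1FFF) << 12
        limit = (((flreg >> 16) & 0x1FFF) << 12) | 0xFFF
        if base <= limit:                   # base > limit marks an unused region
            found[name] = (base, limit)
    return found

def gbe_macs(image):
    """Return [(offset, mac)] for each 4 KiB half of the GbE region."""
    base, limit = parse_regions(image)["gbe"]
    out = []
    for off in range(base, limit + 1, 0x1000):
        out.append((off, ":".join(f"{b:02x}" for b in image[off:off + 6])))
    return out

def build_sample():
    """Constructed 16 KiB image: descriptor, 8 KiB GbE, 4 KiB BIOS, no ME."""
    img = bytearray(b"\xff" * 0x4000)
    struct.pack_into("<II", img, 0x10, FD_SIGNATURE, 0x04 << 16)  # FRBA = 0x40
    struct.pack_into("<5I", img, 0x40, 0x00000000, 0x00030003,
                     0x00001FFF, 0x00020001, 0x00001FFF)
    mac = bytes.fromhex("020000aabbcc")     # constructed, locally administered
    img[0x1000:0x1006] = mac
    img[0x2000:0x2006] = mac
    return bytes(img)

if __name__ == "__main__":
    for off, mac in gbe_macs(build_sample()):
        print(f"GbE copy at {off:#x}: {mac}")
```

On a real dump, pass the bytes of the file read from the chip to `gbe_macs` and compare the result with the address the running system reports.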
On Sat, Feb 4, 2017 at 8:41 AM, Michal Widlok michalwd1979@gmail.com wrote:
Zoran, I'm working on this subject now, but I need to do regular work too :-).
Seriously, I'm in the process of changing my current stationary work-horse to two T400 laptops on docking stations. I've just received the docks (very dirty, noisy fans) and I lent my Raspberry programmer to a friend. I hope to finish working on the hardware this weekend and I will be ready to play with BIOSes when I get the Raspberry back. I think that the first method would be to "copy" flash from one board to another and we will see. I will also try to change the MAC in the original BIOS, maybe this is possible. I will report everything back, hope it will help someone. Michael Widlok
PS. Sorry for the double mail, I messed up the addresses.
On Fri, Feb 3, 2017 at 9:58 PM, Zoran Stojsavljevic zoran.stojsavljevic@gmail.com wrote:
Ron, I do agree, does not seem to be promising. It will add problems down the road, as requirements grow.
Zoran
On Fri, Feb 3, 2017 at 8:45 PM, ron minnich rminnich@gmail.com wrote:
On Fri, Feb 3, 2017 at 9:45 AM Zoran Stojsavljevic zoran.stojsavljevic@gmail.com wrote:
Ron, any (practical) example of above described practices? I have in my laptops here 6 x 4 GB DIMM modules and 2 x 8GB DIMM modules, all of them have SPD mounted.
DIMMs are so great but so old school :-)
on some systems, in flash, there are 4 and 8 element tables which are indexed by GPIOs. You use the 2 or 3 bits from 2-3 GPIOs to index the table and that's how you get your RAM programming. No SPD. You can see how much room this leaves for problems.
This is just one simple example.
ron
-- coreboot mailing list: coreboot@coreboot.org https://www.coreboot.org/mailman/listinfo/coreboot