Hi,
Short version: I am trying to reset/remove Computrace in a Lenovo T500 laptop. If you have a solution, please share.
Long version: I am trying to adapt the attached Python script but it relies on an earlier version of Flashrom. So far, I find two issues: 1) The newer version of Flashrom require the -p parameter, which is easy to fix in the script. 2) The script also seems to rely on a specific format of the -L output. See the line in def dumpTheHardWay(): if line.find("chipsets")>0: The output file is created, but the subsequent loop to parse the chip list does not find "chipsets".
I contacted Core Security but they have not provided an update to the Python script, so I am trying to figure it out. The Python script is from 2009, so can you provide a sample of the -L output from a 2009 version of Flashrom so I can make the parsing loop work?
Yes, I have read the disclaimer about using Flashrom on laptops. I did not receive any warnings when running the attached so hopefully it won't brick the T500.
Thanks,
Robert
On Tue, 15 Jan 2013 15:00:29 -0700 "Robert S. Done, Ph.D." rdone@cox.net wrote:
Short version: I am trying to reset/remove Computrace in a Lenovo T500 laptop. If you have a solution, please share.
interesting :)
- The script also seems to rely on a specific format of the -L
output. See the line in def dumpTheHardWay(): if line.find("chipsets")>0: The output file is created, but the subsequent loop to parse the chip list does not find "chipsets".
you can get rid of the hardway method entirely without a big hit in functionality IMHO. if flashrom can not detect the flash chip itself it is very unlikely to succeed. the exception are some boards with SPI flashes and intel chipset where the manufacturer decided to disable the most useful ID commands (thinkpad X60, T60 etc.). as you seem to need it, i guess the t500 is affected by this too? can you please post the verbose output of flashrom on that machine? flashrom -p internal:laptop=... -VV
(fully) parsing the -L output of a current flashrom binary will be a pain. we do line funky line breaks nowadays. it is also just wrong. anyway, please see the attached version that works at least for those chips that are not broken up into multiple lines.
fun fact: software by a security firm that does not check against OOB array accesses :)
(fully) parsing the -L output of a current flashrom binary will be a pain. we do line funky line breaks nowadays. it is also just wrong. anyway, please see the attached version that works at least for those chips that are not broken up into multiple lines.
The revised version ran but did not detect the chip.
you can get rid of the hardway method entirely without a big hit in functionality IMHO. if flashrom can not detect the flash chip itself it is very unlikely to succeed. the exception are some boards with SPI flashes and intel chipset where the manufacturer decided to disable the most useful ID commands (thinkpad X60, T60 etc.). as you seem to need it, i guess the t500 is affected by this too? can you please post the verbose output of flashrom on that machine? flashrom -p internal:laptop=... -VV
To clarify, you want me to run flashrom -p internal:laptop=force_I_want_a_brick -VV ?
Thanks,
Robert
On Tue, 15 Jan 2013 19:29:44 -0700 "Robert S. Done, Ph.D." rdone@cox.net wrote:
To clarify, you want me to run flashrom -p internal:laptop=force_I_want_a_brick -VV ?
yes, so that we can investigate what the underlying problem is.
Attached is the output.
Also, here is info on a Dell. Probably a different chip, but maybe the details (offset 0×50) will be useful. http://stephane.emisfr.info/2009/09/08/getting-rid-of-computrace-on-dell-ins...
Thanks, Robert
-----Original Message----- From: Stefan Tauner [mailto:stefan.tauner@student.tuwien.ac.at] Sent: Tuesday, January 15, 2013 7:44 PM To: Robert S. Done, Ph.D. Cc: flashrom@flashrom.org Subject: Re: [flashrom] 2009 era -L output
On Tue, 15 Jan 2013 19:29:44 -0700 "Robert S. Done, Ph.D." rdone@cox.net wrote:
To clarify, you want me to run flashrom -p internal:laptop=force_I_want_a_brick -VV ?
yes, so that we can investigate what the underlying problem is.
On Tue, 15 Jan 2013 20:05:09 -0700 "Robert S. Done, Ph.D." rdone@cox.net wrote:
FREG0: WARNING: Flash Descriptor region (0x00000000-0x00000fff) is read-only. FREG2: WARNING: Management Engine region (0x00001000-0x005f5fff) is locked. PR0: WARNING: 0x007e0000-0x01ffffff is read-only. PR4: WARNING: 0x005f8000-0x005fffff is locked.
It's a bit complicated... access to the flash chip is locked down by the chipset. This can not be circumvented easily (you do not own an external flash programmer i presume?). 'locked' means neither write nor read access. The hex numbers are the address ranges involved. If the parts you want to modify are inside the writeable area then flashrom can be used by adding a few patches which were not committed to our repository yet. Without them flashrom can only do partial writes (but not reads which is needed to be any useful in this case).
The patches can be found here: http://patchwork.coreboot.org/user/bundle/37/ They are most probably outdated and wont apply to the current code, but you can either apply them to the old revision or ask me to update them if you really want to continue (there is probably a bit of additional work to do and things to learn for you if you are not familiar with software management etc).
PS: I told you to use -VV. That would be way more verbose and show you and me the complete configuration (i.a. the address range of the BIOS region which probably contains the computrace stuff).
Apologies Stefan, attached and below is the -VV output. I do not have an external flash programmer but I am interested in resolving this issue and am willing to invest in figuring it out. Let me know what the -VV output indicates the next steps should be. Thanks, Robert
robert@LenovoT500:~$ sudo flashrom -p internal:laptop=force_I_want_a_brick -VV [sudo] password for robert: flashrom v0.9.6.1-r1563 on Linux 3.5.0-19-generic (i686) flashrom is free software, get the source code at http://www.flashrom.org
flashrom was built with libpci 3.1.9, GCC 4.7.1, little endian Command line (3 args): flashrom -p internal:laptop=force_I_want_a_brick -VV Calibrating delay loop... OS timer resolution is 1 usecs, 2381M loops per second, 10 myus = 11 us, 100 myus = 113 us, 1000 myus = 1022 us, 10000 myus = 10057 us, 4 myus = 5 us, OK. Initializing internal programmer No coreboot table found. DMI string system-manufacturer: "LENOVO" DMI string system-product-name: "2241W3V" DMI string system-version: "ThinkPad T500" DMI string baseboard-manufacturer: "LENOVO" DMI string baseboard-product-name: "2241W3V" DMI string baseboard-version: "Not Available" DMI string chassis-type: "Notebook" Laptop detected via DMI. ======================================================================== WARNING! You seem to be running flashrom on an unsupported laptop. Laptops, notebooks and netbooks are difficult to support and we recommend to use the vendor flashing utility. The embedded controller (EC) in these machines often interacts badly with flashing. See http://www.flashrom.org/Laptops for details.
If flash is shared with the EC, erase is guaranteed to brick your laptop and write may brick your laptop. Read and probe may irritate your EC and cause fan failure, backlight failure and sudden poweroff. You have been warned. ======================================================================== Proceeding anyway because user forced us to. Found chipset "Intel ICH9M-E" with PCI ID 8086:2917. Enabling flash write... 0xfff80000/0xffb80000 FWH IDSEL: 0x0 0xfff00000/0xffb00000 FWH IDSEL: 0x0 0xffe80000/0xffa80000 FWH IDSEL: 0x0 0xffe00000/0xffa00000 FWH IDSEL: 0x0 0xffd80000/0xff980000 FWH IDSEL: 0x0 0xffd00000/0xff900000 FWH IDSEL: 0x0 0xffc80000/0xff880000 FWH IDSEL: 0x0 0xffc00000/0xff800000 FWH IDSEL: 0x0 0xff700000/0xff300000 FWH IDSEL: 0x4 0xff600000/0xff200000 FWH IDSEL: 0x5 0xff500000/0xff100000 FWH IDSEL: 0x6 0xff400000/0xff000000 FWH IDSEL: 0x7 0xfff80000/0xffb80000 FWH decode enabled 0xfff00000/0xffb00000 FWH decode enabled 0xffe80000/0xffa80000 FWH decode enabled 0xffe00000/0xffa00000 FWH decode enabled 0xffd80000/0xff980000 FWH decode enabled 0xffd00000/0xff900000 FWH decode enabled 0xffc80000/0xff880000 FWH decode enabled 0xffc00000/0xff800000 FWH decode enabled 0xff700000/0xff300000 FWH decode disabled 0xff600000/0xff200000 FWH decode disabled 0xff500000/0xff100000 FWH decode disabled 0xff400000/0xff000000 FWH decode disabled Maximum FWH chip size: 0x400000 bytes BIOS Lock Enable: disabled, BIOS Write Enable: disabled, BIOS_CNTL is 0x0 Root Complex Register Block address = 0xfed1c000 GCS = 0x461: BIOS Interface Lock-Down: enabled, Boot BIOS Straps: 0x1 (SPI) Top Swap : not enabled SPIBAR = 0xfed1c000 + 0x3800 0x04: 0xe008 (HSFS)
-----Original Message----- From: Stefan Tauner [mailto:stefan.tauner@student.tuwien.ac.at] Sent: Friday, January 18, 2013 7:30 PM To: Robert S. Done, Ph.D. Cc: flashrom@flashrom.org Subject: Re: [flashrom] 2009 era -L output
On Tue, 15 Jan 2013 20:05:09 -0700 "Robert S. Done, Ph.D." rdone@cox.net wrote:
FREG0: WARNING: Flash Descriptor region (0x00000000-0x00000fff) is read-only. FREG2: WARNING: Management Engine region (0x00001000-0x005f5fff) is locked. PR0: WARNING: 0x007e0000-0x01ffffff is read-only. PR4: WARNING: 0x005f8000-0x005fffff is locked.
It's a bit complicated... access to the flash chip is locked down by the chipset. This can not be circumvented easily (you do not own an external flash programmer i presume?). 'locked' means neither write nor read access. The hex numbers are the address ranges involved. If the parts you want to modify are inside the writeable area then flashrom can be used by adding a few patches which were not committed to our repository yet. Without them flashrom can only do partial writes (but not reads which is needed to be any useful in this case).
The patches can be found here: http://patchwork.coreboot.org/user/bundle/37/ They are most probably outdated and wont apply to the current code, but you can either apply them to the old revision or ask me to update them if you really want to continue (there is probably a bit of additional work to do and things to learn for you if you are not familiar with software management etc).
PS: I told you to use -VV. That would be way more verbose and show you and me the complete configuration (i.a. the address range of the BIOS region which probably contains the computrace stuff). -- Kind regards/Mit freundlichen Gr en, Stefan Tauner
On Sat, 19 Jan 2013 09:19:35 -0700 "Robert S. Done, Ph.D." rdone@cox.net wrote:
Apologies Stefan, attached and below is the -VV output. I do not have an external flash programmer but I am interested in resolving this issue and am willing to invest in figuring it out. Let me know what the -VV output indicates the next steps should be.
The next steps are what i have described in my previous mail, namely: - getting flashrom to build from source so that you can change it where/when required - applying the patches i mentioned - understanding the layout of the flash regions and the protected address ranges - using the modified version of flashrom and an appropriate layout file (see manpage) to extract the relevant parts from the flash device
In addressing Step 1 below, I attempted to get the Flashrom source from http://tracker.coreboot.org/trac/flashrom/browser/trunk but there are many files listed and I'm not sure how to proceed if I was even looking in the right place. So, please let me know if I need all of those files or just flashrom.8 or what. Thanks.
The next steps are what i have described in my previous mail, namely: 1 - getting flashrom to build from source so that you can change it where/when required 2 - applying the patches i mentioned 3 - understanding the layout of the flash regions and the protected address ranges 4 - using the modified version of flashrom and an appropriate layout file (see manpage) to extract the relevant parts from the flash device
-----Original Message----- From: Stefan Tauner [mailto:stefan.tauner@student.tuwien.ac.at] Sent: Thursday, January 24, 2013 10:06 PM To: Robert S. Done, Ph.D. Cc: flashrom@flashrom.org Subject: Re: [flashrom] 2009 era -L output
On Sat, 19 Jan 2013 09:19:35 -0700 "Robert S. Done, Ph.D." rdone@cox.net wrote:
Apologies Stefan, attached and below is the -VV output. I do not have an external flash programmer but I am interested in resolving this issue and am willing to invest in figuring it out. Let me know what the -VV output indicates the next steps should be.
The next steps are what i have described in my previous mail, namely: - getting flashrom to build from source so that you can change it where/when required - applying the patches i mentioned - understanding the layout of the flash regions and the protected address ranges - using the modified version of flashrom and an appropriate layout file (see manpage) to extract the relevant parts from the flash device
2013/1/15 Robert S. Done, Ph.D. rdone@cox.net:
Hi,
Short version: I am trying to reset/remove Computrace in a Lenovo T500 laptop. If you have a solution, please share.
It's easy to find out that the CompuTrace module (optionrom) can be permanently disabled:
https://www.google.nl/search?q=t500+remove+computrace
http://forums.lenovo.com/t5/T400-T500-and-newer-T-series/BIOS-option-to-quot...
-
Idwer Vollering -
Robert S. Done, Ph.D. -
Stefan Tauner