[coreboot] Back to original BIOS

Michal Widlok michalwd1979 at gmail.com
Wed Feb 8 12:04:40 CET 2017


Hello Zoran,

I've run quite a lot of tests recently and the results are in fact
inconclusive... Following is the (long) description of experiments I made
recently and in the past.

1. BIOS structure. T400 BIOS does not fully look like T420. It seems that
BIOS does not start at 0x500000, more likely at 0x600000. The MAC address can
be found 4 or 5 times in the image at: 0x22F48, 0x81FDD, 0x5F6000, 0x5F7000.
In fact it is in different places in different images, however the last 2
locations 0x5F6000, 0x5F7000 are always the same. Looking around I found
nice info about the BIOS, made by people that bypass whitelists in Lenovo
BIOSes - You might find it interesting:
http://www.endeer.cz/bios.tools/
http://www.endeer.cz/bios.tools/bios.html
http://web.dodds.net/~vorlon/wiki/blog/Upgrading_a_ThinkPad_BIOS/
With phnxsplit I was able to get 60 different files out of the BIOS image
and it seems that the tool works right. I'm attaching a list of modules the
program found; a description of the "code characters" can be found in phnxfunc.c.
This tool compiles on Linux, but it needs some simple patching because of
tons of compiler warnings.

2. Coreboot/libreboot. For testing I used a precompiled libreboot image from
https://libreboot.org/release/stable/20160907/rom/grub/ made for T400. It can
be put on any machine (overwriting the whole flash chip) and it works equally
well. MAC addresses are at 0x1000 and 0x2000 in the image and can be changed
with ich9gen - I think that You know it well.

3. Moving bioses - this is strange. In the past when I just started working
on T400 I had one board with already installed coreboot and one with
original bios. Coreboot board had ati and intel graphics, while bios board
only intel. I decided to exchange flash chips and it worked. Now it really
sounds strange, but both boards booted OK and the original bios correctly
detected that it is on a dual graphics board and showed the right menu options.
Then after upgrading bios to the latest version (3.22) the board
experienced long booting problem. It happens and there are threads on
lenovo forums about it, so I assume that it has nothing to do with the chip
exchange. I tried to fix by changing settings of TPM chip and after
enabling it the board did not boot at all - I left the board as spare parts
supply then.
Now I took it back and started to experiment: put the libreboot image -
works right, but any other original bios image and it does not boot.
On the other hand other board (with just intel graphics) works with any
original bios image - I've tried 2 different ones, again overwriting the whole
chip.
It seems that the problem is not related to flash chip data but maybe to
RFID memory You mentioned, or TPM. I don't know what I can do about it -
maybe boot the machine with coreboot and then try to change some TPM
settings on Linux??

4. Further tests. I put back 2 T400 laptops with easily accessible
programming connectors, so now I can play with any images without
complicated disassembly. If there is anything I can check/post/try then let
me know. My ultimate dream would be to have tp_smapi functionality in
coreboot, but it seems that this is a long way ahead. Anyway I am attaching
descriptor (0x0-0x1000) from original bios image.

Very Best Regards,
Michael Widlok

On Sun, Feb 5, 2017 at 6:00 PM, Zoran Stojsavljevic <zoran.stojsavljevic at gmail.com> wrote:

> Hello Michael,
>
> Before doing any programming, I have here a couple of suggestions for you.
> You should investigate.
>
> Namely, this: http://thinkwiki.de/UEFI_BIOS_T420_BIOS_Structure
>
> Also, you should look upon the movie here:
> https://www.youtube.com/watch?v=DLwaKb6pLrc&feature=player_embedded
>
> Since I am not sure that T420 UEFI BIOS is the same structure as legacy
> BIOS T400 has (since I remember that T420 is UEFI, legacy/CSM was on - I
> had one at work since 2011 till 2014). But it is worth trying, nothing to
> lose.
>
> Knowing that T420 BIOS structure looks like (and I bet it is stored in
> only one 8MB flash, as my best bet):
>
> [image: Inline image 1]
>
> You should read your T400 Coreboot flash content, and try to see if it
> complies with the given above structure. If it does, you are All Cool.
> Namely, you should try to read GbE region, and see where the MAC address
> (which you find using Linux command: ifconfig -a). If you appear to find
> the spot, you are 100% sure you are All Good, since then you'll read
> another BIOS content, and after you will have lot of possibilities for
> experiments:
> [1] You can reprogram the BIOS from original BIOS to your Coreboot flash
> rewriting last 0x300000 bytes;
> [2] You can rewrite original MAC address to another BIOS, and try to boot;
> [3] You can compare/combine regions, and see what'll happen?!
> [4] You name it!
>
> I have no idea if you tampered with ME... And no idea if ME for each
> LENOVO specimen keeps some unique data from/for the platform.
>
> But I am eager to hear/read what did you find investigating about T400
> structure, does it look the same as T420, and et cetera. :-)
>
> You can also read descriptor region, and post it somewhere, so we can peek
> into it (I remember, I have somewhere some explanations about some of these
> descriptor region data).
>
> Thank you,
> Zoran
>
> On Sat, Feb 4, 2017 at 8:41 AM, Michal Widlok <michalwd1979 at gmail.com> wrote:
>
>> Zoran, I'm working on this subject now, but I need to do regular work too
>> :-).
>>
>> Seriously I'm in the process of changing my current stationary
>> work-horse to two T400 laptops on docking stations. I've just received
>> docks (very dirty, noisy fans) and I borrowed my Raspberry programmer
>> to a friend. I hope to finish working on hardware this weekend and I
>> will be ready to play with bioses when I get Raspberry back. I think
>> that the first method would be to "copy" flash from one board to
>> another and we will see. I also try to change MAC in original bios,
>> maybe this is possible. I will report everything back, hope it will
>> help someone.
>> Michael Widlok
>>
>> PS. Sorry for double mail I messed addresses.
>>
>> On Fri, Feb 3, 2017 at 9:58 PM, Zoran Stojsavljevic
>> <zoran.stojsavljevic at gmail.com> wrote:
>> > Ron, I do agree, does not seem to be promising. It will add problems
>> > down the road, as requirements grow.
>> >
>> > Zoran
>> >
>> > On Fri, Feb 3, 2017 at 8:45 PM, ron minnich <rminnich at gmail.com> wrote:
>> >>
>> >>
>> >>
>> >> On Fri, Feb 3, 2017 at 9:45 AM Zoran Stojsavljevic
>> >> <zoran.stojsavljevic at gmail.com> wrote:
>> >>>
>> >>>
>> >>>
>> >>> Ron, any (practical) example of above described practices? I have in
>> >>> my laptops here 6 x 4 GB DIMM modules and 2 x 8GB DIMM modules, all of
>> >>> them have SPD mounted.
>> >>
>> >>
>> >>
>> >> DIMMs are so great but so old school :-)
>> >>
>> >> on some systems, in flash, there are 4 and 8 element tables which are
>> >> indexed by GPIOs. You use the 2 or 3 bits from 2-3 GPIOs to index the
>> >> table and that's how you get your RAM programming. No SPD. You can see
>> >> how much room this leaves for problems.
>> >>
>> >> This is just one simple example.
>> >>
>> >> ron
>> >>
>> >
>> >
>>
>> --
>> coreboot mailing list: coreboot at coreboot.org
>> https://www.coreboot.org/mailman/listinfo/coreboot
>>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 9235 bytes
Desc: not available
URL: <http://www.coreboot.org/pipermail/coreboot/attachments/20170208/2338e617/attachment.png>
-------------- next part --------------
phnxsplit.exe by Ender

Found module at position 0x68858D.
Type A, number 03, block length 26653.
possible lzint compression (1, 6805).
pos 6849969 orig 26617 pack 26617
Ok.
Found module at position 0x68EDAA.
Type A, number 02, block length 354.
possible lzint compression (1, 14A).
pos 6876622 orig 318 pack 318
Ok.
Found module at position 0x68EF0C.
Type +, number 01, block length 34.
Unknown compression (54, 4E4C), lens 100, 25, A1F9. Just copying.
Found module at position 0x6B3000.
Type B, number 02, block length 46405.
lzint compression (C6, 8).
pos 7024684
Ok.
Found module at position 0x6BE545.
Type B, number 07, block length 6399.
lzint compression (C6, 8).
pos 7071089
Ok.
Found module at position 0x6BFE44.
Type L, number 02, block length 182.
possible lzint compression (1, 9E).
pos 7077480 orig 158 pack 158
Ok.
Found module at position 0x6BFEFA.
Type A, number 04, block length 107.
possible lzint compression (1, 53).
pos 7077662 orig 71 pack 71
Ok.
Found module at position 0x6C9000.
Type Q, number 00, block length 13902.
possible lzint compression (1, 3636).
pos 7114788 orig 13878 pack 13878
Ok.
Found module at position 0x6DC64E.
Type +, number 00, block length 10416.
possible lzint compression (1, 2898).
pos 7194226 orig 10392 pack 10392
Ok.
Found module at position 0x6EEEFE.
Type /, number 00, block length 24.
Unknown compression (EB, AA55), lens 6867, AB4, 7970. Just copying.
Found module at position 0x6FEF16.
Type ), number 00, block length 24.
Unknown compression (E9, AA55), lens 4E, 4000, 4943. Just copying.
Found module at position 0x70EF2E.
Type B, number 03, block length 43836.
lzint compression (C6, 8).
pos 7401306
Ok.
Found module at position 0x719A6A.
Type ,, number 00, block length 25476.
Unknown compression (60, 8B55), lens 9B16, 2E06, 9C. Just copying.
Found module at position 0x721D85.
Type B, number 00, block length 42037.
lzint compression (C6, 8).
pos 7478705
Ok.
Found module at position 0x72C1BA.
Type R, number 01, block length 41777.
possible lzint compression (1, A319).
pos 7520734 orig 41753 pack 41753
Ok.
Found module at position 0x7364EB.
Type R, number 02, block length 41772.
possible lzint compression (1, A314).
pos 7562511 orig 41748 pack 41748
Ok.
Found module at position 0x740817.
Type R, number 03, block length 41445.
possible lzint compression (1, A1CD).
pos 7604283 orig 41421 pack 41421
Ok.
Found module at position 0x74A9FC.
Type R, number 00, block length 41089.
possible lzint compression (1, A069).
pos 7645728 orig 41065 pack 41065
Ok.
Found module at position 0x75E7C7.
Type B, number 04, block length 38737.
lzint compression (C6, 8).
pos 7727091
Ok.
Found module at position 0x767F18.
Type B, number 06, block length 35080.
lzint compression (C6, 8).
pos 7765828
Ok.
Found module at position 0x770828.
Type M, number 00, block length 25032.
possible lzint compression (1, 61B0).
pos 7800908 orig 25008 pack 25008
Ok.
Found module at position 0x7769F0.
Type H, number 00, block length 24497.
possible lzint compression (1, 5F99).
pos 7825940 orig 24473 pack 24473
Ok.
Found module at position 0x7769F0.
Type H, number 00, block length 24497.
possible lzint compression (1, 5F99).
pos 7825940 orig 24473 pack 24473
Ok.
Found module at position 0x77C9A1.
Type R, number 05, block length 22976.
possible lzint compression (1, 59A8).
pos 7850437 orig 22952 pack 22952
Ok.
Found module at position 0x782361.
Type R, number 06, block length 22976.
possible lzint compression (1, 59A8).
pos 7873413 orig 22952 pack 22952
Ok.
Found module at position 0x787D21.
Type E, number 00, block length 22811.
possible lzint compression (1, 5903).
pos 7896389 orig 22787 pack 22787
Ok.
Found module at position 0x78D63C.
Type J, number 00, block length 21528.
Unknown compression (EB, AA55), lens 3856, 7570, 6361. Just copying.
Found module at position 0x792A54.
Type T, number 00, block length 21156.
possible lzint compression (1, 528C).
pos 7940728 orig 21132 pack 21132
Ok.
Found module at position 0x797CF8.
Type S, number 00, block length 19885.
possible lzint compression (1, 4D95).
pos 7961884 orig 19861 pack 19861
Ok.
Found module at position 0x79CAA5.
Type R, number 04, block length 18418.
possible lzint compression (1, 47DA).
pos 7981769 orig 18394 pack 18394
Ok.
Found module at position 0x7A1297.
Type K, number 00, block length 17578.
possible lzint compression (1, 4492).
pos 8000187 orig 17554 pack 17554
Ok.
Found module at position 0x7A5741.
Type %, number 00, block length 15393.
possible lzint compression (1, 3C09).
pos 8017765 orig 15369 pack 15369
Ok.
Found module at position 0x7A9362.
Type B, number 08, block length 14332.
lzint compression (C6, 8).
pos 8033166
Ok.
Found module at position 0x7ACB5E.
Type L, number 00, block length 10268.
possible lzint compression (1, 2804).
pos 8047490 orig 10244 pack 10244
Ok.
Found module at position 0x7AF37A.
Type D, number 00, block length 3160.
lzint compression (C6, 8).
pos 8057766
Ok.
Found module at position 0x7B0F3D.
Type A, number 00, block length 164.
possible lzint compression (1, 8C).
pos 8064865 orig 128 pack 128
Ok.
Found module at position 0x7BB800.
Type Y, number 00, block length 13868.
possible lzint compression (1, 3614).
pos 8108068 orig 13844 pack 13844
Ok.
Found module at position 0x7BEE2C.
Type K, number 03, block length 9105.
possible lzint compression (1, 2379).
pos 8121936 orig 9081 pack 9081
Ok.
Found module at position 0x7C11BD.
Type -, number 00, block length 7050.
Unknown compression (20, 38E9), lens CDE8, 3856, E6E8. Just copying.
Found module at position 0x7C600A.
Type B, number 05, block length 4128.
lzint compression (C6, 8).
pos 8151094
Ok.
Found module at position 0x7C7E4B.
Type B, number 01, block length 3471.
lzint compression (C6, 8).
pos 8158839
Ok.
Found module at position 0x7C8BDA.
Type K, number 01, block length 3111.
possible lzint compression (1, C0F).
pos 8162302 orig 3087 pack 3087
Ok.
Found module at position 0x7C9801.
Type K, number 02, block length 3111.
possible lzint compression (1, C0F).
pos 8165413 orig 3087 pack 3087
Ok.
Found module at position 0x7CB9EF.
Type L, number 0F, block length 2464.
possible lzint compression (1, 988).
pos 8174099 orig 2440 pack 2440
Ok.
Found module at position 0x7D175B.
Type L, number 11, block length 1860.
possible lzint compression (1, 72C).
pos 8198015 orig 1836 pack 1836
Ok.
Found module at position 0x7D1E9F.
Type L, number 0D, block length 1822.
possible lzint compression (1, 706).
pos 8199875 orig 1798 pack 1798
Ok.
Found module at position 0x7D25BD.
Type L, number 12, block length 1747.
possible lzint compression (1, 6BB).
pos 8201697 orig 1723 pack 1723
Ok.
Found module at position 0x7D39E9.
Type L, number 13, block length 1593.
possible lzint compression (1, 621).
pos 8206861 orig 1569 pack 1569
Ok.
Found module at position 0x7D5B5E.
Type L, number 10, block length 1295.
possible lzint compression (1, 4F7).
pos 8215426 orig 1271 pack 1271
Ok.
Found module at position 0x7D778A.
Type L, number 0E, block length 963.
possible lzint compression (1, 3AB).
pos 8222638 orig 939 pack 939
Ok.
Found module at position 0x7D7B4D.
Type F, number 00, block length 666.
possible lzint compression (1, 282).
pos 8223601 orig 642 pack 642
Ok.
Found module at position 0x7D7F36.
Type J, number 01, block length 180.
Unknown compression (0, 0), lens 5352, 206, 2400. Just copying.
Found module at position 0x7D7FEA.
Type L, number 03, block length 152.
possible lzint compression (1, 80).
pos 8224782 orig 128 pack 128
Ok.
Found module at position 0x7D8082.
Type L, number 08, block length 149.
possible lzint compression (1, 7D).
pos 8224934 orig 125 pack 125
Ok.
Found module at position 0x7D8117.
Type L, number 09, block length 148.
possible lzint compression (1, 7C).
pos 8225083 orig 124 pack 124
Ok.
Found module at position 0x7D81AB.
Type L, number 0A, block length 148.
possible lzint compression (1, 7C).
pos 8225231 orig 124 pack 124
Ok.
Found module at position 0x7D823F.
Type L, number 07, block length 147.
possible lzint compression (1, 7B).
pos 8225379 orig 123 pack 123
Ok.
Found module at position 0x7D8362.
Type L, number 06, block length 142.
possible lzint compression (1, 76).
pos 8225670 orig 118 pack 118
Ok.
Found module at position 0x7D83F0.
Type L, number 01, block length 132.
possible lzint compression (1, 6C).
pos 8225812 orig 108 pack 108
Ok.
Found module at position 0x7D83F0.
Type L, number 01, block length 132.
possible lzint compression (1, 6C).
pos 8225812 orig 108 pack 108
Ok.
Found module at position 0x7D84F2.
Type A, number 05, block length 124.
possible lzint compression (1, 64).
pos 8226070 orig 88 pack 88
Ok.
Found module at position 0x7D84F2.
Type A, number 05, block length 124.
possible lzint compression (1, 64).
pos 8226070 orig 88 pack 88
Ok.
Found module at position 0x7D85E2.
Type L, number 0C, block length 101.
possible lzint compression (1, 4D).
pos 8226310 orig 77 pack 77
Ok.
Found module at position 0x7D8647.
Type A, number 01, block length 98.
possible lzint compression (1, 4A).
pos 8226411 orig 62 pack 62
Ok.
Found module at position 0x7D86A9.
Type A, number 07, block length 95.
possible lzint compression (1, 47).
pos 8226509 orig 59 pack 59
Ok.
Found module at position 0x7D8762.
Type A, number 06, block length 87.
possible lzint compression (1, 3F).
pos 8226694 orig 51 pack 51
Ok.
Found module at position 0x7D87B9.
Type L, number 04, block length 76.
possible lzint compression (1, 34).
pos 8226781 orig 52 pack 52
Ok.
Found module at position 0x7D8925.
Type L, number 05, block length 71.
possible lzint compression (1, 2F).
pos 8227145 orig 47 pack 47
Ok.
Found module at position 0x7D896C.
Type L, number 0B, block length 50.
Unknown compression (0, 4750), lens 0, F00, 2. Just copying.
Done.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: desc.rom
Type: application/octet-stream
Size: 4096 bytes
Desc: not available
URL: <http://www.coreboot.org/pipermail/coreboot/attachments/20170208/2338e617/attachment.obj>
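
Added example (not part of the original post and not coreboot/libreboot code): the check discussed in this thread, reading the flash descriptor's region table and reporting which region each copy of the MAC address falls in. It assumes Intel's published descriptor layout for ICH9-class chipsets (signature 0x0FF0A55A followed by FLMAP0, FRBA in FLMAP0 bits 23:16, 4 KiB-granular base/limit in each FLREG); the function names and the 16 KiB sample image, which mirrors the libreboot layout with MAC copies at 0x1000 and 0x2000, are constructed for illustration.

```python
import struct

FD_SIGNATURE = 0x0FF0A55A  # flash descriptor valid signature
REGION_NAMES = ["Descriptor", "BIOS", "ME", "GbE", "Platform"]  # FLREG0..4

def parse_regions(image):
    """Return {region_name: (first_byte, last_byte)} from the descriptor."""
    # Signature is at offset 0 on ICH9-era parts, 0x10 on later ones.
    pos = image.find(struct.pack("<I", FD_SIGNATURE), 0, 0x1000)
    if pos < 0:
        raise ValueError("no flash descriptor signature in the first 4 KiB")
    (flmap0,) = struct.unpack_from("<I", image, pos + 4)
    frba = ((flmap0 >> 16) & 0xFF) << 4  # region table offset
    regions = {}
    for i, name in enumerate(REGION_NAMES):
        (flreg,) = struct.unpack_from("<I", image, frba + 4 * i)
        base = (flreg & 0x1FFF) << 12
        limit = (((flreg >> 16) & 0x1FFF) << 12) | 0xFFF
        if base <= limit:  # base > limit means the region is unused
            regions[name] = (base, limit)
    return regions

def locate_mac(image, mac):
    """Return [(offset, region_name)] for each occurrence of the MAC bytes."""
    needle = bytes.fromhex(mac.replace(":", ""))
    if len(needle) != 6:
        raise ValueError("MAC address must be 6 bytes")
    regions = parse_regions(image)
    hits, pos = [], image.find(needle)
    while pos >= 0:
        owner = next((n for n, (lo, hi) in regions.items() if lo <= pos <= hi),
                     "unmapped")
        hits.append((pos, owner))
        pos = image.find(needle, pos + 1)
    return hits

def build_sample_image(mac="00:11:22:33:44:55"):
    """Constructed 16 KiB image: descriptor, 8 KiB GbE (two copies), BIOS."""
    def flreg(first, last):
        return (first >> 12) | ((last >> 12) << 16)
    img = bytearray(b"\xff" * 0x4000)
    struct.pack_into("<II", img, 0, FD_SIGNATURE, 0x04 << 16)  # FRBA -> 0x40
    table = [flreg(0, 0xFFF), flreg(0x3000, 0x3FFF), 0x1FFF,   # ME unused
             flreg(0x1000, 0x2FFF), 0x1FFF]                    # Platform unused
    struct.pack_into("<5I", img, 0x40, *table)
    raw = bytes.fromhex(mac.replace(":", ""))
    for off in (0x1000, 0x2000, 0x3F48):  # two GbE copies plus a stray BIOS copy
        img[off:off + 6] = raw
    return bytes(img)

if __name__ == "__main__":
    for off, region in locate_mac(build_sample_image(), "00:11:22:33:44:55"):
        print(f"MAC at 0x{off:06X} in {region} region")
```

On a real dump, read the file into `image` and pass the MAC reported by the running system; hits outside the GbE region are the ones that differ between images.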

