[coreboot] Flashing Coreboot on Lenovo G505s

Mike Banon mikebdp2 at gmail.com
Sun Sep 23 19:37:12 CEST 2018


Hello Anac! I am "mikeb", who wrote these BIOS / KB9012 flashing articles
at DP wiki ;-)

> I finally got myself a A10-5750M with dedicated GPU

Indeed your G505S has two GPUs: 1) integrated HD 8650G 2) discrete HD
8570M. Hope you understand that the main benefit of "discrete GPU"
G505S version is that it has two heatpipes instead of one, so when you
aren't using a discrete GPU your CPU should be running cooler. The
performance of integrated and discrete GPUs is the same on this laptop
- they are meant to be running together in Crossfire but Crossfire
doesn't work on Linux... Also, sadly that discrete GPU doesn't work
with coreboot installed (we are trying to fix it at the moment, and
already have some ideas of how it could be fixed)

> A)
> According to DP / Flashing_a_BIOS_chip_with_Bus_Pirate
> either a Bus Pirate or a CH341A programmer is needed for flashing
> CoreBoot. LibreBoot folks can just take a Raspberry Pi (or better a
> Beagle Bone Black) and a SOIC clip, while CoreBoot needs more equipment.
> Why is that?

libreboot is a version of coreboot for some computers which could run
without any blobs (for G505S a few blobs are still needed). And it's
possible to use RPi for coreboot flashing, like any other
flashrom-supported programmer. But there are three main reasons why
you should prefer CH341A flashing over RPi:
1) CH341A is much cheaper than RPi: just $2-$3 with free shipping
instead of RPi $40 price. SOIC8 test clip is about $4-$7 (depending on
a type), together with CH341A it all costs less than $10. That is the
minimal set of hardware required for flashing, and as you see it is
super cheap, although for KB9012 flashing you also need a flex cable
and solder some wires to it - so the soldering equipment is required
(btw it's convenient to have at least two CH341A if you're flashing
both BIOS and KB9012, to avoid reconnecting the wires with a chance of
mistake)
2) Being a dedicated tool, CH341A is more reliable: I've seen many
people having troubles with their RPi, some of which are caused by RPi
software, while CH341A always "just works". Bus Pirate is reliable
too, although only after you'd upgrade its firmware to the latest
version.
3) Like the rest of single board computers (except EOMA68 but it
hasn't been released yet), RPi uses some non-free blobs which
theoretically could contain the backdoors. If everyone is using RPi to
flash their BIOSes, would it make sense for ***someone*** to try to
implement the backdoors there? Meanwhile, CH341A doesn't have any
firmware at all, just a few config registers. And for Bus Pirate, both
bootloader and firmware are 100% open source and you could rebuild
them by yourself and flash to your Bus Pirate.

> Somewhere it reads that the CH341A was faster than BusPirate.
> But is it faster than a Raspi or BeagleBone?

When I was comparing them earlier, CH341A was indeed
significantly faster. But after that there have been some
BusPirate-related fixes committed to flashrom, and now if there's
still any speed difference it's probably small enough. And speed
doesn't matter much, any chip flashing usually takes just a couple of
minutes - unless we're talking about KB9012 flashing which is slow
with any programmer (15 - 45 minutes if I remember correctly), but you
don't need to do it often.

CH341A could be faster than RPi / BeagleBone just because you need to
spend some time setting up their OS / software and also have to copy
your coreboot.rom from your build PC/server to that programmer, while
it should be much faster to just plug in CH341A / Bus Pirate into your
build PC USB and flash without any transmission of the files.

> The reason for asking is because I really don't want to brick anything
> and/or destroy the G505s. And I don't know how to operate a CH341A

Operating CH341A is very easy: I wrote the instructions for Bus Pirate
because of its confusing pinout, and thought CH341A is pretty
obvious. But, seeing there are requests like yours from time to time,
finally I've expanded that flashing article with two extra photos,
they should explain everything -
http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate#CH341A_flashing_coreboot_open_source_BIOS_to_Lenovo_G505S_hacking
You just need to make sure that the pins of your programmer and chip
are matching each other, e.g. CS - chip select. Also, remember to
disconnect all the power sources from your laptop (both battery and
power adapter) and before plugging the programmer into USB you need to
connect its SOIC8 clip, and after the flashing you disconnect USB
first and SOIC8 clip second.

> B)
> The instructions on
> http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate#Flashing
> suggest the following order of operations:

Sorry but that's not the order of operations, just a list of things
you can do; quoting:
" After that, you could do any operation listed below and some others:
1) ... 2) ... 3) ... 4) ... 5) ... "

> But shouldn't the original content of the flash chip first got read and
> saved before erasing it? Just in case anything goes wrong and the
> original BIOS would be needed for some reason? So, step 2 and 3 are to
> be swapped, right?

Don't worry, if you ever need the proprietary crappy UEFI/BIOS we got
its ROM ( 83CN53WW_v3.00_clean_BIOS.bin ) at this repository
https://github.com/g505s-opensource-researcher/g505s-proprietary
Actually this ROM is much better than what you could dump, because
your dump would contain the personally identifying info such as serial
numbers, while that "clean" ROM doesn't have any.

> C)
> Which Coreboot version should I use? v4.6 or the newest v4.8.1 ? I
> remember @Taiidan mentioning that he used v4.6 and somewhere else it
> reads that there will be some major changes after v4.8. Should I avoid it?

Always try using the latest master revision ( git clone
https://review.coreboot.org/coreboot ), so that when G505S coreboot
support breaks down because of some bad commit we will notice it
quickly. And, despite these major changes, the latest coreboot G505S
version is quite stable. Also it's a good idea to choose the latest
SeaBIOS version (master) at coreboot's menuconfig

> D)
> About flashing KB9012: Is it advisable to flash it with Origami-EC ?

As far as I know Origami-EC still can't " launch " this laptop, last
time I tried it - it could only blink some LEDs (please fix me if I'm
wrong here)

> Getting rid of serial numbers sounds nice.

That is achieved by flashing the "clean" version of proprietary KB9012
firmware, we got this ROM also.

> But is it safe to do? Or is there a risk of bricking the KB9012?

What kind of bricking? You can't software brick it because you could
always recover it with flashrom. And it's hard to hardware brick unless
you'd do something really stupid: like connecting 3.3V to its ground
(always recheck all the wires before connecting), or short circuiting
it with the bottom of programmer (put some insulation tape at the
bottom of programmer)

> http://git.code.paulk.fr/gitweb/?p=origami-ec.git;a=summary
> http://dangerousprototypes.com/docs/Flashing_KB9012_with_Bus_Pirate

> E)
> This machine is going to be a Qubes workstation. Are there any special
> Coreboot options for Qubes OS that one should be aware of?

Before building your freshly cloned coreboot you need to upgrade the
AMD microcode to its latest version (this update couldn't be merged
to coreboot until the AMD releases it "officially") to avoid the
freezing problems with low level hardware virtualization that Qubes is
using. Luckily now the microcode upgrades could be quickly done in a
semi-automatic mode, please look at this article -
http://dangerousprototypes.com/docs/Lenovo_G505S_hacking

Best regards,
Mike Banon

On Sun, Sep 23, 2018 at 8:32 AM Anac <anac at rbox.co> wrote:
>
> Greetings
>
> Following various recommendations on Lenovo G505s, I finally got myself a A10-5750M with dedicated GPU. At least I think it has dedicated graphics, due to the following output:
>
> # inxi -G
>
> Card-1: AMD Richland [Radeon HD 8650G]
> Card-2: AMD Sun Pro [Radeon HD 8570A/8570M]
>
> While waiting for some AliExpress deliveries, I'd like to ask a few questions that worry me. I have never flashed anything, but I'm used to Linux, the command line and soldering.
>
> A)
> According to http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate
> either a Bus Pirate or a CH341A programmer is needed for flashing CoreBoot. LibreBoot folks can just take a Raspberry Pi (or better a Beagle Bone Black) and a SOIC clip, while CoreBoot needs more equipment. Why is that?
> Somewhere it reads that the CH341A was faster than BusPirate. But is it faster than a Raspi or BeagleBone?
> Btw. Flashrom does in fact support RaspberryPi: https://www.flashrom.org/RaspberryPi
>
> The reason for asking is because I really don't want to brick anything and/or destroy the G505s. And I don't know how to operate a CH341A and feel that I'm not really in control of this whole undertaking. Hence, I'm trying to keep things as clear and easy as possible.
>
> B)
> The instructions on http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate#Flashing suggest the following order of operations:
> 1) receive a flashrom help
> 2) erase a flash chip
> 3) read from a flash chip
> 4) write to a flash chip
> 5) verify a flash chip against the file
>
> But shouldn't the original content of the flash chip first got read and saved before erasing it? Just in case anything goes wrong and the original BIOS would be needed for some reason? So, step 2 and 3 are to be swapped, right?
>
> C)
> Which Coreboot version should I use? v4.6 or the newest v4.8.1 ? I remember @Taiidan mentioning that he used v4.6 and somewhere else it reads that there will be some major changes after v4.8. Should I avoid it?
>
> D)
> About flashing KB9012: Is it advisable to flash it with Origami-EC ? Getting rid of serial numbers sounds nice. But is it safe to do? Or is there a risk of bricking the KB9012?
> http://git.code.paulk.fr/gitweb/?p=origami-ec.git;a=summary
> http://dangerousprototypes.com/docs/Flashing_KB9012_with_Bus_Pirate
>
> E)
> This machine is going to be a Qubes workstation. Are there any special Coreboot options for Qubes OS that one should be aware of?
>
> Thank you! And thanks for all the work that the good folks from dangerousprototypes have done and shared!
>
> --
> coreboot mailing list: coreboot at coreboot.org
> https://mail.coreboot.org/mailman/listinfo/coreboot
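The read-before-write question (B) and the read / write / verify operations listed in the thread, as an added shell example that is not part of the original e-mails or the DP wiki. It assumes flashrom with a CH341A programmer (flashrom's `ch341a_spi` driver); the function names `backup_chip` and `write_image` and all file names are hypothetical.

```shell
#!/bin/sh
# Added example: take a trustworthy backup of the SPI flash chip before
# writing, and refuse to write when the backup or the image looks wrong.
# Assumptions: flashrom is installed; the programmer is a CH341A.

FLASHROM="${FLASHROM:-flashrom}"        # overridable, e.g. for a dry run
PROGRAMMER="${PROGRAMMER:-ch341a_spi}"

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Read the chip twice and keep the dump only if both reads are non-empty
# and identical. A mismatch usually points at a badly seated SOIC8 clip
# or an unstable connection, and writing in that state is what bricks.
# Returns: 0 ok, 1 read failed, 2 empty dump, 3 reads differ.
backup_chip() {
    out="$1"
    "$FLASHROM" -p "$PROGRAMMER" -r "$out.read1" || return 1
    "$FLASHROM" -p "$PROGRAMMER" -r "$out.read2" || return 1
    [ -s "$out.read1" ] || return 2
    if [ "$(sha256_of "$out.read1")" != "$(sha256_of "$out.read2")" ]; then
        return 3
    fi
    mv "$out.read1" "$out" && rm -f "$out.read2"
}

# Write an image only when a verified backup exists and the image has
# exactly the same size as that backup (catches a truncated or wrong
# build early), then verify the chip contents against the file.
# Returns: 0 ok, 4 no backup, 5 size mismatch, else flashrom's status.
write_image() {
    image="$1"; backup="$2"
    [ -f "$backup" ] || return 4
    [ "$(wc -c < "$image")" -eq "$(wc -c < "$backup")" ] || return 5
    "$FLASHROM" -p "$PROGRAMMER" -w "$image" &&
    "$FLASHROM" -p "$PROGRAMMER" -v "$image"
}

# Typical use with the laptop unpowered and the clip attached:
#   backup_chip original_dump.bin && write_image coreboot.rom original_dump.bin
```

As the reply above points out, a dump made this way contains the machine's serial numbers, so store it privately rather than sharing it.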


