Hi Denis,

On 20/04/16 at 22:22, Denis 'GNUtoo' Carikli wrote:
> Here are the PR registers:
> 0x84: 0x85ff85f8 PR4: Warning: 0x005f8000-0x005fffff is locked.
> 0x74: 0x9fff07e0 PR0: Warning: 0x007e0000-0x01ffffff is read-only.

Finding out how to modify factory.rom to set these so that there are no write protections would be ideal. Then you could modify a factory.rom image descriptor region to disable the management engine, using this:
https://libreboot.org/docs/hcl/gm45_remove_me.html#demefactory

Theoretically, with both of those done, you'd have the ability to easily switch between factory/libreboot when debugging something from factory BIOS.

> So PR4 locks the platform region. That means that we cannot read
> it. PR0 prevents writing the last 128KiB of that flash chip.
>
> If we patch flashrom (I've scripts for that at home) we can read
> the whole flash but the platform partition. I've not yet patched it
> for write support.
>
> ifdtool[2] has a way to change the partition layout:
>> $ ./ifdtool
>> [...]
>> usage: ./ifdtool [-vhdix?] <filename>
>> [...]
>> -f | --layout <filename> dump regions into a flashrom

Libreboot also uses its own ich tool, in resources/utilities/ich9deblob/ and can be modified. It already modifies partition layout in the descriptor (removes ME and GbE regions). (we weren't aware of ifdtool when writing it, otherwise we would have modified ifdtool)

> It can also change the content of a region (like replace the BIOS
> region with coreboot/libreboot).
>
> So the idea would be:
> 0) Set GPIO33 to low/ground.
> 1) To dump the BIOS but the platform partition.
> 2) To modify such BIOS image:
>    - By changing its layout to move the BIOS out of the region
>      protected by the PR0 register
>    - Replacing the BIOS by coreboot/libreboot
> 3) To flash that image, with flashrom patched not to read/write the
>    platform region protected by the PR4
> 4) To boot, dump the platform region, reconstruct the stock image.
> 5) To reflash a normal coreboot/libreboot image.
>
> Unfortunately I don't have the hardware to test with me right now,
> and I don't have easy ways to recover yet on my Lenovo X200T (No
> clips exist for such laptop, I would need to take the time to
> solder some connector or replace the flash chip).

The WSON chip is SPI and has the same pinout as SOIC8. You could put a SOIC8 chip in there. "swiftgeek" from the IRC did this on their X200T:
http://h5ai.swiftgeek.net/Notebooks/ThinkPad%20X200T/SPI/

-- 
Leah Woods
Libreboot developer
Freenode IRC nick (#libreboot): vimuser

Use free software. Free as in freedom.
https://www.gnu.org/philosophy/free-sw.html

Use a free operating system, GNU/Linux.
https://www.gnu.org/

Use a free BIOS.
https://libreboot.org/

Support freedom. Join the Free Software Foundation.
https://fsf.org/

Minifree Ltd, trading as Ministry of Freedom | Registered in England, No. 9361826 | VAT No. GB202190462
Registered Office: 19 Hilton Road, Canvey Island, Essex SS8 9QA, UK | Web: http://minifree.org/
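
The two PR values quoted in the mail can be checked by hand. This is an added example, not code from the mail, flashrom or libreboot; it follows the ICH9 protected-range register layout (base in bits 12:0 and limit in bits 28:16, both in 4 KiB units; read-protect in bit 15; write-protect in bit 31). The function names and the 8 MiB chip size (inferred from "the last 128KiB") are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of one ICH9 SPI Protected Range (PRx) register. */
struct pr_range {
    uint32_t base;   /* first protected byte */
    uint32_t limit;  /* last protected byte */
    int read_prot;   /* bit 15: reads blocked */
    int write_prot;  /* bit 31: writes and erases blocked */
};

/* Base is bits 12:0, limit is bits 28:16; both count 4 KiB blocks. */
struct pr_range pr_decode(uint32_t reg)
{
    struct pr_range r;
    r.base = (reg & 0x1fffu) << 12;
    r.limit = (((reg >> 16) & 0x1fffu) << 12) | 0xfffu;
    r.read_prot = (int)((reg >> 15) & 1u);
    r.write_prot = (int)((reg >> 31) & 1u);
    return r;
}

/* "locked" and "read-only" match the warnings quoted in the mail;
 * the other two labels are this example's own. */
const char *pr_state(const struct pr_range *r)
{
    if (r->read_prot && r->write_prot) return "locked";
    if (r->write_prot) return "read-only";
    if (r->read_prot) return "write-only";
    return "unprotected";
}

/* Bytes of a chip of chip_size bytes that the range actually covers. */
uint32_t pr_covered(const struct pr_range *r, uint32_t chip_size)
{
    uint32_t end;
    if (chip_size == 0 || r->base >= chip_size || r->limit < r->base) return 0;
    end = r->limit < chip_size - 1 ? r->limit : chip_size - 1;
    return end - r->base + 1;
}

int main(void)
{
    /* Register values from the mail; the 8 MiB chip size is an assumption. */
    const uint32_t regs[] = { 0x9fff07e0u, 0x85ff85f8u };
    for (int i = 0; i < 2; i++) {
        struct pr_range r = pr_decode(regs[i]);
        printf("0x%08x: 0x%08x-0x%08x is %s, %u KiB on chip\n", (unsigned)regs[i], (unsigned)r.base,
               (unsigned)r.limit, pr_state(&r), (unsigned)(pr_covered(&r, 8u << 20) / 1024));
    }
    return 0;
}
```

The PR0 limit of 0x01ffffff runs past the end of the assumed 8 MiB chip, which is why the effective write-protected area is only the top 128 KiB.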
