Re: [coreboot] Lenovo X220t variants with SMD-Flash-ROMs

2017-08-07 Thread Igor Skochinsky via coreboot 
Hello Nico,

Monday, August 7, 2017, 2:16:05 PM, you wrote:

NH> Hi Philipp,

NH> On 05.08.2017 21:58, Philipp Stanner wrote:
>> Do we have any idea what exactly they do to update the firmware internally?

NH> Well, I don't. Though, the flash chip is usually only partially
NH> protected (something like the upper 128KiB?). They probably only
NH> update the unprotected part or put an UEFI capsule (or something
NH> similar) into another part of the chip and update the protected
NH> part from within the firmware on the next boot.

AFAIK the capsule is not written to flash. It's usually put into RAM or
may be alternatively written to the EFI system partition on disk[1]
(though I don't think I've ever observed that).


>>
>> The wiki says once coreboot is flashed you can flash it internally. I
>> suppose this means the blockade protecting the flash can be switched of
>> somehow, as the vendor's have to do it to install firmware-updates.

NH> The upper most part of the chip is protected by a Protected Range
NH> Register (PRR). These PRRs are reset on each reboot. So the only
NH> chance to write to the protected region is during early boot before
NH> the firmware writes the PRR.

NH> In case they do support updates to the protected region at all, it's
NH> likely that the code therein writes the PRR. So it's the update mecha-
NH> nism in the firmware that could be attacked (maybe it's just a check-
NH> sum, who knows?). You probably can't flash a whole coreboot image this
NH> way, but if you can make it write a modified firmware that doesn't set
NH> the PRR (or locks it to all zero early), you'd have won.

NH> But first things first, we'd have to find out when the PRR is written
NH> and whether the protected region is updatable.

You can use chipsec[2] to dump out the current configuration of the
system and see if PRRs are indeed used (and how).

[1]: 
http://www.uefi.org/sites/default/files/resources/UEFI_Summerfest_Insyde_2013_final.pdf
[2]: https://github.com/chipsec/chipsec

-- 
WBR,
 Igormailto:skochin...@mail.ru


-- 
coreboot mailing list: coreboot@coreboot.org
https://mail.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Lenovo X220t variants with SMD-Flash-ROMs

2017-08-07 Thread Nico Huber 

Hi Philipp,

On 05.08.2017 21:58, Philipp Stanner wrote:

Do we have any idea what exactly they do to update the firmware internally?


Well, I don't. Though, the flash chip is usually only partially
protected (something like the upper 128KiB?). They probably only
update the unprotected part or put an UEFI capsule (or something
similar) into another part of the chip and update the protected
part from within the firmware on the next boot.



The wiki says once coreboot is flashed you can flash it internally. I
suppose this means the blockade protecting the flash can be switched of
somehow, as the vendor's have to do it to install firmware-updates.


The upper most part of the chip is protected by a Protected Range
Register (PRR). These PRRs are reset on each reboot. So the only
chance to write to the protected region is during early boot before
the firmware writes the PRR.

In case they do support updates to the protected region at all, it's
likely that the code therein writes the PRR. So it's the update mecha-
nism in the firmware that could be attacked (maybe it's just a check-
sum, who knows?). You probably can't flash a whole coreboot image this
way, but if you can make it write a modified firmware that doesn't set
the PRR (or locks it to all zero early), you'd have won.

But first things first, we'd have to find out when the PRR is written
and whether the protected region is updatable.

Nico


--
coreboot mailing list: coreboot@coreboot.org
https://mail.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Lenovo X220t variants with SMD-Flash-ROMs

2017-08-05 Thread Philipp Stanner 
Do we have any idea what exactly they do to update the firmware internally?

The wiki says once coreboot is flashed you can flash it internally. I
suppose this means the blockade protecting the flash can be switched of
somehow, as the vendor's have to do it to install firmware-updates.


Am 05.08.2017 um 21:12 schrieb Igor Skochinsky via coreboot:
> Hello Philipp,
>
> Saturday, August 5, 2017, 8:41:42 PM, you wrote:
>
> PS> Yes, you're probably right.
>
> PS> Though I wonder when and how they programmed the firmware. Before or
> PS> after soldering?
>
> Most likely before, unless they have some debug header exposed. From
> [1]:
>
>> When the hardware and software nears production readiness, it is
>> common practice to preprogram flash memory devices prior to
>> starting high-volume PCB manufacturing flows for two principal
>> reasons. First, firmware loaded onto the device can be used to
>> perform basic booting and testing of the PCB during manufacturing
>> to check system/module functionality. Second, loading the final
>> firmware, operating system (OS), and application code on the flash
>> device prior to manufacturing maintains a high-volume
>> manufacturing beat rate. To support these usage models, multiple
>> vendors provide systems for loading firmware and data into flash
>> memory devices prior to the PCB solder flow process.
> Modern flash chips don't have issues retaining programmed bits during reflow
> soldering as long as the correct temperature profile is observed [2].
>
> [1]: 
> http://www.electronicdesign.com/memory/understanding-onboard-flash-programming
> [2]: http://dataioinfo.com/LiveImages/26/20/DocumentURL.pdf
>
>
>


-- 
coreboot mailing list: coreboot@coreboot.org
https://mail.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Lenovo X220t variants with SMD-Flash-ROMs

2017-08-05 Thread Igor Skochinsky via coreboot 
Hello Philipp,

Saturday, August 5, 2017, 8:41:42 PM, you wrote:

PS> Yes, you're probably right.

PS> Though I wonder when and how they programmed the firmware. Before or
PS> after soldering?

Most likely before, unless they have some debug header exposed. From
[1]:

> When the hardware and software nears production readiness, it is
> common practice to preprogram flash memory devices prior to
> starting high-volume PCB manufacturing flows for two principal
> reasons. First, firmware loaded onto the device can be used to
> perform basic booting and testing of the PCB during manufacturing
> to check system/module functionality. Second, loading the final
> firmware, operating system (OS), and application code on the flash
> device prior to manufacturing maintains a high-volume
> manufacturing beat rate. To support these usage models, multiple
> vendors provide systems for loading firmware and data into flash
> memory devices prior to the PCB solder flow process.

Modern flash chips don't have issues retaining programmed bits during reflow
soldering as long as the correct temperature profile is observed [2].

[1]: 
http://www.electronicdesign.com/memory/understanding-onboard-flash-programming
[2]: http://dataioinfo.com/LiveImages/26/20/DocumentURL.pdf



-- 
WBR,
 Igormailto:rox...@skynet.be


-- 
coreboot mailing list: coreboot@coreboot.org
https://mail.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Lenovo X220t variants with SMD-Flash-ROMs

2017-08-05 Thread Philipp Stanner 
Yes, you're probably right.

Though I wonder when and how they programmed the firmware. Before or
after soldering?


Am 05.08.2017 um 19:41 schrieb Igor Skochinsky via coreboot:
> Hello Philipp,
>
> Saturday, August 5, 2017, 6:01:04 PM, you wrote:
> PS> PS: Rantmode: Why the hell don't they just solder a socket? It's not
> PS> that unrealistic that someone bricks the BIOS while updating the
> PS> firmware from time to time. Being able to replace the ROM with a fresh
> PS> one is a huge plus.
>
> A socket would add some cost; not just of the part itself but
> also cost of the assembly process since flash chip could not be soldered
> together with the rest of the components now, and possibly other
> logistical issues (e.g. they would have to order DIP chips
> specifically for this model instead of SMD parts like for everything
> else).
> It would also increase the height of the board, and you know how
> everyone is obsessed with thin laptops nowadays. 
>
> Just because it would be convenient for maybe ten people in the world
> doesn't make it an incentive for the manufacturers. 
>
> Besides, 99.9% users are not expected to ever open their device, let alone 
> mess
> with the chips. If they get a brick (which is a pretty rare thing
> nowadays AFAIK), they send it off for repairs.
>


-- 
coreboot mailing list: coreboot@coreboot.org
https://mail.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Lenovo X220t variants with SMD-Flash-ROMs

2017-08-05 Thread persmule 
Hi Philipp,

It is just a wson-8 flash rom, whose soldering plates are compatible
with those for soic-8 chips, often found on thinkpads produced when 8MiB
soic-8 chip are hardly available.

The common way to deal with wson-8 chips is to blow it off with hot air
blower, suck up its content, and finally replace it with a soic-8 chip.

There is an article mentioned wson-8 chips:
https://www.coreboot.org/Board:lenovo/t430s

Persmule

在 2017年08月06日 00:01, Philipp Stanner 写道:
> Hi list,
>
> I don't know if it's common yet (the wiki article doesn't mention it)
> but today I discovered that there are Lenovo Thinkpads with very flat
> SMD-Flash-ROMs which make it impossible to access them with a SOIC-Clip
> or flash them by soldering wires to the pins directly.
>
> I aborted the flashing but am going to try finding a work-around.
>
> About the laptop:
> Type 4298-W28 S/N R9-E4CFC 11/06 (so probably manufactured in 2011)
>
> Product ID: 4298W28
>
> Maybe we should write one sentence in the wiki mentioning that not all
> chips are accessable very comfortably.
>
> Greetings,
>
> P.
>
> PS: Rantmode: Why the hell don't they just solder a socket? It's not
> that unrealistic that someone bricks the BIOS while updating the
> firmware from time to time. Being able to replace the ROM with a fresh
> one is a huge plus.
>
>
>

-- 
coreboot mailing list: coreboot@coreboot.org
https://mail.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Lenovo X220t variants with SMD-Flash-ROMs

2017-08-05 Thread Igor Skochinsky via coreboot 
Hello Philipp,

Saturday, August 5, 2017, 6:01:04 PM, you wrote:
PS> PS: Rantmode: Why the hell don't they just solder a socket? It's not
PS> that unrealistic that someone bricks the BIOS while updating the
PS> firmware from time to time. Being able to replace the ROM with a fresh
PS> one is a huge plus.

A socket would add some cost; not just of the part itself but
also cost of the assembly process since flash chip could not be soldered
together with the rest of the components now, and possibly other
logistical issues (e.g. they would have to order DIP chips
specifically for this model instead of SMD parts like for everything
else).
It would also increase the height of the board, and you know how
everyone is obsessed with thin laptops nowadays. 

Just because it would be convenient for maybe ten people in the world
doesn't make it an incentive for the manufacturers. 

Besides, 99.9% users are not expected to ever open their device, let alone mess
with the chips. If they get a brick (which is a pretty rare thing
nowadays AFAIK), they send it off for repairs.

-- 
WBR,
 Igormailto:rox...@skynet.be


-- 
coreboot mailing list: coreboot@coreboot.org
https://mail.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Lenovo X220t variants with SMD-Flash-ROMs

2017-08-05 Thread John Lewis 
On Sat, 5 Aug, 2017 at 5:01 PM, Philipp Stanner  
wrote:



PS: Rantmode: Why the hell don't they just solder a socket? It's not
that unrealistic that someone bricks the BIOS while updating the
firmware from time to time. Being able to replace the ROM with a fresh
one is a huge plus.


I guess that's just the throw-it-away philosophy ...
-- 
coreboot mailing list: coreboot@coreboot.org
https://mail.coreboot.org/mailman/listinfo/coreboot