Re: [qubes-users] Re: Lenovo G505S Coreboot
Alternatively, it could be that NDA is required not exactly to get these updated microcode files for our a-bit-old CPUs, but to understand - against what vulnerabilities these microcodes are trying to give the protection. Maybe there are some secret release notes that usually come with these microcodes to the OEMs. If you would look at the commit message which came with 15h/17h files, you would not notice any mention of the vulnerabilities and spectre - or any other mention of what has been changed or improved. It's "just an update" - https://marc.info/?l=linux-kernel=152651230014241=2 .

More messages from this author - https://marc.info/?a=13724479713=1=2

Best regards,
Ivan

2018-05-22 15:34 GMT+03:00 Ivan Ivanov:
> I think: at the moment, the only possible way to become confident that a new 15h microcode at linux-firmware.git is the same (or at least close to being the same) as being offered to us under an NDA, without signing this NDA, is to install this microcode to your coreboot and then run some tests to see the degree of vulnerability to the various spectres. Also, that AMD person has uploaded only 15h and 17h - meanwhile, there are some nice desktop coreboot-supported 16h boards like ASUS AM1I-A (they are early-16h so they do not have PSP backdoor, only late-16h has), and these 16h boards are still vulnerable. I will try to contact to "remind" about 16h. Maybe they don't share the microcodes publicly until they have fully tested them, and NDA is a way for OEMs to get the not-publicly-released-yet microcodes to test on their hardware. It could be that AMD's guidelines require fully testing a new microcode at all the compatible platforms before releasing it publicly even if it's just a matter of setting a few bits - to make sure that all the other functions are still working correctly
>
> Best regards,
> Ivan
>
> 2018-05-22 8:19 GMT+03:00 taii...@gmx.com :
>> *ML thread reply*
>> Hey guys you can install the latest microcode now from linux-firmware, no NDA or w/e I believe this is the latest version.
>> See my thread on the coreboot ML for more info.
>>
>> Remember folks the G505S has a piledriver cpu and thus it NEEDS a microcode update to have IOMMU (and thus work for V4) and be secure due to various exploits.
>>
>> before:
>> microcode: CPU0 patch_level=0x0600084f
>>
>> after:
>> microcode: CPU0: new patch_level=0x06000852
>>
>> I think this is the latest version but I don't know for sure.
Re: [qubes-users] Re: Lenovo G505S Coreboot
I think: at the moment, the only possible way to become confident that a new 15h microcode at linux-firmware.git is the same (or at least close to being the same) as being offered to us under an NDA, without signing this NDA, is to install this microcode to your coreboot and then run some tests to see the degree of vulnerability to the various spectres. Also, that AMD person has uploaded only 15h and 17h - meanwhile, there are some nice desktop coreboot-supported 16h boards like ASUS AM1I-A (they are early-16h so they do not have PSP backdoor, only late-16h has), and these 16h boards are still vulnerable. I will try to contact to "remind" about 16h. Maybe they don't share the microcodes publicly until they have fully tested them, and NDA is a way for OEMs to get the not-publicly-released-yet microcodes to test on their hardware. It could be that AMD's guidelines require fully testing a new microcode at all the compatible platforms before releasing it publicly even if it's just a matter of setting a few bits - to make sure that all the other functions are still working correctly

Best regards,
Ivan

2018-05-22 8:19 GMT+03:00 taii...@gmx.com:
> *ML thread reply*
> Hey guys you can install the latest microcode now from linux-firmware, no NDA or w/e I believe this is the latest version.
> See my thread on the coreboot ML for more info.
>
> Remember folks the G505S has a piledriver cpu and thus it NEEDS a microcode update to have IOMMU (and thus work for V4) and be secure due to various exploits.
>
> before:
> microcode: CPU0 patch_level=0x0600084f
>
> after:
> microcode: CPU0: new patch_level=0x06000852
>
> I think this is the latest version but I don't know for sure.
Re: [qubes-users] Re: Lenovo G505S Coreboot
*ML thread reply*
Hey guys you can install the latest microcode now from linux-firmware, no NDA or w/e I believe this is the latest version.
See my thread on the coreboot ML for more info.

Remember folks the G505S has a piledriver cpu and thus it NEEDS a microcode update to have IOMMU (and thus work for V4) and be secure due to various exploits.

before:
microcode: CPU0 patch_level=0x0600084f

after:
microcode: CPU0: new patch_level=0x06000852

I think this is the latest version but I don't know for sure.
Re: [qubes-users] Re: Lenovo G505S Coreboot
These microcodes from platomav are not new enough to have spectre v2 fixed at them! We are in the process of requesting an updated microcodes from AMD, and there is already some progress: we have been offered the updated microcodes with spectre V2 fix under the NDA. However, most likely this NDA requirement is only because of the Ryzen microcodes and maybe the microcodes for the other CPUs with built-in PSP Platform Secure Processor. We have asked AMD to offer us a smaller set of the microcodes (for the older CPUs only) which will be possible to obtain without signing the NDA, and we are currently waiting for reply. It does not make sense to ask the NDA for the microcodes of CPUs that are ~5 years old, also, the older microcodes could be found as publicly shared at e.g. linux-firmware.git and nobody sent a DMCA takedown regarding them, so most likely it means that both 15h and 16h microcodes, as well as some other older ones, should be possible to obtain without any NDAs. We will keep you updated

Best regards,
Ivan Ivanov

2018-05-16 5:50 GMT+03:00 awokd:
> On Sat, May 12, 2018 7:58 pm, matthewwbradl...@gmail.com wrote:
>> On Saturday, May 12, 2018 at 3:38:31 PM UTC-4, mattheww...@gmail.com
>
>>> Does anybody know where I can find an up-to-date copy of the microcode for this laptop? The latest microcode images I've been able to find *anywhere* are https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/amd-ucode which according to the logs date back to 2016 and therefore can't possibly contain spectre mitigations for an A10-5750M CPU.
>>>
>>> Supposedly AMD has/will release mitigating microcode for family 15h but I don't think AMD has an equivalent to: https://downloadcenter.intel.com/download/27776/Linux-Processor-Microcode-Data-File
>>>
>>> Does AMD even announce when they release microcode for a particular family/CPU? Ideally they'd have a list of CPU->microcode.tar.gz but one can only dream I guess...
>>>
>>> The next step of course will be figuring out how to build coreboot to load the microcode image, but, one step at a time.
>>
>> EDIT: https://web.archive.org/web/20160726141516/http://www.amd64.org:80/microcode.html doesn't seem to have been up since 2016
>
> See below. There seems to be a way to do it if you edit the patch file directly into microcode_amd_fam15h.bin (but we might be getting off-topic for Qubes here).
>
> https://www.mail-archive.com/coreboot@coreboot.org/msg51496.html
Re: [qubes-users] Re: Lenovo G505S Coreboot
On Sat, May 12, 2018 7:58 pm, matthewwbradl...@gmail.com wrote:
> On Saturday, May 12, 2018 at 3:38:31 PM UTC-4, mattheww...@gmail.com
>> Does anybody know where I can find an up-to-date copy of the microcode for this laptop? The latest microcode images I've been able to find *anywhere* are https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/amd-ucode which according to the logs date back to 2016 and therefore can't possibly contain spectre mitigations for an A10-5750M CPU.
>>
>> Supposedly AMD has/will release mitigating microcode for family 15h but I don't think AMD has an equivalent to: https://downloadcenter.intel.com/download/27776/Linux-Processor-Microcode-Data-File
>>
>> Does AMD even announce when they release microcode for a particular family/CPU? Ideally they'd have a list of CPU->microcode.tar.gz but one can only dream I guess...
>>
>> The next step of course will be figuring out how to build coreboot to load the microcode image, but, one step at a time.
>
> EDIT: https://web.archive.org/web/20160726141516/http://www.amd64.org:80/microcode.html doesn't seem to have been up since 2016

See below. There seems to be a way to do it if you edit the patch file directly into microcode_amd_fam15h.bin (but we might be getting off-topic for Qubes here).

https://www.mail-archive.com/coreboot@coreboot.org/msg51496.html
[qubes-users] Re: Lenovo G505S Coreboot
On Saturday, May 12, 2018 at 3:38:31 PM UTC-4, mattheww...@gmail.com wrote:
> On Wednesday, January 18, 2017 at 6:34:29 AM UTC-5, Asterysk wrote:
> > >First of all we need to make sure that you are prepared for flashing. coreboot image cannot be flashed internally on Lenovo G505S through a purely software way (I tried with internal:laptop=force_I_want_a_brick flashrom option, it always fails, can't do that!) .
> >
> > >To install a coreboot, you will have to:
> > >1) get some hardware tools like screwdrivers, CH341A USB flasher and SOIC-8 test clip
> > >2) tear down your laptop to access the motherboard
> > >3) take SOIC-8 test clip and attach its wires to USB flasher that is supported by flashrom (such as CH341A), then attach SOIC-8 test clip to BIOS chip with 8 legs, then plug USB flasher device to another computer with Linux (while it is still connected to G505S motherboard through wires and SOIC-8 test clip)
> > >4) using flashrom, make a dump of your existing BIOS just in case, then flash a new coreboot image with verification
> > >5) assemble your laptop in reverse order .
> > >That is exactly how computer repair shops are repairing laptops with failed BIOS updates, and are earning pretty good money on it
> >
> > >Here is a hardware flashing manual - http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate .
> >
> > Everything is described in a great detail here: complete list of tools and where you could buy them (need to spend from $0 to $30, depends on what tools you already have), how to connect these tools properly, a lot of helpful photos - for example, photo of G505S motherboard, so you could easily see where is that BIOS chip with 8 legs is located, don't need to spend time reading the motherboard chip labels. While this instruction mentions Bus Pirate USB flasher, the instructions for CH341A USB flasher are exactly the same - only a flashrom command is different (could see this command at the end of page)
> >
> > My current coreboot build is from December 2016 - it is not the latest, but still pretty recent, so I am not going to rebuild it from scratch yet. Still, there is one component inside BIOS image that could be easily updated: KolibriOS, tiny wonderful open source operating system that fits on a floppy. It could be launched from SeaBIOS Boot Menu, and works as a RamDisk (no changes to your computer saved). After you tell that you are prepared for hardware BIOS flashing, I will take KolibriOS latest daily build, add it to ROM and send a complete coreboot BIOS ROM to you
> >
> > Please reply if you have any questions
> >
> > Best regards,
> > qmastery
> > ---
> >
> > Is it possible to also reflash the USB firmware at the same time in case it has been tampered by Bad USB ?
>
> Does anybody know where I can find an up-to-date copy of the microcode for this laptop? The latest microcode images I've been able to find *anywhere* are https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/amd-ucode which according to the logs date back to 2016 and therefore can't possibly contain spectre mitigations for an A10-5750M CPU.
>
> Supposedly AMD has/will release mitigating microcode for family 15h but I don't think AMD has an equivalent to: https://downloadcenter.intel.com/download/27776/Linux-Processor-Microcode-Data-File
>
> Does AMD even announce when they release microcode for a particular family/CPU? Ideally they'd have a list of CPU->microcode.tar.gz but one can only dream I guess...
>
> The next step of course will be figuring out how to build coreboot to load the microcode image, but, one step at a time.

EDIT: https://web.archive.org/web/20160726141516/http://www.amd64.org:80/microcode.html doesn't seem to have been up since 2016
[qubes-users] Re: Lenovo G505S Coreboot
On Wednesday, January 18, 2017 at 6:34:29 AM UTC-5, Asterysk wrote:
> >First of all we need to make sure that you are prepared for flashing. coreboot image cannot be flashed internally on Lenovo G505S through a purely software way (I tried with internal:laptop=force_I_want_a_brick flashrom option, it always fails, can't do that!) .
>
> >To install a coreboot, you will have to:
> >1) get some hardware tools like screwdrivers, CH341A USB flasher and SOIC-8 test clip
> >2) tear down your laptop to access the motherboard
> >3) take SOIC-8 test clip and attach its wires to USB flasher that is supported by flashrom (such as CH341A), then attach SOIC-8 test clip to BIOS chip with 8 legs, then plug USB flasher device to another computer with Linux (while it is still connected to G505S motherboard through wires and SOIC-8 test clip)
> >4) using flashrom, make a dump of your existing BIOS just in case, then flash a new coreboot image with verification
> >5) assemble your laptop in reverse order .
> >That is exactly how computer repair shops are repairing laptops with failed BIOS updates, and are earning pretty good money on it
>
> >Here is a hardware flashing manual - http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate .
>
> Everything is described in a great detail here: complete list of tools and where you could buy them (need to spend from $0 to $30, depends on what tools you already have), how to connect these tools properly, a lot of helpful photos - for example, photo of G505S motherboard, so you could easily see where is that BIOS chip with 8 legs is located, don't need to spend time reading the motherboard chip labels. While this instruction mentions Bus Pirate USB flasher, the instructions for CH341A USB flasher are exactly the same - only a flashrom command is different (could see this command at the end of page)
>
> My current coreboot build is from December 2016 - it is not the latest, but still pretty recent, so I am not going to rebuild it from scratch yet. Still, there is one component inside BIOS image that could be easily updated: KolibriOS, tiny wonderful open source operating system that fits on a floppy. It could be launched from SeaBIOS Boot Menu, and works as a RamDisk (no changes to your computer saved). After you tell that you are prepared for hardware BIOS flashing, I will take KolibriOS latest daily build, add it to ROM and send a complete coreboot BIOS ROM to you
>
> Please reply if you have any questions
>
> Best regards,
> qmastery
> ---
>
> Is it possible to also reflash the USB firmware at the same time in case it has been tampered by Bad USB ?

Does anybody know where I can find an up-to-date copy of the microcode for this laptop? The latest microcode images I've been able to find *anywhere* are https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/amd-ucode which according to the logs date back to 2016 and therefore can't possibly contain spectre mitigations for an A10-5750M CPU.

Supposedly AMD has/will release mitigating microcode for family 15h but I don't think AMD has an equivalent to: https://downloadcenter.intel.com/download/27776/Linux-Processor-Microcode-Data-File

Does AMD even announce when they release microcode for a particular family/CPU? Ideally they'd have a list of CPU->microcode.tar.gz but one can only dream I guess...

The next step of course will be figuring out how to build coreboot to load the microcode image, but, one step at a time.
Re: [qubes-users] Re: Lenovo G505S Coreboot
Got it. I understand I need to build the coreboot image and flash it. However still a little confused on how exactly to implement the microcode update? I assume it's still not a part of the latest coreboot.

Was it these two files I am looking for changes in?

src/vendorcode/amd/agesa/f15tn/Proc/CPU/Family/0x15/TN/F15TnEquivalenceTable.c
src/vendorcode/amd/agesa/f15tn/Proc/CPU/Family/0x15/TN/F15TnMicrocodePatch0600110F_Enc.c

or do I understand correctly that I can run these commands at a Debian terminal and get the needed output too?

dd skip=5284 iflag=skip_bytes if=/lib/firmware/amd-ucode/microcode_amd_fam15h.bin of=amd.bin
xxd -i amd.bin

I then copy some/all of that content and paste it into the image file itself?
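Added example (not part of any message in this thread): rather than trusting a fixed byte offset such as the skip=5284 above, this Python script walks an AMD microcode container, lists where each patch starts and which patch level it carries, and compares that with a patch_level line from the kernel log. The field layout follows the structures used by the Linux kernel's AMD microcode loader; it assumes a file holding a single container, the CPUID signatures and equivalence ids in the sample are constructed, and the two patch levels are values mentioned in the thread.

```python
import re
import struct

UCODE_MAGIC = 0x00414D44          # container magic, "DMA\0" in little-endian byte order
SECTION_EQUIV_TABLE = 0x00000000  # section type: CPU equivalence table
SECTION_PATCH = 0x00000001        # section type: one microcode patch

# Equivalence entry (16 bytes): installed_cpu (CPUID signature), errata mask,
# errata compare, equiv_cpu, reserved.
EQUIV_ENTRY = struct.Struct("<IIIHH")
# Patch header (64 bytes): data_code, patch_id, data_id, data_len, init_flag,
# checksum, nb_dev_id, sb_dev_id, processor_rev_id, nb_rev_id, sb_rev_id,
# bios_api_rev, 3 reserved bytes, match_reg[8].
PATCH_HEADER = struct.Struct("<IIHBBIIIHBBB3x8I")


def parse_container(blob):
    """Return (equiv, patches) for a single-container file, or raise ValueError."""
    if len(blob) < 12:
        raise ValueError("file too short for a container header")
    magic, sect_type, equiv_size = struct.unpack_from("<III", blob, 0)
    if magic != UCODE_MAGIC:
        raise ValueError("bad magic 0x%08x" % magic)
    if sect_type != SECTION_EQUIV_TABLE:
        raise ValueError("first section is not an equivalence table")
    end_equiv = 12 + equiv_size
    if end_equiv > len(blob):
        raise ValueError("equivalence table runs past end of file")

    equiv = {}
    for pos in range(12, end_equiv - EQUIV_ENTRY.size + 1, EQUIV_ENTRY.size):
        installed_cpu, _, _, equiv_cpu, _ = EQUIV_ENTRY.unpack_from(blob, pos)
        if installed_cpu == 0:          # all-zero entry terminates the table
            break
        equiv[installed_cpu] = equiv_cpu

    patches = []
    off = end_equiv
    while off < len(blob):
        if off + 8 > len(blob):
            raise ValueError("truncated section header at offset %d" % off)
        sect_type, size = struct.unpack_from("<II", blob, off)
        data_off = off + 8
        if sect_type != SECTION_PATCH:
            raise ValueError("unexpected section type 0x%x at offset %d" % (sect_type, off))
        if size < PATCH_HEADER.size or data_off + size > len(blob):
            raise ValueError("patch at offset %d has an invalid size" % data_off)
        fields = PATCH_HEADER.unpack_from(blob, data_off)
        patches.append({"offset": data_off, "size": size,
                        "patch_id": fields[1], "equiv_cpu": fields[8]})
        off = data_off + size
    return equiv, patches


def find_patch(equiv, patches, cpuid):
    """Map a CPUID signature through the equivalence table to its patch, if any."""
    eq = equiv.get(cpuid)
    if eq is None:
        return None
    return next((p for p in patches if p["equiv_cpu"] == eq), None)


def patch_level_from_log(line):
    """Extract the level from a kernel log line like the before/after lines in the thread."""
    m = re.search(r"patch_level=0x([0-9a-fA-F]{8})", line)
    return int(m.group(1), 16) if m else None


# Constructed sample input: CPUID signatures and equivalence ids are made up
# for illustration; the two patch levels are the ones mentioned in the thread.
SAMPLE_CPUID_A, SAMPLE_CPUID_B = 0x00600F20, 0x00610F01


def build_sample_container():
    pairs = [(SAMPLE_CPUID_A, 0x6020), (SAMPLE_CPUID_B, 0x6101)]
    table = b"".join(EQUIV_ENTRY.pack(cpu, 0, 0, eq, 0) for cpu, eq in pairs)
    table += EQUIV_ENTRY.pack(0, 0, 0, 0, 0)             # terminator entry
    blob = struct.pack("<III", UCODE_MAGIC, SECTION_EQUIV_TABLE, len(table)) + table
    for patch_id, eq in [(0x06000852, 0x6020), (0x0600110F, 0x6101)]:
        header = PATCH_HEADER.pack(0, patch_id, 0, 0, 0, 0, 0, 0, eq, 0, 0, 0, *([0] * 8))
        body = header + bytes(32)                         # dummy patch payload
        blob += struct.pack("<II", SECTION_PATCH, len(body)) + body
    return blob


if __name__ == "__main__":
    equiv, patches = parse_container(build_sample_container())
    for p in patches:
        print("offset=%d size=%d patch_level=0x%08x equiv_cpu=0x%04x"
              % (p["offset"], p["size"], p["patch_id"], p["equiv_cpu"]))
    running = patch_level_from_log("microcode: CPU0: new patch_level=0x06000852")
    hit = find_patch(equiv, patches, SAMPLE_CPUID_A)
    print("running level matches file:", hit is not None and hit["patch_id"] == running)
```

The offset and size reported for a patch are the byte values that dd's skip= and count= take when used with iflag=skip_bytes,count_bytes.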
Re: [qubes-users] Re: Lenovo G505S Coreboot
On 04/30/2018 08:49 PM, Andrew B wrote:
> OK, just to clarify, if I am to build the coreboot image, I need to do that on the G505s by say running Debian or Ubuntu (presumably could use a Live disc/USB) or similar and building the image as shown here?
> https://www.coreboot.org/Board:lenovo/g505s#Building_a_coreboot_image

Yeah. But you need another PC in case something goes wrong.

> Then I take the created coreboot.rom file and load it onto a separate computer where I can externally flash the G505s as shown here:
> http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate

Get a USB CH341A, they're easier.
Re: [qubes-users] Re: Lenovo G505S Coreboot
OK, just to clarify, if I am to build the coreboot image, I need to do that on the G505s by say running Debian or Ubuntu (presumably could use a Live disc/USB) or similar and building the image as shown here?
https://www.coreboot.org/Board:lenovo/g505s#Building_a_coreboot_image

Then I take the created coreboot.rom file and load it onto a separate computer where I can externally flash the G505s as shown here:
http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate
Re: [qubes-users] Re: Lenovo G505S Coreboot
On 04/20/2018 12:21 PM, River~~ wrote:
> correction where I said
>> My assumption is that the time is explained by the fact that it is not only booting the physical machine but also the various CMs that are tagged to be started at bootup.
> I meant VMs, not CMs

Yes, it tends to be 7s for normal booting with SSD and 30s+ for the VMs - that's normal.

There is a feature request [1] out there to get the VMs started after X instead of before. So that might change in the future.

[1] https://github.com/QubesOS/qubes-issues/issues/3149
Re: [qubes-users] Re: Lenovo G505S Coreboot
correction where I said

> > My assumption is that the time is explained by the fact that it is not only booting the physical machine but also the various CMs that are tagged to be started at bootup.

I meant VMs, not CMs
Re: [qubes-users] Re: Lenovo G505S Coreboot
wrote:
> On Tuesday, April 10, 2018 at ...
> One question I have is regarding boot time for 4.0. Is it several minutes long for you on coreboot/Qubes 4.0?

It is what I am seeing. Is this significantly longer than for Qubes 3.2? (I am new here and never used 3.2)

My assumption is that the time is explained by the fact that it is not only booting the physical machine but also the various CMs that are tagged to be started at bootup.

> I also get a Failed to Load Kernel Modules message early on

Yes, I see this as the first line after the four Tuxes appear. I think the message is slightly different - from memory it is

Failed to Start Load Kernel Modules
Re: [qubes-users] Re: Lenovo G505S Coreboot
On Tuesday, April 10, 2018 at 7:08:37 AM UTC, qma ster wrote:
> Hi there Friend ! What 8 cells battery you have got, and from which seller? It is either your battery needs a few power cycles to get to its full performance, or maybe you have received a battery with the different power cells (not SANYO) : e.g. your original battery was SANYO but that new 8cells could be SMP ? :P
>
> If you would look at the PDF Hardware Maintenance Manual for Lenovo G505S laptop (easily found online, contains many FRU replacement parts descriptions/IDs, useful) you will see that - even for the official G505S batteries, there were three manufacturers: Sanyo, LG, SMP (Simplo). According to some tests, Sanyo are much better than SMP/LG.
>
> Please look at the attached picture - it contains a small review of the battery cells (could be expanded)
>
> my 8cells battery is Sanyo, and it's almost twice longer battery life! Mike result is ~1.5x longer, but he hasn't told me who made his cells, or I forgot what he has replied to me and couldn't find. Guess it's a bit of a lottery... If your battery would not perform better after a few power cycles, you could try getting another 8 cells battery, preferably from another seller - for a higher chance that these batteries would be from the different batches with the different internals - and we will see
>
> However, if you would look through this guide above, there are some more worthy investments: in example, AR9462 wireless network adapter from ath9k family - does not need the binary blobs, runs on 100% open source and supports 2.4GHz/5GHz and even Bluetooth, works fine even at the Stallman-endorsed Linux distros. Ideally, batteries should be bought after you have got everything else.
> By the way, 2-3 times per year you could get 10-20% off AliExpress coupons for a great real discount
>
> Retyped table from the attached image (so that it will be searchable through the Internet) :
>

Thanks for all the info! I bought my battery from some random seller on eBay and it was disappointing initially but seems better after a few cycles. I may check out your recommended ones anyway. I did many of the other recommended upgrades already, including replacing the thermal paste, the WiFi adapter and upgrading to 16gb of Patriot Viper RAM and an SSD. I'm very happy with my current setup thanks to you and others.

One question I have is regarding boot time for 4.0. Is it several minutes long for you on coreboot/Qubes 4.0? I also get a Failed to Load Kernel Modules message early on in Qubes boot if that matters. Once it's up and running, things run smoothly.
Re: [qubes-users] Re: Lenovo G505S Coreboot
Hi there Friend ! What 8 cells battery you have got, and from which seller? It is either your battery needs a few power cycles to get to its' full performance, or maybe you have received a battery with the different power cells (not SANYO) : e.g. your original battery was SANYO but that new 8cells could be SMP ? :P If you would look at the PDF Hardware Maintenance Manual for Lenovo G505S laptop (easily found online, contains many FRU replacement parts descriptions/IDs, useful) you will see that - even for the official G505S batteries, there were three manufacturers: Sanyo, LG, SMP (Simplo). According to some tests, Sanyo are much better than SMP/LG. Please look at the attached picture - it contains a small review of the battery cells (could be expanded) my 8cells battery is Sanyo, and its almost twice longer battery life! Mike result is ~1.5x longer, but he haven't told me who made his cells, or I forgot what he has replied to me and couldnt find. Guess its a bit of a lottery... If your battery would not perform better after a few power cycles, you could try getting another 8 cells battery, preferably from another seller - for a higher chance that these batteries would be from the different batches with the different internals - and we will see However, if you would look through this guide above, there are some more worthy investments: in example, AR9462 wireless network adapter from ath9k family - does not need the binary blobs, runs on 100% open source and supports 2.4GHz/5GHz and even Bluetooth, works fine even at the Stallman-endorsed Linux distros. Ideally, batteries should be bought after you have got everything else. 
By the way, 2-3 times per year you could get 10-20% off AliExpress coupons for a great real discount

Retyped table from the attached image (so that it will be searchable through the Internet) :

| Laptop batteries for G505S and other compatible Lenovo laptops | Model -- battery cells manufacturer | Voltage | Stated capacity in mAh | Max energy capacity by design (as seen by Ubuntu Linux OS) | Max energy capacity after 3 months of heavy usage | Rating |
|---|---|---|---|---|---|---|
| official Lenovo 4 cells battery (older revision) | L12S4E01 -- SANYO | 14.4V | 2900 mAh | 3.8 Wh | 3.5 Wh (94% of design) | medium battery |
| official Lenovo 4 cells battery (newer revision) | L12M4E01 -- Simplo Technology ( SMP ) | 14.88V | 2800 mAh | 3.8 Wh | 3.1 Wh (81% of design) | bad battery |
| 8cells G505S battery by AliExpress seller MX (HK) LTD -- Ming Xuan | "Replace L12L4A02, L12L4E01, L12M4A02" -- SANYO | 14.4V | 5200 mAh | 6.3 Wh | 6.1 Wh (96% of design) | the best battery ! |

NOTE: battery model number is L12*4E01, where * letter means the manufacturer of battery cells. in L12S4E01, S means SANYO, in L12M4E01, M means Simplo Technology ( SMP ), in L12L4E01, L means LG chemicals. Older (official) batteries were usually SANYO, newer (official) batteries are usually SMP, sadly.

My experience: SANYO cells are the best performance

Best regards,
Ivan Ivanov aka qmastery

2018-04-04 4:53 GMT+03:00:
> Among other suggestions, I added an 8-cell battery to my G505s. What kind of
> battery life are people getting with these? Mine seems hardly better than
> the OEM 4-cell. Just wondering if I got a bum battery or if the improvement
> isn't really that significant.
>
> Thanks again to everyone for helping me get my G505s up and going with
> coreboot and for all the useful info on recommended upgrades here.
Re: [qubes-users] Re: Lenovo G505S Coreboot
Among other suggestions, I added an 8-cell battery to my G505s. What kind of battery life are people getting with these? Mine seems hardly better than the OEM 4-cell. Just wondering if I got a bum battery or if the improvement isn't really that significant.

Thanks again to everyone for helping me get my G505s up and going with coreboot and for all the useful info on recommended upgrades here.
Re: [qubes-users] Re: Lenovo G505S Coreboot
Thank you very much for answering the qubesthrowaway's questions ! Regarding

> Some of us G505s users are putting together a page with tips on Coreboot and Qubes, but I'm not sure where it will end up yet

- sorry for delay! we just got a bit distracted with KolibriOS driver stuff (will be really awesome if that assembly network driver becomes a reality!), in the same time we would like to

1) upgrade the LZMA libraries of coreboot/seabios - the currently used ones are very very outdated
2) add paq8px compression support for putting even more useful stuff to our small 4 MB BIOS chips

By the way it could be possible to upgrade a BIOS chip to 8 MB or even to 16 MB ;-) Asterysk has been trying to test this but accidentally damaged a copper track on his motherboard, so it's going to take a while before we find out the answer to this question. Ideally we'd like to stay at 4 MB, because if some of us would be sitting at 8 MB / 16 MB while everyone else is at 4 MB BIOS chips - that would result in unnecessary fragmentation, so more of our efforts should be going towards those "compression methods".

On average, paq8px is 25% better compression than LZMA used by coreboot/SeaBIOS, but it is much slower - perhaps it is going to take about 3 minutes to extract 1.44MB KolibriOS floppy to boot it, although we have not tested this on bare metal (from coreboot) yet - could be faster! There are also some extra challenges, e.g. paq8px sources are C++ but coreboot is C and doesn't even have g++ in its toolchains, so I'm unsure how to merge them together. And using a "random g++" provided by some distro does not guarantee that this will be bootable. Maybe you know a great way of how to put C++ code into coreboot and make it compile?

Best regards,
Ivan Ivanov aka qmastery

2018-03-28 0:52 GMT+03:00 'awokd' via qubes-users:
> On Mon, March 26, 2018 6:36 am, qubesthrowa...@gmail.com wrote:
>
> Could you please trim emails when you reply? It was hard to find your
> questions in all that text!
>
>> Would it be a bad idea to run a PCIe SSD off of this instead of the WiFi
>> card?
>
> I'm not sure you could fit one in there, the hole is only big enough for
> half-height mini-PCIe cards.
>
>> Would 1866MHz @ CL10 be as good/better?
>
> Not sure on this one; Coreboot can be picky on memory timings. Might have
> to dig in to the source code to see if that is supported, if nobody else
> knows.
>
>> I just ordered a G505S and several of these upgrades and I'm excited to
>> try flashing coreboot and getting Qubes going on it. Thanks for all the
>> tips/help.
>
> Welcome! Some of us G505s users are putting together a page with tips on
> Coreboot and Qubes, but I'm not sure where it will end up yet.
Re: [qubes-users] Re: Lenovo G505S Coreboot
On Sunday, April 1, 2018 at 10:20:29 AM UTC-5, awokd wrote:
> On Sun, April 1, 2018 2:53 pm, qubesthrowa...@gmail.com wrote:
> >> 1) Erase a BIOS chip and flash it with coreboot -
> >> http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate .
> >> For a BIOS image you could either:
> >
> > I decided to use your prebuilt rom and flashed it successfully on my
> > G505s last night. Afterwards, I began the Qubes 4.0 installation. It
> > installed fine, but following the restart it freezes while setting up the
> > Template VMs. I waited several hours to verify that it was indeed
> > frozen. I restarted and tried setup again and it keeps freezing at
> > various points (Fedora Template, Debian Template, Whonix). I then tried
> > a fresh reinstall but that yielded the same result.
> >
> > I'm currently in the process of downloading 4.0 again and I'll try the
> > install on a different usb stick. Is there anything else that I might
> > try to make this work? Thanks for any assistance.
>
> If you're referring to the rom from Qmaster's post from a year ago, it
> doesn't contain the microcode update needed to run 4.0. See
> https://review.coreboot.org/22843? . There are some more notes
> http://dangerousprototypes.com/docs/Lenovo_G505S_hacking, but be warned
> it's still pretty rough. I can help you build your own Coreboot image with
> the patch or if you trust anonymous strangers bearing gifts, send you the
> one I built for myself. Let me know if you need either!

I'd love to try your prebuilt one!
Re: [qubes-users] Re: Lenovo G505S Coreboot
FYI the microcode update is mandatory no matter what OS you are running otherwise I could literally root your computer with a few commands due to the NMI exploit on piledriver CPU's and of course the IOMMU wouldn't work either so no DMA protection.
Re: [qubes-users] Re: Lenovo G505S Coreboot
On Sun, April 1, 2018 2:53 pm, qubesthrowa...@gmail.com wrote:
>> 1) Erase a BIOS chip and flash it with coreboot -
>> http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate .
>> For a BIOS image you could either:
>
> I decided to use your prebuilt rom and flashed it successfully on my
> G505s last night. Afterwards, I began the Qubes 4.0 installation. It
> installed fine, but following the restart it freezes while setting up the
> Template VMs. I waited several hours to verify that it was indeed
> frozen. I restarted and tried setup again and it keeps freezing at
> various points (Fedora Template, Debian Template, Whonix). I then tried
> a fresh reinstall but that yielded the same result.
>
> I'm currently in the process of downloading 4.0 again and I'll try the
> install on a different usb stick. Is there anything else that I might
> try to make this work? Thanks for any assistance.

If you're referring to the rom from Qmaster's post from a year ago, it doesn't contain the microcode update needed to run 4.0. See https://review.coreboot.org/22843? . There are some more notes http://dangerousprototypes.com/docs/Lenovo_G505S_hacking, but be warned it's still pretty rough. I can help you build your own Coreboot image with the patch or if you trust anonymous strangers bearing gifts, send you the one I built for myself. Let me know if you need either!
Re: [qubes-users] Re: Lenovo G505S Coreboot
> 1) Erase a BIOS chip and flash it with coreboot -
> http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate .
> For a BIOS image you could either:

I decided to use your prebuilt rom and flashed it successfully on my G505s last night. Afterwards, I began the Qubes 4.0 installation. It installed fine, but following the restart it freezes while setting up the Template VMs. I waited several hours to verify that it was indeed frozen. I restarted and tried setup again and it keeps freezing at various points (Fedora Template, Debian Template, Whonix). I then tried a fresh reinstall but that yielded the same result.

I'm currently in the process of downloading 4.0 again and I'll try the install on a different usb stick. Is there anything else that I might try to make this work? Thanks for any assistance.
Re: [qubes-users] Re: Lenovo G505S Coreboot
On Tuesday, March 27, 2018 at 4:52:33 PM UTC-5, awokd wrote:
>
> Could you please trim emails when you reply? It was hard to find your
> questions in all that text!
>

Sorry about not trimming the original!

>
> I'm not sure you could fit one in there, the hole is only big enough for
> half-height mini-PCIe cards.
>

Okay. I found some half mini PCIe SSD but it appears to just use SATA interface and probably not worth losing WiFi.

>
> Not sure on this one; Coreboot can be picky on memory timings. Might have
> to dig in to the source code to see if that is supported, if nobody else
> knows.
>

Good to know.

> Welcome! Some of us G505s users are putting together a page with tips on
> Coreboot and Qubes, but I'm not sure where it will end up yet.

That would be amazing and much appreciated. This seems like a great hardware choice for running Qubes. I have the tools and have flashed a BIOS chip before so I feel okay about that part, but building the coreboot file is going to stretch me a bit.
Re: [qubes-users] Re: Lenovo G505S Coreboot
On Mon, March 26, 2018 6:36 am, qubesthrowa...@gmail.com wrote:

Could you please trim emails when you reply? It was hard to find your questions in all that text!

> Would it be a bad idea to run a PCIe SSD off of this instead of the WiFi
> card?

I'm not sure you could fit one in there, the hole is only big enough for half-height mini-PCIe cards.

> Would 1866MHz @ CL10 be as good/better?

Not sure on this one; Coreboot can be picky on memory timings. Might have to dig in to the source code to see if that is supported, if nobody else knows.

> I just ordered a G505S and several of these upgrades and I'm excited to
> try flashing coreboot and getting Qubes going on it. Thanks for all the
> tips/help.

Welcome! Some of us G505s users are putting together a page with tips on Coreboot and Qubes, but I'm not sure where it will end up yet.
Re: [qubes-users] Re: Lenovo G505S Coreboot
On Thursday, January 19, 2017 at 7:28:12 AM UTC-6, qma ster wrote:
> On Thursday, 19 January 2017 at 12:16:12 UTC+3, qmast...@gmail.com wrote:
> > On Thursday, 19 January 2017 at 7:08:46 UTC+3, Asterysk wrote:
> > > On Thursday, 19 January 2017 03:04:32 UTC+4, tai...@gmx.com wrote:
> > > > As always physical access is a checkmate situation, you need to not be
> > > > an idiot and don't leave your stuff in overseas hotel rooms or not have
> > > > secure locks on your door.
> > >
> > > Unless USB port seals (e.g.
> > > http://www.padjack.com/padjack-versions/usb-port-lock/) are put in place
> > > as soon as the laptop is removed from the manufacturers box it is
> > > impossible to know whether someone has installed a device that has in
> > > turn infected firmware. A similar situation for any DMA access ports
> > > (Thunderbolt etc)
> > >
> > > I'm interested in being able to take a possibly infected laptop (i.e.
> > > infected with firmware malware) and reset it to a known safe starting
> > > point. Coreboot seems to handle the BIOS (thank you for clarification
> > > that it completely rewrite legacy and UEFI). Replacing the HD with a new
> > > SSD should handle that firmware attack vector. That leaves the other
> > > EEPROMS.
> > >
> > > I figure, if I'm going to strip down my G505S to reflash with Coreboot, I
> > > should see what other EEPROMs I can reflash.
> > >
> > > Apart from the obvious RAM and SSD upgrade and possible putting switches
> > > on peripherals, are there any other hardware mods you can suggest for the
> > > G505S.
> > >
> > > Having sorted out the hardware, I am then going to be looking to use
> > > Qubes to protect against any attempts to reflash through Malware and
> > > after that's done, I'll be looking for ways to detect that any attack is
> > > being attempted.
> > >
> > > All in all I think I've got about a year's work ahead !
> >
> > To reduce the number of "EEPROMs" you could disconnect: a touch pad, DVD
> > drive, web camera ; Maybe also a small board with LS-9901P part number
> > (don't confuse with LA-9901P), see its google pictures online - and
> > according to G505S laptop's LA-A091P motherboard datasheet (which also
> > contains a datasheet for laptop's smaller boards) this board has a Realtek
> > chip for card reader. By the way, you could either find out what lines of
> > flex cable the card reader is using, and install a custom jumper on them ;
> > or maybe get a flex cable with the same number of pins / same pitch between
> > them , find (from datasheet?) what lines that lonely USB port is using to
> > get to Bolton-M3 FCH, get a USB female header and solder a custom adapter
> > which adds only a USB port to laptop (so no card reader chip). Probably the
> > hardest thing to do is to disconnect a web camera - you will need to tear
> > down a screen which is quite risky. BTW screen also contains the internal
> > reprogrammable memory (e.g. for storing EDID), and a malicious firmware
> > could cause screen to transfer information through electromagnetic impulses
> > (TEMPEST? - http://www.surasoft.com/articles/tempest.php )
> >
> > Actually it is possible to remove a motherboard with CPU, CPU Fan,
> > Heatsink, Power Jack Wire, and Power Button Board attached (could make a
> > custom power button adapter with huge convenient buttons!) and create a
> > custom case for all this stuff. If you are lucky you could find someone
> > selling a used G505S with broken screen for very cheap price, and do that.
> > This way you avoid webcam, screen, dvd drive, touchpad, card reader chip,
> > and internal keyboard (see below why)
> >
> > Maybe don't need to seal the USB ports yet: it not just seriously reducing
> > the usability of this laptop, but also makes it impossible to connect a USB
> > keyboard. Maybe you would prefer that, when you type, your keystrokes are
> > going through external keyboard's USB controller, rather than through
> > laptop's Embedded Controller KB9012 which has a closed source firmware and
> > controls PS/2-like laptop's internal keyboard. You could make your own open
> > hardware USB keyboard with open source firmware, and using it will be
> > slightly safer (and slightly less convenient) than laptop's internal one
> >
> > Also, another possible hardware mod (not related to security) - instead of
> > DVD drive you could install a fan for extra cooling, see
> > http://forum.notebookreview.com/threads/10mm-5v-cooler-instead-of-laptops-dvd-slimline-sata.797064/
> > . Although don't know if it worth it, because some really great external
> > USB coolers are available -
> > https://www.aliexpress.com/item/Mini-LCD-Vacuum-USB-Cooler-Air-Extracting-Cooling-Fan-Turbo-Radiator-Low-Noise-Desgin-for-Laptop/32231641439.html
>
> Please read a message above... If we are talking about the motherboard, main
> board of this laptop : aside from 4MB BIOS flash chip and 128KB EC KB9012's
>
Re: [qubes-users] Re: Lenovo G505S Coreboot
On Tuesday, 26 December 2017 at 15:18:14 UTC+0, Blooorp wrote:
> On Tuesday, 26 December 2017 at 00:05:28 UTC+1, tai...@gmx.com wrote:
> > On 12/25/2017 12:16 PM, Blooorp wrote:
> >
> > > On Monday, 25 December 2017 at 16:27:11 UTC+1, awokd wrote:
> > >> On Mon, December 25, 2017 3:07 pm, Blooorp wrote:
> > >>> "Devices/Add a VGA BIOS image (don't specify location or IDs, let it
> > >>> auto-populate) "
> > >>>
> > >>> make: *** No rule to make target 'vgabios.bin', needed by
> > >>> 'build/coreboot.pre'. Stop.
> > >>>
> > >>> Looks like it didn't work, should I put the location and ID of the one I
> > >>> extracted from the stock bios?
> > >> I think I copied mine to the top level coreboot folder as "vgabios.bin"
> > >> and let it find it there.
> > >>
> > >> Email me directly if it's still not working and I can help, we're off
> > >> topic from qubes-users now...
> > > Everything works now, my mistake was using the wrong vgabios.bin, the
> > > stock bios contains the ones for each version of the laptop but I didn't
> > > know that so I took the first that I found, with device ID 6663.
> > > The one I then searched for and that worked, thanks to awokd, was with
> > > device ID 990b, appropriate for the G505s with integrated graphics and
> > > not discrete card.
> > >
> > Don't forget about that microcode update - it is mandatory both for
> > security and IOMMU.
> >
> > Use the patch that awokd made, a true service to the community - the
> > lenovo g505s is now properly working and is the best laptop for qubes as
> > it supports an open source init version of coreboot without ME/PSP
> > unlike purisms laptops with the not really disabled ME and entirely
> > blobbed silicon init via intel FSP.
>
> Didn't forget about it, he did some awesome work :)
>
> I took my time to choose the right laptop to get into Qubes, really feels
> that I made the right choice !
> But now, I need to make Qubes work on it, I'm collecting the issues haha

The perfect VGA BIOSes for Lenovo G505S could be obtained here - https://mail.coreboot.org/pipermail/coreboot/2017-July/084680.html

Go to "g505s-atombios" repository and download one or two vgabios files (depending on if your G505S had just integrated GPU, or integrated+discrete), then compare their checksums - and, if the checksums are correct - feel free to add them to your completed coreboot BIOS build. At the ReadMe of this repository, you could see how to add (or remove) a vgabios file to coreboot BIOS after its building - one or two simple commands.

Actually, for G505S with "integrated+discrete GPU" even a single vgabios for integrated GPU - would be enough to show the image on display. I just hope that, if you add both vgabios you could somehow make your discrete GPU working (it still doesn't work for me)
Re: [qubes-users] Re: Lenovo G505S Coreboot
On Tuesday, 26 December 2017 at 00:05:28 UTC+1, tai...@gmx.com wrote:
> On 12/25/2017 12:16 PM, Blooorp wrote:
>
> > On Monday, 25 December 2017 at 16:27:11 UTC+1, awokd wrote:
> >> On Mon, December 25, 2017 3:07 pm, Blooorp wrote:
> >>> "Devices/Add a VGA BIOS image (don't specify location or IDs, let it
> >>> auto-populate) "
> >>>
> >>> make: *** No rule to make target 'vgabios.bin', needed by
> >>> 'build/coreboot.pre'. Stop.
> >>>
> >>> Looks like it didn't work, should I put the location and ID of the one I
> >>> extracted from the stock bios?
> >> I think I copied mine to the top level coreboot folder as "vgabios.bin"
> >> and let it find it there.
> >>
> >> Email me directly if it's still not working and I can help, we're off
> >> topic from qubes-users now...
> > Everything works now, my mistake was using the wrong vgabios.bin, the stock
> > bios contains the ones for each version of the laptop but I didn't know
> > that so I took the first that I found, with device ID 6663.
> > The one I then searched for and that worked, thanks to awokd, was with
> > device ID 990b, appropriate for the G505s with integrated graphics and not
> > discrete card.
> >
> Don't forget about that microcode update - it is mandatory both for
> security and IOMMU.
>
> Use the patch that awokd made, a true service to the community - the
> lenovo g505s is now properly working and is the best laptop for qubes as
> it supports an open source init version of coreboot without ME/PSP
> unlike purisms laptops with the not really disabled ME and entirely
> blobbed silicon init via intel FSP.

Didn't forget about it, he did some awesome work :)

I took my time to choose the right laptop to get into Qubes, really feels that I made the right choice ! But now, I need to make Qubes work on it, I'm collecting the issues haha
Re: [qubes-users] Re: Lenovo G505S Coreboot
On 12/25/2017 12:16 PM, Blooorp wrote:

> On Monday, 25 December 2017 at 16:27:11 UTC+1, awokd wrote:
>> On Mon, December 25, 2017 3:07 pm, Blooorp wrote:
>>> "Devices/Add a VGA BIOS image (don't specify location or IDs, let it auto-populate) "
>>>
>>> make: *** No rule to make target 'vgabios.bin', needed by 'build/coreboot.pre'. Stop.
>>>
>>> Looks like it didn't work, should I put the location and ID of the one I extracted from the stock bios?
>> I think I copied mine to the top level coreboot folder as "vgabios.bin" and let it find it there.
>>
>> Email me directly if it's still not working and I can help, we're off topic from qubes-users now...
> Everything works now, my mistake was using the wrong vgabios.bin, the stock bios contains the ones for each version of the laptop but I didn't know that so I took the first that I found, with device ID 6663.
> The one I then searched for and that worked, thanks to awokd, was with device ID 990b, appropriate for the G505s with integrated graphics and not discrete card.

Don't forget about that microcode update - it is mandatory both for security and IOMMU.

Use the patch that awokd made, a true service to the community - the lenovo g505s is now properly working and is the best laptop for qubes as it supports an open source init version of coreboot without ME/PSP unlike purisms laptops with the not really disabled ME and entirely blobbed silicon init via intel FSP.
Re: [qubes-users] Re: Lenovo G505S Coreboot
On Monday, 25 December 2017 at 16:27:11 UTC+1, awokd wrote:
> On Mon, December 25, 2017 3:07 pm, Blooorp wrote:
> >
> > "Devices/Add a VGA BIOS image (don't specify location or IDs, let it
> > auto-populate) "
> >
> > make: *** No rule to make target 'vgabios.bin', needed by
> > 'build/coreboot.pre'. Stop.
> >
> > Looks like it didn't work, should I put the location and ID of the one I
> > extracted from the stock bios?
>
> I think I copied mine to the top level coreboot folder as "vgabios.bin"
> and let it find it there.
>
> Email me directly if it's still not working and I can help, we're off
> topic from qubes-users now...

Everything works now, my mistake was using the wrong vgabios.bin, the stock bios contains the ones for each version of the laptop but I didn't know that so I took the first that I found, with device ID 6663. The one I then searched for and that worked, thanks to awokd, was with device ID 990b, appropriate for the G505s with integrated graphics and not discrete card.
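The mix-up described in the message above (the image with device ID 6663 picked instead of 990b) can be caught before building by listing the PCI option ROM images inside the dump and selecting by ID. This is an added example, not code from the thread or from coreboot; the vendor ID 0x1002 (AMD/ATI), the function names and the sample dump are assumptions constructed here.

```python
import struct

ROM_SIGNATURE = b"\x55\xaa"   # first two bytes of every PCI option ROM image
PCIR_SIGNATURE = b"PCIR"      # start of the PCI Data Structure


def parse_rom(dump, pos):
    """Parse one option ROM image at `pos`; return None if it is not valid."""
    if pos + 0x1A > len(dump):
        return None
    (pcir_ptr,) = struct.unpack_from("<H", dump, pos + 0x18)
    pcir = pos + pcir_ptr
    if pcir_ptr < 0x1A or pcir + 0x18 > len(dump):
        return None
    if dump[pcir:pcir + 4] != PCIR_SIGNATURE:
        return None
    vendor, device = struct.unpack_from("<HH", dump, pcir + 4)
    (blocks,) = struct.unpack_from("<H", dump, pcir + 0x10)
    length = blocks * 512                  # image length is in 512-byte units
    if length == 0 or pos + length > len(dump):
        return None
    image = dump[pos:pos + length]
    return {
        "offset": pos,
        "vendor": vendor,
        "device": device,
        "code_type": dump[pcir + 0x14],    # 0 means a legacy x86 image
        "length": length,
        # legacy x86 images are padded so that all bytes sum to 0 mod 256
        "checksum_ok": sum(image) % 256 == 0,
    }


def find_option_roms(dump):
    """Return metadata for every valid option ROM image found in `dump`."""
    roms = []
    pos = dump.find(ROM_SIGNATURE)
    while pos != -1:
        rom = parse_rom(dump, pos)
        if rom is not None:
            roms.append(rom)
        pos = dump.find(ROM_SIGNATURE, pos + 1)
    return roms


def select_rom(dump, vendor, device):
    """Return the bytes of the single image matching vendor/device, or raise."""
    matches = [r for r in find_option_roms(dump)
               if (r["vendor"], r["device"]) == (vendor, device)]
    if len(matches) != 1:
        raise LookupError("expected exactly one image for %04x:%04x, found %d"
                          % (vendor, device, len(matches)))
    rom = matches[0]
    if not rom["checksum_ok"]:
        raise ValueError("image at offset %d fails its checksum" % rom["offset"])
    return dump[rom["offset"]:rom["offset"] + rom["length"]]


def constructed_rom(device, blocks=1):
    """Build a minimal, constructed option ROM (header only, no real code)."""
    img = bytearray(blocks * 512)
    img[0:2] = ROM_SIGNATURE
    img[2] = blocks
    struct.pack_into("<H", img, 0x18, 0x1C)            # pointer to PCIR
    img[0x1C:0x20] = PCIR_SIGNATURE
    struct.pack_into("<HH", img, 0x20, 0x1002, device)  # vendor, device
    struct.pack_into("<H", img, 0x2C, blocks)           # image length
    img[-1] = (-sum(img)) % 256                         # fix up the checksum
    return bytes(img)


# Constructed stand-in for a stock BIOS dump holding two VGA BIOS images.
SAMPLE_DUMP = (b"\xff" * 64 + constructed_rom(0x6663)
               + b"\xff" * 32 + constructed_rom(0x990B, blocks=2)
               + b"\xff" * 64)

if __name__ == "__main__":
    for r in find_option_roms(SAMPLE_DUMP):
        print("offset %6d  %04x:%04x  %5d bytes  checksum_ok=%s"
              % (r["offset"], r["vendor"], r["device"],
                 r["length"], r["checksum_ok"]))
```
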
Re: [qubes-users] Re: Lenovo G505S Coreboot
On Mon, December 25, 2017 3:07 pm, Blooorp wrote:
>
> "Devices/Add a VGA BIOS image (don't specify location or IDs, let it
> auto-populate) "
>
> make: *** No rule to make target 'vgabios.bin', needed by
> 'build/coreboot.pre'. Stop.
>
> Looks like it didn't work, should I put the location and ID of the one I
> extracted from the stock bios?

I think I copied mine to the top level coreboot folder as "vgabios.bin" and let it find it there.

Email me directly if it's still not working and I can help, we're off topic from qubes-users now...
Re: [qubes-users] Re: Lenovo G505S Coreboot
On Monday, 25 December 2017 at 15:50:33 UTC+1, awokd wrote:
> On Mon, December 25, 2017 2:38 pm, awokd wrote:
> > On Mon, December 25, 2017 2:24 pm, Blooorp wrote:
> >
> >> On Monday, 25 December 2017 at 15:11:51 UTC+1, awokd wrote:
> >>
> >>> On Mon, December 25, 2017 1:47 pm, Blooorp wrote:
> >>>
> On Monday, 25 December 2017 at 14:39:45 UTC+1, awokd wrote:
>
> > On Mon, December 25, 2017 12:35 pm, Blooorp wrote:
> >
> >> Hey, I'm having some heavy trouble getting coreboot on my
> >> G505s,
> >> could you take a look at how I did it to see if you spot any
> >> difference compared to how you did it?
> >>
> >> Here is how I built, flashed and tested it :
> >> https://ghostbin.com/paste/wprhk
> >>
> >
> > They seem to block Tor users. I can take a look if you put it on
> > pastebin.com for example.
>
> Coreboot Lenovo G505s - Build/Flash/Test
> https://pastebin.com/58K4VGgf
> Full make output https://pastebin.com/nAPbNjJG
>
> >>>
> >>> I think you are very close to having it working, probably only the
> >>> video.
> >>>
> >>> Try the following options in your menuconfig:
> >>> General/Use CMOS for configuration values
> >>> General/Allow use of binary-only repository
> >>> Chipset/Add imc firmware (don't specify location or IDs, let it auto-populate)
> >>> Chipset/SATA Mode 2 (don't specify location or IDs, let it auto-populate)
> >>> Devices/Add a VGA BIOS image (don't specify location or IDs, let it auto-populate)
> >>> Payload/SeaBIOS 1.11.0
> >>>
> >>> And to keep this on topic for the Qubes Users mailing list, if you
> >>> plan on running Qubes 4.0 on there, you'll also want this Coreboot
> >>> patch currently waiting on code review:
> >>> https://review.coreboot.org/#/c/coreboot/+/22843 .
> >>>
> >>
> >> I do plan on running Qubes 4.0, how do I actually patch coreboot before
> >> the build?
> >
> > See the changes I made in that link to those two files, and copy and
> > paste them into your own source files manually. If you don't trust the
> > blob I provided (and you shouldn't!) perform the following steps to verify
> > it:
> >
> > Executing the following on a Debian Stretch install:
> > dd skip=5284 iflag=skip_bytes if=/lib/firmware/amd-ucode/microcode_amd_fam15h.bin of=amd.bin
> > xxd -i amd.bin
> > Then copying and pasting.
> >
> > Executing these steps against
> > coreboot/3rdparty/blobs/cpu/amd/family_15h/microcode_amd_fam15h.bin
> > provides identical results.
> >
> Forgot to add, you should also include nvramcui as a secondary payload to
> let you change CMOS options.

"Devices/Add a VGA BIOS image (don't specify location or IDs, let it auto-populate) "

make: *** No rule to make target 'vgabios.bin', needed by 'build/coreboot.pre'. Stop.

Looks like it didn't work, should I put the location and ID of the one I extracted from the stock bios?
Re: [qubes-users] Re: Lenovo G505S Coreboot
On Mon, December 25, 2017 2:38 pm, awokd wrote:
> On Mon, December 25, 2017 2:24 pm, Blooorp wrote:
>> On Monday, 25 December 2017 15:11:51 UTC+1, awokd wrote:
>>> On Mon, December 25, 2017 1:47 pm, Blooorp wrote:
>>>> On Monday, 25 December 2017 14:39:45 UTC+1, awokd wrote:
>>>>> On Mon, December 25, 2017 12:35 pm, Blooorp wrote:
>>>>>> Hey, I'm having some heavy trouble getting coreboot on my G505s, could you take a look at how I did it to see if you spot any difference compared to how you did it?
>>>>>>
>>>>>> Here is how I built, flashed and tested it : https://ghostbin.com/paste/wprhk
>>>>>
>>>>> They seem to block Tor users. I can take a look if you put it on pastebin.com for example.
>>>>
>>>> Coreboot Lenovo G505s - Build/Flash/Test https://pastebin.com/58K4VGgf
>>>> Full make output https://pastebin.com/nAPbNjJG
>>>
>>> I think you are very close to having it working, probably only the video.
>>>
>>> Try the following options in your menuconfig:
>>> General/Use CMOS for configuration values
>>> General/Allow use of binary-only repository
>>> Chipset/Add imc firmware (don't specify location or IDs, let it auto-populate)
>>> Chipset/SATA Mode 2 (don't specify location or IDs, let it auto-populate)
>>> Devices/Add a VGA BIOS image (don't specify location or IDs, let it auto-populate)
>>> Payload/SeaBIOS 1.11.0
>>>
>>> And to keep this on topic for the Qubes Users mailing list, if you plan on running Qubes 4.0 on there, you'll also want this Coreboot patch currently waiting on code review: https://review.coreboot.org/#/c/coreboot/+/22843 .
>>
>> I do plan on running Qubes 4.0, how do I actually patch coreboot before the build?
>
> See the changes I made in that link to those two files, and copy and paste them into your own source files manually. If you don't trust the blob I provided (and you shouldn't!) perform the following steps to verify it:
>
> Executing the following on a Debian Stretch install:
> dd skip=5284 iflag=skip_bytes if=/lib/firmware/amd-ucode/microcode_amd_fam15h.bin of=amd.bin
> xxd -i amd.bin
> Then copying and pasting.
>
> Executing these steps against coreboot/3rdparty/blobs/cpu/amd/family_15h/microcode_amd_fam15h.bin provides identical results.

Forgot to add, you should also include nvramcui as a secondary payload to let you change CMOS options.
Re: [qubes-users] Re: Lenovo G505S Coreboot
On Mon, December 25, 2017 2:24 pm, Blooorp wrote:
> On Monday, 25 December 2017 15:11:51 UTC+1, awokd wrote:
>> On Mon, December 25, 2017 1:47 pm, Blooorp wrote:
>>> On Monday, 25 December 2017 14:39:45 UTC+1, awokd wrote:
>>>> On Mon, December 25, 2017 12:35 pm, Blooorp wrote:
>>>>> Hey, I'm having some heavy trouble getting coreboot on my G505s, could you take a look at how I did it to see if you spot any difference compared to how you did it?
>>>>>
>>>>> Here is how I built, flashed and tested it : https://ghostbin.com/paste/wprhk
>>>>
>>>> They seem to block Tor users. I can take a look if you put it on pastebin.com for example.
>>>
>>> Coreboot Lenovo G505s - Build/Flash/Test https://pastebin.com/58K4VGgf
>>> Full make output https://pastebin.com/nAPbNjJG
>>
>> I think you are very close to having it working, probably only the video.
>>
>> Try the following options in your menuconfig:
>> General/Use CMOS for configuration values
>> General/Allow use of binary-only repository
>> Chipset/Add imc firmware (don't specify location or IDs, let it auto-populate)
>> Chipset/SATA Mode 2 (don't specify location or IDs, let it auto-populate)
>> Devices/Add a VGA BIOS image (don't specify location or IDs, let it auto-populate)
>> Payload/SeaBIOS 1.11.0
>>
>> And to keep this on topic for the Qubes Users mailing list, if you plan on running Qubes 4.0 on there, you'll also want this Coreboot patch currently waiting on code review: https://review.coreboot.org/#/c/coreboot/+/22843 .
>
> I do plan on running Qubes 4.0, how do I actually patch coreboot before the build?

See the changes I made in that link to those two files, and copy and paste them into your own source files manually. If you don't trust the blob I provided (and you shouldn't!) perform the following steps to verify it:

Executing the following on a Debian Stretch install:
dd skip=5284 iflag=skip_bytes if=/lib/firmware/amd-ucode/microcode_amd_fam15h.bin of=amd.bin
xxd -i amd.bin
Then copying and pasting.

Executing these steps against coreboot/3rdparty/blobs/cpu/amd/family_15h/microcode_amd_fam15h.bin provides identical results.
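The check described in the message above (skip 5284 bytes into the microcode container, dump the rest with `xxd -i`, compare with what was pasted into the source) done byte-for-byte instead of by eye. This is an added example, not code from the post or from the coreboot patch; it assumes the blob sits in the source file as an `xxd -i` style C array, the function names are hypothetical, and the container used in the demo is constructed.

```python
"""Automated version of the dd + xxd -i + compare check from the post above."""
import hashlib
import re

SKIP = 5284  # byte offset taken from the post: dd skip=5284 iflag=skip_bytes


def extract_tail(container: bytes, skip: int = SKIP) -> bytes:
    """Same bytes `dd skip=<skip> iflag=skip_bytes` writes: everything past the offset."""
    if skip >= len(container):
        raise ValueError(f"container has {len(container)} bytes, nothing after {skip}")
    return container[skip:]


def xxd_i(data: bytes, name: str = "amd_bin") -> str:
    """Render bytes in the layout `xxd -i amd.bin` prints (12 bytes per row)."""
    rows = ["  " + ", ".join(f"0x{b:02x}" for b in data[i:i + 12])
            for i in range(0, len(data), 12)]
    body = ",\n".join(rows)
    return (f"unsigned char {name}[] = {{\n{body}\n}};\n"
            f"unsigned int {name}_len = {len(data)};\n")


def parse_c_array(source: str) -> bytes:
    """Recover the bytes of the first brace-enclosed initializer in C source."""
    # Remove comments first so a "0x.." inside one is never counted as data.
    source = re.sub(r"/\*.*?\*/", "", source, flags=re.S)
    source = re.sub(r"//[^\n]*", "", source)
    found = re.search(r"\{(.*?)\}", source, flags=re.S)
    if found is None:
        raise ValueError("no array initializer found")
    out = bytearray()
    for token in (t.strip() for t in found.group(1).split(",")):
        if not token:
            continue  # tolerate a trailing comma
        if not re.fullmatch(r"0[xX][0-9a-fA-F]{1,2}", token):
            raise ValueError(f"unexpected token in initializer: {token!r}")
        out.append(int(token, 16))
    return bytes(out)


def compare(container: bytes, source: str, skip: int = SKIP) -> dict:
    """Compare the container tail with the array pasted into the source file."""
    expected = extract_tail(container, skip)
    pasted = parse_c_array(source)
    first_diff = next(
        (i for i, (a, b) in enumerate(zip(expected, pasted)) if a != b), None)
    if first_diff is None and len(expected) != len(pasted):
        first_diff = min(len(expected), len(pasted))  # one side is a prefix
    return {
        "match": first_diff is None,
        "first_diff": first_diff,
        "expected_len": len(expected),
        "pasted_len": len(pasted),
        "expected_sha256": hashlib.sha256(expected).hexdigest(),
        "pasted_sha256": hashlib.sha256(pasted).hexdigest(),
    }


def same_tail(container_a: bytes, container_b: bytes, skip: int = SKIP) -> bool:
    """The post's second check: two copies of the container agree past the offset."""
    return extract_tail(container_a, skip) == extract_tail(container_b, skip)


def demo_container(payload: bytes = bytes(range(40))) -> bytes:
    """Constructed stand-in for microcode_amd_fam15h.bin: filler, then a payload."""
    return b"\xaa" * SKIP + payload


if __name__ == "__main__":
    distro = demo_container()
    good_source = xxd_i(extract_tail(distro))
    tampered = bytearray(extract_tail(distro))
    tampered[17] ^= 0x01  # single flipped bit, easy to miss when comparing by eye
    for label, src in (("pasted as-is", good_source),
                       ("one bit flipped", xxd_i(bytes(tampered)))):
        result = compare(distro, src)
        print(label, result["match"], result["first_diff"],
              result["pasted_sha256"][:16])
```

With real files, pass the bytes of the distribution's container and the text of the patched source file to `compare()`; a `first_diff` equal to the shorter length means one side is a truncated copy of the other.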
Re: [qubes-users] Re: Lenovo G505S Coreboot
On Monday, 25 December 2017 15:11:51 UTC+1, awokd wrote:
> On Mon, December 25, 2017 1:47 pm, Blooorp wrote:
> > On Monday, 25 December 2017 14:39:45 UTC+1, awokd wrote:
> > > On Mon, December 25, 2017 12:35 pm, Blooorp wrote:
> > > > Hey, I'm having some heavy trouble getting coreboot on my G505s, could you take a look at how I did it to see if you spot any difference compared to how you did it?
> > > >
> > > > Here is how I built, flashed and tested it : https://ghostbin.com/paste/wprhk
> > >
> > > They seem to block Tor users. I can take a look if you put it on pastebin.com for example.
> >
> > Coreboot Lenovo G505s - Build/Flash/Test https://pastebin.com/58K4VGgf
> > Full make output https://pastebin.com/nAPbNjJG
>
> I think you are very close to having it working, probably only the video.
>
> Try the following options in your menuconfig:
> General/Use CMOS for configuration values
> General/Allow use of binary-only repository
> Chipset/Add imc firmware (don't specify location or IDs, let it auto-populate)
> Chipset/SATA Mode 2 (don't specify location or IDs, let it auto-populate)
> Devices/Add a VGA BIOS image (don't specify location or IDs, let it auto-populate)
> Payload/SeaBIOS 1.11.0
>
> And to keep this on topic for the Qubes Users mailing list, if you plan on running Qubes 4.0 on there, you'll also want this Coreboot patch currently waiting on code review: https://review.coreboot.org/#/c/coreboot/+/22843 .

I do plan on running Qubes 4.0, how do I actually patch coreboot before the build?
Re: [qubes-users] Re: Lenovo G505S Coreboot
On Mon, December 25, 2017 1:47 pm, Blooorp wrote:
> On Monday, 25 December 2017 14:39:45 UTC+1, awokd wrote:
>> On Mon, December 25, 2017 12:35 pm, Blooorp wrote:
>>> Hey, I'm having some heavy trouble getting coreboot on my G505s, could you take a look at how I did it to see if you spot any difference compared to how you did it?
>>>
>>> Here is how I built, flashed and tested it : https://ghostbin.com/paste/wprhk
>>
>> They seem to block Tor users. I can take a look if you put it on pastebin.com for example.
>
> Coreboot Lenovo G505s - Build/Flash/Test https://pastebin.com/58K4VGgf
> Full make output https://pastebin.com/nAPbNjJG

I think you are very close to having it working, probably only the video.

Try the following options in your menuconfig:
General/Use CMOS for configuration values
General/Allow use of binary-only repository
Chipset/Add imc firmware (don't specify location or IDs, let it auto-populate)
Chipset/SATA Mode 2 (don't specify location or IDs, let it auto-populate)
Devices/Add a VGA BIOS image (don't specify location or IDs, let it auto-populate)
Payload/SeaBIOS 1.11.0

And to keep this on topic for the Qubes Users mailing list, if you plan on running Qubes 4.0 on there, you'll also want this Coreboot patch currently waiting on code review: https://review.coreboot.org/#/c/coreboot/+/22843 .
Re: [qubes-users] Re: Lenovo G505S Coreboot
On Monday, 25 December 2017 14:39:45 UTC+1, awokd wrote:
> On Mon, December 25, 2017 12:35 pm, Blooorp wrote:
> > Hey, I'm having some heavy trouble getting coreboot on my G505s, could you take a look at how I did it to see if you spot any difference compared to how you did it?
> >
> > Here is how I built, flashed and tested it : https://ghostbin.com/paste/wprhk
>
> They seem to block Tor users. I can take a look if you put it on pastebin.com for example.

Coreboot Lenovo G505s - Build/Flash/Test https://pastebin.com/58K4VGgf
Full make output https://pastebin.com/nAPbNjJG

If you need any more information, just ask me, I don't know exactly what may be relevant to pinpoint my issue but I really want to get it done :)
Re: [qubes-users] Re: Lenovo G505S Coreboot
On Mon, December 25, 2017 12:35 pm, Blooorp wrote:
> Hey, I'm having some heavy trouble getting coreboot on my G505s, could you take a look at how I did it to see if you spot any difference compared to how you did it?
>
> Here is how I built, flashed and tested it : https://ghostbin.com/paste/wprhk

They seem to block Tor users. I can take a look if you put it on pastebin.com for example.
[qubes-users] Re: Lenovo G505S Coreboot
Hey, I'm having some heavy trouble getting coreboot on my G505s, could you take a look at how I did it to see if you spot any difference compared to how you did it?

Here is how I built, flashed and tested it : https://ghostbin.com/paste/wprhk

Basically, I built it with the extracted vgabios binary from the stock rom, flashed it with Bus Pirate and tried to start the laptop. The screen would not turn on, at all.

Thanks in advance :)
[qubes-users] Re: Lenovo G505S Coreboot
Hey Asterysk, I'm having some heavy trouble getting coreboot on my G505s, could you take a look at how I did it to see if you spot any difference compared to how you did it?

Here is how I built, flashed and tested it : https://ghostbin.com/paste/wprhk

Basically, I built it with the extracted vgabios binary from the stock rom, flashed it with Bus Pirate and tried to start the laptop. The screen would not turn on, at all.

Thanks in advance :)
Re: [qubes-users] Re: Lenovo G505S Coreboot
On Thursday, 19 January 2017 18:31:35 UTC+3, Asterysk wrote:
> On Thursday, 19 January 2017 17:28:12 UTC+4, qmast...@gmail.com wrote:
> > On Thursday, 19 January 2017 12:16:12 UTC+3, qmast...@gmail.com wrote:
> > > On Thursday, 19 January 2017 7:08:46 UTC+3, Asterysk wrote:
> > > > On Thursday, 19 January 2017 03:04:32 UTC+4, tai...@gmx.com wrote:
> > > > > As always physical access is a checkmate situation, you need to not be an idiot and don't leave your stuff in overseas hotel rooms or not have secure locks on your door.
> > > >
> > > > Unless USB port seals (e.g. http://www.padjack.com/padjack-versions/usb-port-lock/) are put in place as soon as the laptop is removed from the manufacturer's box it is impossible to know whether someone has installed a device that has in turn infected firmware. A similar situation for any DMA access ports (Thunderbolt etc)
> > > >
> > > > I'm interested in being able to take a possibly infected laptop (i.e. infected with firmware malware) and reset it to a known safe starting point. Coreboot seems to handle the BIOS (thank you for clarification that it completely rewrites legacy and UEFI). Replacing the HD with a new SSD should handle that firmware attack vector. That leaves the other EEPROMS.
> > > >
> > > > I figure, if I'm going to strip down my G505S to reflash with Coreboot, I should see what other EEPROMs I can reflash.
> > > >
> > > > Apart from the obvious RAM and SSD upgrade and possibly putting switches on peripherals, are there any other hardware mods you can suggest for the G505S.
> > > >
> > > > Having sorted out the hardware, I am then going to be looking to use Qubes to protect against any attempts to reflash through Malware and after that's done, I'll be looking for ways to detect that any attack is being attempted.
> > > >
> > > > All in all I think I've got about a year's work ahead !
> > >
> > > To reduce the number of "EEPROMs" you could disconnect: a touch pad, DVD drive, web camera ; Maybe also a small board with LS-9901P part number (don't confuse with LA-9901P), see its google pictures online - and according to G505S laptop's LA-A091P motherboard datasheet (which also contains a datasheet for laptop's smaller boards) this board has a Realtek chip for card reader. By the way, you could either find out what lines of flex cable the card reader is using, and install a custom jumper on them ; or maybe get a flex cable with the same number of pins / same pitch between them , find (from datasheet?) what lines that lonely USB port is using to get to Bolton-M3 FCH, get a USB female header and solder a custom adapter which adds only a USB port to laptop (so no card reader chip). Probably the hardest thing to do is to disconnect a web camera - you will need to tear down a screen which is quite risky. BTW screen also contains the internal reprogrammable memory (e.g. for storing EDID), and a malicious firmware could cause screen to transfer information through electromagnetic impulses (TEMPEST? - http://www.surasoft.com/articles/tempest.php )
> > >
> > > Actually it is possible to remove a motherboard with CPU, CPU Fan, Heatsink, Power Jack Wire, and Power Button Board attached (could make a custom power button adapter with huge convenient buttons!) and create a custom case for all this stuff. If you are lucky you could find someone selling a used G505S with broken screen for very cheap price, and do that. This way you avoid webcam, screen, dvd drive, touchpad, card reader chip, and internal keyboard (see below why)
> > >
> > > Maybe don't need to seal the USB ports yet: it is not just seriously reducing the usability of this laptop, but also makes it impossible to connect a USB keyboard. Maybe you would prefer that, when you type, your keystrokes are going through external keyboard's USB controller, rather than through laptop's Embedded Controller KB9012 which has a closed source firmware and controls PS/2-like laptop's internal keyboard. You could make your own open hardware USB keyboard with open source firmware, and using it will be slightly safer (and slightly less convenient) than laptop's internal one
> > >
> > > Also, another possible hardware mod (not related to security) - instead of DVD drive you could install a fan for extra cooling, see http://forum.notebookreview.com/threads/10mm-5v-cooler-instead-of-laptops-dvd-slimline-sata.797064/ . Although don't know if it is worth it, because some really great external USB coolers are available -
Re: [qubes-users] Re: Lenovo G505S Coreboot
On Thursday, 19 January 2017 17:28:12 UTC+4, qmast...@gmail.com wrote:
> On Thursday, 19 January 2017 12:16:12 UTC+3, qmast...@gmail.com wrote:
> > On Thursday, 19 January 2017 7:08:46 UTC+3, Asterysk wrote:
> > > On Thursday, 19 January 2017 03:04:32 UTC+4, tai...@gmx.com wrote:
> > > > As always physical access is a checkmate situation, you need to not be an idiot and don't leave your stuff in overseas hotel rooms or not have secure locks on your door.
> > >
> > > Unless USB port seals (e.g. http://www.padjack.com/padjack-versions/usb-port-lock/) are put in place as soon as the laptop is removed from the manufacturer's box it is impossible to know whether someone has installed a device that has in turn infected firmware. A similar situation for any DMA access ports (Thunderbolt etc)
> > >
> > > I'm interested in being able to take a possibly infected laptop (i.e. infected with firmware malware) and reset it to a known safe starting point. Coreboot seems to handle the BIOS (thank you for clarification that it completely rewrites legacy and UEFI). Replacing the HD with a new SSD should handle that firmware attack vector. That leaves the other EEPROMS.
> > >
> > > I figure, if I'm going to strip down my G505S to reflash with Coreboot, I should see what other EEPROMs I can reflash.
> > >
> > > Apart from the obvious RAM and SSD upgrade and possibly putting switches on peripherals, are there any other hardware mods you can suggest for the G505S.
> > >
> > > Having sorted out the hardware, I am then going to be looking to use Qubes to protect against any attempts to reflash through Malware and after that's done, I'll be looking for ways to detect that any attack is being attempted.
> > >
> > > All in all I think I've got about a year's work ahead !
> >
> > To reduce the number of "EEPROMs" you could disconnect: a touch pad, DVD drive, web camera ; Maybe also a small board with LS-9901P part number (don't confuse with LA-9901P), see its google pictures online - and according to G505S laptop's LA-A091P motherboard datasheet (which also contains a datasheet for laptop's smaller boards) this board has a Realtek chip for card reader. By the way, you could either find out what lines of flex cable the card reader is using, and install a custom jumper on them ; or maybe get a flex cable with the same number of pins / same pitch between them , find (from datasheet?) what lines that lonely USB port is using to get to Bolton-M3 FCH, get a USB female header and solder a custom adapter which adds only a USB port to laptop (so no card reader chip). Probably the hardest thing to do is to disconnect a web camera - you will need to tear down a screen which is quite risky. BTW screen also contains the internal reprogrammable memory (e.g. for storing EDID), and a malicious firmware could cause screen to transfer information through electromagnetic impulses (TEMPEST? - http://www.surasoft.com/articles/tempest.php )
> >
> > Actually it is possible to remove a motherboard with CPU, CPU Fan, Heatsink, Power Jack Wire, and Power Button Board attached (could make a custom power button adapter with huge convenient buttons!) and create a custom case for all this stuff. If you are lucky you could find someone selling a used G505S with broken screen for very cheap price, and do that. This way you avoid webcam, screen, dvd drive, touchpad, card reader chip, and internal keyboard (see below why)
> >
> > Maybe don't need to seal the USB ports yet: it is not just seriously reducing the usability of this laptop, but also makes it impossible to connect a USB keyboard. Maybe you would prefer that, when you type, your keystrokes are going through external keyboard's USB controller, rather than through laptop's Embedded Controller KB9012 which has a closed source firmware and controls PS/2-like laptop's internal keyboard. You could make your own open hardware USB keyboard with open source firmware, and using it will be slightly safer (and slightly less convenient) than laptop's internal one
> >
> > Also, another possible hardware mod (not related to security) - instead of DVD drive you could install a fan for extra cooling, see http://forum.notebookreview.com/threads/10mm-5v-cooler-instead-of-laptops-dvd-slimline-sata.797064/ . Although don't know if it is worth it, because some really great external USB coolers are available - https://www.aliexpress.com/item/Mini-LCD-Vacuum-USB-Cooler-Air-Extracting-Cooling-Fan-Turbo-Radiator-Low-Noise-Desgin-for-Laptop/32231641439.html
>
> Please read a message above... If we are talking about the motherboard, main board of this laptop : aside from 4MB BIOS flash chip and 128KB EC
Re: [qubes-users] Re: Lenovo G505S Coreboot
On Thursday, 19 January 2017 18:17:59 UTC+4, Asterysk wrote:
> "1) Erase a BIOS chip and flash it with coreboot http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate "
>
> Did you buy the necessary components from AliExpress as linked in the article ? They are saying a couple of months delivery time !!

All components now ordered, most from Ali Express but a couple from USA. I should hopefully be good to start in about a month
Re: [qubes-users] Re: Lenovo G505S Coreboot
"1) Erase a BIOS chip and flash it with coreboot http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate "

Did you buy the necessary components from AliExpress as linked in the article ? They are saying a couple of months delivery time !!
Re: [qubes-users] Re: Lenovo G505S Coreboot
On Thursday, 19 January 2017 12:16:12 UTC+3, qmast...@gmail.com wrote:
> On Thursday, 19 January 2017 7:08:46 UTC+3, Asterysk wrote:
> > On Thursday, 19 January 2017 03:04:32 UTC+4, tai...@gmx.com wrote:
> > > As always physical access is a checkmate situation, you need to not be an idiot and don't leave your stuff in overseas hotel rooms or not have secure locks on your door.
> >
> > Unless USB port seals (e.g. http://www.padjack.com/padjack-versions/usb-port-lock/) are put in place as soon as the laptop is removed from the manufacturer's box it is impossible to know whether someone has installed a device that has in turn infected firmware. A similar situation for any DMA access ports (Thunderbolt etc)
> >
> > I'm interested in being able to take a possibly infected laptop (i.e. infected with firmware malware) and reset it to a known safe starting point. Coreboot seems to handle the BIOS (thank you for clarification that it completely rewrites legacy and UEFI). Replacing the HD with a new SSD should handle that firmware attack vector. That leaves the other EEPROMS.
> >
> > I figure, if I'm going to strip down my G505S to reflash with Coreboot, I should see what other EEPROMs I can reflash.
> >
> > Apart from the obvious RAM and SSD upgrade and possibly putting switches on peripherals, are there any other hardware mods you can suggest for the G505S.
> >
> > Having sorted out the hardware, I am then going to be looking to use Qubes to protect against any attempts to reflash through Malware and after that's done, I'll be looking for ways to detect that any attack is being attempted.
> >
> > All in all I think I've got about a year's work ahead !
>
> To reduce the number of "EEPROMs" you could disconnect: a touch pad, DVD drive, web camera ; Maybe also a small board with LS-9901P part number (don't confuse with LA-9901P), see its google pictures online - and according to G505S laptop's LA-A091P motherboard datasheet (which also contains a datasheet for laptop's smaller boards) this board has a Realtek chip for card reader. By the way, you could either find out what lines of flex cable the card reader is using, and install a custom jumper on them ; or maybe get a flex cable with the same number of pins / same pitch between them , find (from datasheet?) what lines that lonely USB port is using to get to Bolton-M3 FCH, get a USB female header and solder a custom adapter which adds only a USB port to laptop (so no card reader chip). Probably the hardest thing to do is to disconnect a web camera - you will need to tear down a screen which is quite risky. BTW screen also contains the internal reprogrammable memory (e.g. for storing EDID), and a malicious firmware could cause screen to transfer information through electromagnetic impulses (TEMPEST? - http://www.surasoft.com/articles/tempest.php )
>
> Actually it is possible to remove a motherboard with CPU, CPU Fan, Heatsink, Power Jack Wire, and Power Button Board attached (could make a custom power button adapter with huge convenient buttons!) and create a custom case for all this stuff. If you are lucky you could find someone selling a used G505S with broken screen for very cheap price, and do that. This way you avoid webcam, screen, dvd drive, touchpad, card reader chip, and internal keyboard (see below why)
>
> Maybe don't need to seal the USB ports yet: it is not just seriously reducing the usability of this laptop, but also makes it impossible to connect a USB keyboard. Maybe you would prefer that, when you type, your keystrokes are going through external keyboard's USB controller, rather than through laptop's Embedded Controller KB9012 which has a closed source firmware and controls PS/2-like laptop's internal keyboard. You could make your own open hardware USB keyboard with open source firmware, and using it will be slightly safer (and slightly less convenient) than laptop's internal one
>
> Also, another possible hardware mod (not related to security) - instead of DVD drive you could install a fan for extra cooling, see http://forum.notebookreview.com/threads/10mm-5v-cooler-instead-of-laptops-dvd-slimline-sata.797064/ . Although don't know if it is worth it, because some really great external USB coolers are available - https://www.aliexpress.com/item/Mini-LCD-Vacuum-USB-Cooler-Air-Extracting-Cooling-Fan-Turbo-Radiator-Low-Noise-Desgin-for-Laptop/32231641439.html

Please read a message above... If we are talking about the motherboard, main board of this laptop : aside from 4MB BIOS flash chip and 128KB EC KB9012's internal memory, I am not aware about any other "EEPROMs" on this board which could be reflashed and how to reflash them. Well, there is probably a CMOS memory somewhere, but I don't know where it is located and don't know how to access
Re: [qubes-users] Re: Lenovo G505S Coreboot
четверг, 19 января 2017 г., 7:08:46 UTC+3 пользователь Asterysk написал: > On Thursday, 19 January 2017 03:04:32 UTC+4, tai...@gmx.com wrote: > > As always physical access is a checkmate situation, you need to not be > > an idiot and don't leave your stuff in overseas hotel rooms or not have > > secure locks on your door. > > Unless USB port seals (e.g. > http://www.padjack.com/padjack-versions/usb-port-lock/) are put in place as > soon as the laptop is removed from the manufacturers box it is impossible to > know whether someone has installed a device that has in turn infected > firmware. A similar situation for any DMA access ports (Thunderbolt etc) > > I'm interested in being able to take a possibly infected laptop (i.e. > infected with firmware malware) and reset it to a known safe starting point. > Coreboot seems to handle the BIOS (thank you for clarification that it > completely rewrite legacy and UEFI). Replacing the HD with a new SSD should > handle that firmware attack vector. That leaves the other EEPROMS. > > I figure, if I'm going to strip down my G505S to reflash with Coreboot, I > should see what other EEPROMs I can reflash. > > Apart from the obvious RAM and SSD upgrade and possible putting switches on > peripherals, are there any other hardware mods you can suggest for the G505S. > > Having sorted out the hardware, I am then going to be looking to use Qubes to > protect against any attempts to reflash through Malware and after thats done, > I'll be looking for ways to detect that any attack is being attempted. > > All in all I think I've got about a years work ahead ! To reduce the number of "EEPROMs" you could disconnect: a touch pad, DVD drive, web camera ; Maybe also a small board with LS-9901P part number (dont confuse with LA-9901P), see its' google pictures online - and according to G505S laptop's LA-A091P motherboard datasheet (which also contains a datasheet for laptop's smaller boards) this board has a Realtek chip for card reader. 
By the way, you could either find out what lines of flex cable the card reader is using, and install a custom jumper on them; or maybe get a flex cable with the same number of pins / same pitch between them, find (from datasheet?) what lines that lonely USB port is using to get to Bolton-M3 FCH, get a USB female header and solder a custom adapter which adds only a USB port to laptop (so no card reader chip).

Probably the hardest thing to do is to disconnect a web camera - you will need to tear down a screen which is quite risky. BTW screen also contains the internal reprogrammable memory (e.g. for storing EDID), and a malicious firmware could cause screen to transfer information through electromagnetic impulses (TEMPEST? - http://www.surasoft.com/articles/tempest.php )

Actually it is possible to remove a motherboard with CPU, CPU Fan, Heatsink, Power Jack Wire, and Power Button Board attached (could make a custom power button adapter with huge convenient buttons!) and create a custom case for all this stuff. If you are lucky you could find someone selling a used G505S with broken screen for a very cheap price, and do that. This way you avoid webcam, screen, DVD drive, touchpad, card reader chip, and internal keyboard (see below why).

Maybe you don't need to seal the USB ports yet: it not only seriously reduces the usability of this laptop, but also makes it impossible to connect a USB keyboard. Maybe you would prefer that, when you type, your keystrokes are going through external keyboard's USB controller, rather than through laptop's Embedded Controller KB9012 which has a closed source firmware and controls PS/2-like laptop's internal keyboard.
You could make your own open hardware USB keyboard with open source firmware, and using it will be slightly safer (and slightly less convenient) than laptop's internal one.

Also, another possible hardware mod (not related to security) - instead of DVD drive you could install a fan for extra cooling, see http://forum.notebookreview.com/threads/10mm-5v-cooler-instead-of-laptops-dvd-slimline-sata.797064/ . Although I don't know if it is worth it, because some really great external USB coolers are available - https://www.aliexpress.com/item/Mini-LCD-Vacuum-USB-Cooler-Air-Extracting-Cooling-Fan-Turbo-Radiator-Low-Noise-Desgin-for-Laptop/32231641439.html