You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

248 lines
12 KiB

6 years ago
  1. # Skulls - [Thinkpad X230](https://pcsupport.lenovo.com/en/products/laptops-and-netbooks/thinkpad-x-series-laptops/thinkpad-x230).
  2. ![seabios_bootmenu](front.jpg)
  3. ## Latest release
  4. * This directory's `./build.sh` should produce the exact release image file (from a skulls git checkout).
  5. Get it from our [release page](https://github.com/merge/coreboot-x230/releases)
  6. * __coreboot__: We take coreboot's master branch at the time we build a release image.
  7. * __microcode update__: revision `20` from 2018-04-10 (includes mitigations for Spectre Variant 3a and 4)
  8. * __SeaBIOS__: version [1.12.0](https://seabios.org/Releases) from 2018-11-17
  9. ## table of contents
  10. * [TL;DR](#tldr)
  11. * [First-time installation](#firsttime-installation)
  12. * [Updating](#updating)
  13. * [Moving to Heads](#moving-to-heads)
  14. * [Why does this work](#why-does-this-work)
  15. ## TL;DR
  16. 1. run `sudo ./x230_before_first_install.sh` on your current X230 Linux system
  17. 2. Power down, remove the battery. Remove the keyboard and palmrest. Connect
  18. a hardware flasher to an external PC (or a Raspberry Pi with a SPI 8-pin chip clip
  19. can directly be used), and run
  20. `sudo ./external_install_bottom.sh` on the lower chip
  21. and `sudo ./external_install_top.sh` on the top chip of the two.
  22. 3. For updating later, run `./x230_skulls.sh`. No need to disassemble.
  23. And always use the latest [released](https://github.com/merge/coreboot-x230/releases)
  24. package. This will be tested. The git master
  25. branch is _not_ meant to be stable. Use it for testing only.
  26. ## First-time installation
  27. #### before you begin
  28. Before starting, run Linux on your X230, install `dmidecode` and run
  29. `sudo ./x230_before_first_install.sh`. It simply prints system information and helps
  30. you find out your RAM voltage. Make sure you have RAM that uses
  31. [1,5V, not 1,35V](https://www.coreboot.org/Intel_Native_Raminit#Sandybridge.2FIvybridge).
  32. Also make sure you have the latest skulls-x230 package release by running `./upgrade.sh`.
  33. #### original BIOS update / EC firmware (optional)
  34. Before flashing coreboot, consider doing one original Lenovo upgrade process
  35. in case you're not running the latest version. This is not supported anymore,
  36. once you're running coreboot (You'd have to manually flash back your backup
  37. images first, see later chapters).
  38. Also, this updates the BIOS _and_ Embedded Controller (EC) firmware. The EC
  39. is not updated anymore, when running coreboot. The latest EC version is 1.14
  40. and that's unlikely to change.
  41. In case you're not running the latest BIOS version, either
  42. * use [the latest original CD](https://support.lenovo.com/at/en/downloads/ds029188) and burn it, or
  43. * use the same, only with a patched EC firmware that allows using any aftermarket-battery:
  44. By default, only original Lenovo batteries are allowed.
  45. Thanks to [this](http://zmatt.net/unlocking-my-lenovo-laptop-part-3/)
  46. [project](https://github.com/eigenmatt/mec-tools) we can use Lenovo's bootable
  47. upgrade image, change it and create a bootable _USB_ image, with an EC update
  48. that allows us to use any 3rd party aftermarket battery:
  49. sudo apt-get install build-essential git mtools libssl-dev
  50. git clone https://github.com/hamishcoleman/thinkpad-ec && cd thinkpad-ec
  51. make patch_disable_keyboard clean
  52. make patch_enable_battery clean
  53. make patched.x230.img
  54. That's it. You can create a bootable USB stick: `sudo dd if=patched.x230.img of=/dev/sdx`
  55. and boot from it. Alternatively, burn `patched.x230.iso` to a CD. And make sure
  56. you have "legacy" boot set, not "UEFI" boot.
  57. #### preparation: required hardware
  58. * An 8 Pin SOIC Clip, for example from
  59. [Pomona electronics](https://www.pomonaelectronics.com/products/test-clips/soic-clip-8-pin)
  60. (for availability, check
  61. [aliexpress](https://de.aliexpress.com/item/POMONA-SOIC-CLIP-5250-8pin-eeprom-for-tacho-8pin-cable-for-pomana-soic-8pin/32814247676.html) or
  62. [elsewhere](https://geizhals.eu/?fs=pomona+test+clip+5250))
  63. or alternatively hooks like
  64. [E-Z-Hook](http://catalog.e-z-hook.com/viewitems/test-hooks/e-z-micro-hooks-single-hook-style)
  65. * 6 [female](https://electronics.stackexchange.com/questions/37783/how-can-i-create-a-female-jumper-wire-connector)
  66. [jumper wires](https://en.wikipedia.org/wiki/Jump_wire) like
  67. [these](https://geizhals.eu/jumper-cable-female-female-20cm-a1471094.html)
  68. to connect the clip to a hardware flasher (if not included with the clip)
  69. * a hardware flasher
  70. [supported by flashrom](https://www.flashrom.org/Flashrom/0.9.9/Supported_Hardware#USB_Devices), see below for the examples we support
  71. #### open up the X230
  72. Remove the 7 screws of your X230 to remove the keyboard (by pushing it towards the
  73. screen before lifting) and the palmrest. You'll find the chips using the photo
  74. below. This is how the SPI connection looks like on both of the X230's chips:
  75. Screen (furthest from you)
  76. ______
  77. MOSI 5 --| |-- 4 GND
  78. CLK 6 --| |-- 3 N/C
  79. N/C 7 --| |-- 2 MISO
  80. VCC 8 --|______|-- 1 CS
  81. Edge (closest to you)
  82. ... choose __one of the following__ supported flashing hardware examples:
  83. #### Hardware Example: Raspberry Pi 3
  84. A Raspberry Pi can directly be a flasher through it's I/O pins, see below.
  85. Use a test clip or hooks, see [required hardware](#preparation-required-hardware).
  86. On the RPi we run [Raspbian](https://www.raspberrypi.org/downloads/raspbian/)
  87. and have the following setup:
  88. * Connect to the console: Either
  89. * connect a screen and a keyboard, or
  90. * Use the [Serial connection](https://elinux.org/RPi_Serial_Connection) using a
  91. USB-to-serial cable (like [Adafruit 954](http://www.adafruit.com/products/954),
  92. [FTDI TTL-232R-RPI](http://www.ftdichip.com/Products/Cables/RPi.htm) or
  93. [others](https://geizhals.eu/usb-to-ttl-serial-adapter-cable-a1461312.html)) and
  94. picocom (`picocom -b 115200 /dev/ttyUSB0`) or minicom
  95. * in the SD Cards's `/boot/config.txt` file `enable_uart=1` and `dtparam=spi=on`
  96. * [For flashrom](https://www.flashrom.org/RaspberryPi) we put `spi_bcm2835`
  97. and `spidev` in /etc/modules
  98. * [Connect to a wifi](https://www.raspberrypi.org/documentation/configuration/wireless/wireless-cli.md)
  99. or ethernet to `sudo apt-get install flashrom`
  100. * connect the Clip to the Raspberry Pi 3 (there are
  101. [prettier images](https://github.com/splitbrain/rpibplusleaf) too):
  102. Edge of pi (furthest from you)
  103. (UART)
  104. L GND TX RX CS
  105. E | | | |
  106. F +---------------------------------------------------------------------------------+
  107. T | x x x x x x x x x x x x x x x x x x x x |
  108. | x x x x x x x x x x x x x x x x x x x x |
  109. E +----------------------------------^---^---^---^-------------------------------^--+
  110. D | | | | |
  111. G 3.3V MOSIMISO| GND
  112. E (VCC) CLK
  113. Body of Pi (closest to you)
  114. ![Raspberry Pi at work](rpi_clip.jpg)
  115. Now copy the Skulls release tarball over to the Rasperry Pi and
  116. [continue](#unpack-the-skulls-release-archive) on the Pi.
  117. #### Hardware Example: CH341A based
  118. The CH341A from [Winchiphead](http://www.wch.cn/), a USB interface chip,
  119. is used by some cheap memory programmers.
  120. The one we describe can be bought at
  121. [aliexpress](http://www.aliexpress.com/item/Free-Shipping-CH341A-24-25-Series-EEPROM-Flash-BIOS-DVD-USB-Programmer-DVD-programmer-router-Nine/32583059603.html),
  122. but it's available [elsewhere](https://geizhals.eu/?fs=ch341a) too.
  123. Also, we don't use the included 3,3V power output (provides too little power),
  124. but a separate power supply. If you don't have any, consider getting a AMS1117
  125. based supply for a second USB port (like [this](https://de.aliexpress.com/item/1PCS-AMS1117-3-3V-Mini-USB-5V-3-3V-DC-Perfect-Power-Supply-Module/32785334595.html) or [this](https://www.ebay.com/sch/i.html?_nkw=ams1117+usb)).
  126. * Leave the P/S Jumper connected (programmer mode, 1a86:5512 USB device)
  127. * Connect 3,3V from your external supply to the Pomona clip's (or hook) VCC
  128. * Connect GND from your external supply to GND on your CH341A programmer
  129. * Connect your clip or hooks to the rest of the programmer's SPI pins
  130. * Connect the programmer (and power supply, if USB) to your PC's USB port
  131. ![ch341a programmer with extra USB power supply](ch341a.jpg)
  132. #### unpack the Skulls release archive
  133. tar -xf skulls-x230-<version>.tar.xz
  134. cd skulls-x230-<version>
  135. #### ifd unlock and me_cleaner: the 8MB chip
  136. The [Intel Management Engine](https://en.wikipedia.org/wiki/Intel_Management_Engine)
  137. resides on the 8MB chip (at the bottom, closer to you).
  138. We don't need to touch it for coreboot-upgrades in the future, but to
  139. enable internal flashing, we need to unlock it once, and remove the Management
  140. Engine for
  141. [security reasons](https://en.wikipedia.org/wiki/Intel_Management_Engine#Security_vulnerabilities):
  142. sudo ./external_install_bottom.sh -m -k <backup-file-to-create>
  143. That's it. Keep the backup safe.
  144. Background (just so you know):
  145. * The `-m` option above also runs `me_cleaner -S` before flashing back, see [me_cleaner](https://github.com/corna/me_cleaner).
  146. * The `-l` option will (re-)lock your flash ROM, in case you want to force
  147. yourself (and others) to hardware-flashing.
  148. * Connecting an ethernet cable as a power-source for SPI (instead of the VCC pin)
  149. is not necessary (some other flashing how-to guides mention this).
  150. Setting a fixed (and low) SPI speed for flashrom offeres the same stability.
  151. Our scripts do this for you.
  152. #### BIOS: the 4MB chip
  153. sudo ./external_install_top.sh -k <backup-file-to-create>
  154. Select the image to flash and that's it. The image named "free" includes
  155. [SeaVGABIOS](https://www.seabios.org/SeaVGABIOS) instead of
  156. [Intel's VGA Bios](https://www.intel.com/content/www/us/en/intelligent-systems/intel-embedded-graphics-drivers/faq-bios-firmware.html).
  157. Keep the backup safe, assemble and
  158. turn on the X230. coreboot will do hardware init and start SeaBIOS.
  159. ## Updating
  160. Only the "upper" 4MB chip has to be written.
  161. You can again flash externally, using `external_install_top.sh` just like the
  162. first time, see above.
  163. Instead you can run the update directly on your X230
  164. using Linux. That's of course very convenient - just install flashrom from your
  165. Linux distribution - but according to the
  166. [flashrom manpage](https://manpages.debian.org/stretch/flashrom/flashrom.8.en.html)
  167. this is very dangerous:
  168. 1. boot Linux with the `iomem=relaxed` boot parameter (for example in /etc/default/grub `GRUB_CMDLINE_LINUX_DEFAULT`)
  169. 2. [download](https://github.com/merge/skulls/releases) the latest Skulls release tarball and unpack it
  170. 3. run `sudo ./x230_skulls.sh` and choose the image to flash.
  171. ## Moving to Heads
  172. [Heads](http://osresearch.net/) is an alternative BIOS system with advanced
  173. security features. It's more complicated to use though. When having Skulls
  174. installed, installing Heads is as easy as updating Skulls. You can directly
  175. start using it:
  176. * [build Heads](https://github.com/osresearch/heads)
  177. * boot Linux with the `iomem=relaxed` boot parameter
  178. * copy Heads' 12M image file `build/x230/coreboot.rom` to Skulls' x230 directory
  179. * run `sudo ./x230_heads.sh`
  180. That's it. Heads is a completely different project. Please read the
  181. [documentation](http://osresearch.net/) for how to use it and report bugs
  182. [over there](https://github.com/osresearch/heads/issues)
  183. Switching back to Skulls is the same as [updating](#updating). Just run
  184. `./x230_skulls.sh`.
  185. ## Why does this work?
  186. On the X230, there are 2 physical "BIOS" chips. The "upper" 4MB
  187. one holds the actual bios we can generate using coreboot, and the "lower" 8MB
  188. one holds the rest that you can [modify yourself once](#flashing-for-the-first-time),
  189. if you like, but strictly speaking, you
  190. [don't need to touch it at all](https://www.coreboot.org/Board:lenovo/x230#Building_Firmware).
  191. What's this "rest"?
  192. Mainly a tiny binary used by the Ethernet card and the Intel Management Engine.