Tom Schlenkhoff d6af286752 | 5 years ago | |
---|---|---|
.. | ||
util | 6 years ago | |
.gitignore | 5 years ago | |
LICENSE | 6 years ago | |
NEWS | 5 years ago | |
README.md | 5 years ago | |
bootsplash.jpg | 5 years ago | |
bootsplash.xcf | 5 years ago | |
build.sh | 5 years ago | |
ch341a.jpg | 6 years ago | |
compile.sh | 6 years ago | |
external_install_bottom.sh | 5 years ago | |
external_install_top.sh | 5 years ago | |
free-config-cd97982e2e | 5 years ago | |
front.jpg | 5 years ago | |
nonfree-config-cd97982e2e | 5 years ago | |
pci8086,0166.rom | 6 years ago | |
release.sh | 6 years ago | |
rpi_clip.jpg | 6 years ago | |
skulls_common.sh | 6 years ago | |
upgrade.sh | 6 years ago | |
x230_before_first_install.sh | 5 years ago | |
x230_heads.sh | 6 years ago | |
x230_skulls.sh | 5 years ago |
Get it from our release page
20
from 2018-04-10 (includes mitigations for Spectre Variant 3a and 4)We release multiple different, but very similar images you can choose from. They all should work on all versions of the X230/X230T. These are the differences; (xxxxxxxxxx stands for random characters in the filename):
x230_coreboot_seabios_xxxxxxxxxx_top.rom
includes the proprietary
VGA BIOS from Intel
which is non-free software. It is executed in "secure" mode.x230_coreboot_seabios_free_xxxxxxxxxx_top.rom
includes the
VGA BIOS
SeaVGABIOS which is free software.
While technically more interesting, visually this is currently not as
beautiful:
sudo ./x230_before_first_install.sh
on your current X230 Linux systemsudo ./external_install_bottom.sh
on the lower chip
and sudo ./external_install_top.sh
on the top chip of the two../x230_skulls.sh
. No need to disassemble.And always use the latest released package. This will be tested. The git master branch is not meant to be stable. Use it for testing only.
Before starting, run Linux on your X230, install dmidecode
and run
sudo ./x230_before_first_install.sh
. It simply prints system information and
helps you to be up to date.
Also make sure you have the latest skulls-x230 package release by running ./upgrade.sh
.
Before flashing coreboot, consider doing one original Lenovo upgrade process in case you're not running the latest version. This is not supported anymore, once you're running coreboot (You'd have to manually flash back your backup images first, see later chapters).
Also, this updates the BIOS and Embedded Controller (EC) firmware. The EC is not updated anymore, when running coreboot. The latest EC version is 1.14 and that's unlikely to change.
In case you're not running the latest BIOS version, either
use the latest original CD and burn it, or
use the same, only with a patched EC firmware that allows using any aftermarket-battery: By default, only original Lenovo batteries are allowed. Thanks to this project we can use Lenovo's bootable upgrade image, change it and create a bootable USB image, with an EC update that allows us to use any 3rd party aftermarket battery:
sudo apt-get install build-essential git mtools libssl-dev
git clone https://github.com/hamishcoleman/thinkpad-ec && cd thinkpad-ec
make patch_disable_keyboard clean
make patch_enable_battery clean
make patched.x230.img
That's it. You can create a bootable USB stick: sudo dd if=patched.x230.img of=/dev/sdx
and boot from it. Alternatively, burn patched.x230.iso
to a CD. And make sure
you have "legacy" boot set, not "UEFI" boot.
Remove the 7 screws of your X230 to remove the keyboard (by pushing it towards the screen before lifting) and the palmrest. You'll find the chips using the photo below. This is how the SPI connection looks like on both of the X230's chips:
Screen (furthest from you)
______
MOSI 5 --| |-- 4 GND
CLK 6 --| |-- 3 N/C
N/C 7 --| |-- 2 MISO
VCC 8 --|______|-- 1 CS
Edge (closest to you)
... choose one of the following supported flashing hardware examples:
A Raspberry Pi can directly be a flasher through it's I/O pins, see below. Use a test clip or hooks, see required hardware.
On the RPi we run Raspbian and have the following setup:
Connect to the console: Either
picocom -b 115200 /dev/ttyUSB0
) or minicomin the SD Cards's /boot/config.txt
file enable_uart=1
and dtparam=spi=on
For flashrom we put spi_bcm2835
and spidev
in /etc/modules
Connect to a wifi
or ethernet to sudo apt-get install flashrom
connect the Clip to the Raspberry Pi 3 (there are prettier images too):
Edge of pi (furthest from you)
(UART)
L GND TX RX CS
E | | | |
F +---------------------------------------------------------------------------------+
T | x x x x x x x x x x x x x x x x x x x x |
| x x x x x x x x x x x x x x x x x x x x |
E +----------------------------------^---^---^---^-------------------------------^--+
D | | | | |
G 3.3V MOSIMISO| GND
E (VCC) CLK
Body of Pi (closest to you)
Now copy the Skulls release tarball over to the Rasperry Pi and continue on the Pi.
We flash at low speeds. Unlocking the bottom chip with its two reads, one write and one verify step usually takes approximately one hour in total.
The CH341A from Winchiphead, a USB interface chip, is used by some cheap memory programmers. The one we describe can be bought at aliexpress, but it's available elsewhere too. Also, we don't use the included 3,3V power output (provides too little power), but a separate power supply. If you don't have any, consider getting a AMS1117 based supply for a second USB port (like this or this).
tar -xf skulls-x230-<version>.tar.xz
cd skulls-x230-<version>
Flashing the bottom chip (closer to you) is optional. It has the same pinout than the upper chip. This allows you to enable in-system flashing (flashing without opening the Thinkpad) and/or to neuter the the Intel Management Engine for security reasons.
Choose wisely, by unlocking any software can re-flash the BIOS. By neutering the Intel ME you can not have a e.g. measured boot with Qubes.
The following command defaults to unlocking the BIOS and cleaning the IME.
sudo ./external_install_bottom.sh -m -k <backup-file-to-create>
That's it. Keep the backup safe.
Background (just so you know):
-m
option above also runs me_cleaner -S
before flashing back, see me_cleaner.-l
option will (re-)lock your flash ROM, in case you want to force
yourself (and others) to hardware-flashing.sudo ./external_install_top.sh -k <backup-file-to-create>
Select the image to flash and that's it. Keep the backup safe, assemble and turn on the X230. coreboot will do hardware init and start SeaBIOS.
Only the "upper" 4MB chip has to be written.
You can again flash externally, using external_install_top.sh
just like the
first time, see above.
Instead you can run the update directly on your X230 using Linux. That's of course very convenient - just install flashrom from your Linux distribution - but according to the flashrom manpage this is very dangerous:
iomem=relaxed
boot parameter (for example in /etc/default/grub GRUB_CMDLINE_LINUX_DEFAULT
)sudo ./x230_skulls.sh
and choose the image to flash.Heads is an alternative BIOS system with advanced security features. It's more complicated to use though. When having Skulls installed, installing Heads is as easy as updating Skulls. You can directly start using it:
iomem=relaxed
boot parameterbuild/x230/coreboot.rom
to Skulls' x230 directorysudo ./x230_heads.sh
That's it. Heads is a completely different project. Please read the documentation for how to use it and report bugs over there
Switching back to Skulls is the same as updating. Just run
./x230_skulls.sh
.
On the X230, there are 2 physical "BIOS" chips. The "upper" 4MB one holds the actual bios we can generate using coreboot, and the "lower" 8MB one holds the rest that you can modify yourself once, if you like, but strictly speaking, you don't need to touch it at all. What's this "rest"? Mainly a tiny binary used by the Ethernet card and the Intel Management Engine. Read the coreboot documentation for more details.
git clone https://github.com/merge/skulls
git checkout <VERSION>
for the release you want to buildcd skulls/x230
./build.sh
and choose the configuration you want to build