-
-
Notifications
You must be signed in to change notification settings - Fork 187
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add xx30-maximized and xx30-hotp-maximized boards (11.5mb flashable B…
…IOS regions, reproducible me.bin and generated gbe.bin and totally externally and internally flashable roms) (#703) * xx30-*-maximized: update flashrom options removing --ifd bios option, keeping whole flash of rom internally. WARNING: ifd needs to be initially unlocked through ifdtool -u on 8mb bottom SPI backup. YOU CANNOT COME FROM 1VYRAIN. IF COMING FROM SKULLS, YOU MUST HAVE RAN OPTIONAL -u OPTION FROM SKULLS. PLEASE UPGRADE ONLY AFTER HAVING A PHYSICAL BACKUP OF BOTH SPI FLASH CHIPS. MORE INFORMATION UNDER #703. This will guarantee that future flash of produced rom will reflash the ROM totally, where heads make sure of adding users customizations (public key, /etc/config.user) when internally flashed. Unfortunately, if you flash externally, you will have to reinject your public key and readd /etc/config customizations. * Adding generated bincfg coreboot 4.8.1 patch (merged under coreboot 4.13 and backported here to 4.8.1), resulting in gbe.bin under blobs/xx30/gbe.bin and instructions to replicate in README prior of automation (under repo). Note that MAC under gbe.bin is fixed to DE:AD:C0:FF:EE unless extract.sh script is ran on external backup to keep current user's MAC (Thanks to @Thrilleratplay's contribution!) * xx30 blobs: add two blobs management scripts for xx30: extract from local backup/download+neuter ME extract.sh: extract from external backup: gbe.bin, neuter under me.bin and maximize BIOS+reduce ME regions under unlocked ifd.bin. download_clean_me.sh: download and verify Lenovo latest ME version from website, and drop me.bin in place. Note: me.bin is 98kb, containing only BUP and ROMP partitions which cannot be modified nor deleted else computer won't boot. As a result, BIOS region is maximized in ifd.bin to 11.5mb and coreboot config takes advantage of that freed space. * CircleCI: xx30-*-maximized additional step to call download_clean_me.sh prior of building boards so that me.bin is dopped in place. This should be done by users prior of building xx30-*-maximized boards locally, which is imitated in CircleCI builds (look at .circleci/config.yaml for innoextract host added dependency and board buildings. Results on github for each commit).
- Loading branch information
Showing
17 changed files
with
1,234 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,70 @@ | ||
The ME blobs dumped in this directory come from the following link: https://pcsupport.lenovo.com/us/en/products/laptops-and-netbooks/thinkpad-t-series-laptops/thinkpad-t430/downloads/DS032435 | ||
|
||
This provides latest ME version 8.1.72.3002, for which only BUP and ROMP regions will be kept as non-removable: | ||
Here is what Lenovo provides as a Summary of Changes: | ||
Version 8.1.72.3002 (G1RG24WW) | ||
|
||
(Fix) Fixed the following security vulnerabilites: CVE-2017-5711, CVE-2017-5712, CVE-2017-13077, CVE-2017-13078, CVE-2017-13080. | ||
|
||
1.0.0:Automatically extract and neuter me.bin | ||
download_clean_me.sh : Downloads latest ME from lenovo verify checksum, extract ME, neuters ME, relocate and trim it and place it into me.bin | ||
|
||
sha256sum: | ||
c140d04d792bed555e616065d48bdc327bb78f0213ccc54c0ae95f12b28896a4 blobs/xx30/me.bin | ||
|
||
1.0.1: Extract blobs from rom original and updated to 2.76 BIOS version: | ||
extract.sh: takes backup, unlocks ifd, apply me_cleaner to neuter, relocate, trim it, modify BIOS and ME region of IFD and place output files into this dir. | ||
|
||
sha256sum: will vary depending of IFD and ME extracted where IFD regions of BIOS and ME should be consistent. | ||
|
||
|
||
|
||
|
||
1.1: Manually generating blobs | ||
-------------------- | ||
Manually generate me.bin: | ||
You can arrive to the same result of the following me.bin by doing the following manually: | ||
wget https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe && innoextract g1rg24ww.exe && python ~/me_cleaner/me_cleaner.py -r -t -O ~/heads/blobs/xx30/me.bin app/ME8_5M_Production.bin | ||
|
||
sha256sums: | ||
f60e1990e2da2b7efa58a645502d22d50afd97b53a092781beee9b0322b61153 g1rg24ww.exe | ||
821c6fa16e62e15bc902ce2e958ffb61f63349a471685bed0dc78ce721a01bfa app/ME8_5M_Production.bin | ||
c140d04d792bed555e616065d48bdc327bb78f0213ccc54c0ae95f12b28896a4 blobs/xx30/me.bin | ||
|
||
ifd.bin was extracted from sacrificed X230 (dead motherboard) fron an external flashrom backup (no way found to be able to extract it from Lenovo firmware upgrades as of now): | ||
python ~/me_cleaner/me_cleaner.py -S -r -t -d -O /tmp/discarded.bin -D ~/heads/blobs/xx30/ifd.bin -M /tmp/temporary_me.bin dead_serving_a_purpose_x230_bottom_spi_backup.rom | ||
|
||
sha256sum: | ||
c96d19bbf5356b2b827e1ef52d79d0010884bfc889eab48835e4af9a634d129b ifd.bin | ||
|
||
ls -al blobs/xx30/*.bin | ||
-rw-r--r-- 1 user user 8192 Oct 25 14:07 gbe.bin | ||
-rw-r--r-- 1 user user 4096 Oct 28 16:19 ifd.bin | ||
-rw-r--r-- 1 user user 98304 Oct 28 16:15 me.bin | ||
|
||
|
||
Manually regenerate gbe.bin: | ||
blobs/x230/gbe.bin is generated per bincfg from the following coreboot patch: https://review.coreboot.org/c/coreboot/+/44510 | ||
And then by following those instructions: | ||
# Use this target to generate GbE for X220/x230 | ||
gen-gbe-82579LM: | ||
cd build/coreboot-*/util/bincfg/ | ||
make | ||
./bincfg gbe-82579LM.spec gbe-82579LM.set gbe1.bin | ||
# duplicate binary as per spec | ||
cat gbe1.bin gbe1.bin > ../../../../blobs/xx30/gbe.bin | ||
rm -f gbe1.bin | ||
cd - | ||
|
||
sha256sum: | ||
9f72818e23290fb661e7899c953de2eb4cea96ff067b36348b3d061fd13366e5 blobs/xx30/gbe.bin | ||
------------------------ | ||
|
||
Notes: as specified in first link, this ME can be deployed to: | ||
Helix (Type 3xxx) | ||
T430, T430i, T430s, T430si, T431s | ||
T530, T530i | ||
W530 | ||
X1 Carbon (Type 34xx), X1 Helix (Type 3xxx), X1 Helix (Type 3xxx) 3G | ||
X230, X230i, X230 Tablet, X230i Tablet, X230s | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,56 @@ | ||
#!/bin/bash | ||
|
||
function printusage { | ||
echo "Usage: $0 -m <me_cleaner>(optional)" | ||
} | ||
|
||
BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" | ||
|
||
if [ "$#" -eq 0 ]; then printusage; fi | ||
|
||
while getopts ":m:" opt; do | ||
case $opt in | ||
m) | ||
if [ -x "$OPTARG" ]; then | ||
MECLEAN="$OPTARG" | ||
fi | ||
;; | ||
esac | ||
done | ||
|
||
FINAL_ME_BIN_SHA256SUM="c140d04d792bed555e616065d48bdc327bb78f0213ccc54c0ae95f12b28896a4 $BLOBDIR/me.bin" | ||
ME_EXE_SHA256SUM="f60e1990e2da2b7efa58a645502d22d50afd97b53a092781beee9b0322b61153 g1rg24ww.exe" | ||
ME8_5M_PRODUCTION_SHA256SUM="821c6fa16e62e15bc902ce2e958ffb61f63349a471685bed0dc78ce721a01bfa app/ME8_5M_Production.bin" | ||
|
||
|
||
if [ -z "$MECLEAN" ]; then | ||
MECLEAN=`command -v $BLOBDIR/../../build/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1|head -n1` | ||
if [ -z "$MECLEAN" ]; then | ||
echo "me_cleaner.py required but not found or specified with -m. Aborting." | ||
exit 1; | ||
fi | ||
fi | ||
|
||
echo "### Creating temp dir" | ||
extractdir=$(mktemp -d) | ||
cd "$extractdir" | ||
|
||
echo "### Downloading https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe..." | ||
wget https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe || ( echo "ERROR: wget not found" && exit 1 ) | ||
echo "### Verifying expected hash of g1rg24ww.exe" | ||
echo "$ME_EXE_SHA256SUM" | sha256sum --check || ( echo "Failed sha256sum verification on downloaded binary..." && exit 1 ) | ||
|
||
echo "### Extracting g1rg24ww.exe..." | ||
innoextract ./g1rg24ww.exe || exit 1 "Failed calling innoextract. Tool installed on host?" | ||
echo "### Verifying expected hash of app/ME8_5M_Production.bin" | ||
echo "$ME8_5M_PRODUCTION_SHA256SUM" | sha256sum --check || ( echo "Failed sha256sum verification on extracted binary..." && exit 1 ) | ||
|
||
echo "###Applying me_cleaner to neuter+deactivate+maximize reduction of ME on $bioscopy, outputting minimized ME under $BLOBDIR/me.bin... " | ||
$MECLEAN -r -t -O "$BLOBDIR/me.bin" app/ME8_5M_Production.bin | ||
echo "### Verifying expected hash of me.bin" | ||
echo "$FINAL_ME_BIN_SHA256SUM" | sha256sum --check || ( echo "Failed sha256sum verification on final binary..." && exit 1 ) | ||
|
||
|
||
echo "###Cleaning up..." | ||
cd - | ||
rm -r "$extractdir" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,68 @@ | ||
#!/bin/bash | ||
|
||
function printusage { | ||
echo "Usage: $0 -f <romdump> -m <me_cleaner>(optional) -i <ifdtool>(optional)" | ||
exit 0 | ||
} | ||
|
||
BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" | ||
|
||
if [ "$#" -eq 0 ]; then printusage; fi | ||
|
||
while getopts ":f:m:i:" opt; do | ||
case $opt in | ||
f) | ||
FILE="$OPTARG" | ||
;; | ||
m) | ||
if [ -x "$OPTARG" ]; then | ||
MECLEAN="$OPTARG" | ||
fi | ||
;; | ||
i) | ||
if [ -x "$OPTARG" ]; then | ||
IFDTOOL="$OPTARG" | ||
fi | ||
;; | ||
esac | ||
done | ||
|
||
if [ -z "$MECLEAN" ]; then | ||
MECLEAN=`command -v $BLOBDIR/../../build/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1|head -n1` | ||
if [ -z "$MECLEAN" ]; then | ||
echo "me_cleaner.py required but not found or specified with -m. Aborting." | ||
exit 1; | ||
fi | ||
fi | ||
|
||
if [ -z "$IFDTOOL" ]; then | ||
IFDTOOL=`command -v $BLOBDIR/../../build/coreboot-*/util/ifdtool/ifdtool 2>&1|head -n1` | ||
if [ -z "$IFDTOOL" ]; then | ||
echo "ifdtool required but not found or specified with -m. Aborting." | ||
exit 1; | ||
fi | ||
fi | ||
|
||
echo "FILE: $FILE" | ||
echo "ME: $MECLEAN" | ||
echo "IFD: $IFDTOOL" | ||
|
||
bioscopy=$(mktemp) | ||
extractdir=$(mktemp -d) | ||
|
||
echo "###Copying $FILE under $bioscopy" | ||
cp "$FILE" $bioscopy | ||
|
||
cd "$extractdir" | ||
echo "###Unlocking $bioscopy IFD..." | ||
$IFDTOOL -u $bioscopy | ||
echo "###Extracting regions from ROM..." | ||
$IFDTOOL -x $bioscopy | ||
echo "###Copying GBE region under $BLOBDIR/gbe.bin..." | ||
cp "$extractdir/flashregion_3_gbe.bin" "$BLOBDIR/gbe.bin" | ||
echo "###Applying me_cleaner to neuter+deactivate+maximize reduction of ME on $bioscopy, outputting minimized ME under $BLOBDIR/me.bin and adapting BIOS+ME regions under $BLOBDIR/ifd.bin... " | ||
$MECLEAN -r -t -d -O /tmp/unneeded.bin -D "$BLOBDIR/ifd.bin" -M "$BLOBDIR/me.bin" "$bioscopy" | ||
|
||
echo "###Cleaning up..." | ||
rm "$bioscopy" | ||
rm -r "$extractdir" |
Binary file not shown.
Oops, something went wrong.