Posted May 31, 2022
For disassembly you can watch my video here.
But you’ll just have to remove all the screws with the keyboard icon and all the screws with the box(ish) icon. (Like I said, you can watch the video).
In order to actually read/write to the BIOS chip you need to attach the SOIC8 clip to the bios chip.
______
MOSI 5 --| |-- 4 GND
CLK 6 --| BIOS |-- 3 No Connection
No Connection 7 --| |-- 2 MISO
VCC (3.3V) 8 --|______|-- 1 CS
CS GND
2 | | 40
+-----------------------v-----v-----------+
| x x x x x x x x x x x x x x x x x x x x |
| x x x x x x x x x x x x x x x x x x x x |
+-----------------^-^-^-^-----------------+
1 | | | | 39
VCC | | CLK
MOSI/ \MISO
Make sure to update your Raspberry PI and install and the needed packages as well as flashrom using these commands:
sudo apt-get update && sudo apt-get upgrade
sudo apt-get install build-essential pciutils usbutils libpci-dev libusb-dev libftdi1 libftdi-dev zlib1g-dev
git clone https://review.coreboot.org/flashrom.git
cd flashrom
make -j3 && sudo make install
Now we need to download the Coreboot repo on our Raspberry PI.
git clone --recursive https://review.coreboot.org/coreboot.git ~/coreboot
Next we need to install ifdtool on the Raspberry PI, you can do that by running:
cd ~/coreboot/util/ifdtool
make -j3 && sudo make install
First, we are going to create an alias so we don’t need to type in a long drawn out command every time we want to read/write to the BIOS.
alias fr='sudo flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=1024'
Now we can get the name of our BIOS chip by just running fr.
fr
The output should give you multiple chip names.
All of these are the same chip just with different names so you can use any of them, mine is “MX25L6405”.
We are going to use this to set a CHIP variable.
CHIP="MX25L6405"
We are now ready to read the flash from the BIOS chip. We are going to do this a few times in order to make sure that the connection is consistent when reading and writing.
fr -c "$CHIP" -r flash01.bin
fr -c "$CHIP" -r flash02.bin
fr -c "$CHIP" -r flash03.bin
md5sum flash01.bin flash02.bin flash03.bin
The output for md5sum for all three of the files should be exactly the same.
If the checksum for all three files are not the same then DO NOT CONTINUE!!!
Make sure that your connection is good and retry until everything reads correctly.
(If necessary, the spispeed can be lowered from 1024 for a more reliable read).
First we need to download me_cleaner.
git clone https://github.com/corna/me_cleaner ~/me_cleaner
Now we can run me_cleaner on our flash file, in this case I will be using flash01.bin.
~/me_cleaner/me_cleaner.py -S flash01.bin
If all goes well you should see a message that says: Done! Good Luck!
Now we can run ifdtool on our flash image in order to separate it.
ifdtool -x flash01.bin
You should now have four different .bin files: 1. flashregion_0_flashdescriptor.bin 2. flashregion_1_bios.bin (Not needed) 3. flashregion_2_intel_me.bin 4. flashregion_3_gbe.bin
We can now rename all the files to have a shorter name.
mv flashregion_0_descriptor.bin descriptor.bin
mv flashregion_2_intel_me.bin me.bin
mv flashregion_3_gbe.bin gbe.bin
If you want to compile Coreboot on your Raspberry PI you can go ahead, however it might take anywhere from a few hours to a few DAYS, so be warned. I copied my “.bin” files to my laptop in order to compile faster.
Now we want to download the Coreboot repo onto our computer that we are compiling Coreboot on. (This may take a while). (If you are compiling Coreboot on your Raspberry PI you can skip this).
git clone --recursive https://review.coreboot.org/coreboot.git ~/coreboot
(Optional) Downloading VGA BIOS
Windows and some Linux distributions rely on the VGA BIOS in order to display video. So you can optionally download it if you need it.
curl -fLO "https://github.com/thetarkus/x220-coreboot-guide/raw/master/vga-8086-0126.bin"
Now we need to make a directory to place our “.bin” files.
mkdir -p ~/coreboot/3rdparty/blobs/mainboard/lenovo/x220
mv descriptor.bin ~/coreboot/3rdparty/blobs/mainboard/lenovo/x220/
mv me.bin ~/coreboot/3rdparty/blobs/mainboard/lenovo/x220/
mv gbe.bin ~/coreboot/3rdparty/blobs/mainboard/lenovo/x220/
On the computer you’re compiling Coreboot with, you’ll need to install these development packages (or their equivalents). On Ubuntu, Debian, or any derivative you can run:
sudo apt-get install git build-essential gnat flex bison libncurses5-dev wget zlib1g-dev
On Void Linux (what I use) I ran:
sudo xbps-install git base-devel ncurses-devel wget zlib-devel gcc-ada
Now we can go into the Coreboot directory and run make nconfig.
cd ~/coreboot
make nconfig
You should see a menu pop up, now we can configure our Coreboot build. Below is a list of what needs to be enabled, you can leave the rest of the settings just the way they are.
General Setup
- [*] Compress ramstage with LZMA
- [*] Include coreboot .config file into the ROM image
- [*] Allow use of binary-only repository
Mainboard
- Mainboard vendor (Lenovo)
- Mainboard model (Thinkpad X220)
- ROM chip size (8192 KB (8 MB))
- (0x100000) Size of CBFS filesystem in ROM
Chipset
- [*] Enable VMX for virtualization
- Include CPU microcode in CBFS (Generate from tree)
- Flash ROM locking on S3 resume (Don't lock ROM sections on S3 resume)
- [*] Add Intel descriptor.bin file
(3rdparty/blobs/mainboard/$(MAINBOARDDIR)/descriptor.bin) Path and filename of the descriptor.bin file
- [*] Add Intel ME/TXE firmware
(3rdparty/blobs/mainboard/$(MAINBOARDDIR)/me.bin) Path to management engine firmware
- [*] Add gigabit ethernet firmware
(3rdparty/blobs/mainboard/$(MAINBOARDDIR)/gbe.bin) Path to gigabit ethernet firmware
Devices
- Graphics initialization (Run VGA Option ROMs)
- [*] Use native graphics initialization
- [*] Add a VGA BIOS image
(/home/$USER/vga-8086-0126.bin) VGA BIOS path and filename
(8086,0126) VGA device PCI IDs
Generic Drivers
- [*] PS/2 keyboard init
- [*] Support Intel PCI-e WiFi adapters
Console
- [*] Squelch AP CPUs from early console.
- [*] Show POST codes on the debug console
System tables
- [*] Generate SMBIOS tables
Payload
- Add a payload (SeaBIOS)
- SeaBIOS version (master)
- (3000) PS/2 keyboard controller initialization timeout (milliseconds)
- [*] Harware init during option ROM execution
- [*] Include generated option rom that implements legacy VGA BIOS compatibility
- [*] Use LZMA compression for payloads
You can press F6 to save your config and then press F9 to exit.
Now we can actually compile Coreboot now.
(Optional) Create Cross Compiler
If you don’t have an
i386cross compiler you can make one by running:make crossgcc-i386 make iasl
Let’s compile coreboot by running:
make -j$(nproc)
This might take a while.
NOTE: If you can’t compile Coreboot, try checking and making sure you did everything correctly.
WARNING: Proceed with caution, you can possibly brick your computer if you are not careful!!!
You should now be left with a file named coreboot.rom in the ~/coreboot directory.
You can copy this file back to your Raspberry PI into order to flash it.
Now let’s go ahead and read our flash chip again to make sure that our connection is still good.
fr -c "$CHIP" -r flash01.bin
fr -c "$CHIP" -r flash02.bin
fr -c "$CHIP" -r flash03.bin
md5sum flash01.bin flash02.bin flash03.bin
And, like before, if all the checksums match, you can go ahead and flash coreboot.rom.
fr -c "$CHIP" -w coreboot.rom
Now, for the moment of truth, go ahead and boot your Thinkpad. If it won’t boot, don’t sweat, just rebuild and try again. If Coreboot won’t work on your Thinkpad no matter what you try, then you can just flash a backup of the BIOS that you read earlier and your computer should work just fine.
Congrats!!! You successfully freed your computer from the spying eyes of Intel and your local three letter government agency. You can now enjoy your computing in peace.
If you have any questions or comments you can find my contact info here.