Lenovo G505S hacking

From DP

Jump to: navigation , search

Contents

Introduction

Lenovo G505S is the latest most powerful laptop from the Supported Motherboards list of coreboot open source BIOS ( FAQ about coreboot ) which does not contain the Intel ME / AMD PSP hardware backdoors inside its' CPU. That makes this laptop very unique and valuable to any hardware/software hacker, and hopefully this page could be of a great interest - and maybe even useful! - to you, the visitor of DangerousPrototypes

Current status

The software of this laptop is already 98% open source and free-as-in-freedom ; this page will describe the hacking efforts to liberate the remaining 2% as well as to make this laptop truly future-proof by collecting the described spare parts and upgrading its' various components

Future plans

1) Fill this page with a lot of truly valuable information (a bit unexpected? ;)

2) Create a new "Lenovo G505S spare parts" page ( maybe would come up with a better title )

3) Describe the great-to-have software patches on top of the mainline code of coreboot open-source BIOS ( hopefully we'll get our changes merged and these descriptions would not be needed )

...

Unofficial coreboot patches

AMD microcode updates

Go to coreboot's configuration menu and check that " Chipset ---> Include CPU microcode in CBFS " option is set to " Do not include microcode updates " - because this microcode updating procedure is broken, and stupid: why load "old" then update to "new" when you could load "new" from the beginning? Hidden ./coreboot/.config file should contain

# CONFIG_CPU_MICROCODE_CBFS_GENERATE is not set
# CONFIG_CPU_MICROCODE_CBFS_EXTERNAL_HEADER is not set
CONFIG_CPU_MICROCODE_CBFS_NONE=y


Instead, let's take a look at

28425: AMD microcodes: scripts for applying the unofficial (not-merged-yet) updates

These scripts will help you to securely and conveniently apply the two changes to update AMD microcodes by patching the hardcoded arrays of hex values at some .c source code files. Updated microcode is required to improve system stability - in particular, to fix Xen hardware virtualization freezes e.g. while running Qubes 4 - as well as to patch some security vulnerabilities like piledriver+ NMI CPU userland to root exploit (if G505S's A10-5750M is affected) and maybe some Spectre-related vulnerabilities.

Download all 4 files of this change above. If you can't do it with your browser (don't want to enable JavaScript) or like to do it "the console way", just run the following script:

#!/bin/sh
###
### https://review.coreboot.org/c/coreboot/+/28425
### AMD microcodes: scripts for applying the unofficial (not-merged-yet) updates
###
rm -f ./*_ucode_patches.sh
rm -f ./sha256sums_correct.txt
rm -f ./*.diff && rm -f ./patch\?zip
wget https://review.coreboot.org/changes/28425/revisions/5/patch?zip
unzip ./patch\?zip && rm -f ./patch\?zip
sha256sum_correct="6f84c17436a1b33d9834878003250b053dc4f0ce8235d04ef023d5d9276501b1  ./2b158e9.diff"
sha256sum_my=$(sha256sum ./2b158e9.diff)
printf \\n%s\\n%s\\n "=== sha256sum should be:" "$sha256sum_correct"
if [ "$sha256sum_my" = "$sha256sum_correct" ] ; then
    echo "^^^ this is correct, will extract a microcode patching patch now..."
    patch -p1 < ./2b158e9.diff
else
    echo "^^^ ! MISMATCH ! Check sha256sum manually: sha256sum ./2b158e9.diff"
fi


Save all 4 files of this change to

./coreboot/


Allow the execution of 3 scripts by doing

chmod +x ./*_ucode_patches.sh


then run

./get_ucode_patches.sh


to download the patches and extract them,

./check_ucode_patches.sh


to compare their checksums with

./sha256sums_correct.txt
0dcd889f1a90899b8c5852c41311a38cc6cb61622eabb5bdeec2aa96f62eecaa  ./7c771be.diff
69dce983976e38d577b797bd802ad21cdcb1c559705c664d91ec1d0fbde9854f  ./d5107a0.diff


and finally, if everything is good,

./apply_ucode_patches.sh


This will install the following AMD ucode patches:

28273: src/vendorcode/amd/agesa/f15tn: Update microcode to version 0x600111F 2018-03-05 - for CPU IDs 0x610F01/0x610F31 (replaces the very outdated 0x600110F [2012-01-11])

28370: src/vendorcode/amd/agesa/f16kb: Update microcode to version 0x7000110 2018-02-09 - for CPU ID 0x700F01 (replaces the very outdated 0x700010B [2013-07-09])

AMD GPU AtomBIOS blobs

Clean blobs

Under construction

This page is currently under construction and may be significantly changed without further notice ;)

awokd's info dump:

Coreboot G505s page

Caveats: Sleep mode does not work under Qubes. Good to disable both XHCI options in Coreboot menu or the left side ports won't work at all. Disabled they sort of function as USB 2.0 (or 1.1?) ports, but you may have to use irqpoll (on sys-usb kernel options if using Qubes).

Flashing KB9012.

After flashing with coreboot, you can use the following command for internal flashes:

sudo flashrom -p internal:laptop=force_I_want_a_brick,amd_imc_force=yes -w coreboot.rom


A10-5750M processor is cpu fam 21/0x15, mod 19/0x13, step 1 raw 00610f31

If your model has a secondary GPU, need to add xen-pciback.hide=(02:00.0) to boot options (02:00.0 is an example, check first) to use with Qubes.

To locate the firmware in the OEM image, use UEFITool and search for your BIOS version in reverse byte order, like for version 0x06001119, search for 0x19110006.