Lenovo G505S hacking

From DP

(Difference between revisions)
Jump to: navigation , search
(Unofficial coreboot patches)
m (NEWS)
 
Line 1: Line 1:
== NEWS ==
== NEWS ==
-
I've updated this page and csb_patcher script with many important improvements, such as ASUS A88XM-E board support and XMP / custom RAM timings support.
+
I've updated this page and csb_patcher script with many important improvements, such as ASUS A88XM-E board support and XMP / custom RAM timings support. If you have any questions/suggestions, please contact Mike Banon - current address: mikebdp2 [at] gmail [d0t] c0m
'''csb_patcher.sh script is ready! GET IT HERE (25th May 2020) - https://pastebin.com/KqV20RCf , https://ghostbin.co/paste/tg9zf , or - a more official place - https://review.coreboot.org/c/coreboot/+/33509 . It has replaced the smaller patcher scripts, and I'll be happy if you can do a code review of it and share your feedback.'''
'''csb_patcher.sh script is ready! GET IT HERE (25th May 2020) - https://pastebin.com/KqV20RCf , https://ghostbin.co/paste/tg9zf , or - a more official place - https://review.coreboot.org/c/coreboot/+/33509 . It has replaced the smaller patcher scripts, and I'll be happy if you can do a code review of it and share your feedback.'''

Latest revision as of 21:36, 26 May 2020

Contents

NEWS

I've updated this page and csb_patcher script with many important improvements, such as ASUS A88XM-E board support and XMP / custom RAM timings support. If you have any questions/suggestions, please contact Mike Banon - current address: mikebdp2 [at] gmail [d0t] c0m

csb_patcher.sh script is ready! GET IT HERE (25th May 2020) - https://pastebin.com/KqV20RCf , https://ghostbin.co/paste/tg9zf , or - a more official place - https://review.coreboot.org/c/coreboot/+/33509 . It has replaced the smaller patcher scripts, and I'll be happy if you can do a code review of it and share your feedback.

Copy this ./csbget.sh script to your ./coreboot/ directory, chmod +x ./csbget.sh and run it - ./csbget.sh - to easily and securely download a (much) larger csb_patcher.sh script :

#!/bin/sh
###
### https://review.coreboot.org/c/coreboot/+/33509
### csb_patcher.sh: gets,checks,installs the coreboot and SeaBIOS patches
###
rm -f "./csb_patcher.sh"
rm -f "./a4afebb.diff" && rm -f "./patch?zip"
wget "https://review.coreboot.org/changes/33509/revisions/31/patch?zip"
unzip "./patch?zip" && rm -f "./patch?zip"
sha256sum_correct="65031c731c29a6875c3326f739cf433e9bb76cc631c58b6b9bc53893d14706bf  ./a4afebb.diff"
sha256sum_my=$(sha256sum "./a4afebb.diff")
printf "\n=== sha256sum should be\n$sha256sum_correct\n"
if [ "$sha256sum_my" = "$sha256sum_correct" ] ; then
    printf "^^^ this is correct, will extract a ./csb_patcher.sh script now...\n"
    patch -p1 < "./a4afebb.diff"
    chmod +x "./csb_patcher.sh"
    printf "\nRun ./csb_patcher.sh help or ./csb_patcher.sh usage for more information.\n\n"
    exit 0
else
    printf "^^^ ! MISMATCH ! Check sha256sum manually: sha256sum ./a4afebb.diff\n"
    exit 1
fi
###


Run ./csb_patcher.sh help or ./csb_patcher.sh usage for more information.

csb_patcher.sh: gets,checks,installs the coreboot and SeaBIOS patches

Conveniently and securely gets, checks SHA256 and installs some of my
patches from this page - https://review.coreboot.org/q/status:open+banon
- and also gets a collection of useful floppy-based operating systems.

Sometimes it takes quite a long time to get a patch merged, while the
people might need it today! - and this script could be really helpful.

It asks a [Y/N] question for every addition, and since there are some
"universal" patches as well as great floppies, you may still want to
run this script - even if your board is not Lenovo G505S or not AMD.

Please share your feedback/suggestions and tell about other useful patches,
preferably the "universal" ones - i.e. SeaBIOS. Currently included:

1) "board-specific": Lenovo G505S dGPU support, ASUS A88XM-E board support,
example configs for G505S / AM1I-A / A88XM-E and known good AtomBIOS ROMs,
and also XMP / custom RAM timings support for all the AMD AGESA boards

2) "universal": SeaBIOS patches: advanced_bootmenu, multiple_floppies,
writeprotected_usb ; tint build system ; and also a floppies collection :
KolibriOS, FreeDOS, MichalOS, Snowdrop, Fiwix, Memtest, Tatos, Plop, FloppyBird.


Check out the G505S-related coreboot patches I'm currently working on here - https://review.coreboot.org/q/status:open+banon . 38200, 38202 and 38203 patches are required for getting a discrete GPU working ( together with AMD GPU AtomBIOS blobs ). If you are impatient to test them, you could grab a "16JUN2019" build here.

Introduction

Lenovo G505S is the latest most powerful laptop from the Supported Motherboards list of coreboot open source BIOS ( FAQ about coreboot ) which does not contain the Intel ME / AMD PSP hardware backdoors inside its' CPU. That makes this laptop very unique and valuable to any hardware/software hacker, and hopefully this page could be of a great interest - and maybe even useful! - to you, the visitor of DangerousPrototypes.

Current status

The firmware of this laptop is already 98% open source and free-as-in-freedom ; this page will describe the hacking efforts to liberate the remaining 2% as well as to make this laptop truly future-proof by collecting the described Lenovo G505S parts and upgrading its' various components.

Instructions

1) On a temporarily installed Windows 8, update your proprietary UEFI to the latest version v3.00 - 83CN53WW using the official Lenovo software, because it also updates the firmware of EC-controller KB9012 to a version v3.00 - 83EC53WW . The updated EC KB9012 firmware is i.e. more efficiently controls the fan speeds in response to a changing temperatures - so such an update is really recommended and this is the only currently available software way of doing this - unless you would like to do a hardware flashing described at Flashing KB9012

2) At your favourite Linux distro install the packages required for building a coreboot - coreboot Build HOWTO, then execute the commands:

3)

git clone https://review.coreboot.org/coreboot.git # <--- download a coreboot

cd ./coreboot/ # <--- go to a ./coreboot/ directory

git submodule update --init --checkout # <--- get the additional modules which could be useful (i.e. while building a cbfstool)

make crossgcc-i386 # <--- build a toolchain, which will be used for the compilation of coreboot (crossgcc-x64 is not supported yet, it compiles badly)

4) Copy-paste a ./csb_patcher.sh script given at the beginning of this page, save it to your ./coreboot/ directory and apply to your ./coreboot/ source tree. Or use a ./csbget.sh script for obtaining a ./csb_patcher.sh :

cd ./coreboot/ # <--- go to a ./coreboot/ directory

nano ./csbget.sh # <--- create a new ./csbget.sh text file, fill it with a code given above and save

chmod +x ./csbget.sh # <--- make this script executable

./csbget.sh # <--- get a ./csb_patcher.sh script

./csb_patcher.sh # <--- answer Y to almost all the questions

5) Build a coreboot by a make command, and - if you desire - make a floppy-filled version of coreboot.rom by running a ./csb_patcher.sh flop command - result will be a coreflop.rom file instead of coreboot.rom. Then using an instruction Flashing a BIOS chip, flash a coreboot to your Lenovo G505S using the described hardware tools. After flashing with coreboot once, you can use the following command for the internal flashing:

sudo flashrom -p internal:laptop=force_I_want_a_brick,amd_imc_force=yes -w coreboot.rom


To successfully compile flashrom at ubuntu-like systems (e.g. Trisquel 8) you need to install the following packages:

sudo apt-get install build-essential git libpci-dev libusb-dev libusb-1.0-0-dev libftdi-dev


Please take a look at Lenovo_G505S_.config after applying the Unofficial coreboot patches.

Unofficial coreboot patches

NOTE: THEY COULD BE EASILY INSTALLED ON TOP OF A FRESHLY CLONED COREBOOT WITH A SCRIPT HERE - http://dangerousprototypes.com/docs/Lenovo_G505S_hacking#NEWS

Discrete GPU support

39873: G505S dGPU support: scripts for applying the unofficial (not-merged-yet) patches

These scripts will help you to securely and conveniently apply the three changes to add the discrete GPU support by patching the source code files.

Save all 4 files of this change to

./coreboot/


Allow the execution of 3 scripts by doing

chmod +x ./*_dgpu_patches.sh


then run

./get_dgpu_patches.sh


to download the patches and extract them,

./check_dgpu_patches.sh


to compare their checksums with

./sha256sums_dgpu_correct.txt
6c367872fd65e6451b393223131c14cd212fe44493537076aa8e005db730a177  ./ff34035.diff
d761a1187e09ecaf85a66b3a36664064c10d460b41563c35bfb54f56ca9cc4f2  ./a9495cd.diff
3a295fffabf748acb1a593605d4fb27a9e953813589d228fb8726f6d7d8e27fc  ./1bdb7a5.diff


and finally, if everything is good,

./apply_dgpu_patches.sh


This will install the following dGPU support patches:

38200: src/device/Kconfig: introduce the MULTIPLE_VGA_ADAPTERS symbols

38202: src/device/pci: Add support for discrete VGA initialization and OpROM loading

38203: lenovo/g505s: enable the discrete VGA adapter

AMD GPU AtomBIOS blobs

33886: G505S AtomBIOS ROMs: known good binaries with a script to check their SHA256

This change contains the known good AtomBIOS ROMs for your G505S, together with their SHA256 checksums and two scripts - to extract them from .rom.txt files by xxd -r and check their SHA256. NOTE: for my convenience I've just added two ROMs for my ASUS AM1I-A and A88XM-E boards to the same change; if you don't have these boards, please ignore their ROMs.

Save all 8 files of this change to

./coreboot/


Allow the execution of 2 scripts by doing

chmod +x ./*_atombios_roms.sh


then run

./extract_atombios_roms.sh


to extract the AtomBIOS ROMs from .rom.txt files using the xxd -r command,

./check_atombios_roms.sh


to compare their checksums with

./sha256sums_atombios_correct.txt
6104e6989ea3f494d7bfa30573bf38e830f1068bab9980caec5e890e0ccbfced  ./pci1002,990b.rom
6052b5def3fda2a93f6c4d55ec91b819429e212e26cdb8e0fcca54599c9c92ed  ./pci1002,6663.rom
15d74515332bc512de66e0dc910d8600aeb134bf715bbc34a4faac0257f4a0dc  ./pci1002,6665.rom
cf5ad6f562cda07c8455a5fd33aae49ee6f451561a758e9761d1788767348115  ./pci1002,9830.rom
73d52887c5c0797a00c38ff1d26528f32620efe41b47c592aa295f008712d0e5  ./pci1002,990c.rom


and, if everything is good, use these AtomBIOS ROMs at your coreboot Lenovo_G505S_.config :

*990b.rom = iGPU HD-8650G | *6663.rom = dGPU HD-8570M /
                            *6665.rom = dGPU R5-M230


Origin of these AtomBIOS ROMs, and how they have been obtained:

https://github.com/g505s-opensource-researcher/g505s-atombios

pci1002,990b.rom (for iGPU HD-8650G) has been taken from G505S with R5-M230, and despite the tiny voltage difference - it's working great for all G505S versions. See this thread for more information.

AMD AGESA DDR3 XMP support

40495: AMD AGESA DDR3 XMP support: scripts for applying the not-merged-yet patches

These scripts will help you to securely and conveniently apply the five changes to add the XMP / custom RAM timings support by patching the source code files.

Save all 4 files of this change to

./coreboot/


Allow the execution of 3 scripts by doing

chmod +x ./*_xmp_patches.sh


then run

./get_xmp_patches.sh


to download the patches and extract them,

./check_xmp_patches.sh


to compare their checksums with

./sha256sums_xmp_correct.txt
0b19e790c27cc4344f5427e2af62b3d8f5c729c49a528709689e4c1536e55daf  ./b8b7fb7.diff
0f5816d40a56e5fe3201e539c2f6cae51a03ae606085731f3c70eb7f2a007bd5  ./a81f3eb.diff
6749bbe5a8a33b0a32d214e32ffba4b6d7df740c73fd674c344653041e5103aa  ./bf4bd85.diff
4579e9a7f3454e4909789b56d2fd6422129e31185a363cf6cd13485907b82b1d  ./3b9288e.diff
d5161276160d1cf4d77a5252cb7f9855d2ff5de00dedea28790627d9a144b556  ./413db53.diff


and finally, if everything is good,

./apply_xmp_patches.sh


This will install the following XMP / custom RAM timings support patches:

40484: nb/amd/agesa: read 256 bytes to SPD buffer instead of 128

40485: vc/amd/agesa/f15tn: add 933 MHz to GfxMemClockFrequencyDefinitionTable

40488: vc/amd/agesa/f.../Proc/Mem/Tech/DDR3: Support XMP memory profiles

40489: vc/amd/agesa/f.../Proc/Mem/Tech/DDR3: Support a custom memory profile

40490: vc/amd/agesa/f15tn: add DDR1866_FREQUENCY to DdrMaxRateTab table

Then, you can set up the XMP / custom RAM timings by going to Chipset ---> AMD Platform Initialization ---> DDR3 memory profile at menuconfig.

tint build system

33887: tint: introduce the new tint build system with checksum verification

Contains the tint build system - for more secure tint installation.

Unofficial SeaBIOS patches

32351: SeaBIOS patches: advanced_bootmenu, multiple_floppies, writeprotected_usb

Contains the following unofficial SeaBIOS patches:

advanced_bootmenu: up to 35 entries (2 pages if >18), numpad support (console)

|PATCH v2| ramdisk: search for all available floppy images instead of one

|PATCHv2| Support booting USB drives with a write protect switch enabled

Sample G505S .config

32352: configs: add Lenovo G505S sample configuration (use with dGPU patches)

Contains the sample Lenovo_G505S_.config - which should be used only after you have installed the Discrete GPU support patches. Read important notes about this .config here.

Useful floppies

They could be easily added to your coreboot's CBFS with one simple command:

./build/cbfstool ./build/coreboot.rom add -f ./yourfloppy.img -n floppyimg/nameinsidecbfs.lzma -t raw -c lzma


1) KolibriOS - great x86 OS with GUI and lots of really useful apps! After the networking driver for our chip will be completed, it should become possible to access the Internet and IRC chaaat with your friends right from a BIOS chip.

2) FreeDOS - also lots of cool apps, although many of them are proprietary and also FreeDOS might be vulnerable to DOS viruses. Their floppy seems to be only for installation and does not contain anything useful, but it should be possible to replace the installer in it with more useful stuff and extend the floppy from 1.44MB to 2.88MB - which is also supported by SeaBIOS - if needed. Luckily LZMA compression will reduce its' size significantly, allowing to still put more useful floppies instead of just FreeDOS.

3) MichalOS - really interesting OS based on MikeOS but significantly evolved, has many cool things like PLAYER.APP --> two octave piano which is using a beeper, and great for showing off to your IRL friends what your opensource BIOS can do. Currently MichalOS is much better than its' brother TachyonOS, but maybe something could be borrowed from there as well.

4) Snowdrop - very promising OS, has some cool games and could be useful to develop something bigger on top of it.

5) Fiwix - quite a prominent project and also may be useful.

6) Memtest - for testing your RAM, and much better than coreboot's poor version. A bit more work is required for it - e.g. you'd need to extend its' image to 1.44MB - so here are the instructions

7) TatOS - sadly abandoned, tried contacting the author but he is not replying. Not fully explored yet but may be quite useful for research purposes and occupies just about 100KB in your CBFS when LZMA compressed.

8) Plop Boot Manager 5.0 - prominent boot manager that is still proprietary, but may be possible to persuade its' author to release the source code.

9) FloppyBird OS - provides a FloppyBird game and occupies just ~2K bytes inside a flash chip when LZMA compressed.

Improve this page

Fill this page with a lot of truly valuable information. For example:

maybe copy some info from Coreboot G505s page and other sources like coreboot subreddit or 4chan.

TODO list

1) Sleep mode does not work under Qubes. See https://www.mail-archive.com/qubes-users@googlegroups.com/msg27687.html.

2) Both XHCI options in Coreboot menu should be disabled (unless you'd like to add the XHCI firmware) or the left side ports won't work at all. These options are already disabled by default and all the ports are functioning as USB 2.0.

awokd tells:

"You may have to use irqpoll in sys-usb kernel options with Qubes OS. USB interrupts don't seem to be routing correctly in Coreboot, and the only way to use them in Qubes is with irqpoll in the kernel options."


3) A10-5750M processor is cpu fam 21/0x15, mod 19/0x13, step 1 raw 00610f31

vendor_id       : AuthenticAMD
cpu family      : 21
model           : 19
model name      : AMD A10-5750M APU with Radeon(tm) HD Graphics
stepping        : 1
microcode       : 0x600111f
cache size      : 2048 KB
physical id     : 0
siblings        : 4
fpu             : yes
fpu_exception   : yes
cpuid level     : 13
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mm>
bugs            : fxsave_leak sysret_ss_attrs null_seg spectre_v1 spectre_v2 spec_store_bypass
bogomips        : 4992.72
TLB size        : 1536 4K pages
clflush size    : 64
cache_alignment : 64
address sizes   : 48 bits physical, 48 bits virtual
power management: ts ttp tm 100mhzsteps hwpstate cpb eff_freq_ro


4) If your model has a secondary GPU and you are NOT using the discrete GPU support patches, then you need to add

xen-pciback.hide=(02:00.0)


to boot options (02:00.0 is an example, check first!). xen-pciback.hide hides the secondary GPU from Qubes so it doesn't even attempt to initialize it.

5) If reverse engineering an OEM image, you can locate the firmware by using UEFITool and searching for your BIOS version in reverse byte order, like for version 0x06001119, search for 0x19110006.