Lenovo G505S hacking

From DP

Revision as of 10:25, 1 December 2023 by Mikeb

All this info is also valid for the other AMD coreboot-supported boards that I am maintaining: ASUS AM1I-A and ASUS A88XM-E. The only major difference is the BIOS flashing instructions: the SPI flash BIOS chip of the G505S laptop is a SOIC8 package, while the desktop boards' chips are DIP8.

If you have any questions/suggestions, write to Mike Banon : [ mikebdp2 [at] gmail [d0t] c0m ]


Introduction

The AMD-based Lenovo G505S is the fastest laptop on the Supported Motherboards list of the coreboot open source BIOS (see coreboot's FAQ) which does not contain the Intel ME / AMD PSP hardware backdoors inside its CPU. That makes this laptop really unique and valuable to any hardware/software hacker, and hopefully this page can be useful for you, the visitor of DangerousPrototypes. The AMD-based ASUS A88XM-E & AM1I-A are coreboot-supported too and also don't contain the AMD PSP backdoor. This hardware is from ~2013, but if you upgrade it fully (i.e. to 16 GB RAM), it will handle even modern tasks fine.

Current status

The coreboot BIOS firmware of the G505S is already 98% open source and free-as-in-freedom; this page describes how to install this firmware, the hacking efforts to liberate the remaining 2% (TODO), and how to make this laptop future-proof by collecting Lenovo G505S spare parts and doing the upgrades.

NOTE : put an Atheros AR9462 MiniPCIe WiFi module inside the G505S, because it's one of the best WiFi chips of the ath9k / ath9k_htc family, which work with 100% open source drivers & firmware.

NOTE : the best possible RAM upgrade for the G505S is 16GB of 1600MHz CL9 fast RAM (9-9-9-24 or 9-9-9-27 CAS latency timings; lower is better), achieved with two 8GB DDR3 SO-DIMM sticks. Although 32GB is also possible on the G505S with two 16GB sticks and even works with coreboot, these 16GB sticks are expensive & rare and aren't as fast: I couldn't find any 16GB 1600MHz CL9 SO-DIMMs. Meanwhile, the A88XM-E and AM1I-A can be upgraded to 16GB with two 8GB 1866MHz CL9 DIMMs.

The freedom/security of the A88XM-E and AM1I-A is the same as the G505S or even better! Unfortunately, soon after commit 5e8e911 (point 0 of history, aka PoH, 07th Nov 2022) our AMD AGESA boards - G505S, A88XM-E, AM1I-A, etc. - were removed from the coreboot main branch. To be able to still build a fresh coreboot, I am maintaining a new restore_agesa.sh script, which does a bunch of git reverts to restore our boards. At the moment it reverts 193 "bad commits" (40 CBF + 153 GRF); that's not a big loss, considering the current PoH of 5173 commits since the removal of our boards: this way our coreboot is still ~5k commits newer than 0 PoH and almost as fresh as the coreboot main branch.

40 CBF ("coreboot build failure") commits - that either remove our boards or break our builds
153 GRF ("git revert failure") commits - that stand in the way of reverting the CBF commits


Also, I am maintaining a csb_patcher.sh script: it helps to apply the unofficial not-yet-merged coreboot patches that are useful for many boards - especially our AMD-based ones! - and it delivers a collection of floppy-based OSes that can be embedded into coreboot to be available as SeaBIOS boot entries.

NEWS

29th Nov 2023 : public release of restore_agesa.sh, updated csb_patcher.sh, updated instructions.

07th Nov 2022 : that day our precious AMD boards were removed from the coreboot main branch, so I came up with a temporary " git reset --hard 5e8e911 " to reset your local repository to the older PoH (point of history) when our boards were still there, before downgrading GCC and doing the other steps.

05th Jan 2022 : found out that the new gcc 11.x of the latest coreboot master's compiler toolchain builds unstable ROMs for our AMD boards (more info here), so I came up with two git reverts to downgrade gcc to the old trusty 8.3.0 : ce134ab and b0d87f7. EDIT: now these reverts are a part of restore_agesa.sh.

Instructions


EC KB9012 firmware update

On a temporarily installed Windows 8 (Windows 7 may also work, but no guarantees), upgrade your proprietary UEFI to the latest version v3.00 - 83CN53WW using the official Lenovo UEFI update utility, because it also upgrades the firmware of the EC controller KB9012 to version v3.00 - 83EC53WW . The upgraded EC KB9012 firmware, for example, controls the fan speeds more efficiently in response to changing temperatures, so this upgrade is a must-have, and the Lenovo UEFI update utility is the only currently available way to do it by software. The hardware flashing way, an alternative for skilled people, is fully described at Flashing KB9012 and lets you flash the latest "clean" EC KB9012 firmware image from here - https://github.com/g505s-opensource-researcher/g505s-proprietary

Build tools preparation

On your favourite Linux distribution, install the packages required for building the coreboot BIOS. The Devuan (Debian without SystemD) package names are listed in the coreboot Build HOWTO but may differ for your particular Linux. For example, on Artix Linux (user-friendly Arch without SystemD), which can be installed using this Full Disk Encryption method, the required packages are:

pacman -S gcc make patch m4 flex bison xxd pkgconf git


NOTE : make sure that your " git --version " is recent enough, e.g. 2.43.0 and not some ancient 1.8.3.1; otherwise restore_agesa.sh may have trouble doing all these git reverts.

NOTE : please remove gcc-ada / gnat from your OS if it's there, because it may cause the Ada-related build problems and our AMD platforms do not need any Ada code.

NOTE : if your PC has >=8GB RAM, you may even use a Linux LiveUSB for coreboot BIOS building.

Coreboot repository cloning

Before working with git, make sure that you have configured your ~/.gitconfig : check whether it contains something with cat ~/.gitconfig and, if you get No such file or directory , run these commands to configure it:

git config --global user.name "Your Name"
git config --global user.email "you@example.com"


Now, execute these commands to obtain the latest version of coreboot source code:

git clone https://review.coreboot.org/coreboot.git ### get a coreboot
cd ./coreboot/                      ### go to a ./coreboot/ directory
git submodule update --init --checkout ### get the extra dependencies

restore_agesa.sh

Obtain the latest version of the restore_agesa.sh script from util/scripts/restore_agesa.sh - restores the opensource AMD AGESA boards - and, while still in the ./coreboot/ directory, do the following:

cat ./path_to/restore_agesa.sh | grep "coreboot master at the moment"
# copy a "git reset --hard REVISION" line without # before git, i.e.:
# git reset --hard 16875ec8e304e87922af2f26a3fbd825bccb312e
git reset --hard REVISION
cp ./your_path_to/restore_agesa.sh ./
chmod +x ./restore_agesa.sh
./restore_agesa.sh


NOTE : this git reset --hard is required because restore_agesa.sh is tied to a specific coreboot revision - upcoming new commits might block its git reverts! - so we downgrade our coreboot to the known-supported git revision mentioned inside this script before launching it in ./coreboot/

NOTE : alternatively, restore_agesa.sh can also be obtained by using this resget.sh script:

#!/bin/sh
###
### https://review.coreboot.org/c/coreboot/+/76832
### restore_agesa.sh: restores the opensource AMD AGESA boards
###
rm -f "./restore_agesa.sh"
rm -f "./fd6a775.diff" && rm -f "./patch?zip"
wget "https://review.coreboot.org/changes/76832/revisions/9/patch?zip"
unzip "./patch?zip" && rm -f "./patch?zip"
sha256sum_correct="e380f234cc196097a09f1768b9705a8d8fda5aa08c089ec0ec347b2336c190f2  ./fd6a775.diff"
sha256sum_my=$(sha256sum "./fd6a775.diff")
printf "\n=== sha256sum should be\n$sha256sum_correct\n"
if [ "$sha256sum_my" = "$sha256sum_correct" ] ; then
    printf "^^^ this is correct, will extract a ./restore_agesa.sh script now...\n"
    patch -p1 < "./fd6a775.diff" "./restore_agesa.sh"
    chmod +x "./restore_agesa.sh"
    printf "\n  git reset --hard your coreboot directory to the following revision:\n"
    cat "./restore_agesa.sh" | grep "coreboot master at the moment"
    printf "   And then run ./restore_agesa.sh while still at coreboot directory\n\n"
    exit 0
else
    printf "^^^ ! MISMATCH ! Check sha256sum manually: sha256sum ./fd6a775.diff\n"
    exit 1
fi
###


Run it as chmod +x ./resget.sh && ./resget.sh and use restore_agesa.sh as described above.

Toolchain making

Build coreboot's crossgcc-i386 toolchain of x86 build tools (crossgcc-x64 doesn't work yet) with

make crossgcc-i386 BUILD_LANGUAGES=c   ### build a compiler toolchain


NOTE : we are using BUILD_LANGUAGES=c flag to avoid any possible Ada-related build problems.

NOTE : if you have a problem with acpica.org web access while trying to build your toolchain, then run this extra command while in a ./coreboot/ directory before trying again:

sed -i -e "s,acpica.org/sites/acpica/files,sources.buildroot.net/acpica,g" ./util/crossgcc/buildgcc


This changes the download link for the acpica tool (don't worry, the file checksum will still be verified).

csb_patcher.sh

csb_patcher.sh helps to apply the unofficial not-yet-merged coreboot patches that are useful for many boards - especially our AMD-based ones! - and it delivers a collection of floppy-based OSes that can be embedded into coreboot to be available as SeaBIOS boot entries. GET IT HERE (28th Nov 2023) - https://review.coreboot.org/c/coreboot/+/64873 , https://pastebin.com/UAX5NXCQ , or use the csbget.sh script below: copy it to ./coreboot/ and run it with chmod +x ./csbget.sh && ./csbget.sh to securely wget csb_patcher.sh (the script checks the SHA256 of the downloaded diff before extracting anything from it).

#!/bin/sh
###
### https://review.coreboot.org/c/coreboot/+/64873
### csb_patcher.sh: gets,checks,installs the coreboot and SeaBIOS patches
###
rm -f "./csb_patcher.sh"
rm -f "./7099d14.diff" && rm -f "./patch?zip"
wget "https://review.coreboot.org/changes/64873/revisions/8/patch?zip"
unzip "./patch?zip" && rm -f "./patch?zip"
sha256sum_correct="55809314f3339a1b0159731b596a0eb096ec5b257333600c192d9147f05e570c  ./7099d14.diff"
sha256sum_my=$(sha256sum "./7099d14.diff")
printf "\n=== sha256sum should be\n$sha256sum_correct\n"
if [ "$sha256sum_my" = "$sha256sum_correct" ] ; then
    printf "^^^ this is correct, will extract a ./csb_patcher.sh script now...\n"
    patch -p1 < "./7099d14.diff"
    chmod +x "./csb_patcher.sh"
    printf "\nRun ./csb_patcher.sh help or ./csb_patcher.sh usage for more information.\n\n"
    exit 0
else
    printf "^^^ ! MISMATCH ! Check sha256sum manually: sha256sum ./7099d14.diff\n"
    exit 1
fi
###

Then, once you have obtained ./csb_patcher.sh one way or another:

chmod +x ./csb_patcher.sh             ### make this script executable
cp ./path_to/csb_patcher.sh ./path_to/coreboot/
cd ./path_to/coreboot
./csb_patcher.sh             ### answer Y to almost all the questions

Run " ./csb_patcher.sh help " or " ./csb_patcher.sh usage " for more information.

Check out the other AMD-related coreboot patches I'm working on here - https://review.coreboot.org/q/status:open+banon , e.g. the patches of change 58745 (applied by ./csb_patcher.sh) are required for a working G505S discrete GPU (together with the AMD GPU AtomBIOS blobs).

Copy-paste ./csb_patcher.sh , save it to your ./coreboot/ directory and launch it to apply the unofficial good patches to your ./coreboot/ source code tree. Or use the ./csbget.sh script for obtaining ./csb_patcher.sh :

cd ./coreboot/                      ### go to a ./coreboot/ directory
nano ./csbget.sh ### create and fill a script with a code given above
chmod +x ./csbget.sh                  ### make this script executable
./csbget.sh                         ### get a ./csb_patcher.sh script
./csb_patcher.sh             ### answer Y to almost all the questions


Now, to "refresh" the ./coreboot/.config which has been installed by ./csb_patcher.sh , run

make menuconfig


and just exit with saving the changes.

Coreboot building & flashing

Build coreboot with the make command and, if you desire, make a floppy-filled version of coreboot.rom by running ./csb_patcher.sh flop (the result will be a coreflop.rom file instead of coreboot.rom). Then, following the Flashing a BIOS chip instructions, flash coreboot to your Lenovo G505S using the described hardware tools (before disassembling the laptop, it is recommended to discharge it by disconnecting both the power supply and the battery and then holding the power button for a few seconds). After flashing coreboot once, you can use the open source flashrom utility to do internal flashing (e.g. to upgrade your coreboot BIOS):

sudo flashrom -p internal:laptop=force_I_want_a_brick,amd_imc_force=yes -w ./build/coreflop.rom


To build flashrom on Ubuntu-like systems (e.g. Trisquel 8) you need to install the following packages:

sudo apt-get install build-essential git libpci-dev libusb-dev libusb-1.0-0-dev libftdi-dev


Please take a look at Lenovo_G505S_.config (TODO: sync it with what we're using) after applying the Unofficial coreboot patches. Also, here are some demo builds - they are really outdated, so better build your own.


Unofficial coreboot patches included into csb_patcher.sh

csb_patcher.sh: gets,checks,installs the coreboot and SeaBIOS patches

Conveniently and securely gets, checks the SHA256 of, and installs some of my
patches from this page - https://review.coreboot.org/q/status:open+banon
- and also gets a collection of useful floppy-based operating systems.

Sometimes it takes quite a long time to get a patch merged, while
people might need it today! - so this script could be really helpful.

It asks a [Y/N] question for every addition, and since there are some
"universal" patches as well as great floppies, you may still want to
run this script - even if your board is not Lenovo G505S or not AMD.
Use restore_agesa.sh script to restore AMD AGESA boards before running.

Please share your feedback/suggestions and tell me about other useful patches,
preferably the "universal" ones, e.g. for SeaBIOS. Currently included:

1) "board-specific": Lenovo G505S discrete GPU support, custom SeaBIOS options,
example configs for G505S / AM1I-A / A88XM-E and known good AtomBIOS ROMs,
and also good IRQ routing for AMD Lenovo G505S, ASUS A88XM-E and AM1I-A boards.

2) "universal": SeaBIOS patches: advanced_bootmenu, multiple_floppies,
smbios_mptable_768; and also a floppies collection: KolibriOS,
FreeDOS, MichalOS, Snowdrop, Fiwix, Memtest, Tatos, Plop, FloppyBird.

Discrete GPU support

58745: G505S dGPU support: scripts for applying the unofficial (not-merged-yet) patches

These scripts help you to securely and conveniently apply the three changes that add the discrete GPU support by patching the source code files.

Save all 4 files of this change to

./coreboot/


Allow the execution of 3 scripts by doing

chmod +x ./*_dgpu_patches.sh


then run

./get_dgpu_patches.sh


to download the patches and extract them,

./check_dgpu_patches.sh


to compare their checksums with

./sha256sums_dgpu_correct.txt
80507c51330e20c8b3452311a341e1ffbf081789ea9e6d4833df047df74768f3  ./eaca99f.diff
af5895aff81b03b1b386b69be06c77f0d22c7347ec8752e8a117109d794c6203  ./578fd0f.diff
8ae3213b1254c02a3908e35a140b5905c94d785d618b313689dd9b67e5e69467  ./c0f27d0.diff


and finally, if everything is good,

./apply_dgpu_patches.sh


This will install the following dGPU support patches:

57319: src/device/Kconfig: introduce the AMD_DGPU_WITHOUT_EEPROM symbols

58652: src/device/pci: add support for AMD_DGPU_WITHOUT_EEPROM init and OpROM loading

58653: lenovo/g505s: enable the AMD_DGPU_WITHOUT_EEPROM discrete VGA adapter

AMD GPU AtomBIOS blobs

58748: G505S AtomBIOS ROMs: known good binaries with a script to check their SHA256

This change contains the known good AtomBIOS ROMs for your G505S, together with their SHA256 checksums and two scripts: one to extract them from the .rom.txt files with xxd -r and one to check their SHA256. NOTE: for my convenience I've also added two ROMs for my ASUS AM1I-A and A88XM-E boards to the same change; if you don't have these boards, please ignore their ROMs.

Save all 8 files of this change to

./coreboot/


Allow the execution of 2 scripts by doing

chmod +x ./*_atombios_roms.sh


then run

./extract_atombios_roms.sh


to extract the AtomBIOS ROMs from .rom.txt files using the xxd -r command,

./check_atombios_roms.sh


to compare their checksums with

./sha256sums_atombios_correct.txt
6104e6989ea3f494d7bfa30573bf38e830f1068bab9980caec5e890e0ccbfced  ./pci1002,990b.rom
6052b5def3fda2a93f6c4d55ec91b819429e212e26cdb8e0fcca54599c9c92ed  ./pci1002,6663.rom
15d74515332bc512de66e0dc910d8600aeb134bf715bbc34a4faac0257f4a0dc  ./pci1002,6665.rom
cf5ad6f562cda07c8455a5fd33aae49ee6f451561a758e9761d1788767348115  ./pci1002,9830.rom
73d52887c5c0797a00c38ff1d26528f32620efe41b47c592aa295f008712d0e5  ./pci1002,990c.rom


and, if everything is good, use these AtomBIOS ROMs in your coreboot Lenovo_G505S_.config (the dGPU is either the HD-8570M or the R5-M230, depending on your G505S version):

pci1002,990b.rom = iGPU HD-8650G
pci1002,6663.rom = dGPU HD-8570M
pci1002,6665.rom = dGPU R5-M230
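The checksum step above (and the same SHA256 check done inline by resget.sh and csbget.sh earlier on this page) protects you from applying a tampered or truncated download to your source tree, or flashing a corrupted ROM. The following is an added example, not one of the page's scripts, that generalises that step: it takes any list in sha256sum's own "HASH  ./file" format, verifies that every listed file exists and matches, reports MISSING / MISMATCH entries with the expected and actual hashes, and returns non-zero unless the whole list is clean. Paths are assumed to be relative to the current directory (./coreboot/ in this page's workflow); GNU `sha256sum -c` performs the same check in one command, this version just makes the failure handling explicit.

```shell
#!/bin/sh
# Added example, not one of the page's scripts: verify downloaded patches or
# ROM images against a list of known-good SHA256 sums before anything is
# applied or flashed. Every "HASH  ./file" entry (sha256sum output format)
# must exist and match; otherwise the problem is reported and the function
# returns non-zero so that a following && step (apply/flash) does not run.
#
# Usage (paths relative to the current directory, e.g. ./coreboot/):
#   verify_sums ./sha256sums_dgpu_correct.txt && ./apply_dgpu_patches.sh

verify_sums() {
    sums=$1
    status=0
    while read -r expected path; do
        # Skip blank lines and comments in the sums file.
        case $expected in ''|'#'*) continue ;; esac
        # sha256sum writes "*file" for binary mode; drop that marker.
        path=${path#\*}
        if [ ! -f "$path" ]; then
            printf 'MISSING  %s\n' "$path"
            status=1
            continue
        fi
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            printf 'OK       %s\n' "$path"
        else
            printf 'MISMATCH %s\n  expected %s\n  got      %s\n' \
                "$path" "$expected" "$actual"
            status=1
        fi
    done < "$sums"
    # Only a fully clean list is worth applying or flashing.
    [ "$status" -eq 0 ] && printf 'All checksums OK\n'
    return "$status"
}

# When run as a script: ./verify_sums.sh ./sha256sums_atombios_correct.txt
[ "$#" -eq 0 ] || verify_sums "$1"
```

A missing file is treated as a failure on purpose: a sums list that silently "passes" because the file it describes was never downloaded is exactly the case the original check_*.sh scripts exist to catch.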


Origin of these AtomBIOS ROMs, and how they have been obtained:

https://github.com/g505s-opensource-researcher/g505s-atombios

pci1002,990b.rom (for the iGPU HD-8650G) has been taken from a G505S with the R5-M230, and despite the tiny voltage difference it works great for all G505S versions. See this thread for more information.

AMD AGESA DDR3 XMP support

The following XMP / custom RAM timings support patches have already been merged into coreboot:

40484: nb/amd/agesa: read 256 bytes to SPD buffer instead of 128

40485: vc/amd/agesa/f15tn: add 933 MHz to GfxMemClockFrequencyDefinitionTable

40488: vc/amd/agesa/f.../Proc/Mem/Tech/DDR3: Support XMP memory profiles

40489: vc/amd/agesa/f.../Proc/Mem/Tech/DDR3: Support a custom memory profile

40490: vc/amd/agesa/f15tn: add DDR1866_FREQUENCY to DdrMaxRateTab table

So now you can set up XMP / custom RAM timings by going to Chipset ---> AMD Platform Initialization ---> DDR3 memory profile in menuconfig.

Unofficial SeaBIOS patches

32351: SeaBIOS patches: advanced_bootmenu, multiple_floppies, writeprotected_usb

Contains the following unofficial SeaBIOS patches:

advanced_bootmenu: up to 35 entries (2 pages if >18), numpad support (console)

|PATCH v2| ramdisk: search for all available floppy images instead of one

Bump max MPTABLE and SMBIOS sizes from 600 to 768

Sample G505S .config

64829: configs: add Lenovo G505S sample configuration (use with dGPU patches)

Contains the sample Lenovo_G505S_.config - which should be used only after you have installed the Discrete GPU support patches. Read important notes about this .config here.

Useful floppies

They can easily be added to your coreboot's CBFS with one simple command:

./build/cbfstool ./build/coreboot.rom add -f ./yourfloppy.img -n floppyimg/nameinsidecbfs.lzma -t raw -c lzma


1) KolibriOS - a great x86 OS with a GUI and lots of really useful apps! Once the networking driver for our chip is completed, it should become possible to access the Internet and IRC chat with your friends right from a BIOS chip.

2) FreeDOS - also lots of cool apps, although many of them are proprietary, and FreeDOS might also be vulnerable to DOS viruses. Their floppy seems to be only for installation and does not contain anything useful, but it should be possible to replace the installer on it with more useful stuff and extend the floppy from 1.44MB to 2.88MB (which is also supported by SeaBIOS) if needed. Luckily LZMA compression reduces its size significantly, allowing you to still put in more useful floppies instead of just FreeDOS.

3) MichalOS - a really interesting OS based on MikeOS but significantly evolved; it has many cool things like PLAYER.APP (a two-octave piano using the beeper) and is great for showing off to your IRL friends what your open source BIOS can do. Currently MichalOS is much better than its brother TachyonOS, but maybe something could be borrowed from there as well.

4) Snowdrop - a very promising OS; it has some cool games and could be useful as a base to develop something bigger on top of.

5) Fiwix - quite a prominent project and also may be useful.

6) Memtest - for testing your RAM, and much better than coreboot's poor version. A bit more work is required for it, e.g. you'd need to extend its image to 1.44MB, so here are the instructions.

7) TatOS - sadly abandoned; I tried contacting the author but he is not replying. Not fully explored yet, but it may be quite useful for research purposes and occupies just about 100KB in your CBFS when LZMA compressed.

8) Plop Boot Manager 5.0 - a prominent boot manager that is still proprietary, but it may be possible to persuade its author to release the source code.

9) FloppyBird OS - provides the FloppyBird game and occupies just ~2K bytes inside the flash chip when LZMA compressed.

Debugging

If your coreboot-supported PC can't boot to the OS after you've installed a new coreboot ROM, it may be caused by:

1) your weird experiments with the coreboot source code ---> you may need to insert some print messages to debug it further;
2) some recent change in the fresh coreboot source code ---> you may need to bisect the commit history (e.g. with git bisect) to find the bad commit;


In either case, it might be useful to get the coreboot logs. However, since you can't boot to the OS, you can't use the ./coreboot/util/cbmem utility to extract the coreboot logs from their special location in RAM. Then your only option is to rebuild the coreboot ROM with exactly the same config but CONFIG_USBDEBUG_DONGLE_FTDI_FT232H enabled, and use a pair of FTDI-based adapters - FT232H and FT232BL (or just two FT232H) - to get the coreboot logs.

More information is available at this page - "corelogs" adapter.

Improve this page

Fill this page with a lot of truly valuable information. For example:

maybe copy some info from the Coreboot G505s page and other sources like the coreboot subreddit or 4chan.

TODO list

1) Sleep mode does not work under Qubes. See https://www.mail-archive.com/qubes-users@googlegroups.com/msg27687.html.

2) Both XHCI options in the coreboot menu should be disabled (unless you'd like to add the XHCI firmware) or the left side ports won't work at all. These options are already disabled by default and all the ports function as USB 2.0.

awokd says:

"You may have to use irqpoll in sys-usb kernel options with Qubes OS. USB interrupts don't seem to be routing correctly in Coreboot, and the only way to use them in Qubes is with irqpoll in the kernel options."


3) The A10-5750M processor is CPU family 21/0x15, model 19/0x13, stepping 1, raw 00610f31

vendor_id       : AuthenticAMD
cpu family      : 21
model           : 19
model name      : AMD A10-5750M APU with Radeon(tm) HD Graphics
stepping        : 1
microcode       : 0x600111f
cache size      : 2048 KB
physical id     : 0
siblings        : 4
fpu             : yes
fpu_exception   : yes
cpuid level     : 13
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mm>
bugs            : fxsave_leak sysret_ss_attrs null_seg spectre_v1 spectre_v2 spec_store_bypass
bogomips        : 4992.72
TLB size        : 1536 4K pages
clflush size    : 64
cache_alignment : 64
address sizes   : 48 bits physical, 48 bits virtual
power management: ts ttp tm 100mhzsteps hwpstate cpb eff_freq_ro


4) If your model has a secondary GPU and you are NOT using the discrete GPU support patches, then you need to add

xen-pciback.hide=(02:00.0)


to the boot options (02:00.0 is an example; check yours first!). xen-pciback.hide hides the secondary GPU from Qubes so it doesn't even attempt to initialize it.

5) If reverse engineering an OEM image, you can locate the firmware by using UEFITool and searching for your BIOS version in reverse byte order (the image stores it little-endian), e.g. for version 0x06001119, search for 0x19110006.
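The byte-reversal in that last item is just little-endian storage of a 32-bit value. As an added example (not from the page and not a UEFITool feature), the following POSIX shell helpers do the same search for any 8-hex-digit version on any image file: to_le_hex reverses the byte order (06001119 -> 19110006) and find_le_u32 scans the image with od + awk, printing every 0-based byte offset where that sequence occurs. It works the same for any 32-bit little-endian constant you might want to locate in a firmware dump, which is a generalisation of the single version-number case in the text; the image path and the hypothetical file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the page: locate a 32-bit BIOS version number inside
# a firmware image. x86 firmware stores multi-byte integers little-endian, so
# version 0x06001119 appears in the image as the byte sequence 19 11 00 06,
# which is why UEFITool has to be given the reversed value 0x19110006.
#
# Usage: find_le_u32 ./oem_image.rom 06001119   (prints matching byte offsets)

# Reverse the byte order of an 8-hex-digit value: 06001119 -> 19110006
# (also lower-cased so it compares equal to od's output).
to_le_hex() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' \
        | sed 's/^\(..\)\(..\)\(..\)\(..\)$/\4\3\2\1/'
}

# Print every 0-based byte offset at which the little-endian pattern occurs.
# od emits one hex byte per field; awk slides a 4-byte (8 hex char) window
# over the stream and reports the offset of the window's first byte on a hit.
find_le_u32() {
    img=$1
    pat=$(to_le_hex "$2")
    od -An -v -tx1 "$img" | awk -v pat="$pat" '
        {
            for (i = 1; i <= NF; i++) {
                w = w $i
                if (length(w) > 8) w = substr(w, length(w) - 7)
                if (w == pat) print off - 3
                off++
            }
        }'
}

# When run as a script: ./find_le_u32.sh ./oem_image.rom 06001119
[ "$#" -lt 2 ] || find_le_u32 "$1" "$2"
```

Because od is used with -v, repeated runs of identical bytes are not collapsed, so offsets stay exact even inside large 0xFF padding regions of a flash dump; the awk window also catches matches that straddle od's 16-byte output lines.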