blob: 1de8163dd8d11b6b0b49652cd841914cf5b8ea96 [file] [log] [blame]
***
*** THIS README CONSISTS OF THE COPY OF
*** ===> Lenovo G505S hacking
*** ===> http://dangerousprototypes.com/docs/Lenovo_G505S_hacking
*** page version as of 02 Jun 2019
***
*** Also check:
*** ===> Flashing a BIOS chip with Bus Pirate
*** ===> http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate
*** and
*** ===> Flashing KB9012 with Bus Pirate
*** ===> http://dangerousprototypes.com/docs/Flashing_KB9012_with_Bus_Pirate
***
== NEWS ==
'''csb_patcher.sh script is coming! FIRST PUBLIC VERSION - https://pastebin.com/wvYzdCDg . Soon it will replace the small patcher scripts, they are deprecated and most likely will not be updated anymore...'''
Check out the G505S-related coreboot patches I'm currently working on here - https://review.coreboot.org/q/status:open+mikeb . 31448 and 31450 patches are required for getting a discrete GPU working ''( together with [http://dangerousprototypes.com/docs/Lenovo_G505S_hacking#AMD_GPU_AtomBIOS_blobs AMD GPU AtomBIOS blobs] )''. If you are impatient to test them, you could grab a [https://github.com/mikebdp2/coreboot-g505s-builds "02JUN2019" build here] or apply them by hand.
== Introduction ==
Lenovo G505S is the latest most powerful laptop from the [https://www.coreboot.org/Supported_Motherboards Supported Motherboards] list of coreboot open source BIOS ''( [https://www.coreboot.org/FAQ FAQ] about coreboot )'' which does not contain the Intel ME / AMD PSP hardware backdoors inside its' CPU. That makes this laptop very unique and valuable to any hardware/software hacker, and hopefully this page could be of a great interest - and maybe even useful! - to you, the visitor of DangerousPrototypes.
== Current status ==
The firmware of this laptop is already 98% open source and free-as-in-freedom ; this page will describe the hacking efforts to liberate the remaining 2% as well as to make this laptop truly future-proof by collecting the described '''[http://dangerousprototypes.com/docs/Lenovo_G505S_parts Lenovo G505S parts]''' and upgrading its' various components.
== Instructions ==
'''[http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate Flashing a BIOS chip]''' and '''[http://dangerousprototypes.com/docs/Flashing_KB9012_with_Bus_Pirate Flashing KB9012]'''
After flashing with coreboot once, you can use the following command for the internal flashing:
sudo flashrom -p internal:laptop=force_I_want_a_brick,amd_imc_force=yes -w coreboot.rom
To successfully compile flashrom at ubuntu-like systems ''(e.g. Trisquel 8)'' you need to install the following packages:
sudo apt-get install build-essential git libpci-dev libusb-dev libusb-1.0-0-dev libftdi-dev
'''Please take a look at [[Lenovo_G505S_.config]] after applying the [http://dangerousprototypes.com/docs/Lenovo_G505S_hacking#Unofficial_coreboot_patches Unofficial coreboot patches].'''
== Unofficial coreboot patches ==
=== AMD microcode updates ===
Ignore that at coreboot's configuration menu the relevant option is set to ''Do not include microcode updates''. Instead, let's take a look at
'''[https://review.coreboot.org/c/coreboot/+/28425 28425: AMD microcodes: scripts for applying the unofficial (not-merged-yet) updates]'''
These scripts will help you to securely and conveniently apply the two changes to update AMD microcodes by patching the hardcoded arrays of hex values at some .c source code files. Updated microcode is required to improve system stability - in particular, to fix Xen hardware virtualization freezes e.g. while running Qubes 4 - as well as to patch some security vulnerabilities like [https://www.theregister.co.uk/2016/03/06/amd_microcode_6000836_fix/ piledriver+ NMI CPU userland to root exploit] ''(if G505S's A10-5750M is affected)'' and maybe some Spectre-related vulnerabilities.
Download all 4 files of this change above. If you can't do it with your browser ''(don't want to enable JavaScript)'' or like to do it "the console way", just run this '''./ucode.sh''' script:
#!/bin/sh
###
### https://review.coreboot.org/c/coreboot/+/28425
### AMD microcodes: scripts for applying the unofficial (not-merged-yet) updates
###
rm -f ./*_ucode_patches.sh
rm -f ./sha256sums_ucode_correct.txt
rm -f ./*.diff && rm -f ./patch\?zip
wget https://review.coreboot.org/changes/28425/revisions/10/patch?zip
unzip ./patch\?zip && rm -f ./patch\?zip
sha256sum_correct="40b3a3e2e0e27d0886bf4c36992a7e8c4d2990f8887107889dcf23f125384112 ./d684005.diff"
sha256sum_my=$(sha256sum ./d684005.diff)
printf \\n%s\\n%s\\n "=== sha256sum should be:" "$sha256sum_correct"
if [ "$sha256sum_my" = "$sha256sum_correct" ] ; then
echo "^^^ this is correct, will extract a microcode patching patch now..."
patch -p1 < ./d684005.diff
exit 0
else
echo "^^^ ! MISMATCH ! Check sha256sum manually: sha256sum ./d684005.diff"
exit 1
fi
Save all 4 files of this change to
./coreboot/
Allow the execution of 3 scripts by doing
chmod +x ./*_ucode_patches.sh
then run
./get_ucode_patches.sh
to download the patches and extract them,
./check_ucode_patches.sh
to compare their checksums with
./sha256sums_ucode_correct.txt
4f4e83c000d5465f2e0672be89e9e90ee46970b1f44513498b715413617e6a79 '''./d03768f.diff'''
7cd697c4761ce0342e5c97d159fb6e58590e1a9be888fa4570f24b63f8141461 '''./8445f49.diff'''
and finally, if everything is good,
./apply_ucode_patches.sh
This will install the following AMD ucode patches:
'''[https://review.coreboot.org/c/coreboot/+/28273 28273: src/vendorcode/amd/agesa/f15tn: Update microcode to version 0x600111F 2018-03-05]''' - for CPU IDs 0x610F01/0x610F31 ''(replaces the very outdated 0x600110F [2012-01-11])''
'''[https://review.coreboot.org/c/coreboot/+/28370 28370: src/vendorcode/amd/agesa/f16kb: Update microcode to version 0x7000110 2018-02-09]''' - for CPU ID 0x700F01 ''(replaces the very outdated 0x700010B [2013-07-09])''
=== Discrete GPU support ===
'''[https://review.coreboot.org/c/coreboot/+/31929 31929: G505S dGPU support: scripts for applying the unofficial (not-merged-yet) patches]'''
These scripts will help you to securely and conveniently apply the three changes to add the discrete GPU support by patching the source code files.
Download all 4 files of this change above. If you can't do it with your browser ''(don't want to enable JavaScript)'' or like to do it "the console way", just run this '''./dgpu.sh''' script:
#!/bin/sh
###
### https://review.coreboot.org/c/coreboot/+/31929
### G505S dGPU support: scripts for applying the unofficial (not-merged-yet) patches
###
rm -f ./*_dgpu_patches.sh
rm -f ./sha256sums_dgpu_correct.txt
rm -f ./*.diff && rm -f ./patch\?zip
wget https://review.coreboot.org/changes/31929/revisions/6/patch?zip
unzip ./patch\?zip && rm -f ./patch\?zip
sha256sum_dgpu_correct="d3c397eb5789fb8599cd0091d4bbcc65b55861c534481aa3f8e1fa0d6a926d7b ./cdd17b3.diff"
sha256sum_dgpu_my=$(sha256sum ./cdd17b3.diff)
printf \\n%s\\n%s\\n "=== sha256sum should be:" "$sha256sum_dgpu_correct"
if [ "$sha256sum_dgpu_my" = "$sha256sum_dgpu_correct" ] ; then
echo "^^^ this is correct, will extract a dgpu support patch now..."
patch -p1 < ./cdd17b3.diff
exit 0
else
echo "^^^ ! MISMATCH ! Check sha256sum manually: sha256sum ./cdd17b3.diff"
exit 1
fi
Save all 4 files of this change to
./coreboot/
Allow the execution of 3 scripts by doing
chmod +x ./*_dgpu_patches.sh
then run
./get_dgpu_patches.sh
to download the patches and extract them,
./check_dgpu_patches.sh
to compare their checksums with
./sha256sums_dgpu_correct.txt
1e6dff37ae1b8080c431f25b7a12c561bd949dfa68f6487a1bece39941f74195 '''./f5c1e4d.diff'''
f46310d570c6700fb0d4be1a1aadb98d4d464375511174648b7affc1eb0bd785 '''./3457b7f.diff'''
5670075d9d139bb0fbc162176015695428e11060475de5f8490fdde5457543cc '''./bbe978d.diff'''
and finally, if everything is good,
./apply_dgpu_patches.sh
This will install the following dGPU support patches:
'''[https://review.coreboot.org/c/coreboot/+/31357 31357: src/mainboard/lenovo/g505s: Disable SeaBIOS options not supported by hardware]'''
'''[https://review.coreboot.org/c/coreboot/+/31448 31448: src/device/pci: Add support for discrete VGA initialization and OpROM loading]'''
'''[https://review.coreboot.org/c/coreboot/+/31450 31450: lenovo/g505s: Add the discrete VGA support for AMD Lenovo G505S laptop]'''
=== AMD GPU AtomBIOS blobs ===
'''[https://review.coreboot.org/c/coreboot/+/31944 31944: G505S AtomBIOS ROMs: known good binaries with a script to check their SHA256]'''
This change contains the known good AtomBIOS ROMs for your G505S, together with their SHA256 checksums and two scripts - to extract them from '''.rom.txt''' files by '''xxd -r''' and check their SHA256. '''NOTE:''' for my convenience I've just added two ROMs for my ASUS AM1I-A and A88XM-E boards to the same change; if you don't have these boards, please ignore their ROMs.
Download all 8 files of this change above. If you can't do it with your browser ''(don't want to enable JavaScript)'' or like to do it "the console way", just run this '''./atombios.sh''' script:
#!/bin/sh
###
### https://review.coreboot.org/c/coreboot/+/31944
### G505S AtomBIOS ROMs: known good binaries with a script to check their SHA256
###
rm -f ./pci1002\,*.rom
rm -f ./pci1002\,*.rom.txt
rm -f ./*_atombios_roms.sh
rm -f ./sha256sums_atombios_correct.txt
rm -f ./*.diff && rm -f ./patch\?zip
wget https://review.coreboot.org/changes/31944/revisions/4/patch?zip
unzip ./patch\?zip && rm -f ./patch\?zip
sha256sum_atombios_correct="bbd345e31128ad8ab7ce0e206c207d514e8dfeb40b0a6609e2cc8674c4705c9b ./428cc77.diff"
sha256sum_atombios_my=$(sha256sum ./428cc77.diff)
printf \\n%s\\n%s\\n "=== sha256sum should be:" "$sha256sum_atombios_correct"
if [ "$sha256sum_atombios_my" = "$sha256sum_atombios_correct" ] ; then
echo "^^^ this is correct, will extract the atombios patch now..."
patch -p1 < ./428cc77.diff
exit 0
else
echo "^^^ ! MISMATCH ! Check sha256sum manually: sha256sum ./428cc77.diff"
exit 1
fi
Save all 8 files of this change to
./coreboot/
Allow the execution of 2 scripts by doing
chmod +x ./*_atombios_roms.sh
then run
./extract_atombios_roms.sh
to extract the AtomBIOS ROMs from '''.rom.txt''' files using the '''xxd -r''' command,
./check_atombios_roms.sh
to compare their checksums with
./sha256sums_atombios_correct.txt
6104e6989ea3f494d7bfa30573bf38e830f1068bab9980caec5e890e0ccbfced '''./pci1002,990b.rom'''
6052b5def3fda2a93f6c4d55ec91b819429e212e26cdb8e0fcca54599c9c92ed '''./pci1002,6663.rom'''
15d74515332bc512de66e0dc910d8600aeb134bf715bbc34a4faac0257f4a0dc '''./pci1002,6665.rom'''
cf5ad6f562cda07c8455a5fd33aae49ee6f451561a758e9761d1788767348115 '''./pci1002,9830.rom'''
73d52887c5c0797a00c38ff1d26528f32620efe41b47c592aa295f008712d0e5 '''./pci1002,990c.rom'''
and, if everything is good, use these AtomBIOS ROMs at your coreboot [[Lenovo_G505S_.config]] :
*990b.rom = iGPU HD-8650G | *6663.rom = dGPU HD-8570M /
*6665.rom = dGPU R5-M230
Origin of these AtomBIOS ROMs, and how they have been obtained:
'''[https://github.com/g505s-opensource-researcher/g505s-atombios https://github.com/g505s-opensource-researcher/g505s-atombios]'''
pci1002,990b.rom (for iGPU HD-8650G) has been taken from G505S with R5-M230, and
despite the tiny voltage difference - it's working great for all G505S versions.
[https://mail.coreboot.org/hyperkitty/list/coreboot@coreboot.org/thread/GZNWISLFHUTYN6C7RTWSQUMJIFOUHMED/ See this thread for more information.]
=== tint build system ===
'''[https://review.coreboot.org/c/coreboot/+/23856 23856: tint: introduce the new tint build system with checksum verification]'''
Just run this '''./tint.sh''' script:
#!/bin/sh
###
### https://review.coreboot.org/c/coreboot/+/23856
### tint: introduce the new tint build system with checksum verification
###
rm -f ./*.diff && rm -f ./patch\?zip
wget https://review.coreboot.org/changes/23856/revisions/12/patch?zip
unzip ./patch\?zip && rm -f ./patch\?zip
sha256sum_tint_correct="9ad467bc5f749d1a4701592c4bab0f978a13c7714eca8cda3d5c1479fa12f6d5 ./f2f56dd.diff"
sha256sum_tint_my=$(sha256sum ./f2f56dd.diff)
printf \\n%s\\n%s\\n "=== sha256sum should be:" "$sha256sum_tint_correct"
if [ "$sha256sum_tint_my" = "$sha256sum_tint_correct" ] ; then
echo "^^^ this is correct, will install the tint build system now..."
patch -p1 < ./f2f56dd.diff
exit 0
else
echo "^^^ ! MISMATCH ! Check sha256sum manually: sha256sum ./f2f56dd.diff"
exit 1
fi
It will install the tint build system - for more secure tint installation.
=== Unofficial SeaBIOS patches ===
'''[https://review.coreboot.org/c/coreboot/+/32351 32351: SeaBIOS - unofficial patches: advanced_bootmenu and multiple_floppies]'''
'''WARNING: it downloads the outdated revision of a patch which is broken now. ./csb_patcher.sh script (link given at the beginning of a page) doesn't have this problem.'''
Just run this '''./seabios.sh''' script:
#!/bin/sh
###
### https://review.coreboot.org/c/coreboot/+/32351
### SeaBIOS - unofficial patches: advanced_bootmenu and multiple_floppies
###
rm -f ./*.diff && rm -f ./patch\?zip
wget https://review.coreboot.org/changes/32351/revisions/1/patch?zip
unzip ./patch\?zip && rm -f ./patch\?zip
sha256sum_seabios_correct="71a03478e91117f4d8ad431e0dcd2c11fa6b175851dfa3350e9759f9ae14e3be ./a4a3cbd.diff"
sha256sum_seabios_my=$(sha256sum ./a4a3cbd.diff)
printf \\n%s\\n%s\\n "=== sha256sum should be:" "$sha256sum_seabios_correct"
if [ "$sha256sum_seabios_my" = "$sha256sum_seabios_correct" ] ; then
echo "^^^ this is correct, will install the unofficial SeaBIOS patches now..."
patch -p1 < ./a4a3cbd.diff
exit 0
else
echo "^^^ ! MISMATCH ! Check sha256sum manually: sha256sum ./a4a3cbd.diff"
exit 1
fi
It will install the following unofficial SeaBIOS patches:
'''[https://mail.coreboot.org/hyperkitty/list/seabios@seabios.org/thread/CKWLNTZU43SAHQ26USNFASORA2H5BXBE/ advanced_bootmenu: up to 35 entries (2 pages if >18), numpad support (console)]'''
'''[https://mail.coreboot.org/pipermail/seabios/2018-December/012670.html |PATCH v2| ramdisk: search for all available floppy images instead of one]'''
=== Sample G505S .config ===
'''[https://review.coreboot.org/c/coreboot/+/32352 32352: configs: add Lenovo G505S sample configuration (use with dGPU patches)]'''
Just run this '''./config_g505s.sh''' script:
#!/bin/sh
###
### https://review.coreboot.org/c/coreboot/+/32352
### configs: add Lenovo G505S sample configuration (use with dGPU patches)
###
rm -f ./.config
rm -f ./configs/config.lenovo_g505s_use_with_dgpu_patches
rm -f ./*.diff && rm -f ./patch\?zip
wget https://review.coreboot.org/changes/32352/revisions/2/patch?zip
unzip ./patch\?zip && rm -f ./patch\?zip
sha256sum_config_g505s_correct="7c673d6fd2c6ff2f19ff964c27350b738580640d3730eb4d4bd69f89ad15fdb7 ./3ba104d.diff"
sha256sum_config_g505s_my=$(sha256sum ./3ba104d.diff)
printf \\n%s\\n%s\\n "=== sha256sum should be:" "$sha256sum_config_g505s_correct"
if [ "$sha256sum_config_g505s_my" = "$sha256sum_config_g505s_correct" ] ; then
echo "^^^ this is correct, will install the unofficial G505S config now..."
patch -p1 < ./3ba104d.diff
cp ./configs/config.lenovo_g505s_use_with_dgpu_patches ./.config
exit 0
else
echo "^^^ ! MISMATCH ! Check sha256sum manually: sha256sum ./3ba104d.diff"
exit 1
fi
It will install the sample '''[[Lenovo_G505S_.config]]''' - which should be used only after you have installed the [http://dangerousprototypes.com/docs/Lenovo_G505S_hacking#Discrete_GPU_support Discrete GPU support] patches. '''Read important notes about this .config [http://dangerousprototypes.com/docs/Lenovo_G505S_.config here]'''.
== Useful floppies ==
They could be easily added to your coreboot's CBFS with one simple command:
./build/cbfstool ./build/coreboot.rom add -f ./yourfloppy.img -n floppyimg/nameinsidecbfs.lzma -t raw -c lzma
'''1) [http://kolibrios.org/en/ KolibriOS]''' - great x86 OS with GUI and lots of really useful apps! After the networking driver for our chip will be completed, it should become possible to access the Internet and IRC chaaat with your friends right from a BIOS chip.
'''2) [https://www.freedos.org/ FreeDOS]''' - also lots of cool apps, although many of them are proprietary and also FreeDOS might be vulnerable to DOS viruses. Their floppy seems to be only for installation and does not contain anything useful, but it should be possible to replace the installer in it with more useful stuff and extend the floppy from 1.44MB to 2.88MB - which is also supported by SeaBIOS - if needed. Luckily LZMA compression will reduce its' size significantly, allowing to still put more useful floppies instead of just FreeDOS.
'''3) [https://sourceforge.net/projects/michalos/ MichalOS]''' - really interesting OS based on MikeOS but significantly evolved, has many cool things like PLAYER.APP --> two octave piano which is using a beeper, and great for showing off to your IRL friends what your opensource BIOS can do. Currently MichalOS is much better than its' brother TachyonOS, but maybe something could be borrowed from there as well.
'''4) [http://sebastianmihai.com/snowdrop/ Snowdrop]''' - very promising OS, has some cool games and could be useful to develop something bigger on top of it.
'''5) [https://www.fiwix.org/ Fiwix]''' - quite a prominent project and also may be useful.
'''6) [http://www.memtest.org/ Memtest]''' - for testing your RAM, and much better than coreboot's poor version. A bit more work is required for it - e.g. you'd need to extend its' image to 1.44MB - so [https://mail.coreboot.org/pipermail/coreboot/2018-November/087713.html here are the instructions]
'''7) [https://github.com/tatimmer/tatOS TatOS]''' - sadly abandoned, tried contacting the author but he is not replying. Not fully explored yet but may be quite useful for research purposes and occupies just about 100KB in your CBFS when LZMA compressed.
'''8) [https://www.plop.at/ Plop Boot Manager 5.0]''' - prominent boot manager that is still proprietary, but may be possible to persuade its' author to release the source code.
'''9) [https://github.com/icebreaker/floppybird FloppyBird OS]''' - provides a FloppyBird game and occupies just ~2K bytes inside a flash chip when LZMA compressed.
== Improve this page ==
Fill this page with a lot of truly valuable information. For example:
describe the great-to-have software patches on top of the mainline code of coreboot open-source BIOS ''( hopefully we'll get our changes merged and these descriptions would not be needed )''
Maybe copy some info from [https://www.coreboot.org/Board:lenovo/g505s Coreboot G505s page] and other sources like [https://www.reddit.com/r/coreboot coreboot subreddit] or [http://4chan.org/ 4chan].
== TODO list ==
'''1)''' Sleep mode does not work under Qubes. See https://www.mail-archive.com/qubes-users@googlegroups.com/msg27687.html.
'''2)''' Both XHCI options in Coreboot menu should be disabled (unless you'd like to add the XHCI firmware) or the left side ports won't work at all. These options are already disabled by default and all the ports are functioning as USB 2.0.
'''awokd tells:'''
"You may have to use irqpoll in sys-usb kernel options with Qubes OS. USB interrupts don't seem to be routing correctly in Coreboot, and the only way to use them in Qubes is with irqpoll in the kernel options."
'''3)''' A10-5750M processor is cpu fam 21/0x15, mod 19/0x13, step 1 raw 00610f31
^^ Maybe post the full '''cat /proc/cpuinfo''' here?
'''4)''' If your model has a secondary GPU and you are NOT using the discrete GPU support patches, then you need to add
xen-pciback.hide=(02:00.0)
to boot options ''(02:00.0 is an example, check first!)''. xen-pciback.hide hides the secondary GPU from Qubes so it doesn't even attempt to initialize it.
'''5)''' If reverse engineering an OEM image, you can locate the firmware by using UEFITool and searching for your BIOS version in reverse byte order, like for version 0x06001119, search for 0x19110006.
[[Category:Parts_and_Tools]]
[[Category:Projects]]