| *** |
| *** THIS README CONSISTS OF THE COPY OF |
| *** ===> Lenovo G505S hacking |
| *** ===> http://dangerousprototypes.com/docs/Lenovo_G505S_hacking |
| *** page version as of 21 Dec 2018 |
| *** |
| *** Also check: |
| *** ===> Flashing a BIOS chip with Bus Pirate |
| *** ===> http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate |
| *** and |
| *** ===> Flashing KB9012 with Bus Pirate |
| *** ===> http://dangerousprototypes.com/docs/Flashing_KB9012_with_Bus_Pirate |
| *** |
| |
| == Introduction == |
| |
| Lenovo G505S is the latest most powerful laptop from the |
| [https://www.coreboot.org/Supported_Motherboards Supported Motherboards] |
| list of coreboot open source BIOS ''( [https://www.coreboot.org/FAQ FAQ] about coreboot )'' |
| which does not contain the Intel ME / AMD PSP hardware backdoors inside its' CPU. |
| That makes this laptop very unique and valuable to any hardware/software hacker, |
| and hopefully this page could be of a great interest - and maybe even useful! - |
| - to you, the visitor of DangerousPrototypes |
| |
| == Current status == |
| |
| The software of this laptop is already 98% open source and free-as-in-freedom ; |
| this page will describe the hacking efforts to liberate the remaining 2% as well as |
| to make this laptop truly future-proof by collecting the described spare parts and |
| upgrading its' various components |
| |
| == Future plans == |
| |
| '''1)''' Fill this page with a lot of truly valuable information ''(a bit unexpected? ;)'' |
| |
| '''2)''' Create a new "Lenovo G505S spare parts" page ''( maybe would come up with a better title )'' |
| |
| '''3)''' Describe the great-to-have software patches on top of the mainline code of coreboot open-source BIOS |
| ''( hopefully we'll get our changes merged and these descriptions would not be needed )'' |
| |
| '''...''' |
| |
| == Unofficial coreboot patches == |
| |
| === AMD microcode updates === |
| |
| Go to coreboot's configuration menu and check that " ''Chipset ---> Include CPU microcode in CBFS'' " |
| option is set to " ''Do not include microcode updates'' " - because this microcode updating procedure is broken, |
| and stupid: why load "''old''" then update to "''new''" when you could load "''new''" from the beginning? |
| Hidden ./coreboot/.config file should contain |
| # CONFIG_CPU_MICROCODE_CBFS_GENERATE is not set |
| # CONFIG_CPU_MICROCODE_CBFS_EXTERNAL_HEADER is not set |
| CONFIG_CPU_MICROCODE_CBFS_NONE=y |
| |
| |
| Instead, let's take a look at |
| |
| '''[https://review.coreboot.org/c/coreboot/+/28425 28425: AMD microcodes: scripts for applying the unofficial (not-merged-yet) updates]''' |
| |
| These scripts will help you to securely and conveniently apply the two changes to update AMD microcodes |
| by patching the hardcoded arrays of hex values at some .c source code files. Updated microcode is required |
| to improve system stability - in particular, to fix Xen hardware virtualization freezes e.g. while running |
| Qubes 4 - as well as to patch some security vulnerabilities like |
| [https://www.theregister.co.uk/2016/03/06/amd_microcode_6000836_fix/ piledriver+ NMI CPU userland to root exploit] |
| ''(if G505S's A10-5750M is affected)'' and maybe some Spectre-related vulnerabilities. |
| |
| Download all 4 files of this change above. If you can't do it with your browser ''(don't want to enable JavaScript)'' |
| or like to do it "the console way", just run the following script: |
| |
| #!/bin/sh |
| ### |
| ### https://review.coreboot.org/c/coreboot/+/28425 |
| ### AMD microcodes: scripts for applying the unofficial (not-merged-yet) updates |
| ### |
| rm -f ./*_ucode_patches.sh |
| rm -f ./sha256sums_correct.txt |
| rm -f ./*.diff && rm -f ./patch\?zip |
| wget https://review.coreboot.org/changes/28425/revisions/5/patch?zip |
| unzip ./patch\?zip && rm -f ./patch\?zip |
| sha256sum_correct="6f84c17436a1b33d9834878003250b053dc4f0ce8235d04ef023d5d9276501b1 ./2b158e9.diff" |
| sha256sum_my=$(sha256sum ./2b158e9.diff) |
| printf \\n%s\\n%s\\n "=== sha256sum should be:" "$sha256sum_correct" |
| if [ "$sha256sum_my" = "$sha256sum_correct" ] ; then |
| echo "^^^ this is correct, will extract a microcode patching patch now..." |
| patch -p1 < ./2b158e9.diff |
| else |
| echo "^^^ ! MISMATCH ! Check sha256sum manually: sha256sum ./2b158e9.diff" |
| fi |
| |
| |
| Save all 4 files of this change to |
| |
| ./coreboot/ |
| |
| |
| Allow the execution of 3 scripts by doing |
| |
| chmod +x ./*_ucode_patches.sh |
| |
| |
| then run |
| |
| ./get_ucode_patches.sh |
| |
| |
| to download the patches and extract them, |
| |
| ./check_ucode_patches.sh |
| |
| |
| to compare their checksums with |
| |
| ./sha256sums_correct.txt |
| |
| 0dcd889f1a90899b8c5852c41311a38cc6cb61622eabb5bdeec2aa96f62eecaa '''./7c771be.diff''' |
| 69dce983976e38d577b797bd802ad21cdcb1c559705c664d91ec1d0fbde9854f '''./d5107a0.diff''' |
| |
| |
| and finally, if everything is good, |
| |
| ./apply_ucode_patches.sh |
| |
| |
| This will install the following AMD ucode patches: |
| |
| '''[https://review.coreboot.org/c/coreboot/+/28273 28273: src/vendorcode/amd/agesa/f15tn: Update microcode to version 0x600111F 2018-03-05]''' - for CPU IDs 0x610F01/0x610F31 ''(replaces the very outdated 0x600110F [2012-01-11])'' |
| |
| '''[https://review.coreboot.org/c/coreboot/+/28370 28370: src/vendorcode/amd/agesa/f16kb: Update microcode to version 0x7000110 2018-02-09]''' - for CPU ID 0x700F01 ''(replaces the very outdated 0x700010B [2013-07-09])'' |
| |
| === AMD GPU AtomBIOS blobs === |
| |
| Clean [https://github.com/g505s-opensource-researcher/g505s-atombios blobs] |
| |
| == Under construction == |
| |
| This page is currently under construction and may be significantly changed without further notice ;) |
| |
| awokd's info dump: |
| |
| [https://www.coreboot.org/Board:lenovo/g505s Coreboot G505s page] |
| |
| Caveats: Sleep mode does not work under Qubes. Good to disable both XHCI options in Coreboot menu |
| or the left side ports won't work at all. Disabled they sort of function as USB 2.0 (or 1.1?) ports, |
| but you may have to use irqpoll (on sys-usb kernel options if using Qubes). |
| |
| Flashing [http://dangerousprototypes.com/docs/Flashing_KB9012_with_Bus_Pirate KB9012]. |
| |
| After flashing with coreboot, you can use the following command for internal flashes: |
| |
| sudo flashrom -p internal:laptop=force_I_want_a_brick,amd_imc_force=yes -w coreboot.rom |
| |
| |
| A10-5750M processor is cpu fam 21/0x15, mod 19/0x13, step 1 raw 00610f31 |
| |
| If your model has a secondary GPU, need to add xen-pciback.hide=(02:00.0) to boot options (02:00.0 is an example, check first) to use with Qubes. |
| |
| To locate the firmware in the OEM image, use UEFITool and search for your BIOS version in reverse byte order, like for version 0x06001119, search for 0x19110006. |
| |
| [[Category:Parts_and_Tools]] |
| [[Category:Projects]] |