blob: 9fe433f5e38db8f64d7eab577d6cf4f576d79daf [file] [log] [blame]
***
*** THIS README CONSISTS OF THE COPY OF
*** ===> Lenovo G505S hacking
*** ===> http://dangerousprototypes.com/docs/Lenovo_G505S_hacking
*** page version as of 21 Dec 2018
***
*** Also check:
*** ===> Flashing a BIOS chip with Bus Pirate
*** ===> http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate
*** and
*** ===> Flashing KB9012 with Bus Pirate
*** ===> http://dangerousprototypes.com/docs/Flashing_KB9012_with_Bus_Pirate
***
== Introduction ==
Lenovo G505S is the latest most powerful laptop from the
[https://www.coreboot.org/Supported_Motherboards Supported Motherboards]
list of coreboot open source BIOS ''( [https://www.coreboot.org/FAQ FAQ] about coreboot )''
which does not contain the Intel ME / AMD PSP hardware backdoors inside its' CPU.
That makes this laptop very unique and valuable to any hardware/software hacker,
and hopefully this page could be of a great interest - and maybe even useful! -
- to you, the visitor of DangerousPrototypes
== Current status ==
The software of this laptop is already 98% open source and free-as-in-freedom ;
this page will describe the hacking efforts to liberate the remaining 2% as well as
to make this laptop truly future-proof by collecting the described spare parts and
upgrading its' various components
== Future plans ==
'''1)''' Fill this page with a lot of truly valuable information ''(a bit unexpected? ;)''
'''2)''' Create a new "Lenovo G505S spare parts" page ''( maybe would come up with a better title )''
'''3)''' Describe the great-to-have software patches on top of the mainline code of coreboot open-source BIOS
''( hopefully we'll get our changes merged and these descriptions would not be needed )''
'''...'''
== Unofficial coreboot patches ==
=== AMD microcode updates ===
Go to coreboot's configuration menu and check that " ''Chipset ---> Include CPU microcode in CBFS'' "
option is set to " ''Do not include microcode updates'' " - because this microcode updating procedure is broken,
and stupid: why load "''old''" then update to "''new''" when you could load "''new''" from the beginning?
Hidden ./coreboot/.config file should contain
# CONFIG_CPU_MICROCODE_CBFS_GENERATE is not set
# CONFIG_CPU_MICROCODE_CBFS_EXTERNAL_HEADER is not set
CONFIG_CPU_MICROCODE_CBFS_NONE=y
Instead, let's take a look at
'''[https://review.coreboot.org/c/coreboot/+/28425 28425: AMD microcodes: scripts for applying the unofficial (not-merged-yet) updates]'''
These scripts will help you to securely and conveniently apply the two changes to update AMD microcodes
by patching the hardcoded arrays of hex values at some .c source code files. Updated microcode is required
to improve system stability - in particular, to fix Xen hardware virtualization freezes e.g. while running
Qubes 4 - as well as to patch some security vulnerabilities like
[https://www.theregister.co.uk/2016/03/06/amd_microcode_6000836_fix/ piledriver+ NMI CPU userland to root exploit]
''(if G505S's A10-5750M is affected)'' and maybe some Spectre-related vulnerabilities.
Download all 4 files of this change above. If you can't do it with your browser ''(don't want to enable JavaScript)''
or like to do it "the console way", just run the following script:
#!/bin/sh
###
### https://review.coreboot.org/c/coreboot/+/28425
### AMD microcodes: scripts for applying the unofficial (not-merged-yet) updates
###
rm -f ./*_ucode_patches.sh
rm -f ./sha256sums_correct.txt
rm -f ./*.diff && rm -f ./patch\?zip
wget https://review.coreboot.org/changes/28425/revisions/5/patch?zip
unzip ./patch\?zip && rm -f ./patch\?zip
sha256sum_correct="6f84c17436a1b33d9834878003250b053dc4f0ce8235d04ef023d5d9276501b1 ./2b158e9.diff"
sha256sum_my=$(sha256sum ./2b158e9.diff)
printf \\n%s\\n%s\\n "=== sha256sum should be:" "$sha256sum_correct"
if [ "$sha256sum_my" = "$sha256sum_correct" ] ; then
echo "^^^ this is correct, will extract a microcode patching patch now..."
patch -p1 < ./2b158e9.diff
else
echo "^^^ ! MISMATCH ! Check sha256sum manually: sha256sum ./2b158e9.diff"
fi
Save all 4 files of this change to
./coreboot/
Allow the execution of 3 scripts by doing
chmod +x ./*_ucode_patches.sh
then run
./get_ucode_patches.sh
to download the patches and extract them,
./check_ucode_patches.sh
to compare their checksums with
./sha256sums_correct.txt
0dcd889f1a90899b8c5852c41311a38cc6cb61622eabb5bdeec2aa96f62eecaa '''./7c771be.diff'''
69dce983976e38d577b797bd802ad21cdcb1c559705c664d91ec1d0fbde9854f '''./d5107a0.diff'''
and finally, if everything is good,
./apply_ucode_patches.sh
This will install the following AMD ucode patches:
'''[https://review.coreboot.org/c/coreboot/+/28273 28273: src/vendorcode/amd/agesa/f15tn: Update microcode to version 0x600111F 2018-03-05]''' - for CPU IDs 0x610F01/0x610F31 ''(replaces the very outdated 0x600110F [2012-01-11])''
'''[https://review.coreboot.org/c/coreboot/+/28370 28370: src/vendorcode/amd/agesa/f16kb: Update microcode to version 0x7000110 2018-02-09]''' - for CPU ID 0x700F01 ''(replaces the very outdated 0x700010B [2013-07-09])''
=== AMD GPU AtomBIOS blobs ===
Clean [https://github.com/g505s-opensource-researcher/g505s-atombios blobs]
== Under construction ==
This page is currently under construction and may be significantly changed without further notice ;)
awokd's info dump:
[https://www.coreboot.org/Board:lenovo/g505s Coreboot G505s page]
Caveats: Sleep mode does not work under Qubes. Good to disable both XHCI options in Coreboot menu
or the left side ports won't work at all. Disabled they sort of function as USB 2.0 (or 1.1?) ports,
but you may have to use irqpoll (on sys-usb kernel options if using Qubes).
Flashing [http://dangerousprototypes.com/docs/Flashing_KB9012_with_Bus_Pirate KB9012].
After flashing with coreboot, you can use the following command for internal flashes:
sudo flashrom -p internal:laptop=force_I_want_a_brick,amd_imc_force=yes -w coreboot.rom
A10-5750M processor is cpu fam 21/0x15, mod 19/0x13, step 1 raw 00610f31
If your model has a secondary GPU, need to add xen-pciback.hide=(02:00.0) to boot options (02:00.0 is an example, check first) to use with Qubes.
To locate the firmware in the OEM image, use UEFITool and search for your BIOS version in reverse byte order, like for version 0x06001119, search for 0x19110006.
[[Category:Parts_and_Tools]]
[[Category:Projects]]