hamishcoleman / thinkpad-ec

Infrastructure for examining and patching Thinkpad embedded controller firmware
GNU General Public License v2.0

Whitelist #70

Open edmalho opened 6 years ago

edmalho commented 6 years ago

Can this project be expanded to whitelist cards, or even unlock overclock? I can provide the changes needed on the FL1 file.

JCBuck commented 6 years ago

Yup, after this I use fptw64 to dump the current uefi bios, then apply patches (such as turbo bin overclocking, bios protect, advanced menu) using uefitool and uefipatch and can reflash it with fptw64 then restart (but really any utility that can do spi flashing could work)

pgera commented 6 years ago

But fptw64/flashrom work with raw dumps. So every time you want to upgrade, it has the additional step of first flashing the latest version and reading back the dump. Then you go back to the old version and flash the patched dump. Is it possible to extract the relevant region from the FL1 file, patch it, and flash that with fptw64? That would also simplify maintaining and validating patches against FL1 files.

Edit: You mentioned bios_protect. Are you patching FLOCKDN ? If you don't patch that, but only patch BIOS_CNTL, does it allow you to flash ?

JCBuck commented 6 years ago

@pgera yes, I believe you can extract the BIOS out of the FL1 file from what I read. I think somebody has just cut the part out and it worked, as the FL1 is the same with some header information prepended. UEFITool can read both the raw dump and the FL1, I believe, but I'm no expert; I'd have to do some more research. No, you must be able to prevent FLOCKDN from being set, or else the protected range registers cannot be cleared and fptw64 will complain.

pgera commented 6 years ago

I wasn't able to find where FLOCKDN is set in the bios. If someone has time to look, it would be helpful for internal switching between coreboot and lenovo bios (i.e. bios -> coreboot. Other way round is fine). Again, this is for development purposes. Not recommended to leave everything unlocked otherwise. The bios_cntl location in File_DXE_driver_2EE81ACB-64B2-41AE-8635-7030D16C4AA8_PchBiosWriteProtect.efi_body is known, but that alone won't be sufficient without FLOCKDN. I tried looking for immediate value 0x4 in same file since FLOCKDN is SPIBAR + 0x4, but I'm not sure if it's set there.

pgera commented 6 years ago

It was taking too long for the programmer to arrive. So I decided to flash it internally with fptw64. Everything went as expected. @edmalho's instructions for fixing the TPM hashes were very helpful. The advanced BIOS menu also has an option to disable the ME. This seems to be a temporary disable mode, which is not exactly the same as the HAP/soft-disable mode. Here's the output from intelmetool:

MEI found: [8086:1e3a] 7 Series/C216 Chipset Family MEI Controller #1

ME Status   : 0x1e030185
ME Status 2 : 0x12280106

ME: FW Partition Table      : OK
ME: Bringup Loader Failure  : NO
ME: Firmware Init Complete  : NO
ME: Manufacturing Mode      : NO
ME: Boot Options Present    : NO
ME: Update In Progress      : NO
ME: Current Working State   : Normal
ME: Current Operation State : Bring up
ME: Current Operation Mode  : Soft Temporary Disable
ME: Error Code              : No Error
ME: Progress Phase          : BUP Phase
ME: Power Management Event  : Clean global reset
ME: Progress Phase State    : ME in temp disable

ME: Extend SHA-256: [long hash here]

ME: failed to become ready
ME: failed to become ready
ME: GET FW VERSION message failed

pgera commented 5 years ago

Just an update on the patches. I found that the hackintosh msr patch causes stability issues with linux. It causes random reboots on my w530. I had to revert it. The other two patches seem to be fine. It's either the patch itself, or something else in my environment or setup. I didn't have time or motivation to investigate it since I don't use hackintosh. Was likely something else. Also did a reset of bios settings, which might have helped.

azanwaqas commented 5 years ago

Hi, how do I make a patch file for the T440s?

ludufre commented 5 years ago

I have created a more detailed guide teaching to reassign the BIOS: https://www.insanelymac.com/forum/topic/337333-guide-fix-insyde-h2o-bios-signature-5-beeps-on-lenovo/ @edmalho

azanwaqas commented 5 years ago

How to make Lenovo bios patch for Lenovo supervisor password unlock

pgera commented 5 years ago

@edmalho , I have noticed a downside to this approach. After patching, you cannot clear or take ownership of the tpm chip. The tpm chip continues to work in its previous configuration before patching, but you will not be able to reset it. If you want to take ownership, you need to go back to the stock bios.

a-hurst commented 4 years ago

Just as an update to this for anyone trying to follow along, someone's put together a very good and detailed guide on how to remove BIOS write protection from a xx30-series ThinkPad without a hardware flasher using chipsec.

The guide/process could definitely be streamlined a bit further (e.g. recommending a bootable USB Linux distro to follow along with, since the one I had installed didn't have a new enough flashrom to make a BIOS backup and I had to jump through a bunch of extra steps trying to get a newer version working), but for the most part it was pretty straightforward to follow.

What's still missing at this point is a guide/script for patching the stock Lenovo BIOS (there's a post detailing and explaining a bunch of the possible patches here). Because xx30 BIOS mods until now have required hardware flashing over the whole chip, and apparently each chip has a bit of code unique to each machine, people have had to:

  1. Dump the full contents of the BIOS chip with a hardware flasher
  2. Create an account on bios-mods.com, post your dumped BIOS in the x230 thread along with a list of the patches you'd like applied, and wait for one of the people there to patch it and PM it back to you
  3. Flash the patched BIOS onto the chip, again using the hardware flasher

Of course, now that we've figured out removing flash protection from the stock BIOS without a flasher, it should be possible (based on my understanding, at least) to just modify the stock .FL1 file from the official Lenovo BIOS .iso and make a universal modified BIOS image that can be flashed the same way thinkpad-ec is (since the BIOS update only flashes over part of the chip and not the whole thing, so machine-specific regions aren't an issue). I guess the main work that'd need to be done here would be making sure the patches work across the BIOSes for different xx30 models and summarizing the patching / checksum fixing process into a step-by-step process (and eventually a script).

JCBuck commented 4 years ago

Thanks for the update. The link seems to point to the EC patch instructions instead of the BIOS WP bypass instructions. As for patching the BIOS images, the free and open source tool UEFITool or UEFIPatch works quite well in reading in raw firmware dumps and doing byte replacements to apply fixes such as whitelists or overclocking support. Theoretically it can be automated. I don't remember exactly, but I did try to modify the stock BIOS, and it does require a bit of work to unpack it.

On Mon, Dec 9, 2019, 10:05 AM a-hurst notifications@github.com wrote:

Just as an update to this for anyone trying to follow along, someone's put together a very good and detailed guide https://github.com/gch1p/thinkpad-bios-software-flashing-guide/issues/1 on how to remove BIOS write protection from a xx30-series ThinkPad without a hardware flasher using chipsec.

The guide/process could definitely be streamlined a bit further (e.g. recommending a bootable USB Linux distro to follow along with, since the one I had installed didn't have a new enough flashrom to make a BIOS backup and I had to jump through a bunch of extra steps trying to get a newer version working), but for the most part it was pretty straightforward to follow.

What's still missing at this point is a guide/script for patching the stock Lenovo BIOS (there's a post detailing and explaining a bunch of the possible patches here https://www.bios-mods.com/forum/Thread-REQUEST-Modify-X230-BIOS-with-clip?pid=104503#pid104503). Because xx30 BIOS mods until now have required hardware flashing over the whole chip, and apparently each chip has a bit of code unique to each machine, people have had to:

  1. Dump the full contents of the BIOS chip with a hardware flasher
  2. Create an account on bios-mods.com, post your dumped BIOS in the x230 thread along with a list of the patches you'd like applied, and wait for one of the people there to patch it and PM it back to you
  3. Flash the patched BIOS onto the chip, again using the hardware flasher

Of course, now that we've figured out removing flash protection from the stock BIOS without a flasher, it should be possible (based on my understanding, at least) to just modify the stock .FL1 file from the official Lenovo BIOS .iso and make a universal modified BIOS image that can be flashed the same way thinkpad-ec is (since the BIOS update only flashes over part of the chip and not the whole thing, so machine-specific regions aren't an issue). I guess the main work that'd need to be done here would be making sure the patches work across the BIOSes for different xx30 models and summarizing the patching / checksum fixing process into a step-by-step process (and eventually a script).


a-hurst commented 4 years ago

Apologies, I believe I've fixed the link in my post. I've discovered the UEFITool/UEFIPatch utilities and have found some partial guides on how to use them, but I'm also wanting to be sure the patches posted here and elsewhere will work (and not break anything) with my particular model / BIOS version in case any of the patched code differs between models/versions (I'm being extra cautious here because I don't have a hardware flasher on hand).

As for extracting the stock BIOS from the official Lenovo image, it's actually dead-easy on Linux: just extract the DOS flashing image from the .iso with

geteltorito -o ./bios.img stock_lenovo_bios.iso

and mount the resulting bios.img. The .FL1 containing the stock image can be found in the mounted image's ./FLASH/G1ET93WW/ folder (the exact folder name differs between BIOS versions but will resemble that one).

pgera commented 4 years ago

@a-hurst , 1) Get a programmer first no matter what. 2) If you don't have an nvidia card, I would strongly recommend coreboot instead of patching the bios. While bios patching works, it's not a long term sustainable solution since you need to do the back and forth every time the bios is updated. Also, it breaks TPM provisioning.

a-hurst commented 4 years ago

@pgera I don't have an NVidia card (it's an x230 so integrated-only), but unfortunately I don't think Coreboot is an option since the one-and-only purpose for the cheap x230 I bought is to run macOS, and based on what I've read I don't think the Coreboot video blobs play nice with it (I'll do some more research though). An external programmer is definitely a good idea; I've just been reluctant to drop over $20 + shipping on a Pomona SOIC8 clip + $10 for a CH341A for a computer that's not really mission-critical for me (once the whitelist is gone, I'll get a macOS-compatible Wi-Fi card and it'll eventually replace my X220, but until then it's not getting used).

On another note, something else I found that's relevant to the thread is this incredible blog post, where the poster goes through the process of reverse-engineering and patching the whitelist out of the stock T430 BIOS in great detail with images from radare2 & explanations of exactly what the patch is changing in the BIOS logic.

pgera commented 4 years ago

You should try a single patch first that does just the wifi whitelist. The patches posted earlier in the thread are fine. It's a one line command with uefi patch. You'll get the beeps at boot, but you can deal with that later if you care about them by following the other detailed instructions. They are not essential. So your high level steps are 1) Disable write protect 2) Read from chip 3) Patch 4) Write to chip

a-hurst commented 4 years ago

Thanks, I'll likely attempt this over the holidays.

Actually, does anyone have known-working pre & post patch BIOS files they can share? I'm curious because I've found what appears to be a scriptable Python equivalent of UEFITool/UEFIPatch called uefi-firmware-parser, and it seems to work fine for parsing stock X230 BIOS extracted from the official Lenovo .iso, but it's not documented super-well and I want to make sure I can reproduce the working patches that UEFIPatch does before flashing anything it creates.

The major upside to this (if it works) is that Python's hashlib has built-in SHA1 support and it also has a solid regex library, meaning that we could potentially script both the patches and the SHA1 fixes to remove the beeps, making the whole process massively easier.

coaxial commented 9 months ago

Stock BIOS v2.73: flashregion_1_bios.tar.gz (BIOS region only)

Modified BIOS v2.73: 20180922_141118_bios.rom.tar.gz (entire ROM but I don't remember if it was with or without unlocking the ME etc regions)

Several modifications enabled in this BIOS, including whitelist bypass.

coaxial commented 9 months ago

To add, someone much smarter than me did a 3 part writeup about removing the whitelist:

In particular, from part 3:

I dumped the current BIOS and patched it using UEFIPatch tool. I’ve created a pattern to patch the image:

79E0EDD7-9D1D-4F41-AE1A-F896169E5216 10 P:0AFFFFFF:20010000

Maybe this helps?
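As an added example (not code from the thinkpad-ec project or from anyone in this thread), the following Python script shows the kind of scripted patch handling a-hurst asked about earlier and exercises it on the UEFIPatch-style pattern line coaxial quoted above. It parses a `<GUID> <section type> P:<find>:<replace>` line, searches a section body for the find pattern, and applies the replacement only when the pattern matches exactly once, which is the check a practitioner most wants before writing anything to flash: a pattern that matches zero times means the patch does not fit this BIOS version, and one that matches several times means the patch is ambiguous. Assumptions: the section type field is read as a hex byte (0x10 is the PE32 section type), `..` in the find pattern is treated as a one-byte wildcard, offset-style (`O:`) patches are not handled, and the section body it runs on is a constructed byte string, not a real ROM; for a real image the section body would first be extracted with UEFITool.

```python
"""Added example: parse and safely apply a UEFIPatch-style pattern line.

Operates on an in-memory byte string only; nothing here touches a flash chip.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Pattern line quoted in the thread (GUID and bytes as posted there).
PATTERN_LINE = "79E0EDD7-9D1D-4F41-AE1A-F896169E5216 10 P:0AFFFFFF:20010000"

# Constructed stand-in for a section body: a few filler bytes around the
# 0A FF FF FF sequence the pattern looks for. Not real firmware content.
SAMPLE_BODY = bytes.fromhex("4883ec28" "0affffff" "31c0")

Pattern = List[Optional[int]]  # None marks a wildcard byte (assumed ".." syntax)


@dataclass
class PatchPattern:
    guid: str           # GUID of the file/section the patch applies to
    section_type: int   # section type field, taken as hex (assumption)
    find: Pattern       # bytes to locate; None entries match any byte
    replace: Pattern    # bytes to write; None entries keep the original byte


def _hex_to_pattern(text: str) -> Pattern:
    """Convert 'DEAD..EF' into [0xDE, 0xAD, None, 0xEF]."""
    if len(text) % 2:
        raise ValueError(f"odd-length hex string: {text}")
    pairs = [text[i:i + 2] for i in range(0, len(text), 2)]
    return [None if p == ".." else int(p, 16) for p in pairs]


def parse_pattern_line(line: str) -> PatchPattern:
    """Parse one pattern line; raise ValueError on anything malformed."""
    parts = line.split()
    if len(parts) != 3:
        raise ValueError(f"expected 3 fields, got {len(parts)}: {line!r}")
    guid, stype, patch = parts
    if not re.fullmatch(r"[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}", guid):
        raise ValueError(f"malformed GUID: {guid}")
    kind, find_hex, replace_hex = patch.split(":")
    if kind != "P":
        raise ValueError(f"only P (pattern) patches are handled here, got {kind}")
    find, replace = _hex_to_pattern(find_hex), _hex_to_pattern(replace_hex)
    if len(find) != len(replace):
        raise ValueError("find and replace patterns must have equal length")
    return PatchPattern(guid.upper(), int(stype, 16), find, replace)


def find_matches(body: bytes, find: Pattern) -> List[int]:
    """Return every offset at which the wildcard-aware pattern occurs."""
    n = len(find)
    return [off for off in range(len(body) - n + 1)
            if all(p is None or body[off + k] == p for k, p in enumerate(find))]


def can_apply(body: bytes, pat: PatchPattern) -> bool:
    """True only when the pattern occurs exactly once in the body."""
    return len(find_matches(body, pat.find)) == 1


def apply_patch(body: bytes, pat: PatchPattern) -> bytes:
    """Apply the replacement at the unique match; refuse on 0 or >1 matches."""
    hits = find_matches(body, pat.find)
    if len(hits) != 1:
        raise ValueError(f"pattern matched {len(hits)} times, expected exactly 1")
    out = bytearray(body)
    for k, rep in enumerate(pat.replace):
        if rep is not None:           # None keeps the original byte
            out[hits[0] + k] = rep
    return bytes(out)


def sha1_hex(data: bytes) -> str:
    """SHA-1 of a body, for comparing before/after images as the thread suggests."""
    return hashlib.sha1(data).hexdigest()


if __name__ == "__main__":
    pat = parse_pattern_line(PATTERN_LINE)
    print(f"GUID {pat.guid}, section type 0x{pat.section_type:02x}")
    print("matches at offsets:", find_matches(SAMPLE_BODY, pat.find))
    patched = apply_patch(SAMPLE_BODY, pat)
    print("before:", SAMPLE_BODY.hex(), sha1_hex(SAMPLE_BODY))
    print("after: ", patched.hex(), sha1_hex(patched))
    # A body containing the sequence twice is rejected rather than guessed at.
    print("ambiguous body accepted?", can_apply(SAMPLE_BODY * 2, pat))
```

The uniqueness check is the point of the script: UEFIPatch patterns are written against one BIOS version, and the thread's concern about patches differing between models is exactly the case where a pattern silently matches somewhere else or not at all. Comparing the SHA-1 of the section body before and after also gives a quick way to confirm that only the intended bytes changed when diffing against an image somebody else produced.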