---
title: Installing Coreboot on a Thinkpad T430s | Part 1
date: "2018-03-29"
lastmod: "2018-04-07"
categories:
- thinkpad
tags:
- hacking
- thinkpad
- hardware
- english
slug: thinkpad-coreboot-part1
aliases:
- /thinkpad-coreboot-part1
cover:
image: /images/writing-the-new-chip-e1522281795259-750x410.jpg
alias: /2018/03/29/installing-coreboot-on-a-thinkpad-t430s-part-1/
summary: I modified my Thinkpad T430s to run Coreboot.
---
## Why would you flash Coreboot?
There are several reasons why you should consider doing this. The
BIOS[^uefi] on those laptops is quite restrictive. You're
limited to 3 rather old WiFi card models, which only support 802.11n and
are rather slow by today's standards. If you try a non-whitelisted card,
the laptop will refuse to boot until you remove the card. Also, Lenovo has
released no updates to mitigate several exploits against the Intel ME.
Another good point is that you don't know what the BIOS is doing
in the background; it could send data home. Coreboot replaces the BIOS
and therefore solves most of these issues. There is a [python
script](https://github.com/corna/me_cleaner) to solve the Intel ME
problem.

------------------------------------------------------------------------
## Before you start
Please make sure that you understand the following things before you
start. Bricking your device, or having to uninstall the mod later on,
could be a major pain.
### EC modding
As far as I know, it's not possible to flash the embedded controller
without the original firmware/BIOS. So please apply any EC mods before
you replace your BIOS. Here are some things which require EC
modification, which you should really consider doing first. Thanks to
Hamish Coleman it's rather easy. Visit [his
project](https://github.com/hamishcoleman/thinkpad-ec) on GitHub!
1. [classic keyboard mod](http://www.instructables.com/id/ThinkPad-T430T430sX230-Classic-Keyboard-Mod/)
2. battery whitelist removal
### Don't turn your device into an expensive paperweight
Just to make it clear: **You're likely to turn your Thinkpad into a
brick** trying to swap the BIOS chip. Please remember that removing the
chip is not necessary if you [don't suck at
soldering](https://www.reddit.com/r/thinkpad/comments/7ce1q1/installing_coreboot_on_the_t430s_in_preparation/)
and manage to solder wires to the chip. I still recommend replacing the
chip, though. You can skip the whole desoldering and resoldering part if
your chip already is a SOIC8 package.

------------------------------------------------------------------------
### List of parts
During the series, I will use the following tools:
- Disassembly
  - Size 1 Phillips screwdriver
- Chip removal
  - Heat resistant tape
  - Hot air station
  - Flux
  - Tweezers
  - a 500°C tested working surface
- Reading and writing to the chip
  - Chinese SOIC8 test clip
  - Raspberry Pi (you can use any other SPI programmer which is supported by flashrom, or even write your own program and use unsupported programmers; the protocol is not that complex)
  - flashrom --- software to flash and read over SPI
  - Some really tiny copper cables and some jumper wires
  - soldering iron
- Installing the new chip
  - 25Q128FVSIG -- 3V -- SOIC8 Chip --- to replace the BIOS chip
  - 60W soldering iron
  - flux and solder
- Optional
  - Thermal paste --- you're disassembling the whole thing, so why
    not reapply some fresh paste to the CPU?
------------------------------------------------------------------------
## Disassembling the Thinkpad
For a detailed guide on how to disassemble it, you can and should look
into the [official maintenance
manual](https://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles_pdf/0b48538.pdf)
from Lenovo.
Protip: Take pictures of screw placements and antenna cable routing.
### What I tried before removing the chip
The first thing I tried was to solder way too big wires to the exposed
little solder blobs. Thereby, I destroyed the solder blobs and now the
board is throwing CMOS errors upon boot. I probably should've unplugged
the CMOS battery. It still measures 3.10V though, which was slightly
worrying as I thought I had damaged the board. As it turns out I didn't.
Still, it was not a smart idea, so *disconnect your CMOS battery before
soldering*.
![The voltage measurement of CMOS-Battery](/images/Multimeter-192x300.jpg#center)
Also, the BIOS didn't boot after I reassembled the laptop. Reheating the
"destroyed" joints seems to have fixed this. Meaning that the BIOS chip
was not broken at this point. So I finally decided to remove it from the
board. As I didn't have a heat gun at the time, I finally ordered one.
 
## Preparing the board
We will heat the board up quite massively, as the WSON chip is connected
to the big ground planes via a rather big pad under the chip. There are
really small components around our chip which would be desoldered long
before the chip if we heated them up. As we also don't want them flying
around, we'll tape them off with our heat resistant tape. I used
Kapton-Tape for this, which is not optimal as it is only made to
withstand up to 280°C. If you have access to actual heat shielding tape
made of aluminium or another metal, go for it. Just make sure to take
your time and fit it tightly to the board. In my personal experience,
the Kapton-Tape is good enough that you don't even desolder the small
components. Well, at least they don't move if they do, and they resolder fine.
![Board covered in Kapton tape -- notice the dodgy solder balls around the chip](/images/IMG_20180321_152222-e1522049347702-1024x579.jpg#center)
*Board covered in Kapton tape -- notice the dodgy solder balls around the chip*
 
## Desoldering the chip
Now that you have prepared the board it's time to take your heat gun.
You cannot use a soldering iron as there is a large pad below the chip.
I set mine to around 350°C (\~660°F) and a medium airflow. Make sure to
blow the air straight at the board and not at an angle to avoid
desoldering and blowing away those tiny resistors. Cycle over the chip
and use your tweezers to test if it came loose and finally remove the
chip. Even if you never used a heat gun before, it's not that hard. Just
don't pull on the chip while there is still solder holding it down.
Remove the Kapton-Tape from the board when you're done unless you want
to use the heat gun to solder the replacement into place. Don't throw
the old chip away; we'll need it later.
![The chip finally came off the board without lifting any pads. --- the Kapton-Tape has darkened a bit.](/images/desoldered-e1522272630299-1024x579.jpg#center)
*The chip finally came off the board without lifting any pads. --- the Kapton-Tape has darkened a bit.*
## Soldering the new chip
Your replacement chip is a SOIC8 package. If you have soldered SMD parts
before, you should have no problem. In case you haven't: Make sure
you align the indent on the chip with the white mark on the board. The
indent tells you where pin 1 is and the mark on the board shows you
where it should be soldered to. If there is still a rather big amount of
solder on the pads, consider removing it using some solder wick. Align
the chip on the board and solder one pin to the board so it doesn't move
anymore. Then take your time soldering the other seven.
![The new chip is soldered to the board, you can clearly see the alignment of the chip in the picture.](/images/new-chip-e1522273951282-1024x579.jpg#center)
*The new chip is soldered to the board, you can clearly see the alignment of the chip in the picture.*
## Extracting the original firmware
At this point, we have a blank chip in our Thinkpad, so it won't boot.
To fix this and to be able to prepare coreboot, we need to extract the
original firmware from the chip we desoldered. To achieve this I used a
Raspberry Pi, jumper wires and some really tiny copper wire. I cut one
side of the jumper wire off and attached the tiny copper wires. Then I
soldered those to our old chip. To relieve stress I used the tape to
hold it down.
![Wires soldered to the chip, make sure you know where Pin 1 is before you tape it down. Later I spaced the wires on the left side out a bit more to prevent a short.](/images/soldered-wires-1-294x300.jpg#center)
*Wires soldered to the chip, make sure you know where Pin 1 is before you tape it down. Later I spaced the wires on the left side out a bit more to prevent a short.*

------------------------------------------------------------------------

Now you have to set up your Raspberry Pi. You need to install flashrom
and enable SPI.
First, install the necessary tools and set up SPI:
```bash
pi@raspberrypi:~ $ sudo apt install flashrom
pi@raspberrypi:~ $ sudo raspi-config
```
 
Enable "P4 SPI" under "Interfacing Options" then reboot.
### Wiring the chip to the Pi
I followed the [Winbond
datasheet](https://www.winbond.com/resource-files/w25q128fv_revhh1_100913_website1.pdf)
and the [flashrom documentation](https://www.flashrom.org/RaspberryPi)
to wire the Pi up.
| Chip Pin | Raspberry Pin | Chip Pin | Raspberry Pin |
|----------- |--------------- |---------- |--------------- |
| 1 | 24 | 5 | 19 |
| 2 | 21 | 6 | 23 |
| 3 | 17 | 7 | 17 |
| 4 | 25 | 8 | 17 |
### Flashrom
First, check if the chip gets recognized:
{{< highlight bash "hl_lines=7">}}
pi@raspberrypi:~ $ sudo flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=30000
flashrom v0.9.9-r1954 on Linux 4.9.80-v7+ (armv7l)
flashrom is free software, get the source code at https://flashrom.org
Calibrating delay loop... OK.
Found Winbond flash chip "W25Q128.V" (16384 kB, SPI) on linux_spi.
No operations were specified.
{{< /highlight >}}
If it doesn't look like this, try lowering the spispeed first. If it
still doesn't work, you probably wired it up wrong.
Now we read the contents at least 2 times and compare the checksums to
make sure we have a valid reading.
{{< highlight bash >}}
pi@raspberrypi:~/rom $ sudo flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=30000 -r 1.rom
flashrom v0.9.9-r1954 on Linux 4.9.80-v7+ (armv7l)
flashrom is free software, get the source code at https://flashrom.org
Calibrating delay loop... OK.
Found Winbond flash chip "W25Q128.V" (16384 kB, SPI) on linux_spi.
Reading flash... done.
{{< /highlight >}}
Repeat this step at least one more time, changing "1.rom" to "2.rom" etc.,
then compare the checksums:
{{< highlight bash >}}
pi@raspberrypi:~/rom $ md5sum *.rom
ee8d5c6b4cb60fff9dbb2a359626dd96 1.rom
ee8d5c6b4cb60fff9dbb2a359626dd96 2.rom
ee8d5c6b4cb60fff9dbb2a359626dd96 3.rom
{{< /highlight >}}
Looks fine :) Make sure to store one of those somewhere safe! You'll need
it if you ever want to update the Embedded Controller or don't want
to use Coreboot anymore.
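
Matching checksums only show that the reads agree with each other; a clip or wire that makes no contact also produces identical (blank) reads. The following script is an added example, not part of the original post, that checks size, blank reads and agreement in one go. It assumes a full 16 MiB dump that begins with an Intel flash descriptor (signature at offset 0x10); `check_dumps` and its messages are names made up for this example.

```python
#!/usr/bin/env python3
"""Sanity-check repeated flashrom reads before trusting them as a backup."""
import hashlib
import sys
from pathlib import Path

EXPECTED_SIZE = 16384 * 1024      # flashrom reports "16384 kB" for the W25Q128.V
IFD_OFFSET = 0x10                 # assumption: dump starts with an Intel flash descriptor
IFD_MAGIC = b"\x5a\xa5\xf0\x0f"   # descriptor signature 0x0FF0A55A, little-endian


def check_dumps(paths, expected_size=EXPECTED_SIZE):
    """Return (problems, digests); an empty problems list means the reads look sane."""
    problems, digests = [], {}
    if len(paths) < 2:
        problems.append("need at least two independent reads to compare")
    for path in map(Path, paths):
        data = path.read_bytes()
        digests[str(path)] = hashlib.sha256(data).hexdigest()
        if len(data) != expected_size:
            problems.append(f"{path.name}: {len(data)} bytes, expected {expected_size}")
        # A floating or shorted data line reads back as constant 0xFF or 0x00,
        # and every such read has the same checksum, so matching hashes alone
        # do not prove the clip or wires made contact.
        if data and data.count(data[:1]) == len(data):
            problems.append(f"{path.name}: every byte is 0x{data[0]:02x} (no real data)")
        if data[IFD_OFFSET:IFD_OFFSET + 4] != IFD_MAGIC:
            problems.append(f"{path.name}: no flash descriptor signature at 0x10")
    if len(set(digests.values())) > 1:
        problems.append("reads differ from each other: lower spispeed and re-read")
    return problems, digests


def main(argv):
    problems, digests = check_dumps(argv[1:])
    for name, digest in digests.items():
        print(f"{digest}  {name}")
    for problem in problems:
        print(f"PROBLEM: {problem}", file=sys.stderr)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```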
## Flashing and testing our new chip
Before we create a coreboot image, we'll flash our original BIOS to our
new chip. This way we make sure that we soldered everything correctly
and our new chip works. First, you wire up your SOIC8-clip. The wiring
is the same as in the table above. Then you clip it onto the chip on the
board. Make sure that there is no battery attached to the board!
![The clip attached to the chip. Getting it to make a good connection can be hard the first times.](/images/writing-the-new-chip-e1522281795259-1024x621.jpg#center)
 
On our Raspberry Pi, we now verify that the chip gets recognized and
then flash the old firmware.
{{< highlight bash "hl_lines=1 10 18">}}
pi@raspberrypi:~ $ sudo flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=30000
flashrom v0.9.9-r1954 on Linux 4.9.80-v7+ (armv7l)
flashrom is free software, get the source code at https://flashrom.org
Calibrating delay loop... OK.
Found Winbond flash chip "W25Q128.V" (16384 kB, SPI) on linux_spi.
No operations were specified.
pi@raspberrypi:~/rom $ sudo flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=30000 --write 1.rom
flashrom v0.9.9-r1954 on Linux 4.9.80-v7+ (armv7l)
flashrom is free software, get the source code at https://flashrom.org
Calibrating delay loop... OK.
Found Winbond flash chip "W25Q128.V" (16384 kB, SPI) on linux_spi.
Reading old flash chip contents... done.
Erasing and writing flash chip... Erase/write done.
Verifying flash... VERIFIED.
{{< /highlight >}}
### Testing
At this point, you connect a monitor via VGA or the display to the LVDS
connector, plug in the keyboard and connect the board to power. Try to
power on; if it shows you the Thinkpad logo, everything works.
(Congrats!)
If the power LED just lights up briefly, try the following. Disconnect
power, then press the power button for 1 second, then release for one
second. Repeat this 10 times, then keep it pressed for 30s. Now plug the
cord back in and try booting again. If it still doesn't work, check your
solder joints. Sounds stupid, but worked for me.
 
## Creating a Coreboot image
<s>I'll show you how to do this in Part 2, which I just released.</s>
*The 2nd part will not be copied over to this blog as it was never really completed.
There have always been some discrepancies I don't feel comfortable with. If you need help
setting up coreboot, write a message below, or use the contact buttons to the right.*
[^uefi]: I know it's actually UEFI based, but I'll keep calling it BIOS as the search term is more common.