SIDEBAR
»
S
I
D
E
B
A
R
«
Libreboot’ing an X200 using a CH341a based programmer
Jun 4th, 2019 by miki

EDIT: further images from this process were lost in a phone smash incident, sorry

Here’s a preliminary HOWTO from my recent external flashing of the BIOS ROM on a Lenovo X200 thinkpad (Wikipedia). The particular firmware flashed was a Libreboot build for this machine (instructions for X200 and details of the external flashing procedure) but anything goes (but anything may not be useful, though).

I’ll amend this HOWTO with more detailed instructions and pictures in the following days (warning: a prediction) to hopefully make it more complete and useful for the vary inhabitants of LibreBootLand.

Some parts

A programmer kit was bought on AliExpress for $4.20 containing a USB programmer board and an SOIC-8 clip which ended up not being used as the particular X200 had a SOIC-16 chip so a separately ordered SOIC-16 chip ($3.11)  was used.

“MinProgramment” aka. CH341a Programmer

Buy: https://www.aliexpress.com/item/32898599200.html @ $4.20

The programmer is based on the WCH CH341a chip which is an USB <-> seriel/parallel/uart interface. The manufacturer WCH being  WinChipHead aka. WCH (Nanjing QinHeng Electronics Co.,Ltd) (maybe also aka. WCH-IC (Jiangsu Qinheng Co., Ltd)). There are lots of options for buying board varieties based on the CH341a chip, to get you started here is a BangGood search and an AliExpress search.

Boards like this has also been described by others including a deduced schematic, EEVblog critique of the I/O pin power on similar boards (not yet confirmed whether that is true for this programmer too, I guess so, but at least one flashing done without damage) and a mention on hackaday of other board types.

There are a bunch of downloads from the WCH site regarding the chip including  a Chinese datasheet, no English language documentation seems to be available from the manufacturer however. There are some English editions of the datasheet to be found, of unknown origin. They seem plausible enough to use, though. Somebody has attempted to collect documentation about the chip in a Git repository.

The SOIC-16 Clip (aka. Pomona 5252)

Buy: https://www.aliexpress.com/item/32869145935.html @ $3.11

To attach physically to the Macronix MX25L6405D flash memory chip in a SOIC-16 package present on the X200 in question (words are that this is the norm although the board can be populated with a SOIC-8 too) a clip that matches the pins of the SOIC-16 package is needed. I bought the one mentioned above for $3.11 at random from AliExpress and this worked fine. In the pictures the wiring is hooked up correctly to the programmer to allow for flashing as described below.

WARNING: Below is still a draft made from mental notes! Ask me if you need more information or check back soon (I promise).

Connections

6405 <-> CH341a

MISO<->MIOS (label error, should be MISO)

MOSI<->MOSI

CLK <-> CLK

CS <-> SS

GND <-> GND

First tried driving the the flash chip from VDD on ch341a but this was unsuccessful, no chip could be found, so the 6405 was hooked up to external 3.3v power supply with supply GND connected to GND on CH341a to align the ground potential between ch341a I/O supply and 6405 supply (important!).

Preparations

Machine being flashed

Update Embedded Controller

To get the latest ECP (Embedded Controller Program) from Lenovo (no free alternative exists) containing software for the MCU controlling low level hardware like battery charging/keyboard/backlight stuff you need to update the BIOS which also updates the ECP. Most recent version for X200 is “BIOS: 3.22 / ECP: 1.07“. This is not needed if you already have these versions on the machine, check current versions by pressing ThinkVantage during boot and choosing “Enter Setup”.

If your system has a Windows installation download and run the “BIOS Update Utility“executeable. Else you’ll need to get the “BIOS Update Bootable CD” and somehow get it on a CD and find a CD-ROM drive. Alternatively on a Linux system the CD file system can be extracted and added to Grub to be directly bootable. Below was done on an Ubuntu 16.04 system:

$ sudo apt install genisoimage syslinux
$ wget -q https://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/6duj48us.iso
$ geteltorito 6duj48us.iso > 6duj48us.img
Booting catalog starts at sector: 20
Manufacturer of CD: NERO BURNING ROM
Image architecture: x86
Boot media type is: harddisk
El Torito image starts at sector 27 and has 75776 sector(s) of 512 Bytes
Image has been written to stdout ….
$ sudo cp 6duj48us.im /boot
$ sudo cp /usr/lib/syslinux/memdisk /boot
$ sudo nano /etc/grub.d/40_custom
<add lines below to the end of file, preserve the “exec tail…” line>
menuentry “BIOS Update” {
linux16 /memdisk
initrd16 /6duj48us.im
}
$ sudo update-grub

Reboot, press <left shift> key while booting to access Grub, choose BIOS Update menu entry and follow the Lenovo update procedure. To start flashing it requires both a connected power supply and also a working, non-exhausted battery (!) mounted in the machine. This is tiresome for owners of worn out batteries…

Some notes about the flashing process can be found in the documentation of a patch set for the Lenovo BIOS.

Machine doing the programming

Install Flashrom

sudo apt install flashrom

ch341a support in flashrom

LibreBoot

Retrieve

Download the stable LibreBoot firmware: https://www.mirrorservice.org/sites/libreboot.org/release/stable/20160907/rom/grub/libreboot_r20160907_grub_x200_8mb.tar.xz

The brave will of course want to compile it themselves.

$ cd
$ wget https://www.mirrorservice.org/sites/libreboot.org/release/stable/20160907/rom/grub/libreboot_r20160907_grub_x200_8mb.tar.xz
--2019-06-07 07:35:21--  https://www.mirrorservice.org/sites/libreboot.org/release/stable/20160907/rom/grub/libreboot_r20160907_grub_x200_8mb.tar.xz
Resolving www.mirrorservice.org (www.mirrorservice.org)... 212.219.56.184, 2001:630:341:12::184
Connecting to www.mirrorservice.org (www.mirrorservice.org)|212.219.56.184|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1632800 (1,6M) [application/x-xz]
Saving to: ‘libreboot_r20160907_grub_x200_8mb.tar.xz’

libreboot_r20160907_grub_x200_8mb.tar.xz 100%[================================================================================>]   1,56M  --.-KB/s    in 0,1s    

2019-06-07 07:35:21 (13,9 MB/s) - ‘libreboot_r20160907_grub_x200_8mb.tar.xz’ saved [1632800/1632800]
$ tar tf libreboot_r20160907_grub_x200_8mb.tar.xz 
libreboot_r20160907_grub_x200_8mb/
libreboot_r20160907_grub_x200_8mb/x200_8mb_deqwertz_txtmode.rom
libreboot_r20160907_grub_x200_8mb/x200_8mb_esqwerty_txtmode.rom
libreboot_r20160907_grub_x200_8mb/x200_8mb_frazerty_txtmode.rom
libreboot_r20160907_grub_x200_8mb/x200_8mb_frdvbepo_txtmode.rom
libreboot_r20160907_grub_x200_8mb/x200_8mb_itqwerty_txtmode.rom
libreboot_r20160907_grub_x200_8mb/x200_8mb_svenska_txtmode.rom
libreboot_r20160907_grub_x200_8mb/x200_8mb_ukdvorak_txtmode.rom
libreboot_r20160907_grub_x200_8mb/x200_8mb_ukqwerty_txtmode.rom
libreboot_r20160907_grub_x200_8mb/x200_8mb_usdvorak_txtmode.rom
libreboot_r20160907_grub_x200_8mb/x200_8mb_usqwerty_txtmode.rom
libreboot_r20160907_grub_x200_8mb/x200_8mb_deqwertz_vesafb.rom
libreboot_r20160907_grub_x200_8mb/x200_8mb_esqwerty_vesafb.rom
libreboot_r20160907_grub_x200_8mb/x200_8mb_frazerty_vesafb.rom
libreboot_r20160907_grub_x200_8mb/x200_8mb_frdvbepo_vesafb.rom
libreboot_r20160907_grub_x200_8mb/x200_8mb_itqwerty_vesafb.rom
libreboot_r20160907_grub_x200_8mb/x200_8mb_svenska_vesafb.rom
libreboot_r20160907_grub_x200_8mb/x200_8mb_ukdvorak_vesafb.rom
libreboot_r20160907_grub_x200_8mb/x200_8mb_ukqwerty_vesafb.rom
libreboot_r20160907_grub_x200_8mb/x200_8mb_usdvorak_vesafb.rom
libreboot_r20160907_grub_x200_8mb/x200_8mb_usqwerty_vesafb.rom
libreboot_r20160907_grub_x200_8mb/ChangeLog
libreboot_r20160907_grub_x200_8mb/NEWS
libreboot_r20160907_grub_x200_8mb/version
libreboot_r20160907_grub_x200_8mb/versiondate
$

Customise MAC address

As the MAC address of the ethnernet PHY is stored in the flash, yo have your X200 ethernet MAC address correspond to the sticker on the back of the machine, and also avoid a potential but improbable DHCP/ARP conflict, the MAC address from the label/ifconfig from the existing system must be embedded into the flash file that we are going to program into the flash chip.

For this a tool called ich9gen is needed, this is a part of the libreboot repository and we need to build it ourselves.

Build ich9gen

$ git clone https://notabug.org/libreboot/libreboot
Cloning into 'libreboot'...
remote: Counting objects: 29080, done.
remote: Compressing objects: 100% (9855/9855), done.
remote: Total 29080 (delta 18748), reused 27899 (delta 18057)
Receiving objects: 100% (29080/29080), 63.90 MiB | 11.13 MiB/s, done.
Resolving deltas: 100% (18748/18748), done.
Checking connectivity... done.
$ cd libreboot/projects/ich9gen/sources
$ make
gcc -I. -Wall -Wextra -g -std=c99 -c src/ich9deblob.c -o obj/ich9deblob.o
gcc -I. -Wall -Wextra -g -std=c99 -c src/common/descriptor_gbe.c -o obj/common/descriptor_gbe.o
gcc -I. -Wall -Wextra -g -std=c99 -c src/descriptor/descriptor.c -o obj/descriptor/descriptor.o
gcc -I. -Wall -Wextra -g -std=c99 -c src/gbe/gbe.c -o obj/gbe/gbe.o
gcc -I. -Wall -Wextra -g -std=c99 -c src/common/x86compatibility.c -o obj/common/x86compatibility.o
gcc -I. -Wall -Wextra -g -std=c99 obj/ich9deblob.o obj/common/descriptor_gbe.o \
	obj/common/x86compatibility.o obj/descriptor/descriptor.o obj/gbe/gbe.o \
	 -o ich9deblob
gcc -I. -Wall -Wextra -g -std=c99 -c src/ich9gen.c -o obj/ich9gen.o
gcc -I. -Wall -Wextra -g -std=c99 -c src/ich9gen/mkdescriptor.c -o obj/ich9gen/mkdescriptor.o
gcc -I. -Wall -Wextra -g -std=c99 -c src/ich9gen/mkgbe.c -o obj/ich9gen/mkgbe.o
gcc -I. -Wall -Wextra -g -std=c99 obj/ich9gen.o obj/ich9gen/mkdescriptor.o obj/ich9gen/mkgbe.o \
 obj/common/descriptor_gbe.o \
	obj/common/x86compatibility.o obj/descriptor/descriptor.o obj/gbe/gbe.o \
	 -o ich9gen
gcc -I. -Wall -Wextra -g -std=c99 -c src/demefactory.c -o obj/demefactory.o
gcc -I. -Wall -Wextra -g -std=c99 obj/demefactory.o obj/common/descriptor_gbe.o \
	obj/common/x86compatibility.o obj/descriptor/descriptor.o obj/gbe/gbe.o \
	 -o demefactory
$

Run ich9gen

Running ich9gen itself generates the flash descriptor (fd) header including possible configuration section where the MAC address is stored for the gigabit ethernet (gbe) PHY onboard the ICH9 chipset. When run six 12 KiB files for respectively 4, 8 and 16 MiB binary images and chipsets including (gbe) and excluding (nogbe) gigabit ethernet PHY are generated.

“aa:bb:cc:dd:ee:ff” in the commandline should be replaced with the actual 12 hex digits from the label on the machine or by running ifconfig on the machine using the existing Lenovo BIOS.

$ cd ~/libreboot_r20160907_grub_x200_8mb/
$ ~/libreboot/projects/ich9gen/sources/ich9gen --macaddress aa:bb:cc:dd:ee:ff
You selected to change the MAC address in the Gbe section. This has been done.

The modified gbe region has also been dumped as src files: mkgbe.c, mkgbe.h
To use these in ich9gen, place them in src/ich9gen/ and re-build ich9gen.

descriptor and gbe successfully written to the file: ich9fdgbe_4m.bin
Now do: dd if=ich9fdgbe_4m.bin of=libreboot.rom bs=1 count=12k conv=notrunc
(in other words, add the modified descriptor+gbe to your ROM image)

descriptor and gbe successfully written to the file: ich9fdgbe_8m.bin
Now do: dd if=ich9fdgbe_8m.bin of=libreboot.rom bs=1 count=12k conv=notrunc
(in other words, add the modified descriptor+gbe to your ROM image)

descriptor and gbe successfully written to the file: ich9fdgbe_16m.bin
Now do: dd if=ich9fdgbe_16m.bin of=libreboot.rom bs=1 count=12k conv=notrunc
(in other words, add the modified descriptor+gbe to your ROM image)

descriptor successfully written to the file: ich9fdnogbe_4m.bin
Now do: dd if=ich9fdnogbe_4m.bin of=yourrom.rom bs=1 count=4k conv=notrunc
(in other words, add the modified descriptor to your ROM image)

descriptor successfully written to the file: ich9fdnogbe_8m.bin
Now do: dd if=ich9fdnogbe_8m.bin of=yourrom.rom bs=1 count=4k conv=notrunc
(in other words, add the modified descriptor to your ROM image)

descriptor successfully written to the file: ich9fdnogbe_16m.bin
Now do: dd if=ich9fdnogbe_16m.bin of=yourrom.rom bs=1 count=4k conv=notrunc
(in other words, add the modified descriptor to your ROM image)

Apply Flash Descriptor to Binary

$ cd ~/libreboot_r20160907_grub_x200_8mb/
$ cp -v x200_8mb_usqwerty_vesafb{,_customised}.rom
'x200_8mb_usqwerty_vesafb.rom' -> 'x200_8mb_usqwerty_vesafb_customised.rom'
$ dd if=ich9fdgbe_8m.bin of=x200_8mb_usqwerty_vesafb_customised.rom bs=1 count=12k conv=notrunc
12288+0 records in
12288+0 records out
12288 bytes (12 kB, 12 KiB) copied, 0,0299453 s, 410 kB/s
$

Procedure

Programmer Setup Validation / Lenovo BIOS backup

flashrom -p ch341a_spi -c MX25L6405D -r rom1.bin

flashrom -p ch341a_spi -c MX25L6405D -r rom2.bin

flashrom -p ch341a_spi -c MX25L6405D -r rom3.bin

flashrom -p ch341a_spi -c MX25L6405D -r rom4.bin

flashrom -p ch341a_spi -c MX25L6405D -r rom5.bin

cmp rom{1,2}.bin

cmp rom{1,3}.bin

cmp rom{1,4}.bin

cmp rom{1,5}.bin

Flashing

$ sudo flashrom -p ch341a_spi -c MX25L6405D -w ~/libreboot_r20160907_grub_x200_8mb/x200_8mb_usqwerty_vesafb_customised.rom
$

Accounts of LibreBoot Flashing

Embedded Controller (EC) information

[Danish] Stallman til Danmark i Maj 2019!
Apr 7th, 2019 by miki

Update: Jeg mødte Richard i Odense, fik lov at sponsorere FSF og fik en GNU med hjem!

Mikkel & RMS (og GNU)
SDU, Odense

Rygterne har lydt noget tid, men nu er det officielt at formand for og stifter af Free Software Foundation, den ideologiske ophavsmand til GNU-projektet og højlydt fortaler for softwarebrugeres frihed og privatliv i den digitale verden, Richard Stallman besøger Danmark med en række åbne og gratis foredrag dette forår.

Det er Stallmans dedikerede arbejde med fri software og GNU-projektet fra starten af 1980’erne, herunder udformning af softwarelicenser som GNU GPL og udviklingsværktøjer som GNU Compiler Collection (GCC) og GNU Emacs, der er grundlaget for en stor del af det der i offentligheden i dag bedst kendes som “open source”. I Stallmans og GNUs terminologi benævnes det dog retteligt “fri software” (på engelsk: “free software”) for at fremhæve at etablering og bevarelse af softwarens, og slutbrugeren af dens, frihed er det egentlige rationale for at give kildekoden fri.

Kernen Linux er frigivet under GNU GPL og er både inspireret af og anvender GNU-projektets arbejde direkte, og er en vigtig del af et komplet GNU-system (også kendt som GNU/Linux eller en “Linux-distribution”).

Stallman kommer på en veritabel Danmarksturne med start i Aalborg mandag d. 6. maj 2019 og ender i København fredag d. 10.  maj 2019. Foredragsrækken er arrangeret af innovationsnetværket for IT, InfiniIT, som inkluderer de store IT-universiteter i Danmark.

Den samlede foredragsrække er som følger:

Tidspunkt Lokation Begivenhed hos FSF Begivenhed hos InfinIT Anden omtale
Mandag d. 6. maj 2019

16:00-19:00

Aalborg Universitet
Auditoriet, Lokale 1.12
Niels Jernes Vej 8A
9220 Aalborg SØVejviser:

Richard Stallman – “Free software and your freedom” Free Software, Free Society – Richard Stallman og den frie software-bevægelse (AAU)
Tirsdag d. 7. maj 2019

16:00-19:00

Syddansk Universitet
Lokale U170
Bygning 44
Campusvej 55
5230 OdenseVejviser:

Richard Stallman – “The dangers of mass surveillance” A Free Digital Society – Richard Stallman og den frie software-bevægelse
Onsdag d. 8. maj 2019

16:00-19:00

IT-Universitetet i København
Rued Langgaards Vej 7
2300 København SVejviser:

Richard Stallman – “Free software and your freedom in computing” A Free Digital Society – Richard Stallman og den frie software-bevægelse
Torsdag d. 9. maj 2019

16:00-18:00

Københavns Universitet
Københavns Biocenter
Lundbeckfond Auditorium Ole Maaløes Vej 5
2200 København NVejviser

Richard Stallman – “Computing, freedom, and privacy” Free Software, Free Society – Richard Stallman og den frie software-bevægelse (KU)
Fredag d. 10. maj 2019

16:00-18:00

Danmarks Tekniske Universitet
Auditorium 116/81 (bygning 116)
Ved Bygningstorvet på Knuth-Wintherfeldts Allé
2800 Kongens LyngbyVejviser:

Richard Stallman – “Copyright vs Community”

(ændrede lokationsoplysninger ikke opdaterede her)

Copyright vs Community Richard Stallman og den frie software-bevægelse

Kilder: FSF: Where in the world is Richard Stallman?, InfinIT-arrangementer, IDA-søgning, PROSA-arrangementer

Begivenhederne er også tilføjet den åbne kalender GriCal: grical.org/s/?query=%40DK.

Information om Richard/GNU/FSF

De primære kilder er hovedsageligt på engelsk:

Kilder på dansk

Andre

Anden omtale

Stallman in 2012: Denmark supposedly a free country, still valid
Mar 3rd, 2017 by miki

Stumbled upon this slightly dated talk by Richard M. Stallman (aka. RMS) of GNU and FSF fame, in which my home country of Denmark is sadly referenced as only a “supposedly free country”.

Transcript

“But censorship is wrong, of course, whether it is done on the internet or not. We used to think that the internet would protect us from censorship because it was too hard to censor the internet. But thanks to the efforts of various companies in the US, The UK, France and so on, it is now possible for governments to censor the internet and also surveil it completely, they just need to put enough effort in. And this is not limited to obvious tyrannies such as China and Iran. We see a lot of supposedly free countries imposing censorship on the internet.

For instance, Denmark several years ago imposed filtering on the internet blocking a secret list of sites. The list was leaked and posted on WikiLeaks. Hooray for WikiLeaks! Whereupon Denmark blocked access to that page too. So everyone else could know what internet users in Denmark were blocked from seeing except those people.”

Sadly since this time it has not gotten any better. Most of the points RMS makes (the whole talk is worth a listen) are still valid and a grave concern from my perspective. The Danish internet (really DNS) blocking system has been broadened and the slippage that was feared has become a reality. Even though this issue has gotten some attention in the IT and rights communities the general public just doesn’t care.

The actual block is technically done through DNS blacklists that Danish ISP are legally required to implement. The list of blocked sites is available from the telecom trade organization “Telekommunikationsindustrien i Danmark” (English: Telecommunication’s Industry Association in Denmark) at teleindu.dk/brancheholdninger/blokeringer-pa-nettet/ and currently has 111 sites (csv) on active block.

As it being DNS based if you are impacted, workarounds do exist. However, my guess is that they will soon be able to actively shut down services physically located in Denmark.

Full talk

Below are links to the full talk, and an inline/embedded player courtesey of youtube. Start time of all links are at starting point of above transcript.

 

Contact me on Ring !
Apr 7th, 2016 by miki

Edit 2023-04-23: on present day Ring is known instead as GNU Jami.
Contact me using ring:f20607f4f974714ba91c664b153496fb931020e5 on the Ring distributed communication platform: ring.cx

What’s with the P in ATmega328P? (breakdown of ATmega chip naming system)
Nov 24th, 2015 by miki

Having used the Arduino prototyping platform (a loose combination of specific pieces of somewhat open/free hardware and a more open/free software stack) for some time for educational and tinkering purposes in my local hackerspace (geeklabs.dk) I have seen and studied the Arduino UNO hardware and lots of its “clones/compatibles/knockoffs” and their common MCU (MicroController Unit);

Atmel ATmega328P

I had begun wondering what the P in the microcontroller model name actually meant. So here is an attempt to decode the Atmel megaAVR chip numbering system. The other existing AVR based series UC3, tinyAVR, XMEGA, Battery & Automotive, will probably employ similar naming schemes.

The remainder of the product name following “ATmega” expresses the available flash memory and the approximate pin count of the package in an integer and optionally other features as either integer or letter (like the initial wondering of P in 328P above).

Starting with the integer, it is a concatenation of two separate integers encoding the flash size and pin count as defined below. The division of the two is non-ambiguous leaving some interpretation to be done.

1st integer: onboard flash size
8 = 4 KiB
8 = 8 KiB
16 = 16 KiB
32 = 32 KiB
64 = 64 KiB
128 = 128 KiB
256 = 256 KiB

2nd integer: total pin number
(none) = standard pin count (differs)
8=28/32-pin
4= 40/44/49-pin
5= 64-pin
0= 100-pin

Suffix (char or integer), multiple possible
P = picoPower (max. consumption 9mA@8MHz,5v vs. 12mA@8Mhz,5v for non-P)
9=LCD controller
U2 = USB controller
U4 = USB controller
A  = ?

Exceptions
Note that some of the product names are completely void of these rules. Others employ different numbering but still with a familiarity to the above.

An example:
ATmega6490A: 64KB flash, 100-pin, LCD Controller

Sources

»  Substance:WordPress   »  Style:Ahren Ahimsa
© 2023 Mikkel Kirkgaard Nielsen, contents CC BY-SA 4.0