Edit page AbridgedResume

[wiki.git] / CorebootX230

<div style="width: 1024px; margin:0 auto">

== <span style="text-align: right"> Flashing Coreboot on the Thinkpad X230</span> ==

By Bernie Innocenti \\
23 March 2014 (re-published with minor edits on 30 June 2020)

<div style="width: 640px; margin:0 auto">{{pictures/misc/x230-flashing.jpg | maxwidth=640}}</div>

Coreboot, the free PC BIOS that powers all Google Chromebooks, was recently ported to the Thinkpad X230
by the long time GRUB hacker Vladimir 'φ-coder' Serbinenko. So this week-end, just while Libre Planet was
taking place at the nearby MIT Stata Center, I decided to give a shot at it. Building a custom Coreboot
image for the X230 was relatively easy:

{{{
git clone http://review.coreboot.org/p/coreboot    cd coreboot
git submodule update --init --checkout
make crosstools-i386
# install the .config file provided by phcoder on the Coreboot wiki
make oldconfig
make
}}}

The build process generates a 12MB image containing all the board-specific code to initialize the hardware
and a "payload" program to continue the boot process. I chose SeaBIOS, a legacy PC BIOS which can boot off
hard-drives and other media.

Things get interesting at this point: until someone figures out a way to workaround for Lenovo's BIOS
write protection, flashing Coreboot requires a SPI programmer.  So I borrowed a Pirate Bus with a Pomona 5250
SOIC test clip from some friends at the [[https://www.fsf.org/ | Free Software Foundation]].
The +3.3V pin of the SOIC chip is connected to several other components on the motherboard and pulls a
lot of current while flashing (>400mA), so I had to hook it up to a beefy external power supply, being
careful not to fry the entire motherboard.

The X230 BIOS resides in two SPI flash chips of 8 and 4 megabytes that contain several things
(for the details, check the X230 flashing instructions in the Coreboot wiki). Because my Coreboot image
was small enough to fit into the top 4MB, I only had to flash one chip. From a separate machine, I used
the 'flashrom' tool to backup the original BIOS, so I could easily restore it in case I couldn't get
Coreboot to work.

{{{
sudo flashrom -p buspirate_spi:dev=/dev/ttyUSB0,spispeed=8M -c MX25L3206E -r x230-orig-4M.rom
}}}

Next, I crossed fingers and wrote my Coreboot image:

{{{
sudo flashrom -p buspirate_spi:dev=/dev/ttyUSB0,spispeed=8M -c MX25L3206E -w x230-bernie-4M.rom
}}}

The entire operation takes about 15 minutes. The Pirate Bus isn't the fastest SPI programmer on
the planet, but it costs only $30 and it's pretty reliable. Ok, now let's disconnect the clip and
power on the laptop. The leds blink a little. The machine seems alive, but the LCD panel doesn't
turn on. From the hard drive led it's evident that the system is booting, so I hook up an external
VGA monitor and see a familiar password prompt.

I already knew I was missing the VGA BIOS blob that initialize the video ports, but I wanted to see
if Linux was able to do it after boot. So I cried for help in the #coreboot IRC channel, and phcoder
pointed me at [[http://review.coreboot.org/#/c/5396/ | a patch]] floating around in Gerrit which
contains 8KB of magical numbers to initialize the flat panel.

The title photo shows the colorful result I got while trying phcoder's off-tree patch with SeaBIOS.
Phcoder hinted that a recent snapshot of GRUB2 should initialize the display properly, and then went to sleep.
Other Coreboot developers on IRC helped me debug my configuration until, finally, I powered on the laptop and
in a couple of seconds a familiar GRUB2 prompt appeared on the panel.
From there, I could easily load the OS bootmenu:

{{{
set root=(ahci,msdos1)
source /grub/grub.cfg
normal
}}}

Of course, it's also possible to build a custom grub.cfg into the Coreboot image and let the machine boot
automatically. There's also [[http://www.coreboot.org/pipermail/seabios/2014-February/007651.html | a set of SeaBIOS patches]]
which enable native VGA initialization. I got these patches to apply to my tree, but the resulting display is still messed up.
The author, Kevin O'Connor, is away from the keyboard at the moment.

Another open problem is that the S3 mode (aka sleep mode) is totally broken: instead of resuming, the machine simply reboots.
This is annoying enough to prevent me from using Coreboot on my main machine. Before I can even attempt debugging this I need
to figure out a way to get a debug console, because there are no usable serial ports on the X230. One of the Coreboot devs
on IRC said that Android phones can serve as usbdebug dongles; I guess I'll try it next week if I have time.

Note that the resulting machine is still running plenty of scary proprietary code: there's the firmware for the Embedded Controller,
a separate processor which manages power and keyboard input, and the Intel Management Engine (ME),
which runs even while the machine is sleeping, and for which interesting persistent rootkits have been demonstrated by clever
security researchers years ago.

There are no alternatives for the ME firmware at this time, but free  implementations of the EC firmware exist for various
Chromebooks and for the OLPC XO laptops. The codebase is quite board-specific, and porting it to the Thinkpad without
documentation from Lenovo isn't a trivial project.

Nevertheless, Coreboot seems to be improving rapidly in terms of usability and hardware support. There's a lively developer
community and some business participation. It's not yet something I'd recommend to casual users, but if you're a nerd with a
spare laptop and a fetish for hardware hacking, you might want to give Coreboot a try while it's still l33t 😉

</div>