16bit.io

Projects and notes

Flashing Coreboot and removing the Intel ME

For the unfamiliar, Coreboot is an open source firmware that can be installed on a very limited list of supported laptops and replaces the closed-source restricted OEM firmware. Coreboot by itself only performs the very basic hardware initialization (RAM init, CPU microcode application, TPM initialization, etc.) before launching a payload. Typically, and in my case, the default payload will be SeaBIOS. SeaBIOS aims to replicate the "original" BIOS calls and operations as accurately as possible to allow to maximum compatibility. With SeaBIOS you can also include multiple additional payloads, such as nvramcui which provides a simple UI to change firmware settings, memtest, and embedded floppy disk images (more on this later!). It is also possible to have Coreboot directly launch an embedded Linux kernel, GRUB2, and TianoCore for UEFI support.

The Lenovo BIOS maintains a “whitelist” of WLAN mini-PCIe cards, and will refuse to boot if the card is upgraded to a model that is not in this list. This prevents the use of any 802.11ac wireless chipsets, such as the Intel 7260. There are some mods to "trick" the system from detecting the WiFi card using a piece of tape, but this never worked for me. Coreboot removes these arbitrary restrictions.

One of the benefits/challenges of reflashing the BIOS was the Intel Management Engine. The Intel ME is mainly used within corporate environments to provide administrative remote control of the system without user interaction. The engine is always running independent of the OS and has full access to ALL the devices of the laptop, including its own bridged Ethernet network interface. With closed-source security implementations we have no idea if there are back doors, and the ME has already become the target of a couple major CVE's, and ThinkPwn.. Security concerns aside, the ME also takes up 5.2MB of precious space on my SPI chip, which I was able to reduce to 90kB using me_cleaner. It's important to also update your firmware layout to shrink the ME "partition" so that you can take advantage of the additional space.

In order to disable/remove the Intel Management Engine and flash Coreboot you will need to remove the WSON-8 128Mbit SPI NAND from the motherboard, and dump the contents. Unfortunately this requires the use of a heat gun or SMD rework station, as there is a pad of solder beneath the chip that makes it impossible to remove via soldering iron alone. I accidentally unsoldered SMD resistors from my stack of motherboards several times with my heat gun before purchasing a proper rework station, so be very careful. I ruined 6 T430s motherboards during this project… Thankfully they are only $30 on eBay for the i5 model.

Note that this might also be a good time to replace the stock thermal paste, which is a terrible mess. I just removed the heatsink and used isopropyl alcohol to remove the old paste and replaced it with some spare Artic Silver I had lying around. Unfortunately I didn't record my temps before/after, however the laptop feels much cooler.

Once you’ve removed the chip and soldered wires to the extremely tiny pads, use the SPI pins on a Raspberry Pi or Bus Pirate to dump the contents via Flashrom. I used both devices, however I found that the Pi was very unreliable and the Bus Pirate is extremely slow... Here is an open source firmware upgrade can improve upon the BP speed significantly. The coreboot wiki contains all of the information you need to successfully extract the contents of your BIOS and build a working version of Coreboot, so I won’t post the same information here. It’s helpful to remember that the T430S is extremely similar to the X230, for which many Coreboot guides exist. Just be sure to extract your VGA BIOS and inject it into the Coreboot firmware to avoid weird text effects within SeaBIOS, as shown below.

Since it won’t be possible to reattach the WSON-8 package, we will replace it with a SOIC-8 chip of the same size. I used the Winbond W25Q128FVSIG from Digikey. Be sure to purchase the 3-volt model, as I incorrectly purchased the wrong voltage initially. Once the replacement chip is soldered in place, we can attach a test clip onto it so that it can be programmed without having to completely remove the chip.

Success! Currently running the coreinfo secondary payload. I have since installed Linux Mint and CentOS without issues, and the Lenovo dock works great with an external 2560x1440 monitor.


Notes:

I originally started this project using an i7 model T430s with the additional Nvidia GPU and had no immediately noticable issues. Unfortunately the laptop suddenly stopped powering on one day, so I have been using the much cheaper i5 model instead. Coreboot should work on either model, with no additional considerations. I ruined way too many motherboards during this project. For those reading this; please use the X230 instead, for your own sanity.

It's possible to integrate a bootable floppy image inside the BIOS and have SeaBIOS execute it without any external storage. This makes it possible to integrate 1.44MB Assembly based OS's like Kolibri or MinuetOS. It's also possible to build a similar floppy image using FreeDOS.

During the Coreboot configuration process there is an option to use your original extracted NIC PXE BIOS image, however I highly recommend using iPXE instead due to the extended feature set. iPXE retains the same classical PXE boot support while adding support for booting OS's over HTTP. This is very useful for testing LiveCD's on bare hardware without having to create a flashdrive, or for launching recovery tools. (Shown is netboot.xyx)

References