lorenzocesana.xyz

Source code of my website, built with HUGO

libreboot_X220.md (8391B)


      1 ---
      2 title: "Libreboot installation on Thinkpad X220"
      3 date: 2023-09-28T10:22:33+02:00
      4 tags: ['Technology']
      5 draft: true
      6 ---
      7 
      8 In this guide I will show you (and guide you through) the process of flashing the Libreboot BIOS onto your Thinkpad X220!  
      9 
     10 
     11 ## But first, what is Libreboot and why use it?
     12 
     13 Well, as the name implies, Libreboot is a [Libre](https://en.wikipedia.org/wiki/Free_software) [BIOS Firmware](https://en.wikipedia.org/wiki/BIOS) (for anyone not familiar with that, we are again talking about the [FOSS](https://en.wikibooks.org/wiki/FOSS_A_General_Introduction/Introduction) principle). 
     14 I encourage you to read more about the project, as it is very interesting, and to educate yourself on [Coreboot](https://coreboot.org) as well, since it's "the original one" and it allowed Libreboot to exist (I won't go deep into the [recent controversies](https://odysee.com/@BrodieRobertson:5/gnu-sends-cease-desist-to-libreboot:e); I'm aware that installing Libreboot on a Thinkpad X220 is virtually the same as installing Coreboot, so take this guide for what it is: just a guide).  
     15 So, to keep things short, Libreboot is software that respects our privacy and allows us to get rid of the infamous [IME](https://en.wikipedia.org/wiki/Intel_Management_Engine), the Intel Management Engine!
     16 
     17 
     18 ### Why is IME a problem?
     19 
     20 The Intel Management Engine is proprietary firmware that is *virtually present in any* "I series" Intel Processor (i3, i5, i7 etc...) and it's designed to allow *[remote access to your machine](https://proprivacy.com/privacy-news/intel-management-engine)* without your knowledge or approval.  
     21 This is dangerous on various levels:
     22 - A conspiracy theorist could say that [Big Tech](https://en.wikipedia.org/wiki/Big_Tech) is spying on us even at this exact moment (but is this reality [really that far](https://privateisland.tech/dev/spying-by-your-provider)?)
     23 - If (or, better said, *when*) a hacker finds a way to [exploit the IME](https://www.csoonline.com/article/572885/cybercriminals-look-to-exploit-intel-me-vulnerabilities-for-highly-persistent-implants.html) and targets you, you would be better off going to live in the woods without electricity  
     24 
     25 The IME is the literal definition of a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) and guess what? It is enabled by default and you are not supposed to be able to disable it.  
     26 Whoever has access to the IME can basically access all of the computer's information and actions; for an in-depth security review [read here](https://news.ycombinator.com/item?id=15742287).  
     27 
     28 P.S.  
     29 There is an AMD equivalent of the IME, so don't think you're safe by just switching to an AMD processor!
     30 
     31 
     32 ## Ok, I want to get rid of the IME, what do I need? 
     33 
     34 First things first, I have to specify that Libreboot (or Coreboot as well) does **NOT** *completely* remove the IME *from the Thinkpad X220*; the reason is fairly technical, but you can find the explanation [here](https://libreboot.org/freedom-status.html), and [here](https://libreboot.org/docs/hardware/) you can find the list of supported hardware.  
     35 This is the list of the things I used to flash Libreboot:
     36 
     37 - [Raspberry Pi 3B+](https://www.raspberrypi.com/products/raspberry-pi-3-model-b-plus/)
     38 - [Pomona clip 8 PIN](https://www.ebay.it/itm/185435226670) (the number of pins varies from computer to computer, check online what you need for your *specific* model)
     39 - [Female to female jumper wire cables](https://www.ebay.it/itm/134415494864?var=433879423725) (AT LEAST 6, the shorter the better)
     40 - Thinkpad X220 (duh...)
     41 - If you are not planning to ssh into the Raspberry you'll need a monitor and a keyboard to operate it, since everything is done on the SBC  
     42 
     43 
     44 ## The setup
     45 
     46 
     47 ### Raspberry
     48 
     49 Let's start with the Raspberry; I usually use [DietPi](https://dietpi.com/) for my [SBCs](https://en.wikipedia.org/wiki/Single-board_computer), it's a highly-optimized, light and fast Debian-based distro that works wonderfully in my experience.  
     50 The [guide](https://dietpi.com/docs/) is really well done and guides you step by step.  
     51 
     52 
     53 ### Libreboot
     54 
     55 After the OS installation we can start to download the Libreboot stuff:  
     56 1. Download lbmk (Libreboot make)  
     57 > `git clone https://0xacab.org/libreboot/lbmk.git`
     58 
     59 2. Go into the directory and install the required dependencies
     60 > `cd lbmk`  
     61 > `sudo ./build dependencies debian`  
     62 
     63 Note: if running a different OS, change 'debian' to either 'ubuntu2004', 'arch' or 'void', depending on the system you are running
     64 
     65 3. Download the ROM
     66 > `curl -LO https://mirrors.mit.edu/libreboot/stable/20230625/roms/libreboot-20230625_x220_8mb.tar.xz`  
     67 
     68 4. Inject the "blobs" into the rom (proprietary software **required** to make the computer work)
     69 > `./vendor inject libreboot-20230625_x220_8mb.tar.xz`  
     70 
     71 5. Select the correct ROM
     72 > `cp grub_x220_8mb_libgfxinit_txtmode_itqwerty.rom /home/admin/.X220/lbmk/libreboot.rom`
     73 
     74     The file is renamed for the sake of simplicity; this ROM is the one with the Italian keyboard layout  
     75 
     76 6. Verify the blobs, since if they are not inserted correctly and you flash the rom **you will brick your computer!**  
     77 > `./update trees -b coreboot utils`  
     78 > `./cbutils/default/ifdtool -x libreboot.rom`  
     79 > `hexdump flashregion_2_intel_me.bin`
     80 
     81 If the output is all `0xFF`, or it isn't a bunch of code, the blobs weren't inserted.  
     82 If that's not the case, success! The rom to flash is ready.
     83 
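The check from step 6 as a script, added here as an example (it is not part of lbmk or of the original guide). The function name `me_region_state` and the sample files are constructed for illustration; the test for the `$FPT` marker at offset 0x10 is an extra signal based on the usual layout of an ME image, not something the steps above rely on.

```shell
#!/bin/sh
# Classify the ME region that ifdtool -x extracted, before anything is flashed.
# Prints one of: missing | blank | data | me   (only "me" returns success)
me_region_state() {
    file=$1
    [ -f "$file" ] || { echo missing; return 1; }
    # Count the bytes that are NOT 0xFF; an erased or never-filled region has none.
    nonff=$(LC_ALL=C tr -d '\377' < "$file" | wc -c | tr -d ' ')
    if [ "$nonff" -eq 0 ]; then echo blank; return 1; fi
    # Assumption beyond the guide: an ME image carries the ASCII marker "$FPT" at offset 0x10.
    magic=$(dd if="$file" bs=1 skip=16 count=4 2>/dev/null | LC_ALL=C tr -cd 'A-Z$')
    if [ "$magic" = '$FPT' ]; then echo me; return 0; fi
    # Non-0xFF content without the marker: inspect it by hand with hexdump.
    echo data; return 1
}

# Constructed sample inputs (not real firmware): 64 bytes of 0xFF,
# and a 64-byte fake header with "$FPT" placed at offset 0x10.
tmp=$(mktemp -d)
head -c 64 /dev/zero | LC_ALL=C tr '\000' '\377' > "$tmp/blank.bin"
{ head -c 16 /dev/zero; printf '$FPT'; head -c 44 /dev/zero; } > "$tmp/me.bin"
for sample in "$tmp/blank.bin" "$tmp/me.bin" "$tmp/absent.bin"; do
    printf '%s: %s\n' "${sample##*/}" "$(me_region_state "$sample")"
done
```

On the real files, run `me_region_state flashregion_2_intel_me.bin` after the `ifdtool -x` step and continue only if it prints `me`.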
     84 
     85 ### The flashing
     86 
     87 Now that everything is ready, it's time to flash the rom:  
     88 
     89 1. Open the Thinkpad by following [this video](https://support.lenovo.com/us/en/videos/pd022683) and **UNPLUG THE BATTERY**  
     90 
     91 2. Prepare the flasher by shutting down the Pi and connecting the clip, using the following diagrams as reference (which are great and taken from the blog of [Tyler Cipriani](https://tylercipriani.com/blog/2016/11/13/coreboot-on-the-thinkpad-x220-with-a-raspberry-pi/))  
     92 
     93 X220 Bios Chip pinout
     94 
     95 ![X220 Bios Chip pinout](/Libreboot-X220/schema1.webp)  
     96 
     97 Raspberry Pi 3B+ Chip pinout (**WARNING: this schema is for this specific model, which has 40 pins instead of 26; if this is not your case, check the proper schema for your board**)
     98 
     99 ![Raspberry Pi 3B+ Chip pinout](/Libreboot-X220/schema2.webp)  
    100 
    101 This should be the final result:
    102 
    103 ![Flasher](/Libreboot-X220/libreboot0.webp)  
    104 
    105 3. The chip you have to flash is located on the bottom-left, under the black plastic  
    106 
    107 ![This is the chip](/Libreboot-X220/libreboot1.webp)
    108 
    109 Connect the flasher to the chip **WHILE EVERYTHING IS POWERED DOWN**, both the Raspberry and the Thinkpad: there must be **NO** electricity in either. By doing this you won't fry your X220 and kill it.  
    110 Pay attention to the image: the Pomona clip makes it pretty easy to see if it's correctly connected. Look at the golden spaces in between the blue "teeth" and be sure that they're aligned with the grey legs of the chip underneath  
    111 
    112 ![Pomona clip connected](/Libreboot-X220/libreboot2.webp)  
    113 
    114 At this point you can power on the raspberry and operate on that:  
    115 
    116 ![Flashing setup completed](/Libreboot-X220/libreboot3.webp)  
    117 
    118 4. First things first, enable the GPIO in your Raspberry
    119 > `raspi-config`
    120 
    121 Go into "Advanced Options" and enable "SPI state", then exit and install flashrom
    122 
    123 > `dietpi-update`  
    124 > `sudo apt-get update && sudo apt-get install libftdi1 libftdi-dev libusb-dev libpci-dev subversion`  
    125 > `sudo apt-get install build-essential pciutils usbutils libpci-dev libusb-dev libftdi1 libftdi-dev zlib1g-dev`  
    126 > `sudo apt-get install flashrom`  
    127 
    128 At this point do *at least* (**NOT OPTIONAL**) two reads from the chip and compare their [hash](https://en.wikipedia.org/wiki/Hash_function), **ONLY if the hash is the same continue with the flashing**; if that's not the case, shut down everything, remove and reattach the clip.
    129 
    130 > `sudo flashrom -p linux_spi:dev=/dev/spidev0.0 -r flash01.bin`  
    131 > `sudo flashrom -p linux_spi:dev=/dev/spidev0.0 -r flash02.bin`  
    132 > `md5sum flash01.bin flash02.bin` <-- The two hashes printed **MUST be the same**  
    133 
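The read-twice-and-compare rule above, turned into a gate that runs before the write. This is an added example, not part of the original guide or of flashrom: `safe_to_flash` and `all_same_byte` are hypothetical helper names, `sha256sum` stands in for `md5sum`, and the constant-byte and size checks are extra sanity checks that go beyond the hash comparison.

```shell
#!/bin/sh
sha() { sha256sum "$1" | cut -d' ' -f1; }

# all_same_byte FILE OCTAL: true if every byte of FILE equals the given octal byte.
all_same_byte() { [ "$(LC_ALL=C tr -d "\\$2" < "$1" | wc -c | tr -d ' ')" -eq 0 ]; }

# safe_to_flash ROM DUMP1 DUMP2 [DUMP...]
# Prints "ok" and returns 0 only if every check passes; otherwise prints the reason.
safe_to_flash() {
    rom=$1; shift
    [ "$#" -ge 2 ] || { echo "need at least two dumps"; return 1; }
    [ -s "$rom" ] || { echo "rom missing or empty"; return 1; }
    first=$1
    [ -s "$first" ] || { echo "dump missing or empty: $first"; return 1; }
    ref=$(sha "$first")
    for d in "$@"; do
        [ -s "$d" ] || { echo "dump missing or empty: $d"; return 1; }
        [ "$(sha "$d")" = "$ref" ] || { echo "reads differ: $d"; return 1; }
    done
    # Identical reads can still be garbage, e.g. constant bytes from a bad clip contact.
    if all_same_byte "$first" 377 || all_same_byte "$first" 000; then
        echo "dump is all 0xFF or 0x00"; return 1
    fi
    # The image to write must be exactly as large as what was read from the chip.
    [ "$(wc -c < "$rom" | tr -d ' ')" -eq "$(wc -c < "$first" | tr -d ' ')" ] ||
        { echo "rom size differs from chip size"; return 1; }
    echo ok
}

# Constructed stand-ins for the real files (25 bytes each, not firmware).
tmp=$(mktemp -d)
printf 'constructed-chip-contents' > "$tmp/flash01.bin"
cp "$tmp/flash01.bin" "$tmp/flash02.bin"
printf 'constructed-chip-contentz' > "$tmp/flash03.bin"   # one byte differs
printf 'constructed-new-rom-image' > "$tmp/libreboot.rom"
safe_to_flash "$tmp/libreboot.rom" "$tmp/flash01.bin" "$tmp/flash02.bin" || true
safe_to_flash "$tmp/libreboot.rom" "$tmp/flash01.bin" "$tmp/flash03.bin" || true
```

With the real files, `safe_to_flash lbmk/libreboot.rom flash01.bin flash02.bin && sudo flashrom -p linux_spi:dev=/dev/spidev0.0 -w lbmk/libreboot.rom` only reaches the write when the reads agree.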
    134 Now flash the rom prepared before!  
    135 
    136 > `sudo flashrom -p linux_spi:dev=/dev/spidev0.0 -w lbmk/libreboot.rom`  
    137 
    138 And success! You have successfully flashed the Libreboot BIOS on your computer!  
    139 In case anything went wrong and your Thinkpad won't boot, just re-flash flash01.bin (the reading you did before flashing Libreboot; you did it, right?).  
    140 
    141 If you need any help or something isn't clear feel free to contact me!