I have been promising to myself for very long time that one day I had to have a computer as much privacy focused as possible. As I cannot afford to buy a Purism laptop, I thought the best approach was to find some device where at least it was possible to disable Intel ME and maybe swap some of the peripherals with proprietary firmware for some completely open and free (as in Freedom). I recently found (and bought) an old but still reliable and enough powerful Thinkpad X230 at a very reasonable price on Ebay and I decided to start the journey of cleaning it from proprietary software. After installing GNU/Linux as my only O.S., the next step was to achieve my dream: get rid of the shipped BIOS and install Coreboot to disable Intel ME. Here I will share my experience and I will try to suggest what to do and what not to do to have a great laptop running Free Software.
First of all let me tell you that there are a lot of guides around that will explain with great level of details what to do. I will not write yet another guide that will give you the same steps to follow but I am going to share my experience and some tips.
At the very beginning I was a bit frustrated because guides found on the Internet are confusing if you do not know exactly all the steps to take, so let me start from what I have learnt…
Make your life easy!
If you have a Thinkpad X230, like mine, and you want to have Coreboot as fast as possible, do not waste your time finding how to compile coreboot, how to integrate SeaBios, how to put in between the cleaning of the memory from the Intel Management Engine (unless you want to understand every single aspect of what you are doing, as I did anyway). There is a great guy who is compiling a version of Coreboot that is specific for our beloved Thinkpad and he is also releasing a script in bash that will launch flashrom commands needed to read the original BIOS memory, make sure that the reading is correct (it reads memory 2 times and compares hashes of the dump), create a backup of the BIOS Chip and launch the erase and write process to flash the new Coreboot. I am talking about Martin Kepplinger a.k.a. Merge on Github (man, if you’ll ever read this post, thanks a lot for your amazing job!). He releases all I said before as well as great instructions on what to do on this repository:
If you use his repo, I strongly suggest to donate to him 🙂
So, I know now the question… if everything is written well there, why bothering with yet another article? Answer: because I followed his guide only partially, I did some mistakes and I want to share them so others can achieve the goal quicker than me. If you want to skip all the explanations I provide below, just skip to the end of this article for a summary of steps to follow 🙂
Preparation of the activities
Before you start for sure you need to know that you are going to touch a vital component of your motherboard. If something goes wrong the risk is that you will have to throw to the garbage the motherboard and buy a new one (it will cost you probably the same – sometimes more – as buying a complete laptop again). So you want to be really careful in what you do.
There are 2 chips you will have to deal with. One is “the bottom” chip. It’s a 8MB flash chip, model EN25QH64. It is called bottom chip because is the one that is on the bottom of the 2 chips where BIOS is installed. This is where Intel ME resides. You are not obliged to flash this one, unless you want to remove Intel ME – I know this is main reason you want to change the BIOS, isn’t it? 😀
The second chip – called top chip – is where you will install Coreboot as precompiled by Merge in his repository. This is a 4MB chip, model MX25L3206E/MX25L3208E. This is mandatory to flash. As you will read in the README files from the Github repository linked above, you will have to chose to flash it with a version that supports VGA with some proprietary software or completely free of proprietary software but with some limitation (e.g.: no boot screen logo).
Beside what you are going to chose for the TOP chip, do not forget to download the latest release and DO NOT CLONE the github repository! This for a couple of reasons: the github repository will not necessarily have a stable software in it and from the release files you will have the already compiled rom to install on the TOP chip (for the bottom one it will be just a matter of cleaning what is read during initial phase, you will not need a .rom file).
Hardware to use
We are going to flash a couple of chips that are soldered on the motherboard… you need then some hardware.
Mandatory is to buy a SOIC8 clip. It will be used to connect the flash chips and I personally bought 2 of them in different periods of time. From the Github repository readme files you will read that the recommended one is produced by a company called Pomona. To be honest I did not go for it as it was too expensive from my point of view (around 30 euro shipped or even more). I decided then to use a cheaper one from a local shop. It costed me around 1/4 of the Pomona… BUT, because of the story I will explain later, I damaged it and it was not able to stay stable on the chips (so, had to throw it). I then bough another one, even cheaper than the one from local dealer and I managed it with a lot of care to avoid to damage it again, considering that the build quality is definitely very low. My recommendation here is: if you think you will flash more than one laptop (maybe you convince some of your friends to do the same and you can borrow hardware or help them) go for the Pomona. The amount of money spent will be absolutely worth and will save you a lot of imprecations 😀 If you are only going to flash your laptop, then just handle a cheap SOIC 8 clip with a lot of care 🙂
Here a picture of my 2 SOIC clips, on the left the one I damaged and on the right the good one:
As you probably noticed from the picture above, connected to the SOIC clip we have the cables that we will use with the programmer. On the first one, after I initially failed to flash the bottom chip, I decided to solder the cables to the SOIC clip terminations and to have them very short. I read indeed that sometimes flash failures were experienced because of cables lenght. I can now tell you that this is not really the case. Even if you have cables with connectors of around 10/15cm you should be fine, I managed to flash with the second SOIC clip using full lenght cables and without soldering to the clip:
The second hardware you need is Hardware flasher that is compatible with the software called flashrom. And this is where you will get probably the best advice from myself. If you read the guide provided on Github pages of Skulls project, you will find mentioned that you can use a Raspberry Pi or a flasher based on CH341A chip.
First tip: do not go for Raspberry! I tried to use my Raspberry PI 3 and it was headache. After I enabled SPI and everything needed to flash the chips, I still had a lot of troubles in finding the chip when connected to the SOIC Clip. So it was a dance between, chip found, chip not found, start reading, failing, bla bla bla. Plus I was quite annoyed in reading the pin headers of the raspi as they are a lot of them (I admit this is my fault, I prefer to have easier connections). So I abandoned the idea of using the Raspberry as my hardware flasher.
After failing with Raspberry, I decided to….. no, not to go for a CH341A programmer as suggested on Github… too easy! I decided to give a try with a Bus Pirate, that is nowhere mentioned online to be used to flash the BIOS, even if it is one of the hardware that in list as compatible with Flashrom. I said to myself: cool, if I manage to flash the firmware with the bus pirate I will write a guide about it! Imagine what could happen after this: FAILS! FAILS EVERYWHERE!
The one above is my Bus Pirate while I was trying to flash the bottom chip. It was reading the flash without issues but when it arrived to the moment to erase and write the chip with cleaned Intel ME it was completely stuck… The first time I waited hours before realizing that it was too much and decided to disconnect… this was a very frustrating moment because I thought that I was going to have my motherboard to be replaced. Who knew what was happening? It simply got stuck while writing… the worst thing that can happen in such activity 🙁
So, let me explain a bit. Before starting to flash with Bus Pirate I modified the script that is provided by Merge in his github release called “external_install_bottom.sh”. The mod was very simple and consisted in a slight change in order to call the correct bus instead of the Raspberry. Essentially I did changes on the part of the script where the bus is called…
When I launched the script modified everything looked fine. But again all fine till it was reading. No luck to write anything.
I then decided to run flashrom commands manually. If you follow the output of the script above, you realize that it creates a local backup of the memory dump from the chip and it also creates already the modified version of the data to be written in the bottom chip. Everything is stored in a temporary directory of your GNU/Linux machine from where you flash the Thinkpad. The name of the file that is created is: “work.rom.new“. I simply tried to directly write it on the chip.
Again, after waiting a couple of hours (too much to write just 8MB!!), I decided to stop the activities.
I mounted back the keyboard of laptop and, with heart rate at 1000, I tried to turn on the PC and see what was happening.
TADAAAAAA! The BIOS has not been touched, at all! Everything boots normally!
To make this story short…. I updated the firmware of the bus pirate from the old one it was running to the newest available and tried to try again… but the SOIC clip resulted to be damaged 😐
Anyway I wanted to continue to try with the Bus Pirate (c’mon, is well known to be a splendid piece of hardware for such things!), confident that with new firmware all had to happen smoothly, so I ordered a new SOIC clip and waited for it to be delivered.
Guess what… with the new SOIC clip, Bus Pirate at latest version of its firmware and a new version of coreboot from Skulls just released… again, Bus Pirate failed the writing part!! D’OH!
The green one is a CH341A based chip programmer and the purple one is AMS1117 based, used to provide the right and stable amount of power needed to flash the chip (3.3V). This was absolutely the best option to use since the beginning. I bought everything on Aliexpress as it was not possible for me to find them in local shops 🙁
Of course it was a piece of cake to flash both bottom and top chips with the above hardware. I simply connected them with USB, connected the SOIC clip to the chips and run the 2 shell scripts from Skulls repository. In less than 1 hour I had my Coreboot and Intel ME disabled:
Conclusion: summary of steps to follow
It’s time to make a summary of the entire story. If you want to flash Coreboot and disable Intel ME on your Lenovo Thinkpad X230 start buying appropriate hardware:
- Soic8 Clip (Pomona brand if you want high quality or anything else but you have to use them with care)
- CH341A based flash programmer (buy it on Aliexpress if you cannot find it in your local store)
- AMS1117 based USB power supply (buy it on Aliexpress if you cannot find it in local store)
Once you have the hardware with you go to Skulls Github repository and:
- download latest stable release
- Follow the guide specific for your X230 with the above hardware (especially where/how to connect cables from the SOIC Pin 8 clip) following these steps:
- Open the X230 to find proper connections
- Connect CH341 based flash programmer
- Remove Intel ME and flash the bottom chip while creating a backup of original chip with command “sudo ./external_install_bottom.sh -m -k <backup-file-to-create>”
- Decide to flash one of the two precompiled versions of Coreboot that you will find in the package of the latest release (x230_coreboot_seabios_XXX_top.rom or x230_coreboot_seabios_free_XXX_top.rom) and proceed with command “sudo ./external_install_top.sh -k <backup-file-to-create>”
- Enjoy coreboot and Intel ME disabled 🙂