From b87516f9ac9b479f203f54f27e4fcb441ef12501 Mon Sep 17 00:00:00 2001 From: Nicholas Chin Date: Sun, 23 Apr 2023 06:46:45 -0600 Subject: [PATCH] Update descriptions about e6400-flash-unlock It also bypasses SMM BIOS lock protections by disabling SMIs (Dell's BIOS doesn't set a certain bit in the chipset leaving it vulnerable to this) in addition to telling the EC to set the descriptor override. --- site/docs/install/e6400.md | 18 ++++++++++-------- site/news/e6400.md | 5 +++-- site/news/libreboot20230423.md | 12 ++++++------ 3 files changed, 19 insertions(+), 16 deletions(-) diff --git a/site/docs/install/e6400.md b/site/docs/install/e6400.md index 3c1fc51..710bf29 100644 --- a/site/docs/install/e6400.md +++ b/site/docs/install/e6400.md 
@@ -78,14 +78,16 @@ is included in that program's directory, or you can read it online here: -Literally just run that program, and do what it says. You run it once, and -shut down, and when you do, the system brings itself back up automatically. -Then you run it and flash it unlocked. Then you run it again. The source code -is intuitive enough that you can easily get the gist of it; it's writing some -EC commands. The EC on this machine is hooked up to the `GPIO33` signal, -sometimes called `HDA_DOCK_EN`, which sets the flash descriptor override -thus disabling any flash protection by the IFD - Dell's BIOS doesn't set any -other type of protection either, such as writing to Protected Range registers. +Literally just run that program, and do what it says. You run it once, and shut +down, and when you do, the system brings itself back up automatically. Then +you run it and flash it unlocked. Then you run it again. The source code is +intuitive enough that you can easily get the gist of it; it's writing some EC +commands and changing some chipset config bits. The EC on this machine is +hooked up to the `GPIO33` signal, sometimes called `HDA_DOCK_EN`, which sets +the flash descriptor override thus disabling any flash protection by the IFD. +It also bypasses the SMM BIOS lock protection by disabling SMIs, and Dell's +BIOS doesn't set any other type of protection either such as writing to +Protected Range registers. With this method, you can probably flash it within 5 minutes. Again, zero disassembly required! diff --git a/site/news/e6400.md b/site/news/e6400.md index e835cf4..bcd5ec3 100644 --- a/site/news/e6400.md +++ b/site/news/e6400.md 
@@ -45,8 +45,9 @@ Software flashing possible! (no disassembly) tl;dr Nicholas is a genius, but he spent time studying the board, finding that the EC is hooked up to GPIO33 which allows for flash descriptor override. He -successfully reverse engineered a command that can be used to disable -protections, allowing installation of Libreboot. +successfully reverse engineered a command that can be used to disable IFD +protections, and discovered that the SMM BIOS lock protection could be +bypassed, allowing installation of Libreboot. This is without needing to disassemble. No clip required. diff --git a/site/news/libreboot20230423.md b/site/news/libreboot20230423.md index 4870bd4..b745644 100644 --- a/site/news/libreboot20230423.md +++ b/site/news/libreboot20230423.md 
@@ -86,12 +86,12 @@ Build system changes: in Parabola GNU+Linux, courtesy of Riku Viitanen (`Riku_V` on Libreboot IRC) * `util/nvmutil`: sorted includes alphabetically; `sys/` first (puffy!) * `util/e6400-flash-unlock`: New utility for Dell Latitude E6400 added, written - by Nicholas Chin (`nic3-14159` on Libreboot IRC). It writes EC commands to - unlock the flash, pulling `GPIO33`/`HDA_DOCK_EN` to a low logic state. This - disables IFD-based flash protections. On Dell E6400, the EC is hooked up to - GPIO33 and Dell's own BIOS offers no other protections, so the machine can - be flashed *entirely with software on the host CPU*, from Dell BIOS to - Libreboot! See: + by Nicholas Chin (`nic3-14159` on Libreboot IRC). It sends EC commands to + pull a GPIO connected to `GPIO33`/`HDA_DOCK_EN` in the chipset to a low logic + state, disabling IFD-based flash protections. Additionally, it bypasses the + SMM BIOS lock protection by disabling SMIs, and since Dell's own BIOS offers + no other protections, the machine can be flashed *entirely with software on + the host CPU*, from Dell BIOS to Libreboot! See: * GRUB payload: `grub.cfg` menu timeout now 30s, not 5s * `blobutil/download`: support downloading KBC1126-based EC firmware for HP
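Review bot: in the site/docs/install/e6400.md hunk, the new sentence "It also bypasses the SMM BIOS lock protection by disabling SMIs" drops the precondition the commit message gives, namely that Dell's BIOS leaves a chipset lock bit unset so SMIs can still be disabled from the host; add that qualifier, and name the bit the tool clears instead of "changing some chipset config bits", which is too vague for a reader trying to follow the source, so nobody concludes that SMI-based BIOS lock can be bypassed on any board. A short sentence on the flip side would also help: the same missing protections mean the stock firmware on this machine was already writable by any privileged host software, which is exactly why the flash can be unlocked with zero disassembly.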
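Review bot: in the site/news/e6400.md hunk, "discovered that the SMM BIOS lock protection could be bypassed" does not say how, while the other two files state it is done by disabling SMIs; align the wording, e.g. "and discovered that the SMM BIOS lock protection could be bypassed by disabling SMIs, allowing installation of Libreboot.", so the three descriptions of e6400-flash-unlock agree.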
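Review bot: in the site/news/libreboot20230423.md hunk, "pull a GPIO connected to `GPIO33`/`HDA_DOCK_EN` in the chipset to a low logic state" reads as if two GPIOs are involved, whereas the install doc hunk says the EC is hooked up to the chipset's `GPIO33` signal; suggest "pull the chipset's `GPIO33`/`HDA_DOCK_EN` signal to a low logic state via the EC". The low logic level is also the one detail the install doc omits (it says only that the signal "sets the flash descriptor override"), so mirror it there.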