Update descriptions about e6400-flash-unlock
It also bypasses SMM BIOS lock protections by disabling SMIs (Dell's BIOS doesn't set a certain bit in the chipset leaving it vulnerable to this) in addition to telling the EC to set the descriptor override.hslick-master
parent
eccd0f2d9f
commit
b87516f9ac
|
@ -78,14 +78,16 @@ is included in that program's directory, or you can read it online here:
|
|||
|
||||
<https://browse.libreboot.org/lbmk.git/plain/util/e6400-flash-unlock/README.md>
|
||||
|
||||
Literally just run that program, and do what it says. You run it once, and
|
||||
shut down, and when you do, the system brings itself back up automatically.
|
||||
Then you run it and flash it unlocked. Then you run it again. The source code
|
||||
is intuitive enough that you can easily get the gist of it; it's writing some
|
||||
EC commands. The EC on this machine is hooked up to the `GPIO33` signal,
|
||||
sometimes called `HDA_DOCK_EN`, which sets the flash descriptor override
|
||||
thus disabling any flash protection by the IFD - Dell's BIOS doesn't set any
|
||||
other type of protection either, such as writing to Protected Range registers.
|
||||
Literally just run that program, and do what it says. You run it once, and shut
|
||||
down, and when you do, the system brings itself back up automatically. Then
|
||||
you run it and flash it unlocked. Then you run it again. The source code is
|
||||
intuitive enough that you can easily get the gist of it; it's writing some EC
|
||||
commands and changing some chipset config bits. The EC on this machine is
|
||||
hooked up to the `GPIO33` signal, sometimes called `HDA_DOCK_EN`, which sets
|
||||
the flash descriptor override thus disabling any flash protection by the IFD.
|
||||
It also bypasses the SMM BIOS lock protection by disabling SMIs, and Dell's
|
||||
BIOS doesn't set any other type of protection either such as writing to
|
||||
Protected Range registers.
|
||||
|
||||
With this method, you can probably flash it within 5 minutes. Again, zero
|
||||
disassembly required!
|
||||
|
|
|
@ -45,8 +45,9 @@ Software flashing possible! (no disassembly)
|
|||
|
||||
tl;dr Nicholas is a genius, but he spent time studying the board, finding that
|
||||
the EC is hooked up to GPIO33 which allows for flash descriptor override. He
|
||||
successfully reverse engineered a command that can be used to disable
|
||||
protections, allowing installation of Libreboot.
|
||||
successfully reverse engineered a command that can be used to disable IFD
|
||||
protections, and discovered that the SMM BIOS lock protection could be
|
||||
bypassed, allowing installation of Libreboot.
|
||||
|
||||
This is without needing to disassemble. No clip required.
|
||||
|
||||
|
|
|
@ -86,12 +86,12 @@ Build system changes:
|
|||
in Parabola GNU+Linux, courtesy of Riku Viitanen (`Riku_V` on Libreboot IRC)
|
||||
* `util/nvmutil`: sorted includes alphabetically; `sys/` first (puffy!)
|
||||
* `util/e6400-flash-unlock`: New utility for Dell Latitude E6400 added, written
|
||||
by Nicholas Chin (`nic3-14159` on Libreboot IRC). It writes EC commands to
|
||||
unlock the flash, pulling `GPIO33`/`HDA_DOCK_EN` to a low logic state. This
|
||||
disables IFD-based flash protections. On Dell E6400, the EC is hooked up to
|
||||
GPIO33 and Dell's own BIOS offers no other protections, so the machine can
|
||||
be flashed *entirely with software on the host CPU*, from Dell BIOS to
|
||||
Libreboot! See:
|
||||
by Nicholas Chin (`nic3-14159` on Libreboot IRC). It sends EC commands to
|
||||
pull a GPIO connected to `GPIO33`/`HDA_DOCK_EN` in the chipset to a low logic
|
||||
state, disabling IFD-based flash protections. Additionally, it bypasses the
|
||||
SMM BIOS lock protection by disabling SMIs, and since Dell's own BIOS offers
|
||||
no other protections, the machine can be flashed *entirely with software on
|
||||
the host CPU*, from Dell BIOS to Libreboot! See:
|
||||
<https://browse.libreboot.org/lbmk.git/tree/util/e6400-flash-unlock>
|
||||
* GRUB payload: `grub.cfg` menu timeout now 30s, not 5s
|
||||
* `blobutil/download`: support downloading KBC1126-based EC firmware for HP
|
||||
|
|
Loading…
Reference in New Issue