Merge branch 'fix-e6400-unlock-description' of nic3-14159/lbwww into master

hslick-master
Leah Rowe 2023-04-23 13:10:40 +00:00 committed by Gogs
commit e856fc014e
3 changed files with 19 additions and 16 deletions

View File

@ -78,14 +78,16 @@ is included in that program's directory, or you can read it online here:
<https://browse.libreboot.org/lbmk.git/plain/util/e6400-flash-unlock/README.md>
Literally just run that program, and do what it says. You run it once, and
shut down, and when you do, the system brings itself back up automatically.
Then you run it and flash it unlocked. Then you run it again. The source code
is intuitive enough that you can easily get the gist of it; it's writing some
EC commands. The EC on this machine is hooked up to the `GPIO33` signal,
sometimes called `HDA_DOCK_EN`, which sets the flash descriptor override
thus disabling any flash protection by the IFD - Dell's BIOS doesn't set any
other type of protection either, such as writing to Protected Range registers.
Literally just run that program, and do what it says. You run it once, and shut
down, and when you do, the system brings itself back up automatically. Then
you run it and flash it unlocked. Then you run it again. The source code is
intuitive enough that you can easily get the gist of it; it's writing some EC
commands and changing some chipset config bits. The EC on this machine is
hooked up to the `GPIO33` signal, sometimes called `HDA_DOCK_EN`, which sets
the flash descriptor override thus disabling any flash protection by the IFD.
It also bypasses the SMM BIOS lock protection by disabling SMIs, and Dell's
BIOS doesn't set any other type of protection either such as writing to
Protected Range registers.
With this method, you can probably flash it within 5 minutes. Again, zero
disassembly required!

View File

@ -45,8 +45,9 @@ Software flashing possible! (no disassembly)
tl;dr Nicholas is a genius, but he spent time studying the board, finding that
the EC is hooked up to GPIO33 which allows for flash descriptor override. He
successfully reverse engineered a command that can be used to disable
protections, allowing installation of Libreboot.
successfully reverse engineered a command that can be used to disable IFD
protections, and discovered that the SMM BIOS lock protection could be
bypassed, allowing installation of Libreboot.
This is without needing to disassemble. No clip required.

View File

@ -86,12 +86,12 @@ Build system changes:
in Parabola GNU+Linux, courtesy of Riku Viitanen (`Riku_V` on Libreboot IRC)
* `util/nvmutil`: sorted includes alphabetically; `sys/` first (puffy!)
* `util/e6400-flash-unlock`: New utility for Dell Latitude E6400 added, written
by Nicholas Chin (`nic3-14159` on Libreboot IRC). It writes EC commands to
unlock the flash, pulling `GPIO33`/`HDA_DOCK_EN` to a low logic state. This
disables IFD-based flash protections. On Dell E6400, the EC is hooked up to
GPIO33 and Dell's own BIOS offers no other protections, so the machine can
be flashed *entirely with software on the host CPU*, from Dell BIOS to
Libreboot! See:
by Nicholas Chin (`nic3-14159` on Libreboot IRC). It sends EC commands to
pull a GPIO connected to `GPIO33`/`HDA_DOCK_EN` in the chipset to a low logic
state, disabling IFD-based flash protections. Additionally, it bypasses the
SMM BIOS lock protection by disabling SMIs, and since Dell's own BIOS offers
no other protections, the machine can be flashed *entirely with software on
the host CPU*, from Dell BIOS to Libreboot! See:
<https://browse.libreboot.org/lbmk.git/tree/util/e6400-flash-unlock>
* GRUB payload: `grub.cfg` menu timeout now 30s, not 5s
* `blobutil/download`: support downloading KBC1126-based EC firmware for HP