-
Notifications
You must be signed in to change notification settings - Fork 115
/
HACKING.txt
108 lines (73 loc) · 3.63 KB
/
HACKING.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
This repository also contains number of tools and utilities for examining
and modifying Thinkpad Embedded Controller firmware.
Including:
* radare projects with partial disassembly of several thinkpads EC firmware
* scripts for downloading the ISO image and extracting the firmware
* script for patching the firmware
* documentation on the tables found in the firmware (TODO)
Radare:
-------
To use the radare projects, first install the project files:
make install.radare.projects
Then ensure you have the image file(s):
make x220.8DHT34WW.img.enc.orig x230.G2HT35WW.img x260.R02HT29W.img
Then start radare with one of these projects:
radare -p x230.G2HT35WW
Makefile targets for patching:
------------------------------
If you expect to do development work, the following make targets are
probably useful:
To list the available raw image files and FL2 files, check the
Descriptions.txt file for the list of known image names. You
can also get a list of the "*.img.d" directories that contain
patches with this make command:
make list_images
To fetch the firmware from Lenovo, extract, decrypt and patch
it, ready for more patching:
make x230.G2HT35WW.img
To just get the decrypted firmware file (with the same filename as
above), before any patches applied:
make x230.G2HT35WW.img.prepatch
To create a new FL2, ready for flashing:
make x230.G2HT35WW.s01D3000.FL2
To update your firmware, copy the FL2 file generated above and
the dosflash.exe utility to a DOS boot disk and then use a command
similar to:
dosflash /sd /ipf ec /file s01D3000.FL2
To insert the firmware image back into the bootable cdrom and boot this
in an emulator for testing:
make patched.x230.iso.test
To extract the DOS disk image from the ISO and test that in the emulator
instead:
make patched.x230.img.test
Extracting the ISO images:
--------------------------
While examining a new ISO image, it is often useful to extract its
entire contents. Due to the way these images are constructed, it is
not straight forward to get the data out.
The Lenovo ISO image is a iso9660 filesystem image with /no/ files
in it! There is a El-Torrito standard boot descriptor in this image,
and it defines a hard drive image for booting. This hard drive image
is a DOS MBR partitioned disk, with one partition. The partition is a
FAT16 filesystem, containing the actual files used in the BIOS update.
To access the FAT16 filesystem, the byte offset of the filesystem
is calculated (via a process of unwrapping and decoding each layers
described above). So far, every ISO image file from Lenovo that has been
checked has used the same offset, so this has been hardcoded in the
Makefile as the "FAT_OFFSET" variable.
To extract the files for examination, a make target is available which
can be used on any *.iso.orig or *.iso file. e.g:
make g2uj25us.iso.orig.extract
make patched.x230.iso.extract
In the case where a file needs to be modified inside the image, it is
highly recommended to use the mtools "mcopy" utility to copy files back
into the image - this is the safest method and does not require any
elevated priviledges or run the risks of mounting foreign filesystems.
If you find you do need to directly mount the filesystem, the following
command can be used as a starting point:
sudo mount -o loop,offset=$FAT_OFFSET $ISOFILE $MNTPNT
References:
-----------
http://forum.thinkpads.com/viewtopic.php?f=69&t=120776
http://www.zmatt.net/unlocking-my-lenovo-laptop-part-3/
http://plan9.stanleylieber.com/hardware/thinkpad/x230/x230.schematics.pdf