• Stars
    star
    1,033
  • Rank 44,608 (Top 0.9 %)
  • Language
    Perl
  • License
    GNU General Publi...
  • Created over 8 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Infrastructure for examining and patching Thinkpad embedded controller firmware

COMPATIBILTY WARNING:

As the result of CVE-2019-6171, newer Lenovo firmware update files have added a digital signature. If you upgrade to locked version you will not be able to patch your EC without downgrading it.

laptop last modifiable first protected version
t430 BIOS 2.81 (G1ETC1WW) EC 1.13 (G1HT35WW) BIOS 2.82 (G1ETC2WW) EC 1.14 (G1HT36WW)
t430s BIOS 2.75 (G7ETB5WW) EC 1.16 (G7HT39WW) BIOS 2.76 (G7ETB6WW) EC 1.16 (G7HT40WW)
t530, t530i BIOS 2.76 (G4ETB6WW) EC 1.13 (G4HT39WW) BIOS 2.77 (G4ETB7WW) EC 1.14 (G4HT40WW)
w530 BIOS 2.75 (G5ETB5WW) EC 1.13 (G4HT39WW) BIOS 2.76 (G5ETB6WW) EC 1.14 (G4HT40WW)
x230 BIOS 2.75 (G2ETB5WW) EC 1.14 (G2HT35WW) BIOS 2.77 (G2ETB7WW) EC 1.15 (G2HT36WW)
x230t BIOS 2.73 (GCETB3WW) EC 1.14 (GCHT25WW) BIOS 2.75 (GCETB5WW) EC 1.15 (GCHT26WW)

Basically, any BIOS update package where the changelog mentions CVE-2019-6171 will have this lockdown.

Lenovo is tracking their response to this CVE at: https://support.lenovo.com/gb/en/solutions/len-27764

If you upgraded your BIOS to the locked version:

  • Ensure that downgrading is possible in BIOS settings (Security/UEFI BIOS Update Option/Secure Rollback Prevention -> Disable)
  • Downgrade it to the latest supported version. EC will be automatically downgraded as well

Intro

The main purpose of this software is to patch the EC on xx30 series thinkpads to make the classic 7-row keyboards work. There are also patches included (but disabled by default) to disable the authentic battery validation check.

With the patches included here, you can install the classic keyboard hardware on many xx30 series laptops and make almost every key work properly. The only keys that are not working are Fn+F3 (Battery) and Fn+F12 (Hibernate).

The xx30 keyboards do not have a Caps Lock Indicator and the motherboard has no hardware support for a Caps Lock Indicator, so the replacement classic keyboard will never turn on the Indicator on any laptop.

Step-by-step instructions:

This software expects to be run under Linux (real Linux, not Microsoft Windows Linux subsystem). For best results, ensure you have updated your BIOS to a recent version before starting. If there is too large a difference between the BIOS and EC versions then the flash process will not complete.

A little more detail about the BIOS versions: It is not so much a question about upgrading to a recent BIOS version, but more of ensuring you are using a compatible EC firmware version. For safety, ensure that the EC version you are running is the same as the EC version used by the patched image you build. The version used to build the patch is shown at the end of the build process and during the pre-flash warning message.

  1. Ensure you have installed the minimum required packages On Debian, this can be done with:

    sudo apt-get update
    sudo apt-get install make git
    

    On Fedora, you could install it with dnf:

    sudo dnf install git mtools openssl-devel
    sudo dnf group install "C Development Tools and Libraries"
    

    On OpenSUSE, try:

    sudo zypper in git mtools libressl-devel
    
  2. Clone a copy of this repo on to your computer:

    cd ~/
    git clone https://github.com/hamishcoleman/thinkpad-ec
    
  3. Change to the directory created by the clone:

    cd ~/thinkpad-ec
    
  4. Install the prerequisite packages On Debian, this can be done with:

    sudo make build-deps
    
  5. Show the list of laptops and USB image file names:

    make list_laptops
    
  6. Choose your laptop model name from the list shown. E.G. "patched.x230.img" for a x230 laptop.

  7. Optionally, the configuration can be changed from the defaults at this point. Read the CONFIG doc for details of the available config options.

  8. Using the name chosen in the previous step, make the fully patched image for this laptop (this will download the original file from Lenovo and patch it):

    make patched.x230.img
    
  9. Insert your USB stick and determine what device name it has. (Note: chose a USB stick with nothing important on it, it will be erased in the next step) This command should help you find the right device:

    lsblk -d -o NAME,SIZE,LABEL
    

    Note: Do not mount the USB stick. If your desktop environment automatically mounts devices for you, you will need to unmount the stick. You may find that using the "Eject" option does not work as it may turn the power off to the stick, which will stop the next step from working.

  10. Write the bootable patched image onto the USB stick device (replace the "sdx" in this command with the correct name for your usb stick)

    WARNING: if you do not have the right device name, you might overwrite your hard drive!

    sudo dd if=patched.x230.img of=/dev/sdx bs=4M status=progress conv=fsync
    

Your USB stick is now ready to boot and install the patched firmware.

Notes:

  • You can also create a bootable CDROM image for burning to a disk by asking for a ".iso" file instead of the ".img" in step 6 above. Then you can use your normal CDROM burning tools to put this image on a blank cd and boot it up, skipping steps 7 and 8.

  • The configuration is applied during the building of the patched image. If you wish to change the configuration, the patched image will need to be rebuilt.

Booting the stick and flashing the firmware:

While flashing the firmware is as simple as booting the USB stick created above, there are a couple of steps that can help the process. This is more a list of issues that the community has discovered as the patch was applied in different circumstances than a hard and fast set of requirements.

The flashing process takes place in two distinct steps (these are outlined below, but explained in more detail in firmware_flashing doc)

  1. Booting the USB stick:

    • First shows a page with information about the patch, including which laptop type it was built for.
    • Then it hands the new EC update to the BIOS, "staging" it for a future flashing into the EC hardware
    • Finally it reboots the system.
  2. Under the BIOS control, during a bootup:

    • During the boot, the BIOS notices that it has a new EC update staged
    • It then checks if it is safe to flash this update to the EC.
    • If everything is safe, it will show a screen saying "Flashing EC"
    • The system will bootup normally with the new EC code running.

If you don't see this second screen with the "Flashing EC" message, your EC has not been flashed, and you should continue reading below to see what steps you can take to ensure the EC is properly flashed with the patched firmware. In this cases everything might look like it was successful but after the reboot the keys are not remapped.

  • For best results, ensure you have the power charger plugged in during the flashing process.

    • Some chargers seem to have issues with actually performing the flashing procedure after the flash process reboots. So, if you have - or can borrow - other chargers, try that.
  • The firmware flash process generally requires you to have a charged battery plugged in to the laptop before it will complete.

    • It may be possible to bypass the requirement for a charged battery if you unplug the battery completely.
    • Alternatively, it might be simply looking for any battery /and/ the power charger plugged in.

    Yes, this is contradictory, but it is worth trying both options.

  • An ultrabay battery is not considered by the update mechanism to be a suitable source of power - when trying different battery options, ensure you are trying batteries in the main battery slot.

  • Ensure your BIOS has been configured to boot from "Legacy" and not "UEFI" before trying to boot.

  • If you do normally use UEFI boot, there has been at least one case where the EC does not get flashed until the BIOS is switched back into UEFI mode - after which the EC was automatically flashed on the next reboot.

More Repositories

1

thinkpad-usbkb

Experimental hardware to convert thinkpad keyboards to usb
Makefile
37
star
2

led_sp108e

Interface with SP108E wifi LED controller from python
Python
33
star
3

thinkpad-dosflash

Attempt to Reverse Engineer the Thinkpad DOSFLASH utility
C
26
star
4

debian-minimal-builder

Tool for creating minimal installs of debian-based systems
Shell
20
star
5

macos-vmnet

Simple example for using the macos vmnet framework
C
13
star
6

esp8089

Linux Wifi Driver for ESP8089 chips (same chip as used for ESP8266)
Objective-C
12
star
7

talk-containers1

Presentation and example files for talk on building linux container images
HTML
6
star
8

cdfv2-dump

Compound File Binary Format dump tool
Perl
5
star
9

thinkpad-talk

Presentation about the creation of the thinkpad-ec project
HTML
4
star
10

spectre-tests

Working code from the Spectre white paper
C
3
star
11

vnc2hid

transparently remotely control a computer
Python
3
star
12

h264mux

Simple tools for h264 raw video and converting it for use in standard browsers
Perl
3
star
13

automated-installer

Fully automatable installer for debian and ubuntu
Shell
3
star
14

cjdns_tool

Talk to the cjdns admin interface on a super minimal debian system - without installing any packages
Perl
3
star
15

python-simpleproject

Simple python project framework (with unit tests)
Python
3
star
16

debian-installer-repack

Add a preseed.cfg to a Debian installer image
Shell
3
star
17

mtools

Manual repo of the gnu mtools software - I cannot believe that they do not have a git repo anywhere!
C
3
star
18

xpanic

C
2
star
19

cpm_wordstar33_vt100

Patch Wordstar 3.30 to work with a vt100 terminal type
Assembly
2
star
20

arduino_esp32cam_example

A demonstration of an CI builder for the arduino and ESP32 workflow
C
1
star
21

esp8089-talk

Talk slides for the attempt to make a more open ESP8266
HTML
1
star
22

zyxel_gs1900_scraper

Demonstrate automated config backup from Zyxel GW1900-24 switch
Perl
1
star
23

gps-html-map

Javascript helper to quickly make a slippy map from a gpx file
JavaScript
1
star
24

x_modeline_calculator

Some old spreadsheets that calculate X11 modeline details
SuperCollider
1
star
25

gpx-tools

Tools to organise an archive of gpx files
Perl
1
star
26

stream

Testing the Sustainable Memory Bandwidth in High Performance Computers
C
1
star
27

linux

Linux kernel - including Allwinner h2+ support patches. Warning: branches will rebase
C
1
star
28

xterm

Git mirror of xterm source, created from debian archives (See https://invisible-island.net/xterm/xterm.html and also https://github.com/ThomasDickey/xterm-snapshots)
C
1
star
29

dell-compellent-tool

Commandline tool (and one nagios test) for automating queries to Dell Compellent SAN systems
Perl
1
star
30

libhc-perl

Submodule collecting a bunch of simple functions that I often re-implement
Perl
1
star
31

originenergy-exporter

Export raw power usage data from originenergy.com.au
Perl
1
star
32

wconsd

wconsd is a single, simple, Windows program that turns any PC into a telnet to serial server
C
1
star
33

fake-mojibake

Make your text more indecypherable by not converting it to some entirely wrong other language
Perl
1
star
34

lstz

list timezones
Python
1
star
35

monitor_bt_smarthub

Download information to monitor a BT Smart Hub 2
Perl
1
star