Zerocat’s Coreboot Machines  v0.9.0
How to create Zerocat’s Coreboot Machines like the ZC-X200 and others...
How To Modify The Intel Flash Descriptor


Most Intel machines use their onboard flash chip to hold more than just the BIOS firmware: the chip is divided into firmware regions that give space to other firmware as well. The first 4096 bytes of the chip hold Intel’s description table, which describes the position, size and access restrictions of these regions. This table is called “Intel Firmware Descriptor” or “Intel Flash Descriptor”, in short: “IFD”.

When working with coreboot or libreboot, there are several reasons to modify this description table.

Region ME Deleted

On libreboot-compatible devices (e.g. X200, T400, T500), you will likely delete region ME, the firmware region reserved to hold the proprietary firmware update for the integrated Intel Management Engine, a powerful controller on board. With the region deleted, more space is available and should be reassigned to region BIOS, which holds your new coreboot BIOS firmware replacement.

The Libreboot project has already done that work: it offers a tool called ich9gen that creates a modified firmware descriptor, which can simply be copied into the new coreboot ROM with the dd command. (The tool generates the firmware for region GbE in the same run, and both are bundled together. However, you can use the dd command again to separate the two regions if you need to.)

Retrieve the sources of the libreboot project:

$ git clone https://notabug.org/libreboot/libreboot.git
$ cd libreboot

Check out the latest release:

$ git checkout r20160907
$ cd resources/utilities/ich9deblob
$ make

Use the correct MAC address of your machine. It is usually stated on a sticker at the systemboard’s second RAM socket.

$ ./ich9gen --macaddress xx:xx:xx:xx:xx:xx
Warning
Do not use option --mac-address by mistake, as this will generate a GbE Configuration with a default MAC Address without warning the user. Do not omit the colons. Replace ‘xx’ with your hexadecimal values.

This will generate some *.bin files and "How to Use" messages, e.g.:

descriptor and gbe successfully written to the file: ich9fdgbe_8m.bin
Now do: dd if=ich9fdgbe_8m.bin of=libreboot.rom bs=1 count=12k conv=notrunc
(in other words, add the modified descriptor+gbe to your ROM image)

You should update your coreboot.rom with the appropriate dd command as the last action on it.

Region ME Cleaned

More recent machines (e.g. X220, X230, T430) unfortunately do not allow you to delete region ME completely. However, the ME_Cleaner script is able to delete a significant number of sections of the firmware code. As a result, the IME controller boots up but stays hung in its bring-up phase. Hopefully it can't do any harm.

Shrink Binary of Region ME

Once ME_Cleaner has cleaned the firmware, the binary needs to be shrunk. ME_Cleaner’s log file suggests a new size, but it seems this can be reduced further by around 3×4096 bytes. It is a good idea to extract all regions of your first coreboot ROM with coreboot’s ifdtool -x. Then use hexdump -C to look for the last sector containing code in flashregion_2_intel_me.bin and determine the minimal required size. The dd command is the right tool to create a smaller binary file of the cleaned and shrunk IME firmware.
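
The search for the last used sector can be scripted instead of read off a hexdump. The following is an added example, not part of the Zerocat toolchain or of me_cleaner; the function names are hypothetical, and it assumes that the space removed by the cleaner reads back as 0xFF:

```shell
#!/bin/sh
# Added example: me_min_size and me_shrink are hypothetical helper names.
# Assumption: space removed by the cleaner reads back as 0xFF.

# Print the smallest multiple of 4096 that still contains every sector
# holding at least one non-0xFF byte (0 if the file holds no data at all).
me_min_size() {
    size=$(wc -c < "$1")
    n=$(( (size + 4095) / 4096 ))
    while [ "$n" -gt 0 ]; do
        # Count the bytes of sector n-1 that survive deleting all 0xFF bytes.
        used=$(dd if="$1" bs=4096 skip=$((n - 1)) count=1 2>/dev/null |
               LC_ALL=C tr -d '\377' | wc -c)
        [ "$used" -gt 0 ] && break
        n=$((n - 1))
    done
    echo $((n * 4096))
}

# Write the first me_min_size bytes of $1 to $2; $1 itself is not modified.
me_shrink() {
    min=$(me_min_size "$1")
    [ "$min" -gt 0 ] || return 1
    dd if="$1" of="$2" bs=4096 count=$((min / 4096)) 2>/dev/null
}

# Constructed sample: 8 sectors of 0xFF with data in sectors 0 and 2 only.
make_sample() {
    dd if=/dev/zero bs=4096 count=8 2>/dev/null | LC_ALL=C tr '\0' '\377' > "$1"
    printf 'HDR' | dd of="$1" bs=4096 seek=0 conv=notrunc 2>/dev/null
    printf 'CODE' | dd of="$1" bs=4096 seek=2 conv=notrunc 2>/dev/null
}

tmp=$(mktemp -d)
make_sample "$tmp/me.bin"
me_shrink "$tmp/me.bin" "$tmp/me_shrunk.bin"
echo "minimal size: $(me_min_size "$tmp/me.bin") bytes"
rm -rf "$tmp"
```

Compare the printed size with the one suggested in ME_Cleaner’s log before using the shrunk file.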

Create and Fix Binary of Region IFD

However, this binary cannot be used with coreboot again until a new firmware descriptor binary has been created:

Dump the flash layout with ifdtool -f and create a modified one, see Example A below.

Create a new, working flash descriptor with ifdtool -n and fix byte 0x51 (81 in decimal) with the value found in the previously extracted flash descriptor binary flashregion_0_flashdescriptor.bin, 0x1f for instance. The dd command helps you to copy that byte’s value. See Example B for how the dump of the new flash descriptor should differ from the default one.
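
One way to copy that single byte with dd and confirm that nothing else in the new descriptor changed. This is an added example, not code from the Zerocat toolchain; the helper names are hypothetical and the two sample files are constructed stand-ins for the extracted and the newly generated descriptor:

```shell
#!/bin/sh
# Added example: byte_at and fix_descriptor_byte are hypothetical helpers.

# Print the byte at decimal offset $2 of file $1 as two hex digits.
byte_at() { od -An -tx1 -j "$2" -N 1 "$1" | tr -d ' \n'; }

# Copy byte 0x51 from the extracted descriptor $1 into the new one $2,
# in place, and print the value now stored there.
fix_descriptor_byte() {
    old=$1; new=$2; off=$((0x51))
    size=$(wc -c < "$new")
    [ "$(wc -c < "$old")" -gt "$off" ] && [ "$size" -gt "$off" ] || return 1
    cp "$new" "$new.orig" || return 1
    # skip= positions the read in $old, seek= the write in $new; without
    # conv=notrunc dd would cut $new off right after the written byte.
    dd if="$old" of="$new" bs=1 skip="$off" seek="$off" count=1 \
       conv=notrunc 2>/dev/null || return 1
    # At most the target byte may differ from the backup; length is unchanged.
    changed=$(cmp -l "$new.orig" "$new" | wc -l)
    [ "$changed" -le 1 ] && [ "$(wc -c < "$new")" -eq "$size" ] || return 1
    byte_at "$new" "$off"
}

# Constructed sample descriptors: 4096 zero bytes each, with 0x1f placed at
# offset 0x51 of the "extracted" one only.
make_descriptors() {
    dd if=/dev/zero of="$1" bs=4096 count=1 2>/dev/null
    dd if=/dev/zero of="$2" bs=4096 count=1 2>/dev/null
    printf '\037' | dd of="$1" bs=1 seek=81 conv=notrunc 2>/dev/null
}

tmp=$(mktemp -d)
make_descriptors "$tmp/old.bin" "$tmp/new.bin"
echo "byte 0x51 is now 0x$(fix_descriptor_byte "$tmp/old.bin" "$tmp/new.bin")"
rm -rf "$tmp"
```

The helper leaves a backup of the unpatched descriptor next to it with the suffix .orig.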

Example A: Modify X230 Firmware Layout

Use ifdtool -f to extract the default layout, e.g. on an X230:

00000000:00000fff fd
00500000:00bfffff bios
00003000:004fffff me
00001000:00002fff gbe

Modify the layout file. This is what can be used on an X230:

00000000:00000fff fd
00001000:00002fff gbe
00003000:00196fff me
00197000:00bfffff bios

The size of region ME is 0x194000 instead of the 0x197000 suggested by me_cleaner.log. Compared to the original flash layout on an X230, region BIOS has been increased, and region ME decreased, by 0x369000 bytes!
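
A hand-edited layout file can be checked for alignment and overlaps before it is fed to ifdtool, and the FLREG values it should produce can be predicted for the comparison in Example B. The following is an added example, not part of ifdtool or the Zerocat toolchain; the function names are hypothetical, and the FLREG packing is the one visible in the dumps on this page:

```shell
#!/bin/sh
# Added example: flreg_encode and check_layout are hypothetical helpers,
# not ifdtool functions. FLREG packing as seen in the dumps on this page:
# bits 0-11 hold base >> 12, bits 16-27 hold limit >> 12.

# Encode one "START:END" range; also leaves the parsed values in $start/$end.
flreg_encode() {
    start=$((0x${1%%:*})); end=$((0x${1##*:}))
    # A region starts on a 4 KiB boundary and ends on a sector's last byte.
    [ $((start & 0xfff)) -eq 0 ] && [ $((end & 0xfff)) -eq 4095 ] || return 1
    [ "$end" -gt "$start" ] || return 1
    printf '0x%08x\n' $(( ((end >> 12) << 16) | (start >> 12) ))
}

# Walk a layout file in address order and print "name FLREG" per region,
# then "size" with the first address after the last region.
# Fails on a misaligned range or on a region overlapping its predecessor.
check_layout() {
    LC_ALL=C sort "$1" | (
        next=0
        while read -r range name; do
            printf '%s ' "$name"
            flreg_encode "$range" || { echo "misaligned: $range" >&2; exit 1; }
            [ "$start" -ge "$next" ] || { echo "overlap: $range" >&2; exit 1; }
            next=$((end + 1))
        done
        printf 'size 0x%x\n' "$next"
    )
}

# The modified X230 layout from Example A.
layout=$(mktemp)
cat > "$layout" <<'EOF'
00000000:00000fff fd
00001000:00002fff gbe
00003000:00196fff me
00197000:00bfffff bios
EOF
check_layout "$layout"
rm -f "$layout"
```

The values printed for me and bios should match FLREG2 and FLREG1 in the dump of the new descriptor.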

Example B: Compare X230 Descriptor Dumps

The diff -y command helps you to compare dumps (created with ifdtool -d) of the default descriptor and the new, fixed one. They should differ only in the four lines marked below:

Found Region Section                                           Found Region Section
FLREG0: 0x00000000                                             FLREG0: 0x00000000
Flash Region 0 (Flash Descriptor): 00000000 - 00000fff         Flash Region 0 (Flash Descriptor): 00000000 - 00000fff
FLREG1: 0x0bff0500                                           | FLREG1: 0x0bff0197
Flash Region 1 (BIOS): 00500000 - 00bfffff                   | Flash Region 1 (BIOS): 00197000 - 00bfffff
FLREG2: 0x04ff0003                                           | FLREG2: 0x01960003
Flash Region 2 (Intel ME): 00003000 - 004fffff               | Flash Region 2 (Intel ME): 00003000 - 00196fff
FLREG3: 0x00020001                                             FLREG3: 0x00020001
Flash Region 3 (GbE): 00001000 - 00002fff                      Flash Region 3 (GbE): 00001000 - 00002fff
FLREG4: 0x00001fff                                             FLREG4: 0x00001fff
Flash Region 4 (Platform Data): 00fff000 - 00000fff (unused    Flash Region 4 (Platform Data): 00fff000 - 00000fff (unused

Use Both Binaries with Coreboot

Both newly created binaries of region ME and region IFD should now be used as input for the coreboot configuration tool when building coreboot a second time.

Toolchain Scripts

These procedures are implemented by the toolchain scripts (for instance gen-zerocat-rom.sh), which should give you an easy and safe way to carry them out. Please check the sources.
