thinkpad-ec/docs/HACKING.txt

This repository also contains number of tools and utilities for examining
and modifying Thinkpad Embedded Controller firmware.

Including:
*   radare projects with partial disassembly of several thinkpads EC firmware
*   scripts for downloading the ISO image and extracting the firmware
*   script for patching the firmware
*   documentation on the tables found in the firmware (TODO)

Radare:
-------
To use the radare projects, first install the project files:

    make install.radare.projects

Then ensure you have the image file(s):

    make x220.8DHT34WW.img.enc.orig x230.G2HT35WW.img x260.R02HT29W.img

Then start radare with one of these projects:

    radare -p x230.G2HT35WW

Makefile targets for patching:
------------------------------

If you expect to do development work, the following make targets are
probably useful:

    To list the available raw image files and FL2 files, check the
    Descriptions.txt file for the list of known image names.  You
    can also get a list of the "*.img.d" directories that contain
    patches with this make command:

        make list_images

    To fetch the firmware from Lenovo, extract, decrypt and patch
    it, ready for more patching:

        make x230.G2HT35WW.img

    To just get the decrypted firmware file (with the same filename as
    above), before any patches applied:

        make x230.G2HT35WW.img.prepatch

    To create a new FL2, ready for flashing:

        make x230.G2HT35WW.s01D3000.FL2

    To update your firmware, copy the FL2 file generated above and
    the dosflash.exe utility to a DOS boot disk and then use a command
    similar to:


        dosflash /sd /ipf ec /file s01D3000.FL2

    To insert the firmware image back into the bootable cdrom and boot this
    in an emulator for testing:

        make patched.x230.iso.test

    To extract the DOS disk image from the ISO and test that in the emulator
    instead:

        make patched.x230.img.test

Extracting the ISO images:
--------------------------

While examining a new ISO image, it is often useful to extract its
entire contents.  Due to the way these images are constructed, it is
not straight forward to get the data out.

The Lenovo ISO image is a iso9660 filesystem image with /no/ files
in it!  There is a El-Torrito standard boot descriptor in this image,
and it defines a hard drive image for booting.  This hard drive image
is a DOS MBR partitioned disk, with one partition.  The partition is a
FAT16 filesystem, containing the actual files used in the BIOS update.

To access the FAT16 filesystem, the byte offset of the filesystem
is calculated (via a process of unwrapping and decoding each layers
described above).  So far, every ISO image file from Lenovo that has been
checked has used the same offset, so this has been hardcoded in the
Makefile as the "FAT_OFFSET" variable.

To extract the files for examination, a make target is available which
can be used on any *.iso.orig or *.iso file.  e.g:

    make g2uj25us.iso.orig.extract
    make patched.x230.iso.extract

In the case where a file needs to be modified inside the image, it is
highly recommended to use the mtools "mcopy" utility to copy files back
into the image - this is the safest method and does not require any
elevated priviledges or run the risks of mounting foreign filesystems.

If you find you do need to directly mount the filesystem, the following
command can be used as a starting point:

    sudo mount -o loop,offset=$FAT_OFFSET $ISOFILE $MNTPNT


References:
-----------
    http://forum.thinkpads.com/viewtopic.php?f=69&t=120776
    http://www.zmatt.net/unlocking-my-lenovo-laptop-part-3/
    http://plan9.stanleylieber.com/hardware/thinkpad/x230/x230.schematics.pdf
Update instructions to simply provide a step-by-step process 2016-05-20 01:05:22 +00:00			`This repository also contains number of tools and utilities for examining`
			`and modifying Thinkpad Embedded Controller firmware.`

			`Including:`
			`* radare projects with partial disassembly of several thinkpads EC firmware`
			`* scripts for downloading the ISO image and extracting the firmware`
			`* script for patching the firmware`
			`* documentation on the tables found in the firmware (TODO)`

			`Radare:`
			`-------`
			`To use the radare projects, first install the project files:`

			`make install.radare.projects`

			`Then ensure you have the image file(s):`

Correct x220 image documentation (See #96) 2018-11-05 01:46:25 +00:00			`make x220.8DHT34WW.img.enc.orig x230.G2HT35WW.img x260.R02HT29W.img`
Update instructions to simply provide a step-by-step process 2016-05-20 01:05:22 +00:00
			`Then start radare with one of these projects:`

			`radare -p x230.G2HT35WW`

Update the docs with details on how extracting the ISO contents works. This also documents the new .extract make targets and moves the direct loopback mount option entirely into the documentation. It has been moved because I want to discourage people from using it - I consider it to be a higher risk with no good return for this risk. 2017-06-29 03:45:08 +00:00			`Makefile targets for patching:`
			`------------------------------`
Update instructions to simply provide a step-by-step process 2016-05-20 01:05:22 +00:00
			`If you expect to do development work, the following make targets are`
			`probably useful:`

With the FL2 slice files gone, update some of the hacking notes 2017-06-20 06:40:43 +00:00			`To list the available raw image files and FL2 files, check the`
			`Descriptions.txt file for the list of known image names. You`
			`can also get a list of the "*.img.d" directories that contain`
			`patches with this make command:`
Update instructions to simply provide a step-by-step process 2016-05-20 01:05:22 +00:00
			`make list_images`

			`To fetch the firmware from Lenovo, extract, decrypt and patch`
			`it, ready for more patching:`

			`make x230.G2HT35WW.img`

			`To just get the decrypted firmware file (with the same filename as`
With the FL2 slice files gone, update some of the hacking notes 2017-06-20 06:40:43 +00:00			`above), before any patches applied:`
Update instructions to simply provide a step-by-step process 2016-05-20 01:05:22 +00:00
			`make x230.G2HT35WW.img.prepatch`

			`To create a new FL2, ready for flashing:`

			`make x230.G2HT35WW.s01D3000.FL2`

			`To update your firmware, copy the FL2 file generated above and`
			`the dosflash.exe utility to a DOS boot disk and then use a command`
			`similar to:`

Fix spelling git ls-files -z "$(git rev-parse --show-toplevel)" \| xargs --null -I '{}' find '{}' -type f -print0 \| xargs --null sed --in-place --regexp-extended 's/dependancy/dependency/g;' 2017-06-15 10:24:36 +00:00
Update instructions to simply provide a step-by-step process 2016-05-20 01:05:22 +00:00			`dosflash /sd /ipf ec /file s01D3000.FL2`

Document the qemu test targets 2016-05-20 03:17:54 +00:00			`To insert the firmware image back into the bootable cdrom and boot this`
			`in an emulator for testing:`

			`make patched.x230.iso.test`

			`To extract the DOS disk image from the ISO and test that in the emulator`
			`instead:`

			`make patched.x230.img.test`

Update the docs with details on how extracting the ISO contents works. This also documents the new .extract make targets and moves the direct loopback mount option entirely into the documentation. It has been moved because I want to discourage people from using it - I consider it to be a higher risk with no good return for this risk. 2017-06-29 03:45:08 +00:00			`Extracting the ISO images:`
			`--------------------------`

			`While examining a new ISO image, it is often useful to extract its`
			`entire contents. Due to the way these images are constructed, it is`
			`not straight forward to get the data out.`

			`The Lenovo ISO image is a iso9660 filesystem image with /no/ files`
			`in it! There is a El-Torrito standard boot descriptor in this image,`
			`and it defines a hard drive image for booting. This hard drive image`
			`is a DOS MBR partitioned disk, with one partition. The partition is a`
			`FAT16 filesystem, containing the actual files used in the BIOS update.`

			`To access the FAT16 filesystem, the byte offset of the filesystem`
			`is calculated (via a process of unwrapping and decoding each layers`
			`described above). So far, every ISO image file from Lenovo that has been`
			`checked has used the same offset, so this has been hardcoded in the`
			`Makefile as the "FAT_OFFSET" variable.`

			`To extract the files for examination, a make target is available which`
			`can be used on any .iso.orig or .iso file. e.g:`

			`make g2uj25us.iso.orig.extract`
			`make patched.x230.iso.extract`

			`In the case where a file needs to be modified inside the image, it is`
			`highly recommended to use the mtools "mcopy" utility to copy files back`
			`into the image - this is the safest method and does not require any`
			`elevated priviledges or run the risks of mounting foreign filesystems.`

			`If you find you do need to directly mount the filesystem, the following`
			`command can be used as a starting point:`

			`sudo mount -o loop,offset=$FAT_OFFSET $ISOFILE $MNTPNT`


Update instructions to simply provide a step-by-step process 2016-05-20 01:05:22 +00:00			`References:`
			`-----------`
			`http://forum.thinkpads.com/viewtopic.php?f=69&t=120776`
			`http://www.zmatt.net/unlocking-my-lenovo-laptop-part-3/`
			`http://plan9.stanleylieber.com/hardware/thinkpad/x230/x230.schematics.pdf`