harryK wrote:
brchan wrote:
Now we can finally start recommending xx30 thinkpads with this bios + classic keyboard mod instead of xx20 models!
The xx20 series still has the substantial advantage of being upgradable with new wlan/wwan cards imo.
The WLAN whitelist can be removed too, but you have to write to the flash chip with an external programmer. All instructions out there make out that the BIOS is unique to a given machine, and so has to be patched rather than overwritten by a one-size-fits-all whitelisted replacement. I don't know if this is actually the case (are MAC addresses stored in there?), but it makes it a bit more involved than it needs to be - on two levels.
The BIOS write-protects that region of flash before booting - a write-once register in the Intel chipset that is only cleared by a hard reset, but then immediately re-written by the BIOS before booting. The standard update procedure writes the new image to a dummy area (RAM?) before setting a flag and rebooting. When the BIOS sees the flag, it examines the image and checks the cryptographic signature. If it matches, the BIOS will re-write itself in flash before rebooting. This also means that mis-flashing from Windows, messed up by virus scanners etc. is a thing of the past.
This is mostly done in the name of protection from virus/trojan/malware and makes sense in a modern context. It also serves to lock the whitelist better than in previous generations, which probably ticks some FCC-related box for manufacturers. If I was being unkind, I'd wonder about planned obsolescence and forced upgrades; an Ivy Bridge machine without wireless-AC support is tragic!
This BIOS update routine is entirely separate and parallel to the EC firmware update, which has been reverse engineered (amazing work by all concerned). Somehow finding the signing key for the BIOS would grant similar access to the non-EC portion of things, but it probably has more cryptographic strength to begin with.
This setup isn't unique to Lenovo, but is employed by Dell and HP too - probably driven by Intel. There are some papers published about fuzzing the update procedure to overflow and break out of the BIOS signature check, but compared to finding such flaws in the implementation or the signing key, spending 15 minutes with a Raspberry Pi and a $5 SOIC clip seems trivial.
While modifying to remove the whitelist, you could probably modify to remove the SMM write-protect lock too - risking virus/trojan BIOS installations, but making your xx30 easy to update without hardware tools in the future. It doesn't give a way to avoid hardware tools for the first flash though.
It's daunting until you work through it, but relatively low risk except for the hardware aspect. You can always reflash with the backup you take if you mess up and brick due to the software modification.
You don't even need to solder:
https://www.bios-mods.com/forum/Thread- ... 4#pid91134
https://github.com/bibanon/Coreboot-Thi ... st-Removal
https://www.coreboot.org/Board:lenovo/x230#Flashing
https://www.bios-mods.com/forum/Thread- ... o-thinkpad
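The post's safety net is the backup dump taken with the external programmer before anything is written. The usual practice is to read the chip more than once and only trust a backup when every read-back is identical, and, after patching, to confirm that the modified image differs from the original only where the patch was meant to touch. The script below is an added example written for this thread, not code from the post or from any of the linked guides; the 64 KiB images, the glitch at 0x5000, the patch at 0x9000 and the "allowed" range 0x8000-0xC000 are all constructed placeholders. Where the whitelist actually lives in a given ROM comes from the patch instructions you are following, not from this script.

```python
import hashlib
from typing import List, Tuple

BLOCK = 4096  # compare at 4 KiB granularity, the usual SPI flash sector size


def differing_blocks(a: bytes, b: bytes, block: int = BLOCK) -> List[int]:
    """Return the start offsets of every block where the two images differ.

    A size mismatch is treated as an error: a full-chip read must always return
    exactly the chip's capacity, so two dumps of different length cannot both
    be complete.
    """
    if len(a) != len(b):
        raise ValueError(f"size mismatch: {len(a)} vs {len(b)} bytes")
    return [off for off in range(0, len(a), block)
            if a[off:off + block] != b[off:off + block]]


def backup_is_stable(reads: List[bytes]) -> bool:
    """True when at least two read-backs exist and all are byte-identical.

    A loose clip or a marginal SPI clock typically shows up as a few flipped
    bytes that move between reads, so one clean read is not evidence of a
    good backup.
    """
    if len(reads) < 2:
        return False
    try:
        return all(differing_blocks(reads[0], r) == [] for r in reads[1:])
    except ValueError:
        return False


def changes_confined_to(original: bytes, modified: bytes,
                        allowed: List[Tuple[int, int]]) -> bool:
    """True when every differing block lies inside one of the allowed
    [start, end) ranges. Any change outside those ranges means the patch
    touched something it should not have and the image must not be flashed.
    """
    for off in differing_blocks(original, modified):
        if not any(s <= off and off + BLOCK <= e for s, e in allowed):
            return False
    return True


def make_image(seed: bytes, size: int = 64 * 1024) -> bytes:
    """Deterministic pseudo-random image standing in for a flash dump (constructed)."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:size])


# Constructed sample data: a clean dump, a second read with one glitched byte,
# and a patched image whose only change sits inside the hypothetical region.
ORIGINAL = make_image(b"constructed-dump")

_glitched = bytearray(ORIGINAL)
_glitched[0x5000] ^= 0xFF
GLITCHED = bytes(_glitched)

_patched = bytearray(ORIGINAL)
for i in range(0x9000, 0x9004):
    _patched[i] ^= 0xFF
PATCHED = bytes(_patched)

# Hypothetical region that the patch is allowed to modify (constructed).
ALLOWED_REGION = [(0x8000, 0xC000)]


if __name__ == "__main__":
    print("three identical reads stable:", backup_is_stable([ORIGINAL, ORIGINAL, ORIGINAL]))
    print("glitched read stable:        ", backup_is_stable([ORIGINAL, GLITCHED]))
    print("glitched blocks:             ", [hex(o) for o in differing_blocks(ORIGINAL, GLITCHED)])
    print("patch confined to region:    ", changes_confined_to(ORIGINAL, PATCHED, ALLOWED_REGION))
```

In practice the `bytes` objects would come from files written by the external programmer (`open("backup1.bin", "rb").read()` and so on), and the two checks are run in order: refuse to proceed until `backup_is_stable` passes on the raw dumps, then refuse to flash the patched file until `changes_confined_to` passes against the trusted backup.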