Installing classic keyboard into X230 with EC firmware mod

[brchan]

Can you try running "MTOOLS_SKIP_CHECK=1 mcopy -o -i g5uj28us.iso@@71680 g5uj28us.iso.bat ::AUTOEXEC.BAT"

Thanks, that worked. Executing the qemu command on the iso also went fine.

However, I can't seem to get the laptop to boot from the iso after I burn it to a usb stick (I tried 2 different ones and set boot mode to legacy). I formated the usb sticks with gparted and created a fat32 partition, then issued the following dd command:

Code: Select all

sudo dd if=g5uj28us.iso of=/dev/sdb bs=4M && sync

. The usb stick flashes for a quick second, but the laptop returns back to the boot menu.

Testing the usb stick using qemu after burning the iso using the command:

Code: Select all

sudo qemu-system-x86_64 -hda /dev/sdb

gives a "No bootable device" message and

Code: Select all

WARNING: Image format was not specified for '/dev/sdb' and probing guessed raw.
         Automatically detecting the format is dangerous for raw images, write operations on block 0 will be restricted.
         Specify the 'raw' format explicitly to remove the restrictions.
         

warning in the terminal.

[hamish]

Can you try running "MTOOLS_SKIP_CHECK=1 mcopy -o -i g5uj28us.iso@@71680 g5uj28us.iso.bat ::AUTOEXEC.BAT"

Thanks, that worked. Executing the qemu command also went fine.

However, I can't seem to get the laptop to boot from the iso after I burn it to a usb stick (I tried 2 different ones and set boot mode to legacy). I formated the usb sticks with gparted and created a fat32 partition, then issued the following dd command:

Code: Select all

sudo dd if=g5uj28us.iso of=/dev/sdb bs=4M && sync

. The usb stick flashes for a quick second, but the laptop returns back to the boot menu.

Ah - the Lenovo updates dont work from a USB stick, you will need to actually burn a cdrom with the ISO :-S

[brchan]

Turns out that the Lenovo bios can be burned to a usb and bootable by following the instructions here: http://positon.org/lenovo-thinkpad-bios ... ux-and-usb.

That being said, the bios mod worked perfectly and all the major keys are fully functional, even page back/forward keys! Only the Fn+F2 (Lock), Fn+F3 (Battery), Fn+F12 (Hibernate) and Fn+Space are missing, like you said in a previous post. They are detected as XF86WakeUp in xbindkeys. These are only minor issues, however. I am very, very impressed!

[hamish]

Turns out that the Lenovo bios can be burned to a usb and bootable by following the instructions here: http://positon.org/lenovo-thinkpad-bios ... ux-and-usb.

That being said, the bios mod worked perfectly and all the major keys are fully functional, even page back/forward keys! Only the Fn+F2 (Lock), Fn+F3 (Battery), Fn+F12 (Hibernate) and Fn+Space are missing, like you said in a previous post. They are detected as XF86WakeUp in xbindkeys. These are only minor issues, however. I am very, very impressed!

Good news!
I can list the w530 patch as tested now

I'll have a look at that page, and might be able to add it to the options, too

[brchan]

I should also mention that

Code: Select all

sudo qemu-system-x86_64 -hda /dev/sdb

will have a missing operating system error, after extracting and burning the .img file to the usb, but once you physically boot the usb stick, it works without issue.

Now we can finally start recommending xx30 thinkpads with this bios + classic keyboard mod instead of xx20 models!

[axur-delmeria]

Now we can finally start recommending xx30 thinkpads with this bios + classic keyboard mod instead of xx20 models!

I'm pretty hyped at these recent developments.

Too bad the the local prices for a used X230 is 50% more than an X220.

[harryK]

Now we can finally start recommending xx30 thinkpads with this bios + classic keyboard mod instead of xx20 models!

The xx20 series still has the substantial advantage of being upgradable with new wlan/wwan cards imo.

[hhhd1]

Hi there, i am looking for patches for t530 and t430 for doing the battery check removal only.

I looked here:
https://github.com/hamishcoleman/thinkp ... 35WW.img.d
https://github.com/hamishcoleman/thinkp ... 39WW.img.d

and couldn't find them.

I would really appreciate if someone is able to put them

in my case i Just want to remove the battery check, without changing the keyboard.
I do not currently have a **30 series laptop, but looking to get one.

[nitrocaster]

Hi there, i am looking for patches for t530 and t430 for doing the battery check removal only.

I looked here:
https://github.com/hamishcoleman/thinkp ... 35WW.img.d
https://github.com/hamishcoleman/thinkp ... 39WW.img.d

and couldn't find them.

I would really appreciate if someone is able to put them

in my case i Just want to remove the battery check, without changing the keyboard.
I do not currently have a **30 series laptop, but looking to get one.

You should have been looking for it in zmatt blog: http://www.zmatt.net/wp-content/uploads ... -patch.zip

[hhhd1]

You should have been looking for it in zmatt blog: http://www.zmatt.net/wp-content/uploads ... -patch.zip

this patch looks to be for the x230 only, shouldn't the t530 and t430 need different patches ?

for example. it looks like the x230 vs x230t patches are different for fixing the fn keys.

[nitrocaster]

You should have been looking for it in zmatt blog: http://www.zmatt.net/wp-content/uploads ... -patch.zip

this patch looks to be for the x230 only, shouldn't the t530 and t430 need different patches ?

for example. it looks like the x230 vs x230t patches are different for fixing the fn keys.

Well, to answer that question you should get T530/T430 firmware, disassemble it, find the code that have to be patched and make sure it's at the same address as the one in X230T. Takes a time and effort.

[hamish]

Hi there, i am looking for patches for t530 and t430 for doing the battery check removal only.

I looked here:
https://github.com/hamishcoleman/thinkp ... 35WW.img.d
https://github.com/hamishcoleman/thinkp ... 39WW.img.d

and couldn't find them.

I would really appreciate if someone is able to put them

in my case i Just want to remove the battery check, without changing the keyboard.
I do not currently have a **30 series laptop, but looking to get one.

You should have been looking for it in zmatt blog: http://www.zmatt.net/wp-content/uploads ... -patch.zip

Apparently I am blind - I didnt see that zmatt had published his complete patch!

I have added his x230t patch to the repo, but not confirmed it looks OK or anything. I will try and find some time next week to look closer at that. However, I am not able to test it as I dont have any batteries that are not authentic - so I wouldnt want to add it to any patchset by default...

[harryK]

I would say the best thing to tackle next would be the wifi card whitelist. from my understanding it was a check in the EC firmware which stopped the bios whitelists from being able to pass. So with us now being able to mod the EC firmware would it be possible to edit or remove this check

The white list itself sits in the BIOS portion (.FL1 file) which is non writable. However the actual check is likely performed by the EC, as you say. Zmatt found the error messages related to the battery in LenovoVideoInitDxe.efi. Probably that's the place to start looking for the whitelist check as well.

I too lack the skills to contribute substantially. But I'll be more than happy to test things and report results

[TPFanatic]

Hello.

Is there any chance that the mod will restore the virtual numberpad functionality of the classic keyboard as well?

Thanks.

[hamish]

Hello.

Is there any chance that the mod will restore the virtual numberpad functionality of the classic keyboard as well?

Thanks.

Surprisingly, yes! Even though the x230 had no support for the virtual numberpad, they left all that functionality in the firmware. So, when we added back the keysym for the NumLock key, it all just jumped into life again.

[hamish]

To all those who were looking for fixes for the battery validation, I have ported the patches and updated the repository with them. Since I am unable to test any batteries, I have left these patches disabled for now, but all the data is there if anyone wants to test.

[hamish]

I dont think you need to isolate any pins, I have just re-examined the schematics and can see that the Fuse F5 is protecting against that short circuit. This fuse will blow the first time the laptop is turned on with the new keyboard and the short will stop.

Fuse F5 does not protect against 4 amps being sent through the keyboard connector. And so it wont blow, fortunately for backlit keyboards.

I have attached some wires to pins 25 and 27 of the keyboard (also GND and pin 21 - to make four wires)
http://www.thinkwiki.org/w/images/thumb ... idpins.jpg

Then I connected them up to an oscilloscope
http://www.thinkwiki.org/w/images/thumb ... sc_rig.jpg

Using this, I can see that there does not appear to be any differences for me with either of the two keyboards (or no keyboard) connected.

I have gone over my classic keyboard with a magnifying glass and can see no signs of any heat or blown tracks. I have no issues with any of the keys or trackpad buttons either.

I have been plugging this classic keyboard into the x230 on and off for almost two years - which means there has been plenty of time to observe issues, but it also means that if there was something to blow up, it happened a long time ago - and stayed that way.

I'm going to find some time to do some long duration power usage tests on the x230, with each of neither keyboard, the original keyboard and the classic keyboard. This should identify any extra power leakage that I have not been able to observe, but will take a while to set up and monitor.

[nitrocaster]

I have gone over my classic keyboard with a magnifying glass and can see no signs of any heat or blown tracks. I have no issues with any of the keys or trackpad buttons either.

I have been plugging this classic keyboard into the x230 on and off for almost two years - which means there has been plenty of time to observe issues, but it also means that if there was something to blow up, it happened a long time ago - and stayed that way.

I'm going to find some time to do some long duration power usage tests on the x230, with each of neither keyboard, the original keyboard and the classic keyboard. This should identify any extra power leakage that I have not been able to observe, but will take a while to set up and monitor.

You should remove metal clamp that holds internal keyboard connector to see if there's any damage. Did you test if pins 25, 27, 29 and 31 are connected inside your X220 keyboard?

[hhhd1]

To all those who were looking for fixes for the battery validation, I have ported the patches and updated the repository with them. Since I am unable to test any batteries, I have left these patches disabled for now, but all the data is there if anyone wants to test.

Thanks.

[RealBlackStuff]

While we're at it, is the Slic table (info with LenovoTP-G6) also stored in the EC?

[hamish]

While we're at it, is the Slic table (info with LenovoTP-G6) also stored in the EC?

You are out of luck - the SLIC table is part of the BIOS

[harryK]

To all those who were looking for fixes for the battery validation, I have ported the patches and updated the repository with them. Since I am unable to test any batteries, I have left these patches disabled for now, but all the data is there if anyone wants to test.

I can confirm it working. I tried an X220 29+ battery in my X230. There's no error message at POST and the battery charges fine

Guess this makes getting an X230 motherboard an even more viable option for those wanting to upgrade their X220

Thank you very much hamish

[emeraldgirl08]

I can confirm it working. I tried an X220 29+ battery in my X230. There's no error message at POST and the battery charges fine

Guess this makes getting an X230 motherboard an even more viable option for those wanting to upgrade their X220

Thank you very much hamish

This sounds very promising! Thanks for reporting harryK!

[cros]

Now we can finally start recommending xx30 thinkpads with this bios + classic keyboard mod instead of xx20 models!

The xx20 series still has the substantial advantage of being upgradable with new wlan/wwan cards imo.

The WLAN whitelist can be removed too, but you have to write to the flash chip with an external programmer. All instructions out there make out that the BIOS is unique to a given machine, and so has to be patched rather than overwritten by a one-size-fits-all whitelisted replacement. I don't know if this is actually the case (are MAC addresses stored in there?), but it makes it a bit more involved than it needs to be - on two levels.

The BIOS write-protects that region of flash before booting - a write-once register in the Intel chipset that is only cleared by a hard reset, but then immediately re-written by the BIOS before booting. The standard update procedure writes the new image to a dummy area (RAM?) before setting a flag and rebooting. When the BIOS sees the flag, it examines the image and checks the cryptographic signature. If it matches, the BIOS will re-write itself in flash before rebooting. This also means that mis-flashing from Windows, messed up by virus scanners etc. is a thing of the past.

This is mostly done in the name of protection from virus/trojan/malware and makes sense in a modern context. It also serves to lock the whitelist better than in previous generations, which probably ticks some FCC-related box for manufacturers. If I was being unkind, I'd wonder about planned obsolescence and forced upgrades; an Ivy Bridge machine without wireless-AC support is tragic!

This BIOS update routine is entirely separate and parallel to the EC firmware update, which has been reverse engineered (amazing work by all concerned). Somehow finding the signing key for the BIOS would grant similar access to the non-EC portion of things, but it probably has more cryptographic strength to begin with.

This setup isn't unique to Lenovo, but is employed by Dell and HP too - probably driven by Intel. There are some papers published about fuzzing the update procedure to overflow and break out of the BIOS signature check, but compared to finding such flaws in the implementation or the signing key, spending 15 minutes with a Raspberry Pi and a $5 SOIC clip seems trivial.

While modifying to remove the whitelist, you could probably modify to remove the SMM write-protect lock too - risking virus/trojan BIOS installations, but making your xX30 easy to update without hardware tools in the future. It doesn't give a way to avoid hardware tools for the first flash though.

It's daunting until you work through it, but relatively low risk except for the hardware aspect. You can always reflash with the backup you take if you mess up and brick due to the software modification.

You don't even need to solder:
https://www.bios-mods.com/forum/Thread- ... 4#pid91134
https://github.com/bibanon/Coreboot-Thi ... st-Removal
https://www.coreboot.org/Board:lenovo/x230#Flashing
https://www.bios-mods.com/forum/Thread- ... o-thinkpad

[hhhd1]

Lenovo have released other laptops with ivy-bridge and pheonix bios, without any protection.

I am guessing (and hoping) that they are using some simple hash checking with the BIOS, just like the EC.

If no one have actually verified this, lets not assume they are doing something like HP does with their signed BIOS.

[4bpp]

Anyway, I'll try what you said. I'm still waiting for the X220 keyboard I ordered to arrive (so I can't quite see for myself yet), but do you think the location to apply duct tape to is fairly obvious once you take it apart? (Some contact just being held together with pressure...?)

I made a 2-picture manual - see here.

So I've removed the clamp holding down the part of the assembly I assume your image depicts, but the connector still seems to be held down by a sort of sticky plastic foam contraption between two sheets of metal. Should I try to pull the bent-around part of the connector out of there (towards the bottom right of the picture) or do I need to disassemble more of it first? I'm slightly worried about breaking the wires in the plastic if I wind up bending it with too much force.

edit: I've figured it out. I'll post a real-photo guide to replicating what nitrocaster did in a bit (turns out to actually be fairly painless); for now, the last holdup for me is to sort out the palmrest situation... X220T palmrests seem to be expensive and pretty hard to come by.

[Tasurinchi]

Sorry for the dumb question, but how exactly is the patch applied to the standard ISO image? The wiki just mentions to use a tool hexpatch.pl but I can only see some coding in that file.

A step by step would be much appreciated (can be useful for non coders/programmers/dummies)

[hamish]

Sorry for the dumb question, but how exactly is the patch applied to the standard ISO image? The wiki just mentions to use a tool hexpatch.pl but I can only see some coding in that file.

A step by step would be much appreciated (can be useful for non coders/programmers/dummies)

The hexpatch.pl is a perl script that will apply a binary patch (in this case, to the Lenovo ISO file). I was unable to find any remotely standard binary patch process that would work under Windows (especially since "download this random binary from a site you have never heard of and patch your firmware with it" is a relatively untrustworthy process) so, the current best process is to use Linux.

If you are running Linux, then the following steps run the patching correctly and spit out the patched ISO file:

Code: Select all

git clone https://github.com/hamishcoleman/thinkpad-ec
cd thinkpad-ec
make list_iso
# choose the right iso for your laptop from the list
make xxxxxxxx.iso

(This is not a dumb question by the way - I spent quite a lot of time trying to work out better answers and was not able to...)

[theamdman]

hamish,

I've tested the EC mod for the T430. I finally go around to flashing it tonight, It works flawlessly. Thank you for your service.

[Tasurinchi]

If you are running Linux, then the following steps run the patching correctly and spit out the patched ISO file:

Nice! Thanks a lot hamish!

I was trying yesterday the cheapskate version of modifying a xx20 keyboard with my dremel, my intention was to patch my X230 immediately, but I couldn't figured out how...

I will then try to patch my X230 during this week following your instructions, it would be good if you could add those steps in the wiki page IMO.