[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH 11/20] import util/dell-flash-unlock from lbmk 09bed9a4
|
From: |
Leah Rowe |
|
Subject: |
[PATCH 11/20] import util/dell-flash-unlock from lbmk 09bed9a4 |
|
Date: |
Sun, 14 Jan 2024 15:55:28 +0000 |
From: Leah Rowe <leah@libreboot.org>
check the readme file for instructions. this is used to unlock
the flash on various dell machines, including the e6400, to
enable internal flashing from factory bios to coreboot-based
firmware such as gnuboot
Signed-off-by: Leah Rowe <leah@libreboot.org>
---
util/dell-flash-unlock/COPYING | 19 ++
util/dell-flash-unlock/Makefile | 15 ++
util/dell-flash-unlock/README.md | 134 +++++++++++++
util/dell-flash-unlock/accessors.c | 91 +++++++++
util/dell-flash-unlock/accessors.h | 17 ++
util/dell-flash-unlock/dell_flash_unlock | Bin 0 -> 16992 bytes
util/dell-flash-unlock/dell_flash_unlock.c | 217 +++++++++++++++++++++
7 files changed, 493 insertions(+)
create mode 100644 util/dell-flash-unlock/COPYING
create mode 100644 util/dell-flash-unlock/Makefile
create mode 100644 util/dell-flash-unlock/README.md
create mode 100644 util/dell-flash-unlock/accessors.c
create mode 100644 util/dell-flash-unlock/accessors.h
create mode 100755 util/dell-flash-unlock/dell_flash_unlock
create mode 100644 util/dell-flash-unlock/dell_flash_unlock.c
diff --git a/util/dell-flash-unlock/COPYING b/util/dell-flash-unlock/COPYING
new file mode 100644
index 0000000..bf82341
--- /dev/null
+++ b/util/dell-flash-unlock/COPYING
@@ -0,0 +1,19 @@
+Copyright (c) 2023 Nicholas Chin
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/util/dell-flash-unlock/Makefile b/util/dell-flash-unlock/Makefile
new file mode 100644
index 0000000..fae52de
--- /dev/null
+++ b/util/dell-flash-unlock/Makefile
@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: MIT
+# SPDX-FileCopyrightText: 2023 Nicholas Chin
+
+CC=cc
+CFLAGS=-Wall -Wextra -Werror -O2 -pedantic
+ifeq ($(shell uname), OpenBSD)
+ CFLAGS += -l$(shell uname -p)
+endif
+SRCS=dell_flash_unlock.c accessors.c
+
+all: $(SRCS) accessors.h
+ $(CC) $(CFLAGS) $(SRCS) -o dell_flash_unlock
+
+clean:
+ rm -f dell_flash_unlock
diff --git a/util/dell-flash-unlock/README.md b/util/dell-flash-unlock/README.md
new file mode 100644
index 0000000..f7b6ae3
--- /dev/null
+++ b/util/dell-flash-unlock/README.md
@@ -0,0 +1,134 @@
+# Dell Laptop Internal Flashing
+
+This utility allows you to use flashrom's internal programmer to program the
+entire BIOS flash chip from software while still running the original Dell
+BIOS, which normally restricts software writes to the flash chip. It seems like
+this works on any Dell laptop that has an EC similar to the SMSC MEC5035 on the
+E6400, which mainly seem to be the Latitude and Precision lines starting from
+around 2008 (E6400 era).
+
+## TL;DR
+
+### Linux specific
+- On Linux, ensure you are booting with the `iomem=relaxed` kernel parameter.
+- If you get a "Function not implemented" error, ensure that your kernel has
+ "CONFIG_X86_IOPL_IOPERM" set to "y". Here are several common locations for
+ the config and how to check them:
+ - `zcat /proc/config.gz | grep IOPL`
+ - `grep IOPL /boot/config`
+ - `grep IOPL /boot/config-$(uname -r)`
+ If it says it is not set, then you will need to install or compile a kernel
+ with that option set.
+
+### OpenBSD
+- On OpenBSD, ensure you are booting with securelevel set to -1.
+
+### General
+Make sure an AC adapter is plugged into your system
+
+Run `make` to compile the utility, and then run `./dell_flash_unlock` with
+root/superuser permissions and follow the directions it outputs.
+
+## Confirmed supported devices
+- Latitude E6400, E6500
+- Latitude E6410, E4310
+- Latitude E6420, E6520
+- Latitude E6430, E6530, E5530
+- Latitude E7240
+- Precision M6800, M5800
+
+It is likely that any other Latitude/Precision laptops from the same era as
+devices specifically mentioned in the above list will work as Dell seems to use
+the same ECs in one generation.
+
+## Tested
+These systems have been tested, but were reported as not working with
+dell-flash-unlock. This could be due to user error, a bug in this utility, or
+the feature not being implemented in Dell's firmware. If you have such a
system,
+please test the utility and report whether or not it actually works for you.
+
+- Latitude E6220
+- Latitude E6330
+
+## Detailed device specific behavior
+- On GM45 era laptops, the expected behavior is that you will run the utility
+ for the first time, which will tell the EC to set the descriptor override on
+ the next boot. Then you will need to shut down the system, after which the
+ system will automatically boot up. You should then re-run the utility to
+ disable SMM, after which you can run flashrom. Finally, you should run the
+ utility a third time to reenable SMM so that shutdown works properly
+ afterwards.
+- On 1st Generation Intel Core systems such as the E6410 and newer, run the
+ utility and shutdown in the same way as the E6400. However, it seems like the
+ EC no longer automatically boots the system. In this case you should manually
+ power it on. It also seems that the firmware does not set the BIOS Lock bit
+ when the descriptor override is set, making the 2nd run after the reboot
+ technically unnecessary. There is no harm in rerunning it though, as the
+ utility can detect when the flash is unlocked and perform the correct steps
+ as necessary.
+
+## How it works
+There are several ways the firmware can protect itself from being overwritten.
+One way is the Intel Flash Descriptor (IFD) permissions. On Intel systems, the
+flash image is divided into several regions such as the IFD itself, Gigabit
+Ethernet (GBE) non-volative memory, Management Engine (ME) firmware, Platform
+Data (PD), and the BIOS. The IFD contains a section which specifies the
+read/write permissions for each SPI controller (such as the host system) and
+each region of the flash, which are enforced by the chipset.
+
+On the Latitude E6400, the host has read-only access to the IFD, no access to
+the ME region, and read-write access to the PD, GBE, and BIOS regions. In order
+for flashrom to write to the entire flash internally, the host needs full
+permissions to all of these regions. Since the IFD is read only, we cannot
+change these permissions unless we directly access the chip using an external
+programmer, which defeats the purpose of internal flashing.
+
+However, Intel chipsets have a pin strap that allows the flash descriptor
+permissions to be overridden depending on the value of the pin at power on,
+granting RW permissions to all regions. On the ICH9M chipset on the E6400, this
+pin is HDA\_DOCK\_EN/GPIO33, which will enable the override if it is sampled
+low. This pin happens to be connected to a GPIO controlled by the Embedded
+Controller (EC), a small microcontroller on the board which handles things like
+the keyboard, touchpad, LEDs, and other system level tasks. Software can send a
+certain command to the EC, which tells it to pull GPIO33 low on the next boot.
+
+Although we now have full access according to the IFD permissions, we still
+cannot flash the whole chip, due to another protection the firmware uses.
+Before software can update the BIOS, it must change the BIOS Write Enable
+(BIOSWE) bit in the chipset from 0 to 1. However, if the BIOS Lock Enable (BLE)
+bit is also set to 1, then changing the BIOSWE bit triggers a System Management
+Interrupt (SMI). This causes the processor to enter System Management Mode
+(SMM), a highly privileged x86 execution state which operates transparently to
+the operating system. The code that SMM runs is provided by the BIOS, which
+checks the BIOSWE bit and sets it back to 0 before returning control to the OS.
+This feature is intended to only allow SMM code to update the system firmware.
+As the switch to SMM suspends the execution of the OS, it appears to the OS
+that the BIOSWE bit was never set to 1. Unfortunately, the BLE bit cannot be
+set back to 0 once it is set to 1, so this functionality cannot be disabled
+after it is first enabled by the BIOS.
+
+Older versions of the E6400 BIOS did not set the BLE bit, allowing flashrom to
+flash the entire flash chip internally after only setting the descriptor
+override. However, more recent versions do set it, so we may have hit a dead
+end unless we force downgrade to an older version (though there is a more
+convenient method, as we are about to see).
+
+What if there was a way to sidestep the BIOS Lock entirely? As it turns out,
+there is, and it's called the Global SMI Enable (GBL\_SMI\_EN) bit. If it's set
+to 1, then the chipset will generate SMIs, such as when we change BIOSWE with
+BLE set. If it's 0, then no SMI will be generated, even with the BLE bit set.
+On the E6400, GBL\_SMI\_EN is set to 1, and it can be changed back to 0, unlike
+the BLE bit. But there still might be one bit in the way, the SMI\_LOCK bit,
+which prevents modifications to GBL\_SMI\_EN when SMI\_LOCK is 1. Like the BLE
+bit, it cannot be changed back to 0 once it set to 1. But we are in luck, as
+the vendor E6400 BIOS leaves SMI\_LOCK unset at 0, allowing us to clear
+GBL\_SMI\_EN and disable SMIs, bypassing the BIOS Lock protections.
+
+There are other possible protection mechanisms that the firmware can utilize,
+such as Protected Range Register settings, which apply access permissions to
+address ranges of the flash, similar to the IFD. However, the E6400 vendor
+firmware does not utilize these, so they will not be discussed.
+
+## References
+- Open Security Training: Advanced x86: BIOS and SMM Internals - SMI
Suppression
+ -
https://opensecuritytraining.info/IntroBIOS_files/Day1_XX_Advanced%20x86%20-%20BIOS%20and%20SMM%20Internals%20-%20SMI%20Suppression.pdf
diff --git a/util/dell-flash-unlock/accessors.c
b/util/dell-flash-unlock/accessors.c
new file mode 100644
index 0000000..6fca281
--- /dev/null
+++ b/util/dell-flash-unlock/accessors.c
@@ -0,0 +1,91 @@
+/* SPDX-License-Identifier: MIT */
+/* SPDX-FileCopyrightText: 2023 Nicholas Chin */
+
+#if defined(__linux__)
+#include <sys/io.h>
+#endif
+
+#if defined(__OpenBSD__)
+#include <machine/sysarch.h>
+#include <sys/types.h>
+#if defined(__amd64__)
+#include <amd64/pio.h>
+#elif defined(__i386__)
+#include <i386/pio.h>
+#endif /* __i386__ */
+#endif /* __OpenBSD__ */
+
+#include <errno.h>
+
+#include "accessors.h"
+
+uint32_t
+pci_read_32(uint32_t dev, uint8_t reg)
+{
+ sys_outl(PCI_CFG_ADDR, dev | reg);
+ return sys_inl(PCI_CFG_DATA);
+}
+
+void
+pci_write_32(uint32_t dev, uint8_t reg, uint32_t value)
+{
+ sys_outl(PCI_CFG_ADDR, dev | reg);
+ sys_outl(PCI_CFG_DATA, value);
+}
+
+void
+sys_outb(unsigned int port, uint8_t data)
+{
+ #if defined(__linux__)
+ outb(data, port);
+ #endif
+ #if defined(__OpenBSD__)
+ outb(port, data);
+ #endif
+}
+
+void
+sys_outl(unsigned int port, uint32_t data)
+{
+ #if defined(__linux__)
+ outl(data, port);
+ #endif
+ #if defined(__OpenBSD__)
+ outl(port, data);
+ #endif
+}
+
+uint8_t
+sys_inb(unsigned int port)
+{
+ #if defined(__linux__) || defined (__OpenBSD__)
+ return inb(port);
+ #endif
+ return 0;
+}
+
+uint32_t
+sys_inl(unsigned int port)
+{
+ #if defined(__linux__) || defined (__OpenBSD__)
+ return inl(port);
+ #endif
+ return 0;
+}
+
+int
+sys_iopl(int level)
+{
+#if defined(__linux__)
+ return iopl(level);
+#endif
+#if defined(__OpenBSD__)
+#if defined(__i386__)
+ return i386_iopl(level);
+#elif defined(__amd64__)
+ return amd64_iopl(level);
+#endif /* __amd64__ */
+#endif /* __OpenBSD__ */
+ errno = ENOSYS;
+ return -1;
+}
diff --git a/util/dell-flash-unlock/accessors.h
b/util/dell-flash-unlock/accessors.h
new file mode 100644
index 0000000..a19f215
--- /dev/null
+++ b/util/dell-flash-unlock/accessors.h
@@ -0,0 +1,17 @@
+/* SPDX-License-Identifier: MIT */
+/* SPDX-FileCopyrightText: 2023 Nicholas Chin */
+
+#include <stdint.h>
+
+#define PCI_CFG_ADDR 0xcf8
+#define PCI_CFG_DATA 0xcfc
+#define PCI_DEV(bus, dev, func) (1u << 31 | bus << 16 | dev << 11 | func << 8)
+
+uint32_t pci_read_32(uint32_t dev, uint8_t reg);
+void pci_write_32(uint32_t dev, uint8_t reg, uint32_t value);
+
+int sys_iopl(int level);
+void sys_outb(unsigned int port, uint8_t data);
+void sys_outl(unsigned int port, uint32_t data);
+uint8_t sys_inb(unsigned int port);
+uint32_t sys_inl(unsigned int port);
diff --git a/util/dell-flash-unlock/dell_flash_unlock
b/util/dell-flash-unlock/dell_flash_unlock
new file mode 100755
index
0000000000000000000000000000000000000000..1c24dd6b21fb6820f818dd8e0f1cf331e05c416a
GIT binary patch
literal 16992
zcmeHOeQ;FQb-ycwEn}jUF{FGr=9!op9JEL_5MhV1LLaPBVF(hjT|0TKcAuoJ_p7^a
z5%Nd9bitDy4`a3CNiuQTQCfFGlenR&ha}X21vw7&xUNV$wWiK=)YO?-)nG_X2(b;@
z-?{gm)!UbqJLw;t{;^l{_T2kBANSnz?z_78-FKht>g}%ccm$_;;&%j<_AXM0Uo*z<
z(HRiGXcHg7?@Dp2xDMrdi7CEc5pY$Ss;i_88lMMBdP^x&h2ElI!IV8DN_ump<n@Zf
zR5YnF>CLCCF1zVjY6ucj=9lX;BwGj<{hl-`1XHITnVf7^dXrl!>3$uTF-=*IiljHK
z^`^C6nUX`q*OcQ)F`=tX$J0#>@F*GbR|vP>16t2bJGDGhs)JJB&+PF3roLTTFS|<F
zanlzSESPeApMjpfMOxy+3E$@3y1u#YLyL|-Qyo^ZJ{lR=v|)WT+#HR>Gy9wOw{2?P
zw8587`0kPwlV4N^-Tv+O?GbfZQ6P-<DZdyOg_Zcfe_>zzwNLdYuUq!{#mE1-Vco-%
zYwuwjq(d^4NS?a{l_|dv7s;shA3#oFM9*5U$B53AehUo!C|8KI&4H(Z8x@kOK=oI%
z(=!K7zE+ce2DpLCo$dorO`fo7_@4ncaJkcs0IJEa1+KeXrAjhmr$r=@jEYP;YFSB<
zNLq1Wnz;WVGi?V`wiydX2np>EnuC#eFdBK(LeWa4;t4aF2nFp(A}(UFU{U}Rq)7c_
zli1$dv#rCt%XgP=V>y5K24VK}?=Ztw${LEKZ7bEkqa&J#Tm8X-D489KCE~hXQ;Aj;
zq@FPky<(pHQ&jz`=6S&1jVwP0ndOlisCPZAu^0dNi?~H~VpvCm$0r^a{5LDclpcQ=
z7aI5b6`ye~7q%*#?mzVzPG=mr9%>|O(t+!tTjEm=d;uE)op#{#T$Gbv<;Vs-Gn^Xy
zDn~dyZ=9O^Do3~;!X>cOfve|D$r%ou+f1A_4jch4rxpiJeX^En5vWC=7J*s>Y7wYK
zpcaAuFA)gj&NT#{p8v!3LIe&K?7GrqAop^^MA^O4##g~At$q!^-j#mjs60&knduVJ
z>eE!Fsou<_EFY&bO~Gagviuz?)0A)Ks4Rbj$}|<58JFchr!q~!X2xXsD^#Yb*GyKH
z??HKR3}u=2oFr3y<aUu3M7b*^@4+RgK5)1>>J_5(a%&-wzfgQ0y7>voy$#$G7ol}h
zToKvgr%~4lKNs^qEN%wSo}X#YPko=7k(<sQCwf9asI}C7;NJxrGMJx#8yqR#0=t3y
z{Es0Ykk<biqL;Jtv7RzAJ;i1;>`)=IwzX7D$*lL_-$Ed8c+1V0i5FkLRw@<0kDsTZ
z{c^)YpPMK?C&lb75cvX$d=uQa-z?T6g1Lgnd+<+``df|QJp*2Aq4)rJ5dRfHkCXVf
zPLjh#n&1K-B{N~dpDpeH2^`+o2GOV6p!x*L#Wn?YGdN7(#|g~8Bc<*qV3CsQh1AI>
zVE#vfeqm!XaW7q!hL`*rcLlhEKJUtd5Ef#r^?XnM?B@gdp9XSoUEI~*)mmu%d-%8!
zQl%wZ@si`xtT6R2@css9;PCu!5ZQdiUV`p<E9KEWZzxTBS7yoZgr<-`AmukcN@VS|
zK>lLj)H_=Pr>@KkcwPydy=E_lf%EH>frirbpm$~Gtp2;+Ti?rW*#cdW`NW<;Zp*8X
z6oLHD?1h1+w@|&sQ8cv}hQF`OUxKpdbEvyqKk3hmfXV()$9&@h8Jy>_K&cGfH82L9
z4Hoe2ENb+AH(QS`G<d4`k=(RrVpe3&4`930*ZL;)_`@6il)|d|@gJcV<WHaa&!!`u
zU;fzJ`S$7$N<tj?X%ki<n@`(!<R(11_v<sS<*t_OTMln{;ULT$zX?pK?e`wLT-*x_
zt>>vD=8NcxGA?^gETS67$`6Wo)YOyqSxBD1B~Frs;&xKJEQN~q66<?q);bjFK5BOE
zyr;MfkkVUEIkK9cDBg@v9DLKRKXm@de>!yDzMh|lzoY&$+y1`%yYTgws;+-TH}@WU
zR~mb0<`ha}ds;6mKlATP896X~-62=}3JSCK9DW@DL;3Y3%4xqId%wD0^nBpH@0pE?
zjF-b+YuVm*hrLfY?B%X{mKAhE9sT9RPs%s-1?1%Db7YmhHh0D|%kmzZEPfl@S)`an
z5xpgUI<E$8ihE!FeeZX-?7I`3AGH);hXjg4DCSS+rmy8*^&EOL|1aLoi^LsM+#W6b
zHDzw|)I;893*KV|bO=9&sdEjmuv*JJ0U2rlbyC@W+?-dAUqMH|;mU>MAAp{paNNDY
zG2-XXR!HQ}T$sQ^s0N7q#r%8kIQl!4!7dLV`S;E_4UXmCtEgaX=DA;$(C?+6<k$rA
zwN#5hEdsR&)FM!eKrI5b2-G4lcLZpks6P_35*gbV8ID9PV<Z@{Bk>_)Fp)C4I&Kpk
ziA*$X#1pm=427(8+UVJ7Bois@nyn98`_{*-m_r1cV8-r_ZSA5X7{9|N8zaF~*yvfm
z)36gp@2(DqY&eppJujngM^E}T_OQ>2hpG1N&YebLANJECVao_5u)7uylZmbl^&vuc
zG?*SXI<0gl6-nA~btem3ak3irE$ACYo5G2axUnXjAa7FEKq6tUMO#LE3l{VbTd-!t
zf}=(-V<(!4XC&fAIuWys^eDFGV(EL0$e?VxJ#57x8qWly(NQ#i#7aTdx4^ic7~pCR
zgRG=cQz}DnByD8uNHk)PlJD3&jKJwk9GixZppiZ_ni_BDNQ8YxPaHdf*kUvWseKfP
z^stQoNFw!!a@=SigiKjr9V%<CR-1~0j4u3KlSVXTFyPZbW@u;>w;Qg@`hzK}?891h
zCscgNf9Wm7^Fw{3wosDx%D3RbM8*gO<K#FRq8*rx7L+_I=G{ws{Y!9-pT|@lODE%<
zQfUon3n+ajF@2#_ngoCHVyWZ@E`DAr^^+VZy?Gh~9i#Gpl}ayx`a!2akAl*B6!C7U
zMC;OBpq-%OptSZafF1#z27L)sTtYpdO`vaq8lYD|TR<0L)#?W|Kq=AQJ|)kiyM<?e
zlV`=k>l?;A*EbPP->fvi=T#)2Q+0VEZU>*_zkIG#%93njQ+MOiPkV11X~>GL%kRDO
z?%Smq(#LBHaS?LP{YSj(k$bvd;QBfnn+QwddLGzEK`Bu^wBkAn>=6Rm8=Ic0LshwX
z-Hk@wgN;i&8k^c18`gmJEnHV1cc?74i{v^XH@u*6DKsJ2exq0l{uHi<abH$y*&Ixf
ze`MzpuD#&JH1Dap0NMFn*!hgp4*6!_emxJ_p0cd;4Rt=oHOiO=Aom*NdPxp#t=rz%
zKz{56UXOktad?=ktLr33C~l8~*9P7St<wj_I^>@Pe)R29=`TSY@t}5|cKSzZ6w{X>
z*91Fy3tVE<&u#%m-&s&1xpTnQ0OS2*!Z6H=+g;dVVAO}}iH}5bYk-kGC-x~|OM%f#
z(psuTpca8z1ZokeMW7aeS_Iq?;P3YMJ3X4(P};4C{FYQ^<)lR5J8qTE=!xPoUFPor
z<(vr^&FLsDS48l4fi!oe#Qa}eD<!BruII_+Ig8Hloal_^FCbwg+Ciek-^$UPjuNd4
zoJp&RqW%sLQzMy<Xv*_!{+5vEWoLB7j5p{q`(4ob*xr(f>&NbmY!5&wid`UCp3?2X
zu9_@!oG~?(W&R!<yA!g^erxmp=Y+o>cUQbg_k(UtKdb4Wru#H~O4BcD%69yImD}FY
zagVX4(;A3ixz|eHytXvAZdj|cEdA@0;#Q9Zots1V!2{0YI&g*-pt*N7`8$Bu39s0t
zC+DlQJiRTbCf}vy$7s9Lk+vgGb_y>1_cYGW6{{qX@!+Wl_!Ywa;BkpBDL*HQE5u(Q
zL-xzhsb+jz$}blD+_60E;8pW~u6F&av~#m~aWz|*rPb^drTj;QyMO##sx1=yeLh>M
zM*}@r`SJ6|_;TQjC~o=zlxsdPe_P|@`o74uC-6^dyhT6Ya@_}ftHjyrEPZ$md{o=X
zYCCfM2ere%jal__t_cH%A(n|Ye;JaQztVQb^f<`l)ORFaDNCgZE$`Rzye6bAYKp^A
zjq^J04d6|vm-`7@{5O)XYZ5&EGX9pd!=+jJ3vGYgW&i3N@{MRO)$4BW3K@r4yPUfd
z_)T@ogx}AIqMsxjf5K2@ZdW&OYVTg{50AHf60fvDrI41NbltC%#tYhx9$v*`z?<-V
z?e$mMqP4TES3jq#G&`&DtiB=IoOlK}*>T7JIW2!wk8AQ>0BntGd|dZu`F;cV3lgvN
zg-Y~w1o>m=3i<!$KLEc8^*-QNI{g3U4Z;y;w?F>@+)$zwzgM+=`GN_YLz>%w@saHB
z@+$yhGI@co(s?Jj6ZoRKg%pg6)IvD?&uag<|8JIfg{Ug@g;I8_FM$&a!GVZr2Zu!1
zibhTO-qKVr4SgYz#_L?u3Yno;*q6jv3SWzWUfRy!BY_Y!_-un|$IK8NgGj?*IAIP&
z69d7h8OEF4v>D9o7kCAnj9NC{L$*|xpraWPGnh&RM@=hkr$)tKDj2iOa3&TTg^HtO
zLej1fRd2RY7o0N9?%nM>y3DToI!&Cw=zQ?L_8mPPfN?~}><VaZpmVn{xA*Sc*4}IG
z?C$RC>Noq_xAk_J&L)e{uoZg5j3z@k?-5FbEkQ5W5f4~%oiFk8VG%kY;yPPW=FveC
zWpW^rNSh<6h;5;<A9|t$Z?a9i+>Z)6=u%-R8H$)GD;PHKzDtl)Bpwx}6%N`#A%iK8
zv{Yy)sR4Ohrh<Wc1~qkT1@2d#VKKw$ggK1&_jJCcXD6iahTqJjt*{^$R4d>EUiMcQ
zO<T4(G!Qk@u?RI%R!--1PzZ}5FbC05a6-q<P^TG4r*-}ExQ>oZ2rV3vM|vtuleWWj
zDl`x@W3dSJW*o=iTTkb7xPw-l(m{tN=TN^$#s-3EI=ACI9aK@5>}}F}+=c;t%BVs@
z_|l^>J2(JprxYFLT!c0RlER1m7t1#k&-jul98gNxqYh{w6TvyPNLWMd+j^Smd6eSA
z*hUb(@Ms)WC~Bt^2m2*yI=Cdobio8KWkrLepmWKnEqwIA2p_V(p#(CvwI9Fqz(FV>
zdyLN-){oe57)H3HRMoSlG&qkMg0V;l)hBGS4Ckol`EVbFk2ZYp5LX#?ep86XVf<^v
zoJ*yp7|$p%<@Jj~l`Q9pejFFA8Cbtf>oYaLb0!|&8QX-6Q~v?2&-8W{)Rh0PGEDO#
zr#{bznHnspsayYk;FqxmVgGqu#+2*l@!su!5c;$xV|`w?F>RyZB9V`jWqn>hMSxM0
zSzqu!c1?NR2N9XHIWCGnK#tZ}tk3HzrpvV?`_FPr{}6myvvHZ%ZA@FVzT1Bdi^IrJ
zOj*CYZqyYPv>?~-ZvU6G{x&Vg>rkdg9QqV9xBl0FQB2r=`Tw^5|IPC)ZASXad7@v%
z<<vK{9@8udITB9`n0_5Rr~bHRFlB$)1eci}b?Ngwi|LYb!;}TCm+c*M>GM39DXkNo
z$=&~70+amb`zH)7t?83xhQirzEhSz?#;MQiA*L^~pr-Enf9%q4qX7kpY4(4p|0j@b
z#HELg^7@d^GrRreGSeb-y$*eTZ!^^l5Q*hfX|~MxB{1j~as9kbET2!O;2_cSLy7hH
zK7JDziLgGO4=t=GX|+$Na_X1$nO+6#)aP|)QS0w=DkIN&Os|8oQ=ivCZ7oWX{bVz&
z$K{1kCXD^(`FcR>^Ek)yZvC5d{aT#G1ncv<f*Is1B`0-t5y>Cc1}F76`Z1uiRN?yB
mFM2-Mcd4j<+UOq>Qm>22^(ro{EvoAu+^i&M-S14UqWEu~pbCZn
literal 0
HcmV?d00001
diff --git a/util/dell-flash-unlock/dell_flash_unlock.c
b/util/dell-flash-unlock/dell_flash_unlock.c
new file mode 100644
index 0000000..174a1c9
--- /dev/null
+++ b/util/dell-flash-unlock/dell_flash_unlock.c
@@ -0,0 +1,217 @@
+/* SPDX-License-Identifier: MIT */
+/* SPDX-FileCopyrightText: 2023 Nicholas Chin */
+
+#include <sys/mman.h>
+
+#include <err.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include "accessors.h"
+
+int get_fdo_status(void);
+int check_lpc_decode(void);
+void ec_set_fdo();
+void write_ec_reg(uint8_t index, uint8_t data);
+void send_ec_cmd(uint8_t cmd);
+int wait_ec(void);
+int check_bios_write_en(void);
+int set_gbl_smi_en(int enable);
+int get_gbl_smi_en(void);
+
+#define EC_INDEX 0x910
+#define EC_DATA 0x911
+#define EC_ENABLE_FDO 2
+
+#define LPC_DEV PCI_DEV(0, 0x1f, 0)
+
+#define RCBA_MMIO_LEN 0x4000
+
+/* Register offsets */
+#define SPIBAR 0x3800
+#define HSFS_REG 0x04
+#define SMI_EN_REG 0x30
+
+volatile uint8_t *rcba_mmio;
+uint16_t pmbase;
+
+int
+main(int argc, char *argv[])
+{
+ int devmemfd;
+ (void)argc;
+ (void)argv;
+
+ if (sys_iopl(3) == -1)
+ err(errno, "Could not access IO ports");
+ if ((devmemfd = open("/dev/mem", O_RDONLY)) == -1)
+ err(errno, "/dev/mem");
+
+ /* Read RCBA and PMBASE from the LPC config registers */
+ long int rcba = pci_read_32(LPC_DEV, 0xf0) & 0xffffc000;
+ pmbase = pci_read_32(LPC_DEV, 0x40) & 0xff80;
+
+ /* FDO pin-strap status bit is in RCBA mmio space */
+ rcba_mmio = mmap(0, RCBA_MMIO_LEN, PROT_READ, MAP_SHARED, devmemfd,
+ rcba);
+ if (rcba_mmio == MAP_FAILED)
+ err(errno, "Could not map RCBA");
+
+ if (get_fdo_status() == 1) { /* Descriptor not overridden */
+ if (check_lpc_decode() == -1)
+ err(errno = ECANCELED, "Can't forward I/O to LPC");
+
+ printf("Sending FDO override command to EC:\n");
+ ec_set_fdo();
+ printf("Flash Descriptor Override enabled.\n"
+ "Shut down (don't reboot) now.\n\n"
+ "The EC may auto-boot on some systems; if not then "
+ "manually power on.\n When the system boots rerun "
+ "this utility to finish unlocking.\n");
+ } else if (check_bios_write_en() == 0) {
+ /* SMI locks in place, try disabling SMIs to bypass them */
+ if (set_gbl_smi_en(0)) {
+ printf("SMIs disabled. Internal flashing should work "
+ "now.\n After flashing, re-run this utility "
+ "to enable SMIs.\n (shutdown is buggy when "
+ "SMIs are disabled)\n");
+ } else {
+ err(errno = ECANCELED, "Could not disable SMIs!");
+ }
+ } else { /* SMI locks not in place or bypassed */
+ if (get_gbl_smi_en()) {
+ /* SMIs are still enabled, assume this is an Exx10
+ * or newer which don't need the SMM bypass */
+ printf("Flash is unlocked.\n"
+ "Internal flashing should work.\n");
+ } else {
+ /* SMIs disabled, assume this is an Exx00 after
+ * unlocking and flashing */
+ set_gbl_smi_en(1);
+ printf("SMIs enabled.\n"
+ "You can now shutdown the system.\n");
+ }
+ }
+ return errno;
+}
+
+int
+get_fdo_status(void)
+{
+ return (*(uint16_t*)(rcba_mmio + SPIBAR + HSFS_REG) >> 13) & 1;
+}
+
+int
+check_lpc_decode(void)
+{
+ /* Check that at a Generic Decode Range Register is set up to
+ * forward I/O ports 0x910 and 0x911 over LPC for the EC */
+ int i = 0;
+ int gen_dec_free = -1;
+ for (; i < 4; i++) {
+ uint32_t reg_val = pci_read_32(LPC_DEV, 0x84 + 4*i);
+ uint16_t base_addr = reg_val & 0xfffc;
+ uint16_t mask = ((reg_val >> 16) & 0xfffc) | 0x3;
+
+ /* Bit 0 is the enable for each decode range. If disabled, note
+ * this register as available to add our own range decode */
+ if ((reg_val & 1) == 0)
+ gen_dec_free = i;
+
+ /* Check if the current range register matches port 0x910.
+ * 0x911 doesn't need to be checked as the LPC bridge only
+ * decodes at the dword level, and thus a check is redundant */
+ if ((0x910 & ~mask) == base_addr) {
+ return 0;
+ }
+ }
+
+ /* No matching range found, try setting a range in a free register */
+ if (gen_dec_free != -1) {
+ /* Set up an I/O decode range from 0x910-0x913 */
+ pci_write_32(LPC_DEV, 0x84 + 4 * gen_dec_free, 0x911);
+ return 0;
+ } else {
+ return -1;
+ }
+}
+
+void
+ec_set_fdo()
+{
+ /* EC FDO command arguments for reference:
+ * 0 = Query EC FDO status
+ * 2 = Enable FDO for next boot
+ * 3 = Disable FDO for next boot */
+ write_ec_reg(0x12, EC_ENABLE_FDO);
+ send_ec_cmd(0xb8);
+}
+
+void
+write_ec_reg(uint8_t index, uint8_t data)
+{
+ sys_outb(EC_INDEX, index);
+ sys_outb(EC_DATA, data);
+}
+
+void
+send_ec_cmd(uint8_t cmd)
+{
+ sys_outb(EC_INDEX, 0);
+ sys_outb(EC_DATA, cmd);
+ if (wait_ec() == -1)
+ err(errno = ECANCELED, "Timeout while waiting for EC!");
+}
+
+int
+wait_ec(void)
+{
+ uint8_t busy;
+ int timeout = 1000;
+ do {
+ sys_outb(EC_INDEX, 0);
+ busy = sys_inb(EC_DATA);
+ timeout--;
+ usleep(1000);
+ } while (busy && timeout > 0);
+ return timeout > 0 ? 0 : -1;
+}
+
+int
+check_bios_write_en(void)
+{
+ uint8_t bios_cntl = pci_read_32(LPC_DEV, 0xdc) & 0xff;
+ /* Bit 5 = SMM BIOS Write Protect Disable (SMM_BWP)
+ * Bit 1 = BIOS Lock Enable (BLE)
+ * If both are 0, then there's no write protection */
+ if ((bios_cntl & 0x22) == 0)
+ return 1;
+
+ /* SMM protection is enabled, but try enabling writes
+ * anyway in case the vendor SMM code doesn't reset it */
+ pci_write_32(LPC_DEV, 0xdc, bios_cntl | 0x1);
+ return pci_read_32(LPC_DEV, 0xdc) & 0x1;
+}
+
+int
+set_gbl_smi_en(int enable)
+{
+ uint32_t smi_en = sys_inl(pmbase + SMI_EN_REG);
+ if (enable) {
+ smi_en |= 1;
+ } else {
+ smi_en &= ~1;
+ }
+ sys_outl(pmbase + SMI_EN_REG, smi_en);
+ return (get_gbl_smi_en() == enable);
+}
+
+int
+get_gbl_smi_en(void)
+{
+ return sys_inl(pmbase + SMI_EN_REG) & 1;
+}
--
2.39.2
- [PATCH 01/20] Use GRUB 2.12, Leah Rowe, 2024/01/14
- [PATCH 03/20] GRUB: Force scancode set 2 with translation, Leah Rowe, 2024/01/14
- [PATCH 05/20] GRUB: Avoid printing frivilous error messages, Leah Rowe, 2024/01/14
- [PATCH 04/20] GRUB: Don't spew "Unknown key 0xFF", Leah Rowe, 2024/01/14
- [PATCH 02/20] Argon2 KDF support in GRUB 2.12, Leah Rowe, 2024/01/14
- [PATCH 06/20] GRUB: Use reduced set of modules, Leah Rowe, 2024/01/14
- [PATCH 07/20] grub.cfg: support ESP, btrfs subvols and extlinux, Leah Rowe, 2024/01/14
- [PATCH 09/20] build/boot/roms: skip building gnat on fam15h, Leah Rowe, 2024/01/14
- [PATCH 11/20] import util/dell-flash-unlock from lbmk 09bed9a4,
Leah Rowe <=
- [PATCH 10/20] NEW MAINBOARD: Dell Latitude E6400, Leah Rowe, 2024/01/14
- [PATCH 14/20] build/boot/roms: support "normal" seabios configs, Leah Rowe, 2024/01/14
- [PATCH 13/20] use seabios revision from canoeboot 20231103, Leah Rowe, 2024/01/14
- [PATCH 12/20] import util/nvmutil from lbmk 09bed9a4, Leah Rowe, 2024/01/14
- [PATCH 15/20] coreboot/e6400_4mb: enable the grub payload, Leah Rowe, 2024/01/14
- [PATCH 08/20] Use newer coreboot revision from canoeboot 102ce12, Leah Rowe, 2024/01/14
- [PATCH 17/20] build/module/grub: disable -Werror on builds, Leah Rowe, 2024/01/14
- [PATCH 18/20] coreboot/fam15h: fix binutils build error on gcc13, Leah Rowe, 2024/01/14
- [PATCH 16/20] cache cbfstool and ifdtool builds, Leah Rowe, 2024/01/14
- [PATCH 19/20] use memtest86plus 6.x instead of 5.x, Leah Rowe, 2024/01/14