Harrowing Story Of Installing Libreboot On ThinkPad

As an Apple user, I’ve become somewhat disillusioned over the past few years. Maybe it’s the spirit of Steve Jobs slowly vanishing from the company, or that Apple seems to care more about keeping up with expensive trends lately rather than setting them, or the nagging notion Apple doesn’t have my best interests as a user in mind.

Whatever it is, I was passively on the hunt for a new laptop with the pipe dream that one day I could junk my Apple for something even better. One that could run a *nix operating system of some sort, be made with quality hardware, and not concern me over privacy issues. I didn’t think that those qualities existed in a laptop at all, and that my 2012 MacBook Pro was the “lesser of evils” that I might as well keep using. But then, we published a ThinkPad think piece that had two words in it that led me on a weeks-long journey to the brand-new, eight-year-old laptop I’m currently working from. Those two words: “install libreboot”.

Libreboot is a piece of free software that replaces proprietary BIOS firmware on some modern computers. This has, surprisingly, become increasingly difficult to do as Intel ramps up deployment of the Intel Management Engine. In a nutshell, the IME is a separate processor that can monitor or even take over everything happening in a computer and send that information out over the network to anyone (or any company) that has control of it. It does so without any knowledge of the user and is (obviously) a huge security vulnerability. Since Intel’s competitors do similar things, there’s almost no escape unless you can replace the IME with something like libreboot or coreboot.

Not as Easy as You’d Think

When I started researching libreboot, I assumed that it would be a simple process: download it and run some installer on my computer that would re-flash the BIOS. It couldn’t take any more than a half hour! Especially since the original article simply said “install libreboot” as if it was something that a child could do in between naps. The reality of what I was about to dive into, however, was much different.

First of all, libreboot only works on a handful of older ThinkPads. Newer models have fallen victim to a new strategy by Intel of checking the firmware loaded on the BIOS chip and disabling the computer if an unapproved firmware is discovered. Apparently Intel thinks that fixing security flaws or modifying something that you own is ridiculous and unacceptable. Anyway, I picked up an eight-year-old X200 on eBay for $65 shipped. I’m a simple guy who enjoys simple but reliable things even if they’re getting along in years, so the age of the computer wasn’t too much of a concern for me. Thinking I was doing pretty well for myself, I took a look at the installation instructions for the new firmware.

Some Disassembly Required

This is a step I probably should have taken before ordering the computer. Not that it would have stopped me from doing this, but it probably would have given me a better idea of what I should expect from this process. First of all, I found out that to flash the chip, disassembly and soldering would be required. The firmware has to be programmed directly. Anytime something like this is done, bricking the device is a real possibility. At least I would only be out $65.

The tiny chip to the left of the Intel-branded processor is the source of the problem.

Then, I learned that the BeagleBone Black is the preferred device to use to flash the new firmware to the ThinkPad. I have three Raspberry Pis lying around, but I went ahead and suspiciously ordered a BeagleBone for $40. Couldn’t hurt, I told myself, and I’ll have a new tool to use for other stuff in the future. But it did seem weird that there wasn’t an option to use a Raspberry Pi.

The next hurdle was figuring out exactly what type of firmware chip I had in my laptop, because there are different SOIC clips for different types of chips, and the only way to find out which sized chip I had was to get the laptop and take it apart. This set me back a few days (and another $10) waiting on the correct clip to arrive. During this process I also learned that there is no free software that will run on Intel’s proprietary WiFi card in these computers, so I also ordered an Atheros card to install ($15) since I had the laptop taken apart already.

New Atheros WiFi card installed.

Moving along, the BeagleBone had to be configured in a very particular way. I had never interacted with one of these before, and it’s not quite as straightforward as a Raspberry Pi. This process took me a few hours over the course of two days. I also learned through a third-party tutorial that Libreboot actually can be flashed with a Raspberry Pi, but this is one (among many) situations where the libreboot folks will go to great lengths to use free and open source software when they can. The BeagleBone fits their requirements, the Pi does not, and they do not mention this. I could easily have saved myself the $40 and used a Pi, but in the spirit of libreboot (and the fact that I was too far along to switch) I pressed on.

Navigating Libreboot’s Install Process

Most of the problem I had setting up the BeagleBone is with libreboot’s files and instructions. For example, at one point I had to patch the libreboot ROM file with a MAC address descriptor specific to the Ethernet card in my laptop. It wasn’t immediately clear which script out of the many provided would do this. Even then, the different ROMs that are available were all in a single folder, and unless you realize this immediately you’ll fill the memory of the BeagleBone when you unzip the archive. In general, it felt like I needed multiple degrees in computer science to make sense of their instructions on the first try. This can be a common plague of free software: alienating people through documentation that doesn’t relate to those with less knowledge and experience. And I’m not exactly an amateur, either. I have a degree in electrical engineering and passable knowledge of what’s going on, but even then I felt like I was blindly charging through a dark jungle of jargon.

Anyway, the BeagleBone Black I received didn’t have a display output (that I could find; I’ve never used one before and might have been missing something) and I had some difficulty getting it to work over the USB link to my Mac. That meant getting it on the network via Ethernet, and since my router is in the kitchen I set up shop there. After soldering some wires to the SOIC clip, I was finally ready to start flashing some firmware. At this point, I’ve had the X200 for almost three weeks, all spent waiting on parts I couldn’t have known I needed and programming the BeagleBone to act as a programmer.

My libreboot flashing station in the kitchen. Complete with janky power supply.

The actual flashing only took me about an hour and a half, though. Once I figured out which ROM to use and hooked up my 3.3V power supply (luckily I had one of these cobbled together already) it was a fairly simple process to back up the factory ROM, verify it, and start flashing libreboot. There was one major hiccup at this point, though. I attempted this process four times, and each time the new firmware couldn’t be verified. Error messages appeared everywhere, which is not something you’d want to see at this point in the process. The BeagleBone wrote the firmware successfully but afterwards, for some reason, couldn’t verify it. After getting a little anxious that I might have failed after all of this work, I decided to stick the battery in the laptop to see if it would boot up. I saw the picture of Tux and Gnu hanging out on my BIOS screen, and made the executive decision that libreboot was successfully installed. I went ahead and installed Ubuntu to make sure everything would work correctly since I already had an Ubuntu live-USB stick lying around. Even the new WiFi card seems to work well (except it doesn’t have a 5 GHz antenna like the Intel card did, but that’s not too big of a deal).

Not an ideal place to get stuck.

Free software aficionados will note that Ubuntu isn’t really the pinnacle of the free software movement. It’s been criticized for including proprietary software, binary blobs, and other issues. That being said, after the initial Ubuntu test installation, I did try to install Trisquel (crashed during the install because it got confused that the X200 doesn’t have an optical drive), a version of Arch called Parabola (wouldn’t boot from a USB stick) and another Debian-based distribution called gNewSense (you have to chuckle at the terrible name), but I found all of them to be difficult to install, unusable, or both.

For now, I’m happy just to have neutralized Intel’s Big Brother and I’ll probably keep using Ubuntu until the libre distributions have improved a little more (or I get really bored one day and decide to try again). Even though the process to install libreboot was tedious, it is possible. I would recommend having a libreboot computer to anyone who cares about privacy, security, or freedom. Even if you don’t want to throw your Apple in the garbage.

59 thoughts on “Harrowing Story Of Installing Libreboot On ThinkPad”

      1. There are a lot of projects like this where the author makes assumptions about knowledge the other person has, which are quite often incorrect.

        When writing a technical procedure document, either include *absolutely everything* a person coming to it cold needs to know, or link to other resources and make certain those resources together have absolutely everything required.

        I’ve over 30 years computer experience yet still trying to scrape together the info on how to get Lubuntu installed to the eMMC of an Orange Pi Plus 2E. I’ve the file downloaded, installed Ubuntu on an old laptop and just today got a USB to RS232 cable that has four individual header plugs.

        1. Hi Galane
          You can do this to an Orange?
          I have a lot of them. Because I liked the price.
          And they just barely do what I want them to do.
          Do you think you could add some links to get me started?
          Or if anyone else, that would be great. I’m going to start looking now.
          But the more info the better. And besides I would trust some more on H.A.D. than the web.

          Thanks

    1. CH341a would be the cheapest of those options: $3 for a programmer with a ZIF socket and little PCB adaptors for the various different footprints or $9 for a kit with a chip clip.

      1. A note about the CH341 programmers to anyone who might wander down here in the wild future year of 2024 – I would avoid getting one of the purpose built flash-programmer ones with the fancy ZIF socket – they have a design issue. There’s probably a few different designs for them floating around, but the schematics / reverse engineering from photos I did confirmed that a lot of them power the CH341 chip from USB 5v, which is.. not correct for programming 3.3v flash chips. If you use those, it will send 5v logic into the 3.3v flash, unless you verify for CERTAIN that the CH341 chip is not powered by the 5v from USB. Your chip might make it out alive, but I’d not take the risk.

        However, there is a different design of CH341 dongle out there that doesn’t have this problem, because it’s highly configurable by jumpers. It doesn’t look like a flash programmer, it’s just got a 2×8 header with soldered pins, a couple jumpers, a couple 10-pin unsoldered pin headers. I usually see it with a blue PCB. For those, you can use the jumpers to choose where the CH341 chip is powered from, either the USB bus voltage or the regulator onboard the dongle. If you have to use a chip clip anyway to program the BIOS, I’d highly recommend one of those, it’s safer for the chip, though you might have to break out an image of the pinout for SPI flash to make sure everything is connected up correctly. It’s also a more generally useful device IMO, you can use it as a serial adapter and there’s also an out-of-tree kernel module on Github that’s pretty functional for SPI and I2C functionality.

      1. Criminals and corporations? Intel is intel. Government has a legal monopoly on the use of force, and the intelligence agencies have the right to install whatever spyware they want into the communications infrastructure, e.g., CALEA of 1994, or the corporations go out of business and their executives to jail as “criminals”, e.g., Joseph Nacchio. Does Big Brother need to make a profit, as do corporations, or to fear going to jail as a criminal, no matter how criminal the acts of Big Brother may be?

    1. Except this is more like buying a house. “It has a panic room, but it’s locked for your own protection, we won’t tell you what is inside it.” “Is that one way glass into every room of the house, even the toilets?” “Yes.” “Can I cover them with a curtain when I have a bath?” “No, the floors will tip you out of the house and the doors will lock themselves.”

    2. Does it though? Most of us aren’t worried about an advanced firmware bound rootkit from an adware drive-by. We already have UEFI secure boot to prevent that. If that’s even a likely threat; the cost is very high and targeting is limited.

      It’s as easy as a single NSL/Court order to Intel/Lenovo/Dell and the NSA/CIA/TLA can get the private keys and bypass Boot guard entirely because its rootkit is “official”. User controlled Secure Boot that provides the same functionality on the other hand uses USER generated/managed keys no one else has, including the OEM. No one for nation states to compel for the private keys.

      1. That’s not protecting you at all. Intel ME lives in the hardware deep. It can be alive when your system is off. It can access all your memory, regardless of OS and protection. It can extract all the keys.

        http://hackaday.com/2016/11/28/neutralizing-intels-management-engine/ very interesting to read, we can let it sit idle forever.

        You’re basically saying that to find the terrorists, it’s fine to give up privacy. Now how many terrorists were there now? And how many guns do Americans own?

        Don’t answer that, read again how scary Intel ME and AMD TrustZone really are. But I get it, at first I thought, just remove the firmware and done… 30 minutes reset… F u Intel, I decide what I run, not some US big company… RISC-V is on my list, but they aren’t really desktop PCs, right?

        1. Unless you’re planning on designing and fabbing your own chips (preferably in your own fab), RISC-V isn’t going to change anything. The best you can do is decap and reverse-engineer from die photos, and the only thing that will tell you is if the chip you just destroyed had anything unexpected in it.

          TPM is what protects you from evil maids.

  1. This sounds like every simple project I’ve ever done.

    They always start out with me thinking “I’ve got some free time this weekend ” and wind up a month later with $100 on my credit card.

    Please follow up with how to do it on the Pi!?

        1. image.bin is whatever it is you want to flash to the chip. First, you read from the chip twice, to make sure SPI works (and that what you read makes sense), then you write your desired image to it.
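The read-twice check from the comment above, together with the back-up-and-verify step in the article, as an added example (not part of the original post or comments, and not libreboot's own tooling): a POSIX shell helper that accepts a backup only when two reads match and are not blank, plus a count of differing bytes for comparing a read-back against the image written. The file names and the 4 KiB sample dumps are constructed; real dumps come from whatever programmer you use.

```shell
#!/bin/sh
# Added example: sanity checks on SPI flash dumps before and after a write.

# size_of FILE: size in bytes.
size_of() { wc -c < "$1" | tr -d ' '; }

# is_uniform FILE OCTAL: true if every byte of FILE has that octal value.
is_uniform() {
    [ "$(tr -d "\\$2" < "$1" | wc -c | tr -d ' ')" -eq 0 ]
}

# check_dumps READ1 READ2 [EXPECTED_SIZE_BYTES]
# 0 = usable backup, 1 = missing or empty file, 2 = the two reads differ,
# 3 = all 0xFF or all 0x00 (chip not answering), 4 = size is not as expected
check_dumps() {
    [ -s "$1" ] && [ -s "$2" ] || return 1
    cmp -s "$1" "$2" || return 2
    if is_uniform "$1" 377 || is_uniform "$1" 000; then return 3; fi
    if [ -n "${3:-}" ] && [ "$(size_of "$1")" -ne "$3" ]; then return 4; fi
    return 0
}

# mismatch_count IMAGE READBACK: number of byte positions that differ.
# A few bytes suggest an unreliable connection; most of the file
# suggests the write did not take effect.
mismatch_count() {
    cmp -l "$1" "$2" 2>/dev/null | wc -l | tr -d ' '
}

# Constructed sample data: 4 KiB stand-ins for real chip dumps.
demo() {
    d=$(mktemp -d)
    { printf 'CONSTRUCTED-ROM'; dd if=/dev/zero bs=4081 count=1 2>/dev/null; } > "$d/read1.bin"
    cp "$d/read1.bin" "$d/read2.bin"
    { printf 'CONSTRUCTED-rom'; dd if=/dev/zero bs=4081 count=1 2>/dev/null; } > "$d/flaky.bin"
    dd if=/dev/zero bs=4096 count=1 2>/dev/null | tr '\000' '\377' > "$d/blank.bin"
    for second in read2 flaky; do
        rc=0; check_dumps "$d/read1.bin" "$d/$second.bin" 4096 || rc=$?
        echo "read1 vs $second: status $rc"
    done
    rc=0; check_dumps "$d/blank.bin" "$d/blank.bin" || rc=$?
    echo "blank vs blank: status $rc"
    echo "bytes differing, read1 vs flaky: $(mismatch_count "$d/read1.bin" "$d/flaky.bin")"
    rm -rf "$d"
}
demo
```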

  2. I replaced the WiFi card in an old thinkpad X61 last year. I had no idea I was in for an adventure in bios flashing or how difficult it would be when the tools available don’t match the systems you have on hand. I didn’t have to directly access the bios and I was able to use Middleton’s BIOS but the process did involve me downloading a windows 7 ISO and spinning up a VM so I could use some of the software.

    The end result is a new BIOS screen that proudly displays that it has been “hacked” and a working wifi card.

  3. “The Story of Stress-Free Installation of Linux on a Thinkpad”

    1. Buy a (refurbished) T420 Thinkpad from a reputable dealer. Mine comes from A*n (for USD 180.00) and has–compared with “more modern” machines–great specs, including an optical drive, and Win7 for those times when I absolutely, positively must have a win OS.
    2. When you turn the computer on, you’ll see a message in the start-up splash screen which states “To interrupt normal start-up, press the blue “ThinkVantage” button” [on the keyboard].
    3. Install Linux Mint 17.3 from the boot thumb drive or DVD which you’ve created
    4. Twenty minutes later, or a little later if you use DVD, you’ll have a dual-boot Linux computer which also, by the way, runs one of the last almost-acceptable versions of windows.
    Suggestions–
    1. Don’t try to use Libreboot if you have an option. I took the route outlined here BECAUSE I read what I needed to do in order to use Libreboot on my existing hardware, and I did NOT have a computer which I wanted to salvage, come Hell or high water; nor do I have the temperament to make a career out of upgrading computers.
    2. Do NOT use any version of Mint Linux past 17.3. All reports (from me, too) are that Mint 17.3 is rock-solid and a joy–a real joy–to use, and that later versions are not, due to the builds being associated with the later “buggy” versions of Ubuntu (cf. OCS-Mag, Dedoimedo, Darkduck).

  4. “This can be a common plague of free software: alienating people through documentation that doesn’t relate to those with less knowledge and experience.”

    Related to the difference between computer science and software engineering. Good projects need people to oversee the entire experience, so it’s not just aimed at developers…

          1. No takesies-backsies! Anyway, if she wanted protection of her project, she should’ve A. found out what she was getting into by joining GNU, and B. trademarked the name.

            Not to mention C. don’t start a shitstorm without so much as getting the allegedly discriminated-against person to come forward.

  5. X400 is supported, I may have to ask my team leader at work about the one I gave back to him after I decided it was unusable, ya know, for hacking sake.

    It should help unlock the GSM module bay for any card.

    The only thing concerning me is the KBC/EC has a binary blob and that, AFAIK, is where the CPU throttling is coming from.

    Currently the one at work likes to run at minimum frequency and maximum voltage for some reason (C2D, NOT a Celeron/Pentium/etc. By the way).

    For battery life: Can Libreboot override the EC’s actions by disabling C-States and does it have voltage scaling support when changing CPU frequency?

    1. Sorry: T400.

      Idea for edit button: only allow one word change. That way we keep the LOLs but stop above mistakes, even after proof reading.

      Keep forgetting if T or X all the time. Question above still valid for T400 instead….

      1. Found some of my answer in the coreboot site.
        The thermal table for throttling can be edited in source for coreboot.
        Still not sure what overrides in the EC are though and presumably at a higher execution ring than the main BIOS, i.e. System management ring or similar/higher or similar to how the ME firmware would control things?

        Either way, turn Monday I’ll probably find out.

          1. Dunno why I’m replying since this is now an old post…. a day passed before you commented so I missed the main opportunity…

            However if you do see this thread again:
            In my Dell, the EC is connected to some interrupt lines and I recall some #reset lines also.(where did I save those schematics?)

            The EC will interrupt the CPU and call SMM functions when entering a thermal debug mode…

            Holding Shift and FN then typing 15324 enables EC into a kind of debug mode and FN + R or FN + T pauses Ring 0 (OS Kernel, my mental memory is stale about ring levels though) execution and shoves some payload into the memory (SMBIOS? BIOS-reserved?) area to display the thermal debug pages (EC controls all thermal and SMBUS in the laptop)

            If the EC is completely separate and thus has no hypervisor capability then explain this.

            P.s. works on older Intel architecture where those CPU control lines are exposed between the CPU and the Northbridge (MCH/PCH in some systems).
            The newer embedded core i# don’t seem to show the pages confirming the missing control lines even though the LED flashes to indicate the EC has entered this mode.

            A lot can be learnt from schematics (if available for your current model)

          2. Systems management mode can be entered via an external pin, but why do you assume that the external controller is injecting code, rather than the functionality being present in the BIOS (which is responsible for setting up the SMM handler in the first place)?

            Lenovo’s choices of embedded controllers are well documented on sites like ThinkWiki etc.

    2. With regards to clock throttling on C2D thinkpads, on some units when plugged into the 65W adapter, will throttle clockspeed when also plugged into a bad battery. Can be forced to full speed with throttlestop, plugging into a 90W adapter instead, getting a good battery, or all three.
      Cheers

    1. Another method for getting non-graphic output from a BBB is the 6-pin serial header that can output even the OS boot messages through a USB/serial dongle. It’s that thin row of unlabeled (of course) pins near one of the female headers along one side of the BBB. If you don’t need graphics, it’s definitely the way to go.

  6. “Apple doesn’t have my best interests as a user in mind”
    In that case I think that the spirit of Steve Jobs is alive and well at Apple. He showed the industry two things. People want form over function and that having a walled garden is a great way to make a LOT of money.

    1. So is taking credit for other people’s work, going back to when Jobs was passing off Wozniak’s hardware wizardry as his own to Atari.

      Think how different things would be if Woz had gotten fed up with Jobs and split before they started Apple.

  7. I have a chromebook xe550c22 with libreboot and linux. upgraded the mSATA / RAM too. Was a pretty simple process, just had to trip the write protect pins on the mobo and it was finished in an hour or two.

  8. I’ve been slowly following this same adventure myself for several on/off months. Most of my headache has been the same story – piss-poor documentation that takes great assumptions in the reader’s prior knowledge, linux being linux (awful distro I won’t use, distro I would use won’t install, distro I knew worked stopped working, etc), complete ambiguity of what the next step is at several points. Trying to do it all from within windows before making the jump to linux might well just be a pipe-dream. Glad to see a post about coreboot/libreboot on HAD at least though, thanks for the write-up

  9. I’m assuming this could be flashed with a SPI programmer such as a DediProg? http://www.dediprog.com They’re a little pricey but we use them at work for flashing BIOS images and firmware images on network cards, they’ll work through an SPI header or you can clip them directly to the chip itself (They also have programming interfaces with sockets on them for socketed chips)

  10. I think this kind of article is only going to put people off trying something new interesting and fun, certainly for the kinds of people who browse this website you should have enjoyed yourself. learning new things. I’ve thoroughly enjoyed the process so far and can’t wait to get my own completely personal configuration up and running. yes it’s not easy but that’s the fun of it.

    I couldn’t help but laugh at some of these problems you had, I mean there are so many wiki’s and youtube tutorials that will explain everything to you in the simplest terms. like how to make a bootable parabola usb, It sounds like you used unetbootin or something.

  11. So just to be clear: There’s no way to get this done on a T-420 / T-430 / T-450? I guess I’m stuck then. I wonder if Coreboot would work on these machines? (I do so love the 420’s 430’s and 450’s…they’re the perfect blend of power and ruggedness!) I guess I’ll just have to keep using Tor and VPN-ing everything I do online. Still though, it would have been nice to get this up and running on a Thinkpad aside from the X220. I wonder if there are companies / communities / people who would voluntarily do this for you…for a fee?…..Hmm….methinks I have some research to do!

  12. The Beagle Bone Black has 3.3v rails already on it, which work fine; you just need a breadboard and your extra wires to share the line. Libreboot project is weird, in that, they instruct you to use an external PSU for those 3.3v lines, while they are already present on your beagle bone. The beagle bone works great for chip flashing though, once you get it set up right.
