Installing osboot onto ThinkPad X200 that has Lenovo BIOS

Edit this page -- Back to previous index

Flash the same ROM whether it’s X200, X200S or X200 Tablet.

NOTE: this guide does NOT work for ThinkPad X200S or X200Tablet. For those, please refer to index.html#x200st.

This guide is for those who want osboot on their ThinkPad X200 while they still have the original Lenovo BIOS present. This guide can also be followed (adapted) if you brick your X200, to know how to recover.

X200/X200S/X200Tablet laptops with libreboot/osboot pre-installed

If you don’t want to install osboot/Libreboot yourself, companies exist that sell these laptops with libreboot or osboot pre-installed, along with a free GNU+Linux distribution (and they may also provide BSD installs).

Refer to these links:

https://osboot.org/suppliers.html

https://libreboot.org/suppliers.html

Flash chip size

Run this command on x200 to find out flash chip model and its size:

sudo flashrom -p internal

If you have a Macronix flash chip (chip name beginning with MX), please note that flashrom as supplied by Libreboot or osboot will be unreliable on certain flashers such as Raspberry Pi.

For those Macronix chips, use this modified version of Flashrom:

https://vimuser.org/hackrom.tar.xz

This is based on Flashrom version 0.9.9 and contains a special patch. A binary is supplied in that tar archive, which will work on Raspberry Pi and it is compiled from the included source code.

If using this version, on a Macronix flash chip, pass the following argument to your flashrom command: --workaround-mx

Example (write):

sudo flashrom -p linux_spi:spidev=/dev/spidev0.0,spispeed=32768 --workaround-mx -w your.rom

Example (read):

sudo flashrom -p linux_spi:spidev=/dev/spidev0.0,spispeed=32768 --workaround-mx -w your.rom

Sometimes, the flash chip won’t even be detected (if Macronix) without passing this argument, so as a general rule you should try with and without it.

Flashing on Macronix chips for X200 more or less requires this argument.

MAC address

The MAC address for your Intel GbE NIC is encoded into the GbE region of the boot flash. To modify it, please consult the following document:

ich9utils.html#ich9gen

The procedure

This section is for the X200. This does not apply to the X200S or X200 Tablet (for those systems, you have to remove the motherboard completely, since the flash chip is on the other side of the board).

This video shows how to flash the chip: https://www.youtube.com/watch?v=NLvTTtZQM6U

If you don’t like non-free javascript, here’s an invidious link: https://invidious.snopyta.org/watch?v=NLvTTtZQM6U

Now, you should be ready to install osboot.

Flashrom is included in the osboot build system, in the git repository, which you can by doing:

./download flashrom
./build module flashrom

For build dependencies, a script is supplied that works on Ubuntu 20.04 and similar distributions, which you can run by doing:

./build dependencies ubuntu2004

NOTE: If using Raspberry Pi, use the hackrom version of flashrom linked above. It will be much easier than building from source.

Use this wiring diagram for your raspberry pi:

How to program 25XX NOR flash using SPI header on Raspberry Pi

The flash chip is just underneath the palm rest.

The flash chip will look like this, where pin 1 is the pin with the dot in the corner on the chip housing/plastic:

SOIC8:

SOIC16:

Test that flashrom works:

# ./flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=32768

NOTE: spispeed=32768 should work, just keep your wires within 10cm and all at the same length. However, you can try lower speeds down to 4096 or so if you need to, for stability.

Do not connect the 3.3v power rail until the test clip is connected. When you’re done, disconnect the 3.3v power rail before removing the test clip.

If you see something like this, where flashrom detects multiple chips:

flashrom v0.9.7-r1854 on Linux 3.8.13-bone47 (armv7l)
flashrom is free software, get the source code at http://www.flashrom.org
Calibrating delay loop... OK.
Found Macronix flash chip "MX25L6405(D)" (8192 kB, SPI) on linux_spi.
Found Macronix flash chip "MX25L6406E/MX25L6436E" (8192 kB, SPI) on linux_spi.
Found Macronix flash chip "MX25L6445E/MX25L6473E" (8192 kB, SPI) on linux_spi.
Multiple flash chip definitions match the detected chip(s): "MX25L6405(D)", "MX25L6406E/MX25L6436E", "MX25L6445E/MX25L6473E"
Please specify which chip definition to use with the -c <chipname> option.

If you see the above, pass this argument in flashrom: -c "MX25L6405(D)"

Here is how to backup factory.rom:

sudo ./flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=32768 -r factory.rom
sudo ./flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=32768 -r factory1.rom

Now compare the two images:

sha512sum factory*.rom

If the hashes match and if hex editor (like dhex) shows that they have valid contents (eg. it’s not filled entirely with 0x00/0xFF), then just copy one of them (the factory.rom) to a safe place, backed up on several storage mediums. This is useful for reverse engineering work, if there is a desirable behaviour in the original firmware that could be replicated in coreboot.

It is strongly recommended that you make a backup of the original ROM contents before flashing a new ROM, regardless of what the current contents are. So, this advice applies even if you’re already running some variant of coreboot (e.g. libreboot, osboot).

Follow the instructions at ich9utils.html#ich9gen to change the MAC address inside the osboot ROM image, before flashing it. Although there is a default MAC address inside the ROM image, this is not what you want. Make sure to always change the MAC address to one that is correct for your system.

Technically, any valid MAC address is OK but if you have multiple machines with the same MAC address on the same network then you will get MAC address conflicts that interfere with networking protocols.

You might see errors, but if it says Verifying flash... VERIFIED at the end, then it’s flashed and should boot. If you see errors, try again (and again, and again); the message Chip content is identical to the requested image is also an indication of a successful installation.

Example output from running the command (see above):

flashrom v0.9.7-r1854 on Linux 3.8.13-bone47 (armv7l)
flashrom is free software, get the source code at http://www.flashrom.org
Calibrating delay loop... OK.
Found Macronix flash chip "MX25L6405(D)" (8192 kB, SPI) on linux_spi.
Reading old flash chip contents... done.
Erasing and writing flash chip... FAILED at 0x00001000! Expected=0xff, Found=0x00, failed byte count from 0x00000000-0x0000ffff: 0xd716
ERASE FAILED!
Reading current flash chip contents... done. Looking for another erase function.
Erase/write done.
Verifying flash... VERIFIED.

Wifi

The X200 typically comes with an Intel wifi chipset, which does not work without proprietary software. For a list of wifi chipsets that work without proprietary software, see ../hardware/#recommended_wifi.

Some X200 laptops come with an Atheros chipset, but this is 802.11g only.

It is recommended that you install a new wifi chipset. This can only be done after installation, because the original firmware has a whitelist of approved chips, and it will refuse to boot if you use an ‘unauthorized’ wifi card.

Wifi is easily removed. Look to the right of the flash chip, at the edge of the board and you will see the mini PCIe connectors. There may already be a card connected in the slot. It’s the bottom slot that you should use; the upper slot, closer to the screen, is actually USB not PCIe (even though the connector looks the same).

WWAN

If you have a WWAN/3G card and/or sim card reader, remove them permanently. The WWAN-3G card has proprietary firmware inside; the technology is identical to what is used in mobile phones, so it can also track your movements.

Not to be confused with wifi (wifi is fine).

This is the slot that looks like a mPCIe connector, but it’s not. It’s closer to the screen that the other slot.

Intel Turbo Memory

Some X200 devices were sold with Intel Turbo Memory installed in the top-most mini PCI-e slot. This has been shown to be ineffective at disk caching or battery saving in most use cases. While there are Linux drivers available, it is blacklisted in at least GNU+Trisquel, and possibly other free operating systems. It should probably be removed.

The Turbo Memory slot is closest to the screen (closer than the WWAN slot), to the left of the SATA connector your for HDD/SSD.

Memory

You need DDR3 SODIMM PC3-8500 RAM installed, in matching pairs (speed/size). Non-matching pairs won’t work. You can also install a single module (meaning, one of the slots will be empty) in slot 0.

NOTE: according to users repors, non matching pairs (e.g. 1+2 GiB) might work in some cases.

Make sure that the RAM you buy is the 2Rx8 density.

NOTE: Higher speeds up to 1600MHz are also tested and confirmed working.

RAM is very unreliable on this machine, so please try other modules if you have problems.

You can access the RAM via 2 screws on the bottom of the machine, and then a door can be removed, giving you RAM access.

Boot it!

Now install GNU+Linux.

Or BSD

Other operating systems may also work, but they are untested.

X200S and X200 Tablet users: GPIO33 trick will not work.

sgsit found out about a pin called GPIO33, which can be grounded to disable the flashing protections by the descriptor and stop the ME from starting (which itself interferes with flashing attempts). The theory was proven correct; however, it is still useless in practise.

Look just above the 7 in TP37 (that’s GPIO33):

By default we would see this in lenovobios, when trying flashrom -p internal -w rom.rom:

FREG0: Warning: Flash Descriptor region (0x00000000-0x00000fff) is read-only.
FREG2: Warning: Management Engine region (0x00001000-0x005f5fff) is locked.

With GPIO33 grounded during boot, this disabled the flash protections as set by descriptor, and stopped the ME from starting. The output changed to:

The Flash Descriptor Override Strap-Pin is set. Restrictions implied by
the Master Section of the flash descriptor are NOT in effect. Please note
that Protected Range (PR) restrictions still apply.

The part in bold is what got us. This was still observed:

PR0: Warning: 0x007e0000-0x01ffffff is read-only.
PR4: Warning: 0x005f8000-0x005fffff is locked.

It is actually possible to disable these protections. Lenovobios does, when updating the BIOS (proprietary one). One possible way to go about this would be to debug the BIOS update utility from Lenovo, to find out how it’s disabling these protections. Some more research is available here: http://www.coreboot.org/Board:lenovo/x200/internal_flashing_research

Edit this pageLicenseTemplateAuthorsDonateBuy preinstalled

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License Version 1.3 or any later version published by the Free Software Foundation with no Invariant Sections, no Front Cover Texts, and no Back Cover Texts. A copy of this license is found in /docs/fdl-1.3.html