move resources/scripts/ to script/

Signed-off-by: Leah Rowe <leah@libreboot.org>

4 files changed, 1184 insertions, 0 deletions

diff --git a/script/update/blobs/download b/script/update/blobs/download
new file mode 100755
index 00000000..3df460d4
--- /dev/null
+++ b/script/update/blobs/download
@@ -0,0 +1,516 @@
+#!/usr/bin/env sh
+
+# SPDX-FileCopyrightText: 2022 Caleb La Grange <thonkpeasant@protonmail.com>
+# SPDX-FileCopyrightText: 2022 Ferass El Hafidi <vitali64pmemail@protonmail.com>
+# SPDX-FileCopyrightText: 2023 Leah Rowe <info@minifree.org>
+# SPDX-License-Identifier: GPL-3.0-only
+
+. "include/err.sh"
+
+agent="Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0"
+
+ec_url=""
+ec_url_bkup=""
+ec_hash=""
+dl_hash=""
+dl_url=""
+dl_url_bkup=""
+dl_path=""
+e6400_vga_dl_hash=""
+e6400_vga_dl_url=""
+e6400_vga_dl_url_bkup=""
+e6400_vga_offset=""
+e6400_vga_romname=""
+sch5545ec_dl_url=""
+sch5545ec_dl_url_bkup=""
+sch5545ec_dl_hash=""
+
+cbdir="coreboot/default"
+cbcfgsdir="resources/coreboot"
+boarddir=""
+blobdir="blobs"
+appdir="${blobdir}/app"
+_7ztest="a"
+mecleaner="$(pwd)/me_cleaner/me_cleaner.py"
+e6400_unpack="$(pwd)/bios_extract/dell_inspiron_1100_unpacker.py"
+me7updateparser="$(pwd)/resources/blobs/me7_update_parser.py"
+kbc1126_ec_dump="$(pwd)/${cbdir}/util/kbc1126/kbc1126_ec_dump"
+board=""
+pfs_extract="$(pwd)/biosutilities/Dell_PFS_Extract.py"
+uefiextract="$(pwd)/uefitool/uefiextract"
+_b="" # board shorthand without e.g. _4mb (avoid duplication per flash size)
+
+CONFIG_HAVE_MRC=""
+CONFIG_HAVE_IFD_BIN=""
+CONFIG_HAVE_ME_BIN=""
+CONFIG_HAVE_GBE_BIN=""
+CONFIG_KBC1126_FIRMWARE=""
+CONFIG_BOARD_DELL_E6400=""
+CONFIG_VGA_BIOS_FILE=""
+CONFIG_INCLUDE_SMSC_SCH5545_EC_FW=""
+CONFIG_SMSC_SCH5545_EC_FW_FILE=""
+
+main()
+{
+	[ $# -gt 0 ] || \
+		err "No argument given"
+
+	board="${1}"
+	boarddir="${cbcfgsdir}/${board}"
+
+	[ -d "${boarddir}" ] || \
+		err "Board target, ${board}, not defined"
+	[ -f "${boarddir}/target.cfg" ] || \
+		err "Target missing target.cfg"
+
+	no_config="printf \"No config for target, %s\\n\" ${board} 1>&2; exit 0"
+	for x in "${boarddir}"/config/*; do
+		[ -f "${x}" ] && no_config=""
+	done
+	eval "${no_config}"
+
+	detect_firmware || exit 0
+	scan_sources_config
+
+	build_dependencies
+	download_blobs
+}
+
+detect_firmware()
+{
+	set -- "${boarddir}/config/"*
+	. "${1}"
+	. "${boarddir}/target.cfg"
+
+	[ "${CONFIG_HAVE_MRC}" = "y" ] && needs="${needs} MRC"
+	[ "${CONFIG_HAVE_IFD_BIN}" = "y" ] && needs="${needs} IFD"
+	[ "${CONFIG_HAVE_ME_BIN}" = "y" ] && needs="${needs} ME"
+	[ "${CONFIG_HAVE_GBE_BIN}" = "y" ] && needs="${needs} GBE"
+	[ "${CONFIG_KBC1126_FIRMWARE}" = "y" ] && needs="${needs} EC"
+	[ "${CONFIG_BOARD_DELL_E6400}" = "y" ] && \
+	    [ "${CONFIG_VGA_BIOS_FILE}" != "" ] && needs="${needs} E6400VGA"
+	[ "${CONFIG_INCLUDE_SMSC_SCH5545_EC_FW}" = "y" ] && \
+	    needs="${needs} SCH5545EC"
+	[ -z ${needs+x} ] && \
+		printf "No binary blobs needed for this board\n" && \
+		return 1
+	printf "Firmware needed for board '%s':\n%s\n" "${board}" "${needs}"
+}
+
+scan_sources_config()
+{
+	# Shorthand (avoid duplicating configs per flash size)
+	_b=${board%%_*mb}
+
+	awkstr=" /\{.*${_b}.*}{/ {flag=1;next} /\}/{flag=0} flag { print }"
+
+	while read -r line ; do
+		case ${line} in
+		EC_url_bkup*)
+			set ${line}
+			ec_url_bkup=${2} ;;
+		EC_url*)
+			set ${line}
+			ec_url=${2} ;;
+		EC_hash*)
+			set ${line}
+			ec_hash=${2} ;;
+		DL_hash*)
+			set ${line}
+			dl_hash=${2} ;;
+		DL_url_bkup*)
+			set ${line}
+			dl_url_bkup=${2} ;;
+		DL_url*)
+			set ${line}
+			dl_url=${2} ;;
+		E6400_VGA_DL_hash*)
+			set ${line}
+			e6400_vga_dl_hash=${2} ;;
+		E6400_VGA_DL_url_bkup*)
+			set ${line}
+			e6400_vga_dl_url_bkup=${2} ;;
+		E6400_VGA_DL_url*)
+			set ${line}
+			e6400_vga_dl_url=${2} ;;
+		E6400_VGA_offset*)
+			set ${line}
+			e6400_vga_offset=${2} ;;
+		E6400_VGA_romname*)
+			set ${line}
+			e6400_vga_romname=${2} ;;
+		SCH5545EC_DL_hash*)
+			set ${line}
+			sch5545ec_dl_hash=${2} ;;
+		SCH5545EC_DL_url_bkup*)
+			set ${line}
+			sch5545ec_dl_url_bkup=${2} ;;
+		SCH5545EC_DL_url*)
+			set ${line}
+			sch5545ec_dl_url=${2} ;;
+		esac
+	done << EOF
+	$(eval "awk '${awkstr}' resources/blobs/sources")
+EOF
+}
+
+build_dependencies()
+{
+	[ -d ${cbdir} ] || \
+		./fetch_trees coreboot ${cbdir##*/} || \
+		    err "build_dependencies: can't fetch ${cbdir}"
+	for d in uefitool biosutilities bios_extract me_cleaner; do
+		[ -d "${d}" ] && continue
+		./fetch "${d}" || \
+		    err "build_dependencies: can't fetch ${d}"
+	done
+	[ -f uefitool/uefiextract ] || \
+		./handle make file -b uefitool || \
+		    err "build_dependencies: can't build uefitool"
+	if [ ! -f "${cbdir}/util/kbc1126/kbc1126_ec_dump" ]; then
+		make -BC "${cbdir}/util/kbc1126" || \
+		    err "build_dependencies: can't build kbc1126_ec_dump"
+	fi
+}
+
+download_blobs()
+{
+	for need in ${needs}; do
+		case ${need} in
+		*ME*)
+			download_blob_intel_me || _failed="${_failed} me" ;;
+		*SCH5545EC*)
+			download_sch5545ec || failed="${_failed} sch5545ec" ;;
+		*EC*)
+			download_ec || _failed="${_failed} ec" ;;
+		*E6400VGA*)
+			download_e6400vga || _failed="${_failed} e6400vga" ;;
+		*MRC*)
+			./update blobs mrc || _failed="${_failed} mrc" ;;
+		esac
+	done
+	
+	if [ ! -z ${_failed+x} ]; then
+		err "download_blobs: can't download blobs: ${_failed}\n"
+	fi
+}
+
+download_blob_intel_me()
+{
+	printf "Downloading neutered ME for board: %s\n" ${board}
+
+	fetch_update me || return 1
+	extract_blob_intel_me || return 1
+}
+
+extract_blob_intel_me()
+{
+	printf "Extracting neutered ME for ${board}\n"
+
+	_me_destination=${CONFIG_ME_BIN_PATH#../../}
+
+	[ -d "${_me_destination%/*}" ] || \
+		mkdir -p "${_me_destination%/*}" || \
+		    err "extract_blob_intel_me: mkdir ${_me_destination%/*}"
+	[ ! -d "${appdir}" ] || \
+		rm -Rf "${appdir}" || \
+		    err "extract_blob_intel_me: can't rm -Rf \"${appdir}\""
+	if [ -f "${_me_destination}" ]; then
+		printf "Intel ME firmware already downloaded\n" 1>&2
+		return 0
+	fi
+
+	printf "Extracting and stripping Intel ME firmware\n"
+
+	innoextract "${dl_path}" -d "${appdir}" || \
+	    7z x "${dl_path}" -o"${appdir}" || \
+	    unar "${dl_path}" -o "${appdir}" || \
+	    err "extract_blob_intel_me: could not extract vendor update"
+
+	bruteforce_extract_blob_intel_me "$(pwd)/${_me_destination}" \
+	    "$(pwd)/${appdir}" || \
+	    err "extract_blob_intel_me: could not extract Intel ME firmware"
+
+	[ -f "${_me_destination}" ] || \
+		err "extract_blob_intel_me, ${board}: me.bin missing"
+
+	printf "Truncated and cleaned me output to: %s\n" "${_me_destination}"
+}
+
+# cursed, carcinogenic code. TODO rewrite it better
+bruteforce_extract_blob_intel_me()
+{
+	_me_destination="${1}"
+	cdir="${2}" # must be an absolute path, not relative
+
+	[ -f "${_me_destination}" ] && return 0
+
+	sdir="$(mktemp -d)"
+	mkdir -p "${sdir}" || return 1
+
+	(
+	printf "Entering %s\n" "${cdir}"
+	cd "${cdir}" || \
+	    err "bruteforce_extract_blob_intel_me: can't cd \"${cdir}\""
+	for i in *; do
+		if [ -f "${_me_destination}" ]; then
+			# me.bin found, so avoid needless further traversal
+			break
+		elif [ -L "${i}" ]; then
+			# symlinks are a security risk, in this context
+			continue
+		elif [ -f "${i}" ]; then
+			"${mecleaner}" -r -t -O "${sdir}/vendorfile" \
+			    -M "${_me_destination}" "${i}" \
+			    && break # (we found me.bin)	
+			"${mecleaner}" -r -t -O "${_me_destination}" "${i}" \
+			    && break # (we found me.bin)
+			"${me7updateparser}" -O "${_me_destination}" "${i}" \
+			    && break # (we found me.bin)
+			_7ztest="${_7ztest}a"
+			7z x "${i}" -o"${_7ztest}" \
+			    || innoextract "${i}" -d "${_7ztest}" \
+			    || unar "${i}" -o "${_7ztest}" \
+			    || continue
+			bruteforce_extract_blob_intel_me "${_me_destination}" \
+			    "${cdir}/${_7ztest}"
+		elif [ -d "$i" ]; then
+			bruteforce_extract_blob_intel_me "${_me_destination}" \
+			    "${cdir}/${i}"
+		else
+			printf "SKIPPING: %s\n" "${i}"
+			continue
+		fi
+		cdir="${1}"
+		cd "${cdir}" # audit note: we already checked this (see above)
+	done
+	)
+
+	rm -Rf "${sdir}" || \
+	    err "bruteforce_extract_blob_intel_me: can't rm -Rf \"${sdir}\""
+}
+
+download_ec()
+{
+	printf "Downloading KBC1126 EC firmware for HP laptop\n"
+
+	fetch_update ec || return 1
+	extract_blob_kbc1126_ec || return 1
+}
+
+extract_blob_kbc1126_ec()
+{
+	printf "Extracting KBC1126 EC firmware for board: %s\n" ${board}
+
+	_ec_destination=${CONFIG_KBC1126_FW1#../../}
+
+	[ -d "${_ec_destination%/*}" ] || \
+		mkdir -p "${_ec_destination%/*}" || \
+		    err "extract_blob_kbc1126_ec: !mkdir ${_ec_destination%/*}"
+	[ ! -d "${appdir}" ] || \
+		rm -Rf "${appdir}" || \
+		    err "extract_blob_kbc1126_ec: !rm -Rf ${appdir}"
+	if [ -f "${_ec_destination}" ]; then
+		printf "KBC1126 EC firmware already downloaded\n" 1>&2
+		return 0
+	fi
+
+	unar "${dl_path}" -o "${appdir}" || \
+	    err "extract_blob_kbc1126_ec: !unar \"${dl_path}\" -o \"${appdir}\""
+
+	(
+	cd "${appdir}/${dl_path##*/}" || \
+	    err "extract_blob_kbc1126_ec: !cd \"${appdir}/${dl_path##*/}\""
+
+	mv Rompaq/68*.BIN ec.bin || :
+	if [ ! -f ec.bin ]; then
+		unar -D ROM.CAB Rom.bin || \
+		    unar -D Rom.CAB Rom.bin || \
+		    unar -D 68*.CAB Rom.bin || \
+		    err "extract_blob_kbc1126_ec: can't extract ec.bin"
+		mv Rom.bin ec.bin || \
+		    err "extract_blob_kbc1126_ec: *didn't* extract ec.bin"
+	fi
+	[ -f ec.bin ] || \
+	    err "extract_blob_kbc1126_ec: ${board}: can't extract ec.bin"
+
+	"${kbc1126_ec_dump}" ec.bin || \
+	    err "extract_blob_kbc1126_ec: ${board}: can't extract ecfw1/2.bin"
+	)
+
+	ec_ex="y"
+	for i in 1 2; do
+		[ -f "${appdir}/${dl_path##*/}/ec.bin.fw${i}" ] || ec_ex="n"
+	done
+	[ "${ec_ex}" = "y" ] || \
+	    err "extract_blob_kbc1126_ec: ${board}: didn't extract ecfw1/2.bin"
+
+	cp "${appdir}/${dl_path##*/}"/ec.bin.fw* "${_ec_destination%/*}/" || \
+	    err "extract_blob_kbc1126_ec: cant mv ecfw1/2 ${_ec_destination%/*}"
+}
+
+download_e6400vga()
+{
+	printf "Downloading Nvidia VGA ROM for Dell Latitude E6400\n"
+
+	fetch_update e6400vga || return 1
+	extract_e6400vga || return 1
+}
+
+extract_e6400vga()
+{
+	printf "Extracting Nvidia VGA ROM for ${board}\n"
+
+	_vga_destination=${CONFIG_VGA_BIOS_FILE#../../}
+
+	if [ -f "${_vga_destination}" ]; then
+		printf "extract_e6400vga: vga rom already downloaded\n" 1>&2
+		return 0
+	fi
+	[ -d "${_vga_destination%/*}" ] || \
+		mkdir -p "${_vga_destination%/*}" || \
+		    err "extract_e6400vga: can't mkdir ${_vga_destination%/*}"
+	[ ! -d "${appdir}" ] || \
+		rm -Rf "${appdir}" || \
+		    err "extract_e6400vga: can't rm -Rf ${appdir}"
+
+	mkdir -p "${appdir}" || \
+	    err "extract_e6400vga: can't mkdir ${appdir}"
+	cp "${dl_path}" "${appdir}" || \
+	    err "extract_e6400vga: can't copy vendor update"
+
+	[ "${e6400_vga_offset}" = "" ] && \
+		err "extract_e6400vga: E6400 VGA offset not defined"
+	[ "${e6400_vga_romname}" = "" ] && \
+		err "extract_e6400vga: E6400 VGA ROM name not defined"
+
+	(
+	cd "${appdir}" || \
+	    err "extract_e6400vga: can't cd ${appdir}"
+	tail -c +${e6400_vga_offset} "${dl_path##*/}" | gunzip > bios.bin || \
+	    err "extract_e6400vga: can't gunzip > bios.bin"
+
+	[ -f "bios.bin" ] || \
+		err "extract_e6400vga: can't extract bios.bin from update"
+	"${e6400_unpack}" bios.bin || printf "TODO: fix dell extract util\n"
+	[ -f "${e6400_vga_romname}" ] || \
+		err "extract_e6400vga: can't extract vga rom from bios.bin"
+	)
+
+	cp "${appdir}"/"${e6400_vga_romname}" "${_vga_destination}" || \
+	    err "extract_e6400vga: can't copy vga rom to ${_vga_destination}"
+
+	printf "E6400 Nvidia ROM saved to: %s\n" "${_vga_destination}"
+}
+
+download_sch5545ec()
+{
+	printf "Downloading SMSC SCH5545 Environment Controller firmware\n"
+
+	fetch_update sch5545ec || return 1
+	extract_sch5545ec || return 1
+}
+
+# TODO: this code is cancer. hardcoded is bad, and stupid.
+# TODO: make it *scan* (based on signature, in each file)
+extract_sch5545ec()
+{
+	printf "Extracting SCH5545 Environment Controller firmware for '%s'\n" \
+	    ${board}
+
+	_sch5545ec_destination=${CONFIG_SMSC_SCH5545_EC_FW_FILE#../../}
+
+	if [ -f "${_sch5545ec_destination}" ]; then
+		printf "sch5545 firmware already downloaded\n" 1>&2
+		return 0
+	fi
+
+	[ ! -d "${appdir}" ] || rm -Rf "${appdir}" || \
+	    err "extract_sch5545ec: can't remove ${appdir}"
+
+	mkdir -p "${appdir}/" || err "extract_sch5545ec: !mkdir ${appdir}"
+	cp "${dl_path}" "${appdir}/" || \
+	    err "extract_sch5545ec: can't copy vendor update file"
+	python "${pfs_extract}" "${appdir}/${dlsum}" -e || \
+	    err "extract_sch5545ec: can't extract from vendor update"
+
+	# full system ROM (UEFI), to extract with UEFIExtract:
+	_bios="${appdir}/${dlsum}_extracted/Firmware"
+	_bios="${_bios}/1 ${dlsum} -- 1 System BIOS vA.28.bin"
+
+	# this is the SCH5545 firmware, inside of the extracted UEFI ROM:
+	_sch5545ec_fw="${_bios}.dump/4 7A9354D9-0468-444A-81CE-0BF617D890DF"
+	_sch5545ec_fw="${_sch5545ec_fw}/54 D386BEB8-4B54-4E69-94F5-06091F67E0D3"
+	_sch5545ec_fw="${_sch5545ec_fw}/0 Raw section/body.bin" # <-- this!
+
+	# this makes the file defined by _sch5545ec_fw available to copy
+	"${uefiextract}" "${_bios}" || \
+	    err "extract_sch5545ec: cannot extract from uefi image"
+
+	cp "${_sch5545ec_fw}" "${_sch5545ec_destination}" || \
+	    err "extract_sch5545ec: cannot copy sch5545ec firmware file"
+}
+
+fetch_update()
+{
+	printf "Fetching vendor update for board: %s\n" "${board}"
+
+	fw_type="${1}"
+	dl=""
+	dl_bkup=""
+	dlsum=""
+	if [ "${fw_type}" = "me" ]; then
+		dl=${dl_url}
+		dl_bkup=${dl_url_bkup}
+		dlsum=${dl_hash}
+	elif [ "${fw_type}" = "ec" ]; then
+		dl=${ec_url}
+		dl_bkup=${ec_url_bkup}
+		dlsum=${ec_hash}
+	elif [ "${fw_type}" = "e6400vga" ]; then
+		dl=${e6400_vga_dl_url}
+		dl_bkup=${e6400_vga_dl_url_bkup}
+		dlsum=${e6400_vga_dl_hash}
+	elif [ "${fw_type}" = "sch5545ec" ]; then
+		dl="${sch5545ec_dl_url}"
+		dl_bkup="${sch5545ec_dl_url_bkup}"
+		dlsum="${sch5545ec_dl_hash}"
+	else
+		err "fetch_update: Unsupported download type: ${fw_type}"
+	fi
+
+	[ -z "${dl_url+x}" ] && [ "${fw_type}" != "e6400vga" ] && \
+		err "fetch_update ${fw_type}: dl_url unspecified for: ${board}"
+
+	dl_path="${blobdir}/cache/${dlsum}"
+	mkdir -p "${blobdir}/cache" || err "fetch_update: !mkdir ${blobdir}/cache"
+
+	dl_fail="y"
+	vendor_checksum "${dlsum}" && dl_fail="n"
+	for x in "${dl}" "${dl_bkup}"; do
+		[ "${dl_fail}" = "n" ] && break
+		[ -z "${x}" ] && continue
+		rm -f "${dl_path}" || \
+		    err "fetch_update ${fw_type}: !rm -f ${dl_path}"
+		wget -U "${agent}" "${x}" -O "${dl_path}" || continue
+		vendor_checksum "${dlsum}" && dl_fail="n"
+	done
+	if [ "${dl_fail}" = "y" ]; then
+		printf "ERROR: invalid vendor updates for: %s\n" "${board}" 1>&2
+		err "fetch_update ${fw_type}: matched vendor update unavailable"
+	fi
+}
+
+vendor_checksum()
+{
+	if [ ! -f "${dl_path}" ]; then
+		printf "Vendor update not found on disk for: %s\n" "${board}" \
+		    1>&2
+		return 1
+	elif [ "$(sha1sum ${dl_path} | awk '{print $1}')" != "${1}" ]; then
+		printf "Bad checksum on vendor update for: %s\n" "${board}" 1>&2
+		return 1
+	fi
+}
+
+main $@
diff --git a/script/update/blobs/extract b/script/update/blobs/extract
new file mode 100755
index 00000000..fa76dfb5
--- /dev/null
+++ b/script/update/blobs/extract
@@ -0,0 +1,122 @@
+#!/usr/bin/env sh
+# script to automate extracting blobs from an existing vendor bios
+
+# SPDX-FileCopyrightText: 2022 Caleb La Grange <thonkpeasant@protonmail.com>
+# SPDX-FileCopyrightText: 2023 Leah Rowe <leah@libreboot.org>
+# SPDX-License-Identifier: GPL-3.0-only
+
+. "include/err.sh"
+
+sname=""
+board=""
+vendor_rom=""
+
+cbdir="coreboot/default"
+cbcfgsdir="resources/coreboot"
+ifdtool="${cbdir}/util/ifdtool/ifdtool"
+mecleaner="me_cleaner/me_cleaner.py"
+me7updateparser="resources/blobs/me7_update_parser.py"
+
+boarddir=""
+
+CONFIG_HAVE_MRC=""
+CONFIG_ME_BIN_PATH=""
+CONFIG_GBE_BIN_PATH=""
+CONFIG_IFD_BIN_PATH=""
+
+_me_destination=""
+_gbe_destination=""
+_ifd_destination=""
+
+main()
+{
+	sname=${0}
+	[ $# -lt 2 ] && err "Missing arguments (fewer than two)."
+
+	board="${1}"
+	vendor_rom="${2}"
+	boarddir="${cbcfgsdir}/${board}"
+
+	check_board
+	build_dependencies
+	extract_blobs
+}
+
+check_board()
+{
+	if [ ! -f "${vendor_rom}" ]; then
+		err "check_board: ${board}: file does not exist: ${vendor_rom}"
+	elif [ ! -d "${boarddir}" ]; then
+		err "check_board: ${board}: target not defined"
+	elif [ ! -f "${boarddir}/target.cfg" ]; then
+		err "check_board: ${board}: missing target.cfg"
+	fi
+}
+
+build_dependencies()
+{
+	if [ ! -d me_cleaner ]; then
+		./fetch me_cleaner || \
+		    err "build_dependencies: can't fetch me_cleaner"
+	elif [ ! -d "${cbdir}" ]; then
+		./fetch_trees coreboot default || \
+		    err "build_dependencies: can't fetch coreboot"
+	elif [ ! -f "${ifdtool}" ]; then
+		make -C "${ifdtool%/ifdtool}" || \
+		    err "build_dependencies: can't build ifdtool"
+	fi
+}
+
+extract_blobs()
+{
+	printf "extracting blobs for %s from %s\n" ${board} ${vendor_rom}
+
+	set -- "${boarddir}/config/"*
+	. "${1}"
+	. "${boarddir}/target.cfg"
+
+	[ "$CONFIG_HAVE_MRC" != "y" ] || \
+		./update blobs mrc || err "extract_blobs: can't fetch mrc"
+
+	_me_destination=${CONFIG_ME_BIN_PATH#../../}
+	_gbe_destination=${CONFIG_GBE_BIN_PATH#../../}
+	_ifd_destination=${CONFIG_IFD_BIN_PATH#../../}
+
+	extract_blob_intel_me
+	extract_blob_intel_gbe_nvm
+
+	# Cleans up other files extracted with ifdtool
+	rm -f flashregion*.bin || err "extract_blobs: !rm -f flashregion*.bin"
+
+	[ -f "${_ifd_destination}" ] || err "extract_blobs: Cannot extract IFD"
+	printf "gbe, ifd, and me extracted to %s\n" "${_me_destination%/*}"
+}
+
+extract_blob_intel_me()
+{
+	printf "extracting clean ime and modified ifd\n"
+
+	"${mecleaner}" -D "${_ifd_destination}" \
+		-M "${_me_destination}" "${vendor_rom}" -t -r -S || \
+	    "${me7updateparser}" \
+		-O "${_me_destination}" "${vendor_rom}" || \
+	    err "extract_blob_intel_me: cannot extract from vendor rom"
+}
+
+extract_blob_intel_gbe_nvm()
+{
+	printf "extracting gigabit ethernet firmware"
+	./"${ifdtool}" -x "${vendor_rom}" || \
+	    err "extract_blob_intel_gbe_nvm: cannot extract gbe.bin from rom"
+	mv flashregion*gbe.bin "${_gbe_destination}" || \
+	    err "extract_blob_intel_gbe_nvm: cannot move gbe.bin"
+}
+
+print_help()
+{
+	printf "Usage: ./update blobs extract {boardname} {path/to/vendor_rom}\n"
+	printf "Example: ./update blobs extract x230 12mb_flash.bin\n"
+	printf "\nYou need to specify exactly 2 arguments\n"
+}
+
+main $@
diff --git a/script/update/blobs/inject b/script/update/blobs/inject
new file mode 100755
index 00000000..bc6b55c9
--- /dev/null
+++ b/script/update/blobs/inject
@@ -0,0 +1,362 @@
+#!/usr/bin/env sh
+
+# SPDX-FileCopyrightText: 2022 Caleb La Grange <thonkpeasant@protonmail.com>
+# SPDX-FileCopyrightText: 2022 Ferass El Hafidi <vitali64pmemail@protonmail.com>
+# SPDX-FileCopyrightText: 2023 Leah Rowe <info@minifree.org>
+# SPDX-License-Identifier: GPL-3.0-only
+
+. "include/err.sh"
+
+sname=""
+archive=""
+_filetype=""
+rom=""
+board=""
+modifygbe=""
+new_mac=""
+release=""
+releasearchive=""
+
+cbdir="coreboot/default"
+cbcfgsdir="resources/coreboot"
+ifdtool="cbutils/default/ifdtool"
+cbfstool="cbutils/default/cbfstool"
+nvmutil="util/nvmutil/nvm"
+boarddir=""
+pciromsdir="pciroms"
+
+CONFIG_HAVE_MRC=""
+CONFIG_HAVE_ME_BIN=""
+CONFIG_ME_BIN_PATH=""
+CONFIG_KBC1126_FIRMWARE=""
+CONFIG_KBC1126_FW1=""
+CONFIG_KBC1126_FW1_OFFSET=""
+CONFIG_KBC1126_FW2=""
+CONFIG_KBC1126_FW2_OFFSET=""
+CONFIG_VGA_BIOS_FILE=""
+CONFIG_VGA_BIOS_ID=""
+CONFIG_GBE_BIN_PATH=""
+CONFIG_INCLUDE_SMSC_SCH5545_EC_FW=""
+CONFIG_SMSC_SCH5545_EC_FW_FILE=""
+
+main()
+{
+	sname="${0}"
+
+	[ $# -lt 1 ] && err "No options specified."
+	[ "${1}" = "listboards" ] && \
+		./build command options resources/coreboot && exit 0
+
+	archive="${1}"
+
+	while getopts r:b:m: option
+	do
+		case "${option}" in
+		r)
+			rom=${OPTARG} ;;
+		b)
+			board=${OPTARG} ;;
+		m)
+			modifygbe=true
+			new_mac=${OPTARG} ;;
+		esac
+	done
+
+	check_board
+	build_dependencies
+	inject_blobs
+
+	printf "Friendly reminder (this is *not* an error message):\n"
+	printf "Please always ensure that the files were inserted correctly.\n"
+	printf "Read: https://libreboot.org/docs/install/ivy_has_common.html\n"
+}
+
+check_board()
+{
+	if ! check_release "${archive}" ; then
+		[ -f "${rom}" ] || \
+			err "check_board: \"${rom}\" is not a valid path"
+		[ -z ${rom+x} ] && \
+			err "check_board: no rom specified"
+		[ ! -z ${board+x} ] || \
+			board=$(detect_board "${rom}")
+	else
+		release=true
+		releasearchive="${archive}"
+		board=$(detect_board "${archive}")
+	fi
+
+	boarddir="${cbcfgsdir}/${board}"
+	if [ ! -d "${boarddir}" ]; then
+		err "check_board: board ${board} not found"
+	fi
+}
+
+check_release()
+{
+	[ -f "${archive}" ] || return 1
+	[ "${archive##*.}" = "xz" ] || return 1
+	printf "%s\n" "Release archive ${archive} detected"
+}
+
+# This function tries to determine the board from the filename of the rom.
+# It will only succeed if the filename is not changed from the build/download
+detect_board()
+{
+	path="${1}"
+	filename=$(basename ${path})
+	case ${filename} in
+	grub_*)
+		board=$(echo "${filename}" | cut -d '_' -f2-3) ;;
+	seabios_withgrub_*)
+		board=$(echo "${filename}" | cut -d '_' -f3-4) ;;
+	*.tar.xz)
+		_stripped_prefix=${filename#*_}
+		board="${_stripped_prefix%.tar.xz}" ;;
+	*)
+		err "detect_board: could not detect board type"
+	esac	
+	[ -d "${boarddir}/" ] || \
+	    err "detect_board: dir, ${boarddir}, doesn't exist"
+	printf '%s\n' "${board}"
+}
+
+build_dependencies()
+{
+	[ -d "${cbdir}" ] || ./fetch_trees coreboot default
+	./build coreboot utils default || \
+	    err "build_dependencies: could not build cbutils"
+	./update blobs download ${board} || \
+	    err "build_dependencies: Could not download blobs for ${board}"
+}
+
+inject_blobs()
+{
+	if [ "${release}" = "true" ]; then
+		printf "patching release file\n"
+		patch_release_roms
+	else
+		patch_rom "${rom}" || \
+		    err "inject_blobs: could not patch ${x}"
+	fi
+}
+
+patch_release_roms()
+{
+	_tmpdir=$(mktemp -d "/tmp/${board}_tmpXXXX")
+	tar xf "${releasearchive}" -C "${_tmpdir}" || \
+	    err "patch_release_roms: could not extract release archive"
+
+	for x in "${_tmpdir}"/bin/*/*.rom ; do
+		echo "patching rom $x"
+		patch_rom "${x}" || err "patch_release_roms: could not patch ${x}"
+	done
+
+	(
+	cd "${_tmpdir}"/bin/*
+	sha1sum --status -c blobhashes || \
+	    err "patch_release_roms: ROMs did not match expected hashes"
+	)
+
+	if [ "${modifygbe}" = "true" ]; then
+		for x in "${_tmpdir}"/bin/*/*.rom ; do
+			modify_gbe "${x}"
+		done
+	fi
+
+	[ -d bin/release ] || mkdir -p bin/release || \
+	    err "patch_release_roms: !mkdir -p bin/release"
+	mv "${_tmpdir}"/bin/* bin/release/ || \
+	    err "patch_release_roms: !mv ${_tmpdir}/bin/* bin/release/"
+
+	printf "Success! Your ROMs are in bin/release\n"
+
+	rm -Rf "${_tmpdir}" || err "patch_release_roms: !rm -Rf ${_tmpdir}"
+}
+
+patch_rom()
+{
+	rom="${1}"
+
+	no_config="printf \"No configs on target, %s\\n\" ${board} 1>&2; exit 1"
+	for x in "${boarddir}"/config/*; do
+		[ -f "${x}" ] && no_config=""
+	done
+	eval "${no_config}"
+
+	[ -f "${boarddir}/target.cfg" ] || \
+	    err "patch_rom: file missing: ${boarddir}/target.cfg"
+
+	set -- "${boarddir}/config/"*
+	. "${1}"
+	. "${boarddir}/target.cfg"
+
+	[ "$CONFIG_HAVE_MRC" = "y" ] && \
+		inject_blob_intel_mrc "${rom}"
+	[ "${CONFIG_HAVE_ME_BIN}" = "y" ] && \
+		inject_blob_intel_me "${rom}"
+	[ "${CONFIG_KBC1126_FIRMWARE}" = "y" ] && \
+		inject_blob_hp_kbc1126_ec "${rom}"
+	[ "${CONFIG_VGA_BIOS_FILE}" != "" ] && \
+	    [ "${CONFIG_VGA_BIOS_ID}" != "" ] && \
+		inject_blob_dell_e6400_vgarom_nvidia
+	[ "${CONFIG_INCLUDE_SMSC_SCH5545_EC_FW}" = "y" ] && \
+	    [ "${CONFIG_SMSC_SCH5545_EC_FW_FILE}" != "" ] && \
+		inject_blob_smsc_sch5545_ec "${rom}"
+	[ "${modifygbe}" = "true" ] && ! [ "${release}" = "true" ] && \
+		modify_gbe "${rom}"
+
+	printf "ROM image successfully patched: %s\n" "${rom}"
+}
+
+inject_blob_intel_mrc()
+{
+	rom="${1}"
+
+	printf 'adding mrc\n'
+
+	# mrc.bin must be inserted at a specific offset. the only
+	# libreboot platform that needs it, at present, is haswell
+
+	# in cbfstool, -b values above 0x80000000 are interpreted as
+	# top-aligned x86 memory locations. this is converted into an
+	# absolute offset within the flash, and inserted accordingly
+	# at that offset into the ROM image file
+
+	# coreboot's own build system hardcodes the mrc.bin offset
+	# because there is only one correct location in memory, but
+	# it would be useful for lbmk if it could be easily scanned
+	# from Kconfig, with the option to change it where in practise
+	# it is not changed
+
+	# the hardcoded offset below is based upon reading of the coreboot
+	# source code, and it is *always* correct for haswell platform.
+	# TODO: this logic should be tweaked to handle more platforms
+
+	"${cbfstool}" "${rom}" add -f mrc/haswell/mrc.bin -n mrc.bin -t mrc \
+	    -b 0xfffa0000 || err "inject_blob_intel_mrc: cannot insert mrc.bin"
+}
+
+inject_blob_intel_me()
+{
+	printf 'adding intel management engine\n'
+
+	rom="${1}"
+	[ -z ${CONFIG_ME_BIN_PATH} ] && \
+		err "inject_blob_intel_me: CONFIG_ME_BIN_PATH not set"
+
+	_me_location=${CONFIG_ME_BIN_PATH#../../}
+	[ ! -f "${_me_location}" ] && \
+		err "inject_blob_intel_me: per CONFIG_ME_BIN_PATH: file missing"
+
+	"${ifdtool}" -i me:"${_me_location}" "${rom}" -O "${rom}" || \
+	    err "inject_blob_intel_me: cannot insert me.bin"
+}
+
+inject_blob_hp_kbc1126_ec()
+{
+	rom="${1}"
+
+	_ec1_location="${CONFIG_KBC1126_FW1#../../}"
+	_ec1_offset="${CONFIG_KBC1126_FW1_OFFSET}"
+	_ec2_location="${CONFIG_KBC1126_FW2#../../}"
+	_ec2_offset="${CONFIG_KBC1126_FW2_OFFSET}"
+
+	printf "adding hp kbc1126 ec firmware\n"
+
+	if [ "${_ec1_offset}" = "" ] || [ "${_ec1_offset}" = "" ]; then
+		err "inject_blob_hp_kbc1126_ec: ${board}: offset not declared"
+	fi
+	if [ "${_ec1_location}" = "" ] || [ "${_ec2_location}" = "" ]; then
+		err "inject_blob_hp_kbc1126_ec: ${board}: EC path not declared"
+	fi
+	if [ ! -f "${_ec1_location}" ] || [ ! -f "${_ec2_location}" ]; then
+		err "inject_blob_hp_kbc1126_ec: ${board}: ecfw not downloaded"
+	fi
+
+	"${cbfstool}" "${rom}" add -f "${_ec1_location}" -n ecfw1.bin \
+	    -b ${_ec1_offset} -t raw || \
+	    err "inject_blob_hp_kbc1126_ec: cannot insert ecfw1.bin"
+	"${cbfstool}" "${rom}" add -f "${_ec2_location}" -n ecfw2.bin \
+	    -b ${_ec2_offset} -t raw || \
+	    err "inject_blob_hp_kbc1126_ec: cannot insert ecfw2.bin"
+}
+
+inject_blob_dell_e6400_vgarom_nvidia()
+{
+	rom="${1}"
+
+	_vga_location="${CONFIG_VGA_BIOS_FILE#../../}"
+	_vga_dir="${_vga_location%/*}"
+	_vga_filename="${_vga_location##*/}"
+
+	printf "adding pci option rom\n"
+
+	if [ "${_vga_dir}" != "${pciromsdir}" ]; then
+		err "inject_blob_dell_e6400vga: invalid pcirom dir: ${_vga_dir}"
+	fi
+	if [ ! -f "${_vga_location}" ]; then
+		err "inject_blob_dell_e6400vga: ${_vga_location} doesn't exist"
+	fi
+
+	"${cbfstool}" "${rom}" add -f "${_vga_location}" \
+	    -n "pci${CONFIG_VGA_BIOS_ID}.rom" -t optionrom || \
+	    err "inject_blob_dell_e6400vga: cannot insert vga oprom"
+}
+
+inject_blob_smsc_sch5545_ec()
+{
+	rom="${1}"
+
+	_sch5545ec_location="${CONFIG_SMSC_SCH5545_EC_FW_FILE#../../}"
+
+	if [ ! -f "${_sch5545ec_location}" ]; then
+		err "inject_blob_smsc_sch5545_ec: SCH5545 fw missing"
+	fi
+
+	"${cbfstool}" "${rom}" add -f "${_sch5545ec_location}" \
+	    -n sch5545_ecfw.bin -t raw || \
+	    err "inject_blob_smsc_sch5545_ec: can't insert sch5545_ecfw.bin"
+}
+
+modify_gbe()
+{
+	printf "changing mac address in gbe to ${new_mac}\n"
+
+	rom="${1}"
+
+	[ -z ${CONFIG_GBE_BIN_PATH} ] && \
+		err "modify_gbe: ${board}: CONFIG_GBE_BIN_PATH not set"
+
+	_gbe_location=${CONFIG_GBE_BIN_PATH#../../}
+
+	[ -f "${_gbe_location}" ] || \
+		err "modify_gbe: CONFIG_GBE_BIN_PATH points to missing file"
+	[ -f "${nvmutil}" ] || \
+		make -C util/nvmutil || err "modify_gbe: couldn't build nvmutil"
+
+	_gbe_tmp=$(mktemp -t gbeXXXX.bin)
+	cp "${_gbe_location}" "${_gbe_tmp}"
+	"${nvmutil}" "${_gbe_tmp}" setmac "${new_mac}" || \
+	    err "modify_gbe: ${board}: failed to modify mac address"
+
+	"${ifdtool}" -i GbE:"${_gbe_tmp}" "${rom}" -O "${rom}" || \
+	    err "modify_gbe: ${board}: cannot insert modified gbe.bin"
+
+	rm -f "${_gbe_tmp}"
+}
+
+usage()
+{
+	cat <<- EOF
+	USAGE: ./update blobs inject -r [rom path] -b [boardname] -m [macaddress]
+	Example: ./update blobs inject -r x230_12mb.rom -b x230_12mb
+
+	Adding a macadress to the gbe is optional.
+	If the [-m] parameter is left blank, the gbe will not be touched.
+
+	Type './update blobs inject listboards' to get a list of valid boards
+	EOF
+}
+
+main $@
diff --git a/script/update/blobs/mrc b/script/update/blobs/mrc
new file mode 100755
index 00000000..c069e678
--- /dev/null
+++ b/script/update/blobs/mrc
@@ -0,0 +1,184 @@
+#!/usr/bin/env sh
+
+# Download Intel MRC images
+#
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, version 2 of the License.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+[ "x${DEBUG+set}" = 'xset' ] && set -v
+set -u -e
+
+. "include/err.sh"
+
+export PATH="${PATH}:/sbin"
+
+# This file is forked from util/chromeos/crosfirmware.sh in coreboot cfc26ce278
+# Changes to it in *this version* are copyright 2021 and 2023 Leah Rowe, under
+# the same license as above.
+
+# use updated manifest from wayback machine, when updating mrc.bin,
+# and update the other variables below accordingly. current manifest used:
+# https://web.archive.org/web/20210211071412/https://dl.google.com/dl/edgedl/chromeos/recovery/recovery.conf
+
+# the wayback machine is used so that we get the same manifest. google
+# does not seem to version the manifest, but archives are available
+
+# variables taken from that manifest:
+
+_board="peppy"
+_file="chromeos_12239.92.0_peppy_recovery_stable-channel_mp-v3.bin"
+_url="https://dl.google.com/dl/edgedl/chromeos/recovery/chromeos_12239.92.0_peppy_recovery_stable-channel_mp-v3.bin.zip"
+_url2="https://web.archive.org/web/20200516070928/https://dl.google.com/dl/edgedl/chromeos/recovery/chromeos_12239.92.0_peppy_recovery_stable-channel_mp-v3.bin.zip"
+_sha1sum="cd5917cbe7f821ad769bf0fd87046898f9e175c8"
+_mrc_complete_hash="d18de1e3d52c0815b82ea406ca07897c56c65696"
+_mrc_complete="mrc/haswell/mrc.bin"
+
+cbdir="coreboot/default"
+cbfstool="cbutils/default/cbfstool"
+
+sname=""
+
+main()
+{
+	sname=${0}
+	printf "Downloading Intel MRC blobs\n"
+
+	check_existing || return 0
+	build_dependencies
+	fetch_mrc || err "could not fetch mrc.bin"
+}
+
+check_existing()
+{
+	[ -f "${_mrc_complete}" ] || \
+		return 0
+	printf 'found existing mrc.bin\n'
+	[ "$(sha1sum "${_mrc_complete}" | awk '{print $1}')" \
+	    = "${_mrc_complete_hash}" ] && \
+		return 1
+	printf 'hashes did not match, starting over\n'
+}
+
+build_dependencies()
+{
+	[ -d "${cbdir}/" ] || ./fetch_trees coreboot default || \
+	    err "build_dependencies: cannot fetch coreboot/default"
+	./build coreboot utils default || \
+	    err "build_dependencies: cannot build cbutils/default"
+}
+
+fetch_mrc()
+{
+	mkdir -p mrc/haswell/ || err "fetch_mrc: !mkdir mrc/haswell"
+
+	(
+	cd mrc/haswell/ || err "fetch_mrc: !cd mrc/haswell"
+
+	download_image "${_url}" "${_file}" "${_sha1sum}"
+	[ -f ${_file} ] || \
+		download_image "${_url2}" "${_file}" "${_sha1sum}"
+	[ -f $_file ] || \
+		err "fetch_mrc: ${_file} not downloaded / verification failed."
+
+	extract_partition ROOT-A "${_file}" root-a.ext2
+	extract_shellball root-a.ext2 chromeos-firmwareupdate-${_board}
+
+	extract_coreboot chromeos-firmwareupdate-${_board}
+
+	../../"${cbfstool}" coreboot-*.bin extract -f mrc.bin -n mrc.bin \
+	    -r RO_SECTION || err "fetch_mrc: could not fetch mrc.bin"
+	rm -f "chromeos-firmwareupdate-${_board}" coreboot-*.bin \
+	    "${_file}" "root-a.ext2" || err "fetch_mrc: cannot remove files"
+
+	printf "\n\nmrc.bin saved to ${_mrc_complete}\n\n"
+	)
+}
+
+download_image()
+{
+	url=${1}
+	_file=${2}
+	_sha1sum=${3}
+
+	printf "Downloading recovery image\n"
+	curl "$url" > "$_file.zip" || err "download_image: curl failed"
+	printf "Verifying recovery image checksum\n"
+	if [ "$(sha1sum "${_file}.zip" | awk '{print $1}')" = "${_sha1sum}" ]
+	then
+		unzip -q "${_file}.zip" || err "download_image: cannot unzip"
+		rm -f "${_file}.zip" || err "download_image: can't rm zip {1}"
+		return 0
+	fi
+	rm -f "${_file}.zip" || err "download_image: bad hash, and can't rm zip"
+	err "download_image: Bad checksum. Recovery image deleted"
+}
+
+extract_partition()
+{
+	NAME=${1}
+	FILE=${2}
+	ROOTFS=${3}
+	_bs=1024
+
+	printf "Extracting ROOT-A partition\n"
+	ROOTP=$( printf "unit\nB\nprint\nquit\n" | \
+	    parted "${FILE}" 2>/dev/null | grep "${NAME}" )
+
+	START=$(( $( echo ${ROOTP} | cut -f2 -d\ | tr -d "B" ) ))
+	SIZE=$(( $( echo ${ROOTP} | cut -f4 -d\ | tr -d "B" ) ))
+
+	dd if="${FILE}" of="${ROOTFS}" bs=${_bs} skip=$(( ${START} / ${_bs} )) \
+	    count=$(( ${SIZE} / ${_bs} )) || \
+	    err "extract_partition: can't extract root file system"
+}
+
+extract_shellball()
+{
+	ROOTFS=${1}
+	SHELLBALL=${2}
+
+	printf "Extracting chromeos-firmwareupdate\n"
+	printf "cd /usr/sbin\ndump chromeos-firmwareupdate ${SHELLBALL}\nquit" \
+	    | debugfs "${ROOTFS}" || err "extract_shellball: debugfs"
+}
+
+extract_coreboot()
+{
+	_shellball=${1}
+	_unpacked=$( mktemp -d )
+
+	printf "Extracting coreboot image\n"
+
+	[ -f "${_shellball}" ] || \
+	    err "extract_coreboot: shellball missing in google peppy image"
+
+	sh "${_shellball}" --unpack "${_unpacked}" || \
+	    err "extract_coreboot: shellball exits with non-zero status"
+
+	# TODO: audit the f* out of that shellball, for each mrc version.
+	# it has to be updated for each mrc update. we should ideally
+	# implement the functionality ourselves.
+
+	[ -f "${_unpacked}/VERSION" ] || \
+	    err "extract_coreboot: VERSION file missing on google coreboot rom"
+
+	_version=$( cat "${_unpacked}/VERSION" | grep BIOS\ version: | \
+	    cut -f2 -d: | tr -d \  )
+
+	cp "${_unpacked}/bios.bin" "coreboot-${_version}.bin" || \
+	    err "extract_coreboot: cannot copy google peppy rom"
+	rm -Rf "${_unpacked}" || \
+	    err "extract_coreboot: cannot remove extracted google peppy archive"
+}
+
+main $@