diff options
| -rw-r--r-- | util/e6400-flash-unlock/Makefile | 8 | ||||
| -rw-r--r-- | util/e6400-flash-unlock/README.md | 35 | ||||
| -rw-r--r-- | util/e6400-flash-unlock/accessors.c | 91 | ||||
| -rw-r--r-- | util/e6400-flash-unlock/accessors.h | 17 | ||||
| -rw-r--r-- | util/e6400-flash-unlock/e6400_flash_unlock.c | 182 |
5 files changed, 277 insertions, 56 deletions
diff --git a/util/e6400-flash-unlock/Makefile b/util/e6400-flash-unlock/Makefile index cf8e7845..41a90482 100644 --- a/util/e6400-flash-unlock/Makefile +++ b/util/e6400-flash-unlock/Makefile @@ -3,9 +3,13 @@ CC=cc CFLAGS=-Wall -Wextra -Werror -O2 -pedantic +ifeq ($(shell uname), OpenBSD) + CFLAGS += -l$(shell uname -p) +endif +SRCS=e6400_flash_unlock.c accessors.c -all: e6400_flash_unlock.c - $(CC) $(CFLAGS) e6400_flash_unlock.c -o e6400_flash_unlock +all: $(SRCS) accessors.h + $(CC) $(CFLAGS) $(SRCS) -o e6400_flash_unlock clean: rm -f e6400_flash_unlock diff --git a/util/e6400-flash-unlock/README.md b/util/e6400-flash-unlock/README.md index 410a807a..bc9dd9f9 100644 --- a/util/e6400-flash-unlock/README.md +++ b/util/e6400-flash-unlock/README.md @@ -1,13 +1,44 @@ -# Dell Latitude E6400 Internal Flashing +# Dell Laptop Internal Flashing This utility allows you to use flashrom's internal programmer to program the entire BIOS flash chip from software while still running the original Dell -BIOS, which normally restricts software writes to the flash chip. +BIOS, which normally restricts software writes to the flash chip. It seems like +this works on any Dell laptop that has an EC similar to the SMSC MEC5035 on the +E6400, which mainly seem to be the Latitude and Precision lines starting from +around 2008 (E6400 era). ## TL;DR Run `make` to compile the utility, and then run `sudo ./e6400_flash_unlock` and follow the directions it outputs. +## Confirmed supported devices +- Latitude E6400 +- Latitude E6410 +- Latitude E4310 +- Latitude E6430 +- Precision M6800 + +It is likely that any other Latitude/Precision laptops from the same era as +devices specifically mentioned in the above list will work as Dell seems to use +the same ECs in one generation. + +## Detailed device specific behavior +- On GM45 era laptops, the expected behavior is that you will run the utility + for the first time, which will tell the EC to set the descriptor override on + the next boot. Then you will need to shut down the system, after which the + system will automatically boot up. You should then re-run the utility to + disable SMM, after which you can run flashrom. Finally, you should run the + utility a third time to reenable SMM so that shutdown works properly + afterwards. +- On 1st Generation Intel Core systems such as the E6410 and newer, run the + utility and shutdown in the same way as the E6400. However, it seems like the + EC no longer automatically boots the system. In this case you should manually + power it on. It also seems that the firmware does not set the BIOS Lock bit + when the descriptor override is set, making the 2nd run after the reboot + technically unnecessary. There is no harm in rerunning it though, as the + utility can detect when the flash is unlocked and perform the correct steps + as necessary. + ## How it works There are several ways the firmware can protect itself from being overwritten. One way is the Intel Flash Descriptor (IFD) permissions. On Intel systems, the diff --git a/util/e6400-flash-unlock/accessors.c b/util/e6400-flash-unlock/accessors.c new file mode 100644 index 00000000..6fca2817 --- /dev/null +++ b/util/e6400-flash-unlock/accessors.c @@ -0,0 +1,91 @@ +/* SPDX-License-Identifier: MIT */ +/* SPDX-FileCopyrightText: 2023 Nicholas Chin */ + +#if defined(__linux__) +#include <sys/io.h> +#endif + +#if defined(__OpenBSD__) +#include <machine/sysarch.h> +#include <sys/types.h> +#if defined(__amd64__) +#include <amd64/pio.h> +#elif defined(__i386__) +#include <i386/pio.h> +#endif /* __i386__ */ +#endif /* __OpenBSD__ */ + +#include <errno.h> + +#include "accessors.h" + +uint32_t +pci_read_32(uint32_t dev, uint8_t reg) +{ + sys_outl(PCI_CFG_ADDR, dev | reg); + return sys_inl(PCI_CFG_DATA); +} + +void +pci_write_32(uint32_t dev, uint8_t reg, uint32_t value) +{ + sys_outl(PCI_CFG_ADDR, dev | reg); + sys_outl(PCI_CFG_DATA, value); +} + +void +sys_outb(unsigned int port, uint8_t data) +{ + #if defined(__linux__) + outb(data, port); + #endif + #if defined(__OpenBSD__) + outb(port, data); + #endif +} + +void +sys_outl(unsigned int port, uint32_t data) +{ + #if defined(__linux__) + outl(data, port); + #endif + #if defined(__OpenBSD__) + outl(port, data); + #endif +} + +uint8_t +sys_inb(unsigned int port) +{ + #if defined(__linux__) || defined (__OpenBSD__) + return inb(port); + #endif + return 0; +} + +uint32_t +sys_inl(unsigned int port) +{ + #if defined(__linux__) || defined (__OpenBSD__) + return inl(port); + #endif + return 0; +} + +int +sys_iopl(int level) +{ +#if defined(__linux__) + return iopl(level); +#endif +#if defined(__OpenBSD__) +#if defined(__i386__) + return i386_iopl(level); +#elif defined(__amd64__) + return amd64_iopl(level); +#endif /* __amd64__ */ +#endif /* __OpenBSD__ */ + errno = ENOSYS; + return -1; +} diff --git a/util/e6400-flash-unlock/accessors.h b/util/e6400-flash-unlock/accessors.h new file mode 100644 index 00000000..a19f2152 --- /dev/null +++ b/util/e6400-flash-unlock/accessors.h @@ -0,0 +1,17 @@ +/* SPDX-License-Identifier: MIT */ +/* SPDX-FileCopyrightText: 2023 Nicholas Chin */ + +#include <stdint.h> + +#define PCI_CFG_ADDR 0xcf8 +#define PCI_CFG_DATA 0xcfc +#define PCI_DEV(bus, dev, func) (1u << 31 | bus << 16 | dev << 11 | func << 8) + +uint32_t pci_read_32(uint32_t dev, uint8_t reg); +void pci_write_32(uint32_t dev, uint8_t reg, uint32_t value); + +int sys_iopl(int level); +void sys_outb(unsigned int port, uint8_t data); +void sys_outl(unsigned int port, uint32_t data); +uint8_t sys_inb(unsigned int port); +uint32_t sys_inl(unsigned int port); diff --git a/util/e6400-flash-unlock/e6400_flash_unlock.c b/util/e6400-flash-unlock/e6400_flash_unlock.c index d18970be..174a1c92 100644 --- a/util/e6400-flash-unlock/e6400_flash_unlock.c +++ b/util/e6400-flash-unlock/e6400_flash_unlock.c @@ -1,7 +1,6 @@ /* SPDX-License-Identifier: MIT */ /* SPDX-FileCopyrightText: 2023 Nicholas Chin */ -#include <sys/io.h> #include <sys/mman.h> #include <err.h> @@ -10,67 +9,93 @@ #include <stdint.h> #include <stdio.h> #include <stdlib.h> +#include <unistd.h> -enum -EC_FDO_CMD { - QUERY = 0, - SET_OVERRIDE = 2, - UNSET_OVERRIDE = 3 -}; +#include "accessors.h" int get_fdo_status(void); -void ec_fdo_command(enum EC_FDO_CMD arg); +int check_lpc_decode(void); +void ec_set_fdo(); void write_ec_reg(uint8_t index, uint8_t data); void send_ec_cmd(uint8_t cmd); -void wait_ec(void); -int get_gbl_smi_en(void); +int wait_ec(void); +int check_bios_write_en(void); int set_gbl_smi_en(int enable); +int get_gbl_smi_en(void); #define EC_INDEX 0x910 #define EC_DATA 0x911 -#define PMBASE 0x1000 -#define SMI_EN_REG (PMBASE + 0x30) +#define EC_ENABLE_FDO 2 -/* Assume this is the same on all vendor BIOS versions */ -#define RCBA 0xfed18000 +#define LPC_DEV PCI_DEV(0, 0x1f, 0) #define RCBA_MMIO_LEN 0x4000 + +/* Register offsets */ #define SPIBAR 0x3800 #define HSFS_REG 0x04 +#define SMI_EN_REG 0x30 volatile uint8_t *rcba_mmio; +uint16_t pmbase; int main(int argc, char *argv[]) { - int devmemfd; (void)argc; (void)argv; + int devmemfd; + (void)argc; + (void)argv; - if ((ioperm(EC_INDEX, 2, 1) == -1) || (ioperm(SMI_EN_REG, 4, 1) == -1)) + if (sys_iopl(3) == -1) err(errno, "Could not access IO ports"); if ((devmemfd = open("/dev/mem", O_RDONLY)) == -1) err(errno, "/dev/mem"); + /* Read RCBA and PMBASE from the LPC config registers */ + long int rcba = pci_read_32(LPC_DEV, 0xf0) & 0xffffc000; + pmbase = pci_read_32(LPC_DEV, 0x40) & 0xff80; + /* FDO pin-strap status bit is in RCBA mmio space */ rcba_mmio = mmap(0, RCBA_MMIO_LEN, PROT_READ, MAP_SHARED, devmemfd, - RCBA); + rcba); if (rcba_mmio == MAP_FAILED) err(errno, "Could not map RCBA"); - if (get_fdo_status() == 1) { - ec_fdo_command(SET_OVERRIDE); - printf("Flash Descriptor Override enabled. Shut down now. The " - "EC will auto-boot the system and set the override.\n" - "Upon boot, re-run this utility to unlock flash.\n"); - } else if (get_gbl_smi_en()){ - set_gbl_smi_en(0); - printf("SMIs disabled. Internal flashing should work now.\n" - "After flashing, re-run this utility to enable SMIs.\n" - "(shutdown is buggy when SMIs are disabled)\n"); - } else { - set_gbl_smi_en(1); - printf("SMIs enabled, you can now shutdown the system.\n"); + if (get_fdo_status() == 1) { /* Descriptor not overridden */ + if (check_lpc_decode() == -1) + err(errno = ECANCELED, "Can't forward I/O to LPC"); + + printf("Sending FDO override command to EC:\n"); + ec_set_fdo(); + printf("Flash Descriptor Override enabled.\n" + "Shut down (don't reboot) now.\n\n" + "The EC may auto-boot on some systems; if not then " + "manually power on.\n When the system boots rerun " + "this utility to finish unlocking.\n"); + } else if (check_bios_write_en() == 0) { + /* SMI locks in place, try disabling SMIs to bypass them */ + if (set_gbl_smi_en(0)) { + printf("SMIs disabled. Internal flashing should work " + "now.\n After flashing, re-run this utility " + "to enable SMIs.\n (shutdown is buggy when " + "SMIs are disabled)\n"); + } else { + err(errno = ECANCELED, "Could not disable SMIs!"); + } + } else { /* SMI locks not in place or bypassed */ + if (get_gbl_smi_en()) { + /* SMIs are still enabled, assume this is an Exx10 + * or newer which don't need the SMM bypass */ + printf("Flash is unlocked.\n" + "Internal flashing should work.\n"); + } else { + /* SMIs disabled, assume this is an Exx00 after + * unlocking and flashing */ + set_gbl_smi_en(1); + printf("SMIs enabled.\n" + "You can now shutdown the system.\n"); + } } - return errno; } @@ -80,60 +105,113 @@ get_fdo_status(void) return (*(uint16_t*)(rcba_mmio + SPIBAR + HSFS_REG) >> 13) & 1; } -/* - * arg: - * 0 = Query EC FDO status - TODO - * 2 = Enable FDO for next boot - * 3 = Disable FDO for next boot - TODO - */ +int +check_lpc_decode(void) +{ + /* Check that at a Generic Decode Range Register is set up to + * forward I/O ports 0x910 and 0x911 over LPC for the EC */ + int i = 0; + int gen_dec_free = -1; + for (; i < 4; i++) { + uint32_t reg_val = pci_read_32(LPC_DEV, 0x84 + 4*i); + uint16_t base_addr = reg_val & 0xfffc; + uint16_t mask = ((reg_val >> 16) & 0xfffc) | 0x3; + + /* Bit 0 is the enable for each decode range. If disabled, note + * this register as available to add our own range decode */ + if ((reg_val & 1) == 0) + gen_dec_free = i; + + /* Check if the current range register matches port 0x910. + * 0x911 doesn't need to be checked as the LPC bridge only + * decodes at the dword level, and thus a check is redundant */ + if ((0x910 & ~mask) == base_addr) { + return 0; + } + } + + /* No matching range found, try setting a range in a free register */ + if (gen_dec_free != -1) { + /* Set up an I/O decode range from 0x910-0x913 */ + pci_write_32(LPC_DEV, 0x84 + 4 * gen_dec_free, 0x911); + return 0; + } else { + return -1; + } +} + void -ec_fdo_command(enum EC_FDO_CMD arg) +ec_set_fdo() { - write_ec_reg(0x12, arg); + /* EC FDO command arguments for reference: + * 0 = Query EC FDO status + * 2 = Enable FDO for next boot + * 3 = Disable FDO for next boot */ + write_ec_reg(0x12, EC_ENABLE_FDO); send_ec_cmd(0xb8); } void write_ec_reg(uint8_t index, uint8_t data) { - outb(index, EC_INDEX); - outb(data, EC_DATA); + sys_outb(EC_INDEX, index); + sys_outb(EC_DATA, data); } void send_ec_cmd(uint8_t cmd) { - outb(0, EC_INDEX); - outb(cmd, EC_DATA); - wait_ec(); + sys_outb(EC_INDEX, 0); + sys_outb(EC_DATA, cmd); + if (wait_ec() == -1) + err(errno = ECANCELED, "Timeout while waiting for EC!"); } -void +int wait_ec(void) { uint8_t busy; + int timeout = 1000; do { - outb(0, EC_INDEX); - busy = inb(EC_DATA); - } while (busy); + sys_outb(EC_INDEX, 0); + busy = sys_inb(EC_DATA); + timeout--; + usleep(1000); + } while (busy && timeout > 0); + return timeout > 0 ? 0 : -1; } int -get_gbl_smi_en(void) +check_bios_write_en(void) { - return inl(SMI_EN_REG) & 1; + uint8_t bios_cntl = pci_read_32(LPC_DEV, 0xdc) & 0xff; + /* Bit 5 = SMM BIOS Write Protect Disable (SMM_BWP) + * Bit 1 = BIOS Lock Enable (BLE) + * If both are 0, then there's no write protection */ + if ((bios_cntl & 0x22) == 0) + return 1; + + /* SMM protection is enabled, but try enabling writes + * anyway in case the vendor SMM code doesn't reset it */ + pci_write_32(LPC_DEV, 0xdc, bios_cntl | 0x1); + return pci_read_32(LPC_DEV, 0xdc) & 0x1; } int set_gbl_smi_en(int enable) { - uint32_t smi_en = inl(SMI_EN_REG); + uint32_t smi_en = sys_inl(pmbase + SMI_EN_REG); if (enable) { smi_en |= 1; } else { smi_en &= ~1; } - outl(smi_en, SMI_EN_REG); + sys_outl(pmbase + SMI_EN_REG, smi_en); return (get_gbl_smi_en() == enable); } +int +get_gbl_smi_en(void) +{ + return sys_inl(pmbase + SMI_EN_REG) & 1; +} |