10 files changed, 1412 insertions, 1046 deletions

diff --git a/include/get.sh b/include/get.sh
new file mode 100644
index 00000000..a3328454
--- /dev/null
+++ b/include/get.sh
@@ -0,0 +1,162 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+# Copyright (c) 2020-2021,2023-2025 Leah Rowe <leah@libreboot.org>
+# Copyright (c) 2022 Caleb La Grange <thonkpeasant@protonmail.com>
+
+eval "`setvars "" loc url bkup_url subcurl subhash subgit subgit_bkup \
+    depend subcurl_bkup repofail`"
+
+tmpgit="$xbloc/gitclone"
+tmpgitcache="$XBMK_CACHE/tmpgit"
+
+fetch_targets()
+{
+	[ -d "src/$project/$tree" ] || git_prep "$url" "$bkup_url" \
+	    "$xbmkpwd/$configdir/$tree/patches" "src/$project/$tree" submod; :
+}
+
+fetch_project()
+{
+	eval "`setvars "" xtree`"
+	eval "`setcfg "config/git/$project/pkg.cfg"`"
+
+	chkvars url bkup_url && [ -n "$xtree" ] && x_ ./mk -f coreboot "$xtree"
+	[ -z "$depend" ] || for d in $depend ; do
+		x_ ./mk -f $d
+	done
+	clone_project
+}
+
+clone_project()
+{
+	loc="$XBMK_CACHE/clone/$project" && singletree "$project" && \
+	    loc="src/$project"
+
+	e "$loc" d missing && remkdir "${tmpgit%/*}" && git_prep \
+	    "$url" "$bkup_url" "$xbmkpwd/config/$project/patches" "$loc"; :
+}
+
+git_prep()
+{
+	printf "Creating code directory, src/%s/%s\n" "$project" "$tree"
+
+	_patchdir="$3"
+	_loc="$4" # $1 and $2 are gitrepo and gitrepo_backup
+
+	chkvars rev
+	xbget git "$1" "$2" "$tmpgit" "$rev" "$_patchdir"
+	if singletree "$project" || [ $# -gt 4 ]; then
+		dx_ fetch_submodule "$mdir/module.list"
+	fi
+
+	[ "$_loc" = "${_loc%/*}" ] || x_ mkdir -p "${_loc%/*}"
+	x_ mv "$tmpgit" "$_loc"
+}
+
+fetch_submodule()
+{
+	mcfgdir="$mdir/${1##*/}"; eval \
+	    "`setvars "" subhash subgit subgit_bkup subcurl subcurl_bkup st`"
+	eval "`setcfg "$mcfgdir/module.cfg" 0`"
+
+	for xt in git curl; do
+		_seval="if [ -n \"\$sub$xt\" ] || [ -n \"\$sub${xt}_bkup\" ]"
+		eval "$_seval; then st=\"\$st \$xt\"; fi"
+	done
+
+	st="${st# }" && [ "$st" = "git curl" ] && err "$mdir: git+curl defined"
+	[ -z "$st" ] && return 0 # subgit/subcurl not defined
+	chkvars "sub${st}" "sub${st}_bkup" "subhash"
+
+	[ "$st" = "git" ] && x_ rm -Rf "$tmpgit/$1"
+	eval xbget "$st" "\$sub$st" "\$sub${st}_bkup" "$tmpgit/$1" \
+	    "$subhash" "$mdir/${1##*/}/patches"
+}
+
+xbget()
+{
+	[ "$1" = "curl" ] || [ "$1" = "copy" ] || [ "$1" = "git" ] || \
+	    err "Bad dlop (arg 1): xbget $*"
+
+	echk="f" && [ "$1" = "git" ] && echk="d"
+
+	for url in "$2" "$3"; do
+		[ -n "$url" ] || err "empty URL given in: xbget $*"
+		try_file "$url" "$@" || continue
+		eval "[ -$echk \"$4\" ] || continue"
+		return 0 # successful download/copy
+	done
+	err "$1 $2 $3 $4: not downloaded"; :
+}
+
+try_file()
+{
+	cached="file/$6" && [ "$2" = "git" ] && cached="clone/${3##*/}" && \
+	    cached="${cached%.git}" # always the main repo as basis for naming,
+					# in case the backup has another name
+	cached="$XBMK_CACHE/$cached"
+	x_ mkdir -p "${5%/*}" "${cached%/*}"
+
+	echk="d" && [ "$2" != "git" ] && echk="f" && \
+	    bad_checksum "$6" "$cached" 2>/dev/null && x_ rm -f "$cached"
+
+	evalchk="[ -$echk \"$cached\" ] || " && [ "$2" = "git" ] && evalchk=""
+	eval "${evalchk}try_$2 \"\$cached\" \"\$@\" || return 1"
+	[ "$2" != "git" ] && [ -f "$5" ] && \
+	    bad_checksum "$6" "$5" 2>/dev/null && x_ cp "$cached" "$5"
+	eval "[ -$echk \"$cached\" ] || return 1"
+
+	if [ "$2" = "git" ]; then
+		[ -d "$5" ] || tmpclone "$cached" "$5" "$6" "$7" || \
+		    err "Can't clone final repo in command: try_file $*"; :
+	else
+		bad_checksum "$6" "$cached" && x_ rm -f "$cached" && return 1
+		[ "$cached" != "$5" ] && x_ cp "$cached" "$5"
+		bad_checksum "$6" "$5" && x_ rm -f "$5" && return 1; :
+	fi
+
+	eval "[ -$echk \"$5\" ] || return 1"
+}
+
+try_curl()
+{
+	_ua="Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0"
+	( x_ curl --location --retry 3 -A "$_ua" "$2" -o "$1" ) || \
+	    ( x_ wget --tries 3 -U "$_ua" "$2" -O "$1" ) || return 1; :
+}
+
+try_copy()
+{
+	e "$2" f missing && return 1; :
+	( x_ cp "$2" "$1" ) || return 1; :
+}
+
+try_git()
+{
+	gitdest="`findpath "$1"`" || err "Can't get readpath for '$1'"
+	x_ rm -Rf "$tmpgitcache"
+
+	[ -d "$gitdest" ] || ( x_ git clone "$2" "$tmpgitcache" ) || return 1
+	[ -d "$gitdest" ] || x_ mkdir -p "${gitdest%/*}"
+	[ -d "$gitdest" ] || x_ mv "$tmpgitcache" "$gitdest"
+
+	( x_ git -C "$gitdest" remote remove main ) || :
+	( x_ git -C "$gitdest" remote remove backup ) || :
+	x_ git -C "$gitdest" remote add main "$4"
+	x_ git -C "$gitdest" remote add backup "$5"
+	( x_ git -C "$gitdest" pull --all ) || :; :
+}
+
+bad_checksum()
+{
+	e "$2" f missing && return 0
+	csum="$(x_ sha512sum "$2" | awk '{print $1}')" || err "!sha512 '$2' $1"
+	[ "$csum" = "$1" ] && return 1; x_ rm -f "$2"
+	printf "BAD SHA512 %s, '%s'; need '%s'\n" "$csum" "$2" "$1" 1>&2
+}
+
+tmpclone()
+{
+	( x_ git clone "$1" "$2" ) || return 1
+	( x_ git -C "$2" reset --hard "$3" ) || return 1
+	( fx_ "eval x_ git -C \"$2\" am" find "$4" -type f ) || return 1; :
+}
diff --git a/include/git.sh b/include/git.sh
deleted file mode 100644
index 21a1f3b7..00000000
--- a/include/git.sh
+++ /dev/null
@@ -1,154 +0,0 @@
-# SPDX-License-Identifier: GPL-3.0-or-later
-# Copyright (c) 2020-2021,2023-2025 Leah Rowe <leah@libreboot.org>
-# Copyright (c) 2022 Caleb La Grange <thonkpeasant@protonmail.com>
-
-eval "`setvars "" loc url bkup_url subfile subhash subrepo subrepo_bkup \
-    depend subfile_bkup repofail`"
-
-fetch_targets()
-{
-	[ -n "$tree_depend" ] && [ "$tree_depend" != "$tree" ] && \
-		x_ ./mk -f "$project" "$tree_depend"
-	e "src/$project/$tree" d && return 0
-
-	printf "Creating %s tree %s\n" "$project" "$tree"
-	git_prep "$loc" "$loc" "$PWD/$configdir/$tree/patches" \
-	    "src/$project/$tree" u; nuke "$project/$tree" "$project/$tree"
-}
-
-fetch_project()
-{
-	eval "`setvars "" xtree tree_depend`"
-	eval "`setcfg "config/git/$project/pkg.cfg"`"
-
-	chkvars url
-
-	[ -n "$xtree" ] && x_ ./mk -f coreboot "$xtree"
-	[ -z "$depend" ] || for d in $depend ; do
-		printf "'%s' needs '%s'; grabbing '%s'\n" "$project" "$d" "$d"
-		x_ ./mk -f $d
-	done
-	clone_project
-
-	for x in config/git/*; do
-		[ -d "$x" ] && nuke "${x##*/}" "src/${x##*/}" 2>/dev/null
-	done; return 0
-}
-
-clone_project()
-{
-	loc="$XBMK_CACHE/repo/$project" && singletree "$project" && \
-	    loc="src/$project"
-	printf "Downloading project '%s' to '%s'\n" "$project" "$loc"
-
-	e "$loc" d missing && remkdir "${tmpgit%/*}" && git_prep \
-	    "$url" "$bkup_url" "$PWD/config/$project/patches" "$loc"; :
-}
-
-git_prep()
-{
-	_patchdir="$3"; _loc="$4" # $1 and $2 are gitrepo and gitrepo_backup
-
-	chkvars rev; tmpclone "$1" "$2" "$tmpgit" "$rev" "$_patchdir"
-	if singletree "$project" || [ $# -gt 4 ]; then
-		prep_submodules "$_loc"; fi
-
-	[ "$project" = "coreboot" ] && [ -n "$xtree" ] && [ $# -gt 2 ] && \
-	    [ "$xtree" != "$tree" ] && link_crossgcc "$_loc"
-	[ "$XBMK_RELEASE" = "y" ] && \
-	    [ "$_loc" != "$XBMK_CACHE/repo/$project" ] && rmgit "$tmpgit"
-
-	move_repo "$_loc"
-}
-
-prep_submodules()
-{
-	[ -f "$mdir/module.list" ] && while read -r msrcdir; do
-		fetch_submodule "$msrcdir"
-	done < "$mdir/module.list"; return 0
-}
-
-fetch_submodule()
-{
-	mcfgdir="$mdir/${1##*/}"
-	eval "`setvars "" subhash subrepo subrepo_bkup subfile subfile_bkup \
-	    st`"
-	[ ! -f "$mcfgdir/module.cfg" ] || . "$mcfgdir/module.cfg" || \
-	    $err "! . $mcfgdir/module.cfg"
-
-	for xt in repo file; do
-		_seval="if [ -n \"\$sub$xt\" ] || [ -n \"\$sub${xt}_bkup\" ]"
-		eval "$_seval; then st=\"\$st \$xt\"; fi"
-	done
-	st="${st# }" && [ "$st" = "repo file" ] && $err "$mdir: repo+file"
-
-	[ -z "$st" ] && return 0 # subrepo/subfile not defined
-	chkvars "sub${st}" "sub${st}_bkup" "subhash"
-
-	[ "$st" = "file" ] && download "$subfile" "$subfile_bkup" \
-	    "$tmpgit/$1" "$subhash" && return 0
-	rm -Rf "$tmpgit/$1" || $err "!rm '$mdir' '$1'"
-	tmpclone "$subrepo" "$subrepo_bkup" "$tmpgit/$1" "$subhash" \
-	    "$mdir/${1##*/}/patches"
-}
-
-tmpclone()
-{
-	livepull="n" && [ "$repofail" = "y" ] && \
-	    printf "Cached clone failed; trying online.\n" 1>&2 && livepull="y"
-
-	repofail="n"
-
-	[ $# -lt 6 ] || rm -Rf "$3" || $err "git retry: !rm $3 ($1)"
-	repodir="$XBMK_CACHE/repo/${1##*/}" && [ $# -gt 5 ] && repodir="$3"
-	mkdir -p "$XBMK_CACHE/repo" || $err "!rmdir $XBMK_CACHE/repo"
-
-	if [ "$livepull" = "y" ] && [ ! -d "$repodir" ]; then
-		git clone "$1" "$repodir" || git clone $2 "$repodir" || \
-		    $err "!clone $1 $2 $repodir $4 $5" #
-	elif [ -d "$repodir" ] && [ $# -lt 6 ]; then
-		git -C "$repodir" pull || sleep 3 || git -C "$repodir" pull \
-		    || sleep 3 || git -C "$repodir" pull || :
-	fi
-	(
-	[ $# -gt 5 ] || git clone "$repodir" "$3" || $err "!clone $repodir $3"
-	git -C "$3" reset --hard "$4" || $err "!reset $1 $2 $3 $4 $5"
-	git_am_patches "$3" "$5"
-	) || repofail="y"
-
-	[ "$repofail" = "y" ] && [ $# -lt 6 ] && tmpclone "$@" retry
-	[ "$repofail" = "y" ] && $err "!clone $1 $2 $3 $4 $5"; :
-}
-
-git_am_patches()
-{
-	for p in "$2/"*; do
-		[ -L "$p" ] && continue; [ -e "$p" ] || continue
-		[ -d "$p" ] && git_am_patches "$1" "$p" && continue
-		[ ! -f "$p" ] || git -C "$1" am "$p" || $err "$1 $2: !am $p"
-	done; return 0
-}
-
-link_crossgcc()
-{
-	(
-	x_ cd "$tmpgit/util" && x_ rm -Rf crossgcc
-	ln -s "../../$xtree/util/crossgcc" crossgcc || $err "$1: !xgcc link"
-	) || $err "$1: !xgcc link"
-}
-
-move_repo()
-{
-	[ "$1" = "${1%/*}" ] || x_ mkdir -p "${1%/*}"
-	mv "$tmpgit" "$1" || $err "git_prep: !mv $tmpgit $1"
-}
-
-# can delete from multi- and single-tree projects.
-# called from script/trees when downloading sources.
-nuke()
-{
-	e "config/${1%/}/nuke.list" f missing || while read -r nukefile; do
-		rmf="src/${2%/}/$nukefile" && [ -L "$rmf" ] && continue
-		e "$rmf" e missing || rm -Rf "$rmf" || $err "!rm $rmf, ${2%/}"
-	done < "config/${1%/}/nuke.list"; return 0
-}
diff --git a/include/init.sh b/include/init.sh
new file mode 100644
index 00000000..bc5a62b6
--- /dev/null
+++ b/include/init.sh
@@ -0,0 +1,218 @@
+# SPDX-License-Identifier: GPL-3.0-only
+# Copyright (c) 2022 Caleb La Grange <thonkpeasant@protonmail.com>
+# Copyright (c) 2022 Ferass El Hafidi <vitali64pmemail@protonmail.com>
+# Copyright (c) 2020-2025 Leah Rowe <leah@libreboot.org>
+# Copyright (c) 2025 Alper Nebi Yasak <alpernebiyasak@gmail.com>
+
+export LC_COLLATE=C
+export LC_ALL=C
+
+projectname="libreboot"
+projectsite="https://libreboot.org/"
+
+[ -z "${PATH+x}" ] && \
+    export PATH="/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games"
+
+eval "`setvars "" _nogit board reinstall versiondate aur_notice configdir \
+    datadir version xbmkpwd relname xbmkpwd xbtmp python pyver xbloc \
+    xbmklock cvxbmk cvchk xbmkpath`"
+
+xbmk_init()
+{
+	xbmkpwd="`pwd`" || err "Cannot generate PWD"
+	xbloc="$xbmkpwd/tmp"
+	xbmklock="$xbmkpwd/lock"
+
+	export PWD="$xbmkpwd"
+
+	[ $# -gt 0 ] && [ "$1" = "dependencies" ] && x_ xbmkpkg "$@" && exit 0
+
+	id -u 1>/dev/null 2>/dev/null || err "suid check failed (id -u)"
+	[ "$(id -u)" != "0" ] || err "this command as root is not permitted"
+
+	for init_cmd in get_version set_env set_threads git_init child_exec; do
+		xbmk_$init_cmd "$@" || break
+	done
+}
+
+xbmkpkg()
+{
+	[ $# -lt 2 ] && err "fewer than two arguments"
+	[ $# -gt 2 ] && reinstall="$3"
+
+	eval "`setcfg "config/dependencies/$2"`"
+
+	chkvars pkg_add pkglist
+	x_ $pkg_add $pkglist
+
+	[ -n "$aur_notice" ] && \
+	    printf "You need AUR packages: %s\n" "$aur_notice" 1>&2; :
+}
+
+xbmk_get_version()
+{
+	[ ! -f ".version" ] || read -r version < ".version" || err
+	[ ! -f ".versiondate" ] || read -r versiondate < ".versiondate" || err
+	[ ! -f ".version" ] || chkvars version
+	[ ! -f ".versiondate" ] || chkvars versiondate
+
+	[ ! -e ".git" ] && [ ! -f ".version" ] && version="unknown"
+	[ ! -e ".git" ] && [ ! -f ".versiondate" ] && versiondate="1716415872"
+
+	[ -n "$version" ] && relname="$projectname-$version"; :
+}
+
+xbmk_set_env()
+{
+	is_child="n"
+
+	xbmkpath="$PATH"
+
+	# unify all temporary files/directories in a single TMPDIR
+	[ -z "${TMPDIR+x}" ] || [ "${TMPDIR%_*}" = "/tmp/xbmk" ] || \
+	    unset TMPDIR
+	[ -n "${TMPDIR+x}" ] && export TMPDIR="$TMPDIR" && xbtmp="$TMPDIR"
+	[ -z "${TMPDIR+x}" ] || is_child="y" # child instance, so return
+
+	if [ "$is_child" = "y" ]; then
+		[ -z "${XBMK_CACHE+x}" ] && err "XBMK_CACHE unset on child"
+		[ -z "${XBMK_THREADS+x}" ] && xbmk_set_threads
+		e "lock" f missing && err "lock file absent on child"
+		return 1
+	fi
+
+	[ -f "$xbmklock" ] && err "'$xbmklock' exists. Is a build running?"
+	touch "$xbmklock" || err "cannot create '$xbmklock'"; :
+
+	# parent instance of xbmk, so don't return. set up TMPDIR
+	export TMPDIR="/tmp"
+	export TMPDIR="$(mktemp -d -t xbmk_XXXXXXXX)"
+	xbtmp="$TMPDIR"
+
+	export XBMK_CACHE="$xbmkpwd/cache"
+	[ -L "$XBMK_CACHE" ] && [ "$XBMK_CACHE" = "$xbmkpwd/cache" ] && \
+	    err "cachedir '$xbmkpwd/cache' is a symlink"
+	[ ! -e "$XBMK_CACHE" ] || \
+	    [ -d "$XBMK_CACHE" ] || err "cachedir '$XBMK_CACHE' is a file"; :
+
+	export PATH="$XBMK_CACHE/xbmkpath:$XBMK_CACHE/gnupath:$PATH"
+	xbmkpath="$PATH"
+
+	# if "y": a coreboot target won't be built if target.cfg says release="n"
+	# (this is used to exclude certain build targets from releases)
+	[ -z "${XBMK_RELEASE+x}" ] && export XBMK_RELEASE="n"
+	[ "$XBMK_RELEASE" = "Y" ] && export XBMK_RELEASE="y"
+	[ "$XBMK_RELEASE" = "y" ] || export XBMK_RELEASE="n"
+
+	xbmk_set_version
+	export LOCALVERSION="-$projectname-${version%%-*}"
+
+	remkdir "$xbtmp" "$xbloc" "$XBMK_CACHE/gnupath" "$XBMK_CACHE/xbmkpath"
+
+	xbmk_set_pyver
+}
+
+xbmk_set_threads()
+{
+	[ -z "${XBMK_THREADS+x}" ] && export XBMK_THREADS=1
+	expr "X$XBMK_THREADS" : "X-\{0,1\}[0123456789][0123456789]*$" \
+	    1>/dev/null 2>/dev/null || export XBMK_THREADS=1
+}
+
+xbmk_set_version()
+{
+	version_="$version"
+	[ ! -e ".git" ] || version="$(git describe --tags HEAD 2>&1)" || \
+	    version="git-$(git rev-parse HEAD 2>&1)" || version="$version_"
+	versiondate_="$versiondate"
+	[ ! -e ".git" ] || versiondate="$(git show --no-patch --no-notes \
+	    --pretty='%ct' HEAD)" || versiondate="$versiondate_"
+
+	chkvars version versiondate
+	update_xbmkver "."
+
+	relname="$projectname-$version"
+}
+
+xbmk_set_pyver()
+{
+	pyv="import sys; print(sys.version_info[:])"
+	python="python3"
+	pybin python3 1>/dev/null || python="python"
+	pyver="2" && [ "$python" = "python3" ] && pyver="3"
+	pybin "$python" 1>/dev/null || pyver=""
+	[ -z "$pyver" ] || "`pybin "$python"`" -c "$pyv" 1>/dev/null \
+	    2>/dev/null || err "Cannot detect host Python version."
+	[ -n "$pyver" ] && \
+	    pyver="$("$(pybin "$python")" -c "$pyv" | awk '{print $1}')" && \
+	    pyver="${pyver#(}" && pyver="${pyver%,}"
+	[ "${pyver%%.*}" = "3" ] || err "Bad python version (must by 3.x)"
+
+	(
+	# set up python v3.x in PATH, in case it's not set up correctly.
+	# see code above that detected the correct python3 command.
+	x_ cd "$XBMK_CACHE/xbmkpath"
+	x_ ln -s "`pybin "$python"`" python
+	) || err "Can't set up python symlink in $XBMK_CACHE/xbmkpath"; :
+}
+
+# Use direct path, to prevent a hang if Python is using a virtual environment,
+# not command -v, to prevent a hang when checking python's version
+# See: https://docs.python.org/3/library/venv.html#how-venvs-work
+pybin()
+{
+	py="import sys; quit(1) if sys.prefix == sys.base_prefix else quit(0)"
+
+	venv=1
+	command -v "$1" 1>/dev/null 2>/dev/null || venv=0
+	[ $venv -lt 1 ] || "$1" -c "$py" 1>/dev/null 2>/dev/null || venv=0
+
+	# ideally, don't rely on PATH or hardcoded paths if python venv.
+	# use the *real*, direct executable linked to by the venv symlink
+	if [ $venv -gt 0 ] && [ -L "`command -v "$1" 2>/dev/null`" ]; then
+		pypath="$(findpath \
+		    "$(command -v "$1" 2>/dev/null)" 2>/dev/null || :)"
+		[ -e "$pypath" ] && [ ! -d "$pypath" ] && \
+		    [ -x "$pypath" ] && printf "%s\n" "$pypath" && return 0; :
+	fi
+
+	# if python venv: fall back to common PATH directories for checking
+	[ $venv -gt 0 ] && for pypath in "/usr/local/bin" "/usr/bin"; do
+		[ -e "$pypath/$1" ] && [ ! -d "$pypath/$1" ] && \
+		    [ -x "$pypath/$1" ] && printf "%s/%s\n" "$pypath" "$1" && \
+		    return 0
+	done && return 1
+
+	# Defer to normal command -v if not a venv
+	command -v "$1" 2>/dev/null || return 1
+}
+
+xbmk_git_init()
+{
+	for gitarg in "--global user.name" "--global user.email"; do
+		gitcmd="git config $gitarg"; $gitcmd 1>/dev/null 2>/dev/null \
+		    || err "Run this first: $gitcmd \"your ${gitcmd##*.}\""
+	done
+
+	[ -L ".git" ] && err "'$xbmkpwd/.git' is a symlink"
+	[ -e ".git" ] && return 0
+	eval "`setvars "$(date -Rud @$versiondate)" cdate _nogit`"
+
+	x_ git init 1>/dev/null 2>/dev/null
+	x_ git add -A . 1>/dev/null 2>/dev/null
+	x_ git commit -m "$projectname $version" --date "$cdate" \
+	    --author="xbmk <xbmk@example.com>" 1>/dev/null 2>/dev/null
+	x_ git tag -a "$version" -m "$projectname $version" 1>/dev/null \
+	    2>/dev/null; :
+}
+
+xbmk_child_exec()
+{
+	xbmk_rval=0
+	( x_ ./mk "$@" ) || xbmk_rval=1
+	( x_ rm -Rf "$xbloc" "$xbtmp" ) || xbmk_rval=1
+	( x_ rm -f "$xbmklock" ) || xbmk_rval=1
+	exit $xbmk_rval
+}
+
+xbmk_init "$@"
diff --git a/include/inject.sh b/include/inject.sh
new file mode 100644
index 00000000..795b2c70
--- /dev/null
+++ b/include/inject.sh
@@ -0,0 +1,148 @@
+# SPDX-License-Identifier: GPL-3.0-only
+# Copyright (c) 2022 Caleb La Grange <thonkpeasant@protonmail.com>
+# Copyright (c) 2022 Ferass El Hafidi <vitali64pmemail@protonmail.com>
+# Copyright (c) 2023-2025 Leah Rowe <leah@libreboot.org>
+
+cbcfgsdir="config/coreboot"
+tmpromdel="$XBMK_CACHE/DO_NOT_FLASH"
+nvm="util/nvmutil/nvm"
+ifdtool="elf/coreboot/default/ifdtool"
+
+cv="CONFIG_GBE_BIN_PATH"
+[ -n "$cvxbmk" ] && cv="$cv $cvxbmk"
+[ -n "$cvchk" ] && cv="$cv $cvchk"
+
+eval "`setvars "" archive boarddir IFD_platform ifdprefix tree new_mac \
+    tmpromdir board xchanged $cv`"
+
+inject()
+{
+	remkdir "$tmpromdel"
+
+	set +u +e
+	[ $# -lt 1 ] && err "No options specified"
+	eval "`setvars "" nuke new_mac xchanged`"
+
+	archive="$1";
+	new_mac="xx:xx:xx:xx:xx:xx"
+
+	[ $# -gt 1 ] && case "$2" in
+	nuke)
+		new_mac=""
+		nuke="nuke" ;;
+	setmac)
+		[ $# -gt 2 ] && new_mac="$3" && \
+		    [ -z "$new_mac" ] && err "Empty MAC address specified" ;;
+	*)
+		err "Unrecognised inject mode: '$2'"
+	esac
+	[ "$new_mac" = "keep" ] && new_mac=""
+
+	check_release
+	check_target && patch_release
+
+	[ "$xchanged" = "y" ] && remktar
+
+	xnot=" NOT" && [ "$xchanged" = "y" ] && xnot=""
+	printf "\n'%s' was%s modified\n" "$archive" "$xnot" 1>&2
+
+	x_ rm -Rf "$tmpromdel"
+}
+
+check_release()
+{
+	[ -L "$archive" ] && err "'$archive' is a symlink"
+	e "$archive" f missing && err "'$archive' missing"
+
+	archivename="`basename "$archive"`" || err "Can't get '$archive' name"
+	[ -z "$archivename" ] && err "Can't determine archive name"
+
+	case "$archivename" in
+	*_src.tar.xz)
+		err "'$archive' is a src archive, silly!" ;;
+	grub_*|seagrub_*|custom_*|seauboot_*|seabios_withgrub_*)
+		err "'$archive' is a ROM image (it must be a tarball)" ;;
+	*.tar.xz) _stripped_prefix="${archivename#*_}"
+		board="${_stripped_prefix%.tar.xz}" ;;
+	*)
+		err "'$archive': could not detect board type" ;;
+	esac; :
+}
+
+check_target()
+{
+	[ "$board" = "${board#serprog_}" ] || return 1
+	boarddir="$cbcfgsdir/$board"
+
+	eval "`setcfg "$boarddir/target.cfg"`"
+	chkvars tree && x_ ./mk -d coreboot "$tree"
+
+	ifdtool="elf/coreboot/$tree/ifdtool"
+	[ -n "$IFD_platform" ] && ifdprefix="-p $IFD_platform"; :
+}
+
+patch_release()
+{
+	[ "$nuke" = "nuke" ] || x_ ./mk download "$board"
+
+	has_hashes="n"
+	tmpromdir="$tmpromdel/bin/$board"
+
+	remkdir "${tmpromdir%"/bin/$board"}"
+	x_ tar -xf "$archive" -C "${tmpromdir%"/bin/$board"}"
+
+	for _hashes in "vendorhashes" "blobhashes"; do
+		e "$tmpromdir/$_hashes" f && \
+		    has_hashes="y" && hashfile="$_hashes" && break; :
+	done
+
+	readkconfig || exit 0
+
+	[ -n "$new_mac" ] && [ -n "$CONFIG_GBE_BIN_PATH" ] && modify_mac; :
+}
+
+readkconfig()
+{
+	x_ rm -f "$xbtmp/cbcfg"
+	fx_ scankconfig x_ find "$boarddir/config" -type f
+	eval "`setcfg "$xbtmp/cbcfg" 1`"
+	setvfile "$@" || return 1; :
+}
+
+scankconfig()
+{
+	for cbc in $cv; do
+		grep "$cbc" "$1" 1>>"$xbtmp/cbcfg" 2>/dev/null || :
+	done
+}
+
+modify_mac()
+{
+	x_ cp "${CONFIG_GBE_BIN_PATH##*../}" "$xbloc/gbe"
+	[ -n "$new_mac" ] && [ "$new_mac" != "restore" ] && \
+	    x_ make -C util/nvmutil clean && x_ make -C util/nvmutil && \
+	    x_ "$nvm" "$xbloc/gbe" setmac "$new_mac"
+
+	fx_ newmac x_ find "$tmpromdir" -maxdepth 1 -type f -name "*.rom"
+
+	printf "\nThe following GbE NVM data will be written:\n"
+	x_ "$nvm" "$xbloc/gbe" dump | grep -v "bytes read from file" || :
+}
+
+newmac()
+{
+	e "$1" f && xchanged="y" && x_ \
+	    "$ifdtool" $ifdprefix -i GbE:"$xbloc/gbe" "$1" -O "$1"; :
+}
+
+remktar()
+{
+	(
+	x_ cd "${tmpromdir%"/bin/$board"}"
+	printf "Re-building tar archive (please wait)\n"
+	mkrom_tarball "bin/$board" 1>/dev/null
+	) || err "Cannot re-generate '$archive'"
+
+	mv "${tmpromdir%"/bin/$board"}/bin/${relname}_${board}.tar.xz" \
+	    "$archive" || err "'$archive' -> Can't overwrite"; :
+}
diff --git a/include/lib.sh b/include/lib.sh
index a9a292c2..b40772fa 100644
--- a/include/lib.sh
+++ b/include/lib.sh
@@ -2,52 +2,35 @@
 # Copyright (c) 2022 Caleb La Grange <thonkpeasant@protonmail.com>
 # Copyright (c) 2022 Ferass El Hafidi <vitali64pmemail@protonmail.com>
 # Copyright (c) 2020-2025 Leah Rowe <leah@libreboot.org>
+# Copyright (c) 2025 Alper Nebi Yasak <alpernebiyasak@gmail.com>
 
-export LC_COLLATE=C
-export LC_ALL=C
+cbfstool="elf/coreboot/default/cbfstool"
+rmodtool="elf/coreboot/default/rmodtool"
 
-_ua="Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0"
-
-ifdtool="elf/ifdtool/default/ifdtool"
-cbfstool="elf/cbfstool/default/cbfstool"
-rmodtool="elf/cbfstool/default/rmodtool"
-tmpgit="$PWD/tmp/gitclone"
-grubdata="config/data/grub"
-err="err_"
-
-err_()
+remkdir()
 {
-	printf "ERROR %s: %s\n" "$0" "$1" 1>&2; exit 1
+	x_ rm -Rf "$@"
+	x_ mkdir -p "$@"
 }
 
-setvars()
+mkrom_tarball()
 {
-	_setvars="" && [ $# -lt 2 ] && $err "setvars: too few arguments"
-	val="$1" && shift 1 && for var in "$@"; do
-		_setvars="$var=\"$val\"; $_setvars"
-	done; printf "%s\n" "${_setvars% }"
+	update_xbmkver "$1"
+	mktarball "$1" "${1%/*}/${relname}_${1##*/}.tar.xz"
+	x_ rm -Rf "$1"
 }
-chkvars()
+
+update_xbmkver()
 {
-	for var in "$@"; do
-		eval "[ -n \"\${$var+x}\" ] || \$err \"$var unset\""
-		eval "[ -n \"\$$var\" ] || \$err \"$var unset\""
-	done; return 0
+	printf "%s\n" "$version" > "$1/.version" || err "$1 !version"; :
+	printf "%s\n" "$versiondate" > "$1/.versiondate" || err "$1 !vdate"; :
 }
 
-eval "`setvars "" _nogit board reinstall versiondate projectsite projectname \
-    aur_notice configdir datadir version relname xbmk_parent`"
-
-for fv in projectname projectsite version versiondate; do
-	eval "[ ! -f \"$fv\" ] || read -r $fv < \"$fv\" || :"
-done; chkvars projectname projectsite
-
-setcfg()
+mktarball()
 {
-	[ $# -gt 1 ] && printf "e \"%s\" f missing && return %s;\n" "$1" "$2"
-	[ $# -gt 1 ] || \
-		printf "e \"%s\" f not && %s \"Missing config\";\n" "$1" "$err"
-	printf ". \"%s\" || %s \"Could not read config\";\n" "$1" "$err"
+	printf "Creating tar archive '%s' from directory '%s'\n" "$2" "$1"
+	[ "${2%/*}" = "$2" ] || x_ mkdir -p "${2%/*}"
+	x_ tar -c "$1" | xz -T$XBMK_THREADS -9e > "$2" || err "mktarball2, $1"
 }
 
 e()
@@ -57,218 +40,85 @@ e()
 	estr="[ -$es_t \"\$1\" ] || return 1"
 	[ $# -gt 2 ] && estr="[ -$es_t \"\$1\" ] && return 1" && es2="missing"
 
-	eval "$estr"; printf "%s %s\n" "$1" "$es2" 1>&2
-}
-
-install_packages()
-{
-	[ $# -lt 2 ] && $err "fewer than two arguments"
-	[ $# -gt 2 ] && reinstall="$3"
-
-	eval "`setcfg "config/dependencies/$2"`"
-
-	chkvars pkg_add pkglist
-	$pkg_add $pkglist || $err "Cannot install packages"
-
-	[ -n "$aur_notice" ] && \
-	    printf "You need AUR packages: %s\n" "$aur_notice" 1>&2; :
-}
-if [ $# -gt 0 ] && [ "$1" = "dependencies" ]; then
-	install_packages "$@" || exit 1
-	exit 0
-fi
-
-pyver="2"
-python="python3"
-command -v python3 1>/dev/null || python="python"
-command -v $python 1>/dev/null || pyver=""
-[ -n "$pyver" ] && pyver="$($python --version | awk '{print $2}')"
-if [ "${pyver%%.*}" != "3" ]; then
-	printf "Wrong python version, or python missing. Must be v 3.x.\n" 1>&2
-	exit 1
-fi
-
-id -u 1>/dev/null 2>/dev/null || $err "suid check failed (id -u)"
-[ "$(id -u)" != "0" ] || $err "this command as root is not permitted"
-
-# XBMK_CACHE is a directory, for caching downloads and git repositories
-[ -z "${XBMK_CACHE+x}" ] && export XBMK_CACHE="$PWD/cache"
-[ -z "$XBMK_CACHE" ] && export XBMK_CACHE="$PWD/cache"
-[ -L "$XBMK_CACHE" ] && [ "$XBMK_CACHE" = "$PWD/cache" ] && \
-    $err "cachedir is default, $PWD/cache, but it exists and is a symlink"
-[ -L "$XBMK_CACHE" ] && export XBMK_CACHE="$PWD/cache"
-[ -f "$XBMK_CACHE" ] && $err "cachedir '$XBMK_CACHE' exists but it's a file"
-
-# unify all temporary files/directories in a single TMPDIR
-[ -z "${TMPDIR+x}" ] || [ "${TMPDIR%_*}" = "/tmp/xbmk" ] || unset TMPDIR
-[ -n "${TMPDIR+x}" ] && export TMPDIR="$TMPDIR"
-if [ -z "${TMPDIR+x}" ]; then
-	[ -f "lock" ] && $err "$PWD/lock exists. Is a build running?"
-	export TMPDIR="/tmp"
-	export TMPDIR="$(mktemp -d -t xbmk_XXXXXXXX)"
-	touch lock || $err "cannot create 'lock' file"
-	rm -Rf "$XBMK_CACHE/xbmkpath" || $err "cannot remove xbmkpath"
-	mkdir -p "$XBMK_CACHE/xbmkpath" || $err "cannot create xbmkpath"
-	export PATH="$XBMK_CACHE/xbmkpath:$PATH" || \
-	    $err "Can't create xbmkpath"
-	xbmk_parent="y"
-fi
-
-# if "y": a coreboot target won't be built if target.cfg says release="n"
-# (this is used to exclude certain build targets from releases)
-[ -z "${XBMK_RELEASE+x}" ] && export XBMK_RELEASE="n"
-[ "$XBMK_RELEASE" = "y" ] || export XBMK_RELEASE="n"
-
-[ -z "${XBMK_THREADS+x}" ] && export XBMK_THREADS=1
-expr "X$XBMK_THREADS" : "X-\{0,1\}[0123456789][0123456789]*$" \
-    1>/dev/null 2>/dev/null || export XBMK_THREADS=1 # user gave a non-integer
-
-x_() {
-	[ $# -lt 1 ] || "$@" || \
-	    $err "Unhandled non-zero exit: $(echo "$@")"; return 0
+	eval "$estr"
+	printf "%s %s\n" "$1" "$es2" 1>&2
 }
 
-[ -e ".git" ] || [ -f "version" ] || printf "unknown\n" > version || \
-    $err "Cannot generate unknown version file"
-[ -e ".git" ] || [ -f "versiondate" ] || printf "1716415872\n" > versiondate \
-    || $err "Cannot generate unknown versiondate file"
-
-version_="$version"
-[ ! -e ".git" ] || version="$(git describe --tags HEAD 2>&1)" || \
-    version="git-$(git rev-parse HEAD 2>&1)" || version="$version_"
-versiondate_="$versiondate"
-[ ! -e ".git" ] || versiondate="$(git show --no-patch --no-notes \
-    --pretty='%ct' HEAD)" || versiondate="$versiondate_"
-for p in projectname version versiondate projectsite; do
-	chkvars "$p"; eval "x_ printf \"%s\\n\" \"\$$p\" > $p"
-done
-relname="$projectname-$version"
-export LOCALVERSION="-$projectname-${version%%-*}"
-
-check_defconfig()
-{
-	[ -d "$1" ] || $err "Target '$1' not defined."
-	for x in "$1"/config/*; do
-		[ -f "$x" ] && printf "%s\n" "$x" && return 1
-	done; return 0
-}
-
-remkdir()
-{
-	rm -Rf "$1" || $err "remkdir: !rm -Rf \"$1\""
-	mkdir -p "$1" || $err "remkdir: !mkdir -p \"$1\""
-}
-
-mkrom_tarball()
-{
-	printf "%s\n" "$version" > "$1/version" || $err "$1 !version"
-	printf "%s\n" "$versiondate" > "$1/versiondate" || $err "$1 !vdate"
-	printf "%s\n" "$projectname" > "$1/projectname" || $err "$1 !pname"
-
-	mktarball "$1" "${1%/*}/${relname}_${1##*/}.tar.xz"; x_ rm -Rf "$1"; :
-}
-
-mktarball()
+setvars()
 {
-	if [ "${2%/*}" != "$2" ]; then
-		mkdir -p "${2%/*}" || $err "mk, !mkdir -p \"${2%/*}\""
+	_setvars=""
+	if [ $# -lt 2 ]; then
+		printf "err \"setvars: too few args\\n\""
+		return 0
 	fi
-	tar -c "$1" | xz -T$XBMK_THREADS -9e > "$2" || $err "mktarball 2, $1"
+	val="$1"
+	shift 1
+	while [ $# -gt 0 ]; do
+		printf "%s=\"%s\"\n" "$1" "$val"
+		shift 1
+	done
 }
 
-mksha512sum()
+setcfg()
 {
-	(
-	[ "${1%/*}" != "$1" ] && x_ cd "${1%/*}"
-	sha512sum ./"${1##*/}" >> "$2" || $err "!sha512sum \"$1\" > \"$2\""
-	) || $err "failed to create tarball checksum"
+	[ $# -gt 1 ] && printf "e \"%s\" f missing && return %s;\n" "$1" "$2"
+	[ $# -gt 1 ] || \
+		printf "e \"%s\" f not && err \"Missing config\";\n" "$1"
+	printf ". \"%s\" || err \"Could not read config\";\n" "$1"
 }
 
-rmgit()
+chkvars()
 {
-	(
-	cd "$1" || $err "!cd gitrepo $1"
-	find . -name ".git" -exec rm -Rf {} + || $err "!rm .git $1"
-	find . -name ".gitmodules" -exec rm -Rf {} + || $err "!rm .gitmod $1"
-	) || $err "Cannot remove .git/.gitmodules in $1"
+	while [ $# -gt 0 ]; do
+		eval "[ -n \"\${$1+x}\" ] || err \"$1 unset\""
+		eval "[ -n \"\$$1\" ] || err \"$1 unset\"; shift 1; :"
+	done; :
 }
 
 # return 0 if project is single-tree, otherwise 1
 # e.g. coreboot is multi-tree, so 1
 singletree()
 {
-	for targetfile in "config/${1}/"*/target.cfg; do
-		[ -e "$targetfile" ] && [ -f "$targetfile" ] && return 1; :
-	done; return 0
+	( fx_ "eval exit 1 && err" find "config/$1/"*/ -type f \
+	    -name "target.cfg" ) || return 1; :
 }
 
-# can grab from the internet, or copy locally.
-# if copying locally, it can only copy a file.
-download()
+findpath()
 {
-	_dlop="curl" && [ $# -gt 4 ] && _dlop="$5"
-	cached="$XBMK_CACHE/file/$4"
-	dl_fail="n" # 1 url, 2 url backup, 3 destination, 4 checksum
-	vendor_checksum "$4" "$cached" 2>/dev/null && dl_fail="y"
-	[ "$dl_fail" = "n" ] && e "$3" f && return 0
-	mkdir -p "${3%/*}" "$XBMK_CACHE/file" || \
-	    $err "!mkdir '$3' '$XBMK_CACHE/file'"
-	for url in "$1" "$2"; do
-		[ "$dl_fail" = "n" ] && break
-		[ -z "$url" ] && continue
-		rm -f "$cached" || $err "!rm -f '$cached'"
-		if [ "$_dlop" = "curl" ]; then
-			curl --location --retry 3 -A "$_ua" "$url" \
-			    -o "$cached" || wget --tries 3 -U "$_ua" "$url" \
-			    -O "$cached" || continue
-		elif [ "$_dlop" = "copy" ]; then
-			[ -L "$url" ] && \
-				printf "dl %s %s %s %s: '%s' is a symlink\n" \
-				    "$1" "$2" "$3" "$4" "$url" 1>&2 && continue
-			[ ! -f "$url" ] && \
-				printf "dl %s %s %s %s: '%s' not a file\n" \
-				    "$1" "$2" "$3" "$4" "$url" 1>&2 && continue
-			cp "$url" "$cached" || continue
-		else
-			$err "$1 $2 $3 $4: Unsupported dlop type: '$_dlop'"
-		fi
-		vendor_checksum "$4" "$cached" || dl_fail="n"
-	done; [ "$dl_fail" = "y" ] && $err "$1 $2 $3 $4: not downloaded"
-	[ "$cached" = "$3" ] || cp "$cached" "$3" || $err "!d cp $cached $3"; :
+	[ $# -gt 0 ] || err "findpath: No arguments provided"
+	while [ $# -gt 0 ]; do
+		found="`readlink -f "$1" 2>/dev/null`" || return 1; :
+		[ -n "$found" ] || found="`realpath "$1" 2>/dev/null`" || \
+		    return 1; :
+		printf "%s\n" "$found"
+		shift 1
+	done
 }
 
-vendor_checksum()
+fx_()
 {
-	[ "$(sha512sum "$2" | awk '{print $1}')" != "$1" ] || return 1
-	printf "Bad checksum for file: %s\n" "$2" 1>&2; rm -f "$2" || :; :
+	fd="`mktemp`" && x_ rm -f "$fd" && x_ touch "$fd"
+	xx="$1" && shift 1
+	"$@" 2>/dev/null | sort 1>"$fd" 2>/dev/null || err "FATAL: !sort fx_"
+	dx_ "$xx" "$fd" || break
+	x_ rm -f "$fd"
 }
 
-cbfs()
+dx_()
 {
-	fRom="$1" # image to operate on
-	fAdd="$2" # file to add
-	fName="$3" # filename when added in CBFS
-
-	ccmd="add-payload" && [ $# -gt 3 ] && [ $# -lt 5 ] && ccmd="add"
-	lzma="-c lzma" && [ $# -gt 3 ] && [ $# -lt 5 ] && lzma="-t $4"
-
-	# hack. TODO: do it better. this whole function is cursed
-	if [ $# -gt 4 ]; then
-		# add flat binary for U-Boot (u-boot.bin) on x86
-		if [ "$5" = "0x1110000" ]; then
-			ccmd="add-flat-binary"
-			lzma="-c lzma -l 0x1110000 -e 0x1110000"
-		fi
-	fi
+	[ ! -f "$2" ] || while read -r fx; do
+		$1 "$fx" || return 1; :
+	done < "$2" || err "dx_ $*: cannot read '$2'"; :
+}
 
-	"$cbfstool" "$fRom" $ccmd -f "$fAdd" -n "$fName" $lzma || \
-	    $err "CBFS fail: $fRom $ccmd -f '$fAdd' -n '$fName' $lzma"; :
+x_()
+{
+	[ $# -lt 1 ] || [ -n "$1" ] || err "Empty first arg: x_ $(echo "$@")"
+	[ $# -lt 1 ] || "$@" || err "Unhandled error for: $(echo "$@")"; :
 }
 
-mk()
+err()
 {
-	mk_flag="$1" || $err "No argument given"
-	shift 1 && for mk_arg in "$@"; do
-		./mk $mk_flag $mk_arg || $err "./mk $mk_flag $mk_arg"; :
-	done; :
+	[ $# -lt 1 ] || printf "ERROR %s: %s\n" "$0" "$1" 1>&2 || :
+	exit 1
 }
diff --git a/include/mrc.sh b/include/mrc.sh
index f5db2ff0..775831f8 100644
--- a/include/mrc.sh
+++ b/include/mrc.sh
@@ -1,11 +1,31 @@
 # SPDX-License-Identifier: GPL-2.0-only
 
 # Logic based on util/chromeos/crosfirmware.sh in coreboot cfc26ce278.
-# Modifications in this version are Copyright 2021, 2023 and 2024 Leah Rowe.
+# Modifications in this version are Copyright 2021,2023-2025 Leah Rowe.
 # Original copyright detailed in repo: https://review.coreboot.org/coreboot/
 
 eval "`setvars "" MRC_url MRC_url_bkup MRC_hash MRC_board SHELLBALL`"
 
+extract_refcode()
+{
+	extract_mrc
+
+	# cbfstool after coreboot 4.13 changed the stage file attribute scheme,
+	# and refcode is extracted from an image using the old scheme. we use
+	# cbfstool from coreboot 4.11_branch, the tree used by ASUS KGPE-D16
+	chkvars cbfstoolref
+	x_ mkdir -p "${_pre_dest%/*}"
+
+	x_ "$cbfstoolref" "$appdir/bios.bin" extract \
+	    -m x86 -n fallback/refcode -f "$appdir/ref" -r RO_SECTION
+
+	# enable the Intel GbE device, if told by offset MRC_refcode_gbe
+	[ -z "$MRC_refcode_gbe" ] || x_ dd if="config/ifd/hp820g2/1.bin" \
+	    of="$appdir/ref" bs=1 seek=$MRC_refcode_gbe count=1 conv=notrunc; :
+
+	x_ mv "$appdir/ref" "$_pre_dest"
+}
+
 extract_mrc()
 {
 	chkvars "MRC_board" "CONFIG_MRC_FILE"
@@ -15,12 +35,10 @@ extract_mrc()
 	x_ cd "$appdir"
 	extract_partition "${MRC_url##*/}"
 	extract_archive "$SHELLBALL" .
-	) || $err "mrc download/extract failure"
+	) || err "mrc download/extract failure"
 
-	"$cbfstool" "$appdir/"bios.bin extract -n mrc.bin \
-	    -f "$_dest" -r RO_SECTION || $err "extract_mrc: !$cbfstool $_dest"
-
-	[ -n "$CONFIG_REFCODE_BLOB_FILE" ] && extract_refcode; return 0
+	x_ "$cbfstool" "$appdir/"bios.bin extract -n mrc.bin \
+	    -f "${_pre_dest%/*}/mrc.bin" -r RO_SECTION
 }
 
 extract_partition()
@@ -32,30 +50,9 @@ extract_partition()
 	START=$(( $( echo $ROOTP | cut -f2 -d\ | tr -d "B" ) ))
 	SIZE=$(( $( echo $ROOTP | cut -f4 -d\ | tr -d "B" ) ))
 
-	dd if="${1%.zip}" of="root-a.ext2" bs=1024 skip=$(( $START / 1024 )) \
-	    count=$(( $SIZE / 1024 )) || $err "ex dd ${1%.zip}, root-a.ext2"
-
-	printf "cd /usr/sbin\ndump chromeos-firmwareupdate $SHELLBALL\nquit" \
-	    | debugfs "root-a.ext2" || $err "can't extract shellball"
-}
-
-extract_refcode()
-{
-	_refdest="${CONFIG_REFCODE_BLOB_FILE##*../}"
-	e "$_refdest" f && return 0
-
-	# cbfstool changed the attributes scheme for stage files,
-	# incompatible with older versions before coreboot 4.14,
-	# so we need coreboot 4.13 cbfstool for certain refcode files
-	chkvars cbfstoolref
-	mkdir -p "${_refdest%/*}" || $err "ref: !mkdir -p ${_refdest%/*}"
+	x_ dd if="${1%.zip}" of="root-a.ext2" bs=1024 skip=$(( $START / 1024 )) \
+	    count=$(( $SIZE / 1024 ))
 
-	"$cbfstoolref" "$appdir/bios.bin" extract \
-	    -m x86 -n fallback/refcode -f "$_refdest" -r RO_SECTION \
-	    || $err "extract_refcode $board: !cbfstoolref $_refdest"
-
-	# enable the Intel GbE device, if told by offset MRC_refcode_gbe
-	[ -z "$MRC_refcode_gbe" ] || dd if="config/ifd/hp820g2/1.bin" \
-	    of="$_refdest" bs=1 seek=$MRC_refcode_gbe count=1 conv=notrunc || \
-	    $err "extract_refcode $_refdest: byte $MRC_refcode_gbe"; return 0
+	printf "cd /usr/sbin\ndump chromeos-firmwareupdate %s\nquit" \
+	    "$SHELLBALL" | debugfs "root-a.ext2" || err "!extract shellball"
 }
diff --git a/include/release.sh b/include/release.sh
new file mode 100644
index 00000000..912687dc
--- /dev/null
+++ b/include/release.sh
@@ -0,0 +1,88 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+# Copyright (c) 2023-2025 Leah Rowe <leah@libreboot.org>
+
+eval "`setvars "" reldir reldest vdir rsrc relmode`"
+
+release()
+{
+	export XBMK_RELEASE="y"
+
+	reldir="release"
+
+	while getopts d:m: option; do
+		[ -z "$OPTARG" ] && err "empty argument not allowed"
+		case "$option" in
+		d) reldir="$OPTARG" ;;
+		m) relmode="$OPTARG" ;;
+		*) err "invalid option '-$option'" ;;
+		esac
+	done
+
+	reldest="$reldir/$version"
+	[ -e "$reldest" ] && \
+	    err "already exists: \"$reldest\""
+
+	vdir="$XBMK_CACHE/relpwd/${xbtmp##*/}/$version"
+	rsrc="$vdir/${relname}_src"
+
+	remkdir "$vdir"
+	x_ git clone . "$rsrc"
+	update_xbmkver "$rsrc"
+
+	prep_release src
+	prep_release tarball
+	[ "$relmode" = "src" ] || prep_release bin
+	x_ rm -Rf "$rsrc"
+
+	x_ mkdir -p "$reldir"
+	x_ mv "$vdir" "$reldir"
+	x_ rm -Rf "${vdir%"/$version"}"
+
+	printf "\n\nDONE! Check release files under %s\n" "$reldest"
+}
+
+prep_release()
+{
+	x_ touch "$rsrc/lock"
+	(
+	[ "$1" = "tarball" ] || x_ cd "$rsrc"
+	prep_release_$1
+	) || err "can't prep release $1"
+}
+
+prep_release_src()
+{
+	x_ ./mk -f
+	fx_ "x_ rm -Rf" x_ find . -name ".git"
+	fx_ "x_ rm -Rf" x_ find . -name ".gitmodules"
+	( fx_ nuke x_ find config -type f -name "nuke.list" ) || err; :
+}
+
+nuke()
+{
+	r="$rsrc/src/${1#config/}"
+	[ -d "${r%/*}" ] && x_ cd "${r%/*}" && \
+	    dx_ "eval [ -L \"\$fx\" ] || x_ rm -Rf" "$rsrc/$1"; :
+}
+
+prep_release_tarball()
+{
+	git log --graph --pretty=format:'%Cred%h%Creset %s %Creset' \
+	    --abbrev-commit > "$rsrc/CHANGELOG" || err "!log $rsrc"
+	x_ rm -f "$rsrc/lock"
+	x_ rm -Rf "$rsrc/cache" "$rsrc/tmp"
+	(
+	x_ cd "${rsrc%/*}"
+	x_ mktarball "${rsrc##*/}" "${rsrc##*/}.tar.xz"
+	) || err "can't create src tarball"; :
+}
+
+prep_release_bin()
+{
+	x_ ./mk -d coreboot
+	fx_ "x_ ./mk -b" printf \
+	    "coreboot\npico-serprog\nstm32-vserprog\npcsx-redux\n"
+
+	fx_ mkrom_tarball x_ find bin -maxdepth 1 -type d -name "serprog_*"
+	x_ mv bin ../roms
+}
diff --git a/include/rom.sh b/include/rom.sh
index 2a7bc837..c1b78c75 100644
--- a/include/rom.sh
+++ b/include/rom.sh
@@ -5,40 +5,29 @@
 # Copyright (c) 2022-2023 Alper Nebi Yasak <alpernebiyasak@gmail.com>
 # Copyright (c) 2023-2024 Riku Viitanen <riku.viitanen@protonmail.com>
 
-mkserprog()
+grubdata="config/data/grub"
+
+buildser()
 {
-	[ "$_f" = "-d" ] && return 0 # dry run
-	basename -as .h "$serdir/"*.h > "$TMPDIR/ser" || $err "!mk $1 $TMPDIR"
-
-	while read -r sertarget; do
-		[ "$1" = "pico" ] &&
-		    x_ rm -rf "$sersrc/build" \
-		    && (pt=$(x_ grep "pico_cmake_set" \
-		          "$picosdk/src/boards/include/boards/$sertarget.h" \
-		        | grep "PICO_PLATFORM" | cut -d= -f2 | tr -d [:blank:])
-		        mkdir -p "$sersrc/build_$pt"
-			ln -srf "$sersrc/build_$pt/" "$sersrc/build") \
-		    && x_ cmake -DPICO_BOARD="$sertarget" \
-		    -DPICO_SDK_PATH="$picosdk" -B "$sersrc/build" "$sersrc" \
-		    && x_ cmake --build "$sersrc/build"
-		[ "$1" = "stm32" ] && x_ make -C "$sersrc" \
-		    libopencm3-just-make BOARD=$sertarget && x_ make -C \
-		    "$sersrc" BOARD=$sertarget; x_ mkdir -p "bin/serprog_$1"
-		x_ mv "$serx" "bin/serprog_$1/serprog_$sertarget.${serx##*.}"
-	done < "$TMPDIR/ser"
-
-	[ "$XBMK_RELEASE" = "y" ] && mkrom_tarball "bin/serprog_$1"; return 0
+	[ "$1" = "pico" ] && x_ cmake -DPICO_BOARD="$2" \
+	    -DPICO_SDK_PATH="$picosdk" -B "$sersrc/build" "$sersrc" && \
+	    x_ cmake --build "$sersrc/build"
+	[ "$1" = "stm32" ] && x_ make -C "$sersrc" libopencm3-just-make \
+	    BOARD=$2 && x_ make -C "$sersrc" BOARD=$2
+	x_ mkdir -p "bin/serprog_$1"
+	x_ mv "$serx" "bin/serprog_$1/serprog_$2.${serx##*.}"
 }
 
 copyps1bios()
 {
-	x_ rm -Rf bin/playstation
-	x_ mkdir -p bin/playstation
+	[ "$dry" = ":" ] && return 0; :
+
+	remkdir "bin/playstation"
 	x_ cp src/pcsx-redux/src/mips/openbios/openbios.bin bin/playstation
 
 	printf "MIT License\n\nCopyright (c) 2019-2024 PCSX-Redux authors\n\n" \
-	    > bin/playstation/COPYING.txt || $err "!pcsx-redux copyright"
-	cat config/snippet/mit >>bin/playstation/COPYING.txt || $err "!pcsx MIT"
+	    > bin/playstation/COPYING.txt || err "!pcsx-redux copyright"
+	cat config/snippet/mit >>bin/playstation/COPYING.txt || err "!pcsx MIT"
 }
 
 mkpayload_grub()
@@ -46,83 +35,69 @@ mkpayload_grub()
 	eval "`setvars "" grub_modules grub_install_modules`"
 	$dry eval "`setcfg "$grubdata/module/$tree"`"
 	$dry x_ rm -f "$srcdir/grub.elf"; $dry \
-	"$srcdir/grub-mkstandalone" --grub-mkimage="$srcdir/grub-mkimage" \
+	x_ "$srcdir/grub-mkstandalone" --grub-mkimage="$srcdir/grub-mkimage" \
 	    -O i386-coreboot -o "$srcdir/grub.elf" -d "${srcdir}/grub-core/" \
 	    --fonts= --themes= --locales=  --modules="$grub_modules" \
 	    --install-modules="$grub_install_modules" \
 	    "/boot/grub/grub_default.cfg=${srcdir}/.config" \
-	    "/boot/grub/grub.cfg=$grubdata/memdisk.cfg" || \
-	    $err "$tree: cannot build grub.elf"; return 0
+	    "/boot/grub/grub.cfg=$grubdata/memdisk.cfg"; :
 }
 
-mkvendorfiles()
+corebootpremake()
 {
-	[ -z "$mode" ] && $dry cook_coreboot_config
-	check_coreboot_utils "$tree"
+	[ -n "$mode" ] || [ ! -f "$srcdir/.config" ] || $dry printf \
+	    "CONFIG_CCACHE=y\n" >> "$srcdir/.config" || err "$srcdir: !cook"; :
+	fx_ check_coreboot_util printf "cbfstool\nifdtool\n"
 	printf "%s\n" "${version%%-*}" > "$srcdir/.coreboot-version" || \
-	    $err "!mk $srcdir .coreboot-version"
+	    err "!mk $srcdir .coreboot-version"
 	[ -z "$mode" ] && [ "$target" != "$tree" ] && \
-	    x_ ./mk download "$target"; return 0
-}
-
-cook_coreboot_config()
-{
-	[ -f "$srcdir/.config" ] || return 0
-	printf "CONFIG_CCACHE=y\n" >> "$srcdir/.config" || \
-	    $err "$srcdir/.config: Could not enable ccache"
-	make -C "$srcdir" oldconfig || $err "Could not cook $srcdir/.config"; :
+	    x_ ./mk download "$target"; :
 }
 
-check_coreboot_utils()
+check_coreboot_util()
 {
-	for util in cbfstool ifdtool; do
-		[ "$badhash" = "y" ] && x_ rm -f "elf/$util/$1/$util"
-		e "elf/$util/$1/$util" f && continue
-
-		utilelfdir="elf/$util/$1"
-		utilsrcdir="src/coreboot/$1/util/$util"
-
-		utilmode="" && [ -n "$mode" ] && utilmode="clean"
-		x_ make -C "$utilsrcdir" $utilmode -j$XBMK_THREADS $makeargs
-		if [ -z "$mode" ] && [ ! -f "$utilelfdir/$util" ]; then
-			x_ mkdir -p "$utilelfdir"
-			x_ cp "$utilsrcdir/$util" "$utilelfdir"
-			[ "$util" = "cbfstool" ] || continue
-			x_ cp "$utilsrcdir/rmodtool" "$utilelfdir"
-		elif [ -n "$mode" ]; then
-			x_ rm -Rf "$utilelfdir"
-		fi; continue
-	done; return 0
+	[ "$badhash" = "y" ] && x_ rm -f "elf/coreboot/$tree/$1"
+	e "elf/coreboot/$tree/$1" f && return 0
+
+	utilelfdir="elf/coreboot/$tree"
+	utilsrcdir="src/coreboot/$tree/util/$1"
+
+	utilmode="" && [ -n "$mode" ] && utilmode="clean"
+	x_ make -C "$utilsrcdir" $utilmode -j$XBMK_THREADS $makeargs
+	[ -n "$mode" ] && x_ rm -Rf "$utilelfdir" && return 0
+	[ -z "$mode" ] || return 0
+	[ -f "$utilelfdir/$1" ] && return 0
+
+	x_ mkdir -p "$utilelfdir"
+	x_ cp "$utilsrcdir/$1" "$utilelfdir"
+	[ "$1" = "cbfstool" ] || return 0
+	x_ cp "$utilsrcdir/rmodtool" "$utilelfdir"
 }
 
 mkcorebootbin()
 {
 	[ "$target" = "$tree" ] && return 0
 
-	tmprom="$TMPDIR/coreboot.rom"
+	tmprom="$xbtmp/coreboot.rom"
 	$dry x_ cp "$srcdir/build/coreboot.rom" "$tmprom"
 
-	initmode="${defconfig##*/}"; displaymode="${initmode##*_}"
+	initmode="${defconfig##*/}"
+	displaymode="${initmode##*_}"
 	[ "$displaymode" = "$initmode" ] && displaymode="" # "normal" config
 	initmode="${initmode%%_*}"
-	cbfstool="elf/cbfstool/$tree/cbfstool"
+	cbfstool="elf/coreboot/$tree/cbfstool"
 
-	[ "$payload_uboot_i386" = "y" ] && \
-	    [ "$payload_uboot_amd64" = "y" ] && \
-		$err "'$target' enables 32- and 64-bit x86 U-Boot"
+	[ -z "$payload_uboot" ] || [ "$payload_uboot" = "amd64" ] || \
+	    [ "$payload_uboot" = "i386" ] || [ "$payload_uboot" = "arm64" ] \
+		|| err "'$target' defines bad u-boot type '$payload_uboot'"
 
-	if [ "$payload_uboot_i386" = "y" ] || \
-	    [ "$payload_uboot_amd64" = "y" ]; then
-		printf "'%s' has x86 U-Boot; assuming SeaBIOS=y\n" \
-		    "$target" 1>&2
+	[ -z "$payload_uboot" ] || [ "$payload_uboot" = "arm64" ] || \
 		payload_seabios="y"
-	fi
 
 	[ -n "$uboot_config" ] || uboot_config="default"
-	[ "$payload_uboot" = "y" ] || payload_seabios="y"
 	[ "$payload_grub" = "y" ] && payload_seabios="y"
-	[ "$payload_seabios" = "y" ] && [ "$payload_uboot" = "y" ] && \
-	    $dry $err "$target: U-Boot(arm64) and SeaBIOS/GRUB both enabled."
+	[ "$payload_seabios" = "y" ] && [ "$payload_uboot" = "arm64" ] && \
+	    $dry err "$target: U-Boot(arm64) and SeaBIOS/GRUB both enabled."
 
 	[ -z "$grub_scan_disk" ] && grub_scan_disk="nvme ahci ata"
 
@@ -139,27 +114,27 @@ mkcorebootbin()
 	if $dry grep "CONFIG_PAYLOAD_NONE=y" "$defconfig"; then
 		[ "$payload_seabios" = "y" ] && pname="seabios" && \
 		    $dry add_seabios
-		[ "$payload_uboot" = "y" ] && pname="uboot" && $dry add_uboot
+		[ "$payload_uboot" = "arm64" ] && pname="uboot" && \
+		    $dry add_uboot; :
 	else
-		pname="custom" && $dry cprom; :
+		pname="custom"
+		$dry cprom
 	fi; :
 }
 
 add_seabios()
 {
-	if [ "$payload_uboot_i386" = "y" ] || \
-	    [ "$payload_uboot_amd64" = "y" ]; then
-		$dry add_uboot
-	fi
+	[ -z "$payload_uboot" ] || [ "$payload_uboot" = "arm64" ] || \
+	    $dry add_uboot
 
 	_seabioself="elf/seabios/default/$initmode/bios.bin.elf"
-
 	_seaname="fallback/payload" && [ "$payload_grubsea" = "y" ] && \
 	    _seaname="seabios.elf"
+
 	cbfs "$tmprom" "$_seabioself" "$_seaname"
 	x_ "$cbfstool" "$tmprom" add-int -i 3000 -n etc/ps2-keyboard-spinup
 
-	_z="2"; [ "$initmode" = "vgarom" ] && _z="0"
+	_z="2" && [ "$initmode" = "vgarom" ] && _z="0"
 	x_ "$cbfstool" "$tmprom" add-int -i $_z -n etc/pci-optionrom-exec
 	x_ "$cbfstool" "$tmprom" add-int -i 0 -n etc/optionroms-checksum
 	[ "$initmode" = "libgfxinit" ] && \
@@ -171,7 +146,7 @@ add_seabios()
 	[ "$payload_grub" = "y" ] && add_grub
 
 	[ "$payload_grubsea" != "y" ] && cprom
-	[ "$payload_uboot_amd64" = "y" ] && [ "$displaymode" != "txtmode" ] && \
+	[ "$payload_uboot" = "amd64" ] && [ "$displaymode" != "txtmode" ] && \
 	    [ "$initmode" != "normal" ] && [ "$payload_grubsea" != "y" ] && \
 	    pname="seauboot" && cprom "seauboot"
 	[ "$payload_grub" = "y" ] && pname="seagrub" && mkseagrub; :
@@ -183,8 +158,8 @@ add_grub()
 	    _grubname="fallback/payload"
 	cbfs "$tmprom" "$grubelf" "$_grubname"
 	printf "set grub_scan_disk=\"%s\"\n" "$grub_scan_disk" \
-	    > "$TMPDIR/tmpcfg" || $err "$target: !insert scandisk"
-	cbfs "$tmprom" "$TMPDIR/tmpcfg" scan.cfg raw
+	    > "$xbtmp/tmpcfg" || err "$target: !insert scandisk"
+	cbfs "$tmprom" "$xbtmp/tmpcfg" scan.cfg raw
 	[ "$initmode" != "normal" ] && [ "$displaymode" != "txtmode" ] && \
 	    cbfs "$tmprom" "$grubdata/background/background1280x800.png" \
 	    "background.png" raw; :
@@ -192,14 +167,10 @@ add_grub()
 
 mkseagrub()
 {
-	if [ "$payload_grubsea" = "y" ]; then
-		pname="grub"
-	else
-		cbfs "$tmprom" "$grubdata/bootorder" bootorder raw
-	fi
-	for keymap in config/data/grub/keymap/*.gkb; do
-		[ -f "$keymap" ] && cprom "${keymap##*/}"; :
-	done; :
+	[ "$payload_grubsea" = "y" ] && pname="grub"
+	[ "$payload_grubsea" = "y" ] || \
+	    cbfs "$tmprom" "$grubdata/bootorder" bootorder raw
+	fx_ cprom x_ find "$grubdata/keymap" -type f -name "*.gkb"
 }
 
 add_uboot()
@@ -222,14 +193,13 @@ add_uboot()
 	ubpath="fallback/payload"
 	ubtarget="$target"
 	# override for x86/x86_64 targets:
-	if [ "$payload_uboot_i386" = "y" ] || \
-	    [ "$payload_uboot_amd64" = "y" ]; then
+	if [ -n "$payload_uboot" ] && [ "$payload_uboot" != "arm64" ]; then
 		ubcbfsargs="-l 0x1110000 -e 0x1110000" # 64-bit and 32-bit
 			# on 64-bit, 0x1120000 is the SPL, and stub before that
 		ubpath="img/u-boot" # 64-bit
 		ubtarget="amd64coreboot"
-		[ "$payload_uboot_i386" = "y" ] && ubpath="u-boot" # 32-bit
-		[ "$payload_uboot_i386" = "y" ] && ubtarget="i386coreboot"; :
+		[ "$payload_uboot" = "i386" ] && ubpath="u-boot" # 32-bit
+		[ "$payload_uboot" = "i386" ] && ubtarget="i386coreboot"; :
 	fi
 
 	ubdir="elf/u-boot/$ubtarget/$uboot_config"
@@ -238,36 +208,52 @@ add_uboot()
 	ubootelf="$ubdir/u-boot.elf" && [ ! -f "$ubootelf" ] && \
 	    ubootelf="$ubdir/u-boot"
 	# override for x86/x86_64 targets:
-	[ "$payload_uboot_i386" = "y" ] && ubootelf="$ubdir/u-boot-dtb.bin"
-	[ "$payload_uboot_amd64" = "y" ] && \
+	[ "$payload_uboot" = "i386" ] && ubootelf="$ubdir/u-boot-dtb.bin"
+	[ "$payload_uboot" = "amd64" ] && \
 	    ubootelf="$ubdir/u-boot-x86-with-spl.bin" # EFI-compatible
 
-	[ -f "$ubootelf" ] || $err "cb/$ubtarget: Can't find u-boot"
 	cbfs "$tmprom" "$ubootelf" "$ubpath" $ubcbfsargs
 	[ "$payload_seabios" = "y" ] || cprom; :
 }
 
 cprom()
 {
-	newrom="bin/$target/${pname}_${target}_$initmode.rom"
+	cpcmd="cp"
+
+	tmpnew=""; newrom="bin/$target/${pname}_${target}_$initmode.rom"
 	[ -n "$displaymode" ] && newrom="${newrom%.rom}_$displaymode.rom"
-	[ $# -gt 0 ] && [ "$1" != "seauboot" ] && \
-	    newrom="${newrom%.rom}_${1%.gkb}.rom"
+	[ $# -gt 0 ] && [ "${1%.gkb}" != "$1" ] && tmpnew="${1##*/}" && \
+	    newrom="${newrom%.rom}_${tmpnew%.gkb}.rom"
 
-	x_ mkdir -p "bin/$target"
-	x_ cp "$tmprom" "$newrom" && [ $# -gt 0 ] && [ "$1" != "seauboot" ] && \
-	    cbfs "$newrom" "config/data/grub/keymap/$1" keymap.gkb raw
+	irom="$tmprom"
+	[ $# -lt 1 ] || irom="`mktemp`" || err "!mk irom, $(echo "$@")"
+	[ $# -gt 0 ] && x_ cp "$tmprom" "$irom" && cpcmd="mv"
+
+	[ $# -gt 0 ] && [ "${1%.gkb}" != "$1" ] && \
+	    cbfs "$irom" "$grubdata/keymap/$tmpnew" keymap.gkb raw
 	[ $# -gt 0 ] && [ "$1" = "seauboot" ] && \
-	    cbfs "$newrom" "config/data/grub/bootorder_uboot" bootorder raw; :
+	    cbfs "$irom" "$grubdata/bootorder_uboot" bootorder raw; :
+
+	printf "Creating new %s image: '%s'\n" "$projectname" "$newrom"
+	x_ mkdir -p "bin/$target"
+	x_ $cpcmd "$irom" "$newrom"
+}
+
+cbfs()
+{
+	ccmd="add-payload" && [ $# -gt 3 ] && [ $# -lt 5 ] && ccmd="add"
+	lzma="-c lzma" && [ $# -gt 3 ] && [ $# -lt 5 ] && lzma="-t $4"
+
+	[ $# -gt 4 ] && [ "$5" = "0x1110000" ] && \
+	    ccmd="add-flat-binary" && \
+	    lzma="-c lzma -l 0x1110000 -e 0x1110000"
+
+	x_ "$cbfstool" "$1" $ccmd -f "$2" -n "$3" $lzma
 }
 
 mkcoreboottar()
 {
-	[ "$target" = "$tree" ] && return 0
-	[ "$XBMK_RELEASE" = "y" ] || return 0
-	[ "$release" != "n" ] || return 0
-	$dry mkrom_tarball "bin/$target"
-	$dry ./mk inject "bin/${relname}_${target}.tar.xz" nuke || \
-	    $err "Can't delete vendorfiles in 'bin/${relname}_$target.tar.xz'"
-	return 0
+	[ "$target" != "$tree" ] && [ "$XBMK_RELEASE" = "y" ] && \
+	    [ "$release" != "n" ] && $dry mkrom_tarball "bin/$target" && \
+	    $dry x_ ./mk inject "bin/${relname}_${target}.tar.xz" nuke; :
 }
diff --git a/include/tree.sh b/include/tree.sh
new file mode 100644
index 00000000..85f97101
--- /dev/null
+++ b/include/tree.sh
@@ -0,0 +1,343 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+# Copyright (c) 2022-2023 Alper Nebi Yasak <alpernebiyasak@gmail.com>
+# Copyright (c) 2022 Ferass El Hafidi <vitali64pmemail@protonmail.com>
+# Copyright (c) 2023-2025 Leah Rowe <leah@libreboot.org>
+
+eval "`setvars "" xarch srcdir premake gnatdir xlang mode makeargs elfdir cmd \
+    project target target_dir targets xtree _f release bootstrapargs mkhelper \
+    autoconfargs listfile autogenargs btype rev build_depend gccdir cmakedir \
+    defconfig postmake mkhelpercfg dry dest_dir mdir cleanargs gccver gccfull \
+    gnatver gnatfull do_make badhash tree`"
+
+trees()
+{
+	flags="f:b:m:u:c:x:s:l:n:d:"
+
+	while getopts $flags option; do
+		[ -n "$_f" ] && err "only one flag is permitted"
+		_f="$1"
+
+		case "$_f" in
+		-d) dry=":" ;;
+		-b) : ;;
+		-u) mode="oldconfig" ;;
+		-m) mode="menuconfig" ;;
+		-c) mode="distclean" ;;
+		-x) mode="crossgcc-clean" ;;
+		-f)
+			do_make="n"
+			dry=":" ;;
+		-s) mode="savedefconfig" ;;
+		-l) mode="olddefconfig" ;;
+		-n) mode="nconfig" ;;
+		*) err "invalid option '-$option'" ;;
+		esac
+
+		if [ -z "${OPTARG+x}" ]; then
+			shift 1
+			break
+		fi
+
+		project="${OPTARG#src/}"
+		project="${project#config/git/}"
+		shift 2
+	done
+	[ -z "$_f" ] && err "missing flag ($flags)"
+	[ -z "$project" ] && fx_ "x_ ./mk $_f" x_ ls -1 config/git && return 1
+
+	[ -f "config/git/$project/pkg.cfg" ] || \
+	    err "config/git/$project/pkg.cfg missing"
+
+	for d in "elf" "config/data" "config" "src"; do
+		eval "${d#*/}dir=\"$d/$project\""
+	done
+	dest_dir="$elfdir"
+
+	listfile="$datadir/build.list"
+	[ -f "$listfile" ] || listfile="" # optional on all projects
+
+	mkhelpercfg="$datadir/mkhelper.cfg"
+	if e "$mkhelpercfg" f missing; then
+		mkhelpercfg="$xbtmp/mkhelper.cfg"
+		x_ touch "$mkhelpercfg"
+	fi
+
+	targets="$*"
+	cmd="build_targets $targets"
+	singletree "$project" && cmd="build_project"
+
+	remkdir "${tmpgit%/*}"
+}
+
+build_project()
+{
+	configure_project "$configdir" || return 0
+	[ ! -f "$listfile" ] || $dry elfcheck || return 0
+
+	[ "$mode" = "distclean" ] && mode="clean"
+	run_make_command || return 0
+
+	[ -n "$mode" ] || $dry copy_elf; :
+}
+
+build_targets()
+{
+	[ -d "$configdir" ] || err "directory, $configdir, does not exist"
+	[ $# -gt 0 ] || targets="$(ls -1 "$configdir")" || err "!o $configdir"
+
+	for x in $targets; do
+		unset CROSS_COMPILE
+		export PATH="$xbmkpath"
+		[ "$x" = "list" ] && x_ ls -1 "config/$project" && \
+		    listfile="" && break
+
+		target="$x"
+		printf "'make %s', '%s', '%s'\n" "$mode" "$project" "$target"
+		x_ handle_defconfig
+
+		[ -n "$mode" ] || x_ $postmake
+	done; :
+}
+
+handle_defconfig()
+{
+	target_dir="$configdir/$target"
+
+	[ -f "CHANGELOG" ] || fetch_project "$project"
+	configure_project "$target_dir" || return 0
+
+	chkvars tree
+	srcdir="src/$project/$tree"
+
+	[ "$mode" = "${mode%clean}" ] && [ ! -d "$srcdir" ] && return 0
+
+	[ -z "$mode" ] && for _xarch in $xarch; do
+		$dry check_cross_compiler "$_xarch"
+	done; :
+
+	for y in "$target_dir/config"/*; do
+		[ "$_f" = "-d" ] || [ -f "$y" ] || continue
+		[ "$_f" = "-d" ] || defconfig="$y"
+
+		[ -n "$mode" ] || check_defconfig || continue
+		handle_makefile
+		[ -n "$mode" ] || $dry copy_elf
+	done; :
+}
+
+configure_project()
+{
+	eval "`setvars "" cleanargs build_depend autoconfargs xtree postmake \
+	    makeargs btype mkhelper bootstrapargs premake release xlang xarch \
+	    badhash`"
+	_tcfg="$1/target.cfg"
+	[ -f "$_tcfg" ] || btype="auto"
+	e "$datadir/mkhelper.cfg" f && eval "`setcfg "$datadir/mkhelper.cfg"`"
+
+	while e "$_tcfg" f || [ "$cmd" != "build_project" ]; do
+		eval "`setvars "" rev tree`"
+		eval "`setcfg "$_tcfg"`"
+		printf "Loading %s config: %s\n" "$project" "$_tcfg"
+
+		[ "$_f" = "-d" ] && build_depend="" # dry run
+		[ "$cmd" = "build_project" ] && break
+		[ "$do_make" != "n" ] && break
+
+		[ "${_tcfg%/*/target.cfg}" = "${_tcfg%"/$tree/target.cfg"}" ] \
+		    && break
+		_tcfg="${_tcfg%/*/target.cfg}/$tree/target.cfg"
+	done
+	[ "$XBMK_RELEASE" = "y" ] && [ "$release" = "n" ] && return 1
+	[ -z "$btype" ] || [ "${mode%config}" = "$mode" ] || return 1
+	[ -z "$mode" ] && $dry build_dependencies
+
+	mdir="$xbmkpwd/config/submodule/$project"
+	[ -n "$tree" ] && mdir="$mdir/$tree"
+	[ -f "CHANGELOG" ] || check_project_hashes
+
+	if [ "$do_make" = "n" ]; then
+		[ -f "CHANGELOG" ] || fetch_${cmd#build_}
+		return 1
+	fi
+	x_ ./mk -f "$project" "$target"
+}
+
+build_dependencies()
+{
+	for bd in $build_depend; do
+		bd_p="${bd%%/*}"
+		bd_t="${bd##*/}"
+		[ -z "$bd_p" ] && $dry err "$project/$tree: !bd '$bd'"
+		[ "${bd##*/}" = "$bd" ] && bd_t=""
+		[ -z "$bd_p" ] || $dry x_ ./mk -b $bd_p $bd_t; :
+	done; :
+}
+
+check_project_hashes()
+{
+	old_pjhash="" && x_ mkdir -p "$XBMK_CACHE/hash"
+	[ ! -f "$XBMK_CACHE/hash/$project$tree" ] || \
+	    read -r old_pjhash < "$XBMK_CACHE/hash/$project$tree" || \
+	    err "old_pjhash: Can't read '$XBMK_CACHE/hash/$project$tree'"
+
+	fx_ "x_ sha512sum" find "$datadir" "$configdir/$tree" "$mdir" \
+	    -type f -not -path "*/.git*/*" | awk '{print $1}' > \
+	    "$xbtmp/project.hash" || err "!h $project $tree"
+
+	pjhash="$(x_ sha512sum "$xbtmp/project.hash" | awk '{print $1}' || \
+	    err)" || err "pjhash: Can't read sha512 of '$xbtmp/project.hash'"
+	[ "$pjhash" != "$old_pjhash" ] && badhash="y"
+	[ -f "$XBMK_CACHE/hash/$project$tree" ] || badhash="y"
+
+	printf "%s\n" "$pjhash" > "$XBMK_CACHE/hash/$project$tree" || \
+	    err "!mk $XBMK_CACHE/hash/$project$tree"
+
+	[ "$badhash" != "y" ] || x_ rm -Rf "src/$project/$tree" \
+	    "elf/$project/$tree" "elf/$project/$target"; :
+}
+
+check_cross_compiler()
+{
+	cbdir="src/coreboot/$tree"
+	[ "$project" != "coreboot" ] && cbdir="src/coreboot/default"
+	[ -n "$xtree" ] && cbdir="src/coreboot/$xtree"
+
+	x_ ./mk -f coreboot "${cbdir#src/coreboot/}"
+
+	export PATH="$xbmkpwd/$cbdir/util/crossgcc/xgcc/bin:$PATH"
+	export CROSS_COMPILE="${xarch% *}-"
+	[ -n "$xlang" ] && export BUILD_LANGUAGES="$xlang"
+
+	# match gnat-X to gcc
+	check_gnu_path gcc gnat || x_ check_gnu_path gnat gcc
+
+	xfix="${1%-*}" && [ "$xfix" = "x86_64" ] && xfix="x64"
+	xgccargs="crossgcc-$xfix UPDATED_SUBMODULES=1 CPUS=$XBMK_THREADS"
+	make -C "$cbdir" $xgccargs || x_ make -C "$cbdir" $xgccargs
+
+	# we only want to mess with hostcc to build xgcc
+	remkdir "$XBMK_CACHE/gnupath"
+}
+
+# fix mismatching gcc/gnat versions on debian trixie/sid. as of december 2024,
+# trixie/sid had gnat-13 as gnat and gcc-14 as gcc, but has gnat-14 in apt. in
+# some cases, gcc 13+14 and gnat-13 are present; or gnat-14 and gcc-14, but
+# gnat in PATH never resolves to gnat-14, because gnat-14 was "experimental"
+check_gnu_path()
+{
+	command -v "$1" 1>/dev/null || err "Host '$1' unavailable"
+
+	eval "`setvars "" gccver gccfull gnatver gnatfull gccdir gnatdir`"
+	x_ gnu_setver "$1" "$1" || err "Command '$1' unavailable."
+	gnu_setver "$2" "$2" || :
+
+	eval "[ -z \"\$$1ver\" ] && err \"Cannot detect host '$1' version\""
+	[ "$gnatfull" = "$gccfull" ] && return 0
+
+	eval "$1dir=\"$(dirname "$(command -v "$1")")\""
+	eval "_gnudir=\"\$$1dir\"; _gnuver=\"\$$1ver\""
+	for _bin in "$_gnudir/$2-"*; do
+		[ "${_bin#"$_gnudir/$2-"}" = "$_gnuver" ] && [ -x "$_bin" ] \
+		    && _gnuver="${_bin#"$_gnudir/$2-"}" && break; :
+	done
+	gnu_setver "$2" "$_gnudir/$2-$_gnuver" || return 1
+	[ "$gnatfull" = "$gccfull" ] || return 1
+
+	(
+	remkdir "$XBMK_CACHE/gnupath" && x_ cd "$XBMK_CACHE/gnupath"
+	for _gnubin in "$_gnudir/$2"*"-$_gnuver"; do
+		_gnuutil="${_gnubin##*/}" && [ -e "$_gnubin" ] && \
+		    x_ ln -s "$_gnubin" "${_gnuutil%"-$_gnuver"}"
+	done
+	) || err "Cannot create $2-$_gnuver link in $_gnudir"; :
+}
+
+gnu_setver()
+{
+	eval "$2 --version 1>/dev/null 2>/dev/null || return 1"
+	eval "$1ver=\"`"$2" --version 2>/dev/null | head -n1`\""
+	eval "$1ver=\"\${$1ver##* }\""
+	eval "$1full=\"\$$1ver\""
+	eval "$1ver=\"\${$1ver%%.*}\""; :
+}
+
+check_defconfig()
+{
+	[ -f "$defconfig" ] || $dry err "$project/$target: missing defconfig"
+	dest_dir="$elfdir/$target/${defconfig#"$target_dir/config/"}"
+
+	$dry elfcheck || return 1; : # skip build if a previous one exists
+}
+
+elfcheck()
+{
+	# TODO: *STILL* very hacky check. do it properly (based on build.list)
+	( fx_ "eval exit 1 && err" find "$dest_dir" -type f ) || return 1; :
+}
+
+handle_makefile()
+{
+	$dry check_makefile "$srcdir" && \
+	    $dry x_ make -C "$srcdir" $cleanargs clean
+
+	[ -f "$defconfig" ] && x_ cp "$defconfig" "$srcdir/.config"
+
+	run_make_command || err "handle_makefile $srcdir: no makefile!"
+
+	_copy=".config" && [ "$mode" = "savedefconfig" ] && _copy="defconfig"
+	[ "${mode%config}" = "$mode" ] || \
+	    $dry x_ cp "$srcdir/$_copy" "$defconfig"
+
+	[ -e "$srcdir/.git" ] && [ "$project" = "u-boot" ] && \
+	    [ "$mode" = "distclean" ] && \
+		$dry x_ git -C "$srcdir" $cleanargs clean -fdx; :
+}
+
+run_make_command()
+{
+	[ -n "$mode" ] || x_ $premake
+
+	$dry check_cmake "$srcdir" && [ -z "$mode" ] && \
+	    $dry check_autoconf "$srcdir"
+	$dry check_makefile "$srcdir" || return 1
+
+	$dry x_ make -C "$srcdir" $mode -j$XBMK_THREADS $makeargs
+	[ -n "$mode" ] || x_ $mkhelper
+
+	check_makefile "$srcdir" || return 0
+	[ "$mode" != "clean" ] || \
+	    $dry make -C "$srcdir" $cleanargs distclean || \
+	    $dry x_ make -C "$srcdir" $cleanargs clean; :
+}
+
+check_cmake()
+{
+	[ -z "$cmakedir" ] || $dry check_makefile "$1" || cmake -B "$1" \
+	    "$1/$cmakedir" || $dry x_ check_makefile "$1"
+	[ -z "$cmakedir" ] || $dry x_ check_makefile "$1"; :
+}
+
+check_autoconf()
+{
+	(
+	x_ cd "$1"
+	[ -f "bootstrap" ] && x_ ./bootstrap $bootstrapargs
+	[ -f "autogen.sh" ] && x_ ./autogen.sh $autogenargs
+	[ -f "configure" ] && x_ ./configure $autoconfargs; :
+	) || err "can't bootstrap project: $1"; :
+}
+
+check_makefile()
+{
+	[ -f "$1/Makefile" ] || [ -f "$1/makefile" ] || \
+	    [ -f "$1/GNUmakefile" ] || return 1; :
+}
+
+copy_elf()
+{
+	[ -f "$listfile" ] && x_ mkdir -p "$dest_dir"
+	[ ! -f "$listfile" ] || while read -r f; do
+		[ -f "$srcdir/$f" ] && x_ cp "$srcdir/$f" "$dest_dir"; :
+	done < "$listfile" || err "copy_elf $*: cannot read '$listfile'"; :
+	x_ make clean -C "$srcdir" $cleanargs
+}
diff --git a/include/vendor.sh b/include/vendor.sh
index 7fc283b8..55373913 100644
--- a/include/vendor.sh
+++ b/include/vendor.sh
@@ -3,261 +3,204 @@
 # Copyright (c) 2022 Ferass El Hafidi <vitali64pmemail@protonmail.com>
 # Copyright (c) 2023-2025 Leah Rowe <leah@libreboot.org>
 
-e6400_unpack="$PWD/src/bios_extract/dell_inspiron_1100_unpacker.py"
-me7updateparser="$PWD/util/me7_update_parser/me7_update_parser.py"
-pfs_extract="$PWD/src/biosutilities/Dell_PFS_Extract.py"
-uefiextract="$PWD/elf/uefitool/uefiextract"
+# These are variables and functions, extending the functionality of
+# inject.sh, to be used with lbmk; they are kept separate here, so that
+# the main inject.sh can be as similar as possible between lbmk and cbmk,
+# so that cherry-picking lbmk patches into cbmk yields fewer merge conflicts.
+
+# When reading this file, you should imagine that it is part of inject.sh,
+# with inject.sh concatenated onto vendor.sh; they are inexorably intertwined.
+# The main "mk" script sources vendor.sh first, and then inject.sh, in lbmk.
+
+e6400_unpack="$xbmkpwd/src/bios_extract/dell_inspiron_1100_unpacker.py"
+me7updateparser="$xbmkpwd/util/me7_update_parser/me7_update_parser.py"
+pfs_extract="$xbmkpwd/src/biosutilities/Dell_PFS_Extract.py"
+uefiextract="$xbmkpwd/elf/uefitool/uefiextract"
 vendir="vendorfiles"
 appdir="$vendir/app"
-cbcfgsdir="config/coreboot"
-hashfiles="vendorhashes blobhashes" # blobhashes for backwards compatibility
-dontflash="!!! AN ERROR OCCURED! Please DO NOT flash if injection failed. !!!"
-vfix="DO_NOT_FLASH_YET._FIRST,_INJECT_BLOBS_VIA_INSTRUCTIONS_ON_LIBREBOOT.ORG_"
-vguide="https://libreboot.org/docs/install/ivy_has_common.html"
-tmpromdel="$PWD/tmp/DO_NOT_FLASH"
-
-cv="CONFIG_HAVE_ME_BIN CONFIG_ME_BIN_PATH CONFIG_INCLUDE_SMSC_SCH5545_EC_FW \
-    CONFIG_SMSC_SCH5545_EC_FW_FILE CONFIG_KBC1126_FIRMWARE CONFIG_KBC1126_FW1 \
-    CONFIG_KBC1126_FW2 CONFIG_KBC1126_FW1_OFFSET CONFIG_KBC1126_FW2_OFFSET \
-    CONFIG_VGA_BIOS_FILE CONFIG_VGA_BIOS_ID CONFIG_BOARD_DELL_E6400 \
-    CONFIG_HAVE_MRC CONFIG_MRC_FILE CONFIG_HAVE_REFCODE_BLOB \
-    CONFIG_REFCODE_BLOB_FILE CONFIG_GBE_BIN_PATH CONFIG_IFD_BIN_PATH \
-    CONFIG_LENOVO_TBFW_BIN CONFIG_FSP_FD_PATH CONFIG_FSP_M_FILE \
-    CONFIG_FSP_S_FILE CONFIG_FSP_S_CBFS CONFIG_FSP_M_CBFS CONFIG_FSP_USE_REPO \
-    CONFIG_FSP_FULL_FD"
+vfix="DO_NOT_FLASH_YET._FIRST,_INJECT_FILES_VIA_INSTRUCTIONS_ON_LIBREBOOT.ORG_"
 
+# lbmk-specific extension to the "cv" variable (not suitable for cbmk)
+cvchk="CONFIG_INCLUDE_SMSC_SCH5545_EC_FW CONFIG_HAVE_MRC CONFIG_HAVE_ME_BIN \
+    CONFIG_LENOVO_TBFW_BIN CONFIG_VGA_BIOS_FILE CONFIG_FSP_M_FILE \
+    CONFIG_FSP_S_FILE CONFIG_KBC1126_FW1 CONFIG_KBC1126_FW2"
+
+# lbmk-specific extensions to the "cv" variable (not suitable for cbmk)
+cvxbmk="CONFIG_ME_BIN_PATH CONFIG_SMSC_SCH5545_EC_FW_FILE CONFIG_FSP_FULL_FD \
+    CONFIG_KBC1126_FW1_OFFSET CONFIG_KBC1126_FW2_OFFSET CONFIG_FSP_USE_REPO \
+    CONFIG_VGA_BIOS_ID CONFIG_BOARD_DELL_E6400 CONFIG_FSP_S_CBFS \
+    CONFIG_HAVE_REFCODE_BLOB CONFIG_REFCODE_BLOB_FILE CONFIG_FSP_FD_PATH \
+    CONFIG_IFD_BIN_PATH CONFIG_MRC_FILE CONFIG_FSP_M_CBFS"
+
+# lbmk-specific extensions; mostly used for downloading vendor files
 eval "`setvars "" has_hashes EC_hash DL_hash DL_url_bkup MRC_refcode_gbe vcfg \
     E6400_VGA_DL_hash E6400_VGA_DL_url E6400_VGA_DL_url_bkup E6400_VGA_offset \
-    E6400_VGA_romname SCH5545EC_DL_url_bkup SCH5545EC_DL_hash _dest tree \
-    mecleaner kbc1126_ec_dump MRC_refcode_cbtree new_mac _dl SCH5545EC_DL_url \
-    archive EC_url boarddir rom cbdir DL_url nukemode cbfstoolref FSPFD_hash \
-    _7ztest ME11bootguard ME11delta ME11version ME11sku ME11pch tmpromdir \
-    IFD_platform ifdprefix cdir sdir _me _metmp mfs TBFW_url_bkup TBFW_url \
-    TBFW_hash TBFW_size hashfile xromsize xchanged EC_url_bkup $cv`"
-
-vendor_download()
-{
-	[ $# -gt 0 ] || $err "No argument given"; export PATH="$PATH:/sbin"
-	board="$1"; readcfg && readkconfig && bootstrap && getfiles; :
-}
-
-readkconfig()
+    E6400_VGA_romname SCH5545EC_DL_url_bkup SCH5545EC_DL_hash _dest mecleaner \
+    kbc1126_ec_dump MRC_refcode_cbtree _dl SCH5545EC_DL_url EC_url rom DL_url \
+    nuke cbfstoolref FSPFD_hash _7ztest ME11bootguard ME11delta xromsize \
+    ME11version ME11sku ME11pch _me _metmp mfs TBFW_url_bkup TBFW_url cbdir \
+    TBFW_hash TBFW_size hashfile EC_url_bkup FSPM_bin_hash FSPS_bin_hash \
+    EC_FW1_hash EC_FW2_hash ME_bin_hash MRC_bin_hash REF_bin_hash _dl_bin \
+    SCH5545EC_bin_hash TBFW_bin_hash E6400_VGA_bin_hash _pre_dest`"
+
+download()
 {
-	check_defconfig "$boarddir" 1>"$TMPDIR/vendorcfg.list" && return 1
-
-	rm -f "$TMPDIR/tmpcbcfg" || $err "!rm $TMPDIR/tmpcbcfg - $dontflash"
-	while read -r cbcfgfile; do
-		for cbc in $cv; do
-			rm -f "$TMPDIR/tmpcbcfg2" || \
-			    $err "!rm $TMPDIR/tmpcbcfg2 - $dontflash"
-			grep "$cbc" "$cbcfgfile" 1>"$TMPDIR/tmpcbcfg2" \
-			    2>/dev/null || :
-			[ -f "$TMPDIR/tmpcbcfg2" ] || continue
-			cat "$TMPDIR/tmpcbcfg2" >> "$TMPDIR/tmpcbcfg" || \
-			    $err "!cat $TMPDIR/tmpcbcfg2 - $dontflash"
-		done
-	done < "$TMPDIR/vendorcfg.list"
-
-	eval "`setcfg "$TMPDIR/tmpcbcfg"`"
-
-	for c in CONFIG_HAVE_MRC CONFIG_HAVE_ME_BIN CONFIG_KBC1126_FIRMWARE \
-	    CONFIG_VGA_BIOS_FILE CONFIG_INCLUDE_SMSC_SCH5545_EC_FW \
-	    CONFIG_LENOVO_TBFW_BIN CONFIG_FSP_M_FILE CONFIG_FSP_S_FILE; do
-		eval "[ \"\${$c}\" = \"/dev/null\" ] && continue"
-		eval "[ -z \"\${$c}\" ] && continue"
-		eval "`setcfg "config/vendor/$vcfg/pkg.cfg"`"; return 0
-	done
-	printf "Vendor files not needed for: %s\n" "$board" 1>&2; return 1
-}
-
-bootstrap()
-{
-	x_ ./mk -f coreboot ${cbdir##*/}
-	mk -b uefitool biosutilities bios_extract
-	[ -d "${kbc1126_ec_dump%/*}" ] && x_ make -C "$cbdir/util/kbc1126"
-	[ -n "$MRC_refcode_cbtree" ] && \
-	    cbfstoolref="elf/cbfstool/$MRC_refcode_cbtree/cbfstool" && \
-	    x_ ./mk -d coreboot "$MRC_refcode_cbtree"; return 0
+	[ $# -gt 0 ] || err "No argument given"
+	export PATH="$PATH:/sbin"
+	board="$1" && check_target && readkconfig download
 }
 
 getfiles()
 {
 	[ -z "$CONFIG_HAVE_ME_BIN" ] || fetch intel_me "$DL_url" \
-	    "$DL_url_bkup" "$DL_hash" "$CONFIG_ME_BIN_PATH"
+	    "$DL_url_bkup" "$DL_hash" "$CONFIG_ME_BIN_PATH" curl "$ME_bin_hash"
 	[ -z "$CONFIG_INCLUDE_SMSC_SCH5545_EC_FW" ] || fetch sch5545ec \
 	    "$SCH5545EC_DL_url" "$SCH5545EC_DL_url_bkup" "$SCH5545EC_DL_hash" \
-	    "$CONFIG_SMSC_SCH5545_EC_FW_FILE"
-	[ -z "$CONFIG_KBC1126_FIRMWARE" ] || fetch kbc1126ec "$EC_url" \
-	    "$EC_url_bkup" "$EC_hash" "$CONFIG_KBC1126_FW1"
+	    "$CONFIG_SMSC_SCH5545_EC_FW_FILE" "curl" "$SCH5545EC_bin_hash"
+	[ -z "$CONFIG_KBC1126_FW1" ] || fetch kbc1126ec "$EC_url" \
+	    "$EC_url_bkup" "$EC_hash" "$CONFIG_KBC1126_FW1" curl "$EC_FW1_hash"
+	[ -z "$CONFIG_KBC1126_FW2" ] || fetch kbc1126ec "$EC_url" \
+	    "$EC_url_bkup" "$EC_hash" "$CONFIG_KBC1126_FW2" curl "$EC_FW2_hash"
 	[ -z "$CONFIG_VGA_BIOS_FILE" ] || fetch e6400vga "$E6400_VGA_DL_url" \
-	  "$E6400_VGA_DL_url_bkup" "$E6400_VGA_DL_hash" "$CONFIG_VGA_BIOS_FILE"
+	    "$E6400_VGA_DL_url_bkup" "$E6400_VGA_DL_hash" \
+	    "$CONFIG_VGA_BIOS_FILE" "curl" "$E6400_VGA_bin_hash"
 	[ -z "$CONFIG_HAVE_MRC" ] || fetch "mrc" "$MRC_url" "$MRC_url_bkup" \
-	    "$MRC_hash" "$CONFIG_MRC_FILE"
+	    "$MRC_hash" "$CONFIG_MRC_FILE" "curl" "$MRC_bin_hash"
+	[ -z "$CONFIG_REFCODE_BLOB_FILE" ] || fetch "refcode" "$MRC_url" \
+	    "$MRC_url_bkup" "$MRC_hash" "$CONFIG_REFCODE_BLOB_FILE" "curl" \
+	    "$REF_bin_hash"
 	[ -z "$CONFIG_LENOVO_TBFW_BIN" ] || fetch "tbfw" "$TBFW_url" \
-	    "$TBFW_url_bkup" "$TBFW_hash" "$CONFIG_LENOVO_TBFW_BIN"
-	#
-	# in the future, we might have libre fsp-s and then fsp-m.
-	# therefore, handle them separately, in case one of them is libre; if
-	# one of them was, the path wouldn't be set.
-	#
-	[ -z "$CONFIG_FSP_M_FILE" ] || fetch "fspm" "$CONFIG_FSP_FD_PATH" \
-	    "$CONFIG_FSP_FD_PATH" "$FSPFD_hash" "$CONFIG_FSP_M_FILE" copy
-	[ -z "$CONFIG_FSP_S_FILE" ] || fetch "fsps" "$CONFIG_FSP_FD_PATH" \
-	    "$CONFIG_FSP_FD_PATH" "$FSPFD_hash" "$CONFIG_FSP_S_FILE" copy; :
+	    "$TBFW_url_bkup" "$TBFW_hash" "$CONFIG_LENOVO_TBFW_BIN" "curl" \
+	    "$TBFW_bin_hash"
+	[ -z "$CONFIG_FSP_M_FILE" ] || fetch "fsp" "$CONFIG_FSP_FD_PATH" \
+	    "$CONFIG_FSP_FD_PATH" "$FSPFD_hash" "$CONFIG_FSP_M_FILE" "copy" \
+	    "$FSPM_bin_hash"
+	[ -z "$CONFIG_FSP_S_FILE" ] || fetch "fsp" "$CONFIG_FSP_FD_PATH" \
+	    "$CONFIG_FSP_FD_PATH" "$FSPFD_hash" "$CONFIG_FSP_S_FILE" "copy" \
+	    "$FSPS_bin_hash"; :
 }
 
 fetch()
 {
-	dl_type="$1"; dl="$2"; dl_bkup="$3"; dlsum="$4"; _dest="${5##*../}"
-	[ "$5" = "/dev/null" ] && return 0; _dl="$XBMK_CACHE/file/$dlsum"
-	if [ "$dl_type" = "fspm" ] || [ "$dl_type" = "fsps" ]; then
-		# HACK: if grabbing fsp from coreboot, fix the path for lbmk
-		for _cdl in dl dl_bkup; do
-			eval "$_cdl=\"\${$_cdl##*../}\"; _cdp=\"\$$_cdl\""
-			[ -f "$_cdp" ] || _cdp="$cbdir/$_cdp"
-			[ -f "$_cdp" ] && eval "$_cdl=\"$_cdp\""
-		done
-	fi
-
-	dlop="curl" && [ $# -gt 5 ] && dlop="$6"
-	download "$dl" "$dl_bkup" "$_dl" "$dlsum" "$dlop"
-
-	rm -Rf "${_dl}_extracted" || $err "!rm ${_ul}_extracted. $dontflash"
-	e "$_dest" f && return 0
-
-	mkdir -p "${_dest%/*}" || \
-	    $err "mkdirs: !mkdir -p ${_dest%/*} - $dontflash"
-	remkdir "$appdir"; extract_archive "$_dl" "$appdir" "$dl_type" || \
-	    [ "$dl_type" = "e6400vga" ] || \
-	    $err "mkd $_dest $dl_type: !extract. $dontflash"
+	dl_type="$1"
+	dl="$2"
+	dl_bkup="$3"
+	dlsum="$4"
+	_dest="${5##*../}"
+	_pre_dest="$XBMK_CACHE/tmpdl/check" || err "!fetch, mktemp, $*"
+	dlop="$6"
+	binsum="$7"
+
+	[ "$5" = "/dev/null" ] && return 0
+	_dl="$XBMK_CACHE/file/$dlsum" # internet file to extract from e.g. .exe
+	_dl_bin="$XBMK_CACHE/file/$binsum" # extracted file e.g. me.bin
+
+	# an extracted vendor file will be placed in pre_dest first, for
+	# verifying its checksum. if it matches, it is later moved to _dest
+	remkdir "${_pre_dest%/*}" "$appdir"
+
+	# HACK: if grabbing fsp from coreboot, fix the path for lbmk
+	[ "$dl_type" = "fsp" ] && for _cdl in dl dl_bkup; do
+		eval "$_cdl=\"\${$_cdl##*../}\"; _cdp=\"\$$_cdl\""
+		[ -f "$_cdp" ] || _cdp="$cbdir/$_cdp"
+		[ -f "$_cdp" ] && eval "$_cdl=\"$_cdp\""; :
+	done; :
+
+	# download the file (from the internet) to extract from
+	xbget "$dlop" "$dl" "$dl_bkup" "$_dl" "$dlsum"
+	x_ rm -Rf "${_dl}_extracted"
+
+	# skip extraction if a cached extracted file exists
+	( xbget copy "$_dl_bin" "$_dl_bin" "$_dest" "$binsum" 2>/dev/null ) || :
+	[ -f "$_dest" ] && return 0
+
+	x_ mkdir -p "${_dest%/*}"
+	[ "$dl_type" = "fsp" ] || extract_archive "$_dl" "$appdir" || \
+	    [ "$dl_type" = "e6400vga" ] || err "$_dest $dl_type: !extract"
+
+	x_ extract_$dl_type "$_dl" "$appdir"
+	set -u -e
+
+	# some functions don't output directly to the given file, _pre_dest.
+	# instead, they put multiple files there, but we need the one matching
+	# the given hashsum. So, search for a matching file via bruteforce:
+	( fx_ "eval mkdst \"$binsum\"" x_ find "${_pre_dest%/*}" -type f ) || :
+
+	bad_checksum "$binsum" "$_dest" || [ ! -f "$_dest" ] || return 0
+	[ -z "$binsum" ] && printf "'%s': checksum undefined\n" "$_dest" 1>&2
+	[ -L "$_dest" ] && printf "WARNING: '%s' is a link!\n" "$_dest" 1>&2
+	[ -L "$_dest" ] || x_ rm -f "$_dest"
+	err "Could not safely extract '$_dest', for board '$board'"
+}
 
-	eval "extract_$dl_type"; set -u -e
-	e "$_dest" f missing && $err "!extract_$dl_type. $dontflash"; :
+mkdst()
+{
+	bad_checksum "$1" "$2" && x_ rm -f "$2" && return 0
+	x_ mv "$2" "$_dl_bin"
+	x_ cp "$_dl_bin" "$_dest"
+	exit 1
 }
 
 extract_intel_me()
 {
-	e "$mecleaner" f not && $err "$cbdir: me_cleaner missing. $dontflash"
+	e "$mecleaner" f not && err "$cbdir: me_cleaner missing"
 
-	cdir="$PWD/$appdir"
-	_me="$PWD/$_dest"
-	_metmp="$PWD/tmp/me.bin"
+	_7ztest="$xbloc/metmp/a"
+	_metmp="$xbloc/me.bin"
+	x_ rm -f "$_metmp" "$xbloc/a"
 
 	mfs="" && [ "$ME11bootguard" = "y" ] && mfs="--whitelist MFS" && \
 	    chkvars ME11delta ME11version ME11sku ME11pch
 	[ "$ME11bootguard" = "y" ] && x_ ./mk -f deguard
 
-	x_ mkdir -p tmp
+	set +u +e
+	x_ rm -Rf "$xbmkpwd/metmp"
+	( fx_ find_me x_ find "$xbmkpwd/$appdir" -type f ) || :
+	[ "$ME11bootguard" != "y" ] && x_ mv "$_metmp" "$_pre_dest" && return 0
 
-	extract_intel_me_bruteforce
-	if [ "$ME11bootguard" = "y" ]; then
-		apply_me11_deguard_mod
-	else
-		mv "$_metmp" "$_me" || $err "!mv $_metmp $_me - $dontflash"
-	fi
+	(
+	x_ cd src/deguard/
+	x_ ./finalimage.py --delta "data/delta/$ME11delta" --version \
+	    "$ME11version" --pch "$ME11pch" --sku "$ME11sku" \
+	    --fake-fpfs data/fpfs/zero --input "$_metmp" --output "$_pre_dest"
+	) || err "Error running deguard for $_dest"; :
 }
 
-extract_intel_me_bruteforce()
+find_me()
 {
-	[ $# -gt 0 ] && cdir="$1"
+	[ -f "$_metmp" ] && exit 1
+	[ -L "$1" ] && return 0
 
-	e "$_metmp" f && return 0
+	_7ztest="${_7ztest}a" && _r="-r" && [ -n "$mfs" ] && _r=""
 
-	[ -z "$sdir" ] && sdir="$(mktemp -d)"
-	mkdir -p "$sdir" || \
-	    $err "extract_intel_me: !mkdir -p \"$sdir\" - $dontflash"
+	"$mecleaner" $mfs $_r -t -O "$xbloc/a" -M "$_metmp" "$1" || \
+	    "$mecleaner" $mfs $_r -t -O "$_metmp" "$1" || "$me7updateparser" \
+	    -O "$_metmp" "$1" || extract_archive "$1" "$_7ztest" || return 0
 
-	set +u +e
-	(
-	[ "${cdir#/a}" != "$cdir" ] && cdir="${cdir#/}"
-	cd "$cdir" || $err "extract_intel_me: !cd \"$cdir\" - $dontflash"
-	for i in *; do
-		[ -f "$_metmp" ] && break
-		[ -L "$i" ] && continue
-		if [ -f "$i" ]; then
-			_r="-r" && [ -n "$mfs" ] && _r=""
-			"$mecleaner" $mfs $_r -t -O "$sdir/vendorfile" \
-			    -M "$_metmp" "$i" && break
-			"$mecleaner" $mfs $_r -t -O "$_metmp" "$i" && break
-			"$me7updateparser" -O "$_metmp" "$i" && break
-			_7ztest="${_7ztest}a"
-			extract_archive "$i" "$_7ztest" || continue
-			extract_intel_me_bruteforce "$cdir/$_7ztest"
-		elif [ -d "$i" ]; then
-			extract_intel_me_bruteforce "$cdir/$i"
-		else
-			continue
-		fi
-		cdir="$1"; [ "${cdir#/a}" != "$cdir" ] && cdir="${cdir#/}"
-		cd "$cdir" || :
-	done
-	)
-	rm -Rf "$sdir" || $err "extract_intel_me: !rm -Rf $sdir - $dontflash"
-}
-
-apply_me11_deguard_mod()
-{
-	(
-	x_ cd src/deguard/
-	./finalimage.py --delta "data/delta/$ME11delta" \
-	    --version "$ME11version" \
-	    --pch "$ME11pch" --sku "$ME11sku" --fake-fpfs data/fpfs/zero \
-	    --input "$_metmp" --output "$_me" || \
-	    $err "Error running deguard for $_me - $dontflash"
-	) || $err "Error running deguard for $_me - $dontflash"
+	[ -f "$_metmp" ] && exit 1
+	( fx_ find_me x_ find "$_7ztest" -type f ) || exit 1; :
 }
 
 extract_archive()
 {
-	if [ $# -gt 2 ]; then
-		if [ "$3" = "fspm" ] || [ "$3" = "fsps" ]; then
-			decat_fspfd "$1" "$2"
-			return 0
-		fi
-	fi
-
 	innoextract "$1" -d "$2" || python "$pfs_extract" "$1" -e || 7z x \
 	    "$1" -o"$2" || unar "$1" -o "$2" || unzip "$1" -d "$2" || return 1
 
-	[ ! -d "${_dl}_extracted" ] || cp -R "${_dl}_extracted" "$2" || \
-	    $err "!mv '${_dl}_extracted' '$2' - $dontflash"; :
-}
-
-decat_fspfd()
-{
-	_fspfd="$1"
-	_fspdir="$2"
-	_fspsplit="$cbdir/3rdparty/fsp/Tools/SplitFspBin.py"
-
-	$python "$_fspsplit" split -f "$_fspfd" -o "$_fspdir" -n "Fsp.fd" || \
-	    $err "decat_fspfd '$1' '$2': Can't de-concatenate; $dontflash"; :
+	[ ! -d "${_dl}_extracted" ] || x_ cp -R "${_dl}_extracted" "$2"; :
 }
 
 extract_kbc1126ec()
 {
-	e "$kbc1126_ec_dump" f missing && \
-	    $err "$cbdir: kbc1126 util missing - $dontflash"
 	(
-	x_ cd "$appdir/"; mv Rompaq/68*.BIN ec.bin || :
-	if [ ! -f "ec.bin" ]; then
-		unar -D ROM.CAB Rom.bin || unar -D Rom.CAB Rom.bin || \
-		    unar -D 68*.CAB Rom.bin || \
-		    $err "can't extract Rom.bin - $dontflash"
-		x_ mv Rom.bin ec.bin
-	fi
-	[ -f ec.bin ] || \
-	    $err "extract_kbc1126_ec $board: can't extract - $dontflash"
-	"$kbc1126_ec_dump" ec.bin || \
-	    $err "!1126ec $board extract ecfw - $dontflash"
-	) || $err "can't extract kbc1126 ec firmware - $dontflash"
-
-	e "$appdir/ec.bin.fw1" f not && \
-	    $err "$board: kbc1126ec fetch failed - $dontflash"
-	e "$appdir/ec.bin.fw2" f not && \
-	    $err "$board: kbc1126ec fetch failed - $dontflash"
-
-	cp "$appdir/"ec.bin.fw* "${_dest%/*}/" || \
-	    $err "!cp 1126ec $_dest - $dontflash"; :
+	x_ cd "$appdir/"
+	mv Rompaq/68*.BIN ec.bin || unar -D ROM.CAB Rom.bin || unar -D \
+	    Rom.CAB Rom.bin || unar -D 68*.CAB Rom.bin || err "!kbc1126 unar"
+	[ -f "ec.bin" ] || x_ mv Rom.bin ec.bin
+	x_ e ec.bin f && x_ "$kbc1126_ec_dump" ec.bin
+	) || err "$board: can't extract kbc1126 ec firmware"
+
+	x_ e "$appdir/ec.bin.fw1" f && x_ e "$appdir/ec.bin.fw2" f
+	x_ cp "$appdir/"ec.bin.fw* "${_pre_dest%/*}/"
 }
 
 extract_e6400vga()
@@ -267,12 +210,10 @@ extract_e6400vga()
 	tail -c +$E6400_VGA_offset "$_dl" | gunzip > "$appdir/bios.bin" || :
 	(
 	x_ cd "$appdir"
-	[ -f "bios.bin" ] || \
-	    $err "extract_e6400vga: can't extract bios.bin - $dontflash"
+	x_ e "bios.bin" f
 	"$e6400_unpack" bios.bin || printf "TODO: fix dell extract util\n"
-	) || $err "can't extract e6400 vga rom - $dontflosh"
-	cp "$appdir/$E6400_VGA_romname" "$_dest" || \
-	    $err "extract_e6400vga $board: can't cp $_dest - $dontflash"; :
+	) || err "can't extract e6400 vga rom"
+	x_ cp "$appdir/$E6400_VGA_romname" "$_pre_dest"
 }
 
 extract_sch5545ec()
@@ -284,391 +225,178 @@ extract_sch5545ec()
 	_sch5545ec_fw="$_sch5545ec_fw/54 D386BEB8-4B54-4E69-94F5-06091F67E0D3"
 	_sch5545ec_fw="$_sch5545ec_fw/0 Raw section/body.bin" # <-- this!
 
-	"$uefiextract" "$_bios" || $err "sch5545 !extract - $dontflash"
-	cp "$_sch5545ec_fw" "$_dest" || \
-	    $err "$_dest: !sch5545 copy - $dontflash"; :
+	x_ "$uefiextract" "$_bios"
+	x_ cp "$_sch5545ec_fw" "$_pre_dest"
 }
 
 # Lenovo ThunderBolt firmware updates:
 # https://pcsupport.lenovo.com/us/en/products/laptops-and-netbooks/thinkpad-t-series-laptops/thinkpad-t480-type-20l5-20l6/20l5/solutions/ht508988
 extract_tbfw()
 {
-	chkvars TBFW_size # size in bytes, matching TBFW's flash IC
-	x_ mkdir -p tmp
-	x_ rm -f tmp/tb.bin
-	find "$appdir" -type f -name "TBT.bin" > "tmp/tb.txt" || \
-	    $err "extract_tbfw $_dest: Can't extract TBT.bin - $dontflash"
-	while read -r f; do
-		[ -f "$f" ] || continue
-		[ -L "$f" ] && continue
-		cp "$f" "tmp/tb.bin" || \
-		    $err "extract_tbfw $_dest: Can't copy TBT.bin - $dontflash"
-		break
-	done < "tmp/tb.txt"
-	dd if=/dev/null of=tmp/tb.bin bs=1 seek=$TBFW_size || \
-	    $err "extract_tbfw $_dest: Can't pad TBT.bin - $dontflash"
-	cp "tmp/tb.bin" "$_dest" || \
-	    $err "extract_tbfw $_dest: copy error - $dontflash "; :
+	chkvars TBFW_size
+	fx_ copytb x_ find "$appdir" -type f -name "TBT.bin"
 }
 
-extract_fspm()
+copytb()
 {
-	copy_fsp M; :
+	[ -f "$1" ] && [ ! -L "$1" ] && x_ dd if=/dev/null of="$1" bs=1 \
+	    seek=$TBFW_size && x_ mv "$1" "$_pre_dest" && return 1; :
 }
 
-extract_fsps()
+extract_fsp()
 {
-	copy_fsp S; :
+	x_ python "$cbdir/3rdparty/fsp/Tools/SplitFspBin.py" split -f "$1" \
+	    -o "${_pre_dest%/*}" -n "Fsp.fd"
 }
 
-# this copies the fsp s/m; re-base is handled by ./mk inject
-copy_fsp()
+setvfile()
 {
-	cp "$appdir/Fsp_$1.fd" "$_dest" || \
-	    $err "copy_fsp: Can't copy $1 to $_dest - $dontflash"; :
+	[ -n "$vcfg" ] && for c in $cvchk; do
+		vcmd="[ \"\${$c}\" != \"/dev/null\" ] && [ -n \"\${$c}\" ]"
+		eval "$vcmd && getvfile \"\$@\" && return 0"
+	done && return 1; :
 }
 
-fail_inject()
+getvfile()
 {
-	[ -L "$tmpromdel" ] || [ ! -d "$tmpromdel" ] || \
-	    rm -Rf "$tmpromdel" || :
-	printf "\n\n%s\n\n" "$dontflash" 1>&2
-	printf "WARNING: File '%s' was NOT modified.\n\n" "$archive" 1>&2
-	printf "Please MAKE SURE vendor files are inserted before flashing\n\n"
-	fail "$1"
+	eval "`setcfg "config/vendor/$vcfg/pkg.cfg" 1`"
+	bootstrap && [ $# -gt 0 ] && getfiles && return 0 # download
+	fx_ prep x_ find "$tmpromdir" -maxdepth 1 -type f -name "*.rom"
+	( check_vendor_hashes ) || err "$archive: Can't verify hashes"; :
 }
 
-vendor_inject()
-{
-	_olderr="$err"
-	err="fail_inject"
-	remkdir "$tmpromdel"
-
-	set +u +e; [ $# -lt 1 ] && $err "No options specified. - $dontflash"
-	eval "`setvars "" nukemode new_mac xchanged`"
-
-	archive="$1";
-	[ $# -gt 1 ] && case "$2" in
-	nuke) nukemode="nuke" ;;
-	setmac)
-		new_mac="??:??:??:??:??:??"
-		[ $# -gt 2 ] && new_mac="$3" ;;
-	*) $err "Unrecognised inject mode: '$2'"
-	esac
-
-	check_release "$archive" || \
-	    $err "You must run this script on a release archive. - $dontflash"
-	if readcfg; then
-		[ "$nukemode" = "nuke" ] || x_ ./mk download "$board"
-		patch_release_roms
-	else
-		printf "Tarball '%s' (board '%s) doesn't need vendorfiles.\n" \
-		    "$archive" "$board"
-		err="$_olderr"
-		return 0
-	fi
-
-	xtype="patched" && [ "$nukemode" = "nuke" ] && xtype="nuked"
-	[ "$xchanged" = "y" ] || \
-		printf "\nRelease archive '%s' was not modified.\n" "$archive"
-	[ "$xchanged" = "y" ] && \
-		printf "\nRelease archive '%s' successfully %s.\n" \
-		    "$archive" "$xtype"
-	[ "$xchanged" = "y" ] && [ "$nukemode" = "nuke" ] && \
-		printf "!!!WARNING!!! -> Vendor files removed. DO NOT FLASH.\n"
-	err="$_olderr"
-	return 0
-}
-
-check_release()
-{
-	[ -L "$archive" ] && \
-	    $err "'$archive' is a symlink, not a file - $dontflash"
-	[ -f "$archive" ] || return 1
-	archivename="`basename "$archive"`"
-	[ -z "$archivename" ] && \
-	    $err "Cannot determine archive file name - $dontflash"
-
-	case "$archivename" in
-	*_src.tar.xz)
-		$err "'$archive' is a src archive, silly!" ;;
-	grub_*|seagrub_*|custom_*|seauboot_*|seabios_withgrub_*)
-		return 1 ;;
-	*.tar.xz) _stripped_prefix="${archivename#*_}"
-		board="${_stripped_prefix%.tar.xz}" ;;
-	*) $err "'$archive': could not detect board type - $dontflash"
-	esac; :
-}
-
-readcfg()
+bootstrap()
 {
-	if [ "$board" = "serprog_rp2040" ] || \
-	    [ "$board" = "serprog_stm32" ] || \
-	    [ "$board" = "serprog_pico" ]; then
-		return 1
-	fi; boarddir="$cbcfgsdir/$board"
-	eval "`setcfg "$boarddir/target.cfg"`"
-	[ -z "$vcfg" ] && return 1
-	chkvars tree
-
 	cbdir="src/coreboot/$tree"
-	cbfstool="elf/cbfstool/$tree/cbfstool"
-	rmodtool="elf/cbfstool/$tree/rmodtool"
-	mecleaner="$PWD/$cbdir/util/me_cleaner/me_cleaner.py"
-	kbc1126_ec_dump="$PWD/$cbdir/util/kbc1126/kbc1126_ec_dump"
-	cbfstool="elf/cbfstool/$tree/cbfstool"
-	ifdtool="elf/ifdtool/$tree/ifdtool"
-	[ -n "$IFD_platform" ] && ifdprefix="-p $IFD_platform"
-
-	x_ ./mk -d coreboot "$tree"
-}
-
-patch_release_roms()
-{
-	has_hashes="n"
-
-	tmpromdir="tmp/DO_NOT_FLASH/bin/$board"
-	remkdir "${tmpromdir%"/bin/$board"}"
-	tar -xf "$archive" -C "${tmpromdir%"/bin/$board"}" || \
-		$err "Can't extract '$archive'"
-
-	for _hashes in $hashfiles; do
-		[ -L "$tmpromdir/$_hashes" ] && \
-		    $err "'$archive' -> the hashfile is a symlink. $dontflash"
-		[ -f "$tmpromdir/$_hashes" ] && has_hashes="y" && \
-		    hashfile="$_hashes" && break; :
-	done
-
-	x_ mkdir -p "tmp"; [ -L "tmp/rom.list" ] && \
-	    $err "'$archive' -> tmp/rom.list is a symlink - $dontflash"
-	x_ rm -f "tmp/rom.list" "tmp/zero.1b"
-	x_ dd if=/dev/zero of=tmp/zero.1b bs=1 count=1
-
-	find "$tmpromdir" -maxdepth 1 -type f -name "*.rom" > "tmp/rom.list" \
-	    || $err "'$archive' -> Can't make tmp/rom.list - $dontflash"
-
-	if readkconfig; then
-		while read -r _xrom ; do
-			process_release_rom "$_xrom" || break
-		done < "tmp/rom.list"
-		rm -f "$tmpromdir/README.md" || :
-		[ "$nukemode" != "nuke" ] || \
-		    printf "Make sure you inserted vendor files: %s\n" \
-		    "$vguide" > "$tmpromdir/README.md" || :
-	else
-		printf "Skipping vendorfiles on '%s'\n" "$archive" 1>&2
-	fi
-
-	(
-	cd "$tmpromdir" || $err "patch '$archive': can't cd $tmpromdir"
-	# NOTE: For compatibility with older rom releases, defer to sha1
-	if [ "$has_hashes" = "y" ] && [ "$nukemode" != "nuke" ]; then
-		sha512sum --status -c "$hashfile" || \
-		    sha1sum --status -c "$hashfile" || \
-		    $err "'$archive' -> Can't verify vendor hashes. $dontflash"
-		rm -f "$hashfile" || \
-		    $err "$archive: Can't rm hashfile. $dontflash"
-	fi
-	) || $err "'$archive' -> Can't verify vendor hashes. $dontflash"
-
-	if [ -n "$new_mac" ]; then
-		if ! modify_mac_addresses; then
-			printf "\nNo GbE region defined for '%s'\n" "$board" \
-			    1>&2
-			printf "Therefore, changing the MAC is impossible.\n" \
-			    1>&2
-			printf "This board probably lacks Intel ethernet.\n" \
-			    1>&2
-		fi
-	fi
+	mecleaner="$xbmkpwd/$cbdir/util/me_cleaner/me_cleaner.py"
+	kbc1126_ec_dump="$xbmkpwd/$cbdir/util/kbc1126/kbc1126_ec_dump"
+	cbfstool="elf/coreboot/$tree/cbfstool"
+	rmodtool="elf/coreboot/$tree/rmodtool"
 
-	[ "$xchanged" = "y" ] || rm -Rf "$tmpromdel" || :
-	[ "$xchanged" = "y" ] || return 0
-	(
-		cd "${tmpromdir%"/bin/$board"}" || \
-		    $err "Can't cd '${tmpromdir%"/bin/$board"}'; $dontflash"
-		# ../../ is the root of lbmk
-		mkrom_tarball "bin/$board"
-	) || $err "Cannot re-generate '$archive' - $dontflash"
-
-	mv "${tmpromdir%"/bin/$board"}/bin/${relname}_${board}.tar.xz" \
-	    "$archive" || \
-	    $err "'$archive' -> Cannot overwrite - $dontflash"; :
+	x_ ./mk -f coreboot "${cbdir##*/}"
+	fx_ "x_ ./mk -b" printf "uefitool\nbiosutilities\nbios_extract\n"
+	[ -d "${kbc1126_ec_dump%/*}" ] && x_ make -C "$cbdir/util/kbc1126"
+	[ -n "$MRC_refcode_cbtree" ] && \
+	    cbfstoolref="elf/coreboot/$MRC_refcode_cbtree/cbfstool" && \
+	    x_ ./mk -d coreboot "$MRC_refcode_cbtree"; :
 }
 
-process_release_rom()
+prep()
 {
-	_xrom="$1"; _xromname="${1##*/}"
-	[ -L "$_xrom" ] && \
-	    $err "$archive -> '${_xrom#"tmp/DO_NOT_FLASH/"}' is a symlink"
-	[ -f "$_xrom" ] || return 0
+	_xrom="$1"
+	_xromname="${1##*/}"
+	_xromnew="${_xrom%/*}/${_xromname#"$vfix"}"
+	[ "$nuke" = "nuke" ] && _xromnew="${_xrom%/*}/$vfix${_xrom##*/}"
+
+	e "$_xrom" f missing && return 0
+	[ -z "${_xromname#"$vfix"}" ] && err "$_xromname / $vfix: name match"
 
-	[ -z "${_xromname#"$vfix"}" ] && \
-	    $err "'$_xromname'->'"${_xromname#"$vfix"}"' empty. $dontflash"
 	# Remove the prefix and 1-byte pad
-	if [ "$nukemode" != "nuke" ] && \
+	if [ "$nuke" != "nuke" ] && \
 	    [ "${_xromname#"$vfix"}" != "$_xromname" ]; then
-		_xromnew="${_xrom%/*}/${_xromname#"$vfix"}"
-
-		# Remove the 1-byte padding
-		stat -c '%s' "$_xrom" > "tmp/rom.size" || \
-		    $err "$_xrom: Can't get rom size. $dontflash"
-		read -r xromsize < "tmp/rom.size" || \
-		    $err "$_xrom: Can't read rom size. $dontflash"
-
-		expr "X$xromsize" : "X-\{0,1\}[0123456789][0123456789]*$" \
-		    1>/dev/null 2>/dev/null || $err "$_xrom size non-integer"
-		[ $xromsize -lt 2 ] && $err \
-		    "$_xrom: Will not create empty file. $dontflash"
-
-		# TODO: check whether the size would be a multiple of 64KB
-		# the smallest rom images we do are 512kb	
-		xromsize="`expr $xromsize - 1`"
-		[ $xromsize -lt 524288 ] && \
-		    $err "$_xrom size too small; likely not a rom. $dontflash"
+		xromsize="$(expr $(stat -c '%s' "$_xrom") - 1)" || err "!int"
+		[ $xromsize -lt 524288 ] && err "too small, $xromsize: $_xrom"
 
-		dd if="$_xrom" of="$_xromnew" bs=$xromsize count=1 || \
-		    $err "$_xrom: Can't resize. $dontflash"
-		rm -f "$_xrom" || $err "Can't rm $_xrom - $dontflash"
+		x_ dd if="$_xrom" of="$_xromnew" bs=$xromsize count=1
+		x_ rm -f "$_xrom"
 
 		_xrom="$_xromnew"
 	fi
 
-	[ "$nukemode" = "nuke" ] && \
-		mksha512sum "$_xrom" "vendorhashes"
+	[ "$nuke" != "nuke" ] || ( mksha512 "$_xrom" "vendorhashes" ) || err
 
-	patch_rom "$_xrom" || return 1 # if break return, can still change MAC
-	[ "$nukemode" != "nuke" ] && return 0
+	add_vfiles "$_xrom" || return 1 # if break return, can still change MAC
+	[ "$nuke" != "nuke" ] && return 0
 
 	# Rename the file, prefixing a warning saying not to flash
-	# the target image, which now has vendor files removed. Also
-	# pad it so that flashprog returns an error if the user tries
-	# to flash it, due to mismatching ROM size vs chip size
-	cat "$_xrom" tmp/zero.1b > "${_xrom%/*}/$vfix${_xrom##*/}" || \
-	    $err "'$archive' -> can't pad/rename '$_xrom'. $dontflash"
-	rm -f "$_xrom" || $err "'$archive' -> can't rm '$_xrom'. $dontflash"
+	cat "$_xrom" config/data/coreboot/0 > "$_xromnew" || err "!pad $_xrom"
+	x_ rm -f "$_xrom"
 }
 
-patch_rom()
+mksha512()
+{
+	[ "${1%/*}" != "$1" ] && x_ cd "${1%/*}"
+	sha512sum ./"${1##*/}" >> "$2" || err "!sha512sum \"$1\" > \"$2\""
+}
+
+add_vfiles()
 {
 	rom="$1"
 
-	if [ "$has_hashes" != "y" ] && [ "$nukemode" != "nuke" ]; then
-		printf "inject: '%s' has no hash file. Skipping.\n" \
-		    "$archive" 1>&2
+	if [ "$has_hashes" != "y" ] && [ "$nuke" != "nuke" ]; then
+		printf "'%s' has no hash file. Skipping.\n" "$archive" 1>&2
+		return 1
+	elif [ "$has_hashes" = "y" ] && [ "$nuke" = "nuke" ]; then
+		printf "'%s' has a hash file. Skipping nuke.\n" "$archive" 1>&2
 		return 1
 	fi
 
-	[ -n "$CONFIG_HAVE_REFCODE_BLOB" ] && inject "fallback/refcode" \
+	[ -n "$CONFIG_HAVE_REFCODE_BLOB" ] && vfile "fallback/refcode" \
 	    "$CONFIG_REFCODE_BLOB_FILE" "stage"
-	[ "$CONFIG_HAVE_MRC" = "y" ] && inject "mrc.bin" "$CONFIG_MRC_FILE" \
+	[ "$CONFIG_HAVE_MRC" = "y" ] && vfile "mrc.bin" "$CONFIG_MRC_FILE" \
 	    "mrc" "0xfffa0000"
-	[ "$CONFIG_HAVE_ME_BIN" = "y" ] && inject IFD "$CONFIG_ME_BIN_PATH" me
-	[ "$CONFIG_KBC1126_FIRMWARE" = "y" ] && inject ecfw1.bin \
-	    "$CONFIG_KBC1126_FW1" raw "$CONFIG_KBC1126_FW1_OFFSET" && inject \
-	    ecfw2.bin "$CONFIG_KBC1126_FW2" raw "$CONFIG_KBC1126_FW2_OFFSET"
+	[ "$CONFIG_HAVE_ME_BIN" = "y" ] && vfile IFD "$CONFIG_ME_BIN_PATH" me
+	[ -n "$CONFIG_KBC1126_FW1" ] && vfile ecfw1.bin \
+	    "$CONFIG_KBC1126_FW1" raw "$CONFIG_KBC1126_FW1_OFFSET"
+	[ -n "$CONFIG_KBC1126_FW2" ] && vfile ecfw2.bin \
+	    "$CONFIG_KBC1126_FW2" raw "$CONFIG_KBC1126_FW2_OFFSET"
 	[ -n "$CONFIG_VGA_BIOS_FILE" ] && [ -n "$CONFIG_VGA_BIOS_ID" ] && \
-	  inject "pci$CONFIG_VGA_BIOS_ID.rom" "$CONFIG_VGA_BIOS_FILE" optionrom
+	  vfile "pci$CONFIG_VGA_BIOS_ID.rom" "$CONFIG_VGA_BIOS_FILE" optionrom
 	[ "$CONFIG_INCLUDE_SMSC_SCH5545_EC_FW" = "y" ] && \
 	    [ -n "$CONFIG_SMSC_SCH5545_EC_FW_FILE" ] && \
-		inject sch5545_ecfw.bin "$CONFIG_SMSC_SCH5545_EC_FW_FILE" raw
-	#
-	# coreboot adds FSP-M first. so we shall add it first, then S:
-	# NOTE:
-	# We skip the fetch if CONFIG_FSP_USE_REPO or CONFIG_FSP_FULL_FD is set
-	# but only for inject/nuke. we still run fetch (see above) because on
-	# _fsp targets, coreboot still needs them, but coreboot Kconfig uses
-	# makefile syntax and puts $(obj) in the path, which makes no sense
-	# in sh. So we modify the path there, but lbmk only uses the file
-	# in vendorfiles/ if neither CONFIG_FSP_USE_REPO nor CONFIG_FSP_FULL_FD
-	# are set
-	#
+		vfile sch5545_ecfw.bin "$CONFIG_SMSC_SCH5545_EC_FW_FILE" raw
 	[ -z "$CONFIG_FSP_USE_REPO" ] && [ -z "$CONFIG_FSP_FULL_FD" ] && \
 	   [ -n "$CONFIG_FSP_M_FILE" ] && \
-		inject "$CONFIG_FSP_M_CBFS" "$CONFIG_FSP_M_FILE" fsp --xip
+		vfile "$CONFIG_FSP_M_CBFS" "$CONFIG_FSP_M_FILE" fsp --xip
 	[ -z "$CONFIG_FSP_USE_REPO" ] && [ -z "$CONFIG_FSP_FULL_FD" ] && \
 	   [ -n "$CONFIG_FSP_S_FILE" ] && \
-		inject "$CONFIG_FSP_S_CBFS" "$CONFIG_FSP_S_FILE" fsp
-	# TODO: modify gbe *after checksum verification only*
-	# TODO: insert default gbe if doing -n nuke
+		vfile "$CONFIG_FSP_S_CBFS" "$CONFIG_FSP_S_FILE" fsp
 
 	printf "ROM image successfully patched: %s\n" "$rom"
 	xchanged="y"
 }
 
-inject()
+vfile()
 {
-	[ $# -lt 3 ] && $err "$*, $rom: usage: inject name path type (offset)"
 	[ "$2" = "/dev/null" ] && return 0
 
-	eval "`setvars "" cbfsname _dest _t _offset`"
-	cbfsname="$1"; _dest="${2##*../}"; _t="$3"
+	cbfsname="$1"
+	_dest="${2##*../}"
+	_t="$3"
 
-	if [ "$_t" = "fsp" ]; then
-		[ $# -gt 3 ] && _offset="$4"
-	else
-		[ $# -gt 3 ] && _offset="-b $4" && [ -z "$4" ] && \
-		    $err "inject $*, $rom: offset given but empty (undefined)"
+	_offset=""
+
+	if [ "$_t" = "fsp" ] && [ $# -gt 3 ]; then
+		_offset="$4"
+	elif [ $# -gt 3 ] && _offset="-b $4" && [ -z "$4" ]; then
+		err "vfile $*, $rom: offset given but empty (undefined)"
 	fi
 
-	e "$_dest" f n && [ "$nukemode" != "nuke" ] && $err "!inject $dl_type"
+	[ "$nuke" = "nuke" ] || x_ e "$_dest" f
 
 	if [ "$cbfsname" = "IFD" ]; then
-		[ "$nukemode" = "nuke" ] || "$ifdtool" $ifdprefix -i \
-		    $_t:$_dest "$rom" -O "$rom" || \
-		    $err "failed: inject '$_t' '$_dest' on '$rom'"
-		[ "$nukemode" != "nuke" ] || "$ifdtool" $ifdprefix --nuke $_t \
-		    "$rom" -O "$rom" || $err "$rom: !nuke IFD/$_t"
-		xchanged="y"
-		return 0
-	elif [ "$nukemode" = "nuke" ]; then
-		"$cbfstool" "$rom" remove -n "$cbfsname" || \
-		    $err "inject $rom: can't remove $cbfsname"
-		xchanged="y"
-		return 0
-	fi
-	if [ "$_t" = "stage" ]; then # the only stage we handle is refcode
-		x_ mkdir -p tmp; x_ rm -f "tmp/refcode"
-		"$rmodtool" -i "$_dest" -o "tmp/refcode" || "!reloc refcode"
-		"$cbfstool" "$rom" add-stage -f "tmp/refcode" -n "$cbfsname" \
-		    -t stage || $err "$rom: !add ref"
+		[ "$nuke" = "nuke" ] || x_ "$ifdtool" $ifdprefix -i \
+		    $_t:$_dest "$rom" -O "$rom"
+		[ "$nuke" != "nuke" ] || x_ "$ifdtool" $ifdprefix --nuke \
+		    $_t "$rom" -O "$rom"
+	elif [ "$nuke" = "nuke" ]; then
+		x_ "$cbfstool" "$rom" remove -n "$cbfsname"
+	elif [ "$_t" = "stage" ]; then # the only stage we handle is refcode
+		x_ rm -f "$xbloc/refcode"
+		x_ "$rmodtool" -i "$_dest" -o "$xbloc/refcode"
+		x_ "$cbfstool" "$rom" add-stage -f "$xbloc/refcode" \
+		    -n "$cbfsname" -t stage
 	else
-		"$cbfstool" "$rom" add -f "$_dest" -n "$cbfsname" \
-		    -t $_t $_offset || $err "$rom !add $_t ($_dest)"
-	fi; xchanged="y"; :
+		x_ "$cbfstool" "$rom" add -f "$_dest" -n "$cbfsname" \
+		    -t $_t $_offset
+	fi
+	xchanged="y"; :
 }
 
-modify_mac_addresses()
+check_vendor_hashes()
 {
-	[ "$nukemode" = "nuke" ] && \
-	    $err "Cannot modify MAC addresses while nuking vendor files"
-
-	# chkvars CONFIG_GBE_BIN_PATH
-	[ -n "$CONFIG_GBE_BIN_PATH" ] || return 1
-	e "${CONFIG_GBE_BIN_PATH##*../}" f n && $err "missing gbe file"
-
-	x_ make -C util/nvmutil
-	x_ mkdir -p tmp
-	[ -L "tmp/gbe" ] && $err "tmp/gbe exists but is a symlink"
-	[ -d "tmp/gbe" ] && $err "tmp/gbe exists but is a directory"
-	if [ -e "tmp/gbe" ]; then
-		[ -f "tmp/gbe" ] || $err "tmp/gbe exists and is not a file"
-	fi
-	x_ cp "${CONFIG_GBE_BIN_PATH##*../}" "tmp/gbe"
-
-	x_ "util/nvmutil/nvm" "tmp/gbe" setmac "$new_mac"
-
-	find "$tmpromdir" -maxdepth 1 -type f -name "*.rom" > "tmp/rom.list" \
-	    || $err "'$archive' -> Can't make tmp/rom.list - $dontflash"
-
-	while read -r _xrom; do
-		[ -L "$_xrom" ] && continue
-		[ -f "$_xrom" ] || continue
-		"$ifdtool" $ifdprefix -i GbE:"tmp/gbe" "$_xrom" -O \
-		    "$_xrom" || $err "'$_xrom': Can't insert new GbE file"
-		xchanged="y"
-	done < "tmp/rom.list"
-	printf "\nThe following GbE NVM words were written in '%s':\n" \
-	    "$archive"
-	x_ util/nvmutil/nvm tmp/gbe dump
+	x_ cd "$tmpromdir"
+	[ "$has_hashes" = "n" ] || [ "$nuke" = "nuke" ] || sha512sum \
+	    --status -c "$hashfile" || x_ sha1sum --status -c "$hashfile"
+	x_ rm -f "$hashfile"
 }