summaryrefslogtreecommitdiff
path: root/util/e6400-flash-unlock
diff options
context:
space:
mode:
Diffstat (limited to 'util/e6400-flash-unlock')
-rw-r--r--util/e6400-flash-unlock/COPYING19
-rw-r--r--util/e6400-flash-unlock/Makefile28
-rw-r--r--util/e6400-flash-unlock/README.md71
-rw-r--r--util/e6400-flash-unlock/e6400_flash_unlock.c169
4 files changed, 287 insertions, 0 deletions
diff --git a/util/e6400-flash-unlock/COPYING b/util/e6400-flash-unlock/COPYING
new file mode 100644
index 00000000..bf82341a
--- /dev/null
+++ b/util/e6400-flash-unlock/COPYING
@@ -0,0 +1,19 @@
+Copyright (c) 2023 Nicholas Chin
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/util/e6400-flash-unlock/Makefile b/util/e6400-flash-unlock/Makefile
new file mode 100644
index 00000000..7d350932
--- /dev/null
+++ b/util/e6400-flash-unlock/Makefile
@@ -0,0 +1,28 @@
+# Copyright (c) 2023 Nicholas Chin
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+CC=cc
+CFLAGS=-Wall -Wextra -Werror -O2 -pedantic
+
+all: e6400_flash_unlock.c
+ $(CC) $(CFLAGS) e6400_flash_unlock.c -o e6400_flash_unlock
+
+clean:
+ rm -f e6400_flash_unlock
diff --git a/util/e6400-flash-unlock/README.md b/util/e6400-flash-unlock/README.md
new file mode 100644
index 00000000..410a807a
--- /dev/null
+++ b/util/e6400-flash-unlock/README.md
@@ -0,0 +1,71 @@
+# Dell Latitude E6400 Internal Flashing
+
+This utility allows you to use flashrom's internal programmer to program the
+entire BIOS flash chip from software while still running the original Dell
+BIOS, which normally restricts software writes to the flash chip.
+
+## TL;DR
+Run `make` to compile the utility, and then run `sudo ./e6400_flash_unlock` and
+follow the directions it outputs.
+
+## How it works
+There are several ways the firmware can protect itself from being overwritten.
+One way is the Intel Flash Descriptor (IFD) permissions. On Intel systems, the
+flash image is divided into several regions such as the IFD itself, Gigabit
+Ethernet (GBE) non-volative memory, Management Engine (ME) firmware, Platform
+Data (PD), and the BIOS. The IFD contains a section which specifies the
+read/write permissions for each SPI controller (such as the host system) and
+each region of the flash, which are enforced by the chipset.
+
+On the Latitude E6400, the host has read-only access to the IFD, no access to
+the ME region, and read-write access to the PD, GBE, and BIOS regions. In order
+for flashrom to write to the entire flash internally, the host needs full
+permissions to all of these regions. Since the IFD is read only, we cannot
+change these permissions unless we directly access the chip using an external
+programmer, which defeats the purpose of internal flashing.
+
+However, Intel chipsets have a pin strap that allows the flash descriptor
+permissions to be overridden depending on the value of the pin at power on,
+granting RW permissions to all regions. On the ICH9M chipset on the E6400, this
+pin is HDA\_DOCK\_EN/GPIO33, which will enable the override if it is sampled
+low. This pin happens to be connected to a GPIO controlled by the Embedded
+Controller (EC), a small microcontroller on the board which handles things like
+the keyboard, touchpad, LEDs, and other system level tasks. Software can send a
+certain command to the EC, which tells it to pull GPIO33 low on the next boot.
+
+Although we now have full access according to the IFD permissions, we still
+cannot flash the whole chip, due to another protection the firmware uses.
+Before software can update the BIOS, it must change the BIOS Write Enable
+(BIOSWE) bit in the chipset from 0 to 1. However, if the BIOS Lock Enable (BLE)
+bit is also set to 1, then changing the BIOSWE bit triggers a System Management
+Interrupt (SMI). This causes the processor to enter System Management Mode
+(SMM), a highly privileged x86 execution state which operates transparently to
+the operating system. The code that SMM runs is provided by the BIOS, which
+checks the BIOSWE bit and sets it back to 0 before returning control to the OS.
+This feature is intended to only allow SMM code to update the system firmware.
+As the switch to SMM suspends the execution of the OS, it appears to the OS
+that the BIOSWE bit was never set to 1. Unfortunately, the BLE bit cannot be
+set back to 0 once it is set to 1, so this functionality cannot be disabled
+after it is first enabled by the BIOS.
+
+Older versions of the E6400 BIOS did not set the BLE bit, allowing flashrom to
+flash the entire flash chip internally after only setting the descriptor
+override. However, more recent versions do set it, so we may have hit a dead
+end unless we force downgrade to an older version (though there is a more
+convenient method, as we are about to see).
+
+What if there was a way to sidestep the BIOS Lock entirely? As it turns out,
+there is, and it's called the Global SMI Enable (GBL\_SMI\_EN) bit. If it's set
+to 1, then the chipset will generate SMIs, such as when we change BIOSWE with
+BLE set. If it's 0, then no SMI will be generated, even with the BLE bit set.
+On the E6400, GBL\_SMI\_EN is set to 1, and it can be changed back to 0, unlike
+the BLE bit. But there still might be one bit in the way, the SMI\_LOCK bit,
+which prevents modifications to GBL\_SMI\_EN when SMI\_LOCK is 1. Like the BLE
+bit, it cannot be changed back to 0 once it set to 1. But we are in luck, as
+the vendor E6400 BIOS leaves SMI\_LOCK unset at 0, allowing us to clear
+GBL\_SMI\_EN and disable SMIs, bypassing the BIOS Lock protections.
+
+There are other possible protection mechanisms that the firmware can utilize,
+such as Protected Range Register settings, which apply access permissions to
+address ranges of the flash, similar to the IFD. However, the E6400 vendor
+firmware does not utilize these, so they will not be discussed.
diff --git a/util/e6400-flash-unlock/e6400_flash_unlock.c b/util/e6400-flash-unlock/e6400_flash_unlock.c
new file mode 100644
index 00000000..88ba2e98
--- /dev/null
+++ b/util/e6400-flash-unlock/e6400_flash_unlock.c
@@ -0,0 +1,169 @@
+/*
+ * Copyright (c) 2023 Nicholas Chin
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to
+ * deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+ * sell copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+ * IN THE SOFTWARE.
+ */
+
+#include <sys/io.h>
+#include <sys/mman.h>
+
+#include <err.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+enum
+EC_FDO_CMD {
+ QUERY = 0,
+ SET_OVERRIDE = 2,
+ UNSET_OVERRIDE = 3
+};
+
+int get_fdo_status(void);
+uint8_t ec_fdo_command(enum EC_FDO_CMD arg);
+void write_ec_reg(uint8_t index, uint8_t data);
+void send_ec_cmd(uint8_t cmd);
+void wait_ec(void);
+int get_gbl_smi_en(void);
+int set_gbl_smi_en(int enable);
+/* uint8_t read_ec_reg(uint8_t index); */
+
+#define EC_INDEX 0x910
+#define EC_DATA 0x911
+#define PMBASE 0x1000
+#define SMI_EN_REG (PMBASE + 0x30)
+
+/* Assume this is the same on all vendor BIOS versions */
+#define RCBA 0xfed18000
+
+#define RCBA_MMIO_LEN 0x4000
+#define SPIBAR 0x3800
+#define HSFS_REG 0x04
+
+volatile uint8_t *rcba_mmio;
+
+int
+main(int argc, char *argv[])
+{
+ int devmemfd;
+ (void)argc;
+ (void)argv;
+
+ if ((ioperm(EC_INDEX, 2, 1) == -1) || (ioperm(SMI_EN_REG, 4, 1) == -1))
+ err(errno, "Could not access IO ports");
+ if ((devmemfd = open("/dev/mem", O_RDONLY)) == -1)
+ err(errno, "/dev/mem");
+
+ /* FDO pin-strap status bit is in RCBA mmio space */
+ rcba_mmio = mmap(0, RCBA_MMIO_LEN, PROT_READ, MAP_SHARED, devmemfd,
+ RCBA);
+ if (rcba_mmio == MAP_FAILED)
+ err(errno, "Could not map RCBA");
+
+ if (get_fdo_status() == 1) {
+ ec_fdo_command(SET_OVERRIDE);
+ printf("Flash Descriptor Override enabled. Shut down now. The "
+ "EC will auto-boot the system and set the override.\n"
+ "Upon boot, re-run this utility to unlock flash.\n");
+ } else if (get_gbl_smi_en()){
+ set_gbl_smi_en(0);
+ printf("SMIs disabled. Internal flashing should work now.\n"
+ "After flashing, re-run this utility to enable SMIs.\n"
+ "(shutdown is buggy when SMIs are disabled)\n");
+ } else {
+ set_gbl_smi_en(1);
+ printf("SMIs enabled, you can now shutdown the system.\n");
+ }
+ return errno;
+}
+
+int
+get_fdo_status(void)
+{
+ return (*(uint16_t*)(rcba_mmio + SPIBAR + HSFS_REG) >> 13) & 1;
+}
+
+/*
+ * arg:
+ * 0 = Query EC FDO status - TODO
+ * 2 = Enable FDO for next boot
+ * 3 = Disable FDO for next boot - TODO
+ */
+uint8_t
+ec_fdo_command(enum EC_FDO_CMD arg)
+{
+ write_ec_reg(0x12, arg);
+ send_ec_cmd(0xb8);
+ return 1;
+}
+
+void
+write_ec_reg(uint8_t index, uint8_t data)
+{
+ outb(index, EC_INDEX);
+ outb(data, EC_DATA);
+}
+
+void
+send_ec_cmd(uint8_t cmd)
+{
+ outb(0, EC_INDEX);
+ outb(cmd, EC_DATA);
+ wait_ec();
+}
+
+void
+wait_ec(void)
+{
+ uint8_t busy;
+ do {
+ outb(0, EC_INDEX);
+ busy = inb(EC_DATA);
+ } while (busy);
+}
+
+int
+get_gbl_smi_en(void)
+{
+ return inl(SMI_EN_REG) & 1;
+}
+
+int
+set_gbl_smi_en(int enable)
+{
+ uint32_t smi_en = inl(SMI_EN_REG);
+ if (enable) {
+ smi_en |= 1;
+ } else {
+ smi_en &= ~1;
+ }
+ outl(smi_en, SMI_EN_REG);
+ return (get_gbl_smi_en() == enable);
+}
+
+/*
+uint8_t
+read_ec_reg(uint8_t index)
+{
+ outb(index, EC_INDEX);
+ return inb(EC_DATA);
+}
+*/