NOTE: LibreBoot (status of 2018) can NOT boot Windows X-D (who cares). So i guess you want to use LibreBoot with Linux and Linux only.

even when CoreBoot is a 10 year old project… replacing your BIOS with LINUX can be a major hack on some devices… not anymore on the Lenovo X60 and X60S, which are not the fastest devices out there (Core2Duo 32Bit, 2GB RAM) but with Linux it still kick some ass and can be bought pretty cheap at ebay for below 100€. (as a matter of fact this article is written with a liberated X60S! GOOD JOB GUYS! 🙂

you can download the bench_cpu.sh script here. (it uses sysbench so you will need to have this preinstalled)

manpage: man.sysbench.txt

x60

time /scripts/bench_cpu.sh 
============ CPU MIPS and FLOPS
model		: 14
model name	: Intel(R) Core(TM) Duo CPU      L2500  @ 1.83GHz
model		: 14
model name	: Intel(R) Core(TM) Duo CPU      L2500  @ 1.83GHz
bogomips	: 3657.28
bogomips	: 3657.28
============ CPU BENCHMARK
sysbench 0.4.12:  multi-threaded system evaluation benchmark

Running the test with following options:
Number of threads: 2

Doing CPU performance benchmark

Threads started!
Done.

Maximum prime number checked in CPU test: 20000


Test execution summary:
    total time:                          34.5435s
    total number of events:              10000
    total time taken by event execution: 69.0438
    per-request statistics:
         min:                                  5.78ms
         avg:                                  6.90ms
         max:                                 43.96ms
         approx.  95 percentile:              13.76ms

Threads fairness:
    events (avg/stddev):           5000.0000/86.00
    execution time (avg/stddev):   34.5219/0.01


real	0m34.929s

The keyboard of the X60S takes time to get used to, especially this F1 button is kind of misplaced (in vim you need ESC a lot but not F1 X-D)

If you want to have faster and more stylisch (what is more stylish than retro hardware? X-D) hardware, best idea is probably to buy a Purism 15 laptop, if you can afford it (2018: $1,599.00, the price of freedom is high) that comes with LibreBoot pre installed.

long story:

(you can skip to „LETS DO IT!“)

researchers at the University of Michigan haven’t just imagined that computer security nightmare; they’ve built and proved it works. In a study that won the “best paper” award at last week’s IEEE Symposium on Privacy and Security, they detailed the creation of an insidious, microscopic hardware backdoor proof-of-concept. And they showed that by running a series of seemingly innocuous commands on their minutely sabotaged processor, a hacker could reliably trigger a feature of the chip that gives them full access to the operating system. Most disturbingly, they write, that microscopic hardware backdoor wouldn’t be caught by practically any modern method of hardware security analysis, and could be planted by a single employee of a chip factory.

“Detecting this with current techniques would be very, very challenging if not impossible,” says Todd Austin, one of the computer science professors at the University of Michigan who led the research. “It’s a needle in a mountain-sized haystack.” Or as Google engineer Yonatan Zunger wrote after reading the paper: “This is the most demonically clever computer security attack I’ve seen in years.”

The “demonically clever” feature of the Michigan researchers’ backdoor isn’t just its size, or that it’s hidden in hardware rather than software. It’s that it violates the security industry’s most basic assumptions about a chip’s digital functions and how they might be sabotaged. Instead of a mere change to the “digital” properties of a chip—a tweak to the chip’s logical computing functions—the researchers describe their backdoor as an “analog” one: a physical hack that takes advantage of how the actual electricity flowing through the chip’s transistors can be hijacked to trigger an unexpected outcome. Hence the backdoor’s name: A2, which stands for both Ann Arbor, the city where the University of Michigan is based, and “Analog Attack.”

A2 Analog Malicious Hardware Kaiyuan Yang, Matthew Hicks, Qing Dong, Todd Austin, Dennis Sylvester Department of Electrical Engineering and Computer Science University of Michigan Ann Arbor, MI, USA { kaiyuan, mdhicks, qingdong, austin, dmcs } @umich.edu

download the study: http://static1.1.sqspcdn.com/static/f/543048/26931843/1464016046717/A2_SP_2016.pdf?token=N4pJSSoqL4kE4V4JXpTwx7qDRX4%3D

mirror: A2 Analog Malicious Hardware Kaiyuan Yang, Matthew Hicks, Qing Dong, Todd Austin, Dennis Sylvester Department of Electrical Engineering and Computer Science University of Michigan.pdf

https://www.wired.com/2016/06/demonically-clever-backdoor-hides-inside-computer-chip/

computrace – root kit by factory

https://blog.maschinenraum.tk/2018/03/19/libreboot-installation-auf-einem-thinkpad-x200/

„However security researchers at Kaspersky Lab are standing by their warning that Absolute Software’s Computrace anti-theft technology poses a hidden threat that might be abused by hackers and cyberspies to plant malware – or worse.

Absolute’s Computrace agent resides in the firmware, or ROM BIOS (Basic Input/Output System), of millions of laptops and desktop PCs from manufacturers including Dell, Fujitsu, HP, Lenovo, Samsung, and Toshiba.“

https://www.theregister.co.uk/2014/02/17/kaspersky_computrace/

„Libreboot is a custom distribution of coreboot that removes all proprietary software from the BIOS. Instead of proprietary BIOS boot selector, for instance, Libreboot boots straight into its own GRUB menu that you can use to load your own underlying OS. In addition, Libreboot has automated a lot of the difficult processes around installing coreboot and provides custom scripts and pre-build ROMs for its officially supported hardware.“

„Although the Purism 15 laptop seems to be a viable choice for those who want a free software laptop, at the time of this writing, the crowdfunding campaign is still in process, and even after it completes, it will take some time until they ship. Plus, a new laptop like that doesn’t come cheap, and many people who may want a laptop that runs 100% free software may not have $1,600+ to spend on it. I’ve been able to find used ThinkPad X60 laptops on auction sites as cheap as $30, so if you are willing to live with some of the limitations of hardware that old, it is an inexpensive route to a decent machine that runs only free software.“

„When I first attempted to flash an X60 with coreboot a few months ago, the process involved disassembling the laptop to inspect the underside of the motherboard with a magnifying glass so I could determine which of two BIOS chip types I had. I used that information to hand-patch the flashrom software with custom code and compiled a special version just to unlock my BIOS. Then I downloaded, configured and compiled a custom coreboot BIOS image for my laptop and went through a two-phase flash. In the end, I got it working; however, I needed to strip out and include the proprietary video firmware from my proprietary BIOS to get any video at boot time—useful when you want to select between hard drive and USB boot.“

„There are two primary ways you can brick your laptop during the process. First, you could have a bad flash during the initial bootstrapping flash phase. If that happens but you were using one of the Libreboot-supplied ROMs, all you should have to do is shut off the machine, unplug the CMOS battery for a few seconds, reconnect it and power on your machine to get back to the original BIOS.

If you flash during the initial bootstrapping phase with a custom ROM like I tried one time, lose power during the process, attempt this on incompatible hardware or otherwise encounter a worst-case scenario, you could end up with a completely unbootable machine. Because you can’t boot back to your OS, you can’t attempt to reflash, so you are stuck with a bricked laptop unless you buy hardware that can flash your BIOS chip, such as a BusPirate or a Raspberry Pi running custom software.“

src: https://www.linuxjournal.com/content/libreboot-x60-part-i-setup

LET’S DO IT!

confidence: this video should give you confidence: https://youtu.be/SEgxCg3pSyU
Yes, YOU can do it! 🙂

  1. flash stage 1
  2. poweroff, wait 10 seconds, poweron
  3. flash stage 2
  4. congratulations!

notice: THERE IS A LOT OF OUTDATED TUTORIALS/HOWTOS OUT THERE!

this one is recent in 2018-06.

outdated: https://www.linuxjournal.com/content/libreboot-x60-part-ii-installation

official documentation (outdated?)

not so outdated, but maybe not very clear to all users: https://libreboot.org/docs/install/#flashrom_lenovobios

requirements:

If you can, make sure that RTC battery is not discharged. Discharged RTC battery may lead to brick due to not holding BUC register value.

Native gpu initialization (‘native graphics’) which replaces the proprietary VGA Option ROM (‘Video BIOS’ or ‘VBIOS’), all known LCD panels are currently compatible:

To find what LCD panel you have, see: ../misc/#get_edid_panelname.

  • TMD-Toshiba LTD121ECHB: #
  • CMO N121X5-L06: #
  • Samsung LTN121XJ-L07: #
  • BOE-Hydis HT121X01-101: #

download libreBoot/CoreBoot pre compiled roms and utilities: https://libreboot.org/download.html

the amount of stuff there can be confusing, so i packed all you need for X60S in this file:

https://dwaves.org/software/LibreBoot_20160907_for_Lenovo_X60S.sha512sum.txt
https://dwaves.org/software/LibreBoot_20160907_for_Lenovo_X60S.tar.gz

#system used
hostnamectl 
   Static hostname: debian
Icon name: computer-laptop
           Chassis: laptop
  Operating System: Debian GNU/Linux 8 (jessie)
            Kernel: Linux 3.16.0-4-686-pae
      Architecture: x86

# find out what GPU you have (mostly intel)
lspci -nn | grep VGA
00:02.0 VGA compatible controller [0300]: Intel Corporation Mobile 945GM/GMS, 943/940GML Express Integrated Graphics Controller [8086:27a2] (rev 03)

# find out what SCREEN / Screen / Display / TFT / LCD you have
cat /sys/class/drm/card0-LVDS-1/edid | strings
&!PT!
aC2aC(
LTD121ECHB

# what is my BIOS ROM size?
dmidecode | grep ROM\ Size
ROM Size: 2048 kB

# download
wget --no-check-certificate https://dwaves.org/software/LibreBoot_20160907_for_Lenovo_X60S.tar.gz
wget --no-check-certificate https://dwaves.org/software/LibreBoot_20160907_for_Lenovo_X60S.sha512sum.txt

# verify
sha512sum -c LibreBoot_20160907_for_Lenovo_X60S.sha512sum.txt

tar fxvz LibreBoot_Lenovo_X60S.tar.gz; # unpack

# backup existing BIOS (one of this should work)

# this failed me
./LibreBoot_Lenovo_X60S/libreboot_r20160907_util/flashrom/i686/flashrom_lenovobios_sst -p internal -r factory.bin

# works
./LibreBoot_Lenovo_X60S/libreboot_r20160907_util/flashrom/i686/flashrom_lenovobios_macronix -p internal -r factory.bin

# result was:
flashrom v0.9.9-unknown on Linux 3.16.0-4-686-pae (i686)
flashrom is free software, get the source code at https://flashrom.org

Calibrating delay loop... OK.
Found chipset "Intel ICH7M".
Enabling flash write... WARNING: SPI Configuration Lockdown activated.
OK.
Found Macronix flash chip "MX25L1605D/MX25L1608D/MX25L1673E" (2048 kB, SPI) mapped at physical address 0xffe00000.
Reading flash... done.

# now the flashing

# run bucts flipping the register so that the value is high (1)
./bucts/i686/bucts 1

bucts utility version 'withoutgit'
Using LPC bridge 8086:27b9 at 0000:1f.00
Current BUC.TS=0 - 128kb address range 0xFFFE0000-0xFFFFFFFF is untranslated
Updated BUC.TS=1 - 64kb address ranges at 0xFFFE0000 and 0xFFFF0000 are swapped

# rerun
./bucts/i686/bucts 1
bucts utility version 'withoutgit'
Using LPC bridge 8086:27b9 at 0000:1f.00
Current BUC.TS=1 - 64kb address ranges at 0xFFFE0000 and 0xFFFF0000 are swapped
Not writing BUC register since TS is already correct.

# make sure to get the rom with a proper keyboard layout

./flash i945lenovo_firstflash x60_deqwertz_vesafb.rom
Mode selected: i945lenovo_firstflash
bucts utility version 'withoutgit'
Using LPC bridge 8086:27b9 at 0000:1f.00
Current BUC.TS=1 - 64kb address ranges at 0xFFFE0000 and 0xFFFF0000 are swapped
Not writing BUC register since TS is already correct.
flashrom v0.9.9-unknown on Linux 3.16.0-4-686-pae (i686)
flashrom is free software, get the source code at https://flashrom.org

Calibrating delay loop... OK.
Found chipset "Intel ICH7M".
Enabling flash write... WARNING: SPI Configuration Lockdown activated.
OK.
No EEPROM/flash device found.
Note: flashrom can never write if the flash chip isn't found automatically.
flashrom v0.9.9-unknown on Linux 3.16.0-4-686-pae (i686)
flashrom is free software, get the source code at https://flashrom.org

Calibrating delay loop... OK.
Found chipset "Intel ICH7M".
Enabling flash write... WARNING: SPI Configuration Lockdown activated.
OK.
Found Macronix flash chip "MX25L1605D/MX25L1608D/MX25L1673E" (2048 kB, SPI) mapped at physical address 0xffe00000.
Reading old flash chip contents... done.
Erasing and writing flash chip... spi_block_erase_20 failed during command execution at address 0x0
Reading current flash chip contents... done. Looking for another erase function.
Transaction error!
spi_block_erase_d8 failed during command execution at address 0x1f0000
Reading current flash chip contents... done. Looking for another erase function.
spi_chip_erase_60 failed during command execution
Reading current flash chip contents... done. Looking for another erase function.
spi_chip_erase_c7 failed during command execution
Looking for another erase function.
No usable erase functions left.
FAILED!
Uh oh. Erase/write failed. Checking if anything has changed.
Reading current flash chip contents... done.
Apparently at least some data has changed.
Your flash chip is in an unknown state.
Get help on IRC at chat.freenode.net (channel #flashrom) or
mail flashrom@flashrom.org with the subject "FAILED: "!
-------------------------------------------------------------------------------
DO NOT REBOOT OR POWEROFF!

despite the horrific messages above: power down the system but do not remove power, especially RTC battery! with:

init 0;

Wait a few seconds, and then press power button;

DADA!

you should be greeted with the a lovely GNU boot screen 🙂

libreboot is running, but there is a 2nd procedure needed.

When you have booted up again, you must flash second stage:

./flash i945lenovo_secondflash x60_deqwertz_vesafb.rom

Mode selected: i945lenovo_secondflash
flashrom v0.9.9-unknown on Linux 3.16.0-4-686-pae (i686)
flashrom is free software, get the source code at https://flashrom.org

Calibrating delay loop... OK.
coreboot table found at 0x7be9f000.
Found chipset "Intel ICH7M".
Enabling flash write... OK.
Found Macronix flash chip "MX25L1605D/MX25L1608D/MX25L1673E" (2048 kB, SPI) mapped at physical address 0xffe00000.
Reading old flash chip contents... done.
Erasing and writing flash chip... Erase/write done.
Verifying flash... VERIFIED.
bucts utility version 'withoutgit'
Using LPC bridge 8086:27b9 at 0000:1f.00
Current BUC.TS=1 - 64kb address ranges at 0xFFFE0000 and 0xFFFF0000 are swapped
Updated BUC.TS=0 - 128kb address range 0xFFFE0000-0xFFFFFFFF is untranslated

####################################################
If flashing fails at this stage, try the following:

./flashrom/i686/flashrom -p internal:laptop=force_I_want_a_brick -w x60_deqwertz_vesafb.rom

You should see within the output the following:

Updated BUC.TS=0 - 128kb address range 0xFFFE0000-0xFFFFFFFF is
untranslated
You should also see within the output the following:

Verifying flash... VERIFIED.

amazing

it is definitely booting up faster and looks pretty cool 🙂

for me almost everything worked out of the box… (no problem with wifi)

no sound?

acpi sound muted problem

cat /proc/acpi/ibm/volume
level: 0
mute: on

that is an easy one X-D in the top left corner, the thinkpad has volume mute/down/up buttons. press volume up and you should get sound 🙂 (have to redo this every boot?)

you might want to change:

vim /etc/default/grub

this line:

GRUB_CMDLINE_LINUX_DEFAULT=“quiet“

into this line:

GRUB_CMDLINE_LINUX_DEFAULT=“acpi_enforce_resources=lax“

# and then run to manifest the changes

update-grub2

if you want to compile coreboot from source: https://github.com/coreboot/coreboot

you will need those packages:

apt install libpci-dev
apt install libncurses5-dev

complete liberation:

if you want to get rid of all binary non open source blobs: you will have to remove all hardware that does not work/come with open source drivers.

such as the Intel Wifi Adapter preinstalled in Thinkpad X60S and replace it with an Atheros Chip: https://www.ebay.de/sch/i.html?&_nkw=Atheros+Wireless-N+mPCI+card

(yes those backdoors are ALL OVER THE PLACE/EVERYWHERE/EVERY CHIP!)

IT IS NOT EASY to find a network card/wifi adapter that runs on Open Source drivers… even harder it gets with graphic-cards / GPU, why is that so?

is debian ath9k driver free software? Does not seem like it!

it is a CATASTROPHIC mess, to find out what wifi-chipsets come with free open source drivers…

„This package contains the binary firmware for USB wireless network and Bluetooth cards supported by the ar5523, ath3k, ath6kl_sdio, ath6kl_usb, ath9k_htc or ath10k drivers.“

https://wiki.debian.org/Firmware

https://wiki.debian.org/WiFi

Many devices require a firmware to operate. Historically, firmware were built-into the device’s ROM or Flash memory, but more and more often, the firmware has to be loaded into the device by the driver during the device initialization.

Some of these firmware are free and open-source, and some of them are non-free, which means that you need to add the non-free and contrib components to /etc/apt/sources.list; see sources.list(5) and Debian archive basics (Debian Reference) for more information.

package: ath10k https://packages.debian.org/sid/firmware-atheros

Package: firmware-atheros (20161130-3) [non-free?]

Available devices

if shit happens: unbrick

might not be possible without specialized hardware (rom flasher)

https://libreboot.org/docs/install/x60_unbrick.html

Links:

https://tehnoetic.com/laptops

https://hardenedlinux.github.io/firmware/2016/11/17/neutralize_ME_firmware_on_sandybridge_and_ivybridge.html

https://minifree.org/

admin