Flashing Coreboot on the Thinkpad X230

By Bernie Innocenti
23 March 2014 (re-published with minor edits on 30 June 2020)

x230-flashing

Coreboot, the free PC BIOS that powers all Google Chromebooks, was recently ported to the Thinkpad X230 by the long time GRUB hacker Vladimir 'φ-coder' Serbinenko. So this week-end, just while Libre Planet was taking place at the nearby MIT Stata Center, I decided to give a shot at it. Building a custom Coreboot image for the X230 was relatively easy:

git clone http://review.coreboot.org/p/coreboot    cd coreboot
git submodule update --init --checkout
make crosstools-i386
# install the .config file provided by phcoder on the Coreboot wiki
make oldconfig
make

The build process generates a 12MB image containing all the board-specific code to initialize the hardware and a "payload" program to continue the boot process. I chose SeaBIOS, a legacy PC BIOS which can boot off hard-drives and other media.

Things get interesting at this point: until someone figures out a way to workaround for Lenovo's BIOS write protection, flashing Coreboot requires a SPI programmer.  So I borrowed a Pirate Bus with a Pomona 5250 SOIC test clip from some friends at the Free Software Foundation. The +3.3V pin of the SOIC chip is connected to several other components on the motherboard and pulls a lot of current while flashing (>400mA), so I had to hook it up to a beefy external power supply, being careful not to fry the entire motherboard.

The X230 BIOS resides in two SPI flash chips of 8 and 4 megabytes that contain several things (for the details, check the X230 flashing instructions in the Coreboot wiki). Because my Coreboot image was small enough to fit into the top 4MB, I only had to flash one chip. From a separate machine, I used the 'flashrom' tool to backup the original BIOS, so I could easily restore it in case I couldn't get Coreboot to work.

sudo flashrom -p buspirate_spi:dev=/dev/ttyUSB0,spispeed=8M -c MX25L3206E -r x230-orig-4M.rom

Next, I crossed fingers and wrote my Coreboot image:

sudo flashrom -p buspirate_spi:dev=/dev/ttyUSB0,spispeed=8M -c MX25L3206E -w x230-bernie-4M.rom

The entire operation takes about 15 minutes. The Pirate Bus isn't the fastest SPI programmer on the planet, but it costs only $30 and it's pretty reliable. Ok, now let's disconnect the clip and power on the laptop. The leds blink a little. The machine seems alive, but the LCD panel doesn't turn on. From the hard drive led it's evident that the system is booting, so I hook up an external VGA monitor and see a familiar password prompt.

I already knew I was missing the VGA BIOS blob that initialize the video ports, but I wanted to see if Linux was able to do it after boot. So I cried for help in the #coreboot IRC channel, and phcoder pointed me at a patch floating around in Gerrit which contains 8KB of magical numbers to initialize the flat panel.

The title photo shows the colorful result I got while trying phcoder's off-tree patch with SeaBIOS. Phcoder hinted that a recent snapshot of GRUB2 should initialize the display properly, and then went to sleep. Other Coreboot developers on IRC helped me debug my configuration until, finally, I powered on the laptop and in a couple of seconds a familiar GRUB2 prompt appeared on the panel. From there, I could easily load the OS bootmenu:

set root=(ahci,msdos1)
source /grub/grub.cfg
normal

Of course, it's also possible to build a custom grub.cfg into the Coreboot image and let the machine boot automatically. There's also a set of SeaBIOS patches which enable native VGA initialization. I got these patches to apply to my tree, but the resulting display is still messed up. The author, Kevin O'Connor, is away from the keyboard at the moment.

Another open problem is that the S3 mode (aka sleep mode) is totally broken: instead of resuming, the machine simply reboots. This is annoying enough to prevent me from using Coreboot on my main machine. Before I can even attempt debugging this I need to figure out a way to get a debug console, because there are no usable serial ports on the X230. One of the Coreboot devs on IRC said that Android phones can serve as usbdebug dongles; I guess I'll try it next week if I have time.

Note that the resulting machine is still running plenty of scary proprietary code: there's the firmware for the Embedded Controller, a separate processor which manages power and keyboard input, and the Intel Management Engine (ME), which runs even while the machine is sleeping, and for which interesting persistent rootkits have been demonstrated by clever security researchers years ago.

There are no alternatives for the ME firmware at this time, but free  implementations of the EC firmware exist for various Chromebooks and for the OLPC XO laptops. The codebase is quite board-specific, and porting it to the Thinkpad without documentation from Lenovo isn't a trivial project.

Nevertheless, Coreboot seems to be improving rapidly in terms of usability and hardware support. There's a lively developer community and some business participation. It's not yet something I'd recommend to casual users, but if you're a nerd with a spare laptop and a fetish for hardware hacking, you might want to give Coreboot a try while it's still l33t 😉