It may be malformatted and could contain errors
Why would you flash Coreboot?
There are several reasons why you should consider doing this. The BIOS1 on those Laptops is quite restrictive. You're limited to 3 rather old wifi card models, which only support 802.11n and are rather slow by today's standards. If you try a non-whitelisted card it will refuse to boot until you remove the card. Also, there are no updates released by Lenovo to mitigate several exploits to the Intel ME. Another good point would be that you don't know what the BIOS is doing in the background, it could send data home. Coreboot replaces the bios and therefore solves most of these issues. There is a python script to solve the Intel ME problem.
Before you start
Please make sure that you understand the following things before you start. It could be a major pain to brick your device or having to uninstall the mod later on.
As far as I know, it's not possible to flash the embedded controller without the original firmware/bios. So please apply any EC mods before you replace your bios. Here are some things which require EC modification, which you should really consider doing first. Thanks to Hamish Coleman it's rather easy. Visit his project on Github!
- classic keyboard mod
- battery whitelist removal
Don't turn your device into an expensive paperweight
Just to make it clear. You're likely to turn you Thinkpad into a brick trying to swap the bios chip. Please remember that removing the chip is not necessary if you don't suck at soldering and manage to solder wires to the chip. I still recommend replacing the chip, though. You can skip the whole desoldering and resoldering part if your chip already is a SOIC8 package.
List of parts
During the series, I will use the following tools:
- Size 1 Phillips screwdriver
- Chip removal
- Heat resistant tape
- Hot air station
- a 500°C tested working surface
- Reading and writing to the chip
- Chinese SOIC8 test clip
- Raspberry Pi2
- flashrom --- software to flash and read over SPI
- Some really tiny copper cables and some jumper wires
- soldering iron
- Installing the new chip
- 25Q128FVSIG -- 3V -- SOIC8 Chip --- to replace the BIOS chip
- 60W soldering iron
- flux and solder
- Thermal paste --- you're disassembling the whole thing, so why not reapply some fresh paste to the CPU?
Disassembling the Thinkpad
For a detailed guide on how to disassemble it, you can and should look into the official maintenance manual from Lenovo.
Protip: Take pictures of screw placements and antenna cable routing.
What I tried before removing the chip
The first thing I tried was to solder way too big wires to the exposed little solder blobs. Thereby I destroyed the solder blobs and now the board is throwing CMOS errors upon boot. Probably should've unplugged the CMOS battery. It still measures 3.10V though, which was slightly worrying as I thought I had damaged the board. As it turns out I didn't. Still, it was not a smart idea, so disconnect your CMOS battery before soldering
Voltage measurement of the CMOS-Battery
Also, the Bios didn't boot after I reassembled the Laptop. Reheating the "destroyed" joints seems to have fixed this. Meaning that the BIOS chip was not broken at this point. So I finally decided to remove it from the board. As I didn't have a heat gun at the time, I finally ordered one.
Preparing the board
We will heat the board up quite massively, as the WSON chip is connected to the big ground plains via a rather big pad under the chip. There are really small components around our chip which will be desoldered long before the chip. As we don't want them flying around, we'll tape them off with our heat resistant tape. I used Kapton-Tape for this, which is not optimal as it is only made to withstand up to 280°C. If you have access to actual heat shielding tape made of aluminium or another metal, go for it. Just make sure to take your time and fit it tightly to the board. In my personal experience, the Kapton-tape is good enough that you don't even desolder the small components.
Board covered in Kapton tape -- notice the dodgy solder balls around the chip
Desoldering the chip
Now that you have prepared the board it's time to take your heat gun. You cannot use a soldering iron as there is a large pad below the chip. I set mine to around 350°C (\~660°F) and a medium airflow. Make sure to blow the air straight at the board and not at an angle to avoid desoldering and blowing away those tiny resistors. Cycle over the chip and use your tweezers to test if it came loose and finally remove the chip. Even if you never used a heat gun before, it's not that hard. Just don't pull on the chip while there is still solder holding it down. Remove the Kapton-Tape from the board when you're done unless you want to use the heat gun to solder the replacement into place. Don't throw the old one away, we'll need it later.
Soldering the new chip
Your replacement chip is a SOIC8 package. If you soldered SMD parts before then you should have no problem. In case you haven't: Make sure you align the indent on the chip with the white mark on the board. The indent tells you where PIN-1 is and the mark on the board shows you where it should be soldered to. If there is still a rather big amount of solder on the pads consider removing it using some solder wick. Align the chip on the board and solder one pin to the board so it doesn't move anymore. Then take your time soldering the other seven.
Extracting the original firmware
At this point, we have a blank chip in our Thinkpad, so it won't boot. To fix this and to be able to prepare coreboot we need to extract the original from the chip we desoldered. To achieve this I used a Raspberry Pi, jumper wires and some really tiny copper wire. I cut one side of the jumper wire off and attached the tiny copper wires. then I soldered those to our old chip. To relieve stress I used the tape to hold it down.
Wires soldered to the chip, make sure you know where Pin 1 is before you tape it down. Later I spaced the wires on the left side out a bit more to prevent a short.
Now you have to setup your Raspberry Pi. You need to install flashrom and enable SPI.
First install necessary tools and setup SPI
pi@raspberrypi:~ $ sudo apt install flashrom pi@raspberrypi:~ $ sudo raspi-config
Enable "P4 SPI" under "Interfacing Options" then reboot.
Wiring the chip to the Pi
|Chip Pin||Raspberry Pin||Chip Pin||Raspberry Pin|
First, check if the chip gets recognized
1 2 3 4 5 6 7 8
pi@raspberrypi:~ $ sudo flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=30000 flashrom v0.9.9-r1954 on Linux 4.9.80-v7+ (armv7l) flashrom is free software, get the source code at https://flashrom.org Calibrating delay loop... OK. Found Winbond flash chip "W25Q128.V" (16384 kB, SPI) on linux_spi. No operations were specified.
If it doesn't look like this, try lowering the spispeed first. If it doesn't work then, it means that you probably did wire it up wrong.
Now we read the contents at least 2 times and compare the checksums to make sure we have a valid reading.
1 2 3 4 5 6 7 8
pi@raspberrypi:~/rom $ sudo flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=30000 -r 1.rom flashrom v0.9.9-r1954 on Linux 4.9.80-v7+ (armv7l) flashrom is free software, get the source code at https://flashrom.org Calibrating delay loop... OK. Found Winbond flash chip "W25Q128.V" (16384 kB, SPI) on linux_spi. Reading flash... done.
repeat this step at least another time, change "1.rom" to "2.rom" etc.
then compare the checksums
1 2 3 4 5
pi@raspberrypi:~/rom $ md5sum *.rom ee8d5c6b4cb60fff9dbb2a359626dd96 1.rom ee8d5c6b4cb60fff9dbb2a359626dd96 2.rom ee8d5c6b4cb60fff9dbb2a359626dd96 3.rom
Looks fine :) make sure to store one of those somewhere save! You'll need it if you ever want to update the Embedded Controller or don't want to use Coreboot anymore.
Flashing and testing our new chip
Before we create a coreboot image, we'll flash our original bios to our new chip. This way we make sure that we soldered everything correctly and our new chip works. First, you wire up your SOIC8-clip. The wiring is the same as in the table above. Then you clip it onto the chip on the board, make sure that there is no battery attached to the board!
On our Raspberry Pi, we now verify that the chip gets recognized and then flash the old firmware.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
pi@raspberrypi:~ $ sudo flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=30000 flashrom v0.9.9-r1954 on Linux 4.9.80-v7+ (armv7l) flashrom is free software, get the source code at https://flashrom.org Calibrating delay loop... OK. Found Winbond flash chip "W25Q128.V" (16384 kB, SPI) on linux_spi. No operations were specified. pi@raspberrypi:~/rom $ sudo flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=30000 --write 1.rom flashrom v0.9.9-r1954 on Linux 4.9.80-v7+ (armv7l) flashrom is free software, get the source code at https://flashrom.org Calibrating delay loop... OK. Found Winbond flash chip "W25Q128.V" (16384 kB, SPI) on linux_spi. Reading old flash chip contents... done. Erasing and writing flash chip... Erase/write done. Verifying flash... VERIFIED.
At this point, you connect a monitor via VGA or the display to the LVDS connector, plug in the keyboard and connect the board to power. Try to power on, if it shows you the Thinkpad logo everything works. (Congrats!)
If the power LED just lights up shortly, try the following. Disconnect power then press the power button for 1 second then release for one second. Repeat this 10 times, then keep it pressed for 30s. Now plug the cord back in and try booting again. If it still doesn't work check your solder joints. Sounds stupid, but worked for me.
Creating a Coreboot image
I'll show you how to do this in Part 2, which I just released.
The 2nd part will not be copied over to this blog as it was never really completed. There has always been some discrepencies I don't feel comfortable with. If you need help setting up coreboot write a message below, or use the contact buttons to the right.
- I know it's actually UEFI based, but I'll keep calling it BIOS as the search term is more common. ↩
- You can use any other SPI programmer which is supported byflashrom, or even write your own program and use unsupportedprogrammers. The protocol is not that complex. ↩