1vyrain — An xx30 ThinkPad Jailbreak

Gee (https://n4ru.it)
7 min read · Feb 20, 2020


[1vyrain ASCII-art logo]

This is a longer form FAQ to accompany the 1vyrain xx30 jailbreak project.

I want to self-build!

Okay, fine. Be that guy. Check this post.

I have an X330

Use the X330 option in the main menu. All machines detected as an X230 now have a new option, zero, in Revision 4, which will prevent you from going blind after flashing. All this does is disable the default LVDS option.

How do I downgrade without Windows?

There’s a ton of tutorials. Just extract the disc image and run the command before burning it to the USB drive.

Battery Mod / Classic Keyboard Mod

This mod does NOT flash the Embedded Controller. Do NOT ask about flashing the EC. The mod is fully compatible with EC modifications, but it must be flashed before you use 1vyrain to update your BIOS. If you have already flashed 1vyrain, you can use IVPrep to downgrade and do the EC mod before flashing back with 1vyrain. Your EC state will persist.

Supporting New Machines

If you are on a Haswell device or older and you have downgraded your BIOS as low as possible (pre-June 2015 usually at the very least), you can run 1vyrain to test for compatibility.

If the exploit fails, you’re out of luck. Do not pass GO, do not create a GitHub issue, I will close it. If the exploit succeeds but you are not currently compatible, please do create a GitHub issue with the details printed. I will get back to you letting you know if existing patches work with your machine. If they don’t, you are on your own unless we find time to investigate.

Testing Existing Patches on a new device

If you have free time and know what you’re doing, feel free to self-patch: extract your machine’s BIOS from its FL1 (see below), then run the patcher using the patches at the bottom of this page. The resulting image (exactly 4MB) can be flashed only if you know the layout of your BIOS exactly (don’t wing this, you’ll brick). Pad your image (dd from /dev/null, then cat the files in the right order) so the bios region is in the correct place, then upload your BIOS somewhere and download it to the machine.

If the exploit succeeds but the script exits because your machine is not supported, download your BIOS image to the machine and run the following:

/root/flashrom/flashrom -p internal:laptop=force_I_want_a_brick -w /root/bios.rom --ifd -i bios -N

Please make sure you’re flashing the right file when you run the above command. If you don’t know what you are doing and are not comfortable with Unix or don’t have a hardware flasher, do not mess with the above section. You will brick, and I will not help you if it is clear you are doing this blind.

Why do I need to downgrade / can I upgrade again?

1vyrain requires you to be on a specific vulnerable BIOS version. From there, it upgrades you to the latest BIOS pushed to the patched-bios repo.

TDP Limits and Battery Life

Ivy Bridge does not allow for undervolting, but TDP configuration can be unlocked using the Advanced Menu. Under “Processor Power Management”, setting “Lock TDP setting” to Disabled unlocks MSR_CONFIG_TDP_CONTROL, and allows you to configure your TDP within the BIOS, or use ThrottleStop or XTU to set lower (or higher) limits on your power draw within the OS and create power profiles. This lets you limit the clock speeds achievable under load, increasing your battery life. Conversely, higher-end chips with their TDP increased allow higher sustained clock speeds under load (mostly useful for 38xxQM series and above).

Disabling Intel ME slows boot time

We are not sure why this happens since Intel ME is a black box, but disabling Intel ME through the Advanced Menu (or any other method) will significantly increase your time to POST from the BIOS by about 5 extra seconds.

Missing Date & Time in BIOS

This is a side effect of the Advanced Menu needing to go somewhere. You’re not blind. The Date & Time tab is gone. If you really need it, flash a fresh BIOS. You probably don’t though. Setting this in the OS propagates it to the BIOS, in both Windows and (all?) flavors of Linux.

I get power cycling and a CRC error after flashing

Don’t be alarmed if your ThinkPad/ThinkLight power cycles a few times after a flash, or you get a CRC Security error. That is normal and will go away after another restart!

Limiting Active Cores is non-functional

This is an issue with the Advanced Menu built into the BIOS. I, along with multiple other sources, can confirm that this function of the Advanced Menu doesn’t seem to do anything, so steer clear of it in case it has unintended side effects.

Overclocking

You can overclock with the following software once unlocked:

  • Windows: Intel XTU, ThrottleStop
  • Linux: MSR 0x1AD, there are scripts to do this hanging around on GitHub and such

Supported CPUs

Intel only allows overclocking on some Ivy Bridge CPUs, those being:

  • 3720QM through 3840QM, which can increase their multipliers by +4.
  • Extreme mobile chips (3920XM, 3940XM) are fully unlocked.
  • Some engineering samples (QBC1, QBZU, others?) are fully unlocked.

QM chips likely need Intel ME enabled for them to overclock (unconfirmed).

Why am I being asked for a password after flashing?

You, or somebody else, fucked up. Your machine had a password at one point, but it was not properly cleared. Flashing 1vyrain resets your BIOS settings and may cause “old” passwords to pop back up. Before flashing, make 100% sure you know the password to your machine, even if you’ve cleared it. If you are unsure, try clearing, enabling then disabling the supervisor/BIOS password.

If you run into this issue, it is known that writing all zeroes to the EEPROM (a 1MB flash chip, compatible with SOIC8 clips) will remove the password and all related settings, and give you access to the machine again. There is no known way to write to the EEPROM from software.

Restoring your BIOS

You don’t need a backup. Nobody needs a backup, really. Except to preserve your settings, but passwords are not stored in the BIOS itself anyway (though a password held in the EC can still trigger the prompt).

You can grab the 4MB BIOS image from any recent Lenovo update for the main line of Ivy Bridge products (T/W/X series) by running this on the FL1 file (WSL works too):

dd if=BIOS.FL1 bs=1 of=4MB skip=464 count=4194304

The resulting file is a fresh BIOS image that is safe to write to chip, and is our preferred method of “rescuing” machines bricked by software or bad flashes.
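As an added example (not code from the 1vyrain project), the same carve in Python, followed by the padding step that the self-patching section above describes in words: laying the 4MB image into a full-chip-sized file so that flashrom’s --ifd -i bios finds the region where the descriptor on the chip says it is. The 464-byte skip and the 4194304-byte length are the dd command’s; the chip size and region offset in demo() are constructed placeholders, not a real xx30 layout, and the real values must come from your own descriptor.

```python
"""Carve the 4 MiB BIOS image out of a Lenovo .FL1 update and lay it into a
full-chip-sized file so flashrom's --ifd -i bios can locate it.

Added example; not code from the 1vyrain project. The 464-byte header skip
and the 4194304-byte length come from the dd command in the FAQ. The chip
size and BIOS-region offset used in demo() are constructed placeholders:
take the real values from your own flash descriptor before flashing.
"""

FL1_HEADER_LEN = 464                 # bytes preceding the image in the .FL1 (the FAQ's dd skip=464)
BIOS_REGION_LEN = 4 * 1024 * 1024    # 4194304 bytes (the FAQ's dd count)
FLASH_BLOCK = 4096                   # descriptor regions are expressed in 4 KiB units


def extract_bios_from_fl1(fl1: bytes) -> bytes:
    """Return the 4 MiB BIOS image that starts 464 bytes into the .FL1."""
    end = FL1_HEADER_LEN + BIOS_REGION_LEN
    if len(fl1) < end:
        raise ValueError(f"FL1 too short: need at least {end} bytes, got {len(fl1)}")
    return fl1[FL1_HEADER_LEN:end]


def build_chip_image(chip_size: int, bios_offset: int, bios: bytes, fill: int = 0x00) -> bytes:
    """Place `bios` at `bios_offset` inside a chip_size-byte image, `fill` elsewhere.

    With --ifd -i bios flashrom writes only the bios region, so the padding
    merely has to put the region at the offset the on-chip descriptor expects.
    Zero padding is what `dd if=/dev/zero` produces in the shell.
    """
    if len(bios) != BIOS_REGION_LEN:
        raise ValueError(f"BIOS image must be exactly {BIOS_REGION_LEN} bytes, got {len(bios)}")
    if bios_offset % FLASH_BLOCK:
        raise ValueError("region offset must be 4 KiB aligned")
    if bios_offset + len(bios) > chip_size:
        raise ValueError("bios region does not fit inside the chip at that offset")
    pad = bytes([fill])
    return pad * bios_offset + bios + pad * (chip_size - bios_offset - len(bios))


def demo() -> dict:
    """Run both steps on a constructed .FL1 and return the facts worth checking."""
    fake_bios = bytes(range(256)) * (BIOS_REGION_LEN // 256)                # constructed 4 MiB payload
    fake_fl1 = b"\x11" * FL1_HEADER_LEN + fake_bios + b"\x22" * 1000        # constructed .FL1 wrapper
    bios = extract_bios_from_fl1(fake_fl1)
    # Placeholder layout (NOT a real xx30 descriptor): 12 MiB chip, BIOS in the last 4 MiB.
    chip_size, bios_offset = 12 * 1024 * 1024, 8 * 1024 * 1024
    image = build_chip_image(chip_size, bios_offset, bios)
    return {
        "bios_ok": bios == fake_bios,
        "image_len": len(image),
        "bios_at_offset": image[bios_offset:bios_offset + BIOS_REGION_LEN] == fake_bios,
        "padding_zero": image[:bios_offset] == bytes(bios_offset),
    }


if __name__ == "__main__":
    print(demo())
```

The size check in build_chip_image is the one that matters in practice: flashrom refuses a file whose length differs from the chip, and a bios region that is not exactly 4MB is the symptom of a carve with the wrong skip or count.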

How is Intel ME disabled?

Intel ME is disabled through the software Advanced Menu in the BIOS. There are three known ways of disabling Intel ME: the Advanced Menu, completely stripping the non-essential ME components out of the image itself, or setting the AltMeDisable bit. The Advanced Menu disable is closest to the last of these: it doesn’t strip any of ME, it just turns it “off”.

What’s the best WLAN card I can buy?

AX200HMW

What about AES unlock, eGPU 16GB bug, etc?

None of those are relevant to you. The former was only locked in the first few BIOS revisions and was fixed by Lenovo. The eGPU bug is xx20 only.

How fast can I run my RAM?

Depending on how good your IMC is, you can run as high as 2133MHz. Few CPUs can actually reach that speed. 1866MHz runs fine across the board, but you might be able to overclock somewhere in between. Make sure you’re familiar with memory training. I’m not going to answer queries about “bricks” that were just your memory not being trained after changing RAM/SPD or if you’ve bricked by setting your memory to 1066MHz.

Just get an 1866MHz kit if you want to avoid the IMC lottery, or clock down.

If you get a golden chip, 2400MHz is possible, and has been confirmed.

Why can’t I flash a larger coreboot image?

The exploit only unlocks the bios and gbe regions for writing. The ifd is readable but not writable, so you cannot modify the boot block. Modifying the boot block is required in order to allow you to, you guessed it, boot from a different sized image, since the BIOS is set to always be read from a specific block. (The ifd region is the “Intel Flash Descriptor”, which describes the layout of the chips containing the BIOS, Intel ME, the descriptor itself, and the GbE.)

Since we are unable to modify the ifd, we can only overwrite the BIOS region with images that are identically sized. This means Coreboot images larger than the default 4MB cannot be flashed. Luckily, any laptop with Coreboot support can have the image resized to 4MB, and any payloads you want to include that would increase the size of the image can instead be chainloaded off of the disk.

Patch Documentation

Here’s a quick overview of the individual patches. These patches are ONLY tested to work on the latest BIOS revisions, and in at least one case they will cause a soft-brick if applied to a BIOS revision that is too old (machine will not boot with WLAN card inserted).

This documentation is for BIOS versions released after September 2019.

Advanced Menu

32442D09-1D11-4E27-8AAB-90FE6ACB0489 10 O:02A0:778B1D826D24964E8E103467D56AB1BA

Self-explanatory. Replaces Date & Time with Advanced Menu.

Overclock and 0x194 Unlock

F7731B4C-58A2-4DF4-8980-5645D39ECE58 10 P:44243080fb0175080fbae80f89442430:44243080fb01eb080fbae80f89442430
F7731B4C-58A2-4DF4-8980-5645D39ECE58 10 P:30488b4338f6000874080fba6c243014:30488b4338f60008eb080fba6c243014

Stops the stock BIOS from locking MSR 0x194, which allows overclocking.

Whitelist Removal (except T430s & X230t)

79E0EDD7-9D1D-4F41-AE1A-F896169E5216 10 P:C8390F0F84:C8390F90E9
79E0EDD7-9D1D-4F41-AE1A-F896169E5216 10 P:C8390F7516:C8390F7500
79E0EDD7-9D1D-4F41-AE1A-F896169E5216 10 P:C8394F0474:C8394F04EB

Handles WLAN card whitelist removal in the EFI module.

Whitelist Removal (T430s & X230t)

79E0EDD7-9D1D-4F41-AE1A-F896169E5216 10 P:41390C240F84:41390C2490E9
79E0EDD7-9D1D-4F41-AE1A-F896169E5216 10 P:41390C240F858D:41390C240F8500
79E0EDD7-9D1D-4F41-AE1A-F896169E5216 10 P:41394C24047577:41394C24047500
79E0EDD7-9D1D-4F41-AE1A-F896169E5216 10 P:413AED0F8497FEFFFF:413AED0F8400000000

The T430s and X230t use different EFI modules to handle their WLAN cards. Don’t ask me why. I have no idea why these models are snowflakes.
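As an added example (not the 1vyrain patcher or any of its code), here is a small Python patcher that parses lines in the format listed above and applies them with the check you want before anything goes near a chip: a pattern patch must match exactly once in the module, and must not change the module’s size. I read the line format as `<module GUID> <section type> <P|O>:<find or offset>:<replace>`, which is the patches.txt syntax of UEFIPatch and is an assumption about which patcher is meant; section type 10 is a PE32 section. Locating the module inside the firmware volume by GUID is out of scope here, so SAMPLE_MODULE is a constructed stand-in for a module body, not real firmware bytes.

```python
"""Parse and apply pattern patches in the "GUID section P:find:replace" form.

Added example, not the 1vyrain patcher. Assumed line format (UEFIPatch
patches.txt style): <file GUID> <section type hex> <P|O>:<a>:<b>, where
P = find/replace byte pattern and O = write bytes <b> at hex offset <a>.
Finding the module by GUID inside the firmware volume is out of scope;
SAMPLE_MODULE below is a constructed stand-in for an EFI module body.
"""
import re
from dataclasses import dataclass

PATCH_LINE = re.compile(
    r"^(?P<guid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\s+"
    r"(?P<section>[0-9A-Fa-f]+)\s+(?P<kind>[PO]):(?P<a>[0-9A-Fa-f]+):(?P<b>[0-9A-Fa-f]+)$"
)

# Whitelist-removal line copied from the FAQ (the non-T430s/X230t variant).
WHITELIST_PATCH = "79E0EDD7-9D1D-4F41-AE1A-F896169E5216 10 P:C8390F0F84:C8390F90E9"

# Constructed module body: filler, one occurrence of the find pattern (the
# JE rel32 gets a made-up displacement), more filler. Not real firmware bytes.
SAMPLE_MODULE = b"\x90" * 8 + bytes.fromhex("C8390F0F8420010000") + b"\xCC" * 8


@dataclass(frozen=True)
class Patch:
    guid: str
    section: int
    kind: str            # "P" = pattern, "O" = offset
    find: bytes          # empty for "O"
    replace: bytes
    offset: int = -1     # only meaningful for "O"


def parse_patch(line: str) -> Patch:
    m = PATCH_LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised patch line: {line!r}")
    guid, section, kind = m["guid"].upper(), int(m["section"], 16), m["kind"]
    if kind == "P":
        find, replace = bytes.fromhex(m["a"]), bytes.fromhex(m["b"])
        if len(find) != len(replace):
            raise ValueError("pattern patch would change the module size")
        return Patch(guid, section, kind, find, replace)
    return Patch(guid, section, kind, b"", bytes.fromhex(m["b"]), int(m["a"], 16))


def count_occurrences(haystack: bytes, needle: bytes) -> int:
    """Count occurrences, overlapping ones included, so duplicates cannot hide."""
    n, pos = 0, haystack.find(needle)
    while pos != -1:
        n, pos = n + 1, haystack.find(needle, pos + 1)
    return n


def apply_patch(module: bytes, patch: Patch) -> bytes:
    if patch.kind == "O":
        end = patch.offset + len(patch.replace)
        if end > len(module):
            raise ValueError("offset patch runs past the end of the module")
        return module[:patch.offset] + patch.replace + module[end:]
    hits = count_occurrences(module, patch.find)
    if hits != 1:
        # 0 hits usually means a BIOS revision the patch was not made for;
        # more than 1 means the pattern is too short to apply blindly.
        raise ValueError(f"pattern matched {hits} times, expected exactly once")
    off = module.find(patch.find)
    return module[:off] + patch.replace + module[off + len(patch.find):]


def apply_patches(module: bytes, lines) -> bytes:
    """Apply every patch line in order; any failure aborts before a partial result."""
    for line in lines:
        module = apply_patch(module, parse_patch(line))
    return module


def demo() -> bytes:
    return apply_patches(SAMPLE_MODULE, [WHITELIST_PATCH])


if __name__ == "__main__":
    print(demo().hex())
```

The byte rewrites themselves are worth reading once: 0F 84 is a 6-byte JE rel32, and 90 E9 is a NOP followed by a 5-byte JMP rel32 that ends at the same address, so the displacement still reaches the same target and only the condition is gone. The overclock lines do the same with 8-bit jumps (75 08 and 74 08 become EB 08, JNE/JE to JMP), and the 75 16 to 75 00 rewrite leaves the JNE in place but makes it jump to the next instruction, which is a fall-through either way. This is also why the “too old a BIOS” caveat above matters: a pattern that does not match yields zero hits, and a patcher that silently continues in that case produces an image that looks patched and is not.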

