Creating ones own Insurgo

[Catacombs]

I purchased a refurbished Lenovo X 230 Core I5, 4 GB RAM, and a spinning hard drive, Windows 7 Pro for $228.00.

I ordered 16 GB RAM for about a hundred dollars. I thought the RAM would be less expensive.

My first mistake was to raise the BIOS/EFI to 2.77. Turns out Intel encrypts something to prevent one from rolling back the BIOS/EFI.

The option I had before was to run a jailbreak on the Lenovo that should allow me to neutralize the Intel Management Engines ability to get updates from Intel. Intel also had a whitelist that limits which WiFi chip it will allow to be used. I guess to make sure the Intel Management Engine can talk to the mothership. That jailbreak does not one to take apart the laptop. The jailbreak is on github 1vyrain. The site says do not attempt to use the jailbreak unless one has the allowed, correct, lower version of BIOS/EFI or it will brick it. As I write this I see some folks who say (Lenovo Forum) they have -done something - to roll back BIOS/EFI to 2.6. So they could use 1vyrain. Jailbreak 1vyrain actually accomplishes two of the big items I require. Prevent Intel from changing my X230 to something I do not want. And allow me to use another WiFi chip.

Flashing the Lenovo X230 BIOS/EFI w
ith an EEPROM is git hub Skulls. Which requires I spend money. And the documentation for doing that is not obvious, and old.

I decided I should buy a PI to program the X230. I started to buy one from Amazon and cancelled that when I saw the voltage on the power supply was 2.5 volts and someone said not use 3.3 Or less as the flash might not work correctly. Someone suggested ADA Fruit for the Pi. But the more complete ones are not
In stock. I am waiting on Corona money to buy one so I wil keep looking. I had a link once suggested by Insurgo. But it came from China, and took many weeks before the Corona started.

My first questions. I had thought while looking at the Skulls there would be an option for Core I5 versus Core I7. I haven’t seen it so far. Does that matter?

Clearly states to remove the battery, but did not say the coin CMOS battery. In fact I have not found that little turkey.

I want to have enough in my bank account to afford a replacement MOBO if I brick this one and can’t unbrick it.

Mostly the available documentation might have some flaw I am not experienced enough to catch.


One thing is obvious, while I my income may be to low to buy one, Insurgo products are not overpriced. This project is a lot of trouble. Parts. Tools. are not free.

Anyone have recent experience with flashing Skulls onto Lenovo X230?

[David Hobach]

On 4/15/20 6:05 PM, Catacombs wrote:
> I purchased a refurbished Lenovo X 230 Core I5, 4 GB RAM, and a spinning hard drive, Windows 7 Pro for $228.00.
>
> I ordered 16 GB RAM for about a hundred dollars. I thought the RAM would be less expensive.
>
> My first mistake was to raise the BIOS/EFI to 2.77. Turns out Intel encrypts something to prevent one from rolling back the BIOS/EFI.
>
> The option I had before was to run a jailbreak on the Lenovo that should allow me to neutralize the Intel Management Engines ability to get updates from Intel. Intel also had a whitelist that limits which WiFi chip it will allow to be used. I guess to make sure the Intel Management Engine can talk to the mothership. That jailbreak does not one to take apart the laptop. The jailbreak is on github 1vyrain. The site says do not attempt to use the jailbreak unless one has the allowed, correct, lower version of BIOS/EFI or it will brick it. As I write this I see some folks who say (Lenovo Forum) they have -done something - to roll back BIOS/EFI to 2.6. So they could use 1vyrain. Jailbreak 1vyrain actually accomplishes two of the big items I require. Prevent Intel from changing my X230 to something I do not want. And allow me to use another WiFi chip.

The jailbreak doesn't even require hardware access. So no pi, Pomona etc.

However it cannot disable Intel ME if I recall correctly. Just check
their site.

> Flashing the Lenovo X230 BIOS/EFI w
> ith an EEPROM is git hub Skulls. Which requires I spend money. And the documentation for doing that is not obvious, and old.
>
> I decided I should buy a PI to program the X230. I started to buy one from Amazon and cancelled that when I saw the voltage on the power supply was 2.5 volts and someone said not use 3.3 Or less as the flash might not work correctly. Someone suggested ADA Fruit for the Pi. But the more complete ones are not
> In stock. I am waiting on Corona money to buy one so I wil keep looking. I had a link once suggested by Insurgo. But it came from China, and took many weeks before the Corona started.
>
> My first questions. I had thought while looking at the Skulls there would be an option for Core I5 versus Core I7. I haven’t seen it so far. Does that matter?

For coreboot it doesn't matter which CPU you have.

For Qubes OS i7 quad core is usually a lot better than i5 dual core on
these old platforms. The latter might make Qubes OS almost unusable.

However you'll have to make sure the CPU supports VT-d. There are some
which don't - usually the gamer models. Check ark.intel for that.

> Clearly states to remove the battery, but did not say the coin CMOS battery. In fact I have not found that little turkey.

I'd recommend to also remove that. Check the tons of youtube videos on
X230 disassembly on where to find it. There's also a Lenovo hardware
maintenance manual describing all steps.

> I want to have enough in my bank account to afford a replacement MOBO if I brick this one and can’t unbrick it.

There's probably even youtube videos flashing the X230 out there.

And usually unbricking always works with hardware access to the
firmware/BIOS chip.

> Mostly the available documentation might have some flaw I am not experienced enough to catch.
>
>
> One thing is obvious, while I my income may be to low to buy one, Insurgo products are not overpriced. This project is a lot of trouble. Parts. Tools. are not free.

True.

> Anyone have recent experience with flashing Skulls onto Lenovo X230?

I didn't try skulls (it's just coreboot pre-compiled for the X230 if I
recall correctly) as I don't like flashing some untrusted binaries from
the Internet.

But I have some coreboot flashing experience (!= X230 though).

[Catacombs]

As I read on the git hub Skulls page. There is an individual who bricked his Lenovo X230 with trying to install CoreBoot. and can not reinstall his back up of his original BIOS/EFI. Not a lot of advice on that board.

Day before yesterday I put a spinning hard drive into my X230 to experiment with. For any of you not familiar with the physical layout of an X230, replacing the drive is super easy. One screw removes the plate covering drive. Drive slides out, has soft rubber slides that pop off either side of drive. Put them on replacement drive. Slide it in. Put side plate on. Tighten down screw.

I experimented by installing the Pure OS. I have an iPhone, on which I am typing this, which has unlimited data. And came with a gift of ten GBs HotSpot. I plugged the cable between the iPhone and X230 pure USB port to use data. Pure is like Debian in that it is FOSS and does not have driver for the already installed Intel Wireless. I spent several hours trying to get a Real Tek USB WiFi to install. Didn’t work for me. So I installed QUBES onto the spinning drive. Works.

Point of all this being. If I could keep the Intel Management Engine from from phoning home. And use the Wireless of my choice. I might not itch so much to install Core Boot Skulls. I know that Qubes will let me see connections with a wireless dongle. Maybe I should just disable driver for Intel WiFi, and just toddle along. I am guessing that would be in the Xen Hypervisor.

So my question is how do I disable the Intel WiFi driver. Might easier to just open back of computer and remove chip. Maybe the Intel Whitelist of WiFi is just a hoax. I should just try the Atheros chip. Probably lead to two hours of re installing QUBES. Any thoughts?

[Sven Semmler]

On Thu, Apr 16, 2020 at 09:16:40AM -0700, Catacombs wrote:
> As I read on the git hub Skulls page. There is an individual who bricked his Lenovo X230 with trying to install CoreBoot. and can not reinstall his back up of his original BIOS/EFI. Not a lot of advice on that board.

I share your reluctance, which is why my ME remains for now.

> So my question is how do I disable the Intel WiFi driver. Might easier to just open back of computer and remove chip. Maybe the Intel Whitelist of WiFi is just a hoax. I should just try the Atheros chip. Probably lead to two hours of re installing QUBES. Any thoughts?

The ME runs on a separate processor with it's own OS. Absolutely nothing
you do in your installed OS has any effect whatsoever on ME.

/Sven

--
public key: https://www.svensemmler.org/0x8F541FB6.asc
fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6

[awokd]

Sven Semmler:

> On Thu, Apr 16, 2020 at 09:16:40AM -0700, Catacombs wrote:
>> As I read on the git hub Skulls page. There is an individual who bricked his Lenovo X230 with trying to install CoreBoot. and can not reinstall his back up of his original BIOS/EFI. Not a lot of advice on that board.
>
> I share your reluctance, which is why my ME remains for now.
>
>> So my question is how do I disable the Intel WiFi driver. Might easier to just open back of computer and remove chip. Maybe the Intel Whitelist of WiFi is just a hoax. I should just try the Atheros chip. Probably lead to two hours of re installing QUBES. Any thoughts?
>
> The ME runs on a separate processor with it's own OS. Absolutely nothing
> you do in your installed OS has any effect whatsoever on ME.

True, but he should be able to use a non-Intel USB wifi adapter for
networking and disable the on-board Intel wifi in BIOS config or remove
the card entirely. It's unlikely (but not impossible) ME has drivers
built in that support networking over a 3rd party USB adapter.

--
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots

[Sven Semmler]

On Thu, Apr 16, 2020 at 07:14:39PM +0000, 'awokd' via qubes-users wrote:
> True, but he should be able to use a non-Intel USB wifi adapter for
> networking and disable the on-board Intel wifi in BIOS config or remove
> the card entirely. It's unlikely (but not impossible) ME has drivers
> built in that support networking over a 3rd party USB adapter.

Can't say either way. I would assume that if you can connect, the ME can
connect. On the other hand, for most peoples thread scenario a zero-day
exploit of the ME is probably not very high on the list. Just like XEN
virtualization escapes.

Qubes brings you very far in terms of security even when running on top
of ME. Important here is proper compartmentalization and having
sensitive data in offline qubes only.

Beyond that social engineering is probably your biggest worry. But I am
getting rapidly off topic. Sorry.

[unman]

On Thu, Apr 16, 2020 at 04:04:03PM -0500, Sven Semmler wrote:
> On Thu, Apr 16, 2020 at 07:14:39PM +0000, 'awokd' via qubes-users wrote:
> > True, but he should be able to use a non-Intel USB wifi adapter for
> > networking and disable the on-board Intel wifi in BIOS config or remove
> > the card entirely. It's unlikely (but not impossible) ME has drivers
> > built in that support networking over a 3rd party USB adapter.
>
> Can't say either way. I would assume that if you can connect, the ME can
> connect.

I don't think this is so - Intel states that the IME requires a supported
adapter, and I recall from my days as a network admin that remote
administration tools (which leverage the IME) could be stymied by
injudicious change of adapters.

It's also worth pointing out that no one (as far as I am aware) has ever
identified the IME "phoning home" to Intel, or anyone else, as OP seems
to think. I cant believe this is for lack of observation.
What *is* true is that the IME is not open to scrutiny, has
significant capabilities, and that exploits are out there.

[unman]

On Thu, Apr 16, 2020 at 09:16:40AM -0700, Catacombs wrote:

> As I read on the git hub Skulls page. There is an individual who bricked his Lenovo X230 with trying to install CoreBoot. and can not reinstall his back up of his original BIOS/EFI. Not a lot of advice on that board.
>
> Day before yesterday I put a spinning hard drive into my X230 to experiment with. For any of you not familiar with the physical layout of an X230, replacing the drive is super easy. One screw removes the plate covering drive. Drive slides out, has soft rubber slides that pop off either side of drive. Put them on replacement drive. Slide it in. Put side plate on. Tighten down screw.
>

> I experimented by installing the Pure OS. I have an iPhone, on which I am typing this, which has unlimited data. And came with a gift of ten GBs HotSpot. I plugged the cable between the iPhone and X230 pure USB port to use data. Pure is like Debian in that it is FOSS and does not have driver for the already installed Intel Wireless. I spent several hours trying to get a Real Tek USB WiFi to install. Didn???t work for me. So I installed QUBES onto the spinning drive. Works.

>
> Point of all this being. If I could keep the Intel Management Engine from from phoning home. And use the Wireless of my choice. I might not itch so much to install Core Boot Skulls. I know that Qubes will let me see connections with a wireless dongle. Maybe I should just disable driver for Intel WiFi, and just toddle along. I am guessing that would be in the Xen Hypervisor.
>
> So my question is how do I disable the Intel WiFi driver. Might easier to just open back of computer and remove chip. Maybe the Intel Whitelist of WiFi is just a hoax. I should just try the Atheros chip. Probably lead to two hours of re installing QUBES. Any thoughts?
>

If you install an unsupported (non Intel) WiFi adapter without clearing
the whitelist your Lenovo will not boot.
You will see a message telling you to remove the unsupported adapter.