diff --git a/Descriptions.txt b/Descriptions.txt index 948f278..797553c 100644 --- a/Descriptions.txt +++ b/Descriptions.txt @@ -46,7 +46,7 @@ x230t.GCHT25WW.s01DA000.FL2.orig 854d2b6a75060b9c8257cffc72f101e0b98e205b x230t x250.N10HT17W.s01E5000.FL2.orig 0732e80cddd0efcca9ba72dcfbdd0110d3c29dae x250 EC 1.16 Flash File (unpatched) x260.R02HT29W.s0AR0200.FL2.orig 35a9b0d623fea82a440aae816a91da2cb18f6801 x260 EC 1.11 Flash File (unpatched) -# The actual firmware extracted from the firmware file +# The actual EC firmware extracted from the BIOS firmware file t430.G1HT34WW.img.orig d3fde28cbdcb628da23ff30ee6c4a57d976700bf t430 EC 1.12 (decrypted) t430.G1HT35WW.img.orig 08ab64a0e61865781466fb2bfd97210fe0651bc8 t430 EC 1.13 (decrypted) t430s.G7HT39WW.img.orig 6e68545a76b42d534c8a4b24a63bf7bece996522 t430s EC 1.15 (decrypted) diff --git a/Makefile b/Makefile index 66dc5ad..1437e9b 100644 --- a/Makefile +++ b/Makefile @@ -187,7 +187,7 @@ $(DEPSDIR)/slice.insert.deps: Makefile # Generate all the orig images so that we can diff against them later -# a the generic binary extractor +# A generic binary extractor %.orig: %.slice scripts/slice.extract ./scripts/slice.extract $< $@ @@ -195,7 +195,7 @@ $(DEPSDIR)/slice.insert.deps: Makefile mec-tools/mec_encrypt -d $< $@ scripts/checksum --rm_on_fail $@ -# a generic encryptor +# A generic encryptor %.img.enc: %.img scripts/xx30.encrypt ./scripts/xx30.encrypt $< $@ @@ -214,7 +214,7 @@ $(DEPSDIR)/slice.insert.deps: Makefile ./scripts/hexpatch.pl $@ $@.d/*.patch # using both __DIR and __FL2 is a hack to get around needing to quote the -# DOS path separator. It feels like there should be a beter way if I put +# DOS path separator. It feels like there should be a better way if I put # my mind to it.. # %.iso.bat: %.iso.orig autoexec.bat.template diff --git a/docs/HACKING.txt b/docs/HACKING.txt index eecaa1d..f982fef 100644 --- a/docs/HACKING.txt +++ b/docs/HACKING.txt @@ -15,7 +15,7 @@ To use the radare projects, first install the project files: Then ensure you have the image file(s): - make x220.8DHT34WW.img x230.G2HT35WW.img x260.R02HT29W.img + make x220.8DHT34WW.img x230.G2HT35WW.img x260.R02HT29W.img Then start radare with one of these projects: @@ -49,7 +49,7 @@ probably useful: the dosflash.exe utility to a DOS boot disk and then use a command similar to: - + dosflash /sd /ipf ec /file s01D3000.FL2 To insert the firmware image back into the bootable cdrom and boot this @@ -67,4 +67,3 @@ References: http://forum.thinkpads.com/viewtopic.php?f=69&t=120776 http://www.zmatt.net/unlocking-my-lenovo-laptop-part-3/ http://plan9.stanleylieber.com/hardware/thinkpad/x230/x230.schematics.pdf - diff --git a/docs/firmware_flashing.txt b/docs/firmware_flashing.txt index 79b4dfc..501b38d 100644 --- a/docs/firmware_flashing.txt +++ b/docs/firmware_flashing.txt @@ -2,7 +2,7 @@ Much of this is educated guesswork from the observed steps, but it might provide a starting point for further investigation. Some of it could also be just plain wrong. -My current undetstanding on how the EC flash process (as opposed to +My current understanding on how the EC flash process (as opposed to the BIOS one) works are as follows: 1) dosflash loads firmware and does some validations @@ -21,4 +21,3 @@ the BIOS one) works are as follows: it sends itself a reset signal and reboots into the new EC firmware. 9) The BIOS gets confirmation from the EC that it is back up and running and allows the boot sequence to continue. - diff --git a/docs/firmware_layout.txt b/docs/firmware_layout.txt index 3825046..bde1c93 100644 --- a/docs/firmware_layout.txt +++ b/docs/firmware_layout.txt @@ -3,7 +3,7 @@ that have been examined. For this description, the firmwares that were examined are: * x220 - Checked the major structures compared to x230 -* x230 - intense dissassembly, with lesser checks on the rest of the +* x230 - intense disassembly, with lesser checks on the rest of the xx30 series confirming the same details * x250 and x260 EC firmware - cursory checks @@ -11,7 +11,7 @@ For this description, the firmwares that were examined are: Encryption: ----------- -Two parts of the firmware are encrypted - the interupt vector table at the +Two parts of the firmware are encrypted - the interrupt vector table at the start of the image and area that has the encryption keys. See zmatt's blog post[1] for more details. diff --git a/docs/table_fnkeys.txt b/docs/table_fnkeys.txt index 80e658c..909b7ec 100644 --- a/docs/table_fnkeys.txt +++ b/docs/table_fnkeys.txt @@ -1,5 +1,5 @@ -The EC firmware has at leat two tables that control the Fn+key combinations. +The EC firmware has at least two tables that control the Fn+key combinations. There is some evidence that there is a third table, but the table itself has not been found. @@ -12,7 +12,7 @@ keycode from the second byte is substituted (with possible modifier keys from the third byte) The table is big enough to hold 11 key replacements, and in the standard -firmare all but one of these are already used. +firmware all but one of these are already used. This structure of this table was identical in both the x220 and x230 firmware, just the contents differed. The classic keyboard patch simply @@ -27,13 +27,13 @@ patched the exact values from the x220 firmware into place. (source: x230 EC firmware version G2HT35WW, offset 0x21898) The address of this table and the number of entries contained in it are -located in a pointer object. +located in a pointer object. ; x220 simple replacement table ptr org 0x1f058 dw 11 ; number of entries dd 0x1f05e ; address of simple replacement table - + (source: x220 EC firmware version 8DHT34WW, offset 0x1f058) ; x230 simple replacement table ptr diff --git a/docs/table_matrix.txt b/docs/table_matrix.txt index 5fb3315..8f89657 100644 --- a/docs/table_matrix.txt +++ b/docs/table_matrix.txt @@ -12,8 +12,8 @@ modification. ThinkPad x220 matrix: --------------------- -This table is arranged in a array of bytes that is 16 columns by 17 rows, -with the second half of each row being unused (except for one anomaly) +This table is arranged in an array of bytes that is 16 columns by 17 rows, +with the second half of each row being unused (except for one anomaly). This corresponds to the physical hardware, which uses 16 "drive" lines and 8 "sense" lines - with one extra row, probably for some software keys. @@ -37,9 +37,9 @@ matrix[10]: 4c 7a 9a 99 98 97 a0 54 Del F11 Vol+ Vol- Mute IBM Mic Down matrix[11]: 55 56 00 00 9c 00 89 8a PgUp PgDn Menu PgBk PgFd matrix[12]: 50 51 00 00 00 53 7e 4f Home End Up Paus Left matrix[13]: 00 7c 7d 00 00 3c 00 3e PrSc ScLk AltL AltR -matrix[14]: 00 00 00 2c 00 00 39 00 SftL SftR +matrix[14]: 00 00 00 2c 00 00 39 00 SftL SftR matrix[15]: 3a 00 00 00 00 00 40 00 CtlL CtlR - + matrix[15][15] = 0x96 ?? matrix[16]: 00 9d 00 9e 9f 4a 3a 00 WinR? Pwr? Slp? Wak? CtlL @@ -98,4 +98,3 @@ controller scancode of the key pressed (Note that this scancode is internal to the EC - it is not the same as the BIOS scancode) (source: x230 EC firmware version G2HT35WW, offset 0x219e8) - diff --git a/scripts/slice.extract b/scripts/slice.extract index de60319..0b7f665 100755 --- a/scripts/slice.extract +++ b/scripts/slice.extract @@ -1,11 +1,11 @@ #!/bin/bash # -# Quick and dirty extracter to slice out a section of a binary file +# Quick and dirty extractor to slice out a section of a binary file # Copyright (C) 2016 Hamish Coleman # # TODO: # - a tool that is portable to Windows -# - should output dependancy information +# - should output dependency information INFOFILE="$1" if [ ! -r "$INFOFILE" ]; then @@ -25,4 +25,3 @@ read SOURCE OFFSET LENGTH <"$INFOFILE" set -x dd status=none iflag=count_bytes,skip_bytes if=$SOURCE skip=$[$OFFSET] count=$[$LENGTH] of="$OUT" - diff --git a/scripts/slice.insert b/scripts/slice.insert index bcb398c..9d19a54 100755 --- a/scripts/slice.insert +++ b/scripts/slice.insert @@ -5,7 +5,7 @@ # # TODO: # - a tool that is portable to Windows -# - should output dependancy information +# - should output dependency information INFOFILE="$1" if [ ! -r "$INFOFILE" ]; then diff --git a/scripts/xx30.encrypt b/scripts/xx30.encrypt index c9e1f40..89d857a 100755 --- a/scripts/xx30.encrypt +++ b/scripts/xx30.encrypt @@ -5,7 +5,7 @@ # # TODO: # - a tool that is portable to Windows -# - should output dependancy information +# - should output dependency information INP="$1" if [ -z "$INP" ]; then