From 155dd623bdfa17f019ef113bedf993c12e7d8924 Mon Sep 17 00:00:00 2001 From: nestire Date: Mon, 10 Nov 2025 15:46:58 +0100 Subject: [PATCH 1/3] add GbE perserving external flashing to t480 install Signed-off-by: nestire --- .../Flashing-Guides/T480-maximized.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/Installing-and-Configuring/Flashing-Guides/T480-maximized.md b/Installing-and-Configuring/Flashing-Guides/T480-maximized.md index 2eee860..ecef2c2 100644 --- a/Installing-and-Configuring/Flashing-Guides/T480-maximized.md +++ b/Installing-and-Configuring/Flashing-Guides/T480-maximized.md 
@@ -101,12 +101,22 @@ diff <(hexdump -C t480_original_bios.bin) <(hexdump -C t480_original_bios_1.bin) If the files differ or the chip content does not match the dump, try reconnecting your programmer to the SPI flash chip and make sure your flashrom/flashprog software is up-to-date. -If they are the same, then write `T480-hotp-maximized.rom` to the SPI flash chip: +If they are the same, you can then write `T480-hotp-maximized.rom` to the SPI flash chip: ```shell sudo flashrom -p ch341a_spi -c YYY -w ~/heads/build/x86/T480-hotp-maximized/T480-hotp-maximized.rom ``` +If you want to perserve the orignal ethernet mac adress you would need to extract GbE from the original firmware and insert that into the heads firmware. Otherwise the ethernet will have the general mac: 00:DE:AD:C0:FF:EE. The orignal mac adress is a identifier of you laptop which can be used to track you in local network, otherwise in networks with other heads devices with the same mac you will have connectivty problems. You need the [ifdtool](https://doc.coreboot.org/util/ifdtool/binary_extraction.html) from coreboot for that. +To extract and insert the GbE into heads run: + +```shell +ifdtool -x t480_original_bios.bin +ifdtool -i GbE:flashregion_3_gbe.bin ~/heads/build/x86/T480-hotp-maximized/T480-hotp-maximized.rom +``` + +this will create `T480-hotp-maximized.rom.new` which you then can write directly to the SPI flash chip (see above). + Here is a successful attempt. Be patient, it may take a while. ![erase/write done]({{ site.baseurl }}/images/T480/9_flash.jpg) From 1316285eb7a19ef193ec42843c40c104ce0eeb55 Mon Sep 17 00:00:00 2001 From: nestire Date: Tue, 11 Nov 2025 11:33:45 +0100 Subject: [PATCH 2/3] dont use ifdtool to perserve mac adress Signed-off-by: nestire --- .../Flashing-Guides/T480-maximized.md | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) 
diff --git a/Installing-and-Configuring/Flashing-Guides/T480-maximized.md b/Installing-and-Configuring/Flashing-Guides/T480-maximized.md index ecef2c2..538062e 100644 --- a/Installing-and-Configuring/Flashing-Guides/T480-maximized.md +++ b/Installing-and-Configuring/Flashing-Guides/T480-maximized.md 
@@ -101,21 +101,18 @@ diff <(hexdump -C t480_original_bios.bin) <(hexdump -C t480_original_bios_1.bin) If the files differ or the chip content does not match the dump, try reconnecting your programmer to the SPI flash chip and make sure your flashrom/flashprog software is up-to-date. -If they are the same, you can then write `T480-hotp-maximized.rom` to the SPI flash chip: +If they are the same, you can then write `T480-hotp-maximized.rom` to the SPI flash chip. ```shell sudo flashrom -p ch341a_spi -c YYY -w ~/heads/build/x86/T480-hotp-maximized/T480-hotp-maximized.rom ``` -If you want to perserve the orignal ethernet mac adress you would need to extract GbE from the original firmware and insert that into the heads firmware. Otherwise the ethernet will have the general mac: 00:DE:AD:C0:FF:EE. The orignal mac adress is a identifier of you laptop which can be used to track you in local network, otherwise in networks with other heads devices with the same mac you will have connectivty problems. You need the [ifdtool](https://doc.coreboot.org/util/ifdtool/binary_extraction.html) from coreboot for that. -To extract and insert the GbE into heads run: +On boards with Intel-based Ethernet, such as the T480, this will also overwrite the GbE region in the BIOS, which stores the MAC address of the chip, with a forged one (MAC: 00:DE:AD:C0:FF:EE). This has the privacy benefit that the chip uses this shared MAC so it can't be used as a personal identifier for this exact board. The downside is that this can create connectivity problems on local networks if other heads boards with the same MAC address are present. 
To preserve the original MAC address of the board, use: ```shell -ifdtool -x t480_original_bios.bin -ifdtool -i GbE:flashregion_3_gbe.bin ~/heads/build/x86/T480-hotp-maximized/T480-hotp-maximized.rom +sudo flashrom -p ch341a_spi -c YYY --ifd -i bios -i me -i fd -w ~/heads/build/x86/T480-hotp-maximized/T480-hotp-maximized.rom ``` -this will create `T480-hotp-maximized.rom.new` which you then can write directly to the SPI flash chip (see above). Here is a successful attempt. Be patient, it may take a while. ![erase/write done]({{ site.baseurl }}/images/T480/9_flash.jpg) From c05112f01c4f6e3f014b73ac88841ebe18acae29 Mon Sep 17 00:00:00 2001 From: nestire Date: Wed, 19 Nov 2025 16:53:06 +0100 Subject: [PATCH 3/3] general change to mac adress perserving flashing Signed-off-by: nestire --- About/Historical-Legacy-Migration.md | 10 +++++++++- Installing-and-Configuring/Upgrading.md | 13 +++++++++++-- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/About/Historical-Legacy-Migration.md b/About/Historical-Legacy-Migration.md index f90ed0e..d9ea13e 100644 --- a/About/Historical-Legacy-Migration.md +++ b/About/Historical-Legacy-Migration.md 
@@ -99,10 +99,18 @@ mount-usb flashprog -p internal -w /media/PathToMaximizedRom.rom ``` +on board with Intel based Ethernet you might want to use: + +``` +sudo flashrom -p internal --ifd -i bios -i me -i fd -w /media/PathToMaximizedRom.rom +``` + +to perserve the orignal mac adresse + **Note**: Use `flashprog` on newer Heads firmware (2025+) or `flashrom` on older firmware versions, depending on what is available in your Heads system. On next reboot, Heads would guide you into factory resetting your USB Security dongle or import your previously generated public key matching your USB Security dongle's private key. It would then regenerate a TOTP/HOTP secret and sign /boot content. You would then have to define a new default boot and optionally renew/change your Disk Unlock Key to be released to to OS to unlock your encrypted OS installation to move forward. -In the case nothing was found installed on your disk, Heads would propose you to boot from USB to install a new Operating System, prior of being able to do the above steps prior of booting into your system. \ No newline at end of file +In the case nothing was found installed on your disk, Heads would propose you to boot from USB to install a new Operating System, prior of being able to do the above steps prior of booting into your system. diff --git a/Installing-and-Configuring/Upgrading.md b/Installing-and-Configuring/Upgrading.md index 90b4f78..c9021d0 100644 --- a/Installing-and-Configuring/Upgrading.md +++ b/Installing-and-Configuring/Upgrading.md 
@@ -64,6 +64,16 @@ If you are installing Heads for the first time, you will need to perform an exte - Verifying file integrity. - Preparing for external flashing. +You can use this command +```shell + sudo flashrom -p ch341a_spi -c YYY -w [HEADS_ROM] +``` +On boards with Intel-based Ethernet, this will also overwrite the GbE region in the BIOS, which stores the MAC address of the chip, with a forged one (MAC: 00:DE:AD:C0:FF:EE). This has the privacy benefit that the chip uses this shared MAC so it can't be used as a personal identifier for this exact board. The downside is that this can create connectivity problems on local networks if other heads boards with the same MAC address are present. To preserve the original MAC address of the board, use: + +```shell + sudo flashrom -p ch341a_spi -c YYY --ifd -i bios -i me -i fd -w [HEADS_ROM] +``` + **Note**: This process is only required for the initial installation of Heads. --- @@ -121,8 +131,7 @@ If you need to validate the current firmware integrity against the last flashed **Note on `CONFIG_FLASH_OPTIONS`**: - The `CONFIG_FLASH_OPTIONS` variable specifies the board-specific flash options to ensure proper handling of SPI regions during flashing. These options are defined in the board's configuration file. - Boards may specify different SPI regions to flash. For example: - - The `novacustom-v540tu` board preserves the `GBE` (Gigabit Ethernet) region, ensuring the manufacturing MAC address remains intact. - - The `x230-hotp-maximized` board overwrites the entire SPI flash, including the `GBE` region, replacing it with a generic configuration. + - All boards with intel based ethernet chips preserves the `GBE` (Gigabit Ethernet) region, ensuring the MAC address remains intact. - To inspect the flash options for your board, use the `env` command in the recovery shell: ```shell env
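Review bot: In [PATCH 1/3], the paragraph added after the flashrom command in T480-maximized.md misspells several words ("perserve", "orignal", "adress", "connectivty") and joins the privacy and connectivity trade-offs with "otherwise", so it is hard to tell which drawback belongs to the shared MAC and which to the original one. [PATCH 2/3] deletes this paragraph and both ifdtool lines again, so squashing 1/3 into 2/3 would keep the abandoned ifdtool approach and the misspelled text out of the history.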
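Review bot: In [PATCH 2/3], the full-chip `flashrom -p ch341a_spi -c YYY -w ...` command in T480-maximized.md still comes before the new paragraph that says it overwrites the GbE region, so a reader working top to bottom has already replaced the MAC before learning there is a preserving variant. Move the explanation above the first code block and present the two commands as alternatives. The phrase "the GbE region in the BIOS" also conflicts with the command under it, where `bios` is one region listed beside `me` and `fd`; "the GbE region of the SPI flash" would match the command.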
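Review bot: In the About/Historical-Legacy-Migration.md hunk of [PATCH 3/3], the added command is `sudo flashrom -p internal ...` while the existing line directly above it is `flashprog -p internal -w ...` without sudo, and the note that follows tells readers to choose flashprog or flashrom by firmware version. Match the form of the existing command or say why this one differs. The new fence also has no language tag, unlike the `shell` fences added elsewhere in this series, and the fragment "to perserve the orignal mac adresse" left after the block would read better as a full lead-in before it, for example "On boards with Intel-based Ethernet, to preserve the original MAC address, use:".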
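Review bot: In the first Installing-and-Configuring/Upgrading.md hunk of [PATCH 3/3], "You can use this command" is added directly under the list item "- Preparing for external flashing." with no blank line, and the fence follows it with none either, so Markdown will read the sentence as a continuation of the last bullet. Add a blank line before the sentence and before the fence, end the sentence with a colon, and drop the leading space inside both code blocks. `YYY` and `[HEADS_ROM]` are not explained in the added text; say what the reader substitutes for each. The GbE paragraph repeats the one added to T480-maximized.md in 2/3 almost word for word, so consider keeping it in one place and linking to it.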
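Review bot: In the second Installing-and-Configuring/Upgrading.md hunk of [PATCH 3/3], the replacement bullet states that all boards with Intel-based Ethernet preserve the `GBE` region, while the line it removes says `x230-hotp-maximized` overwrites the entire SPI flash including `GBE`. This series only touches documentation files, so nothing here shows the board flash options changing; confirm the new statement against the board configurations or keep the per-board examples. The bullet also still sits under "For example:" although it is no longer an example, and it needs "Intel-based" and "preserve" (plural).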