Free Hardware: a new guide to liberate old Thinkpads in twelve steps.

2 replies [Last post]
Ignacio.Agullo
Offline
Joined: 09/29/2009

You want Liberty. And you want Safety. Well, you might be in a dilemma, for as Benjamin Franklin said, ‘Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety’.

But you use computers. And, luckily, there is no dilemma here. Liberty and Safety, Freedom and Security, go hand in hand. Security requires Open Source, because what you cannot study you cannot trust. And then full trust requires Libre Software, because the freedom to reuse it makes it so much more likely that other programmers will look at it and detect vulnerabilities, and in case of trouble anyone could deliver a fix.

So, you install Libre Software on your computer. You got it! But you are not satisfied yet. You want Free Hardware too. Now that is harder to get. Manufacturers sell their machines with software stored in integrated circuits, what is called firmware. You want this firmware to be Free too. But firmware is harder to replace. In order to do that, you need to rewrite the EEPROM containing it, a delicate operation. But the harder part is to provide a replacement – the manufacturers typically keep the source code to themselves, so you do not know what is inside it, and even if you were a programmer you would experience difficulties in learning what to replace in the first place.

Now let’s focus on Thinkpads. Thinkpads have firmware both in the motherboard and in the hard drive. Let’s focus on the motherboard firmware in particular, for it presents many Security and Freedom issues:
a) It contains the firmware for the Intel Management Engine (IME), an autonomous subsystem incorporated in all of Intel’s processor chipsets since 2006. There is no way to disable the IME, which keeps working as long as the computer is receiving power, be it from a plug or from the battery, even if the computer is turned off. The IME has access to memory, screen, keyboard, mouse and network. The IME contains known vulnerabilities that make the computer vulnerable to remote and local attackers. The IME can be used as a backdoor, therefore is a backdoor.
b) It has a whitelist for Wi-Fi cards, meaning it will refuse to work with any Wi-Fi card that is not on the list.
c) In older models it does not allow for booting from USB thumb drives.
d) In some models it does not allow for software rewrite of the Motherboard Firmware, which means that the only possible way to perform the rewrite entails opening the laptop and connecting wires to the Motherboard Chip from a Flasher Computer.

There is a way to fix these issues – the Libreboot and Canoeboot distributions of the Coreboot Libre BIOS:
-Libreboot: https://libreboot.org/
-Canoeboot: https://canoeboot.org/

Now there is a crucial difference between older and newer Thinkpads:
a) In newer Thinkpads X220, X220 Tablet, T420, T420s, T430, T520, X230, T430, T530, W530, X230 Tablet, T480, T480s, T440p, W540, W541, the IME cannot be disabled completely. If it does not run at boot time, the computer will either fail to boot or shut down automatically after 30 minutes. The firmware can still be replaced in part with a Libre alternative that disables the IME during operation, but the IME still needs to run during boot up, and therefore the IME blob needs to be a part of the replacement. But remember, this blob is proprietary, so it is not redistributable, and therefore no firmware replacement containing it can be redistributable either. The workaround to solve this conundrum is to have a build system that, when launched by you, automatically downloads the blob files directly from the hardware vendor, copies them into the ROM image during build time, and automatically deletes them before generating the modified ROM image that is to be rewritten into the motherboard flash chip. Smart move! Still, using a blob makes the resulting firmware non-Libre.

b) In older Thinkpads X200, X200S, X200 Tablet, R400, T400, T400S, R500, T500, W500, X60, X60S, X60 Tablet, and some T60, the IME can be disabled completely. The firmware stored in the motherboard flash chip can be replaced with a Libre alternative, with the exception of a part named the Embedded Controller. So, you are left with the Embedded Controller unchanged, but at least you replace the BIOS with a Libre alternative and disable the IME completely! Now, you can also update the Firmware Interface Table that contains the microcode updates for the Intel microprocessor – but wait, this microcode is proprietary. So you get two choices for these older Thinkpads: use Libreboot, which in turn gives you the choice to update the microcode and therefore is not strictly Libre, or use Canoeboot, which does not update the microcode and is strictly Libre.

There is already extensive documentation for Libreboot and Canoeboot on their websites. For these older Thinkpads in particular the documentation is presented in a dispersed way, so I just wrote a new guide explaining how to liberate these older Thinkpads in twelve steps. Well, yes, some steps consist of a single action, and some consist of a number of sub-steps.

Nacho Agulló's Node in English: How to liberate an old Thinkpad
https://www.grafotema.com/agullo/articulos/thinkpad/How_to_liberate_an_old_thinkpad.html

Kind regards,
Ignacio Agulló.

eric23
Offline
Joined: 06/30/2017

The quote is very distracting from the conversation.

On the Franklin quote.

https://www.npr.org/2015/03/02/390245038/ben-franklins-famous-liberty-safety-quote-lost-its-context-in-21st-century

I found this text on your website. Not sure if it is rendering properly from your page.

"–" in this sentence:

The first thing that happens with choices is that they are good because of letting you decide, and at the same time they are bad because you need to take the effort to learn about them – otherwise, you might end up choosing wrong and feeling stupid.

Ignacio.Agullo
Offline
Joined: 09/29/2009

Ah, thank you. Character – (long hyphen) looks apparently right on my Trisquel, but when uploaded to my website gets replaced by – (small a with circumflex accent, euro sign, quotes sign). It needs to be replaced with the short hyphen. There, fixed it.