G1ETC2WW (2.82) with the 1vyrain mod: https://1vyra.in/
After 1vyrain mod you have to re-enable Intel Virtualization & VT-d!
TPM activated in BIOS, but I didn’t test it with AEM yet.
Qubes-HCL-LENOVO-2347FY7-20230127-014255.yml (926 Bytes)
Thank you @iamroot for your HCL report, which is online now!
I’ve moved your post into this machine thread, so all the posts regarding the T430 are in one place.
@Sven I’ve read that you have two T430 each with the i7-3840qm.
In 1vyrain there’s the option to limit the TDP of the T430. Have you, or anyone else, tried something similar in Heads (like underclocking) to reduce the heat that’s coming from the CPU?
Nope, I don’t think that’s necessary either. The fans seem to handle it just fine (using a Thinkfan profile to make it less annoying).
I do have noticed though that R4.1 appears to need a lot more resources than R4.0. I’ll post about that soon.
Definitely looking forward to your post!
Thinking about upgrading my T430 (fhd upgrade + i7 = ~$300), but I came to the conclusion that maybe a Lenovo P50 would be a better investment in terms of CPU and especially memory…Not to forget the incredibly fast NVMe drive slots! Most importantly it seems to work well with Qubes too.
But I’ll never give up my T430 
Self-flashed t430 with heads-hotp-maximized. The Nitrokey USB dongle works great with this machine. Using edited thinkfan profile so the fans reach full-tilt when temps reach 70 degrees.
Big thanks to Sven’s write-ups and https://osresearch.net/
Thank you @Litter_Box for your HCL report, which is online now!
While I very much agree with your remark and link, the HCL is not the place for it.
Is there any protection against specter/meltdown in T430 processors? Xen/Coreboot probably can’t mitigate these vulnerabilities, do I understand correctly?
Thank you all so much for all the information provided in this thread.
I am at the moment in the process of building and costumizing my own Thinkpad T430.
In this context I have a non-Qubes-specific question I cant find information on and wondered if someone here might be able to help.
At the moment I have flashed Skulls via 1vyrain and am not finding information whether this also removes the Wlan-Whitelist.
Has someone flashed their Thinkpad via 1vyrain with Skulls and replaced the Wlan-Card with something better like the AX200HMW and can report whether or not the card works?
I am at the moment in the process of building and costumizing my own
Thinkpad T430.
Bravo and best regards. Please report back your successes or failures.
In this context I have a non-Qubes-specific question I cant find
information on and wondered if someone here might be able to help.
Tip: Lenovo T430 | Heads - Wiki
At the moment I have flashed Skulls via 1vyrain and am not finding
information whether this also removes the Wlan-Whitelist.
I believe it should, but have no real experience with 1vyrain or Skulls.
“* Whitelist removal to use any WLAN/WWAN adapter”
Has someone flashed their Thinkpad via 1vyrain with Skulls and replaced
the Wlan-Card with something better like the AX200HMW and can report
whether or not the card works?
Sorry can’t help here, I’ve used neither 1vyrain with Skulls or
experimented with an AX200HMW. Maybe @Sven will have better tips.
Reference for the brave:
https://medium.com/@p0358/removing-wlan-wwan-bios-whitelist-on-a-lenovo-laptop-to-use-a-custom-wi-fi-card-f6033a5a5e5a
AFAIK, the EC is involved only into battery whitelisting removal, and coreboot replacement removes the whitelisting of Intel wlan cards only.
A quick search validates the hypothesis Removing whitelists? T430 T420 etc · Issue #85 · hamishcoleman/thinkpad-ec · GitHub
You also need to flash the EC if you want to use the classic 7-row keyboard from the x220 on the x230
I heard that 5(,5)V is only a problem if you always hardware flash every update, not for one time flashing,as from then one software flashing is possible
Thanks for the tip! I tried it and had some issues, this is what I used:
# Heads T430 build
distrobox-create Coreboot -i docker.io/library/debian:stable
distrobox-enter Debian
sudo apt install nala
sudo nala install build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg iasl m4 nasm patch python3 wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev doxygen graphviz udev libudev1 libudev-dev automake libtool rsync innoextract
mkdir Download
git clone https://github.com/osresearch/heads
wget https://raw.githubusercontent.com/corna/me_cleaner/master/me_cleaner.py
wget https://download.lenovo.com/pccbbs/mobiles/g1rg24ww.exe
sha256sum me_cleaner.py
sha256sum g1rg24ww.exe
#f60e1990e2da2b7efa58a645502d22d50afd97b53a092781beee9b0322b61153 g1rg24ww.exe
#28e9c1904690a39d9bbb913ddfde38f6f6a6428654105be3ca911fd53866b27a me_cleaner.py
innoextract g1rg24ww.exe -d heads/blobs/xx30
python3 me_cleaner.py -r -t -O heads/blobs/xx30/me.bin heads/blobs/xx30/app/ME8_5M_Production.bin
cd heads
make BOARD=t430-maximized CPUS=$(nproc)
cd ..
python3 me_cleaner.py -s heads/build/t430-maximized/heads-t430-maximized-*-bottom.rom
# flashing
sudo flashrom --programmer ch341a_spi -c "MX25L6406E/MX25L6408E" -r t430-8mb.rom
sudo flashrom --programmer ch341a_spi -c "MX25L6406E/MX25L6408E" -w heads-t430-hotp-maximized-v0.2.0-1150-g0670bcd-bottom.rom
sudo flashrom --programmer ch341a_spi -c "MX25L3206E/MX25L3208E" -r t430-4mb.rom
sudo flashrom --programmer ch341a_spi -c "MX25L3206E/MX25L3208E" -w heads-t430-hotp-maximized-v0.2.0-1150-g0670bcd-top.rom
I want to convert this to a script that fails when one thing in the chain fails. For that it would be great to also have the test with reading the bios image and comparing the diff or some hashsums like sha256.
Also, there is no python python2 in debian, as well as no python command, at least for me. I used python3 instead and it worked.
Now when trying to build the image I get the error:
Makefile:170: *** "t430-maximized: neither CONFIG_COREBOOT nor CONFIG_LINUXBOOT is set?". Stop.
How and what config would I use here?
This means your docker build cannot find the coreboot config file pointed by the board configuration file. This is relative path to local heads directory, not sure what is happening with docker there.
hm, I am not using Docker but podman in Distrobox. Not sure if this is a difference. The Distrobox containers have full homedir access.
Lol… I think I burnt my programmer? tried to measure some voltages while plugged in, and I may have bridged some wrong things? Now its not showing up in lsusb anymore and flashrom doesnt work.
I guess I will get “the blue variant” then, but what is that? This one? It looks completely different from mine
You want it to look like this one CH341A Programmer V1.7 1.8V Level Conversion W25Q64FW W25Q128FW GD25LQ64 | eBay
Or this one 1 Pcs Metal Ch341A Programmer V1.7 1.8V Level W25Q64Fw W25Q128Fw Parts I4J9h 4711512691209 | eBay
See the voltage selector and the round thing not present on older board revision? Any suggestions welcome at Add in place programmer's flashing "best practices" and refer to ch341a rev 1.6+ · Issue #120 · osresearch/heads-wiki · GitHub
For docker, sorry but cannot support all methods nor OSes as of now until Heads upstreams fixes the issue by binding with nixos layer with fixated packages list, creating the exact host layer needed to build reproducibility. Tired of fixing things that breaks again later on because packages upgrades on host images. Then a docker/podman might be created, but goal is to create reproducible host builds tack to create reproducible output. Until then, only debian 11 is supported where CircleCI config can be reviewed to install debian 11 needed tools to build reproducible and even then its not yet perfect.
Podman/docker/container: same thing in my opinion.
Hey there, I’ve been following the community hardware list and certified builds for a few weeks, looking at all options. I’m just wondering if you’re going to be updating your website with new options in the near future?