Lenovo ThinkPad T430 / Nitrokey NitroPad T430

Do you run Qubes OS on USB slot?

No. I am running it on the internal hard drive (SSD). I fear we have a language problem.

I have ordered a Lenovo T430.

I see guides to flash the ROM. https://github.com/merge/skulls/blob/master/t430/README.m

and I see, https://medium.com/@n4ru/the-definitive-t430-modding-guide-3dff3f6a8e2e

By George Kushnir who says he has created 1vyrain to do a lot of the things that ROM Flash would do. Since the guide from George Kushnir does not mention it. I am guessing that 1vyrain does not have a path to install Heads, and verify that the computer has not been tampered with. Nor does it mention 'Anti-Evil Maid." which I think there is some independent way to do, besides ROM Flashing.

Kushnir mentions replacing screen, keyboard, Wireless adapter.

Of course Memory. Up to 16 GB and SSD, which I notice Sven said to use something on the par with Samsung Pro.

Since if I am going to fail on doing a ROM Flash, I would rather not put more dollars into hardware first. Like a Screen. I need to determine whether the ROM Flash is the best route, and whether we have progressed to the point we can do through Software what a CH341 Flasher, programmer can do?

Any other suggestions as to how to proceed? Order to proceed?

don’t get me wrong, but the T430 is a very old hardware with known and unpatchable (CPU) flaws and very limitied hardware resources (low RAM and lack of nvme)
I would not invest a single penny to this thing - if you serious about security.
Of course, it is still valuable - if your goal to learn things…

Please provide references.
But isn’t it being ‘very old’ in this context a benefit? Modern Intel ME cannot be removed. You can start here, https://twitter.com/_markel___, to see how modern intel platforms have far greater attack surface from the start.

What’s your alternative?

I wouldn’t use ivyrain, I’d actually flash heads and remove Intel ME while you’re at it.

My reccommendations:
Remove microphone
Remove webcam
Remove wireless/bluetooth*

*Use a usb wireless adapter/compute-stick, (Added benefit you can now use a non-intel non-x86 device, and you can enforce a vpn tunnel on that device for redundancy). Also t430 has multiple usb controllers, so you can dedicate one usb port to sys-usb-net, which brings multiple benefits.

Zrubi, In several ways, you are quite correct. I bought it because is amazingly low price.

The Modding includes fixing some of the firmware attack surface.

The intent of Qubes OS, is for security. Older hardware has all its problems well known. True, it can run much slower than today’s latest processors and … But those pieces of hardware are likely to have completely unknown risks.

What I am trying to recreate, is like one of what is described as Qubes “Certified Hardware.” Most likely to be secure.

Can be amazingly slow compared to an Intel 12th generation I7.

Certified Hardware is like the Nitro Pad. NitroPad T430 | www.nitrokey.com

Which I would directly buy instead of DIY, if I had the money.

I had hoped someone had solved the problem of fixing the BIOS/EFI by software rather me having to take the thing apart, and Flashing with a hardware programmer.

Quser59, I will keep in mind your suggestions. When you say remove the Microphone, Computer Camera, I take it you mean to physically removed them. Sounds similar to a project for an Iphone to prevent the cell Iphone being used to spy on me.

1vyraine now removes the unpleasant parts of ME. I know Intel furnishes supposed fixed to neutralize something in the Management Engine.

I had hoped Ivyraine had taken the last step, and could be used to install Heads. Freeing me from using hardware programmer to get a version of Core Boot on computer that would allow me to install Heads next. I have read that if one is going to use Heads. Do that instead of doing other things, which might conflict with hardware programing. and Gork Mobo.

Someone knowledgeable wrote a better reply. In this thread, Sven’s reply.

https://forum.qubes-os.org/t/intel-me-real-threat-for-ordinary-persons/7693/2

Moved this thread into the T430 thread in the ‘HCL Reports’ section. The idea is to have all conversations about a particular machine in one big thread.

Just make sure you backup the original ROM contents before writing, so you can always restore.

1. place clip and do not touch it again until the end
2. read ROM (first run)
3. read ROM again (second run)
4. check that both reads are identical with sha256sum (connection is good)
5. write your new contents

For the chip marked U49 (MX25L6406E / 8MB)…

sudo flashrom --programmer ch341a_spi -c "MX25L6406E/MX25L6408E" -r t430-8mb.rom
flashrom v1.2 on Linux 4.19.213-1.pvops.qubes.x86_64 (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found Macronix flash chip "MX25L6406E/MX25L6408E" (8192 kB, SPI) on ch341a_spi.
Reading flash... done.

sudo flashrom --programmer ch341a_spi -c "MX25L6406E/MX25L6408E" -w heads-t430-hotp-maximized-v0.2.0-1150-g0670bcd-bottom.rom
flashrom v1.2 on Linux 4.19.213-1.pvops.qubes.x86_64 (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found Macronix flash chip "MX25L6406E/MX25L6408E" (8192 kB, SPI) on ch341a_spi.
Reading old flash chip contents... done.
Erasing and writing flash chip... Erase/write done.
Verifying flash... VERIFIED.

For the chip marked U99 (MX25L3206E / 4MB)…

sudo flashrom --programmer ch341a_spi -c "MX25L3206E/MX25L3208E" -r t430-4mb.rom
flashrom v1.2 on Linux 4.19.213-1.pvops.qubes.x86_64 (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found Macronix flash chip "MX25L3206E/MX25L3208E" (4096 kB, SPI) on ch341a_spi.
Reading flash... done

sudo flashrom --programmer ch341a_spi -c "MX25L3206E/MX25L3208E" -w heads-t430-hotp-maximized-v0.2.0-1150-g0670bcd-top.rom
flashrom v1.2 on Linux 4.19.213-1.pvops.qubes.x86_64 (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found Macronix flash chip "MX25L3206E/MX25L3208E" (4096 kB, SPI) on ch341a_spi.
Reading old flash chip contents... done.
Erasing and writing flash chip... Erase/write done.
Verifying flash... VERIFIED.

I tried not to answer, but I can’t

This assertion makes no sense to me. Without spending days researching each and every unpatched vulnerability, I hope it is fair to summarize all of them as side-channel-attacks ala meltdown/spectre. In that case:

• more modern CPU have even more (potentially undiscovered) flaws of this nature
• Qubes OS / XEN implement countermeasures
• hyperthreading is off by default
• any attack of this nature will be noticeable (CPU load, fan patterns)
• there are easy behavioral countermeasures like shutting down less trusted / online qubes when running stuff in a critical qube

So any exposure resulting from the fact that the CPU is Ivy Bridge is of a nature that is still true for more modern CPU if not more so. However as others have already pointed out, this older architecture allows for the near complete removal of IME which is not possible with newer CPU.

Looking at the balance, I come to the exact opposite conclusion: if you are serious about security, this clearly is the way to go.

About the performance: this is of course an issue depending on ones use cases. If one does a lot of video/photo editing, gaming or needs to run multiple Windows 10 qubes a machine of this age will be very uncomfortable. However, for more boring use cases like office documents, email/web/messenger communications, even most software/embedded development the T430 packs more than enough punch and has plenty of room. I routinely run 14+ qubes based on minimal templates concurrently and have no issues at all. So, clearly: it depends.

One of my problems with doing the Flash Rom is setting the clip. Old Eyes. One can barely see the bottom of the clip while putting it on.

I was looking at using a Micro Hook from the CH341A to the ROM Chips. I am not sure if the hook ends can find onto the feet of the Integrated Circuit, without over touching. Or on the programmer leads.

Anyone have any experience with this?

Thanks for any information

It always takes me 2-3 tries to get it right. In my experience the tool just fails to read if the clip doesn’t sit well.

That’s why 2 reads to check and then the write without touching the clip in between.

Ponoma 5250 clip is recommended. Also, look in to getting the shortest breadboard cables you can (10cm female to female if you can). This has an impact on the reliability of the read.

It’s also worth asking whether your CH341a is a blue one or a black one. This has an effect on the voltage which can cause issues, so it’s worth looking in to.

I found the Ponoma clip to be very easy to attach. Very strong hold, no issues. Wasn’t fiddly at all.

Like an absolute IDIOT I hooked up my cables in reverse (gnd, miso 3.3v etc.). Fortunately it didn’t brick anything. There is a mark on the board itself to give you an indication about how the wires are laid out, to let you know where to attach what to your ch341a

I must say external flashing seems far more intimidating from the outside until you actually do it. It’s worth doing imo, just use the guide on osresearch.net (depending on your laptop model) use a good clip & wires, ideally a blue ch341a, and you should be fine. I’m by no means a tech wizzard and I got it done without issue.

As Sven said, you read from the card twice & it verifies that the readings are the same, ensuring you have a solid connection.

An issue you might run into with old eyes is reading what chip you have from the top of the SPI ROM chips. I used a camera in macro mode, and that helped.

Yeah, OK it is really depends how you think about security

For modding the firmware - surely the older is ‘better’ - as more have done it and you will be not alone in the path.

But for me that is really questionable. As I can’t do it alone, I would need someone I trust to replace the all the flash roms…
Same for the Intel ME ‘removal’ - as the true removal is jut not possible. you can achieve ‘only’ partial results.

So the ‘serious about security’ means for me that you can - and willing to - spend a lot of money to eliminate the compromise you surely have with an old/outdated/modedd/DIY hardware. And this is very likely means multiple devices for different tasks.

If I would able to choose, I would prefer the System76 machines with open firmware.

But in practice there is always some compromise. So the individual must make the decision about what to give up from their ‘original’ goals.

So referring back the the original post I was replying to:
If you have a cheap T430 (as you will pay with your time) AND you are able (and willing to) successfully replace all the firmware then you may and up with a decent hardware for sure.

I also have a T430 at home (still with the original firmware) But for me even just to upgrade the memory and replace the old and - nearly dead - battery make it not feasible.

I have a black CH341A. What is the difference to the black, blue, green CH341A?

I take the advice to use short wires to be relevant. I will buy something shorter than I have. I suspect that having fluorescent lights, and LED lights might have EMF problems. I may try to do flash on front porch. Lots of light as well. Now to find a teenager who dreams of being an engineer. All my coffee drinking buddies are old.

The two Pomona clips I purchased previously might have been counterfeit, the blue part quickly crumbled away from being reset, stress, The SOIC clip which came with the programmer is like epoxy, quite sturdy.

I would guess the hooks must never be allowed to brush up against two legs of the IC at the same time. So buying exactly the correct size would be important. Also don’t plug programmer in until the all the hooks are set. I am not sure which I should attempt.

If the Flash works, I thought, I don’t need to know which Chip I have. Annoying that it is so difficult to find out exactly which ROM Chip I have. As if I know the correct ROM chip number I could get the original ROM to Flash. My experience with an Lenovo X230 ROM chips, they had adhesive from the black plastic cover. After I used alcohol to clean it off, even in the sunlight my camera could not come up with numbers I could read.

But if the first Flash works, I don’t really need to know.

Sven, I recall that when the Flash seemed to be working, the information provided came rather quickly. Meaning a 'insufficient Contact" becomes clear in like thirty second, nothing happens, reset SOIC, or Hooks. Is that Correct?

Zrubi, the T430 I purchased was refurbished, which increases likely hood the T430 will continue to work. unless I mess up the Flash. I will need more RAM for it. A better WiFi adapter, the original one in the X230 was not nearly as fast as the replacement. Suggested by Sven, a top of the line SSD. For a hundred something I could get a better screen. I already have a Librem Key. So yeah, there are more expenses to get to where I want to be. I can do them at a hundred a month or so.

All of you, Thanks for the help.

On many lenovos, it makes little difference which chip set you choose,
either for reading or writing.
You can confirm this yourself by reading using different chip sets - you
will get the same result.
The same for writing.

Generally, if you clean the chip with alcohol swab you can see enough
of the identifier to work out which chip it is. But it really isnt
necessary.

It felt even faster than that. Like 2-3 seconds maybe.

Unman, thank you for your reply. When one is first reading through the check list a lot of details would be too much. but right now, Knowing what I can expect, is comforting to anticipate what is likely to happen.

Like wise, Thank you Sven.

I have been looking at the github Skulls:

Has check list/documentation for installing Core Boot - either X230 or T430- on separate pages–… From what I read. I can use this to do hardware Flash, and come back later and from software- with the laptop closed up, install Heads, and get my Librem Key to be used for checkup at start. The Heads website does not have a list for T430.

Interestingly, the github Skulls page suggests one use a CH341A set to five volts, saying 3.3 Volts is not powerful enough… That would be a black CH341A.

I will test the machine for a few days. To verify if it seems functional before doing the Flash. If the Flash went bad, I don’t think it fair to return it for being dysfunctional. Which means if any of you have any other suggestions, there is time.

Thanks all of you…

Doesn’t it say they use an external power supply, they mention using the AMS1117 which they probably set to 3.3V, the chip isn’t designed to handle 5v vcc.

The CH341A can only do 5V logic signals, which is an issue, but using 5v vcc could destroy the chip.