Do you run Qubes OS from a USB slot?
No. I am running it on the internal hard drive (SSD). I fear we have a language problem.
I have ordered a Lenovo T430.
I see guides to flash the ROM. https://github.com/merge/skulls/blob/master/t430/README.m
and I see, https://medium.com/@n4ru/the-definitive-t430-modding-guide-3dff3f6a8e2e
by George Kushnir, who says he has created 1vyrain to do a lot of the things that a ROM flash would do. Since the guide from George Kushnir does not mention it, I am guessing that 1vyrain does not have a path to install Heads and verify that the computer has not been tampered with. Nor does it mention "Anti Evil Maid", which I think there is some independent way to do, besides ROM flashing.
Kushnir mentions replacing screen, keyboard, Wireless adapter.
Of course memory, up to 16 GB, and an SSD, which I notice Sven said should be something on a par with a Samsung Pro.
If I am going to fail at doing a ROM flash, I would rather not put more dollars into hardware first, like a screen. I need to determine whether the ROM flash is the best route, and whether we have progressed to the point where we can do through software what a CH341 flasher/programmer can do.
Any other suggestions as to how to proceed? Order to proceed?
Don't get me wrong, but the T430 is very old hardware with known and unpatchable (CPU) flaws and very limited hardware resources (low RAM and lack of NVMe).
I would not invest a single penny in this thing - if you are serious about security.
Of course, it is still valuable - if your goal is to learn things…
Please provide references.
But isn't being "very old" in this context a benefit? Modern Intel ME cannot be removed. You can start here, https://twitter.com/markel__, to see how modern Intel platforms have far greater attack surface from the start.
What's your alternative?
I wouldn't use 1vyrain, I'd actually flash Heads and remove Intel ME while you're at it.
My recommendations:
Remove microphone
Remove webcam
Remove wireless/bluetooth*
*Use a USB wireless adapter/compute stick (added benefit: you can now use a non-Intel, non-x86 device, and you can enforce a VPN tunnel on that device for redundancy). Also the T430 has multiple USB controllers, so you can dedicate one USB port to sys-usb-net, which brings multiple benefits.
Zrubi, in several ways you are quite correct. I bought it because it is an amazingly low price.
The modding includes fixing some of the firmware attack surface.
The intent of Qubes OS is security. Older hardware has all its problems well known. True, it can run much slower than today's latest processors and … But those pieces of hardware are likely to have completely unknown risks.
What I am trying to recreate is like one of what is described as Qubes "Certified Hardware." Most likely to be secure.
It can be amazingly slow compared to an Intel 12th generation i7.
Certified Hardware is like the Nitro Pad. NitroPad T430 | www.nitrokey.com
Which I would directly buy instead of DIY, if I had the money.
I had hoped someone had solved the problem of fixing the BIOS/EFI by software rather than me having to take the thing apart and flash with a hardware programmer.
Quser59, I will keep in mind your suggestions. When you say remove the microphone and computer camera, I take it you mean to physically remove them. Sounds similar to a project for an iPhone to prevent the iPhone being used to spy on me.
1vyrain now removes the unpleasant parts of ME. I know Intel furnishes supposed fixes to neutralize something in the Management Engine.
I had hoped 1vyrain had taken the last step and could be used to install Heads, freeing me from using a hardware programmer to get a version of coreboot on the computer that would allow me to install Heads next. I have read that if one is going to use Heads, do that instead of doing other things, which might conflict with hardware programming. and Gork Mobo.
Someone knowledgeable wrote a better reply in this thread: Sven's reply.
Moved this thread into the T430 thread in the "HCL Reports" section. The idea is to have all conversations about a particular machine in one big thread.
Just make sure you backup the original ROM contents before writing, so you can always restore.
- place clip and do not touch it again until the end
- read ROM (first run)
- read ROM again (second run)
- check that both reads are identical with sha256sum (connection is good)
- write your new contents
For the chip marked U49
(MX25L6406E / 8MB)…
sudo flashrom --programmer ch341a_spi -c "MX25L6406E/MX25L6408E" -r t430-8mb.rom
flashrom v1.2 on Linux 4.19.213-1.pvops.qubes.x86_64 (x86_64)
flashrom is free software, get the source code at https://flashrom.org
Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found Macronix flash chip "MX25L6406E/MX25L6408E" (8192 kB, SPI) on ch341a_spi.
Reading flash... done.
sudo flashrom --programmer ch341a_spi -c "MX25L6406E/MX25L6408E" -w heads-t430-hotp-maximized-v0.2.0-1150-g0670bcd-bottom.rom
flashrom v1.2 on Linux 4.19.213-1.pvops.qubes.x86_64 (x86_64)
flashrom is free software, get the source code at https://flashrom.org
Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found Macronix flash chip "MX25L6406E/MX25L6408E" (8192 kB, SPI) on ch341a_spi.
Reading old flash chip contents... done.
Erasing and writing flash chip... Erase/write done.
Verifying flash... VERIFIED.
For the chip marked U99
(MX25L3206E / 4MB)…
sudo flashrom --programmer ch341a_spi -c "MX25L3206E/MX25L3208E" -r t430-4mb.rom
flashrom v1.2 on Linux 4.19.213-1.pvops.qubes.x86_64 (x86_64)
flashrom is free software, get the source code at https://flashrom.org
Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found Macronix flash chip "MX25L3206E/MX25L3208E" (4096 kB, SPI) on ch341a_spi.
Reading flash... done
sudo flashrom --programmer ch341a_spi -c "MX25L3206E/MX25L3208E" -w heads-t430-hotp-maximized-v0.2.0-1150-g0670bcd-top.rom
flashrom v1.2 on Linux 4.19.213-1.pvops.qubes.x86_64 (x86_64)
flashrom is free software, get the source code at https://flashrom.org
Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found Macronix flash chip "MX25L3206E/MX25L3208E" (4096 kB, SPI) on ch341a_spi.
Reading old flash chip contents... done.
Erasing and writing flash chip... Erase/write done.
Verifying flash... VERIFIED.
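The two-read check from the post above, written out as a script. This is an added example and not part of the thread: it calls flashrom with the same programmer and chip names as the transcript (so it must run as root), and the FLASHROM/PROGRAMMER variables and the function names are my own, made overridable so the comparison logic can be exercised without hardware.

```shell
#!/bin/sh
# Two-read verification before an external SPI flash write (CH341A + flashrom).
# FLASHROM and PROGRAMMER are overridable so the logic can be exercised without hardware.
FLASHROM="${FLASHROM:-flashrom}"
PROGRAMMER="${PROGRAMMER:-ch341a_spi}"

# reads_match FILE1 FILE2: succeed only if both dumps hash identically (sha256sum).
reads_match() {
    h1=$(sha256sum "$1" | cut -d' ' -f1)
    h2=$(sha256sum "$2" | cut -d' ' -f1)
    [ -n "$h1" ] && [ "$h1" = "$h2" ]
}

# read_twice CHIP PREFIX: dump the chip twice without touching the clip in between;
# leaves PREFIX-1.rom and PREFIX-2.rom and succeeds only if they are identical.
read_twice() {
    chip=$1; prefix=$2
    "$FLASHROM" --programmer "$PROGRAMMER" -c "$chip" -r "$prefix-1.rom" || return 1
    "$FLASHROM" --programmer "$PROGRAMMER" -c "$chip" -r "$prefix-2.rom" || return 1
    reads_match "$prefix-1.rom" "$prefix-2.rom"
}

# flash_chip CHIP PREFIX IMAGE: write IMAGE only after two matching reads;
# the verified dump is kept as PREFIX-backup.rom so the original can be restored.
flash_chip() {
    chip=$1; prefix=$2; image=$3
    [ -s "$image" ] || { echo "image $image missing or empty" >&2; return 1; }
    if ! read_twice "$chip" "$prefix"; then
        echo "reads differ: reseat the clip and start over (nothing was written)" >&2
        return 1
    fi
    cp "$prefix-1.rom" "$prefix-backup.rom"
    "$FLASHROM" --programmer "$PROGRAMMER" -c "$chip" -w "$image"
}

# Example for the T430 bottom chip U49 (run as root, chip name as in the post):
#   sh flash-twice.sh run "MX25L6406E/MX25L6408E" t430-8mb heads-bottom.rom
case "${1:-}" in
    run) flash_chip "$2" "$3" "$4" ;;
esac
```

Repeat the same invocation with the 4 MB chip name for U99; the backup file from each run is what you restore with `flashrom -w` if the new image does not boot.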
I tried not to answer, but I can't.
This assertion makes no sense to me. Without spending days researching each and every unpatched vulnerability, I hope it is fair to summarize all of them as side-channel attacks à la Meltdown/Spectre. In that case:
- more modern CPUs have even more (potentially undiscovered) flaws of this nature
- Qubes OS / XEN implement countermeasures
- hyperthreading is off by default
- any attack of this nature will be noticeable (CPU load, fan patterns)
- there are easy behavioral countermeasures like shutting down less trusted / online qubes when running stuff in a critical qube
So any exposure resulting from the fact that the CPU is Ivy Bridge is of a nature that is still true for more modern CPUs, if not more so. However, as others have already pointed out, this older architecture allows for the near-complete removal of IME, which is not possible with newer CPUs.
Looking at the balance, I come to the exact opposite conclusion: if you are serious about security, this clearly is the way to go.
About the performance: this is of course an issue depending on one's use cases. If one does a lot of video/photo editing, gaming or needs to run multiple Windows 10 qubes, a machine of this age will be very uncomfortable. However, for more boring use cases like office documents, email/web/messenger communications, even most software/embedded development, the T430 packs more than enough punch and has plenty of room. I routinely run 14+ qubes based on minimal templates concurrently and have no issues at all. So, clearly: it depends.
One of my problems with doing the ROM flash is setting the clip. Old eyes. One can barely see the bottom of the clip while putting it on.
I was looking at using micro hooks from the CH341A to the ROM chips. I am not sure if the hook ends can get a grip on the feet of the integrated circuit without touching too much, or on the programmer leads.
Anyone have any experience with this?
Thanks for any information
It always takes me 2-3 tries to get it right. In my experience the tool just fails to read if the clip doesn't sit well.
That's why 2 reads to check and then the write without touching the clip in between.
The Pomona 5250 clip is recommended. Also, look into getting the shortest breadboard cables you can (10cm female to female if you can). This has an impact on the reliability of the read.
It's also worth asking whether your CH341A is a blue one or a black one. This has an effect on the voltage, which can cause issues, so it's worth looking into.
I found the Pomona clip to be very easy to attach. Very strong hold, no issues. Wasn't fiddly at all.
Like an absolute IDIOT I hooked up my cables in reverse (GND, MISO, 3.3V etc.). Fortunately it didn't brick anything. There is a mark on the board itself to give you an indication about how the wires are laid out, to let you know where to attach what to your CH341A.
I must say external flashing seems far more intimidating from the outside until you actually do it. It's worth doing imo, just use the guide on osresearch.net (depending on your laptop model), use a good clip & wires, ideally a blue CH341A, and you should be fine. I'm by no means a tech wizard and I got it done without issue.
As Sven said, you read from the card twice & it verifies that the readings are the same, ensuring you have a solid connection.
An issue you might run into with old eyes is reading what chip you have from the top of the SPI ROM chips. I used a camera in macro mode, and that helped.
Yeah, OK, it really depends how you think about security.
For modding the firmware - surely the older is "better" - as more have done it and you will not be alone on the path.
But for me that is really questionable. As I can't do it alone, I would need someone I trust to replace all the flash ROMs…
Same for the Intel ME "removal" - as true removal is just not possible. You can achieve "only" partial results.
So "serious about security" means for me that you can - and are willing to - spend a lot of money to eliminate the compromise you surely have with old/outdated/modded/DIY hardware. And this very likely means multiple devices for different tasks.
If I were able to choose, I would prefer the System76 machines with open firmware.
But in practice there is always some compromise. So the individual must make the decision about what to give up from their "original" goals.
So referring back to the original post I was replying to:
If you have a cheap T430 (as you will pay with your time) AND you are able (and willing) to successfully replace all the firmware, then you may end up with decent hardware for sure.
I also have a T430 at home (still with the original firmware). But for me even just upgrading the memory and replacing the old and - nearly dead - battery makes it not feasible.
I have a black CH341A. What is the difference between the black, blue and green CH341A?
I take the advice to use short wires to be relevant. I will buy something shorter than I have. I suspect that having fluorescent lights, and LED lights might have EMF problems. I may try to do flash on front porch. Lots of light as well. Now to find a teenager who dreams of being an engineer. All my coffee drinking buddies are old.
The two Pomona clips I purchased previously might have been counterfeit; the blue part quickly crumbled away from being reset, stress. The SOIC clip which came with the programmer is like epoxy, quite sturdy.
I would guess the hooks must never be allowed to brush up against two legs of the IC at the same time. So buying exactly the correct size would be important. Also don't plug the programmer in until all the hooks are set. I am not sure which I should attempt.
If the flash works, I thought, I don't need to know which chip I have. Annoying that it is so difficult to find out exactly which ROM chip I have, as if I knew the correct ROM chip number I could get the original ROM to flash. My experience with a Lenovo X230's ROM chips: they had adhesive from the black plastic cover. After I used alcohol to clean it off, even in the sunlight my camera could not come up with numbers I could read.
But if the first flash works, I don't really need to know.
Sven, I recall that when the flash seemed to be working, the information provided came rather quickly. Meaning an "insufficient contact" becomes clear in like thirty seconds: nothing happens, reset the SOIC clip or hooks. Is that correct?
Zrubi, the T430 I purchased was refurbished, which increases the likelihood the T430 will continue to work, unless I mess up the flash. I will need more RAM for it. A better WiFi adapter; the original one in the X230 was not nearly as fast as the replacement. Suggested by Sven, a top of the line SSD. For a hundred something I could get a better screen. I already have a Librem Key. So yeah, there are more expenses to get to where I want to be. I can do them at a hundred a month or so.
All of you, Thanks for the help.
On many Lenovos, it makes little difference which chip set you choose, either for reading or writing.
You can confirm this yourself by reading using different chip sets - you will get the same result.
The same for writing.
Generally, if you clean the chip with an alcohol swab you can see enough of the identifier to work out which chip it is. But it really isn't necessary.
It felt even faster than that. Like 2-3 seconds maybe.
Unman, thank you for your reply. When one is first reading through the checklist, a lot of details would be too much. But right now, knowing what I can expect is comforting, to anticipate what is likely to happen.
Likewise, thank you Sven.
I have been looking at the GitHub Skulls page:
It has a checklist/documentation for installing coreboot - either X230 or T430 - on separate pages… From what I read, I can use this to do the hardware flash, and come back later and from software - with the laptop closed up - install Heads, and get my Librem Key to be used for a checkup at start. The Heads website does not have a list for the T430.
Interestingly, the GitHub Skulls page suggests one use a CH341A set to five volts, saying 3.3 volts is not powerful enough… That would be a black CH341A.
I will test the machine for a few days to verify that it seems functional before doing the flash. If the flash went bad, I don't think it fair to return it for being dysfunctional. Which means if any of you have any other suggestions, there is time.
Thanks all of you…
Doesn't it say they use an external power supply? They mention using the AMS1117, which they probably set to 3.3V; the chip isn't designed to handle 5V VCC.
The CH341A can only do 5V logic signals, which is an issue, but using 5V VCC could destroy the chip.