
Bypassing a bone-headed battery block


Note: This article discusses mechanisms for updating the BIOS and Embedded Controller of computers that haven't been made in almost 20 years. Exercise an abundance of caution when attempting to follow, reproduce or build off of my findings. These computers only get more rare over time, and while a bad BIOS flash may be recoverable, I have no idea whether a bad EC flash can be recovered.

Introduction: Enter the ThinkPad

Some time ago, I picked up an IBM ThinkPad X40 for a pretty decent price. It's a nice machine, came in relatively good condition (some cosmetic wear, but nothing actually broken), and doesn't have the worst specs. It has an amber ThinkLight, which I find quite charming.

This was a fairly good machine when it came out, featuring (in my case) WiFi, Bluetooth, IrDA, Gigabit Ethernet and 56k fax modem connectivity. It also has one (1) single CardBus slot, and an SD slot that supports SDIO.

The battery it came with was, predictably for a machine of its age, dead. I didn't really intend for this to be a machine I'd carry about, and the battery casing was cracked enough that I was able to just open it up and remove all the cells and circuitry, leaving a nice blank. This, however, would turn out to be a problem when doing any firmware updates.

It also came with its original 1.8" IDE hard drive (blessedly, this used the standard 2.5" interface rather than the other 1.8" interface I've seen, which uses a ribbon connector instead and is vastly easier to plug in the wrong way...), and the drive even still worked. For a bit of fun, I wanted to start off with as close to the factory configuration as possible for this machine.

This unit originally shipped with Windows XP, and some kind soul has made all seven (7!) recovery CDs available on archive.org. This is especially lucky because the only alternatives are to either attempt to order a set of recovery discs from Lenovo directly, or to appeal to the hoarders on the ThinkPad forum who think it's completely okay to hoard recovery media and provide access only on request by individuals who have met their bizarre criteria. No thanks.

Google dot com how do I upgrade BIOS

Sometimes the X40 wouldn't boot without my manually selecting an option (i.e. entering Setup). My initial suspicion was that the HDD was failing, and I wanted to replace it with an mSATA SSD anyway, so I switched out the HDD (temporarily) for an mSATA to IDE 2.5" adapter to get the OS reinstalled, only to discover that the drive simply wasn't being detected. I'd been informed by my friends over at the Vintage Tech Nerds Telegram group that IBM was famous for locking its firmware down to only accept its own HDDs, so my first port of call was upgrading the BIOS to the latest version and then looking for a modified version (or modifying it myself) to permit other drives to be used.

ThinkWiki's matrix of BIOS and Embedded Controller versions for all ThinkPads noted that the final version was BIOS 2.08 and Embedded Controller firmware 1.62 - my device had BIOS 2.06 and EC 1.61, so an update was my first step. I downloaded the updates from the links on ThinkWiki (funnily, there's a bold notice on ThinkWiki noting that all the download links are broken and have been since 2015, but none of the ones I needed were broken).

The advice on ThinkWiki was to upgrade the Embedded Controller first, then upgrade the BIOS, so I ran the update program. It advised keeping the laptop undocked, connected to AC power, and with a fully-charged battery connected. I didn't have a working battery at all, so I went ahead with the understanding that this was simply an advisory. The update program rebooted the computer, and a lovely text-mode IBM logo came up, followed by a menu with options to view a README or initiate the firmware upgrade. The problem began when I tried to initiate the firmware upgrade.

It came up with confirmation messages stating that the laptop must be undocked (fine), connected to AC power (also fine), and have a fully charged battery connected (not fine). I continued, thinking this was just a second advisory, but woe betide, the upgrade program actually checks that you have a fully-charged battery connected, and refuses to continue without it.

Initial Google searches indicated I could pass the command-line argument -sp to the update program to have it ignore the battery requirements, but this must have been added in firmware update programs newer than the X40's, because it had no effect, and later analysis of the program showed that there was no such functionality in it.

Searches also indicated I could use a program called WinPhlash (which I downloaded from the apparently legitimate website "wim's bios") to flash the EC and BIOS firmwares. I was able to take a full backup of the BIOS before doing anything, but was unable to use it to flash the Embedded Controller firmware, so it seems I -have- to use the official software for the EC part.

Put your balaclava on, it's time for crime

At this point it was obvious I'd need to work out how the firmware update process worked, and then hack it in some way to remove the battery check. The downloaded update files from Lenovo were standard InstallShield programs, and the actual update programs were extracted and run from %temp% - the currently logged-in user's temporary files directory. Both the BIOS and the Embedded Controller updates had the same file structure for the most part. I found it interesting that there was an IMG file, so I inspected that first using 7-Zip (because hey, did you know that 7-Zip can open pretty much anything? You can even open raw disks with it.)

Opening the IMG file revealed that it was... a floppy image. A regular 3.5" high-density 1.44MB floppy diskette image.

What was in the image was pretty interesting. The biggest file was $019B000.FL2, which was obviously the Embedded Controller firmware itself. At a later date I might inspect it and see what fun crimes can be done with it, but for now I just wanna grill for god's sake. There were some other interesting things in the image, though: a minimal copy of IBM PC-DOS 5.00, with some additional software specific to flashing the Embedded Controller firmware.

I verified what this was by running ibmdos.com through IDA Free 5.0 (the last version to support 16-bit binaries, blessedly preserved by the ScummVM folks) and confirming that it was, in fact, IBM DOS 5.00. To double-check, I opened up command.com as well, but found that it was actually the program responsible for the text-mode IBM logo and the menu that's presented afterwards.
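The same inspection can be done programmatically. The FAT12 parser below is an added example (not my tooling, and not IBM's): it decodes the image's BIOS Parameter Block, checks that the geometry matches a 1.44MB diskette, and lists the root directory. Since the real update image isn't reproduced here, it runs against a constructed image whose file names follow the layout described above; the sizes are made up.

```python
import struct

FLOPPY_1440 = 1_474_560   # bytes in a 3.5" high-density diskette image
BPB_FMT = "<HBHBHHBH"     # FAT12 BIOS Parameter Block fields, starting at offset 11

def parse_bpb(img):
    """Decode the BIOS Parameter Block of a FAT12 floppy image into a dict."""
    bps, spc, reserved, nfats, root_entries, total, media, spf = struct.unpack_from(BPB_FMT, img, 11)
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc, "reserved": reserved,
            "num_fats": nfats, "root_entries": root_entries, "total_sectors": total,
            "media": media, "sectors_per_fat": spf}

def is_hd_floppy(img):
    """True if the image has the size, sector count and boot signature of a 1.44MB diskette."""
    bpb = parse_bpb(img)
    return (len(img) == FLOPPY_1440
            and bpb["bytes_per_sector"] * bpb["total_sectors"] == len(img)
            and img[510:512] == b"\x55\xAA")

def list_root(img):
    """Return (NAME.EXT, size) for every live file in the root directory."""
    bpb = parse_bpb(img)
    root_off = (bpb["reserved"] + bpb["num_fats"] * bpb["sectors_per_fat"]) * bpb["bytes_per_sector"]
    entries = []
    for i in range(bpb["root_entries"]):
        e = img[root_off + 32 * i: root_off + 32 * (i + 1)]
        if e[0] == 0x00:                   # 0x00 marks the end of the used entries
            break
        if e[0] == 0xE5 or e[11] & 0x18:   # deleted entry, volume label/LFN, or subdirectory
            continue
        name = e[:8].decode("ascii").rstrip()
        ext = e[8:11].decode("ascii").rstrip()
        entries.append((f"{name}.{ext}" if ext else name, struct.unpack_from("<I", e, 28)[0]))
    return entries

def build_sample_image(files):
    """Constructed sample: standard 1.44MB FAT12 geometry with only the BPB and root
    directory filled in (no FAT chains or file data). Names and sizes are made up."""
    img = bytearray(FLOPPY_1440)
    img[0:3] = b"\xEB\x3C\x90"                       # jump over the BPB, as a real boot sector does
    struct.pack_into(BPB_FMT, img, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9)
    struct.pack_into("<HH", img, 24, 18, 2)          # 18 sectors per track, 2 heads
    img[510:512] = b"\x55\xAA"
    root_off = (1 + 2 * 9) * 512                     # reserved sector + two 9-sector FATs
    for i, (name, size) in enumerate(files):
        base, _, ext = name.partition(".")
        entry = bytearray(32)
        entry[:8] = base.upper().ljust(8).encode("ascii")
        entry[8:11] = ext.upper().ljust(3).encode("ascii")
        entry[11] = 0x20                             # archive attribute: a plain file
        struct.pack_into("<I", entry, 28, size)
        img[root_off + 32 * i: root_off + 32 * (i + 1)] = entry
    return bytes(img)
```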

I spent a while in IDA trying to work out if I could simply patch out the battery check in updtflsh.exe - the program called by the menu when initiating the EC flash procedure - but I couldn't locate where this was actually happening, and I have very little experience with reverse-engineering 16-bit software. IDA Free 5.0's interface is also... quite a bit harder to get to grips with than the more modern software I'm used to.

It occurred to me, however, that I knew what the startup program was, and I knew what version of IBM DOS was being used. Could I simply replace the custom command.com with the equivalent from a retail copy of IBM PC-DOS 5.00? As it turns out, yes! I swapped the files in the floppy image, ran the EC firmware update program, it rebooted Windows and warm-booted into the floppy image, and I was immediately presented with the current date and time, and a prompt to change them should I wish.

Finally, I was able to update the Embedded Controller's firmware by running the command QKFLASH.EXE $019B000.FL2 - as documented in the "extremely last resort" section of ThinkWiki's article on updating the BIOS, qkflash.exe is the program that actually performs the flashing.

After this completed, the laptop completely shut down. I left it for a few seconds, then powered up, and it booted right back up. I then used WinPhlash to flash the BIOS itself, and when I rebooted into the BIOS setup, it confirmed I was now running BIOS 2.08 and EC 1.62. Success!

Where now?

I stopped here, because it was a small victory and I was tired, but I want to do more with this. It brought up some interesting questions, namely:

  • Can I fiddle with the Embedded Controller firmware, and perhaps enable some new functionality or fiddle with the keyboard mappings?
  • Can I modify the BIOS to disable the hard drive DRM? Existing modifications are only available for the X41 and newer.
  • How does the firmware update program manage to load a floppy disk image into memory and warm-reboot the computer directly into it?
  • Can I wholesale replace this with a different floppy image? What state is the computer actually in? What could you do with this?
  • Are there any other limitations IBM placed on this machine that I could perhaps lift?