Coreboot installation on Chromebook ASUS C201PA

Goal

In this manual I will try to explain how to install Coreboot (the 2018 version) on the Chromebook ASUS C201PA (referred to below simply as the C201) with the Paper build system. At the time of writing this manual (Q1 2018), Libreboot didn’t have any updated sources for this laptop, so I decided it would be better to use Coreboot.

Introduction

There is a Libreboot installation guide for the Chromebook ASUS C201, and I suggest you read that first for easier understanding and detailed insight into what we’ll be trying to achieve through this manual. The steps are not identical, since you will actually be installing Coreboot, which is a different project, but it might give you some ideas about the similar hardware and software being used here. I suggest that you read more about the Coreboot project before proceeding with the installation.

Before proceeding with anything you should already have a working GNU/Linux operating system on the C201. This manual does not explain how to install a GNU/Linux distribution on the C201, so you will need to find this information elsewhere. At the time of trying out this Coreboot installation I had a working GNU/Linux Debian 9 Stretch operating system on the SD card and Chrome operating system on the eMMC internal flash drive. This is my review and summary of Paul Kocialkowski’s sets of instructions. Paul is a Libreboot and Coreboot developer who was willing to assist me in getting this properly installed on my computer. The summary of all performed commands is written into a text file, so make sure to double check that, because this website wrongly renders and displays some of the characters.

Requirements

  • Secondary laptop (the same laptop could also be used)
  • USB key
  • Thin piece of plastic (guitar pick) for laptop disassembly
  • Installation of additional programs “apt-get install flashrom gnupg”

Laptop disassembly instructions

The first step is to remove the write protect screw, which is inside the laptop. Refer to the similar Libreboot manual to read more about it. First you need to unscrew the 8 screws which are holding the laptop together. Two of them are below the plastic caps/stands. Use something like a sharp piece of plastic to slide below the caps and remove them. You will need to open up the chassis of the C201. The best tool for this is a very thin piece of plastic; something like a guitar pick would be good. I did not have one and used a credit card, which was already a bit too thick to slide inside. You need to separate the shiny silver upper part and the lower blue part of the C201 by placing a piece of plastic in between and sliding it all around the lower part of the laptop. Beware that inside the laptop there are plastic clips which hold the two parts together, so don’t go too deep with the piece of plastic, so as not to break those clips.

When you manage to separate the bottom and upper parts of the laptop, take care not to pull them apart completely, because inside there are two striped connectors (one black wider one for the keyboard and one white thin one for the touchpad), so be careful when detaching those straps not to tear them apart (you don’t really need to detach them, you can also line up the parts). When you have opened up the laptop put it into such position. Then unscrew the inner screw which is marked inside the white circle on the photo. That screw is the write protection screw, so once it is removed you will be able to install Coreboot. When that is done, just assemble the laptop back together by pushing both parts (shiny silver upper part and bottom blue part) together, and save the screw.

Installation

Boot into Chrome OS. You will need some storage to transfer the files from Chrome OS to your other computer; a USB key is fine. You need to be in Chrome OS developer mode. Log in as the root user in Chrome OS. This is done with Ctrl + Alt + F1 (top right arrow). Sometimes root doesn’t have a password set, so just press the Enter key to bypass the password. You should see a visible # as a prompt. Insert the USB key. It will probably mount itself automatically; in my case it was mounted under /media/removable/USBDRIVE . If the USB key doesn’t mount automatically, you will need to perform the mounting commands. You need to put a file (flash.img) on the USB key. Go to the USB key directory.

  • # cd /media/removable/USBDRIVE
  • # flashrom -p host -r flash.img

Copy file flash.img to USB key. Power off the computer and stick the USB key into another computer. Boot into your favourite GNU/Linux distribution. Install Paul Kocialkowski’s gnupg public key (fingerprint 01B7 0C5D 940C B63D 5FA6 12C2 84FD C1EA 8FEE 950C) for verifying the installer. Create a directory on the PC and copy file flash.img from USB key there. Run the following commands as normal user (non-root) on another computer:

  • gpg --recv-keys 8FEE950C
  • export DOWNLOAD_URL=http://jp.si/C201/paper-release-20180102/
  • wget "$DOWNLOAD_URL/tools/x86_64/libreboot-release/libreboot-release"
  • chmod a+x libreboot-release
  • ./libreboot-release prepare cros-scripts vboot-tools coreboot-depthcharge-veyron-speedy

You should see an output similar to this. Then continue with the following commands:

  • VBOOT_TOOLS_PATH=tools/x86_64/vboot/vboot-tools tools/x86_64/cros-scripts/cros-scripts/cros-firmware-prepare vpd flash.img extract vpd.bin
  • VBOOT_TOOLS_PATH=tools/x86_64/vboot/vboot-tools tools/x86_64/cros-scripts/cros-scripts/cros-firmware-prepare vpd images/coreboot/coreboot-depthcharge-veyron-speedy/coreboot.rom replace vpd.bin
  • cp images/coreboot/coreboot-depthcharge-veyron-speedy/coreboot.rom .

You should see an output similar to this. Copy coreboot.rom file to the USB key. Power up C201 again and boot into Chrome OS. Insert the USB key and go into USB key directory, then type as root:

  • # flashrom -p host -w coreboot.rom

You should see a message like this:

erasing and writing flash chip…..Verifying flash….VERIFIED

SUCCESS

Then check the output of the crossystem command

  • # crossystem | grep dev_boot

If you see:

dev_boot_usb=1 , dev_boot_legacy=0 , dev_boot_signed_only=0

Then it is OK to reboot the C201. And that’s it. Commands that can be used during the Coreboot boot menu are:

  • Ctrl+h = Pauses the screen
  • Ctrl+u = Boots the GNU/Linux distribution (default is ChromeOS)
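
The key import step above fetches the key by an eight-digit ID, while the guide publishes the full fingerprint; short IDs are not unique, so the imported key should be compared against that fingerprint before trusting anything it signs. The following is an added example, not part of the original guide or of the release tooling; the function names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that the key fetched by short ID is the key whose full
# fingerprint the guide publishes.

# Fingerprint exactly as printed in the guide.
EXPECTED_FPR="01B7 0C5D 940C B63D 5FA6 12C2 84FD C1EA 8FEE 950C"

# Strip whitespace and upper-case hex digits so both notations compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Read `gpg --with-colons --fingerprint` output on stdin and print the
# fingerprint of every primary key: the fpr record that follows a pub record,
# where field 10 holds the fingerprint. Subkey fingerprints are skipped.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# Succeed only if the listing on stdin contains exactly one primary key and
# its fingerprint equals the expected one. Two keys sharing the short ID
# (a collision) or no key at all both count as failure.
fingerprint_matches() {
    expected=$(normalize_fpr "$1")
    found=$(primary_fprs)
    count=$(printf '%s\n' "$found" | awk 'NF { n++ } END { print n + 0 }')
    [ "$count" -eq 1 ] && [ "$(normalize_fpr "$found")" = "$expected" ]
}

# Constructed, abbreviated colon listing: one primary key plus one subkey.
sample_good() {
cat <<'EOF'
pub:-:::84FDC1EA8FEE950C:
fpr:::::::::01B70C5D940CB63D5FA612C284FDC1EA8FEE950C:
sub:-:::1111111111111111:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA11111111:
EOF
}

# Constructed listing: a second, unrelated key that ends in the same 8 digits.
sample_collision() {
sample_good
cat <<'EOF'
pub:-:::DEADBEEFDEADBEEF8FEE950C:
fpr:::::::::DEADBEEFDEADBEEFDEADBEEFDEADBEEF8FEE950C:
EOF
}

if sample_good | fingerprint_matches "$EXPECTED_FPR"; then
    echo "sample_good: fingerprint matches"
fi
if ! sample_collision | fingerprint_matches "$EXPECTED_FPR"; then
    echo "sample_collision: rejected"
fi

# Real use, after the recv-keys step:
#   gpg --with-colons --fingerprint 8FEE950C | fingerprint_matches "$EXPECTED_FPR"
```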

Disclaimer

Be sure to read the disclaimer before proceeding with the installation.

Libreboot with Debian on Chromebook C201

Libreboot logo made by Marcus Moeller (2014) – Creative Commons license CC0 1.0 Universal

A few months back I obtained a Google Chromebook Asus C201. It arrived preinstalled with Chrome OS as the default operating system. This laptop was listed as one of the possible laptop models that can use Libreboot. Free Software developer Paul Kocialkowski has ported Libreboot to this Chromebook. Libreboot is a free BIOS or UEFI replacement (free as in freedom); libre boot firmware that initializes the hardware and starts a bootloader for your operating system. It’s also an open source BIOS, but open source fails to promote freedom; please call libreboot free software. Since I know Paul K. from the Internet, he helped me with the guidelines for creating a bootable Debian image to be used on this laptop. In my next blog post I plan to describe how to successfully create these bootable Debian images. This laptop offers three possibilities for using a secondary operating system.

  • First possibility is to install the system on internal storage and replace the default Chrome OS.
  • Second possibility is to use an external USB key and have the system stored there.
  • Third possibility (which I have chosen) was to install Debian on the Micro-SD card.

With my current setup I prefer to keep Chrome OS on internal storage and I can select secondary booting method to boot up Debian from Micro-SD card. I used Debian stable (Jessie) image and afterwards I have upgraded to Debian testing (stretch) to use more recent Debian packages. Just a short info for people that don’t know about Debian. Debian has one of the best designed release methods amongst GNU/Linux distributions, and their “main” software pool contains only free software. The “main” pool is also the only software pool that I will use on this laptop. Currently there are no other suitable FSF authorised distributions that would run on this laptop, next possible ports will include the Guix system distribution and Paul Kocialkowski is working on porting the Parabola GNU/Linux-libre distribution. My goal is to use only free software on this laptop, but there are some limitations. First the BIOS needs to be replaced with Libreboot, and the integrated Wi-Fi chipset would only work with proprietary software. Therefore for this purpose I have purchased a free hardware replacement – Qualcomm Atheros external USB Wi-Fi card, that uses AR9271 chipset, which is known to operate with free software. The model of this access point card is Sophos AP 5 Rev. 1. More about the recommended steps will follow up soon …

GNU is 33 years old

GNU logo made by Aurelio A. Heckert – Creative Commons Attribution-ShareAlike 2.0 license

GNU is an operating system and an extensive collection of computer software. GNU is composed wholly of free software, most of which is licensed under GNU’s own GPL.

GNU is a recursive acronym for “GNU’s Not Unix!”, chosen because GNU’s design is Unix-like, but differs from Unix by being free software and containing no Unix code. The GNU project includes an operating system kernel, GNU HURD, which was the original focus of the Free Software Foundation (FSF). However, non-GNU kernels, most famously Linux, can also be used with GNU software; and since the kernel is the least mature part of GNU, this is how it is usually used. The combination of GNU software and the Linux kernel is commonly known as Linux (or less frequently GNU/Linux; see GNU/Linux naming controversy).

Development of the GNU operating system was initiated by Richard Stallman at the Massachusetts Institute of Technology (MIT) Artificial Intelligence Laboratory as a project called the GNU Project which was publicly announced on September 27, 1983, on the net.unix-wizards and net.usoft newsgroups by Richard Stallman.

More about GNU in the links below:

I will buy a Lemote Yeeloong laptop

A Chinese company by the name of Lemote produced a few batches of FSF endorsed laptops called Lemote Yeeloong back in 2010 – 2012. The first Yeeloong was the model 8089B with an 8.9″ screen, followed by the 8101B with a 10.1″ screen size. These laptops are no longer on sale and are only obtainable on the second hand market. If you happen to know where these laptops would still be obtainable from, or you have one available second hand yourself and are willing to sell it, please contact me on my e-mail (or just use the comment section in the blog form). I would be interested to order one for my personal use. Regarding the shipping, I live in Slovenia, Europe. Regarding the payment we could discuss various possibilities. Thank you !

Free hardware designs

In recent years the Free Software Foundation has encouraged (computer) hardware manufacturers to start producing free (free as in freedom) hardware. Most hardware produced and sold today has a proprietary design (Apple, Intel, etc.) and is therefore restricted/encrypted and hard to use with free software, requiring programmers to use reverse engineering methods and write the code to free up parts of the hardware and optimize it for use with free software. The Free Software Foundation maintains a list of the high priority reverse engineering projects. Free hardware would be optimized for use with free, user respecting GNU+Linux software and should be released under the GNU General Public License (GPL), version 3 or later. Currently there are few alternatives around free hardware designs. In 2012 the Free Software Foundation started a project with the Chinese manufacturer Jiangsu Lemote Technology Corporation Limited for the production of the Lemote Yeeloong netbook. Yeeloongs used the early Loongson 2F, a single core MIPS3-compatible 64-bit CPU with some custom ISA extensions (not all used in software), therefore a lot of customized software still had to be written for it. For that purpose a special customized GNU+Linux distribution, gNewSense, has seen the light of day. Since then we have seen other alternatives to free up parts of the hardware. The project Libreboot has written replacements for the standard BIOS using reverse engineering on Lenovo Thinkpad models, such as X60, T60 and X200, which are all obtainable from the U.K. store Gluglug. Another crowd funding initiative called Purism has raised funds and started with the production of free modern laptops. Michał Tomasz Masłowski has written about Laptops and free software in 2013. There are also Replicant, a free operating system that works as a replacement for Android based devices, and libreCMC, a free replacement operating system for wireless routers.
There are videos (with Slovene translations) from the Libreplanet 2013 conference, where Dr. Richard Stallman talks about the free hardware designs (video part 1) (video part 2) and also explains the idea in his recent articles “Why we need free digital hardware designs” and “How to make hardware designs free“.

Encrypting external USB drive in GNU/Linux

I recently bought an external USB drive and while setting it up with an encrypted filesystem I thought I could blog about it. The procedure that I will use involves Logical Volume Manager (LVM) and luksOpen encryption. The procedure is being done with Trisquel GNU/Linux, but it will also work for Ubuntu Linux and other GNU/Linux systems.

  1. First you will need to open a terminal (xterm) and log in as a root user, use “su” and enter your root password.
  2. You can open another terminal and watch the system log with “tail -f /var/log/messages”
  3. Then you will need some programs to make it work with encryption, you will need to install Logical Volume Manager tools (LVM) with “aptitude install lvm2 e2fsprogs cryptsetup“.
  4. Attach the USB drive into the computer’s USB slot, you can check “/var/log/messages” or type “dmesg” to see how the drive appears up in your computer. Mine shows up as “/dev/sdb“. Keep in mind that your drive might show up differently as “/dev/sdc” or “/dev/sdd” depending on your setup, so I will continue with the manual as the drive being set up for “/dev/sdX“, please consider changing X to another letter which matches your drive.
  5. Check the drive for bad blocks (takes a couple of hours): “badblocks -c 10240 -s -w -t random -v /dev/sdX“. For a 3 Terabyte drive it took a bit over 5 hours to finish.
  6. Write random data to the entire drive. This step took less than 12 hours to finish, but it ensures that never-written drive space can’t be differentiated from encrypted data if someone ever tries to crack the drive. (If you’re going to do this, you might as well do it right). Use “shred -v -n 1 /dev/sdX”
  7. Create one big LVM partition on the drive using fdisk. Set up one big primary partition /dev/sdX1, set the tag to system id “8e” LVM, and write the changes to disk:
    fdisk /dev/sdX
    Note: sector size is 4096 (not 512)
    Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
    Building a new DOS disklabel with disk identifier 0x4a8d1c8d.
    Changes will remain in memory only, until you decide to write them.
    After that, of course, the previous content won't be recoverable.
    
    Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)
    
    Command (m for help): p
    
    Disk /dev/sdb: 3000.6 GB, 3000592982016 bytes
    255 heads, 63 sectors/track, 45600 cylinders, total 732566646 sectors
    Units = sectors of 1 * 4096 = 4096 bytes
    Sector size (logical/physical): 4096 bytes / 4096 bytes
    I/O size (minimum/optimal): 4096 bytes / 4096 bytes
    Disk identifier: 0x4a8d1c8d
    
       Device Boot      Start         End      Blocks   Id  System
    
    Command (m for help): n
    Partition type:
       p   primary (0 primary, 0 extended, 4 free)
       e   extended
    Select (default p): p
    Partition number (1-4, default 1): 1
    First sector (256-732566645, default 256): [ENTER]
    Using default value 256
    Last sector, +sectors or +size{K,M,G} (256-732566645, default 732566645): [ENTER]
    Using default value 732566645
    
    Command (m for help): t
    Selected partition 1
    Hex code (type L to list codes): 8e
    Changed system type of partition 1 to 8e (Linux LVM)
    
    Command (m for help): p
    
    Disk /dev/sdb: 3000.6 GB, 3000592982016 bytes
    255 heads, 63 sectors/track, 45600 cylinders, total 732566646 sectors
    Units = sectors of 1 * 4096 = 4096 bytes
    Sector size (logical/physical): 4096 bytes / 4096 bytes
    I/O size (minimum/optimal): 4096 bytes / 4096 bytes
    Disk identifier: 0x4a8d1c8d
    
       Device Boot      Start         End      Blocks   Id  System
    /dev/sdb1             256   732566645  2930265560   8e  Linux LVM
    
    Command (m for help): w
    The partition table has been altered!
    
    Calling ioctl() to re-read partition table.
    Syncing disks.
  8. Use cryptsetup to encrypt the drive: “cryptsetup --verbose --verify-passphrase luksFormat /dev/sdX1”
    WARNING!
    ========
    This will overwrite data on /dev/sdX1 irrevocably.
    Are you sure? (Type uppercase yes): YES
    Enter LUKS passphrase: <Your password here>
    Verify passphrase: <Repeat your password>
    Command successful.
  9. Unlock the drive (we will call this drive backupexternal, but you can choose a different name): “cryptsetup luksOpen /dev/sdX1 backupexternal”
    Enter passphrase for /dev/sdX1: <Enter your password here>
  10. Create the LVM physical volume: “pvcreate /dev/mapper/backupexternal”
    Physical volume "/dev/mapper/backupexternal" successfully created
  11. Create the LVM volume group (we will call it usbbackup, but you can choose a different name): “vgcreate usbbackup /dev/mapper/backupexternal”
    Volume group "usbbackup" successfully created
  12. Create a logical volume within the volume group: “lvcreate -L 900G -n backupvol /dev/usbbackup”
    Logical volume "backupvol" created
  13. At this point you have a device named /dev/usbbackup/backupvol, so create a filesystem on the logical volume: “mkfs.ext4 /dev/usbbackup/backupvol”
    mke2fs 1.42 (29-Nov-2011)
    Filesystem label=
    OS type: Linux
    Block size=4096 (log=2)
    Fragment size=4096 (log=2)
    Stride=0 blocks, Stripe width=0 blocks
    58982400 inodes, 235929600 blocks
    11796480 blocks (5.00%) reserved for the super user
    First data block=0
    Maximum filesystem blocks=4294967296
    7200 block groups
    32768 blocks per group, 32768 fragments per group
    8192 inodes per group
    Superblock backups stored on blocks:
    32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
    4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
    102400000, 214990848
    Allocating group tables: done
    Writing inode tables: done
    Creating journal (32768 blocks): done
    Writing superblocks and filesystem accounting information: done
  14. Create a mount directory on the computer’s drive: “mkdir /mnt/backup”
  15. Mount the volume: “mount /dev/usbbackup/backupvol /mnt/backup”
  16. To get the volume to mount automatically at boot time add this line to your /etc/fstab file:
    /dev/usbbackup/backupvol      /mnt/backup     ext4    defaults        0 5
  17. To be prompted for the decryption key / passphrase at boot time first get the drive’s UUID: “ls -l /dev/disk/by-uuid” (In my example I use the UUID for /dev/sdb1)
  18. Then add this line to the /etc/crypttab file: “ext_drive /dev/disk/by-uuid/[the UUID of the drive] none luks”

That’s it. You now have an external, encrypted hard drive with LVM installed. You’ve created one 900GB volume that uses half the disk, leaving 2100GB free for other volumes, or for expanding the first volume.
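
The badblocks, shred and luksFormat steps above all overwrite whatever /dev/sdX turns out to be, so it is worth refusing a device that the running system is already using. The following pre-flight check is an added example, not part of the original post; the function names and the sample tables are constructed, and the table paths are parameters so the check can be tried without a real disk.

```shell
#!/bin/sh
# Added example: refuse to run the destructive steps on a disk that is in use.

# device_in_use DEV TABLE: succeed if DEV or one of its partitions appears in
# the first column of TABLE (same layout as /proc/mounts or /proc/swaps).
device_in_use() {
    awk -v dev="$1" '
        {
            src = $1
            if (src == dev) { hit = 1; exit }
            if (index(src, dev) == 1) {
                rest = substr(src, length(dev) + 1)
                # partition suffix: sdb1, mmcblk0p1, nvme0n1p1
                if (rest ~ /^p?[0-9]+$/) { hit = 1; exit }
            }
        }
        END { exit (hit ? 0 : 1) }
    ' "$2"
}

# has_holders DEV SYSROOT: succeed if the kernel reports that something is
# stacked on DEV or its partitions (LUKS mapping, LVM, md). This catches a
# root filesystem that shows up in the mount table only as /dev/mapper/...
has_holders() {
    name=${1##*/}
    for h in "$2"/class/block/"$name"*/holders/*; do
        [ -e "$h" ] && return 0
    done
    return 1
}

# safe_to_wipe DEV [MOUNTS] [SWAPS] [SYSROOT]: succeed only if none of the
# checks finds DEV in use. Defaults point at the live system.
safe_to_wipe() {
    dev=$1 mounts=${2:-/proc/mounts} swaps=${3:-/proc/swaps} sys=${4:-/sys}
    if device_in_use "$dev" "$mounts"; then
        echo "$dev: a partition is mounted" >&2; return 1
    fi
    if device_in_use "$dev" "$swaps"; then
        echo "$dev: a partition is active swap" >&2; return 1
    fi
    if has_holders "$dev" "$sys"; then
        echo "$dev: in use by device-mapper, LVM or md" >&2; return 1
    fi
    return 0
}

# write_samples DIR: constructed tables. sda2 backs the root filesystem
# through device-mapper, sdc1 is mounted, sdd2 is swap, sdb is idle.
write_samples() {
    mkdir -p "$1/sys/class/block/sda2/holders/dm-0" \
             "$1/sys/class/block/sdb/holders"
    cat > "$1/mounts" <<'EOF'
/dev/mapper/vg-root / ext4 rw 0 0
/dev/sdc1 /media/stick vfat rw 0 0
EOF
    cat > "$1/swaps" <<'EOF'
Filename Type Size Used Priority
/dev/sdd2 partition 1048572 0 -2
EOF
}

# Real use, before badblocks/shred/luksFormat:
#   safe_to_wipe /dev/sdX || exit 1
```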

Hope you find this useful.

P. S. If you have tried this procedure and found any errors or know about the improvements, you are welcome to comment on the post and I will be glad to fix the article !

International Human Rights Day reminds us about Free Software

The Free Software Foundation (FSF) is a nonprofit organisation with a worldwide mission to promote computer user freedom and to defend the rights of all free software users.

As our society grows more dependent on computers, the software we run is of critical importance to securing the future of a free society. Free software is about having control over the technology we use in our homes, schools and businesses, where computers work for our individual and communal benefit, not for proprietary software companies who might seek to restrict us.

The Free Software Foundation is working to secure freedom for computer users by promoting the development and use of free (as in freedom) software and documentation — particularly the GNU operating system — and by campaigning against threats to computer user freedom like Digital Restrictions Management (DRM) and software patents.

FSF has sister organisations in Europe , France , Latin America and India.

Do a good thing TODAY ! Help the FSFE reach their 2015 budget goal of €420,000 by donating until December 31.

 

 

libreCMC on TP-LINK TL-WR741ND

I was lucky that I already had TP-LINK TL-WR741ND ( version 1.8 ) previously installed with OpenWRT (libreCMC strips down OpenWRT to remove non-free software and binary blobs from the code) so that I could test out the libreCMC. At this stage the router seems to be (fully) functional with wired and wireless networking enabled. Here are the instructions how to install libreCMC on this router :

First check if your router version is compatible with libreCMC.

  • Versions supported : v1 – v2, v4.20 – 4.27
  • Version not supported : v2.1 – v3.1 + v4.0

If you still have the default TP-LINK firmware, there are several methods to flash it to OpenWRT. I used the “mtd write” procedure to get it from a functional OpenWRT to libreCMC, so I would recommend that you do that first in order to avoid mistakes. The default OpenWRT IP of the router will become 192.168.1.1 and you can telnet there without a password. Once you have a functional OpenWRT you can proceed with “mtd flashing” over telnet.

Download the pre-built libreCMC ( version 1.2.1 ) firmware image to the wireless router

  • # cd /tmp/
  • # wget http://downloads.librecmc.org/snapshot/v1.2.1/ar71xx/librecmc-ar71xx-generic-tl-wr741nd-v1-squashfs-factory.bin

Download and compare md5sum

  • # wget http://downloads.librecmc.org/snapshot/v1.2.1/ar71xx/md5sums
  • # grep "librecmc-ar71xx-generic-tl-wr741nd-v1-squashfs-factory.bin" md5sums

If you did it right you should see the md5sum result which is 3933e76b3da872bcc0773965c9ad2e72

Check the md5sum of your image (should be identical)

  • # md5sum librecmc-ar71xx-generic-tl-wr741nd-v1-squashfs-factory.bin

Rename the image to TP-LINK compatible file

  • # cd /tmp/
  • # mv librecmc-ar71xx-generic-tl-wr741nd-v1-squashfs-factory.bin tplink.bin

Go back into the root directory

  • # cd /

Now you are ready to proceed with flashing.

  • # mtd -r write /tmp/tplink.bin firmware

When this is done, your router should automatically reboot and default into 192.168.1.1 with telnet access. You can also access it through “Luci” (GUI) with your web server on http://192.168.1.1
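
The download, compare and flash steps above rely on comparing two hashes by eye. The following sketch makes the flash conditional on the comparison; it is an added example, not part of the original post or of libreCMC, and its function names and sample file are constructed. Because the image and the md5sums list come from the same HTTP server, a match shows the download is not corrupted, not that it is authentic.

```shell
#!/bin/sh
# Added example: only run the guide's mtd command when the image's md5 matches
# the entry in the downloaded md5sums list.

# expected_md5 NAME SUMS: print the hash that SUMS records for NAME.
# Entries look like "hash  name" or, in binary mode, "hash *name".
# Fails if NAME is not listed.
expected_md5() {
    awk -v name="$1" '
        { f = $2; sub(/^\*/, "", f) }
        f == name { print $1; found = 1; exit }
        END { if (!found) exit 1 }
    ' "$2"
}

# image_is_intact IMAGE SUMS: succeed only if IMAGE is listed in SUMS and its
# computed md5 equals the listed one.
image_is_intact() {
    image=$1 sums=$2
    want=$(expected_md5 "$(basename "$image")" "$sums") || return 1
    have=$(md5sum "$image" | awk '{ print $1 }') || return 1
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# flash_if_intact IMAGE SUMS: the guide's flashing command, guarded.
flash_if_intact() {
    if image_is_intact "$1" "$2"; then
        mtd -r write "$1" firmware
    else
        echo "md5 mismatch or no entry for $1: not flashing" >&2
        return 1
    fi
}

# make_sample DIR: constructed stand-in for the download directory, with a
# small fake image and an md5sums list that uses the "*name" entry form.
make_sample() {
    printf 'constructed firmware bytes\n' > "$1/sample-factory.bin"
    printf '%s *%s\n' \
        "$(md5sum < "$1/sample-factory.bin" | awk '{ print $1 }')" \
        sample-factory.bin > "$1/md5sums"
}

# Real use on the router, from /tmp after both wget steps:
#   flash_if_intact /tmp/librecmc-ar71xx-generic-tl-wr741nd-v1-squashfs-factory.bin /tmp/md5sums
```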

Happy hacking ! 🙂

 

 

 

libreCMC

libreCMC is an FSF endorsed embedded GNU/Linux distribution replacement for your wireless router which does not contain non-free software or binary blobs. The project’s goal is to provide an embedded distro that respects user freedoms and allows users to control what their hardware does. Since libreCMC is 100% free software, it allows the user to use supported platforms as a way to host their own services, like email, chat or file sharing, and to learn about how the device works. libreCMC is designed for users who would like to run 100% free software on their embedded device (routers) or would like to have more control over what their embedded device does. Future uses will expand to servers and HPC applications in a few years.

Currently supported (wireless) devices are :

  • TP-LINK TL-MR3010 v1
  • TP-LINK TL-WR741ND
  • TP-LINK TL-WR841ND
  • NETGEAR WNDR3800
  • XBURST BEN NANONOTE

Two-step verification from Google

Google has offered Two-step verification for some time now, but I have only discovered it recently, when my Gmail account notified me with the warning :

  • State-sponsored attackers may be attempting to compromise your account

The warning doesn’t say “which” state attackers, and there doesn’t seem to be any information or logs from break-in attempts in the account, nor does it say whether this is just a default warning that Google shows to many users to get them to enable Two-step verification. But Two-step verification is useful in many ways. Let me explain why: it adds another layer of protection for your password and doesn’t compromise your account if that password gets stolen or revealed. Here is just a basic example – many of you have probably used a public computer on some occasion to log into Gmail to read your e-mails, either on a journey or while being at some public place, where you can never tell if your password was captured or not. There are different methods for capturing your password; the most basic ones would be a keylogger device or software. In a public place you can never be sure that the computer you are using is protected. With Two-step verification from Google, you add another layer of protection by enabling an SMS text code or voice message to your mobile phone number, which is always different and unique. Just a warning that with this method your phone number will be verified and linked to your existing Google/Gmail account ! Here is an article explaining how to make it work: