Introduction

Aaaah, BIOS failures, one of those things that are easy to cause, but such a pain to fix. To supplement my student income, I fix computers. One machine that came to me was an IBM thinkpad which, when booted, halts with the following error:

"0175: bad crc1, stop post task"

Lots and lots of googling around, and I work out that this generally means that either a) the CMOS battery on your laptop is dead or b) The BIOS has been corrupted.

Alas, in my case it wasn't the CMOS battery, so the only recourse I have is to replace the motherboard, which I did, and gave the laptop back to it's original owner.

But I still have the motherboard, and I suspect that it might be possible to bring it back to life. If the problem is a corrupted BIOS, then the solution is to reflash the BIOS, but how to do that when the machine won't boot?

Well, the BIOS is stored in some memory, on a chip in your PC. Once apon a time these were ROM, but nowadays they are stored in flash ram (to that you can update your bios quite easily). The machines CPU reads the data in the BIOS and executes it, which bootstraps the machine and then loads the OS bootloader from a specified area.

Surely if the BIOS is stored in normal flash memory, it can be read and written to? Chances are that the memory is a standard flash chip (cheaper then custom chips), so there is probably a lot of info on how to read/write to the chips.

This page will document my attempts and any successes while doing this, but I can't say when it will be done, as this is a hobby of mine, and I don't have much free time nowadays :(

 

Finding the Chip

Well, we know that the Flash will be in some sort of IC, but which one? Your motherboard has many of them. I find that usually the Bios has a label stuck on it from the manufacturer, specifying the revision and date of the original BIOS. In the case of the T23, two such chips can be found under the RAM slots:

 

What you need to do is remove the labels and read the chip numbers from underneath. In my case the two chips are: H8/3437 and 28F004B5. Searching online we find out that the "H8/3437" is a microcontroller (probably the embedded controller to manage the fans etc...) and the "28F004B5" is in fact flash ram. Yay! It looks like we found it!

The flash chip is an Intel "SMART 5 BOOT BLOCK, FAMILY" and comes in either  2, 4 or 8 MBit size. The datasheet is available for free online, so we shall have a look and see if there is anything useful to glean from it. 

 

What we've found out

 Update: 15 April 2009

Digging around further, I've found out that there is a secondary eeprom, a ATMEL 24RF08, which has a flaw that will cause corruption and BIOS CRC errors. I found this out from lm-sensors, which apparently can mess up your bios when probing:

**** WARNING: IBM Thinkpad users should not install lm_sensors! ****

The eeprom of some IBM Thinkpads have been corrupted after installing lm_sensors.
In our releases through 2.6.4, sensors-detect (our userspace detection script) corrupts the Atmel 24RF08 eeprom.

We have verified this in testing. After the eeprom is corrupted, the checksum verification in the BIOS will fail and the Thinkpad will not boot. The 24RF08 is an 8K eeprom appearing at addresses 0x54 - 0x57 with an additional "access protection page" at address 0x5c.

This is an unusual eeprom that contains a RFID (Radio Frequency ID) port for wireless access, and elaborate access protection mechanisms. The 24RF08 gets confused (presumably due to a state machine flaw) by the 'quick write 0' (*) probes our package uses for detection. This behavior is in violation of the I2C specification.

This corruption mechanism has never been reported to us on any other eeprom, Atmel or otherwise.

It could have been that this eeprom is the cause of the CRC errors, and as the Atmel eeprom also holds the supervisor and user bios passwords, there is a lot of info about interfacing to it, as well as reading and writing to the chip (including software to do it). As such this is probably the first thing I will try to interface to in order to see if it is the problem.

Some links for now:

http://sodoityourself.com/hacking-ibm-thinkpad-bios-password/

http://www.thinkwiki.org/wiki/Maintenance#Recovering_BIOS_passwords

 

References

http://sodoityourself.com/hacking-ibm-thinkpad-bios-password/

http://www.datasheetcatalog.com/datasheets_pdf/2/8/F/0/28F004B5.shtml

http://america.renesas.com/fmwk.jsp?cnt=h83437_root.jsp&fp=/products/mpumcu/h8_family/h8300_series/h83437_group/