Lenovo X220 and Lenovo X230 keyboard connector candidates part2

I still don’t know which connector do they use. I made a list of the connectors they could have used but didn’t use.
A guy took those photos (he connected it to the T60 but by USB not using the connector)

Jae 0.50mm Board to Board Connector products

but those pages are nowhere to be found on that PDF.
AA01A…………………………………………… 0.50mm (.020″) pag 29
IL-312……………………………………………..0.50mm (.020″) pag 30
WR…………………………………………………0.50mm (.020″) pag 31 – 32
WB3 ……………………………………………….0.50mm (.020 “) pag 33


AA01A is no longer on sale and it is similar but it not that one:
(this one has metalic borders and a strange ending)
The old thinkpad T60 used the JAE AA01B-P040VA1

IL-312 connector looks similar but the borders are different.

The WR connector looks very similar but I got samples and saw they’re not the same.

Ok the WB3 is very different so it is not this one.

So maybe it is not made by JAE (or, the worst case, it is but it is a private connector)

Molex makes this and it is very similar but it is not the same.
Molex slimstack connector: http://www.mouser.com/pdfdocs/Molex_SlimStack.PDF
( 55650-XX88 )

They’re not Panasonic AXK5F-6F connectors.

They’re not Morethanall connectors (and some look very similar)

UPDATE: I’ll try the molex ones. Update2: I still haven’t tried the molex ones but I made another post here

Lenovo X220 and Lenovo X230 keyboard connector candidates

The old T43 style keyboard connectors don’t work anymore.

I found those candidates (I’ve to check them first but they’re available)

Searched with:
Manufacturer JAE.
Found generic name: WR-40P-VF-N1-ND

Those look like good candidates:
WR-40P-VF-N1 same as the x220/x230 keyboard
Datasheet picture: http://jae-connector.com/en/pdf/SJ100338.pdf

WR-40S-VF-N1 same as the x220/x230 motherboard
Datasheet picture: http://jae-connector.com/en/pdf/SJ100337.pdf

This Chinese-English-Spanish web page has nice photos of the connectors:

UPDATE: The WR-40P-VF-N1 and WR-40S-VF-N1 look very similar to the ones Lenovo is using but they’re not the same. The pin spacing is correct but the connector doesn’t fit. Those WR connectors are not as long the one on the keyboard. Now I have no idea which connector does it use because this seemed like a good candidate.

The X220 keyboard has those part numbers written below:
Parts NO: 0B35709
FRU NO: 04W2753

It might be usefull later that it also says: DC 5v / 25mA max

Parts NO: 45N2106
FRU NO: 45N2141

I also received another barely used keyboard from Israel. It looks the same as the previous one but this Kósher keyboard 😉 requires less energy. DC 5V /7.0mA

Update: The keyboard itself will consume the same since it doesn’t have any chips on it but the trackpoint does so I guess they’ve a different trackpoint version but the wiring is the same and I feel them the same way.

Other laptos also have the same keyboard numbers:
IBM/Lenovo Thinkpad T410, T410i, T410S, T410Si, T510, W510 …

Blackhat the film and locating devices in datacenters

A few days ago a friend told me about Blackhat, the film.


A really shity film. It has some plausible things on it and a lot of rubbish. My friend asked me how could the guy know where the server was located in a datacenter.

Well it could ask using SNMP, LLDP, Take it from the DHCP option 82 or if it was connected to a Cisco switch, simply read it from the network with:

tshark -i eth0 -V -f “ether host 01:00:0c:cc:cc:cc” -c 1 | grep ‘Port ID:\|Device ID:’
Device ID: RACK_C_SW1
Device ID: RACK_C_SW1
Port ID: GigabitEthernet0/9

That part was actually common stuff.

Lenovo X230 and Lenovo X220 keyboard bios hack part 2

A glipse about what is going on with Lenovo BIOSes

I am not interested in the PC BIOS part itself since I can use coreboot but I wanted to know what is available.


but the file L_PROCESS_TOOLS_NEW_STRUCTURE.rar is nowhere to be found 😦

Note: Carefull with the BIOS versions, the old ones don’t allow to go back to and old version (without using external hardware)

– If the UEFI BIOS has been updated to version 2.56 or higher, it is no longer
able to roll back to the version before 2.56 for degrading security function.

This makes sense after reading this scary paper (and the ones referenced on it) http://www.legbacore.com/Research_files/2015_ShmooCon_BIOSBugs.pdf
Media coverage:

I’ve absolutely no idea compared to those guys but I’ll still try to change the keyboard.

The embedded firmware part I am interested in is this one

If bios backdoors were not enough, there are also “Backdooring Embedded Controllers – rpw”
Video: http://media.ccc.de/browse/congress/2010/27c3-4174-en-the_hidden_nemesis.html

At least is in a place you can expect, not like this one

I took some interesting advice from the first one

* The microcontroller is Powered when laptop has power (laptop may be turned off)
* IDA Pro Advanced has support for the H8S (I’ve yet to see which MCU does it use. Update: it uses a 8051 variant. I’ve put the datasheet at the end of this blog entry)
* There is commented code for an old model. It doesn’t say where but I found it here:


It seems there was some software support for the EC on thinkpads but it doesn’t work on gen3 processors (Ivy Bridge boards)

x230 iker ~ $ sudo dmidecode

BIOS Information
Vendor: LENOVO
Version: G2ET95WW (2.55 ) <— I can still upload old bioses but it would be easy to hack my bios in bad ways.
Release Date: 07/09/2013
Address: 0xE0000
Runtime Size: 128 kB
ROM Size: 12288 kB
PCI is supported
PNP is supported
BIOS is upgradeable
BIOS shadowing is allowed
Boot from CD is supported
Selectable boot is supported
EDD is supported
3.5″/720 kB floppy services are supported (int 13h)
Print screen service is supported (int 5h)
8042 keyboard services are supported (int 9h)
Serial services are supported (int 14h)
Printer services are supported (int 17h)
CGA/mono video services are supported (int 10h)
ACPI is supported
USB legacy is supported
BIOS boot specification is supported
Targeted content distribution is supported
UEFI is supported
BIOS Revision: 2.55
Firmware Revision: 1.12

Handle 0x0042, DMI type 140, 15 bytes
OEM-specific Type
Header and Data:
8C 0F 42 00 4C 45 4E 4F 56 4F 0B 07 01 01 02

x230 iker ~ $ sudo superiotool -d
superiotool r6637
Found SMSC FDC37N972 (id=0x0b, rev=0x03) at 0x4e
Register dump:
idx 02 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f
val 00 0b 03 00 00 04 00 00 00 3a 00 00 00 00 00 00 00
def 00 0b 00 00 00 04 04 NA NA 00 00 00 00 00 00 00 00
LDN 0x00 (Floppy)
idx 30 60 61 70 74 f0 f1 f2 f3 f4 f5
val 00 00 00 00 00 00 00 00 00 00 00
def 00 03 f0 06 02 0e 00 ff RR 00 00
LDN 0x01 (Power management (PM1))
idx 30 60 61
val 01 00 00
def 00 00 00
LDN 0x03 (Parallel port)
idx 30 60 61 70 74 f0 f1
val 00 00 00 00 00 00 00
def 00 00 00 00 04 3c 00
LDN 0x04 (COM1)
idx 30 60 61 70 f0
val 00 00 00 00 00
def 00 00 00 00 00
LDN 0x05 (COM2)
idx 30 60 61 62 63 70 74 f0 f1 f2 f7 f8
val 00 00 00 00 00 00 00 00 00 00 00 00
def 00 00 00 00 00 00 04 00 02 03 00 00
LDN 0x06 (Real-time clock (RTC))
idx 30 60 61 62 63 70 f0 f1
val 00 00 00 00 00 00 00 00
def 00 00 70 00 74 00 00 NA
LDN 0x07 (Keyboard)
idx 30 60 61 70 72 f0
val 00 00 00 00 00 00
def 00 00 00 00 00 00
LDN 0x08 (Embedded controller (EC))
idx 30 60 61
val 00 00 00
def 00 00 62
LDN 0x09 (Mailbox)
idx 30 60 61
val 00 00 00
def 00 00 00

Datasheet for the SMSC FDC37N972:

UPDATE: the Dasher-2 (Lenovo x230) datasheet names the EC MEC1619 and it includes an ARC 625D microcontroller instead of a 8051. I’ve not reversed the code for the embedded controller but it should not be hard to distinguish a 8051 (like the one inside the SMSC and the ARC like the one inside the MEC1619). Now both embedded controllers are sold by Microchip to Lenovo so the Dasher-2 might have changed the Embedded microcontroller during its lifetime but not once shipped because the firmwares should be different and they’re not. Conclussion: I’ve no idea about anything but it can be known with this data.






Microchip acquired SMSC in August 2012. Microchip is investing heavily in the technology to continue the proud history of leadership in integrated circuit products for computing applications.

I also found this very interesting. It details how the mailboxes work on a 8051 SMSC superio controller:





Lenovo X230 keyboard Lenovo X220 keyboard BIOS mod blue Enter – Part 1

Two songs,

* Rolling Stones Paint It Black
* Eiffel 65 – I’m Blue

Well to the point, I have a Lenovo x230 and i _HATE_ the keyboard. I can put the x220 keyboard on it. I like the layout, I like the keys and I want my blue Enter but some keys have a different mapping and the keyboard controller firmware is inside the BIOS. It has nothing to do with the normal BIOS, it just shares space inside the same flash.

May people put the old keyboard intead of the new one but none hacked the bios (and published) so they had to map some keys via software and couldn’t map other keys because the BIOS doesn’t recognize those keycodes at all (the new keyboards have fewer keys).

X220 next to a X230:

Keyboard dissasembly:

Beautifull mod and comments:

Another similar mod very detailled, thanks yttrium tyclief I began this quest after seeing that post.

So I Downloaded a X220 BIOS Image:
just to give a look at how it looks like.
I found ThinkPad_x220_1.39_8duj25us_NWL.rar here:

Coreboot :
Now both the x220 and the x230 have coreboot. The x230 had it first. But coreboot doesn’t touch the keyboard mapping part.

According to the coreboot wiki they’re distributed like this (but it makes no sense for the x220 if it only has 8M to be distributed this way, someone made a mistake copying from the x230 wiki page)

X220 has 1 flash chip of 8M. It’s subdivided in roughly in 3 parts:

Descriptor (12K)
ME firmware (5M-12K)
System flash (7M)

X230 has 2 flash chips of 8M and 4M. They’re concatenated to one virtual flash chip of 12M which is itself subdivided in roughly in 3 parts:

Descriptor (12K)
ME firmware (5M-12K)
System flash (7M)

Let’s rock:

I began analizyng the ThinkPad_x220_1.39_8duj25us_NWL.rar file and found the logo straight away. It is useless but it marks a beggining in this BIOS hacking journey. I attach it here, it is a GIF89a, the first thing the computer shows at boot taken straight from the BIOS image. Offset: 0x541fc1 / 0x820fff


Fixed bitmap font on Xwindows/ Linux / Debian howto

I’ve got a Lenovo x230 and it has a crappy 1366×768 screen. I remember macbook retinas when mines are burning. I didn’t even buy the IPS version because I’ve a 3M privacy filter (it makes the IPS screen pointless) and because I bought it second hand so It came with it.

I wanted crystal clear fonts like on Windows 9x. Windows uses 96dpi fixed fonts (per default) and I also have them on Linux but they do not show up on the font menus.

xterm uses “Fixed SemiCondensed 10 bitmap font” and no other monospace font looks great on my screen. I wanted to use other tabbed terminals with the same font.

I tested envy-r, inconsolata, consolas, droid… they all take more space than the fixed semicondensed or/and are unreadable when using the same size.
I tried all those and more ( http://www.webupd8.org/2010/07/7-of-best-ubuntu-terminal-fixed-width.html )

This is how to make the Fixed SemiCondensed font available to all programs on Debian 8. Then you can choose when to use it, it doesn’t make it the default font, it just leaves it available.

I put that font to nearly everything and I love it. I only need other fonts inside the web browser

# cat /etc/fonts/conf.d/70-no-bitmaps.conf

patelt name=”scalable” false

# mv /etc/fonts/conf.d/70-no-bitmaps.conf ~/

# fc-cache -f -v

Most programs will see the font instantly without X logout but some wont.

Nvidia Jetson SDK on Debian 8

This shit doesn’t work. Lets see what it does look like from miles above:
I’m trying it on a virtualized debian machine.

x230 iker ~/Descargas $ file JetPackTK1-1.1-cuda6.5-linux-x64.run
JetPackTK1-1.1-cuda6.5-linux-x64.run: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped

x230 iker ~/Descargas $ strings JetPackTK1-1.1-cuda6.5-linux-x64.run | head

Ok it seems compressed/packed using UPX

x230 iker ~/Descargas $ sudo apt-get install upx-ucl

x230 iker ~/Descargas/reversing $ upx --file-info JetPackTK1-1.1-cuda6.5-linux-x64.run
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2013
UPX 3.91 Markus Oberhumer, Laszlo Molnar & John Reiser Sep 30th 2013

JetPackTK1-1.1-cuda6.5-linux-x64.run [amd64-linux.elf, linux/ElfAMD]
14895249 bytes, not compressed by UPX

I still think it is a upx file and I’ve many options now but I am a bit upset with NVidia, ¿WHY?

Option 1) manually unpack the upx file
cons: This is like going back 15 years to the past and I am lazy now.
note: That pdf seems to be a uncredited rip off from other public sources but it is easier to link.

Option 2)
Give a quick look using strace and lsof
open(“/tmp/.bitrock_iker/.tmp_6743_9666236/wmImage.png”, O_RDONLY) = 10
Went there and saw the nvidia logo. They don’t even delete de file afterwards.
ok it seems they’re using a commercial packer called bitrock that probably uses an upx variant.

Option X) I’m lazy now.


Option 2 is much faster now, let’s try it first.

x230 iker /tmp/.bitrock_iker $ ls -la
drwxr-xr-x 2 iker iker 20480 jur 0 16:12 .tmp_6657_50973
drwxr-xr-x 2 iker iker 20480 jur 0 16:13 .tmp_6743_9666236
drwxr-xr-x 2 iker iker 20480 jur 0 16:15 .tmp_6788_5332916

The tmp numbers increase as time increases. It does not pretend to be random.

Ok it does leave a log here:

x230 iker /tmp $ ls -l bitrock_installer*
-rw------- 1 iker iker 1893 jur 0 16:12 bitrock_installer_6657.log
-rw------- 1 iker iker 1893 jur 0 16:13 bitrock_installer_6743.log
-rw------- 1 iker iker 1893 jur 0 16:15 bitrock_installer_6788.log

And the log explains what it is doing to check the version:

Setting variable ubuntu_version from /bin/bash -c " awk 'NF {print \$2}' /etc/issue | cut -b 1-5 "
Script exit code: 0

Script output:

So let’s see:

x230 iker /tmp $ cat /etc/issue
Debian GNU/Linux 8 \n \l

Let’s see what ubuntu says to common OS questions (taken from the web, I didn’t check them, just to get an idea)

ubuntu $ cat /etc/issue
Ubuntu 12.04.2 LTS \n \l

ubuntu $ cat /etc/issue.net
Ubuntu 12.04.2 LTS

ubuntu $ cat /etc/lsb-release

ubuntu $ cat /etc/os-release
VERSION="12.04.2 LTS, Precise Pangolin"
PRETTY_NAME="Ubuntu precise (12.04.2 LTS)"

ubuntu $ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 12.04.2 LTS
Release: 12.04
Codename: precise

We’ll I don’t have enough space on the hard disk to install it yet but the install GUI appears as on Ubuntu if I change /etc/issue


It begins well until it gives an error with:

Failed to install one or more of the following packages:

cuda-toolkit-6-5 cuda-cross-armhf-6-5

Please make sure they are correctly installed with apt-get command before continuing installation.

x230 iker ~ $ apt-cache search cuda-toolkit-6-5
cuda-toolkit-6-5 - CUDA Toolkit 6.5 meta-package

x230 iker ~ $ apt-cache search cuda-cross-armhf-6-5
cuda-cross-armhf-6-5 - CUDA 6.5 cross-platform meta-package

The compilers and the libgomp are missing.
The installer finishes and leaves that error to be handled later so I did this:

ref: https://wiki.debian.org/CrossToolchains

x230 iker ~ $ curl http://emdebian.org/tools/debian/emdebian-toolchain-archive.key | sudo apt-key add -

x230 iker ~ $ sudo vim /etc/apt/sources.list.d/crosstools.list
deb http://emdebian.org/tools/debian/ jessie main

x230 iker ~ $ sudo dpkg --add-architecture armhf
x230 iker ~ $ sudo apt-get update
x230 iker ~ $ sudo apt-get install crossbuild-essential-armhf

Configurando libgomp1:armhf (4.9.2-10) ...
Configurando gcc-arm-linux-gnueabihf (4.9.2-10.1) ...
Configurando g++-arm-linux-gnueabihf (4.9.2-10.1) ...

x230 iker ~ $ ls -l /usr/bin/arm-linux-gnueabihf-g++
lrwxrwxrwx 1 root root 27 ene 17 06:10 /usr/bin/arm-linux-gnueabihf-g++ -> arm-linux-gnueabihf-g++-4.9