Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Lenovo ThinkPad T580 — Coreboot Flash Guide

Flashing coreboot with EDK2/UEFI payload to the Lenovo ThinkPad T580, including Intel Boot Guard bypass via deguard, Intel ME neutering, and PXE/Network Boot support.

Author: chrisf4lc0n

Status: Tested and working — flashed via Raspberry Pi 4 using flashprog with linux_spi.

Upstream docs: doc.coreboot.org — T470s/T480/T480s/T580/X280

Overview

FeatureValue
CPUIntel 8th Gen Core (Kaby Lake Refresh — i5-8250U / i7-8550U / i7-8650U)
ChipsetIntel Sunrise Point LP (100-series PCH-LP)
DRAM2× SO-DIMM DDR4-2400, max 32 GB (no soldered RAM)
Intel MEv11.x (Skylake/Kaby Lake family) — deguard required
Boot GuardEnabled by Lenovo — must be bypassed with deguard
Flash chip1× Winbond W25Q128.V (16 MiB, SOIC-8)
Thunderbolt flash1× separate SOIC-8 (~1 MiB, near board edge)
SoC coreboot dirsoc/intel/skylake
Mainboard coreboot dirmainboard/lenovo/t580
PayloadMrChromebox EDK2 (UEFI) with PXE/Network Boot

Flash Layout (Vendor)

00000000:00000fff  flash descriptor (fd)
00001000:00002fff  gbe
00003000:006fffff  me
00700000:00ffffff  bios

Coreboot Status

Working: Intel UHD 620 (libgfxinit), internal display (eDP), Mini DisplayPort, Alpine Ridge Thunderbolt 3 (USB data + PCIe via lower USB-C), USB 3.0/2.0, USB-C (charge + DP alt), Gigabit Ethernet, WiFi, Bluetooth, WWAN slot, SATA, NVMe, M.2 B+M key NVMe in WWAN slot, keyboard, TrackPoint, TrackPad, touchscreen (if equipped), S3 suspend/resume, VT-x, VT-d, internal flashing (after initial flash with unlocked IFD).

Note: Thunderbolt support requires DRIVERS_INTEL_DTBT and the T580-specific GPIO changes. This was enabled for T580 in Gerrit change by Krzysztof Sokol, following the T480/T480s/X280 enablement in commit 1f12249ec0 by Matt DeVillier. If building from a coreboot revision before this patch was merged, apply the changes manually — see the Notes section.

Known issues: Some Fn+F{1-12} key mappings, headphone jack auto-detection (both outputs work with manual PulseAudio selection), Nvidia dGPU support is finicky on models that have it.

What You Need

For SPI programmer setup (Raspberry Pi or Pico), flashprog installation, GPIO wiring, and parts lists see Tools — SPI Programmers.

This guide was tested with a Raspberry Pi 4 using linux_spi. The T580 has a single 16 MiB flash chip — no dual-chip complications.

T580-Specific Notes

  • The main flash chip is a single SOIC-8 (W25Q128.V, 16 MiB) near the memory slots
  • There is a separate smaller SOIC-8 for the Thunderbolt controller (~1 MiB, near the board edge by the hinges) — physically narrower than the main chip, extra care seating the clip
  • If you accidentally clip the wrong chip, flashprog will report an unexpected flash size — just move the clip
  • Phillips screwdriver for bottom panel removal

For build dependencies and cross-compiler see Tools — Build Dependencies and Tools — Cross-Compiler.

Step 1 — Disassembly

  1. Power off completely. Disconnect the AC adapter.
  2. Remove all screws from the bottom panel and gently pry off the chassis.
  3. Disconnect the internal battery connector.
  4. Remove the CMOS battery (yellow coin cell).

⚠️ ALL power sources must be disconnected before clipping onto any chip. With power connected, the controllers may be active and interfere with reads/writes.

Refer to the Lenovo T580 Hardware Maintenance Manual for detailed disassembly photos.

Step 2 — Read the Vendor Firmware

Clip onto the main system flash chip (the larger 16 MiB SOIC-8). See Tools — Triple-Read Methodology for the general procedure.

flashprog -p linux_spi:dev=/dev/spidev0.0,spispeed=4000 -r stock_t580_1.bin
flashprog -p linux_spi:dev=/dev/spidev0.0,spispeed=4000 -r stock_t580_2.bin
flashprog -p linux_spi:dev=/dev/spidev0.0,spispeed=4000 -r stock_t580_3.bin

sha512sum stock_t580_*.bin
# All three checksums MUST match.

⚠️ Do NOT proceed if checksums don’t match. Reseat the clip, check wiring, and dump again. Try spispeed=512 if you get inconsistent reads. See Tools — /WP and /HOLD Troubleshooting if problems persist.

Keep these stock dumps safe. They are your recovery path if anything goes wrong.

Step 3 — Extract Blobs from Vendor Firmware

On your build machine (not the Pi), extract the flash regions from one of the verified dumps. Build ifdtool if you haven’t already — see Tools — ifdtool.

3.1 — Clone the Coreboot Repository

git clone https://review.coreboot.org/coreboot.git
cd coreboot
git submodule update --init --checkout

Updating an existing checkout:

cd coreboot
git checkout main
git pull
git submodule update --init --checkout

This tracks the rolling main branch. If you prefer a stable snapshot, checkout a release tag: git checkout 26.03 (check available tags with git tag -l | sort -V | tail -5).

3.2 — Extract Regions

mkdir -p binaries
cp /path/to/stock_t580_1.bin binaries/bios.bin

make -C util/ifdtool
util/ifdtool/ifdtool -x -p sklkbl binaries/bios.bin

This produces:

  • flashregion_0_flashdescriptor.bin → rename to binaries/ifd.bin
  • flashregion_1_bios.bin (not needed — coreboot replaces this)
  • flashregion_2_intel_me.bin (used as input for deguard — see below)
  • flashregion_3_gbe.bin → rename to binaries/gbe.bin
mv flashregion_0_flashdescriptor.bin binaries/ifd.bin
mv flashregion_3_gbe.bin binaries/gbe.bin

Step 4 — Deguard (Boot Guard Bypass)

The T580 has Intel Boot Guard enabled. The deguard utility exploits CVE-2017-5705 in Intel ME v11.x to disable Boot Guard by replacing fused FPF configuration with zeroed values.

4.1 — Clone deguard

cd ..
git clone "https://review.coreboot.org/deguard"

4.2 — Download and Extract the Donor ME Binary

The donor ME binary comes from a Dell firmware updater. Download from the Internet Archive mirror:

wget -O Inspiron_5468_1.3.0.exe \
  "https://web.archive.org/web/20241110222323/https://dl.dell.com/FOLDER04573471M/1/Inspiron_5468_1.3.0.exe"

Extract using Dell_PFS_Extract.py:

pip install --break-system-packages pefile
python3 Dell_PFS_Extract.py Inspiron_5468_1.3.0.exe

The file you need from the extracted output is 1 -- 3 Intel Management Engine (Non-VPro) Update v11.6.0.1126.bin:

  • File size: 2,031,616 bytes (0x1f0000)
  • SHA256: 912271bb3ff2cf0e2e27ccfb94337baaca027e6c90b4245f9807a592c8a652e1
sha256sum 'Inspiron_5468_1.3.0.exe_extracted/1 -- 3 Intel Management Engine (Non-VPro) Update v11.6.0.1126.bin'

Copy it to the binaries folder:

cp 'Inspiron_5468_1.3.0.exe_extracted/1 -- 3 Intel Management Engine (Non-VPro) Update v11.6.0.1126.bin' \
  coreboot/binaries/me_donor.bin

4.3 — Generate the Deguarded ME Image

cd deguard

./finalimage.py \
  --delta data/delta/thinkpad_t580 \
  --version 11.6.0.1126 \
  --pch LP \
  --sku 2M \
  --fake-fpfs data/fpfs/zero \
  --input ../coreboot/binaries/me_donor.bin \
  --output ../coreboot/binaries/me_deguarded.bin

Note: The --delta must match your exact model. If data/delta/thinkpad_t580 doesn’t exist in your checkout, generate it from your vendor dump:

./generatedelta.py --input ../coreboot/binaries/bios.bin --output data/delta/thinkpad_t580

Then discard /home/secureboot from the delta and re-run finalimage.py.

4.4 — Set the HAP Bit on the IFD

The deguarded ME requires the HAP bit enabled in the flash descriptor, or the system will not boot:

cd ../coreboot
util/ifdtool/ifdtool -p sklkbl -M 1 binaries/ifd.bin
mv binaries/ifd.bin binaries/ifd.bin.orig
mv binaries/ifd.bin.new binaries/ifd.bin

4.5 — (Optional) Expand BIOS Region

You can safely skip this step. The deguarded ME (2 MB) fits within the stock ME region (7 MB) — it just leaves unused space. The layout expansion reclaims that space for a larger CBFS, but can fail with “Regions would overlap” on some IFDs.

If you want to try it, save this as layout.txt:

00000000:00000fff fd
001f4000:00ffffff bios
00003000:001f3fff me
00001000:00002fff gbe

Then apply it:

util/ifdtool/ifdtool -p sklkbl -n layout.txt binaries/ifd.bin
mv binaries/ifd.bin.new binaries/ifd.bin

If this succeeds, add CONFIG_CBFS_SIZE=0xE0C000 to your defconfig. If it fails, carry on — the stock layout works fine.

Step 5 — Build Coreboot

Install build dependencies and cross-compiler if not done already — see Tools — Build Dependencies and Tools — Cross-Compiler.

5.1 — Configure with defconfig

Create defconfig in the coreboot root:

CONFIG_VENDOR_LENOVO=y
CONFIG_BOARD_LENOVO_T580=y
CONFIG_IFD_BIN_PATH="binaries/ifd.bin"
CONFIG_ME_BIN_PATH="binaries/me_deguarded.bin"
CONFIG_GBE_BIN_PATH="binaries/gbe.bin"
CONFIG_HAVE_IFD_BIN=y
CONFIG_HAVE_ME_BIN=y
CONFIG_HAVE_GBE_BIN=y
CONFIG_PAYLOAD_EDK2=y
CONFIG_EDK2_NETWORK_STACK=y
CONFIG_EDK2_IPXE_OPTION_NAME="Network Boot"
CONFIG_EDK2_BOOTSPLASH_FILE=""
CONFIG_EDK2_FOLLOW_BGRT_SPEC=y
CONFIG_MAINBOARD_SMBIOS_PRODUCT_NAME="ThinkPad T580"

Note: No need to specify CONFIG_EDK2_REPOSITORY or CONFIG_EDK2_TAG_OR_REV — coreboot’s built-in defaults point to the correct MrChromebox EDK2 branch. Overriding these can cause version mismatches.

Load it:

cp defconfig .config
make olddefconfig

5.2 — (Optional) Fine-Tune with menuconfig

make menuconfig

Key paths to verify:

Mainboard --->
  Mainboard vendor: Lenovo
  Mainboard model: ThinkPad T580
  ROM chip size: 16 MiB

Chipset --->
  [*] Enable Hyperthreading
  [*] Enable VMX

Payload --->
  Add a payload: edk2
  edk2 payload --->
    (leave Repository and Revision at defaults)
    [*] Enable Network in EDK2
    iPXE boot option name: Network Boot

EDK2 includes: UEFI Shell, memory test, NVRAM configuration, Secure Boot, and TPM 2.0 support. PXE/HTTP network boot must be explicitly enabled via CONFIG_EDK2_NETWORK_STACK=y and CONFIG_EDK2_IPXE_OPTION_NAME="Network Boot" — not on by default.

5.3 — Build

make -j$(nproc)

Verify:

ls -la build/coreboot.rom
# Should be exactly 16 MiB (16777216 bytes)

build/cbfstool build/coreboot.rom print

Step 6 — Set MAC Address

The GbE region contains the Ethernet MAC address. Since you extracted gbe.bin from your own T580’s vendor firmware, it already has the correct MAC — no action needed.

If you sourced the GbE blob elsewhere, use Libreboot’s nvmutil:

git clone https://codeberg.org/libreboot/lbmk.git
cd lbmk/util/nvmutil && make
./nvm /path/to/build/coreboot.rom setmac XX:XX:XX:XX:XX:XX

Step 7 — Flash Coreboot

Transfer the ROM to the Pi and flash the main chip (16 MiB):

scp build/coreboot.rom pi@raspi4flasher:~/

On the Pi, with the clip on the main system flash:

flashprog -p linux_spi:dev=/dev/spidev0.0,spispeed=4000 -w coreboot.rom

Wait for VERIFIED. — if verification fails, do NOT unclip, reflash. Try spispeed=2000 if it fails repeatedly.

Step 8 — Thunderbolt Firmware Update (Recommended)

Older TB3 firmware has a bug where debug logging fills the TB flash, eventually bricking the Thunderbolt controller. Lenovo released a firmware update. The Libreboot project also provides a patched tb.bin in their vendor files.

8.1 — Dump TB Chip

Clip onto the smaller TB chip (near the board edge). This chip is physically narrower — extra care seating all 8 pins. Start at lower speed:

flashprog -p linux_spi:dev=/dev/spidev0.0,spispeed=512 -r tbt_backup_1.bin
flashprog -p linux_spi:dev=/dev/spidev0.0,spispeed=512 -r tbt_backup_2.bin
flashprog -p linux_spi:dev=/dev/spidev0.0,spispeed=512 -r tbt_backup_3.bin
sha512sum tbt_backup_*.bin
# All three MUST match.

8.2 — Erase, Zero, Boot, Flash

# Erase the TB chip
flashprog -p linux_spi:dev=/dev/spidev0.0,spispeed=2000 -E

# Write zeroes
dd if=/dev/zero of=null.bin bs=1M count=1
flashprog -p linux_spi:dev=/dev/spidev0.0,spispeed=2000 -w null.bin

Unclip, reconnect power, boot the machine. Wait for the UEFI boot menu (be patient — the TB controller reinitialising on blank flash takes a while). Confirm the system boots, then shut down and disconnect all power.

Re-clip onto the TB chip and flash the updated firmware:

flashprog -p linux_spi:dev=/dev/spidev0.0,spispeed=2000 -w tb.bin

The intermediate boot with blank flash is critical — the TB controller needs to reinitialise before accepting new firmware.

Step 9 — First Boot and Verification

  1. Unclip the programmer.
  2. Reconnect the CMOS battery.
  3. Reconnect the internal battery.
  4. Replace the bottom panel.
  5. Connect AC power and boot.

You should see the coreboot/EDK2 splash and then the UEFI boot menu.

Verify from the OS

# Coreboot running
sudo dmidecode -t bios
# Should show "coreboot" as BIOS vendor

# ME disabled (HAP bit set)
sudo dmesg | grep -i "mei\|heci"
# ME in disabled/non-functional state

# PXE/Network Boot available
# Enter UEFI setup (Escape/F2 at boot) → Boot Manager
# "UEFI PXEv4" and/or "UEFI HTTPv4" entries should be visible

Subsequent Internal Flashing

See Tools — Internal Re-Flashing. For the T580, flash the BIOS region only:

sudo flashrom -p internal -w /path/to/build/coreboot.rom --ifd -i bios -N

This leaves the descriptor, ME, and GbE untouched.

Quick Reference — What Goes Where

FileSourceDestination
ifd.binifdtool -x of vendor dump + HAP bit setbinaries/ifd.bin
gbe.binifdtool -x of vendor dumpbinaries/gbe.bin
me_deguarded.bindeguard finalimage.py from Dell donor MEbinaries/me_deguarded.bin
FSP-M, FSP-Sgit submodule (auto)3rdparty/fsp/KabylakeFspBinPkg/
Microcodegit submodule (auto)3rdparty/intel-microcode/

Full .config Reference

Click to expand full .config for T580 + EDK2 + Network Boot 
#
# coreboot — ThinkPad T580 with EDK2/UEFI + PXE Network Boot
#

# Mainboard
CONFIG_VENDOR_LENOVO=y
CONFIG_BOARD_LENOVO_T580=y
CONFIG_MAINBOARD_SMBIOS_PRODUCT_NAME="ThinkPad T580"

# Blob paths
CONFIG_IFD_BIN_PATH="binaries/ifd.bin"
CONFIG_ME_BIN_PATH="binaries/me_deguarded.bin"
CONFIG_GBE_BIN_PATH="binaries/gbe.bin"
CONFIG_HAVE_IFD_BIN=y
CONFIG_HAVE_ME_BIN=y
CONFIG_HAVE_GBE_BIN=y

# CBFS — only add this if you successfully expanded the IFD layout (Step 4.5):
# CONFIG_CBFS_SIZE=0xE0C000

# Chipset
CONFIG_HAVE_INTEL_FIRMWARE=y

# CPU
CONFIG_SKYLAKE_SOC_MODEL_KABYLAKE_REFRESH=y
CONFIG_HYPERTHREADING=y
CONFIG_INTEL_VMX=y

# Graphics
CONFIG_MAINBOARD_HAS_LIBGFXINIT=y
CONFIG_DRIVERS_INTEL_GMA_HAVE_VBT=y

# Payload — MrChromebox EDK2 with Network Boot
CONFIG_PAYLOAD_EDK2=y
CONFIG_EDK2_NETWORK_STACK=y
CONFIG_EDK2_IPXE_OPTION_NAME="Network Boot"
CONFIG_EDK2_BOOTSPLASH_FILE=""
CONFIG_EDK2_FOLLOW_BGRT_SPEC=y

# TPM
CONFIG_TPM2=y

Note: Some Kconfig symbols are auto-selected by the board config. The EDK2 repository and branch are handled by coreboot’s built-in defaults — do not override unless you have a specific reason. Run cp defconfig .config && make olddefconfig followed by make menuconfig to see the full resolved config.

Troubleshooting

Flash Chip Not Detected

  1. Check clip contact — ensure solid seating on all 8 pins.
  2. Verify pin 1 alignment (dot on chip → pin 1 on clip).
  3. Try different /WP and /HOLD states — see Tools — /WP and /HOLD Troubleshooting.
  4. Try lower SPI speed: spispeed=512.

System Won’t Boot After Flash

  1. Reconnect the external programmer.
  2. Flash back the original backup: flashprog -p linux_spi:dev=/dev/spidev0.0,spispeed=4000 -w stock_t580_1.bin
  3. Verify deguard ME was generated correctly — wrong delta or missing HAP bit will brick.
  4. Disconnect all power for 60 seconds (including CMOS) then retry.

Black Screen / No Display

  1. Ensure libgfxinit is enabled in coreboot config.
  2. Try an external display via Mini DisplayPort.
  3. If you have a dGPU model, check the known issues.

PXE Boot Not Showing

  1. Verify CONFIG_EDK2_NETWORK_STACK=y and CONFIG_EDK2_IPXE_OPTION_NAME="Network Boot" were set before build.
  2. Check UEFI Boot Manager (Escape at boot) for UEFI PXEv4 / UEFI HTTPv4 entries.
  3. Ensure Ethernet cable is connected — PXE entries only appear with link detected.

Headphone Jack / Audio Issues

Both headphone jack and speakers work, but auto-detection doesn’t switch automatically. Use PulseAudio/PipeWire to manually select the output device.

Recovery

External flash recovery is always possible:

  1. Reconnect the SOIC-8 clip and external programmer.
  2. Flash the original vendor backup: flashprog -p linux_spi:dev=/dev/spidev0.0,spispeed=4000 -w stock_t580_1.bin
  3. Once coreboot is installed, internal recovery via flashrom -p internal also works for non-catastrophic issues.

Notes

  • No CPU whitelist under coreboot — any Kaby Lake Refresh CPU works (i5-8250U, i5-8350U, i7-8550U, i7-8650U).
  • me_cleaner warning: On some Skylake/KBL ThinkPads (notably T470s), truncating the ME with me_cleaner can disable PCIe devices (NVMe, WLAN, WWAN). The deguard approach already disables ME post-boot without truncation — additional me_cleaner is optional and should be tested carefully.
  • Thunderbolt controller is on the Alpine Ridge chip with its own separate SPI flash — independent of the main coreboot flash.
  • EC firmware is separate from the SPI flash and is not affected by coreboot flashing. For EC UART debugging, EC firmware version 1.22 (N24HT37W) is needed — corresponding to BIOS versions 1.39 to 1.54. Install via Lenovo’s BIOS updater before flashing coreboot.
  • HyperThreading is enabled in this config. Libreboot disables it by default for Spectre/Meltdown mitigation. Set CONFIG_HYPERTHREADING=n if you want the same.

References

Changelog

  • 2026-04-03: Added Thunderbolt 3 support — T580 TBT enablement patch submitted to coreboot Gerrit. GPIO and Kconfig changes mirroring T480/T480s/X280.
  • 2026-04-02: Initial guide — coreboot with EDK2/MrChromebox, deguard, PXE/Network Boot, TB firmware update.