Canoebooting a Thinkpad X60 + debloat + hardening.

Go back

I. Requirements and preface (READ)

• You will need a functional Thinkpad X60 (not the tablet or X60s version).
• An ethernet cable/Atheros Wifi card. Or a USB drive with a write-protect switch with the required payload and tools.
• And a small phillips head screwdriver.
• You will not need any external flashing equipment, as X60 laptops can be flashed internally (unless the BIOS is locked) due to a Lenovo bug.
• The official canoeboot website has a set of instructions to follow https://canoeboot.org/docs/install/#thinkpad-t60x60x60tabletx60s, but for some reason they are overly complex and actually didn't work for me. I reworked the flashing procedure for this reason.
• From my experience, sadly OpenBSD doesn't seem to work with any canoeboot payload (it works fine with libreboot+SeaBIOS). There is a critical problem right at boot time and the machine gets stuck in an infinite loop trying to load the CSPRNG. I know that the fed fears the fish, but there are other BSD projects that work... Also Parabola Linux exists.
• Read this entire guide before following it!

II. Hardware checking (very generalized, if you are paranoid then i am sure you will do this by your own needs)

• Once you have the X60 on your table, remove the battery, remove the storage device (there's a plastic cover that slides off with difficulty on the right side, then pull the black plastic tag to remove the drive) and remove all the screws from the belly of the laptop.
• You should remove the RAM cover and take out the RAM sticks, at least verify that you were not ripped off and that they are present.
• Turn the laptop around and remove the keyboard (press down and push it towards the direction of the screen), carefully lift it up and disconnect the board-to-board connector (the orange ribbon).
• Remove the smaller board-to-board connector near the CMOS battery, you can now take off the side/handrest plastic cover.
• Disconnect and remove the Wifi card (can be replaced with an Atheros one). Disconnect, unscrew and remove the Bluetooth card. Remove the speaker (optional if you wont need it). Cover all the cable ends with electrical tape so no shorts occur.
• Optionally disasemble the rest of the laptop and check the motherboard for any damage/glowieware desu.
• Reassemble the laptop (you should know which things to re-connect by now!)

III. BIOS flashing preparations

• Connect the ethernet cable, or have an Atheros card installed. Or have the USB drive with the required payload and tools already verified with GPG.
• I recommend you install Debian for the flashing procedure. Normal GNOME setup is fine.
• Set up the sudoers file.
• Once you have done that, run this in the terminal:
• sudo nano /etc/default/grub
• find:
• GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
• and edit it to:
• GRUB_CMDLINE_LINUX_DEFAULT="iomem=relaxed quiet splash"
• then write the changes and exit nano.
• Next run:
• sudo update-grub
• reboot now.
• Go here:
• https://mirror-hk.koddos.net/libreboot/old/stable/20160907
• download:
• libreboot_r20160907_util.tar.xz
• now go here:
• https://mirror-hk.koddos.net/libreboot/canoeboot/25.06/roms
• download:
• canoeboot-25.06_x60.tar.xz
• check. the. signatures.
• Extract both files.

IV. Bricking your motherboard

• Ensure that you followed the previous instructions undubitably, or else risk unforseen consequences.
• Remember to rewrite /user/ to whatever your username is in the following directory locations.
• Go to:
• /home/user/Downloads/libreboot_r20160907_util/bucts/i686/bucts
• run:
• sudo ./bucts 1
• It might spit out a bunch of errors, don't worry about those, it will work either way.
• Now move:
• /home/user/Downloads/bin/x60/seabios_x60_libgfxinit_txtmode.rom
• to:
• /home/user/Downloads/libreboot_r20160907_util
• say your prayers,
• in this directory, with the .rom image and flash tool run:
• sudo ./flash i945lenovo_firstflash seabios_x60_libgfxinit_txtmode.rom
• you will get a ton of error messages and warnings.
• Once the computer says: "DO NOT REBOOT OR POWEROFF!" then it's time to power it off.
• If the message doesn't say that exact line, but the command finished executing, still power it off, there is nothing to worry about.
• Keep it turned off for a few seconds, then turn it back on. Canoeboot should now be flashed instead of the Lenovo BIOS.
• Go back to this directory:
• /home/user/Downloads/libreboot_r20160907_util
• in this directory, run:
• sudo ./flash i945lenovo_secondflash seabios_x60_libgfxinit_txtmode.rom
• Ideally, it should say that the chip data was the same. Power-off again. Congratulations, you now have canoeboot flashed. Power-on again.
• Lastly, go to:
• /home/user/Downloads/libreboot_r20160907_util/bucts/i686/bucts
• run:
• sudo ./bucts 0
• It's done.

V. Hardening

• The default .rom image comes preconfigured with its settings, in case you want to change them, use the NVRAM tool and re-flash the image by following the guide again.
• Remember to remove the iomem relaxation in the GRUB files, if you plan on keeping GRUB installed on your disk.
• You can write-protect the chip, however there exist no instructions how to do so (for now).
• There really is not much to harden at this point, besides the OS you decide to install now.

VI. Troubleshooting

• Something wrong? Contact me. Or check the official website https://canoeboot.org/faq.html, however chances are that your issue won't be listed anywhere on the internet and you'll have to figure things out yourself (which is good on one hand), speaking from experience... I suggest the former.