Protectli Vault FW6 series

This page describes how to run coreboot on the Protectli FW6.

Stock firmware

The stock firmware contains only the firmware descriptor, BIOS and Management Engine. The EC firmware is not present on the SPI chip.

Using ifdtool, a full layout can be obtained along with the ME and FD flash regions.

Required proprietary blobs

To build a minimal working coreboot image some blobs are required (assuming only the BIOS region is being modified).

Binary file

Apply

Required / Optional

FSP-M, FSP-S

Intel Firmware Support Package

Required

microcode

CPU microcode

Required

vgabios

VGA Option ROM

Optional

FSP-M and FSP-S are obtained after splitting the Kaby Lake FSP binary (done automatically by the coreboot build system and included into the image) from the 3rdparty/fsp submodule.

Microcode updates are automatically included into the coreboot image by build system from the 3rdparty/intel-microcode submodule.

VGA Option ROM is not required to boot, but if one needs graphics in pre-OS stage, it should be included (if not using libgfxinit).

Flashing coreboot

Internal programming

The main SPI flash can be accessed using flashrom. The first version supporting the chipset is flashrom v1.1. Firmware an be easily flashed with internal programmer (either BIOS region or full image).

The stock firmware can be dumped using flashrom or downloaded from Protectli’s official website.

External programming

The system has an internal flash chip which is a 8 MiB soldered SOIC-8 chip. This chip is located on the bottom side of the case (the radiator side). One has to remove all screws (in order): 4 top cover screws, 4 side cover screws (one side is enough), 4 mainboard screws, 4 CPU screws (under DIMMs). Lift up the mainboard and turn around it. The flash chip is near the SoC on the DIMM slots side. Use a clip (or solder the wires) to program the chip. Specifically, it’s a Macronix MX25L6406E (3.3V) -datasheet.

Known issues

  • After flashing with external programmer it is always required to reset RTC with jumper or disconnect coin cell temporarily. Only then the platform will boot after flashing.

  • FW6A does not always work reliably with all DIMMs. Linux happens to hang or gives many panics. This issue was present also with vendor BIOS.

  • Sometimes FSPMemoryInit return errors or hangs (especially with 2 DIMMs connected). A workaround is to power cycle the board (even a few times) or temporarily disconnect DIMM when platform is powered off.

  • When using libgfxinit and SeaBIOS bootsplash, the red color is dim.

Untested

Not all mainboard’s peripherals and functions were tested because of lack of the cables or not being populated on the board case.

  • Internal USB 2.0 headers

Working

  • USB 3.0 front ports (SeaBIOS and Linux)

  • 6 Ethernet ports

  • HDMI port with libgfxinit and VGA Option ROM

  • flashrom

  • PCIe WiFi

  • SATA and mSATA

  • Super I/O serial port 0 (RS232 via front RJ45 connector)

  • SMBus (reading SPD from DIMMs)

  • Initialization with KBL FSP 2.0 (with MemoryInit issues)

  • SeaBIOS payload (version rel-1.12.1)

  • Mini PCIe debug card connected to mSATA (mSATA slot has LPC signals routed)

  • Reset switch

  • Booting Debian, Ubuntu, FreeBSD, Proxmox

  • PCIe passthrough for NICs and iGPU

  • Boot with cleaned ME

Technology

There are 3 variants of FW6 boards: FW6A, FW6B and FW6C. They differ only in used SoC.

  • FW6A:

CPU

Intel Celeron 3865U

PCH

Kaby Lake U w/ iHDCP2.2 Base

Super I/O, EC

ITE IT8772E

Coprocessor

Intel Management Engine

  • FW6B:

CPU

Intel Core i3-7100U

PCH

Kaby Lake U w/ iHDCP2.2 Premium

Super I/O, EC

ITE IT8772E

Coprocessor

Intel Management Engine

  • FW6C:

CPU

Intel Core i5-7200U

PCH

Kaby Lake U w/ iHDCP2.2 Premium

Super I/O, EC

ITE IT8772E

Coprocessor

Intel Management Engine

Other compatible boards

As Protectli licenses and uses Yanling appliances with no modifications to the actual hardware, any compatible Yanling appliances would work. Specifically, look for hardware with the same CPU and NIC and coreboot should be able to compile and boot with no modifications required.