Flashing ROMs
=============

Prerequisites
-------------

* BusPirate v3.6a
* SOIC clip
* Winbond 25Q128FV or any other SPI ROM

Hooking up the ROM
------------------

Clamp the Winbond 25Q128FV in the SOIC clip. Using the text printed on the ROM
as a reference, we can identify the pins on the other side of the clip. The
pins on the top, from left to right, are:

* Chip Select (CS)
* Data Output (DO)
* Write Protect (WP)
* Ground (GND)

The pins on the bottom (i.e. the opposite side), from left to right, are:

* Power Supply (VCC)
* /HOLD or /RESET
* Clock (CLK)
* Data Input (DI)

Using the colour codes of the wires, we should hook up the pins as follows
(BusPirate signal, wire colour, ROM pin):

* CS <-> White <-> CS
* MISO <-> Black <-> DO
* GND <-> Brown <-> GND
* 5V <-> Orange <-> VCC
* CLK <-> Purple <-> CLK
* MOSI <-> Grey <-> DI

.. code::

     VCC H/R CLK DI
    +-|---|---|---|-+
    |               |
    |    Winbond    |
    |   W25Q128.V   |
    |O              |
    +-|---|---|---|-+
      CS  DO  WP GND

Google Flashrom
---------------

Unlike the mainline version of flashrom, Google's version has two flags to get
the name and the size of the flash chip:

.. code::

    ./flashrom --programmer=buspirate_spi:dev=/dev/buspirate --flash-name
    flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
    vendor="Macronix" name="MX25L6406E"

    ./flashrom --programmer=buspirate_spi:dev=/dev/buspirate --get-size
    flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
    8388608

With the ``layout.txt`` file, we can tag certain regions in the ROM with a
custom name:

.. code::

    000000:00ffff rw
    7e0000:7fffff ro

Then we can create two random blobs to verify that the ROM works:

.. code::

    dd if=/dev/urandom of=rw.dat count=64K bs=1
    dd if=/dev/urandom of=ro.dat count=64K bs=1

Finally, we can write these two blobs to the two ROM regions by specifying
their names. We also disable parsing the fmap and verifying the unmodified ROM
regions to speed up the process. For stability, an SPI speed of no more than
2 MHz is recommended when using a BusPirate (the ``spispeed=2M`` programmer
parameter used in the later commands):

.. code::

    ./flashrom --programmer=buspirate_spi:dev=/dev/buspirate -l layout.txt -i ro:ro.dat -i rw:rw.dat -w --ignore-fmap --fast-verify

Now that the blobs have been written, we can look at the write-protect ranges
supported by the chip:

.. code::

    ./flashrom --programmer=buspirate_spi:dev=/dev/buspirate --wp-list
    flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
    Valid write protection ranges:
    start: 0x000000, length: 0x000000
    start: 0x7e0000, length: 0x020000
    start: 0x7c0000, length: 0x040000
    start: 0x7a0000, length: 0x080000
    start: 0x700000, length: 0x100000
    start: 0x600000, length: 0x200000
    start: 0x400000, length: 0x400000
    start: 0x000000, length: 0x800000
    start: 0x000000, length: 0x800000
    start: 0x000000, length: 0x400000
    start: 0x000000, length: 0x600000
    start: 0x000000, length: 0x700000
    start: 0x000000, length: 0x780000
    start: 0x000000, length: 0x7c0000
    start: 0x000000, length: 0x7e0000
    start: 0x000000, length: 0x800000

For instance, we can set the write-protect range to be ``0x7e0000`` -
``0x810000``:

.. code::

    ./flashrom --programmer=buspirate_spi:dev=/dev/buspirate --wp-range 0x7e0000 0x020000

After setting the range, we are still able to modify the contents of the
entire ROM. To protect the range, we have to enable write protection as
follows:

.. code::

    ./flashrom --programmer=buspirate_spi:dev=/dev/buspirate --wp-enable

``WP#`` must be pulled down for the write protection to be effective, i.e. it
must be connected to GND. This prevents the user from disabling the write
protection, from changing the write-protected range and from writing to the
write-protected region.

For example, writing a different blob to the region tagged as ``rw`` does
work:

.. code::

    ./flashrom --programmer=buspirate_spi:dev=/dev/buspirate --layout layout.txt -i rw:ro.dat --write --ignore-fmap --fast-verify
    flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
    delay loop is unreliable, trying to continue
    Block protection could not be disabled!
    Erasing and writing flash chip... Verifying flash... VERIFIED.
    SUCCESS

Writing a different blob to the region tagged as ``ro``, however, does not
work, as the region cannot be erased due to write protection:

.. code::

    ./flashrom --programmer=buspirate_spi:dev=/dev/buspirate --layout layout.txt -i ro:rw.dat --write --ignore-fmap --fast-verify
    flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
    delay loop is unreliable, trying to continue
    Block protection could not be disabled!
    Erasing and writing flash chip... ERASE FAILED at 0x007e0000! Expected=0xff, Read=0x15, failed byte count from 0x007e0000-0x007e0fff: 0xff1
    ERASE FAILED!
    Reading current flash chip contents...

Furthermore, changing the range is not possible either as long as ``WP#`` is
pulled down:

.. code::

    ./flashrom --programmer=buspirate_spi:spispeed=2M,dev=/dev/buspirate --layout layout.txt --wp-range 0x000000 0x000000
    flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
    expected=0x80, but actual=0x9a.
    FAILED

Finally, disabling the write-protection feature is not possible either as long
as ``WP#`` is pulled down:

.. code::

    ./flashrom --programmer=buspirate_spi:spispeed=2M,dev=/dev/buspirate --layout layout.txt --wp-disable
    flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
    generic_disable_writeprotect(): error=-1.
    FAILED

References
----------

* http://dangerousprototypes.com/docs/SPI
* https://www.winbond.com/resource-files/w25q128fv_revhh1_100913_website1.pdf
* https://www.pjrc.com/teensy/W25Q128FV.pdf
* https://learn.sparkfun.com/tutorials/bus-pirate-v36a-hookup-guide
* https://www.chromium.org/chromium-os/packages/cros-flashrom
* http://www.tnhh.net/posts/unbricking-chromebook-with-beaglebone.html
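
In the write-protect steps of the Google Flashrom section, ``--wp-range`` takes a start and a length, ``layout.txt`` gives inclusive end addresses, and the chip only accepts the pairs printed by ``--wp-list``. The shell functions below are an added example (not part of the original page or of flashrom) that converts a layout region into ``--wp-range`` arguments and rejects regions the chip cannot protect. The function names and the embedded, abridged sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: not from the original page and not part of flashrom.
# Constructed inputs: this page's layout.txt and an abridged --wp-list.
LAYOUT='000000:00ffff rw
7e0000:7fffff ro'
WP_LIST='Valid write protection ranges:
start: 0x000000, length: 0x000000
start: 0x7e0000, length: 0x020000
start: 0x7c0000, length: 0x040000
start: 0x000000, length: 0x7e0000
start: 0x000000, length: 0x800000'

# region_span NAME: print "START LENGTH" (decimal) for a layout region.
region_span() (
    while read -r range name; do
        [ "$name" = "$1" ] || continue
        first=$((0x${range%%:*}))
        last=$((0x${range##*:}))
        # layout.txt end addresses are inclusive, hence the +1
        echo "$first $(($last - $first + 1))"
        exit 0
    done <<EOF
$LAYOUT
EOF
    exit 1
)

# wp_supported START LENGTH: succeed only if the chip listed this pair.
wp_supported() (
    while read -r key start skip length; do
        [ "$key" = "start:" ] || continue   # skips the header line
        if [ $((${start%,})) -eq "$1" ] && [ $(($length)) -eq "$2" ]; then
            exit 0
        fi
    done <<EOF
$WP_LIST
EOF
    exit 1
)

# wp_range_args NAME: print the "<start> <length>" arguments for --wp-range.
wp_range_args() {
    span=$(region_span "$1") || { echo "no region '$1'" >&2; return 1; }
    start=${span% *}
    length=${span#* }
    wp_supported "$start" "$length" ||
        { echo "'$1' is not a supported WP range" >&2; return 1; }
    printf '0x%06x 0x%06x\n' "$start" "$length"
}
```

``wp_range_args ro`` prints ``0x7e0000 0x020000``, the arguments passed to ``--wp-range`` above, while ``wp_range_args rw`` fails because no listed range covers exactly ``0x000000``-``0x00ffff``.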