flashrom.rst 6.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177
  1. ..
  2. Flashing ROMs
  3. =============
  4. Prerequistes
  5. ------------
  6. * BusPirate v3.6a
  7. * SOIC clip
  8. * Winbond 25Q128FV or any other SPI ROM
  9. Hooking up the ROM
  10. ------------------
  11. Clip the Winbond 25Q128FV between the SOIC clip. Using the text on the ROM, we can orient the pins on the other side of the clip. The ones on the top from left to right are:
  12. * Chip Select (CS)
  13. * Data Output (DO)
  14. * Write Protect (WP)
  15. * Ground (GND)
  16. The pins on the bottom from left to right are (i.e. the opposite side):
  17. * Power Supply (VCC)
  18. * /HOLD or /RESET
  19. * Clock (CLK)
  20. * Data Input (DI)
  21. Using the colour codes of the wires, we should hook up the pins as follows:
  22. * CS <-> White <-> CS
  23. * MISO <-> Black <-> DO
  24. * GND <-> Brown <-> GND
  25. * 5V <-> Orange <-> VCC
  26. * CLK <-> Purple <-> CLK
  27. * MOSI <-> Grey <-> DI
  28. .. code::
  29. VCC H/R CLK DI
  30. +-|---|---|---|-+
  31. | |
  32. | Winbond |
  33. | W25Q128.V |
  34. |O |
  35. +-|---|---|---|-+
  36. CS DO WP GND
  37. Google Flashrom
  38. ---------------
  39. Unlike the mainline version of flashrom, Google's version has two flags to get the name and the
  40. size of the Flash chip:
  41. .. code::
  42. ./flashrom --programmer=buspirate_spi:dev=/dev/buspirate --flash-name
  43. flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
  44. vendor="Macronix" name="MX25L6406E"
  45. ./flashrom --programmer=buspirate_spi:dev=/dev/buspirate --get-size
  46. flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
  47. 8388608
  48. With the ``layout.txt`` file, we can tag certain regions in the ROM with a custom name:
  49. .. code::
  50. 000000:00ffff rw
  51. 7e0000:7fffff ro
  52. Then we can create two random blobs to verify that the ROM works:
  53. .. code::
  54. dd if=/dev/urandom of=rw.dat count=64K bs=1
  55. dd if=/dev/urandom of=ro.dat count=64K bs=1
  56. Finally, we can write these two blobs to the two ROM regions by specifying their names.
  57. We also disable parsing the fmap and verifying the unmodified ROM regions to speed up the process.
  58. To maintain an optimal stability an SPI speed of no more than 2 MHz is recommended when using a
  59. BusPirate:
  60. .. code::
  61. ./flashrom --programmer=buspirate_spi:dev=/dev/buspirate -l layout.txt -i ro:ro.dat rw:rw.dat -w --ignore-fmap --fast-verify
  62. Now that the blobs have been written, we can look at the write-protect ranges supported by the chip:
  63. .. code::
  64. ./flashrom --programmer=buspirate_spi:dev=/dev/buspirate --wp-list
  65. flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
  66. Valid write protection ranges:
  67. start: 0x000000, length: 0x000000
  68. start: 0x7e0000, length: 0x020000
  69. start: 0x7c0000, length: 0x040000
  70. start: 0x7a0000, length: 0x080000
  71. start: 0x700000, length: 0x100000
  72. start: 0x600000, length: 0x200000
  73. start: 0x400000, length: 0x400000
  74. start: 0x000000, length: 0x800000
  75. start: 0x000000, length: 0x800000
  76. start: 0x000000, length: 0x400000
  77. start: 0x000000, length: 0x600000
  78. start: 0x000000, length: 0x700000
  79. start: 0x000000, length: 0x780000
  80. start: 0x000000, length: 0x7c0000
  81. start: 0x000000, length: 0x7e0000
  82. start: 0x000000, length: 0x800000
  83. For instance, we can set the write-protect range to be ``0x7e0000`` - ``0x810000``:
  84. .. code::
  85. ./flashrom --programmer=buspirate_spi:dev=/dev/buspirate --wp-range 0x7e0000 0x020000
  86. After setting the range, we are still able to modify the contents of the entire ROM.
  87. To protect the range, we have to enable write protection as follows:
  88. .. code::
  89. ./flashrom --programmer=buspirate_spi:dev=/dev/buspirate --wp-enable
  90. ``WP#`` must be pulled down for the write protect to be effective, i.e. it must be connected to GND.
  91. This prevents the user from disabling the write protection, changing the write-protected range and
  92. from writing to the write-protected region.
  93. For example, writing a different blob to the region tagged as ``rw`` does work:
  94. .. code::
  95. ./flashrom --programmer=buspirate_spi:dev=/dev/buspirate --layout layout.txt -i rw:ro.dat --write --ignore-fmap --fast-verify
  96. flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
  97. delay loop is unreliable, trying to continue Block protection could not be disabled!
  98. Erasing and writing flash chip... Verifying flash... VERIFIED.
  99. SUCCESS
  100. While writing a different blob to the region tagged as ``ro`` does not work, as it cannot be erased
  101. due to write-protection:
  102. .. code::
  103. ./flashrom --programmer=buspirate_spi:dev=/dev/buspirate --layout layout.txt -i ro:rw.dat --write --ignore-fmap --fast-verify
  104. flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
  105. delay loop is unreliable, trying to continue Block protection could not be disabled!
  106. Erasing and writing flash chip... ERASE FAILED at 0x007e0000! Expected=0xff, Read=0x15, failed byte count from 0x007e0000-0x007e0fff: 0xff1
  107. ERASE FAILED!
  108. Reading current flash chip contents...
  109. Furthermore, changing the range is not possible either as long as ``WP#`` is pulled down:
  110. .. code::
  111. ./flashrom --programmer=buspirate_spi:spispeed=2M,dev=/dev/buspirate --layout layout.txt --wp-range 0x000000 0x000000
  112. flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
  113. expected=0x80, but actual=0x9a.
  114. FAILED
  115. Finally, disabling the write-protection feature is not possible either as long as ``WP#`` is pulled
  116. down:
  117. .. code::
  118. ./flashrom --programmer=buspirate_spi:spispeed=2M,dev=/dev/buspirate --layout layout.txt --wp-disable
  119. flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
  120. generic_disable_writeprotect(): error=-1.
  121. FAILED
  122. References
  123. ----------
  124. * http://dangerousprototypes.com/docs/SPI
  125. * https://www.winbond.com/resource-files/w25q128fv_revhh1_100913_website1.pdf
  126. * https://www.pjrc.com/teensy/W25Q128FV.pdf
  127. * https://learn.sparkfun.com/tutorials/bus-pirate-v36a-hookup-guide
  128. * https://www.chromium.org/chromium-os/packages/cros-flashrom
  129. * http://www.tnhh.net/posts/unbricking-chromebook-with-beaglebone.html