You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
tbm-docs/flashrom.rst

176 lines
6.8 KiB

..
Flashing ROMs
=============
Prerequistes
------------
* BusPirate v3.6a
* SOIC clip
* Winbond 25Q128FV or any other SPI ROM
Hooking up the ROM
------------------
Clip the Winbond 25Q128FV between the SOIC clip. Using the text on the ROM, we can orient the pins on the other side of the clip. The ones on the top from left to right are:
* Chip Select (CS)
* Data Output (DO)
* Write Protect (WP)
* Ground (GND)
The pins on the bottom from left to right are (i.e. the opposite side):
* Power Supply (VCC)
* /HOLD or /RESET
* Clock (CLK)
* Data Input (DI)
Using the colour codes of the wires, we should hook up the pins as follows:
* CS <-> White <-> CS
* MISO <-> Black <-> DO
* GND <-> Brown <-> GND
* 5V <-> Orange <-> VCC
* CLK <-> Purple <-> CLK
* MOSI <-> Grey <-> DI
.. code::
VCC H/R CLK DI
+-|---|---|---|-+
| |
| Winbond |
| W25Q128.V |
|O |
+-|---|---|---|-+
CS DO WP GND
Google Flashrom
---------------
Unlike the mainline version of flashrom, Google's version has two flags to get the name and the
size of the Flash chip:
.. code::
./flashrom --programmer=buspirate_spi:dev=/dev/buspirate --flash-name
flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
vendor="Macronix" name="MX25L6406E"
./flashrom --programmer=buspirate_spi:dev=/dev/buspirate --get-size
flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
8388608
With the ``layout.txt`` file, we can tag certain regions in the ROM with a custom name:
.. code::
000000:00ffff rw
7e0000:7fffff ro
Then we can create two random blobs to verify that the ROM works:
.. code::
dd if=/dev/urandom of=rw.dat count=64K bs=1
dd if=/dev/urandom of=ro.dat count=64K bs=1
Finally, we can write these two blobs to the two ROM regions by specifying their names.
We also disable parsing the fmap and verifying the unmodified ROM regions to speed up the process.
To maintain an optimal stability an SPI speed of no more than 2 MHz is recommended when using a
BusPirate:
.. code::
./flashrom --programmer=buspirate_spi:dev=/dev/buspirate -l layout.txt -i ro:ro.dat rw:rw.dat -w --ignore-fmap --fast-verify
Now that the blobs have been written, we can look at the write-protect ranges supported by the chip:
.. code::
./flashrom --programmer=buspirate_spi:dev=/dev/buspirate --wp-list
flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
Valid write protection ranges:
start: 0x000000, length: 0x000000
start: 0x7e0000, length: 0x020000
start: 0x7c0000, length: 0x040000
start: 0x7a0000, length: 0x080000
start: 0x700000, length: 0x100000
start: 0x600000, length: 0x200000
start: 0x400000, length: 0x400000
start: 0x000000, length: 0x800000
start: 0x000000, length: 0x800000
start: 0x000000, length: 0x400000
start: 0x000000, length: 0x600000
start: 0x000000, length: 0x700000
start: 0x000000, length: 0x780000
start: 0x000000, length: 0x7c0000
start: 0x000000, length: 0x7e0000
start: 0x000000, length: 0x800000
For instance, we can set the write-protect range to be ``0x7e0000`` - ``0x810000``:
.. code::
./flashrom --programmer=buspirate_spi:dev=/dev/buspirate --wp-range 0x7e0000 0x020000
After setting the range, we are still able to modify the contents of the entire ROM.
To protect the range, we have to enable write protection as follows:
.. code::
./flashrom --programmer=buspirate_spi:dev=/dev/buspirate --wp-enable
``WP#`` must be pulled down for the write protect to be effective, i.e. it must be connected to GND.
This prevents the user from disabling the write protection, changing the write-protected range and
from writing to the write-protected region.
For example, writing a different blob to the region tagged as ``rw`` does work:
.. code::
./flashrom --programmer=buspirate_spi:dev=/dev/buspirate --layout layout.txt -i rw:ro.dat --write --ignore-fmap --fast-verify
flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
delay loop is unreliable, trying to continue Block protection could not be disabled!
Erasing and writing flash chip... Verifying flash... VERIFIED.
SUCCESS
While writing a different blob to the region tagged as ``ro`` does not work, as it cannot be erased
due to write-protection:
.. code::
./flashrom --programmer=buspirate_spi:dev=/dev/buspirate --layout layout.txt -i ro:rw.dat --write --ignore-fmap --fast-verify
flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
delay loop is unreliable, trying to continue Block protection could not be disabled!
Erasing and writing flash chip... ERASE FAILED at 0x007e0000! Expected=0xff, Read=0x15, failed byte count from 0x007e0000-0x007e0fff: 0xff1
ERASE FAILED!
Reading current flash chip contents...
Furthermore, changing the range is not possible either as long as ``WP#`` is pulled down:
.. code::
./flashrom --programmer=buspirate_spi:spispeed=2M,dev=/dev/buspirate --layout layout.txt --wp-range 0x000000 0x000000
flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
expected=0x80, but actual=0x9a.
FAILED
Finally, disabling the write-protection feature is not possible either as long as ``WP#`` is pulled
down:
.. code::
./flashrom --programmer=buspirate_spi:spispeed=2M,dev=/dev/buspirate --layout layout.txt --wp-disable
flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
generic_disable_writeprotect(): error=-1.
FAILED
References
----------
* http://dangerousprototypes.com/docs/SPI
* https://www.winbond.com/resource-files/w25q128fv_revhh1_100913_website1.pdf
* https://www.pjrc.com/teensy/W25Q128FV.pdf
* https://learn.sparkfun.com/tutorials/bus-pirate-v36a-hookup-guide
* https://www.chromium.org/chromium-os/packages/cros-flashrom
* http://www.tnhh.net/posts/unbricking-chromebook-with-beaglebone.html