Flashing ROMs
=============

Prerequisites
-------------

* BusPirate v3.6a
* SOIC clip
* Winbond 25Q128FV or any other SPI ROM

Hooking up the ROM
------------------

Clamp the Winbond 25Q128FV in the SOIC clip. Using the text on the ROM as a reference, we can identify the pins on the other side of the clip. The pins on the top, from left to right, are:

* Chip Select (CS)
* Data Output (DO)
* Write Protect (WP)
* Ground (GND)

The pins on the bottom (i.e. the opposite side), from left to right, are:

* Power Supply (VCC)
* /HOLD or /RESET
* Clock (CLK)
* Data Input (DI)

Using the colour codes of the wires, we should hook up the pins as follows:

* CS <-> White <-> CS
* MISO <-> Black <-> DO
* GND <-> Brown <-> GND
* 5V <-> Orange <-> VCC
* CLK <-> Purple <-> CLK
* MOSI <-> Grey <-> DI

.. code::

      VCC H/R CLK DI
    +-|---|---|---|-+
    |               |
    |    Winbond    |
    |   W25Q128.V   |
    |O              |
    +-|---|---|---|-+
      CS  DO  WP  GND

Google Flashrom
---------------

Unlike the mainline version of flashrom, Google's version has two flags to get the name and the
size of the Flash chip:

.. code::

    ./flashrom --programmer=buspirate_spi:dev=/dev/buspirate --flash-name
    flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
    vendor="Macronix" name="MX25L6406E"
    ./flashrom --programmer=buspirate_spi:dev=/dev/buspirate --get-size
    flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
    8388608

With the ``layout.txt`` file, we can tag certain regions in the ROM with a custom name:

.. code::

    000000:00ffff rw
    7e0000:7fffff ro

Then we can create two random blobs to verify that the ROM works:

.. code::

    dd if=/dev/urandom of=rw.dat count=64K bs=1
    dd if=/dev/urandom of=ro.dat count=64K bs=1

Finally, we can write these two blobs to the two ROM regions by specifying their names.
We also disable parsing the fmap and verifying the unmodified ROM regions to speed up the process.
To maintain optimal stability, an SPI speed of no more than 2 MHz is recommended when using a
BusPirate:

.. code::

    ./flashrom --programmer=buspirate_spi:dev=/dev/buspirate -l layout.txt -i ro:ro.dat -i rw:rw.dat -w --ignore-fmap --fast-verify

Now that the blobs have been written, we can look at the write-protect ranges supported by the chip:

.. code::

    ./flashrom --programmer=buspirate_spi:dev=/dev/buspirate --wp-list
    flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
    Valid write protection ranges:
    start: 0x000000, length: 0x000000
    start: 0x7e0000, length: 0x020000
    start: 0x7c0000, length: 0x040000
    start: 0x7a0000, length: 0x080000
    start: 0x700000, length: 0x100000
    start: 0x600000, length: 0x200000
    start: 0x400000, length: 0x400000
    start: 0x000000, length: 0x800000
    start: 0x000000, length: 0x800000
    start: 0x000000, length: 0x400000
    start: 0x000000, length: 0x600000
    start: 0x000000, length: 0x700000
    start: 0x000000, length: 0x780000
    start: 0x000000, length: 0x7c0000
    start: 0x000000, length: 0x7e0000
    start: 0x000000, length: 0x800000

For instance, we can set the write-protect range to be ``0x7e0000`` - ``0x810000``:

.. code::

    ./flashrom --programmer=buspirate_spi:dev=/dev/buspirate --wp-range 0x7e0000 0x020000

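Choosing the ``--wp-range`` arguments can be checked against the layout before touching the chip. The following is an added example, not code from the original page or from flashrom: it parses ``layout.txt`` and the ``--wp-list`` output shown above (shortened), picks the smallest supported range that covers the region to protect, and refuses if that range would also lock a region that must stay writable. All function names are hypothetical.

```python
import re

# Sample inputs taken from the layout.txt and the --wp-list output on this page
# (the range list is shortened; function names below are hypothetical).
LAYOUT = "000000:00ffff rw\n7e0000:7fffff ro\n"
WP_LIST = """Valid write protection ranges:
start: 0x000000, length: 0x000000
start: 0x7e0000, length: 0x020000
start: 0x7c0000, length: 0x040000
start: 0x700000, length: 0x100000
start: 0x600000, length: 0x200000
start: 0x400000, length: 0x400000
start: 0x000000, length: 0x800000
start: 0x000000, length: 0x7e0000
"""

def parse_layout(text):
    """Map region name -> (start, length); layout lines are 'start:end name', end inclusive."""
    regions = {}
    for m in re.finditer(r"^([0-9a-fA-F]+):([0-9a-fA-F]+)\s+(\S+)\s*$", text, re.M):
        start, end = int(m[1], 16), int(m[2], 16)
        if end < start:
            raise ValueError(f"region {m[3]}: end before start")
        regions[m[3]] = (start, end - start + 1)
    return regions

def parse_wp_list(text):
    """Return the set of (start, length) ranges the chip can protect."""
    pairs = re.findall(r"start: (0x[0-9a-fA-F]+), length: (0x[0-9a-fA-F]+)", text)
    return {(int(s, 16), int(n, 16)) for s, n in pairs}

def pick_wp_range(layout, wp_ranges, protect, keep_writable):
    """Smallest supported range covering `protect` without touching `keep_writable` regions."""
    p_start, p_len = layout[protect]
    covering = [(s, n) for s, n in wp_ranges if s <= p_start and p_start + p_len <= s + n]
    if not covering:
        raise ValueError(f"no supported range covers {protect}")
    start, length = min(covering, key=lambda r: r[1])
    for name in keep_writable:
        w_start, w_len = layout[name]
        if w_start < start + length and start < w_start + w_len:
            raise ValueError(f"range 0x{start:06x}+0x{length:06x} would lock {name}")
    return start, length

def wp_range_args(rng):
    """Format a range as the two arguments that follow --wp-range."""
    return f"0x{rng[0]:06x} 0x{rng[1]:06x}"
```

For the layout on this page, ``wp_range_args(pick_wp_range(parse_layout(LAYOUT), parse_wp_list(WP_LIST), "ro", ["rw"]))`` yields the same two arguments used in the command above.
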
After setting the range, we are still able to modify the contents of the entire ROM.
To protect the range, we have to enable write protection as follows:

.. code::

    ./flashrom --programmer=buspirate_spi:dev=/dev/buspirate --wp-enable

``WP#`` must be pulled down for the write protection to be effective, i.e. it must be connected to GND.
This prevents the user from disabling the write protection, from changing the write-protected range and
from writing to the write-protected region.
For example, writing a different blob to the region tagged as ``rw`` does work:

.. code::

    ./flashrom --programmer=buspirate_spi:dev=/dev/buspirate --layout layout.txt -i rw:ro.dat --write --ignore-fmap --fast-verify
    flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
    delay loop is unreliable, trying to continue Block protection could not be disabled!
    Erasing and writing flash chip... Verifying flash... VERIFIED.
    SUCCESS

Writing a different blob to the region tagged as ``ro``, however, does not work, as the region cannot be
erased due to write protection:

.. code::

    ./flashrom --programmer=buspirate_spi:dev=/dev/buspirate --layout layout.txt -i ro:rw.dat --write --ignore-fmap --fast-verify
    flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
    delay loop is unreliable, trying to continue Block protection could not be disabled!
    Erasing and writing flash chip... ERASE FAILED at 0x007e0000! Expected=0xff, Read=0x15, failed byte count from 0x007e0000-0x007e0fff: 0xff1
    ERASE FAILED!
    Reading current flash chip contents...

Furthermore, changing the range is not possible either as long as ``WP#`` is pulled down:

.. code::

    ./flashrom --programmer=buspirate_spi:spispeed=2M,dev=/dev/buspirate --layout layout.txt --wp-range 0x000000 0x000000
    flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
    expected=0x80, but actual=0x9a.
    FAILED

Finally, disabling the write-protection feature is not possible either as long as ``WP#`` is pulled
down:

.. code::

    ./flashrom --programmer=buspirate_spi:spispeed=2M,dev=/dev/buspirate --layout layout.txt --wp-disable
    flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
    generic_disable_writeprotect(): error=-1.
    FAILED

References
----------

* http://dangerousprototypes.com/docs/SPI
* https://www.winbond.com/resource-files/w25q128fv_revhh1_100913_website1.pdf
* https://www.pjrc.com/teensy/W25Q128FV.pdf
* https://learn.sparkfun.com/tutorials/bus-pirate-v36a-hookup-guide
* https://www.chromium.org/chromium-os/packages/cros-flashrom
* http://www.tnhh.net/posts/unbricking-chromebook-with-beaglebone.html