#### Disabling SPI write protection
Put the Chromebook in developer-mode:
- With the machine powered off, hold down Esc and Refresh (F3) while pressing the power button
- At the warning prompt, hit Control+D, then Enter at the prompt about enabling developer mode
- The machine will format itself

Now remove the write-protect screw to enable `flashrom` to flash new Coreboot/Libreboot.
Flip the powered-off machine over and remove the 8 Phillips-head screws. 2 are located under rubber feet.
With a plastic spudger/guitar pick, separate the blue case from the silver keyboard/trackpad tray. Slide the spudger along the outer seam to separate it (you'll hear a bunch of clicks).
Don't pull the bottom piece off or you'll pull out the cables to the keyboard.
Once the bottom piece is completely separated, flip the laptop over and open the lid. The keyboard should be loose. Pick it up just enough to flip it over without separating the cables.
Locate the write-protect screw on the left side (highlighted in red here).
Remove the screw.
Flip the keyboard back over so you can type, and power the machine on. Hit Control+D at the boot screen.
Click "Sign-in as guest", hit Control+Alt+T to open `crosh`, then run `shell`, `sudo sh`, and `flashrom --wp-disable`.
It should report success. `flashrom --wp-status` should confirm that write protection is disabled.
Run `halt -p` to power down, snap the keyboard tray back in, and put the screws and rubber feet back.
#### Reflashing new coreboot/libreboot
From the Chromebook, make a backup of your entire ROM before doing anything, and `scp` it off the machine to some place else.

```
# flashrom -r asus_c201_factory_flash.rom
flashrom v0.9.4 : 15e4dc9 : Apr 02 2015 22:53:02 UTC on Linux 3.14.0 (armv7l), built with libpci 3.1.10, GCC 4.9.x-google 20150123 (prerelease), little endian
Reading flash... SUCCESS
```
`fmap_decode` will show how the ROM is laid out:

```
# fmap_decode asus_c201_factory_flash.rom
fmap_signature="0x5f5f464d41505f5f" fmap_ver_major="1" fmap_ver_minor="0" fmap_base="0x0000000000000000" fmap_size="0x400000" fmap_name="FMAP" fmap_nareas="22"
area_offset="0x00000000" area_size="0x00200000" area_name="WP_RO" area_flags_raw="0x01" area_flags="static"
area_offset="0x00000000" area_size="0x001f0000" area_name="RO_SECTION" area_flags_raw="0x01" area_flags="static"
area_offset="0x00000000" area_size="0x00100000" area_name="COREBOOT" area_flags_raw="0x01" area_flags="static"
area_offset="0x00100000" area_size="0x00001000" area_name="FMAP" area_flags_raw="0x01" area_flags="static"
area_offset="0x00101000" area_size="0x000eef00" area_name="GBB" area_flags_raw="0x01" area_flags="static"
area_offset="0x001eff00" area_size="0x00000100" area_name="RO_FRID" area_flags_raw="0x01" area_flags="static"
area_offset="0x001f0000" area_size="0x00010000" area_name="RO_VPD" area_flags_raw="0x01" area_flags="static"
area_offset="0x00200000" area_size="0x00078000" area_name="RW_SECTION_A" area_flags_raw="0x01" area_flags="static"
area_offset="0x00200000" area_size="0x00002000" area_name="VBLOCK_A" area_flags_raw="0x01" area_flags="static"
area_offset="0x00202000" area_size="0x00056000" area_name="FW_MAIN_A" area_flags_raw="0x01" area_flags="static"
area_offset="0x00258000" area_size="0x0001ff00" area_name="EC_MAIN_A" area_flags_raw="0x01" area_flags="static"
area_offset="0x00277f00" area_size="0x00000100" area_name="RW_FWID_A" area_flags_raw="0x01" area_flags="static"
area_offset="0x00278000" area_size="0x00004000" area_name="RW_SHARED" area_flags_raw="0x01" area_flags="static"
area_offset="0x00278000" area_size="0x00004000" area_name="SHARED_DATA" area_flags_raw="0x01" area_flags="static"
area_offset="0x0027c000" area_size="0x00004000" area_name="RW_ELOG" area_flags_raw="0x01" area_flags="static"
area_offset="0x00280000" area_size="0x00078000" area_name="RW_SECTION_B" area_flags_raw="0x01" area_flags="static"
area_offset="0x00280000" area_size="0x00002000" area_name="VBLOCK_B" area_flags_raw="0x01" area_flags="static"
area_offset="0x00282000" area_size="0x00056000" area_name="FW_MAIN_B" area_flags_raw="0x01" area_flags="static"
area_offset="0x002d8000" area_size="0x0001ff00" area_name="EC_MAIN_B" area_flags_raw="0x01" area_flags="static"
area_offset="0x002f7f00" area_size="0x00000100" area_name="RW_FWID_B" area_flags_raw="0x01" area_flags="static"
area_offset="0x002f8000" area_size="0x00008000" area_name="RW_VPD" area_flags_raw="0x01" area_flags="static"
area_offset="0x00300000" area_size="0x00100000" area_name="RW_LEGACY" area_flags_raw="0x01" area_flags="static"
```
##### Compile your coreboot/libreboot:
You'll need a separate build machine for this. I used a 10G Ubuntu 14 virtual machine in VMware.
TODO
##### Preparing the new image to write
Only the first megabyte of your new coreboot ROM will be used, so you need to copy the other 3 megs from the backup.
From your build machine:

```
~/chros/coreboot$ dd if=build/coreboot.rom bs=1024 count=1024 of=firstmeg.rom
~/chros/coreboot$ dd if=asus_c201_factory_flash.rom bs=1024 skip=1024 of=latermegs.rom
~/chros/coreboot$ cat firstmeg.rom latermegs.rom > final.rom
```
You can verify with `fmap_decode` that your new ROM still looks like the old one.
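
The splice and the layout check above can also be done programmatically. The following Python is an added example, not code from the original page: it parses the binary FMAP structure, repeats the `dd`/`cat` splice in memory, and reports whether everything past the first megabyte, including the FMAP at `0x00100000`, is unchanged from the backup. The header and area field layout is assumed from the flashmap format that `fmap_decode` reads; the function names and the small constructed sample image are illustrative.

```python
import struct

FMAP_SIG = b"__FMAP__"               # fmap_signature 0x5f5f464d41505f5f as ASCII
HDR = struct.Struct("<8sBBQI32sH")   # signature, ver_major, ver_minor, base, size, name, nareas
AREA = struct.Struct("<II32sH")      # offset, size, name, flags
MIB = 1024 * 1024

def parse_fmap(rom):
    """Return (offset_of_fmap, {area_name: (offset, size)}) for the first valid FMAP."""
    pos = rom.find(FMAP_SIG)
    while pos >= 0 and pos + HDR.size <= len(rom):
        _, major, _, _, size, _, nareas = HDR.unpack_from(rom, pos)
        if major == 1 and size == len(rom):   # skip stray copies of the signature string
            areas = {}
            for i in range(nareas):
                off, sz, name, _ = AREA.unpack_from(rom, pos + HDR.size + i * AREA.size)
                areas[name.rstrip(b"\0").decode()] = (off, sz)
            return pos, areas
        pos = rom.find(FMAP_SIG, pos + 1)
    raise ValueError("no valid FMAP found")

def splice(build, backup, boundary=MIB):
    """Same result as the dd/cat steps: first MiB of the build, remainder of the backup."""
    if len(build) < boundary:
        raise ValueError("build is smaller than the region being replaced")
    return build[:boundary] + backup[boundary:]

def check_final(final, backup, boundary=MIB):
    """Return a list of problems; empty means final matches the backup past the boundary."""
    problems = []
    if len(final) != len(backup):
        problems.append("size differs from backup")
    if final[boundary:] != backup[boundary:]:
        problems.append("data after the boundary differs from backup")
    try:
        if parse_fmap(final) != parse_fmap(backup):
            problems.append("FMAP differs from backup")
        if parse_fmap(backup)[1]["COREBOOT"] != (0, boundary):
            problems.append("COREBOOT area is not exactly the replaced range")
    except (ValueError, KeyError, struct.error) as exc:
        problems.append(f"FMAP check failed: {exc}")
    return problems

def sample_backup():
    """Constructed 4 MiB image carrying three of the areas from the listing above."""
    areas = [(0, MIB, b"COREBOOT"), (MIB, 0x1000, b"FMAP"), (0x101000, 0xeef00, b"GBB")]
    fmap = HDR.pack(FMAP_SIG, 1, 0, 0, 4 * MIB, b"FMAP", len(areas))
    fmap += b"".join(AREA.pack(o, s, n, 1) for o, s, n in areas)
    return b"\xff" * MIB + fmap + b"\xff" * (3 * MIB - len(fmap))
```

On real files, read `final.rom` and the factory backup with `open(path, "rb").read()` and pass both to `check_final`; any entry in the returned list is a reason not to flash yet.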
Now `scp` it to your Chromebook and flash it:

```
# flashrom -w final.rom
flashrom v0.9.4 : e6a7ca8 : May 12 2015 18:14:00 UTC on Linux 3.14.0 (armv7l), built with libpci 3.1.10, GCC 4.9.x-google 20150123 (prerelease), little endian
Erasing and writing flash chip... Verifying flash... VERIFIED.
SUCCESS
```
Reboot and hope it worked. If not, continue reading.
#### Unbricking
If your flashing went bad, you'll be unable to boot. To fix this, you'll have to reflash your backup from another machine. You can do this fairly easily with a Bus Pirate, an SOIC8 test clip, and some cables to connect pins between the two.
Use the instructions above to remove the keyboard. Remove the 8 or so screws holding the large heatsink to the case over the motherboard, exposing the battery connector. Unplug the battery.
Attach your test clip to the flash chip located just to the left of the write-protect screw, noting the dot on the lower left of the chip marking pin 1.
Connect wires from pins of the Bus Pirate to the pins on the test clip. The SPI chip pins are as follows, with the dot in the lower left.

```
  VCC
  | HOLD
  | | SCLK
  8 7 6 5-MOSI
 +-------+
 |       |
 |o      |
 +-------+
  1 2 3 4-GND
  | | WP
  | MISO
  CS
```

- Bus Pirate GND -> SPI pin 4 (GND)
- Bus Pirate 3V3 -> SPI pin 8 (VCC)
- Bus Pirate CLK -> SPI pin 6 (SCLK)
- Bus Pirate MOSI -> SPI pin 5 (MOSI)
- Bus Pirate CS -> SPI pin 1 (CS)
- Bus Pirate MISO -> SPI pin 2 (MISO)

If your build machine doesn't have it already, install flashrom (`apt-get install flashrom` on Ubuntu).
Once wired up, run `flashrom -p buspirate_spi:dev=/dev/ttyUSB0` with no file argument to make sure it can detect the SPI flash chip on the Chromebook through your Bus Pirate.
If wired properly, it should find the GigaDevice chip.
If it reports an error or a generic chip (`0x00`), your clip is not on properly or is wired up wrong.

```
~/chros/flashrom-0.9.8$ sudo ./flashrom -p buspirate_spi:dev=/dev/ttyUSB0
flashrom v0.9.8-r1888 on Linux 3.19.0-25-generic (x86_64)
flashrom is free software, get the source code at http://www.flashrom.org
Calibrating delay loop... delay loop is unreliable, trying to continue OK.
Found GigaDevice flash chip "GD25Q32(B)" (4096 kB, SPI) on buspirate_spi.
No operations were specified.
```

Now just flash the backup you made before reflashing, using the command above with `asus_c201_factory_flash.rom`.
If you lost your backup, you can download the backup I made, but no guarantees that it will work on your machine:
https://jcs.org/tmp/asus_c201_factory_flash.rom - MD5 e4478311e77745a1aff0a1117cc65010
If all went well, after about 10 minutes of erasing and flashing, it should report success. Remove the test clip, reattach the battery, plug the power cable in, and it should boot to the Chrome "OS verification is OFF" screen.
#### References