Hi,
I am following the instruction found in the flashrom -V output. I want to attempt replacing the evil RSA signed Insyde BIOS that stops me from installing PCIe Mini cards of my choice.
I do not fully understand yet all the output of flashrom and why the flash chip autodetection is limited to a very small subset of the supported chips but I have taken a look on the motherboard and I have spotted a Winbond W25Q16 chip on it.
I have started to modify inteltool and msrtool in order to support my processor (Intel Atom N455). I will probably join your dev mailing list to offer my patches when they are ready and also ask advices for my coreboot project.
Thank you,
On Thu, 24 Jan 2013 22:42:22 -0500 Olivier Langlois olivier@olivierlanglois.net wrote:
I am following the instruction found in the flashrom -V output. I want to attempt replacing the evil RSA signed Insyde BIOS that stops me from installing PCIe Mini cards of my choice.
I do not fully understand yet all the output of flashrom and why the flash chip autodetection is limited to a very small subset of the supported chips but I have taken a look on the motherboard and I have spotted a Winbond W25Q16 chip on it.
Because...
Found chipset "Intel NM10" with PCI ID 8086:27bc. Enabling flash write... … GCS = 0x5d0c60: BIOS Interface Lock-Down: disabled, Boot BIOS Straps: 0x3 (LPC)
The chipset is configured to boot via LPC, hence we do only probe for LPC chips. But your chip is SPI, how does that fit together? The solution of this apparent contradiction is that the superio is translating between LPC on the host side and SPI on the flash side. This is (or was) a common scheme in laptops and one of the reasons why adding support for them is so hard (the superio datasheets are often hard to come by). There is nobody working on adding support for your superio ATM, but Carl-Daniel might have a further developed patch on his harddisk or be able to give you more details about it.
I have started to modify inteltool and msrtool in order to support my processor (Intel Atom N455). I will probably join your dev mailing list to offer my patches when they are ready and also ask advices for my coreboot project.
I am looking forward to it :) For most other coreboot-related topics there is the coreboot@coreboot.org mailing list, and all none-flashrom patches should be submitted via gerrit, see http://www.coreboot.org/Git
Because...
Found chipset "Intel NM10" with PCI ID 8086:27bc. Enabling flash write... … GCS = 0x5d0c60: BIOS Interface Lock-Down: disabled, Boot BIOS Straps: 0x3 (LPC)
The chipset is configured to boot via LPC, hence we do only probe for LPC chips. But your chip is SPI, how does that fit together? The solution of this apparent contradiction is that the superio is translating between LPC on the host side and SPI on the flash side. This is (or was) a common scheme in laptops and one of the reasons why adding support for them is so hard (the superio datasheets are often hard to come by). There is nobody working on adding support for your superio ATM, but Carl-Daniel might have a further developed patch on his harddisk or be able to give you more details about it.
This stuff is so fun! I kid you not, I spent only 1 evening with your tools and I am already seeing dmesg output much differently then yesterday :-)
I will be working on my superio if necessary. Hopefully, I'll be able to get some assistance from you.
That being said, I am a little bit surprised by your diagnostic because I have gathered information as suggested on
http://www.coreboot.org/Laptop
and superiotool has reported:
Found ITE IT8502E/TE/G (id=0x8502, rev=0x1) at 0x4e
Since the first entry in the Laptop survey table on the same page is reporting a successful installation with the same superio, I was hoping that my quest would be trivial. Apparently things aren't that simple
So the same superio chip can be configured to work with LPC or SPI flash?
For my flash chip, god I think I'll need a magnifying glass. On the chip, it is written:
25Q168VSIC 1120 or maybe it is 25Q16BVSIG 1120
I have downloaded the W25Q16BV chip datasheet. Does someone know if it is the same than the W25Q16 supported by flashrom?
Carl-Daniel: You are welcome to directly communicate with me if you have information to share concerning the superio chip.
Greetings, Olivier
On Fri, 25 Jan 2013 01:40:20 -0500 Olivier Langlois olivier@olivierlanglois.net wrote:
Because...
Found chipset "Intel NM10" with PCI ID 8086:27bc. Enabling flash write... … GCS = 0x5d0c60: BIOS Interface Lock-Down: disabled, Boot BIOS Straps: 0x3 (LPC)
The chipset is configured to boot via LPC, hence we do only probe for LPC chips. But your chip is SPI, how does that fit together? The solution of this apparent contradiction is that the superio is translating between LPC on the host side and SPI on the flash side. This is (or was) a common scheme in laptops and one of the reasons why adding support for them is so hard (the superio datasheets are often hard to come by). There is nobody working on adding support for your superio ATM, but Carl-Daniel might have a further developed patch on his harddisk or be able to give you more details about it.
This stuff is so fun! I kid you not, I spent only 1 evening with your tools and I am already seeing dmesg output much differently then yesterday :-)
I will be working on my superio if necessary. Hopefully, I'll be able to get some assistance from you.
Maybe not from me because I am not very familiar with the SPI-LPC-translation of ECs, but you are welcomed to ask (also in the IRC channels #coreboot and #flashrom). First of all you should get the datasheet for the EC. I dont have it, but if you can not google it, someone else in the channel might have it.
That being said, I am a little bit surprised by your diagnostic because I have gathered information as suggested on
http://www.coreboot.org/Laptop
and superiotool has reported:
Found ITE IT8502E/TE/G (id=0x8502, rev=0x1) at 0x4e
Since the first entry in the Laptop survey table on the same page is reporting a successful installation with the same superio, I was hoping that my quest would be trivial. Apparently things aren't that simple
But in that case the flash IS LPC not SPI so no translation is needed. I am not sure if the flash chip is attached to the SB directly or shared with the EC, but the bus difference alone would explain the difference.
So the same superio chip can be configured to work with LPC or SPI flash?
I am not sure about that, but I think so. The main question in general is though if the firmware for the host (usually a BIOS) shares the same flash chip with the firmware for the EC. Since most(?) ECs execute the code directly from flash it is of course not a good idea to erase the flash while the EC fetches instructions from it... :) The host needs to tell the EC to stop executing that code before flashing and reenable it afterwards, see also: http://flashrom.org/Laptops http://flashrom.org/Laptop_enable
For my flash chip, god I think I'll need a magnifying glass. On the chip, it is written:
25Q168VSIC 1120 or maybe it is 25Q16BVSIG 1120
Good light helps tremendously, glasses too. It is most probably B in this case.
I have downloaded the W25Q16BV chip datasheet. Does someone know if it is the same than the W25Q16 supported by flashrom?
Yes it is the same, the differences are not of concern to flashrom. You can pretty much forget the flash chip. It is well supported and wont be a problem for you, but the path between the host and the flash chip is/will.
Carl-Daniel: You are welcome to directly communicate with me if you have information to share concerning the superio chip.
He is very busy usually, but I'll try to poke him a bit regarding this.
That being said, I am a little bit surprised by your diagnostic because I have gathered information as suggested on
http://www.coreboot.org/Laptop
and superiotool has reported:
Found ITE IT8502E/TE/G (id=0x8502, rev=0x1) at 0x4e
Since the first entry in the Laptop survey table on the same page is reporting a successful installation with the same superio, I was hoping that my quest would be trivial. Apparently things aren't that simple
But in that case the flash IS LPC not SPI so no translation is needed. I am not sure if the flash chip is attached to the SB directly or shared with the EC, but the bus difference alone would explain the difference.
I have induced you in error. The person that has been able to successfully flash his laptop had a ITE8510. Similar names, probably totally different beasts.
So the same superio chip can be configured to work with LPC or SPI flash?
I am not sure about that, but I think so. The main question in general is though if the firmware for the host (usually a BIOS) shares the same flash chip with the firmware for the EC. Since most(?) ECs execute the code directly from flash it is of course not a good idea to erase the flash while the EC fetches instructions from it... :) The host needs to tell the EC to stop executing that code before flashing and reenable it afterwards, see also: http://flashrom.org/Laptops http://flashrom.org/Laptop_enable
I have read these links and I have now a much better understanding of the size of the task waiting me than I did when I sent my first e-mail to the list!
Among other things, now that I realized that the bios contains EC code for which no public doc exists, it seems improbable that coreboot ever 'officially' support my hardware as the only way to support it would be to extract the EC code from a vendor BIOS and copy it.
There is no way you can come up with original code without doc or maybe I am not creative enough to see ways.
I have a copy of my vendor BIOS. The file is exactly 2MB so this boosts my confidence level that the flash chip that I saw is the good one.
I'll study it a little bit to see if I can extract some insights. How about analyzing the vendor flash utility? Can that be useful?
I was considering getting myself an external programmer. paraflash sounds really cool but unfortunately not very useful with SPI.
From my research for now, my best option seems to be a Bus pirate. It
seems like the most versatile choice. On top of being a programmer, you can apparently use it for sniffing and program flash without unsoldering the chip.
Should that be enough or should I consider to mod my board by installing a SOIC-8 socket on my board?
One last question. Where could I get some info about usual BIOS file format and disassembly tools?
The tool that I have used to decrypt the bios file creates a dump of the BIOS consisting of 20-25 small bin files having a UUID as name. Is this a pure invention of the tool that I have used or UUIDs are really commonly used to delimitate the different BIOS sections?
I am using objdump as dissembler. I saw a reference to IDAPRo on flashrom.org. Is there other alternative? For having done some disassembly reading 10-15 years ago, one feature that I really liked from the tool that I did use is that it was replacing/annotating instructions with an address with the string value if the address was pointing on a string.
It was also replacing function address with a symbol name when possible. Those 2 small features made a huge difference in the readability of the output for inexperienced eyes....
On 28/01/13 06:59, Olivier Langlois wrote:
Among other things, now that I realized that the bios contains EC code for which no public doc exists, it seems improbable that coreboot ever 'officially' support my hardware as the only way to support it would be to extract the EC code from a vendor BIOS and copy it.
Indeed. But this is a flashrom mailing list; getting flashrom working and doing a coreboot port are two very different issues.
There is no way you can come up with original code without doc or maybe I am not creative enough to see ways.
I have a copy of my vendor BIOS. The file is exactly 2MB so this boosts my confidence level that the flash chip that I saw is the good one.
Good.
I'll study it a little bit to see if I can extract some insights. How about analyzing the vendor flash utility? Can that be useful?
The flash utility will probably be little use. The code to actually access the flash device is probably in the main firmware image.
I was considering getting myself an external programmer. paraflash sounds really cool but unfortunately not very useful with SPI.
From my research for now, my best option seems to be a Bus pirate. It seems like the most versatile choice. On top of being a programmer, you can apparently use it for sniffing and program flash without unsoldering the chip.
Should that be enough or should I consider to mod my board by installing a SOIC-8 socket on my board?
Your choice as to how you want to connect to the device. You may find the socket useful but it is probably not essential.
One last question. Where could I get some info about usual BIOS file format and disassembly tools?
The tool that I have used to decrypt the bios file creates a dump of the BIOS consisting of 20-25 small bin files having a UUID as name. Is this a pure invention of the tool that I have used or UUIDs are really commonly used to delimitate the different BIOS sections?
It is not a BIOS at all but in fact UEFI firmware. UEFI uses UUIDs for various purposes including identifying different drivers etc.
I am using objdump as dissembler. I saw a reference to IDAPRo on flashrom.org. Is there other alternative? For having done some disassembly reading 10-15 years ago, one feature that I really liked from the tool that I did use is that it was replacing/annotating instructions with an address with the string value if the address was pointing on a string.
It was also replacing function address with a symbol name when possible. Those 2 small features made a huge difference in the readability of the output for inexperienced eyes....
IDA is really good. You can probably still find the last version that was free to use on the 'net.
Andrew
-
Andrew Goodbody -
Olivier Langlois -
Stefan Tauner