[coreboot] ENE KB3940Q-A1 embedded controller custom firmware

Youness Alaoui kakaroto at kakaroto.homelinux.net
Mon Mar 5 21:00:37 CET 2018


On Sun, Mar 4, 2018 at 4:50 AM, Paul Kocialkowski <contact at paulk.fr> wrote:
> Hi,
>
> On Friday, 16 February 2018 at 14:09 -0500, Youness Alaoui wrote:
>> > > Sure, you can trust hardware flashing more than software flashing, but
>> > > I really need software flashing. If it was just for me, yeah, I could
>> > > fiddle with it to flash it by hardware for my personal needs, but when
>> > > it's about deploying it to all our customer base, that's another
>> > > story, the only solution is software flashing. Obviously, it would
>> > > have to work in coreboot, so whatever coreboot is doing wrong (or AMI
>> > > is doing right.. my guess is that it's probably something with the EC
>> > > ACPI code), we'd have to figure that out first in order to get the
>> > > read/write support.
>> >
>> > Either way, since the EC firmware resides in the SPI flash, it'll be no
>> > issue to reflash it both by software and hardware.
>>
>> On the librems, the EC firmware resides in a separate 64KB SPI flash,
>> it's not shared with the bios, and I haven't found a way to access it.
>
> Is it really only 64 KiB? The chip definitely supports more and it seems
> a bit small to fit the whole firmware.
>

Yes, it's a MX25L512. I can send you the firmwares that were on it if
you're curious (each machine revision had a different firmware, even
though it's the same ENE chip in all of them, I don't know enough
about the EC to know if that's normal).

The cool thing is that I was able to flash the chip externally, but
only when I corrupted the EC firmware (I erased the first page and the
laptop crashed before I finished re-programming it by software). I
reproduced it twice again: if the EC firmware has crashed, it stops
accessing the SPI flash and we can program it with an external
flasher, otherwise, the EC prevents us from accessing it. So I think
it might be possible to simply short the MOSI/MISO to VCC to cause the
firmware to be unreadable, so the EC doesn't boot, then we should be
able to read/write from the EC with a Pomona clip.


