[coreboot] ENE KB3940Q-A1 embedded controller custom firmware

Mike Banon mikebdp2 at gmail.com
Mon Mar 5 22:04:14 CET 2018


> otherwise, the EC prevents us from accessing it
Maybe KB3940Q has the same protection as KB9012 : unless the EC's
ground pin has been shortened with motherboard's ground _before_ you
have powered a motherboard, you would not have any access; otherwise,
EC will go into debug mode and you'll have the full access to its'
internal memory. To avoid the soldering, you could look through the
instructions described here -
http://dangerousprototypes.com/docs/Flashing_KB9012_with_Bus_Pirate ;
in short : use a keyboard flex cable to reach EC spi pins as well as
its' ground, and a test hook clip to easily get a ground of your
motherboard

On Mon, Mar 5, 2018 at 11:00 PM, Youness Alaoui
<kakaroto at kakaroto.homelinux.net> wrote:
> On Sun, Mar 4, 2018 at 4:50 AM, Paul Kocialkowski <contact at paulk.fr> wrote:
>> Hi,
>>
>> Le vendredi 16 février 2018 à 14:09 -0500, Youness Alaoui a écrit :
>>> > > Sure, you can trust hardware flashing more than software flashing,
>>> > > but
>>> > > I really need software flashing. If it was just for me, yeah, I
>>> > > could
>>> > > fiddle with it to flash it by hardware for my personal needs, but
>>> > > when
>>> > > it's about deploying it to all our customer base, that's another
>>> > > story, the only solution is software flashing. Obviously, it would
>>> > > have to work in coreboot, so whatever coreboot is doing wrong (or
>>> > > AMI
>>> > > is doing right.. my guess is that it's probably something with the
>>> > > EC
>>> > > ACPI code), we'd have to figure that out first in order to get the
>>> > > read/write support.
>>> >
>>> > Either way, since the EC firmware resides in the SPI flash, it'll be
>>> > no
>>> > issue to reflash it both by software and hardware.
>>>
>>> On the librems, the EC firmware resides in a separate 64KB SPI flash,
>>> it's not shared with the bios, and I haven't found a way to access it.
>>
>> Is it really only 64 KiB? The chip definitely supports more and it seems
>> a bit small to fit the whole firmware.
>>
>
> Yes, it's a MX25L512. I can send you the firmwares that were on it if
> you're curious (each machine revision had a different firmware, even
> though it's the same ene chip in all of them, I don't know enough
> about the EC to know if that's normal).
>
> The cool thing is that I was able to flash the chip externally, but
> only when I corrupted the EC firmware (I erased the first page and the
> laptop crashed before I finished re-programming it by software). I
> reproduced it twice again, if the EC firmware has crashed, it stops
> accessing the SPI flash and we can program it with an external
> flasher, otherwise, the EC prevents us from accessing it. So I think
> it might be possible to simply short the MOSI/MISO to VCC to cause the
> firmware to be unreadable, so the EC doesn't boot, then we should be
> able to read/write from the EC with a pomona clip.



More information about the coreboot mailing list