[flashrom] Flashrom current trunk is to circumvent password protections on laptops?
jo.lee at gmx.net
Wed Jan 13 09:56:17 CET 2010
Already reported this in IRC, but was asked to send it to the mailing list:
I managed to flash a password protected BIOS on an HP TC4400 without
actually knowing the password, resulting in a complete erase of the
whole Eeprom, including its password and all system related
information (serial number, model, etc.).
The vendor tools both for DOS(rompaq) and Windows(hpqflash) won't let me
do it without having to enter the password, thus I gave flashrom a try.
Here's what I did (not a very elegant approach, though it worked):
1. Get Ubuntu onto USB the usual way (see System --> System management --> Create
2. Create a FreeDOS floppy disk with peritools on it. Here's one
containing it: http://stashbox.org/665101/DIYVDock-conf.RAR
3. Boot into Ubuntu
4. sudo setpci -s 0:1f.0 f0
5. sudo setpci -s 0:1f.0 f1
6. sudo setpci -s 0:1f.0 f2
7. sudo setpci -s 0:1f.0 f3
8. f3+f2+f1+f0 = Offset for RCBA, e.g. 0xFED90001
9. Feature flags are at RCBA+0x3418, e.g. 0xFED93418
10. Boot from floppy
11. pt MEM read 4 RCBAOffset, e.g.: pt MEM read 4 0xFED93418
12. Sample Output: 0x003400E9
13. Bit 4 from right is for SMBus --> Change to 0x003400E1:
14. pt MEM write 4 0xFED93418 0x003400E1
15. Chainload Ubuntu from FreeDOS:
16. edit A:\grub.cfg
17. add line: title Ubuntu USB
18. add line: root (hd0,0)
19. add line: kernel /casper/vmlinuz noprompt cdrom-detect/try-usb=true persistent file=/cdrom/preseed/ubuntu.seed boot=casper quiet
20. add line: initrd /casper/initrd.lz
21. start grub: grub --config-file=grubmenu.cfg
22. Boot Ubuntu by selecting it from the menu
23. sudo apt-get install subversion
24. sudo apt-get install pcilib-dev
25. Build flashrom from svn, instructions: http://www.flashrom.org/Downloads
26. flashrom -w rom.bin -V
Explanations for all steps:
1: Designated for running flashrom
2: Used with a certain software(peritool) to change some contents in
memory before chainbooting Ubuntu
3-14: Enable the SMBus controller. Usually, the Embedded Controller
disables it, preventing certain SPI communication. In detail:
3-9: Determine offset for the Function Disable Register
10-14: Read out the current register value and change bit 3 to 0
(which means SMBus is enabled)
15-22: Chainload Ubuntu
23-25: Build current flashrom trunk
26: Flash the BIOS
For background information and an alternative, floppyless method regarding
3-14, see here:
http://forum.notebookreview.com/showpost.php?p=5479271&postcount=283
The most interesting part was that flashrom v0.9.1-r706 didn't do the
job. It's the version which installs via apt-get install flashrom. Only
the trunk version was able to do it. It failed at the first try; however, it
used a different function to erase the Eeprom, and then was able to
write it.
It looks like the Embedded Controller is doing its job to block the
usual erase function, but not the second one. That's a pretty ugly flaw.
Maybe 3-14 weren't necessary at all; however, I wanted to make sure
there's no missing part for SPI communication. Maybe someone could
verify this with another laptop.
I've attached verbose output from both flashrom versions.
Attachment: flashrom v0.9.1-r706.txt
URL: <http://www.flashrom.org/pipermail/flashrom/attachments/20100113/87760fa2/attachment.txt>
Attachment: flashrom v0.9.1-r862.txt
URL: <http://www.flashrom.org/pipermail/flashrom/attachments/20100113/87760fa2/attachment-0001.txt>
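Steps 3-14 of the post above are pure register arithmetic until the final `pt MEM write`, and getting the address or the bit wrong means poking a random chipset register from DOS. The following script is an added example, not code from the post or from the flashrom project; it reproduces that arithmetic so the FD address and the new value can be checked against the setpci output before anything is written. It assumes, beyond what the post states, that the four `setpci -s 0:1f.0 f0`..`f3` reads are one byte each and form a little-endian dword, that RCBA bit 0 is the enable bit with the base in bits 31:14 (as documented for ICH7-class southbridges), and that FD bit 3 is SMBus Disable as the post says. The sample setpci output and FD value are constructed to match the post's example numbers.

```python
# Added example (not from the original post or the flashrom project):
# recompute steps 3-14 of the post so the FD register address and the new
# value can be checked before anything is written to memory.
#
# Assumptions beyond what the post states:
#   - `setpci -s 0:1f.0 f0` .. `f3` each print one byte (hex, one per line),
#     lowest offset first; together they form a little-endian dword.
#   - RCBA bit 0 is the enable bit and the base is 16 KiB aligned (bits 31:14),
#     as documented for ICH7-class southbridges.
#   - FD is at RCBA + 0x3418 and its bit 3 is SMBus Disable, as in the post.

RCBA_BASE_MASK = 0xFFFF_C000   # bits 31:14 carry the base address
RCBA_ENABLE = 1 << 0           # bit 0: RCBA is only mapped when this is set
FD_OFFSET = 0x3418             # Function Disable register, relative to RCBA
FD_SMBUS_DISABLE = 1 << 3      # FD bit 3: 1 = SMBus controller disabled

# Constructed sample: what steps 4-7 print on a machine whose RCBA is 0xFED90001.
SAMPLE_SETPCI_OUTPUT = ["01", "00", "d9", "fe"]
# Constructed sample: the FD value read back in step 12.
SAMPLE_FD_VALUE = 0x003400E9


def rcba_from_setpci(byte_lines):
    """Assemble the 32-bit RCBA value from the four byte reads (f0, f1, f2, f3)."""
    if len(byte_lines) != 4:
        raise ValueError("need exactly four bytes, offsets f0..f3")
    value = 0
    for i, line in enumerate(byte_lines):
        value |= (int(line.strip(), 16) & 0xFF) << (8 * i)
    return value


def fd_address(rcba):
    """Physical address of FD (step 9). Refuses to continue if RCBA is not enabled."""
    if not rcba & RCBA_ENABLE:
        raise RuntimeError("RCBA enable bit is clear; chipset register space is not mapped")
    return (rcba & RCBA_BASE_MASK) + FD_OFFSET


def smbus_disabled(fd_value):
    """True when FD bit 3 is set, i.e. the SMBus controller is hidden."""
    return bool(fd_value & FD_SMBUS_DISABLE)


def enable_smbus(fd_value):
    """Step 13: clear only bit 3, leaving every other function-disable bit as it was."""
    return fd_value & ~FD_SMBUS_DISABLE & 0xFFFF_FFFF


def peritool_commands(rcba, fd_value):
    """The two `pt MEM` lines of steps 11 and 14 for this machine's values."""
    addr = fd_address(rcba)
    return [
        f"pt MEM read 4 0x{addr:08X}",
        f"pt MEM write 4 0x{addr:08X} 0x{enable_smbus(fd_value):08X}",
    ]


if __name__ == "__main__":
    rcba = rcba_from_setpci(SAMPLE_SETPCI_OUTPUT)
    print(f"RCBA     = 0x{rcba:08X}")
    print(f"FD at      0x{fd_address(rcba):08X}")
    print(f"FD value = 0x{SAMPLE_FD_VALUE:08X}, SMBus disabled: {smbus_disabled(SAMPLE_FD_VALUE)}")
    for cmd in peritool_commands(rcba, SAMPLE_FD_VALUE):
        print(cmd)
```

Run it with the bytes your own `setpci` prints; `setpci -s 0:1f.0 f0.L` reads the same dword in one go if you prefer to skip the four single-byte reads. The script only computes values; the write itself still happens from DOS as in step 14, and writing FD at a wrong address or with extra bits changed can take other devices offline or hang the machine, which is why the helper refuses to derive an address from an RCBA whose enable bit is clear.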