[flashrom] FAILED: HM77 (Macbook Pro retina)

Trammell Hudson hudson at osresearch.net
Mon Dec 31 21:02:51 CET 2012


On Dec 31 2012 11:13 AM, Stefan Tauner wrote:
> Trammell Hudson <hudson at osresearch.net> wrote:
>> No changes were written to the executable portions of the ROM.  The
>> data regions at 0x2000-0x2FFF, 0x6400-0x67FF, 0xC000-0x14FFF, 0x1C000,
>> 0x3C000, 0x40000-0x4BFFF were overwritten correctly.  My firmware image
>> differed only in those regions below 0x190000, so it might have
>> successfully written to the entire 0x0-0x4BFFF (or even higher) space.
>
> The terms executable and data region are not very accurate. The ME
> region (0x00001000 - 0x0018ffff) is executed by the embedded controller
> embedded in the PCH.

Interesting.  Is the ME region common to all motherboards?  On this 
Macbook part of that region (starting at offset 0x2000) appears to be 
re-written on almost every boot and is perhaps used to store some sort 
of OSX related data.  It is written/erased in 4KB chunks and starts with 
the magic number 0x474F4C46 ("FLOG").  The previously written portion is 
erased with 0xFF and possibly some bookkeeping data.  There is a 
different region in the flashrom (around offset 0x670000) that OSX uses 
to store the nvram data in an EFI firmware volume and is also rewritten 
on most boots.

On Macbooks it appears that the EFI firmware volumes with executables 
start at 0x190000, so I had mentally written off everything below that 
as data; my understanding of how the ROM is split up is inexact and is 
based only on my observations of what I've seen with this motherboard.


>> The ROM image that I was writing had changes in the executable firmware
>> volume starting at 0x190000.
>
> This contradicts what you wrote in the first paragraph (but is in line
> with the log).

I was unclear, sorry.  I had made changes in the executable code stored 
in the EFI firmware volume at 0x190000 (length 0x1A0000) and was 
attempting to write them to the chip with flashrom, but as you can see 
in the logs, that portion of the ROM was unchanged.  I have since 
successfully flashed the changes via my own SPI hardware device.

-- 
Trammell
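
The comparison discussed in this message (which 4KB blocks changed between two dumps, and which region they fall in) can be sketched as follows. This is an added example, not code from the message or from flashrom. The region bounds are the ones quoted in the thread for this one board, the magic is assumed to be stored little-endian so that the bytes read "FLOG", and the sample images are constructed.

```python
import struct

BLOCK = 0x1000  # 4 KB, the erase/write granularity reported in the message
# Bounds as stated in the thread; nvram ("around 0x670000") is left unlabelled.
REGIONS = [
    ("ME region", 0x001000, 0x18FFFF),
    ("EFI firmware volume", 0x190000, 0x190000 + 0x1A0000 - 1),
]

def changed_ranges(old: bytes, new: bytes, block: int = BLOCK):
    """Return merged (start, end) inclusive ranges of blocks that differ."""
    if len(old) != len(new):
        raise ValueError("images differ in size; refusing to compare")
    ranges = []
    for off in range(0, len(old), block):
        if old[off:off + block] == new[off:off + block]:
            continue
        end = min(off + block, len(old)) - 1
        if ranges and ranges[-1][1] + 1 == off:
            ranges[-1] = (ranges[-1][0], end)   # extend the adjacent range
        else:
            ranges.append((off, end))
    return ranges

def label(start: int, end: int):
    """Names of the known regions a range overlaps, or ['unmapped']."""
    hits = [n for n, lo, hi in REGIONS if start <= hi and end >= lo]
    return hits or ["unmapped"]

def flog_blocks(image: bytes, block: int = BLOCK):
    """Offsets of blocks whose first 4 bytes read as LE uint32 0x474F4C46."""
    return [off for off in range(0, len(image) - 3, block)
            if struct.unpack_from("<I", image, off)[0] == 0x474F4C46]

def demo_images():
    # Constructed sample data, not a real dump: 4 MB of erased flash (0xFF).
    old = bytearray(b"\xff" * 0x400000)
    old[0x2000:0x2004] = b"FLOG"
    new = bytearray(old)
    new[0x3000:0x3004] = b"FLOG"       # log moved to the next 4 KB block
    new[0x2000:0x2004] = b"\xff" * 4   # previous block erased
    new[0x1A0010] = 0x90               # one byte changed in the firmware volume
    return bytes(old), bytes(new)

if __name__ == "__main__":
    for s, e in changed_ranges(*demo_images()):
        print(f"0x{s:06X}-0x{e:06X}  {', '.join(label(s, e))}")
```
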



