[flashrom] Broadwell-DE SoC
Ed Swierk
eswierk at skyportsystems.com
Tue Aug 2 21:34:53 CEST 2016
With Nico's patches, I am able to read the BIOS portion of the flash
(0x08000000-0x10000000) on a Camelback Mountain board with the stock
BIOS.
I haven't been able to write the BIOS portion of the flash, though, as
it fails to erase the very first block. Despite the warning, the flash
is left untouched.
$ sudo ./flashrom -p internal -l 16mb.xml -i bios -w coreboot.rom -A -V
flashrom v0.9.9-r1954 on Linux 4.2.0-16-generic (x86_64)
flashrom is free software, get the source code at https://flashrom.org
flashrom was built with libpci 3.2.1, GCC 4.8.4, little endian
Command line (10 args): ./flashrom -p internal -l 16mb.xml -i bios -w
coreboot.rom -A -V
romlayout 00800000 - 00ffffff named bios
Using region: "bios".
Calibrating delay loop... OS timer resolution is 1 usecs, 1995M loops
per second, 10 myus = 10 us, 100 myus = 100 us, 1000 myus = 1006 us,
10000 myus = 10008 us, 4 myus = 4 us, OK.
Initializing internal programmer
No coreboot table found.
Using Internal DMI decoder.
DMI string chassis-type: "Rack Mount Chassis"
DMI string system-manufacturer: "Intel Corp."
DMI string system-product-name: "GRANGEVILLE"
DMI string system-version: "E63448-400"
DMI string baseboard-manufacturer: "Intel Corp."
DMI string baseboard-product-name: "GRANTLEY"
DMI string baseboard-version: "E63448-400"
Found chipset "Intel C224" with PCI ID 8086:8c54.
This chipset is marked as untested. If you are using an up-to-date version
of flashrom *and* were (not) able to successfully update your firmware with it,
then please email a report to flashrom at flashrom.org including a
verbose (-V) log.
Thank you!
Enabling flash write... Root Complex Register Block address = 0xfed1c000
GCS = 0xc21: BIOS Interface Lock-Down: enabled, Boot BIOS Straps: 0x3 (SPI)
Top Swap: not enabled
0xfff80000/0xffb80000 FWH IDSEL: 0x0
0xfff00000/0xffb00000 FWH IDSEL: 0x0
0xffe80000/0xffa80000 FWH IDSEL: 0x1
0xffe00000/0xffa00000 FWH IDSEL: 0x1
0xffd80000/0xff980000 FWH IDSEL: 0x2
0xffd00000/0xff900000 FWH IDSEL: 0x2
0xffc80000/0xff880000 FWH IDSEL: 0x3
0xffc00000/0xff800000 FWH IDSEL: 0x3
0xff700000/0xff300000 FWH IDSEL: 0x4
0xff600000/0xff200000 FWH IDSEL: 0x5
0xff500000/0xff100000 FWH IDSEL: 0x6
0xff400000/0xff000000 FWH IDSEL: 0x7
0xfff80000/0xffb80000 FWH decode enabled
0xfff00000/0xffb00000 FWH decode enabled
0xffe80000/0xffa80000 FWH decode enabled
0xffe00000/0xffa00000 FWH decode enabled
0xffd80000/0xff980000 FWH decode enabled
0xffd00000/0xff900000 FWH decode enabled
0xffc80000/0xff880000 FWH decode enabled
0xffc00000/0xff800000 FWH decode enabled
0xff700000/0xff300000 FWH decode enabled
0xff600000/0xff200000 FWH decode enabled
0xff500000/0xff100000 FWH decode enabled
0xff400000/0xff000000 FWH decode enabled
Maximum FWH chip size: 0x100000 bytes
SPI Read Configuration: prefetching enabled, caching enabled,
BIOS_CNTL = 0x2b: BIOS Lock Enable: enabled, BIOS Write Enable: enabled
Warning: BIOS region SMM protection is enabled!
Warning: Setting Bios Control at 0xdc from 0x2a to 0x09 failed.
New value is 0x2b.
SPIBAR = 0x00007fedd2c71000 + 0x3800
0x04: 0xf008 (HSFS)
HSFS: FDONE=0, FCERR=0, AEL=0, BERASE=1, SCIP=0, FDOPSS=1, FDV=1, FLOCKDN=1
Warning: SPI Configuration Lockdown activated.
Reading OPCODES... done
0x06: 0x3f00 (HSFC)
HSFC: FGO=0, FCYCLE=0, FDBC=63, SME=0
0x50: 0x00005a7b (FRAP)
BMWAG 0x00, BMRAG 0x00, BRWA 0x5a, BRRA 0x7b
0x54: 0x00000000 FREG0: Warning: Flash Descriptor region
(0x00000000-0x00000fff) is read-only.
0x58: 0x0fff0800 FREG1: BIOS region (0x00800000-0x00ffffff) is read-write.
0x5C: 0x07ff0023 FREG2: Warning: Management Engine region
(0x00023000-0x007fffff) is locked.
0x60: 0x00020001 FREG3: Gigabit Ethernet region
(0x00001000-0x00002fff) is read-write.
0x64: 0x00120003 FREG4: Platform Data region (0x00003000-0x00012fff)
is read-write.
Not all flash regions are freely accessible by flashrom. This is most likely
due to an active ME. Please see https://flashrom.org/ME for details.
0x90: 0x84 (SSFS)
SSFS: SCIP=0, FDONE=1, FCERR=0, AEL=0
0x91: 0xfc0000 (SSFC)
SSFC: SCGO=0, ACS=0, SPOP=0, COP=0, DBC=0, SME=0, SCF=4
0x94: 0x5006 (PREOP)
0x96: 0x4ed0 (OPTYPE)
0x98: 0x0201009f (OPMENU)
0x9C: 0xc705d803 (OPMENU+4)
0xA0: 0x00000000 (BBAR)
0xC4: 0x80802025 (LVSCC)
LVSCC: BES=0x1, WG=1, WSR=0, WEWS=0, EO=0x20, VCL=1
0xC8: 0x8000d817 (UVSCC)
UVSCC: BES=0x3, WG=1, WSR=0, WEWS=1, EO=0xd8
0xD0: 0x50444653 (FPB)
OK.
The following protocols are supported: FWH, SPI.
Probing for AMIC A25L05PT, 64 kB: probe_spi_rdid_generic: id1 0xef, id2 0x4018
...
Found Winbond flash chip "W25Q128.V" (16384 kB, SPI).
This chip may contain one-time programmable memory. flashrom cannot read
and may never be able to write it, hence it may not be able to completely
clone the contents of this chip (see man page for details).
coreboot last image size (not ROM size) is 16777216 bytes.
Manufacturer: Intel
Mainboard ID: Camelback Mountain CRB
Reading old flash chip contents... done.
Erasing and writing flash chip... Trying erase function 0...
0x800000-0x800fff:EInvalid OPCODE 0x06, will not execute.
spi_block_erase_20 failed during command execution at address 0x800000
Reading current flash chip contents... done. Looking for another erase function.
Trying erase function 1... 0x800000-0x807fff:EInvalid OPCODE 0x06,
will not execute.
spi_block_erase_52 failed during command execution at address 0x800000
Reading current flash chip contents... done. Looking for another erase function.
Trying erase function 2... 0x800000-0x80ffff:ETransaction error!
SSFS: SCIP=0, FDONE=1, FCERR=1, AEL=0
SSFC: SCGO=0, ACS=1, SPOP=0, COP=5, DBC=0, SME=0, SCF=4
Running OPCODE 0xd8 failed at address 0x800000 (payload length was 0).
spi_block_erase_d8 failed during command execution at address 0x800000
Reading current flash chip contents... done. Looking for another erase function.
Trying erase function 3... 0x000000-0xffffff:RTransaction error!
SSFS: SCIP=0, FDONE=1, FCERR=1, AEL=0
SSFC: SCGO=0, ACS=0, SPOP=0, COP=4, DBC=63, SME=0, SCF=4
Running OPCODE 0x03 failed at address 0x023000 (payload length was 64).
Can't read! Aborting.
FAILED!
Uh oh. Erase/write failed.
Your flash chip is in an unknown state.
Get help on IRC at chat.freenode.net (channel #flashrom) or
mail flashrom at flashrom.org with the subject "FAILED: <your board name>"!
-------------------------------------------------------------------------------
DO NOT REBOOT OR POWEROFF!
Restoring MMIO space at 0x7fedd2c748a0
Restoring PCI config space for 00:1f:0 reg 0xdc
On Tue, Aug 2, 2016 at 12:09 PM, Wen Wang <wen.wang at adiengineering.com> wrote:
> Nico,
>
> I reran the test and log is blow. You are right, flashrom did get into ME region but timed out in the middle. I also noticed that the timeout location seems to be random, different runs failed in different places. We did have an case open with Intel. It is currently being investigated.
>
> We will give your patches a try.
>
> Thanks,
>
> Wen
>
> ++++++++++++++++++++++
>
> flashrom v0.9.9-r1954 on Linux 4.2.8-200.fc22.x86_64 (x86_64)
> flashrom was built with libpci 3.3.0, GCC 5.3.1 20151207 (Red Hat 5.3.1-2), little endian
> Command line (7 args): ./flashrom -p internal -r backup.bin -V -o log.txt
> Calibrating delay loop... OS timer resolution is 1 usecs, 795M loops per second, 10 myus = 10 us, 100 myus = 100 us, 1000 myus = 1001 us, 10000 myus = 9999 us, 4 myus = 4 us, OK.
> Initializing internal programmer
> Found candidate at: 00000500-00000510
> Found coreboot table at 0x00000500.
> Error accessing high tables, 0x100000 bytes at 0x000000007efcf000
> /dev/mem mmap failed: Resource temporarily unavailable
> Failed getting access to coreboot high tables.
> Using Internal DMI decoder.
> DMI string chassis-type: "Desktop"
> DMI string system-manufacturer: "ADI Engineering"
> DMI string system-product-name: "BCC"
> DMI string system-version: "1.0"
> DMI string baseboard-manufacturer: "ADI Engineering"
> DMI string baseboard-product-name: "BCC"
> DMI string baseboard-version: "1.0"
> Found chipset "Intel C224" with PCI ID 8086:8c54.
> This chipset is marked as untested. If you are using an up-to-date version
> of flashrom *and* were (not) able to successfully update your firmware with it,
> then please email a report to flashrom at flashrom.org including a verbose (-V) log.
> Thank you!
> Enabling flash write... Root Complex Register Block address = 0xfed1c000
> GCS = 0xc21: BIOS Interface Lock-Down: enabled, Boot BIOS Straps: 0x3 (SPI)
> Top Swap: enabled (A16(+) inverted)
> 0xfff80000/0xffb80000 FWH IDSEL: 0x0
> 0xfff00000/0xffb00000 FWH IDSEL: 0x0
> 0xffe80000/0xffa80000 FWH IDSEL: 0x1
> 0xffe00000/0xffa00000 FWH IDSEL: 0x1
> 0xffd80000/0xff980000 FWH IDSEL: 0x2
> 0xffd00000/0xff900000 FWH IDSEL: 0x2
> 0xffc80000/0xff880000 FWH IDSEL: 0x3
> 0xffc00000/0xff800000 FWH IDSEL: 0x3
> 0xff700000/0xff300000 FWH IDSEL: 0x4
> 0xff600000/0xff200000 FWH IDSEL: 0x5
> 0xff500000/0xff100000 FWH IDSEL: 0x6
> 0xff400000/0xff000000 FWH IDSEL: 0x7
> 0xfff80000/0xffb80000 FWH decode enabled
> 0xfff00000/0xffb00000 FWH decode enabled
> 0xffe80000/0xffa80000 FWH decode enabled
> 0xffe00000/0xffa00000 FWH decode enabled
> 0xffd80000/0xff980000 FWH decode enabled
> 0xffd00000/0xff900000 FWH decode enabled
> 0xffc80000/0xff880000 FWH decode enabled
> 0xffc00000/0xff800000 FWH decode enabled
> 0xff700000/0xff300000 FWH decode enabled
> 0xff600000/0xff200000 FWH decode enabled
> 0xff500000/0xff100000 FWH decode enabled
> 0xff400000/0xff000000 FWH decode enabled
> Maximum FWH chip size: 0x100000 bytes
> SPI Read Configuration: prefetching enabled, caching enabled,
> BIOS_CNTL = 0x09: BIOS Lock Enable: disabled, BIOS Write Enable: enabled
> SPIBAR = 0x00007efebe8f2000 + 0x3800
> 0x04: 0xd009 (HSFS)
> HSFS: FDONE=1, FCERR=0, AEL=0, BERASE=1, SCIP=0, FDOPSS=0, FDV=1, FLOCKDN=1
> Warning: SPI Configuration Lockdown activated.
> The Flash Descriptor Override Strap-Pin is set. Restrictions implied by
> the Master Section of the flash descriptor are NOT in effect. Please note
> that Protected Range (PR) restrictions still apply.
> Reading OPCODES... done
> OP Type Pre-OP
> op[0]: 0x00, read w/o addr, none
> op[1]: 0x00, read w/o addr, none
> op[2]: 0x00, read w/o addr, none
> op[3]: 0x00, read w/o addr, none
> op[4]: 0x00, read w/o addr, none
> op[5]: 0x00, read w/o addr, none
> op[6]: 0x00, read w/o addr, none
> op[7]: 0x00, read w/o addr, none
> Pre-OP 0: 0x00, Pre-OP 1: 0x00
> 0x06: 0x3f00 (HSFC)
> HSFC: FGO=0, FCYCLE=0, FDBC=63, SME=0
> 0x08: 0x0001f080 (FADDR)
> 0x50: 0x0000ffff (FRAP)
> BMWAG 0x00, BMRAG 0x00, BRWA 0xff, BRRA 0xff
> 0x54: 0x00000000 FREG0: Flash Descriptor region (0x00000000-0x00000fff) is read-write.
> 0x58: 0x0fff0e00 FREG1: BIOS region (0x00e00000-0x00ffffff) is read-write.
> 0x5C: 0x0dff0001 FREG2: Management Engine region (0x00001000-0x00dfffff) is read-write.
> 0x60: 0x00007fff FREG3: Gigabit Ethernet region is unused.
> 0x64: 0x00007fff FREG4: Platform Data region is unused.
> 0x74: 0x00000000 (PR0 is unused)
> 0x78: 0x00000000 (PR1 is unused)
> 0x7C: 0x00000000 (PR2 is unused)
> 0x80: 0x00000000 (PR3 is unused)
> 0x84: 0x00000000 (PR4 is unused)
> 0x90: 0x80 (SSFS)
> SSFS: SCIP=0, FDONE=0, FCERR=0, AEL=0
> 0x91: 0xf80000 (SSFC)
> SSFC: SCGO=0, ACS=0, SPOP=0, COP=0, DBC=0, SME=0, SCF=0
> 0x94: 0x0000 (PREOP)
> 0x96: 0x0000 (OPTYPE)
> 0x98: 0x00000000 (OPMENU)
> 0x9C: 0x00000000 (OPMENU+4)
> 0xA0: 0x00000000 (BBAR)
> 0xC4: 0x80800000 (LVSCC)
> LVSCC: BES=0x0, WG=0, WSR=0, WEWS=0, EO=0x0, VCL=1
> 0xC8: 0x00000000 (UVSCC)
> UVSCC: BES=0x0, WG=0, WSR=0, WEWS=0, EO=0x0
> 0xD0: 0x50444653 (FPB)
> Reading flash descriptors mapped by the chipset via FDOC/FDOD...read_ich_descriptors_via_fdo: number of regions too high (6) - failed
> Enabling hardware sequencing because some important opcode is locked.
> OK.
> The following protocols are supported: FWH, Programmer-specific.
> Probing for Programmer Opaque flash chip, 0 kB: Hardware sequencing reports 1 attached SPI flash chip with a density of 16384 kB.
> The flash address space (0x000000 - 0xffffff) is divided at address 0x653000 in two partitions.
> The first partition ranges from 0x000000 to 0x652fff.
> In that range are 1619 erase blocks with 4096 B each.
> The second partition ranges from 0x653000 to 0xffffff.
> In that range are 2477 erase blocks with 4096 B each.
> Found Programmer flash chip "Opaque flash chip" (16384 kB, Programmer-specific) mapped at physical address 0x0000000000000000.
> Probing for Atmel AT49LH002, 256 kB: probe_82802ab: id1 0xff, id2 0xff, id1 parity violation, id1 is normal flash content, id2 is normal flash content
> Probing for Atmel AT49LH00B4, 512 kB: probe_82802ab: id1 0x02, id2 0x58, id1 is normal flash content, id2 is normal flash content
> Probing for Atmel AT49LH004, 512 kB: probe_82802ab: id1 0x02, id2 0x58, id1 is normal flash content, id2 is normal flash content
> Probing for Intel 82802AB, 512 kB: probe_82802ab: id1 0x02, id2 0x58, id1 is normal flash content, id2 is normal flash content
> Probing for Intel 82802AC, 1024 kB: probe_82802ab: id1 0x75, id2 0xef, id1 is normal flash content, id2 is normal flash content
> Probing for PMC Pm49FL002, 256 kB: probe_jedec_common: id1 0xff, id2 0xff, id1 parity violation, id1 is normal flash content, id2 is normal flash content
> Probing for PMC Pm49FL004, 512 kB: probe_jedec_common: id1 0x02, id2 0x58, id1 is normal flash content, id2 is normal flash content
> Probing for Sharp LHF00L04, 1024 kB: probe_82802ab: id1 0x75, id2 0xef, id1 is normal flash content, id2 is normal flash content
> Probing for SST SST49LF002A/B, 256 kB: probe_jedec_common: id1 0xff, id2 0xff, id1 parity violation, id1 is normal flash content, id2 is normal flash content
> Probing for SST SST49LF003A/B, 384 kB: probe_jedec_common: id1 0x13, id2 0x8c, id1 is normal flash content, id2 is normal flash content
> Probing for SST SST49LF004A/B, 512 kB: probe_jedec_common: id1 0x02, id2 0x58, id1 is normal flash content, id2 is normal flash content
> Probing for SST SST49LF004C, 512 kB: probe_82802ab: id1 0x02, id2 0x58, id1 is normal flash content, id2 is normal flash content
> Probing for SST SST49LF008A, 1024 kB: probe_jedec_common: id1 0x75, id2 0xef, id1 is normal flash content, id2 is normal flash content
> Probing for SST SST49LF008C, 1024 kB: probe_82802ab: id1 0x75, id2 0xef, id1 is normal flash content, id2 is normal flash content
> Probing for SST SST49LF016C, 2048 kB: probe_82802ab: id1 0x4c, id2 0x41, id1 is normal flash content, id2 is normal flash content
> Probing for ST M50FLW040A, 512 kB: probe_82802ab: id1 0x02, id2 0x58, id1 is normal flash content, id2 is normal flash content
> Probing for ST M50FLW040B, 512 kB: probe_82802ab: id1 0x02, id2 0x58, id1 is normal flash content, id2 is normal flash content
> Probing for ST M50FLW080A, 1024 kB: probe_82802ab: id1 0x75, id2 0xef, id1 is normal flash content, id2 is normal flash content
> Probing for ST M50FLW080B, 1024 kB: probe_82802ab: id1 0x75, id2 0xef, id1 is normal flash content, id2 is normal flash content
> Probing for ST M50FW002, 256 kB: probe_82802ab: id1 0xff, id2 0xff, id1 parity violation, id1 is normal flash content, id2 is normal flash content
> Probing for ST M50FW016, 2048 kB: probe_82802ab: id1 0x4c, id2 0x41, id1 is normal flash content, id2 is normal flash content
> Probing for ST M50FW040, 512 kB: probe_82802ab: id1 0x02, id2 0x58, id1 is normal flash content, id2 is normal flash content
> Probing for ST M50FW080, 1024 kB: probe_82802ab: id1 0x75, id2 0xef, id1 is normal flash content, id2 is normal flash content
> Probing for Winbond W39V040FA, 512 kB: probe_jedec_common: id1 0x02, id2 0x58, id1 is normal flash content, id2 is normal flash content
> Probing for Winbond W39V040FB, 512 kB: probe_jedec_common: id1 0x02, id2 0x58, id1 is normal flash content, id2 is normal flash content
> Probing for Winbond W39V040FC, 512 kB: probe_jedec_common: id1 0x02, id2 0x58, id1 is normal flash content, id2 is normal flash content
> Probing for Winbond W49V002FA, 256 kB: probe_jedec_common: id1 0xff, id2 0xff, id1 parity violation, id1 is normal flash content, id2 is normal flash content
> Probing for Winbond W39V080FA, 1024 kB: probe_jedec_common: id1 0x75, id2 0xef, id1 is normal flash content, id2 is normal flash content
> Probing for Winbond W39V080FA (dual mode), 512 kB: probe_jedec_common: id1 0x02, id2 0x58, id1 is normal flash content, id2 is normal flash content
> Found Programmer flash chip "Opaque flash chip" (16384 kB, Programmer-specific).
> Reading flash... Reading 16777216 bytes starting at 0x000000.
> Timeout error between offset 0x000384c0 and 0x000384ff (= 0x000384c0 + 63)!
> HSFS: FDONE=0, FCERR=0, AEL=0, BERASE=1, SCIP=1, FDOPSS=0, FDV=1, FLOCKDN=1
> HSFC: FGO=0, FCYCLE=0, FDBC=63, SME=0
> Read operation failed!
> FAILED.
> Restoring MMIO space at 0x7efebe8f58a0
> Restoring PCI config space for 00:1f:0 reg 0xdc
>
> -----Original Message-----
> From: Nico Huber [mailto:nico.huber at secunet.com]
> Sent: Tuesday, August 2, 2016 8:03 AM
> To: Wen Wang <wen.wang at adiengineering.com>; flashrom at flashrom.org
> Subject: Re: [flashrom] Broadwell-DE SoC
>
> Hi Wen,
>
> On 01.08.2016 21:29, Wen Wang wrote:
>> Has anybody tried flashrom on Broadwell-DE SoC? Intel has upstreamed
>> coreboot support. But we are having trouble with flashrom. The ME
>> region does not seem to be accessible. We cannot read the entire
>> flash (fails when reading ME) even though we enabled all reads in
>> Master Access Section in FITC. We also tried to set FDO, it did not help either.
> Your problem doesn't look related to an ME section lock. The address where flashrom fails:
>> Timeout error between offset 0x00014400 and 0x0001443f (= 0x00014400 + 63)!
> resides already inside the ME region. So it looks to me as if flashrom succeeds in reading the start of the ME region.
>
> Sadly your log looks incomplete, did you miss to capture stderr? You can also save the whole log to a file with the -o parameter.
>
>> We would like to at least be able to update the BIOS region. However,
>> flashrom performs a full read prior to doing partial write.
> As told above, I don't think that this is your issue. Anyway this fea- ture has been requested for a long time and there have been different approaches to implement it in flashrom. Unfortunately, nothing has been merged yet. Patches can be found in patchwork:
> http://patchwork.coreboot.org/project/flashrom/list/
> My work on that matter seems to be the most current but also most invasive. It's the 14 patches from 2016-05-04.
>
> Regards,
> Nico
>
>
> _______________________________________________
> flashrom mailing list
> flashrom at flashrom.org
> https://www.flashrom.org/mailman/listinfo/flashrom
More information about the flashrom
mailing list