Discussion:
[flashrom] reading the flash image of my Celsius H265
David Hendricks
2018-05-11 16:00:51 UTC
Permalink
actually, I don't see a BIOS in there at all. ...
If you want to hunt more clues nevertheless, you can send us the output
of `flashrom -p internal:laptop=force_I_want_a_brick -V`. IIRC, it
also tells from which bus the BIOS was loaded.
I think the ME has some logging enabled and simply writes to the flash.
Nico
If this is the case, then you will need to figure out how to prevent
the EC from reading/writing the ROM at the same time as flashrom.
This could be as simple as disabling your OS's power management daemon
to avoid stimulating it, or ...
Here comes the verbose output of flashrom as attachement.
- and see the newly loaded rom images do not differ any more (though the
time between taking both images has been less this time).
Glad that seems to have worked for reading. However as Nico said we really
can't recommend attempting to write using flashrom. At least not unless you
can get a full understanding of how this works and how to safely disable
the EC for updates, and have a method for recovery (e.g. an external
programmer). Anything that interacts with the EC (power, thermal, input
events, maybe other things) can wake it up and put your system in a bad
(possibly bricked) state.
wget https://www.elstel.org/uploads/celsius3.rom
wget https://www.elstel.org/uploads/celsius4.rom
Is it true that these flash images do not contain a BIOS?
It appears true. As Nico said it appears this chip is only for ME firmware
and configuration data. There is almost certainly another SPI flash on the
motherboard for the BIOS. You may need to (de-)assert some GPIO or send a
special command to the EC to select it.
If it still contains all ME regions that should be enough for disabling
ME? How to do that - I have heard that me_cleaner only works on gen2 and
gen3 MEs but that my ME would be gen1?
I'm not an expert on me_cleaner, but the long story short is that ME is a
complicated beast that changes frequently and is very intertwined with how
the system works. me_cleaner can remove some (many?) modules but can't
disable it completely since ME controls some functions needed to bring-up
the CPU. I'm sure they'd appreciate your help demystifying your ME's
generation!
David Hendricks
2018-05-10 21:24:18 UTC
Permalink
When I boot with iomem=relaxed and enable flash writing in my BIOS I get
flashrom -p internal:laptop=force_I_want_a_brick --read celsius2.rom
flashrom p1.0-74-g2568357 on Linux 4.17.0-rc3+ (x86_64)
flashrom is free software, get the source code at https://flashrom.org
Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
========================================================================
WARNING! You seem to be running flashrom on an unsupported laptop.
Laptops, notebooks and netbooks are difficult to support and we
recommend to use the vendor flashing utility. The embedded controller
(EC) in these machines often interacts badly with flashing.
See the manpage and https://flashrom.org/Laptops for details.
If flash is shared with the EC, erase is guaranteed to brick your laptop
and write may brick your laptop.
Read and probe may irritate your EC and cause fan failure, backlight
failure and sudden poweroff.
You have been warned.
========================================================================
Proceeding anyway because user forced us to.
Found chipset "Intel ICH9M-E".
Enabling flash write... OK.
Found Winbond flash chip "W25X32" (4096 kB, SPI) mapped at physical
address 0x00000000ffc00000.
Reading flash... done.
wget https://www.elstel.org/uploads/celsius.rom
wget https://www.elstel.org/uploads/celsius2.rom
Using vbindiff I can see that quite a lot is different between both
images. - which would be difficult to achieve if the firmware was changed
while I am running my computer. The image may be somehow corrupted as
python ../me_cleaner/me_cleaner.py -S -O celsius-no-me.rom celsius.rom
Unknown image
See also the dmidecode that I have attached.
How can it be that both images are different?
Do you think that the images are corrupted?
If so what could we do about it?
There is probably an embedded controller (EC) connected to the SPI ROM that
is accessing the ROM at the same time as flashrom. See
https://flashrom.org/Laptops for details.

If this is the case, then you will need to figure out how to prevent the EC
from reading/writing the ROM at the same time as flashrom. This could be as
simple as disabling your OS's power management daemon to avoid stimulating
it, or it may require sending a command to the EC (likely a sequence of
OUTBs) to put it into an update or recovery mode to prevent it from
accessing the firmware ROM.
Elmar Stellnberger
2018-05-26 14:16:51 UTC
Permalink
Hi attendees of the flashrom list,
Hi Nicola Corna,

Today I have tried to write an image to the rom of my Celsius H265
and see it has worked without any problems (see for the attachement).

flashrom -V -p internal:laptpop=force_I_want_a_brick --write
celsius3-me_cleaned.rom

https://www.elstel.org/uploads/celsius3-me_cleaned.rom
https://www.elstel.org/uploads/celsius3.rom

The image was produced with the dev-branch of me_cleaner by:
./me_cleaner.py -d -O celsius3-me_cleaed.rom celsius3.rom. Flash reading
has been successfully tested before.

Regards,
Elmar

Loading...