@jcs /asus c201.md
Last active May 27, 2017

Disabling SPI write protection, reflashing, and unbricking an Asus Chromebook C201

#### Disabling SPI write protection

Put the Chromebook in developer-mode:

  • With the machine powered off, hold down Esc and Refresh (F3) while hitting the power button
  • At the warning prompt, hit Control+D, then Enter at the prompt about enabling developer mode
  • Machine will format itself

Now remove the write-protect screw to enable flashrom to flash new Coreboot/Libreboot.

Flip the powered-off machine over and remove 8 Phillips-head screws. 2 are located under rubber feet.

https://i.imgur.com/zlA6JsFl.jpg

https://i.imgur.com/o76SuTyl.jpg

With a plastic spudger/guitar pick, separate the blue case from the silver keyboard/trackpad tray. Slide the spudger along the outer seam to separate it (you'll hear a bunch of clicks).

Don't pull the bottom piece off or you'll pull out the cables to the keyboard.

Once the bottom piece is completely separated, flip the laptop over and open the lid. The keyboard should be loose. Pick it up just enough to flip it over without separating the cables.

Locate the write-protect screw on the left side (highlighted in red here).

https://i.imgur.com/NWCJu1nl.jpg

Remove the screw.

https://i.imgur.com/H6caZiSl.jpg

Flip the keyboard back over so you can type, and power the machine on. Hit Control+D at the boot screen.

Click "Sign-in as guest", hit Control+Alt+T to open crosh, then run `shell`, `sudo sh`, and `flashrom --wp-disable`. It should report success. `flashrom --wp-status` should confirm that write protection is disabled.

https://i.imgur.com/NzYNPzml.jpg

Run `halt -p` to power down, snap the keyboard tray back in, and put the screws and rubber feet back.

#### Reflashing new coreboot/libreboot

From the Chromebook, make a backup of your entire ROM before doing anything, and scp it off the machine to some place else.

```
# flashrom -r asus_c201_factory_flash.rom
flashrom v0.9.4  : 15e4dc9 : Apr 02 2015 22:53:02 UTC on Linux 3.14.0 (armv7l), built with libpci 3.1.10, GCC 4.9.x-google 20150123 (prerelease), little endian
Reading flash... SUCCESS
```

`fmap_decode` will show how the ROM is laid out:

```
# fmap_decode asus_c201_factory_flash.rom
fmap_signature="0x5f5f464d41505f5f" fmap_ver_major="1" fmap_ver_minor="0" fmap_base="0x0000000000000000" fmap_size="0x400000" fmap_name="FMAP" fmap_nareas="22"
area_offset="0x00000000" area_size="0x00200000" area_name="WP_RO" area_flags_raw="0x01" area_flags="static"
area_offset="0x00000000" area_size="0x001f0000" area_name="RO_SECTION" area_flags_raw="0x01" area_flags="static"
area_offset="0x00000000" area_size="0x00100000" area_name="COREBOOT" area_flags_raw="0x01" area_flags="static"
area_offset="0x00100000" area_size="0x00001000" area_name="FMAP" area_flags_raw="0x01" area_flags="static"
area_offset="0x00101000" area_size="0x000eef00" area_name="GBB" area_flags_raw="0x01" area_flags="static"
area_offset="0x001eff00" area_size="0x00000100" area_name="RO_FRID" area_flags_raw="0x01" area_flags="static"
area_offset="0x001f0000" area_size="0x00010000" area_name="RO_VPD" area_flags_raw="0x01" area_flags="static"
area_offset="0x00200000" area_size="0x00078000" area_name="RW_SECTION_A" area_flags_raw="0x01" area_flags="static"
area_offset="0x00200000" area_size="0x00002000" area_name="VBLOCK_A" area_flags_raw="0x01" area_flags="static"
area_offset="0x00202000" area_size="0x00056000" area_name="FW_MAIN_A" area_flags_raw="0x01" area_flags="static"
area_offset="0x00258000" area_size="0x0001ff00" area_name="EC_MAIN_A" area_flags_raw="0x01" area_flags="static"
area_offset="0x00277f00" area_size="0x00000100" area_name="RW_FWID_A" area_flags_raw="0x01" area_flags="static"
area_offset="0x00278000" area_size="0x00004000" area_name="RW_SHARED" area_flags_raw="0x01" area_flags="static"
area_offset="0x00278000" area_size="0x00004000" area_name="SHARED_DATA" area_flags_raw="0x01" area_flags="static"
area_offset="0x0027c000" area_size="0x00004000" area_name="RW_ELOG" area_flags_raw="0x01" area_flags="static"
area_offset="0x00280000" area_size="0x00078000" area_name="RW_SECTION_B" area_flags_raw="0x01" area_flags="static"
area_offset="0x00280000" area_size="0x00002000" area_name="VBLOCK_B" area_flags_raw="0x01" area_flags="static"
area_offset="0x00282000" area_size="0x00056000" area_name="FW_MAIN_B" area_flags_raw="0x01" area_flags="static"
area_offset="0x002d8000" area_size="0x0001ff00" area_name="EC_MAIN_B" area_flags_raw="0x01" area_flags="static"
area_offset="0x002f7f00" area_size="0x00000100" area_name="RW_FWID_B" area_flags_raw="0x01" area_flags="static"
area_offset="0x002f8000" area_size="0x00008000" area_name="RW_VPD" area_flags_raw="0x01" area_flags="static"
area_offset="0x00300000" area_size="0x00100000" area_name="RW_LEGACY" area_flags_raw="0x01" area_flags="static"
```

##### Compile your coreboot/libreboot:

You'll need a separate build machine for this. I used a 10G Ubuntu 14 virtual machine in VMware.

TODO

##### Preparing the new image to write

Only the first megabyte of your new coreboot ROM will be used, so you need to copy the other 3 megs from the backup.

From your build machine:

```
~/chros/coreboot$ dd if=build/coreboot.rom bs=1024 count=1024 of=firstmeg.rom
~/chros/coreboot$ dd if=asus_c201_factory_flash.rom bs=1024 skip=1024 of=latermegs.rom
~/chros/coreboot$ cat firstmeg.rom latermegs.rom > final.rom
```

You can verify with fmap_decode that your new ROM still looks like the old one. Now scp it to your Chromebook and flash it:

```
# flashrom -w final.rom
flashrom v0.9.4  : e6a7ca8 : May 12 2015 18:14:00 UTC on Linux 3.14.0 (armv7l), built with libpci 3.1.10, GCC 4.9.x-google 20150123 (prerelease), little endian
Erasing and writing flash chip... Verifying flash... VERIFIED.
SUCCESS
```

Reboot and hope it worked. If not, continue reading.
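
The splice from "Preparing the new image to write" can be checked before anything is written to the chip. The script below is an added example, not part of the original gist: `splice_rom` and `fsize` are hypothetical helper names, and the two size constants are assumptions taken from the `fmap_decode` output above.

```shell
#!/bin/sh
# Added example (not from the gist): build final.rom with the same dd/cat
# steps, but stop if any size or content check fails.
# ROM_SIZE and SPLIT are taken from the fmap_decode output above
# (fmap_size=0x400000, COREBOOT area_size=0x00100000).
ROM_SIZE=4194304
SPLIT=1048576

fsize() { wc -c < "$1" | tr -d ' '; }

# Usage: splice_rom build/coreboot.rom asus_c201_factory_flash.rom final.rom
splice_rom() {
    new=$1; backup=$2; out=$3
    [ -r "$new" ] && [ -r "$backup" ] || { echo "missing input" >&2; return 1; }
    # The backup must be a complete dump of the 4 MiB chip.
    [ "$(fsize "$backup")" -eq "$ROM_SIZE" ] ||
        { echo "backup is not $ROM_SIZE bytes" >&2; return 2; }
    # A short coreboot.rom would shift every later area to a lower offset.
    [ "$(fsize "$new")" -ge "$SPLIT" ] ||
        { echo "coreboot image is shorter than $SPLIT bytes" >&2; return 3; }

    tmp=$(mktemp -d) || return 4
    dd if="$new" bs=1024 count=1024 of="$tmp/firstmeg.rom" 2>/dev/null &&
        dd if="$backup" bs=1024 skip=1024 of="$tmp/latermegs.rom" 2>/dev/null &&
        cat "$tmp/firstmeg.rom" "$tmp/latermegs.rom" > "$out"
    rc=$?
    rm -rf "$tmp"
    [ "$rc" -eq 0 ] || { echo "dd/cat failed" >&2; return 4; }

    [ "$(fsize "$out")" -eq "$ROM_SIZE" ] ||
        { echo "$out is not $ROM_SIZE bytes" >&2; return 5; }
    # Everything from 0x00100000 on (FMAP, GBB, RO_VPD, RW sections) must be
    # byte-identical to the backup; cmp skips SPLIT bytes in both files.
    cmp -s "$out" "$backup" "$SPLIT" "$SPLIT" ||
        { echo "$out differs from backup after first MiB" >&2; return 6; }
    echo "$out OK: $SPLIT new bytes + $((ROM_SIZE - SPLIT)) bytes from backup"
}
```
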

#### Unbricking

If your flashing went bad, you'll be unable to boot. To fix this, you'll have to reflash your backup from another machine. You can do this fairly easily with a Bus Pirate, an SOIC8 test clip, and some cables to connect pins between the two.

Use the instructions above to remove the keyboard. Remove the 8 or so screws holding the large heatsink to the case over the motherboard, exposing the battery connector. Unplug the battery.

http://i.imgur.com/TzjWRODl.jpg

Attach your test clip to the flash chip located just to the left of the write-protect screw, noting the dot on the lower left of the chip marking pin 1.

http://i.imgur.com/MOQDeK0l.jpg

Connect wires from pins of the Bus Pirate to the pins on the test clip. The SPI chip pins are as follows, with the dot in the lower left.

```
   VCC
   | HOLD
   | | SCLK
   8 7 6 5-MOSI
  +-------+
  |       |
  |o      |
  +-------+
   1 2 3 4-GND
   | | WP
   | MISO
   CS
```

  • Bus Pirate GND -> SPI pin 4 (GND)
  • Bus Pirate 3V3 -> SPI pin 8 (VCC)
  • Bus Pirate CLK -> SPI pin 6 (SCLK)
  • Bus Pirate MOSI -> SPI pin 5 (MOSI)
  • Bus Pirate CS -> SPI pin 1 (CS)
  • Bus Pirate MISO -> SPI pin 2 (MISO)

If your build machine doesn't have it already, install flashrom (`apt-get install flashrom` on Ubuntu).

Once wired up, run `flashrom -p buspirate_spi:dev=/dev/ttyUSB0` with no file argument to make sure it can detect the SPI flash chip on the Chromebook through your Bus Pirate. If wired properly, it should find the GigaDevice chip. If it reports an error or a generic chip (0x00), your clip is not on properly or is wired up wrong.

```
~/chros/flashrom-0.9.8$ sudo ./flashrom -p buspirate_spi:dev=/dev/ttyUSB0
flashrom v0.9.8-r1888 on Linux 3.19.0-25-generic (x86_64)
flashrom is free software, get the source code at http://www.flashrom.org

Calibrating delay loop... delay loop is unreliable, trying to continue OK.
Found GigaDevice flash chip "GD25Q32(B)" (4096 kB, SPI) on buspirate_spi.
No operations were specified.
```

Now just flash the backup you made before reflashing, using the command above with asus_c201_factory_flash.rom.

If you lost your backup, you can download the backup I made, but no guarantees that it will work on your machine:

https://jcs.org/tmp/asus_c201_factory_flash.rom - MD5 e4478311e77745a1aff0a1117cc65010

If all went well, after about 10 minutes of erasing and flashing, it should report success. Remove the test clip, reattach the battery, plug the power cable in, and it should boot to the Chrome "OS verification is OFF" screen.
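
A roughly 10-minute erase and write through a loose clip or with the wrong file is worth ruling out first. The script below is an added example, not part of the original gist: `chip_kb` and `preflight_ok` are hypothetical helpers, and it assumes the probe output was saved to a file such as `probe.log`.

```shell
#!/bin/sh
# Added example (not from the gist): check a saved flashrom probe run and the
# image to be written before starting the external write. Save the probe with:
#   flashrom -p buspirate_spi:dev=/dev/ttyUSB0 > probe.log 2>&1

# chip_kb PROBE_LOG -> prints the size in kB from the "Found ... flash chip" line
chip_kb() {
    sed -n 's/^Found .* flash chip ".*" (\([0-9][0-9]*\) kB, SPI).*/\1/p' "$1" |
        head -n 1
}

# preflight_ok PROBE_LOG IMAGE [MD5] -> 0 when the write may proceed
preflight_ok() {
    log=$1; img=$2; want=${3:-}
    kb=$(chip_kb "$log")
    # No "Found" line at all: the clip is not seated or the wiring is wrong.
    [ -n "$kb" ] || { echo "no flash chip detected" >&2; return 1; }
    # Assumption: a chip that was not identified is reported with a zero size.
    [ "$kb" -gt 0 ] || { echo "chip not identified" >&2; return 2; }
    # The image must fill the chip exactly (4096 kB for the GD25Q32 above).
    size=$(wc -c < "$img" | tr -d ' ')
    [ "$size" -eq $((kb * 1024)) ] ||
        { echo "image is $size bytes, chip is $kb kB" >&2; return 3; }
    # Optional: compare against a digest recorded when the backup was made,
    # or the MD5 published next to a downloaded image.
    if [ -n "$want" ]; then
        got=$(md5sum "$img" | cut -d' ' -f1)
        [ "$got" = "$want" ] || { echo "digest mismatch: $got" >&2; return 4; }
    fi
    return 0
}

# Once preflight_ok succeeds, the write itself is the probe command plus -w:
#   flashrom -p buspirate_spi:dev=/dev/ttyUSB0 -w asus_c201_factory_flash.rom
```
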


dimkr commented Sep 5, 2015

Wow, great work! Looking forward to the Coreboot/Libreboot building guide.

Ypnose commented Sep 6, 2015

Nice/awesome "HowTo" @jsc

Does it boot OpenBSD yet?
