Zerocat Chipflasher  v0.4.2 (board-edition-1)
Flash free firmware to BIOS chips, kick the Manageability Engine.
How To Use

Welcome

Thank you for purchasing — or having built — the Zerocat Chipflasher. We hope you will enjoy this cute tiny tool. Your feedback will be very much appreciated. Please contact zerocat@posteo.de for any questions or feedback and keep up to date with the Zerocat Chipflasher Git Repository.

The Zerocat Chipflasher is your free-design hardware tool for flashing free firmware to BIOS chips. Especially the chips, that are located on libreboot or coreboot compatible hardware are hopefully supported. See Supported Devices for details.

IMG_8014.jpeg
Zerocat Chipflasher, flashing a fully equipped Gigabyte GA-G41M-ES2L Desktop Board

Hardware Features

Typical Setup

For now, the chipflasher board doesn't provide its USB port for data, it is used for power only. So, the typical setup is with a host that has an RS232 serial port available. We recommend to use a ThinkPad X60s with preflashed libreboot (done with flashrom) and docking station.

A typical setup looks like this:

  1. Computer with RS232 port, i.e.:
    • ThinkPad X60 with Docking Station and libreboot-firmware
    • Intel D945GCLF board with coreboot, no blobs required (not fully tested)
    • other blobless desktop boards like GA-945GCM-S2L and GA-G41M-ES2L (untested)
  2. The Zerocat Chipflasher
  3. supported SPI flash chip, a single one or one soldered in place on its sysboard (see Supported Devices)
  4. external USB-Power-Adapter (5V @ 1000mA) or at least two USB-ports from the computer.

You will use three cables for connection:

Setup with external USB power adapter

+------------+                +-------------+           +·············+
| Host, i.e. |                | Zerocat     |           +---------+   :
|  ZC-X60 +  |                | Chipflasher |---+3.3V-->| SPI     |   :
|   Docking  |<--RS232-data-->|             |<---SPI--->|  Chip   |   :
|            |                | firmware:   |           +---------+   :
| software:  |      +--+5V--->|  'kick'     |           :             :
| 'connect'  |      |         +-------------+           : Systemboard :
+------------+      |                                   : without     :
                +--------------------+                  : Battery     :
                | External USB Power |                  : nor Power   :
                |  5V @ 1000mA       |                  +·············+
                +--------------------+

Setup with non-standard Y-USB-cable

+------------+                +-------------+           +·············+
| Host, i.e. |                | Zerocat     |           +---------+   :
|  ZC-X60 +  |<--RS232 data-->| Chipflasher |---+3.3V-->| SPI     |   :
|   Docking  |                |             |<---SPI--->|  Chip   |   :
|            |----+-+5V-USB-->| firmware:   |           +---------+   :
| software:  |   /            |  'kick'     |           :             :
| 'connect'  |--+             +-------------+           : Systemboard :
|            |                                          : without     :
+----------- +                                          : Battery     :
                                                        : nor Power   :
                                                        +·············+
IMG_8020.jpeg
Zerocat Chipflasher, typical setup with an Y-USB-Cable

Power Setup

Warning
Proceed on your own risk. You will brick your hardware. You will kill yourself.
  1. Discharge your body (touch any grounded metal like a water pipe) and make sure your are not electrostatically charged.
  2. If you are flashing a sysboard:
    • Do not power the sysboard on, nor connect any power plug.
    • Remove the main battery, but keep the small coin-battery attached.
  3. Power and GND will be applied to the SPI-chip by the chipflasher board only.
    Make sure you have not mixed these wires! See cables.sch.png for pinouts.
  4. To power the chipflasher:
    • You may safely use your computer’s USB port according to official specs if you are going to flash a single desoldered chip.
    • In case of flashing chips in situ, soldered onto sysboards, please use an external USB-Power-Adapter (5VDC @ 1.000mA).
    • As a workaround, you may try a non-standard Y-USB-Cable which should work well in many cases, as the maximal requested current per USB port typically won't exceed 500mA.

Clock Quality

The Zerocat Chipflasher is a handmade tool with long wires that may generate or catch electromagnetic interference. To give you an idea about clock pulse quality and speed, we probed the signals right at the test-clip for you. The maximal SPI clock speed is about 2.5MHz.

IMG_5716-small.jpg
Zerocat Chipflasher, typical clock pulse quality (100ns/500mV per div), here: 2.2MHz

Prerequisites

You should have installed all essential tools according to README, section “Prerequisites”.

Get Started

Connect host and chipflasher with each other, i.e. attach the Y-USB-power-cable to two USB-Ports, attach the RS232-data-cable.

Attach the SPI-cable, but omit the target board (or chip) for now!

  1. Open a terminal and enter the chipflasher repository, i.e:

    $ cd ~/zerocat/projects/chipflasher/

  2. Change into firmware/src/.
  3. To build the software, type make all.
  4. Switch on the chipflasher board and verify that the power status LED is bright.
  5. Type make -f Startfile.mk startram in order to initiate the firmware upload into the onboard EEPROM, and start immediatly.

    Note
    Root priviledges are not required on debian based operating systems, as long as you are a fully priviledged member of the dialout group. Otherwise, you should use sudo make ... instead.

    The Zerocat Chipflasher menu should appear on screen.
    Success! Your setup is ready.

    Hit “q” to quit and switch off the chipflasher board.

    invocation-example.png
    Invocation Example with immediate quit.

Prepare your Custom ROM File

As default, the flasher uses the files chip2file.txt and file2chip.txt for data input/output.

In most cases, this flasher will be used to flash a newly created Coreboot or Libreboot ROM file which generally is available as binary data. Before you can flash it, you will need to convert your custom ROM into the file2chip.txt text file, preferable organized in lines of the Motorola S-Record format.

See Data Transfer and learn how to do that! Alternatively, see whether host/src/bin2srec.sh would be a suitable utility.

Sometimes, a coreboot ROM requires to extract binary blobs from the original vendor firmware. In that case host/src/srec2bin.sh will hopefully help you to convert your chip2file.txt into a binary image for further processing.

Try a Real Target

Note
Please create backups between read operations in order to not loose your data!
The software connect and the firmware kick are talking to each other via the serial RS232 lines. Occasional transmission errors will be repaired automatically. However, if you encounter severe connection problems that render you helpless when trying to verify your data, boot the host with WLAN and network switched off, make sure that no other resource demanding process will start up (e.g. browser), and try again.
As long as the SPI status LED (red) is not active, the SPI-Chip is not powered and you may feel free to connect/disconnect your target. However, if the LED is active, don't touch the connection!
If the system hangs for any reason, you should be save to kill the chipflasher’s power, because all SPI bus pins are configured to enter a harmless tristate mode right at brown-out or power-off.
  1. Use a screwdriver to adjust the flasher’s CE# pull-up resistor to its CW-most position, that is to its biggest value.
  2. Attach the free pinheader connectors of the SPI-cable to the SPI-Chip...

    • by using a test-clip for chips in situ,
    • by using the 8-pin DIL-socket,
    • or by soldering some flying wires to some extra pinheaders.
    Warning
    You must not mix wires! See cables.sch.png and check pinouts in advance.
  3. Open a terminal and change into firmware/src/.

    Now switch the chipflasher board on.

    Type make -f Startfile.mk loadram in order to upload the firmware into the flasher’s onboard free-design RAM.

    Then type...

    1. make -f Startfile.mk start or
    2. alternatively change into folder host/src/ and type: ./connect chip2file.txt file2chip.txt /dev/ttyS0 B115200

    The menu should arise on screen.

  4. Choose “[d] detect chip” in order to probe the BIOS-chip.
    If not succesful, use a screwdriver in CCW direction to adjust the CE# pull-up resistor to smaller values and try again.

    If successful, you may now use the menu for dumping, erasing, flashing and verifying your chip.

    Warning
    Proceed with care! You may brick your machine!

    Try “[r] show status register” to see the chip’s current configuration.

    • In order to get chip’s content onto disk, just select “[c] read chip”. The data will be stored in chip2file.txt, for example.
    • In order to flash the content of file file2chip.txt, typical steps are:
      1. Create a backup of chip’s content, just select “[c] read chip”.
        Rename the file and read the chip once again.
        Then diff the files, i.e.: diff backup.txt chip2file.txt.
        Warning
        Do not proceed until files match.
      2. Clear block protection bits in the status register with menu option “[W] set status register”,
        or use “[X] global sector unprotect” if provided.
      3. Clear the chip with option “[C] erase chip”.
      4. Flash the chip with option “[I] flash file”.
      5. Dump the chip’s content and verify the data using the diff command after having converted file2chip.txt and chip2file.txt into the same layout with srec_cat. See Data Transfer for details and examples or see whether host/src/diff-srec.sh would be a helpful utility to accomplish this task.

    Wait until your choosen procedure finishes. With “[q] (SPI off)/cancel/quit” you may cancel it at any time.

  5. Hit “q” in order to quit connect.

    Note
    In case the SPI bus has been left powered after chip detection due to volatile bits in status registers, it is powered off as an intermediate step before you actually quit the program with an additional “q”.
  6. Power off the chipflasher board and detach the SPI-cables from the target SPI-chip.

    Done!

Make Use of Onboard EEPROM

Until now, we have taken care to always start from RAM using commands like

The pre-flashed firmware in the onboard EEPROM has not been touched, yet.

If you want to try the pre-flashed firmware, just issue a single

If you want to upload a newly built firmware and make things permanent, just use

From then on, you may start your flasher with a single command:

The latter command would allow you to pass individual parameters to ./connect.
Script utilities like bin2srec.sh, srec2bin.sh and diff-srec.sh would be available in the same folder, host/src/.