Zerocat Chipflasher  v0.4.10-732-9a3cc90b
Flash free firmware to BIOS chips, kick the Management Engine.
Power Profiles

Preliminary Conclusion

Zerocat’s Chipflasher is designed for flashing BIOS chips reversely, that is: Power is applied to the chip, thus sending currents into the sysboard backwards.

Note that the power traces around the BIOS chip surely are not designed for the currents that some sysboards (X60, T60) will draw. If we power the BIOS chip, some target sysboards will draw much more current that would probably be needed to flash successfully. Therefor, we need kind of current limiting circuit. Examples: X60, T60

The only current limit 'control' we do have right now, is:

  • the Polyfuse
  • the capability of the regulator in use
  • the scope of the incoming power

The Polyfuse seems to get hot for currents above its hold current, thus already limiting the current. Higher currents make the device to shut down the board after a while, thus leaving a small time window where we can take action (i.e. T60).

This time window could be used multiple times if we allow the fuse to cool down in between. This is very annoying and makes that flashing procedure slow as we are flashing sector by sector, but note the main goal should be not to damage the target sysboard!

Unfortunately, the chip’s supply voltage of a T60 doesn't reach its minimal value of 2.7V with supply currents below 2 Ampères – bigger currents would probably destroy the board and doesn't seem to help anyway.

Therefore, we won't be able to flash a T60 safely within specs by driving power backwards into the sysboard :-(

However, when using a combination of an LD1117-3.3 (800mA) voltage regulator, 1000µF power capacitor and a Polyfuse RXEF075, we can flash and read the T60 in one go with a chip supply voltage around 2.5V, which is not too bad!

We should be able to boot coreboot and then flash a second time from user space, within specs.

Todo:
Let’s try Peter Stuge’s method as well.
Todo:
Monitor the overall current or Polyfuse heat or even better add a dedicated current limiting circuit for the SPI Bus.

Standard Setup

  • LD1117-3.3 voltage regulator (designed for 800mA, typical maximum is 1000mA)
  • Capacitor 1000µF
  • Polyfuse RXEF075
  • Power Shunt 0.025Ohms (available on development board only)

Voltage across PowerShunt 0.025R +-1% during read operation

The power shunt in board-dev.sch allows us to monitor the overall return current.

Current = Voltage across Power Shunt / Power Shunt’s Resistor Value

If not otherwise noted, the CE# pull-up is adjusted to its maximal value (245Ohms).

Note
Note that the selected Polyfuse RXEF075 is getting hot beyond 0.019V and would trip immediatly at 0.038V (1500mA). However, the voltage regulator in use is not capable of supplying more than 1000mA.
  • overall current up to 1000mA
    • T60-2MB-Atmel (SOIC8): 0.0245V; Vdd_SPI = 2.7V –› 2.55V ––› 2.49V –––› 2.47V
    • X60s-2MB-SST (SOIC8): 0.023V; Vdd_SPI >= 3.0V
  • overall current up to 500mA
    • GA-G41M-ES2L (SOIC8): 0.0125V
    • T500-Winbond-8MB (SOIC16): 0.0075V; CE# pull-up approx. 100Ohms
    • T400-Macronix-8MB (SOIC16): 0.0075V; CE# pull-up approx. 100Ohms
    • X200-Atmel-4MB (SOIC8): 0.0068V; CE# pull-up approx. 100Ohms
    • X220-8MB-Winbond (SOIC8): 0.0065V
    • X200-Macronix-8MB (SOIC16): 0.0065V;
    • X200-Winbond-8MB (SOIC16): 0.0063V; CE# pull-up approx. 145Ohms
  • overall current up to 200mA
    • D945GCLF (SOIC8): 0.0039V
    • X230-Macronix-8MB-4MB (2x SOIC8): 0.002V

USB Power Specs

As we are using USB ports as unclassified devices, we are not allowed to draw more than 100mA per port (200mA in total) if we want to stay within official USB specs. Thus the chipflasher needs to be self-powered through an external power supply for targets that take more current.

However, if we don't care about official USB specs, using two USB ports with a non-standard Y-USB-Cable works just fine as well on a ThinkPad X60.

X60-Docking

This docking station seems to have very robust USB-Ports which can deliver up to 2.2Amps before a crowbar protection gets active. Then they are dead until you reboot after a while.