For anyone lacking a valid backup of their original Chrome OS firmware, I've constructed a ROM image with an invalid serial number from my C710-2847 (the launch model).
C710 Firmware.zip
I've included instructions on how to modify the image to match your actual device before you flash it, which I strongly recommend. I can't predict how Google functionality may be effected by an invalid serial number or the default firmware hardware ID.
Also, please note that these instructions may be specific for the C710-2847 so pay attention if you have another model. There's only one recovery image for the C710, so I'm confident the firmware will work on all models. But, you may need to change more than 8 digits of the serial number with other models, IDK.
[Edit] If you have a C710-842G32ii, then I recommend using the BIOS.BIN contained in the shellball (which is also included). For an explanation & discussion of the implications - see the comments below - specifically, my conversation with Schokobecher.
Wednesday, November 6, 2013
Friday, October 18, 2013
C720 News
According to Jay Lee (Author of the Chrubuntu Script), "Ron Minnich has confirmed all the post-Pixel x86 Chrome devices should do SeaBIOS CTRL+L legacy boot." Reference
Makes one wonder why the pre-Pixel 3rd generation Intel devices haven't been given this ability. I realize that upgrading the firmware isn't something most people would want to do, but the slot in the C710 firmware was left full of zeros anyway, so ... why not?
Makes one wonder why the pre-Pixel 3rd generation Intel devices haven't been given this ability. I realize that upgrading the firmware isn't something most people would want to do, but the slot in the C710 firmware was left full of zeros anyway, so ... why not?
Monday, October 14, 2013
General Advice on Flashing Firmware
I guess relatively few people are as paranoid as I am, but given the ease and speed of flashing from CrOS or Linux on the C710 itself, I suggest the following process:
1. Before you flash an image, create a backup (BACKUP.BIN) of the current firmware and generate an md5sum for it.
2. Now, generate an md5sum for the image you're about to flash, let's say NEW_FW.BIN.
3. Flash the image.
4. Even if everything appears to go perfectly, create a backup of the firmware again, i.e. READBACK.BIN and either compare it to NEW_FW.BIN or (I prefer to) generate an md5sum for READBACK.BIN and compare the md5sums of the two.
This will allow you to revert to the state of the firmware before you started (with your BACKUP.BIN) and guarantee that the EEPROM now contains what you intended.
1. Before you flash an image, create a backup (BACKUP.BIN) of the current firmware and generate an md5sum for it.
2. Now, generate an md5sum for the image you're about to flash, let's say NEW_FW.BIN.
3. Flash the image.
4. Even if everything appears to go perfectly, create a backup of the firmware again, i.e. READBACK.BIN and either compare it to NEW_FW.BIN or (I prefer to) generate an md5sum for READBACK.BIN and compare the md5sums of the two.
This will allow you to revert to the state of the firmware before you started (with your BACKUP.BIN) and guarantee that the EEPROM now contains what you intended.
Sunday, October 13, 2013
How To ... Reconstruct your Firmware from an Invalid Backup
If you're stuck with an invalid backup of your factory firmware because you followed some other geek's flawed instructions ;), the best solution is to reconstruct your firmware by replacing the first 2 MB of code in your backup ROM image with the first 2 MB of code from the default C710 firmware (bios.bin in the shellball). This replaces the Intel Management Engine, which is the part that's trashed in the backup, but keeps the rest of your original ROM intact.
You want to keep the rest intact because the firmware contains the serial number of your C710 which is used by Google in some manner - I don't know exactly how. So, anyway, here's the Intel Management Engine:
Download
You want to keep the rest intact because the firmware contains the serial number of your C710 which is used by Google in some manner - I don't know exactly how. So, anyway, here's the Intel Management Engine:
Download
Un-zipped, this file should be exactly 2048 kb or 2 MB. You need to replace the first 2 MB of your ROM backup with this 2 MB. So, the resulting COMBINED.ROM file will still be 8 MB in size. Then you can flash the COMBINED.ROM and you should be back to factory (or close enough).
There are many ways to accomplish this, I used a Hex Editor to open my BACKUP.ROM and 01_SI_ALL.BIN, selected all of 01_SI_ALL.BIN, copied it to the clipboard, pasted it over the first 2 MB of BACKUP.ROM and then saved the new combined file as COMBINED.ROM. Describing the process was more difficult than performing it, trust me. And there are much simpler methods using the command line, but I hate typing, so you're on your own there! ;)
Special thanks to Chusheng Zheng for giving me a push to finally document this stuff!
Special thanks to Chusheng Zheng for giving me a push to finally document this stuff!
Monday, September 23, 2013
Promote C7 Development Efforts
If you can spare a few bucks for the cause, John Lewis is accepting donations for the purchase of an Acer C7 and other gear in his Coreboot+SeaBIOS project. He's already come a long way in his quest to "open up" Chromebooks and is certainly deserving of our support. If you'd like to have the option of using your Chromebook as a more all-purpose laptop, he's definitely the horse to bet on in this race!
http://johnlewis.ie/
http://johnlewis.ie/
Friday, September 20, 2013
How To ... Turn a Brick back into a Chromebook!
As long as you have a valid backup of your original firmware, you can restore your C7 by following these instructions.
But, before you go any further, double check the contents of your backup at address 0x00001000 (like with a Hex Editor). If that byte contains 0xFF, then your backup is invalid and will brick your C7 again, so STOP! I will address this situation in another post soon.
OK now, first of all, you'll need the following gear:
1. A Bus Pirate
2. A Bus Pirate Probe cable
3. A Pomona 5250 SOIC Clip
Do not substitute the 3M part for the Pomona, as it won't work. The Bus Pirate is an inexpensive hacker's tool that can serve as an external chip programmer. It's supported by flashrom and although painfully slow, it does the job quite well. It all cost me ~$60 including shipping.
This presentation will provide a good step-by-step guide to disassembling your C7 to get access to the EEPROM which is on the top side of the motherboard (MB), under the keyboard. It looks like a horrible nightmare, but thanks to these guys, it really isn't too difficult. However, I do recommend disconnecting both the keyboard and the trackpad, their cables and connectors are too fragile to risk leaving connected, IMHO. I will admit that reconnecting them is a royal PITA, though.
https://docs.google.com/file/d/0Bzig09VSdjW1azRKaEtqZk5MZW8/edit?usp=sharing
Here's an ASCII diagram detailing how to connect the Bus Pirate (BP) to the C7's EEPROM.
TXT
PNG
On my MB, the chip is a Macronix MX25L6406E, but yours might differ. You should also be aware that there's more than one probe cable design and the color schemes vary. I'm using the Seeed Studio probe cable design. For more info on the BP, consult:
http://dangerousprototypes.com/docs/Bus_Pirate
For instructions on programming the EEPROM, consult this authority:
http://johnlewis.ie/unbricking-a-samsung-series-5-550-chromebook/
He's using a Samsung 550 Chromebook, but the procedure is the same. The C7's battery pack is, of course, removable. So, as long as the battery is disconnected, it's already "cut."
But, before you go any further, double check the contents of your backup at address 0x00001000 (like with a Hex Editor). If that byte contains 0xFF, then your backup is invalid and will brick your C7 again, so STOP! I will address this situation in another post soon.
OK now, first of all, you'll need the following gear:
1. A Bus Pirate
2. A Bus Pirate Probe cable
3. A Pomona 5250 SOIC Clip
Do not substitute the 3M part for the Pomona, as it won't work. The Bus Pirate is an inexpensive hacker's tool that can serve as an external chip programmer. It's supported by flashrom and although painfully slow, it does the job quite well. It all cost me ~$60 including shipping.
This presentation will provide a good step-by-step guide to disassembling your C7 to get access to the EEPROM which is on the top side of the motherboard (MB), under the keyboard. It looks like a horrible nightmare, but thanks to these guys, it really isn't too difficult. However, I do recommend disconnecting both the keyboard and the trackpad, their cables and connectors are too fragile to risk leaving connected, IMHO. I will admit that reconnecting them is a royal PITA, though.
https://docs.google.com/file/d/0Bzig09VSdjW1azRKaEtqZk5MZW8/edit?usp=sharing
Here's an ASCII diagram detailing how to connect the Bus Pirate (BP) to the C7's EEPROM.
PNG
On my MB, the chip is a Macronix MX25L6406E, but yours might differ. You should also be aware that there's more than one probe cable design and the color schemes vary. I'm using the Seeed Studio probe cable design. For more info on the BP, consult:
http://dangerousprototypes.com/docs/Bus_Pirate
For instructions on programming the EEPROM, consult this authority:
http://johnlewis.ie/unbricking-a-samsung-series-5-550-chromebook/
He's using a Samsung 550 Chromebook, but the procedure is the same. The C7's battery pack is, of course, removable. So, as long as the battery is disconnected, it's already "cut."
Tuesday, September 17, 2013
Important Discovery to Prevent Bricking
Through rigorous application of the experimental method, I have discovered that (at least on the C7) a valid backup of the firmware is only possible with hardware (HW) write-protect (WP) disabled. In this context, software (SW) WP seems to be irrelevant.
To clarify, if you use flashrom to read the EEPROM without bridging the WP jumper on the motherboard first, that backup copy of the firmware will be invalid. If you subsequently flash that backup (or a modded version of it) onto the EEPROM, it will brick the device.
Does this make any sense? No, but it appears to be a fact. Apparently, with HW WP enabled flashrom just silently (no error messages) fails to read the Intel Management Engine (and possibly other) code in the firmware image. I have found references to the fact that Google patched flashrom so that it would not crash under these conditions, but have no idea why. I would have preferred that it crash, rather than silently create an invalid image of the firmware. Of course, I must acknowledge that these tools were never intended for use by the consumer.
With this knowledge, I have successfully enabled the Dev Mode Boot Screen bypass with the stock firmware. So I can now confirm that "the hack" can be performed safely, as long as you keep this fact in mind. But, be aware that some of the instructions on the web do not take this into account and if followed to the letter, will brick your C7. I recommend only this source:
http://johnlewis.ie/neutering-the-developer-mode-screen-on-your-chromebook/
John's information was essential in my effort to de-brick my C7. He's using a Samsung 550 Chromebook, but the platforms are similar enough in this case.
To clarify, if you use flashrom to read the EEPROM without bridging the WP jumper on the motherboard first, that backup copy of the firmware will be invalid. If you subsequently flash that backup (or a modded version of it) onto the EEPROM, it will brick the device.
Does this make any sense? No, but it appears to be a fact. Apparently, with HW WP enabled flashrom just silently (no error messages) fails to read the Intel Management Engine (and possibly other) code in the firmware image. I have found references to the fact that Google patched flashrom so that it would not crash under these conditions, but have no idea why. I would have preferred that it crash, rather than silently create an invalid image of the firmware. Of course, I must acknowledge that these tools were never intended for use by the consumer.
With this knowledge, I have successfully enabled the Dev Mode Boot Screen bypass with the stock firmware. So I can now confirm that "the hack" can be performed safely, as long as you keep this fact in mind. But, be aware that some of the instructions on the web do not take this into account and if followed to the letter, will brick your C7. I recommend only this source:
http://johnlewis.ie/neutering-the-developer-mode-screen-on-your-chromebook/
John's information was essential in my effort to de-brick my C7. He's using a Samsung 550 Chromebook, but the platforms are similar enough in this case.
Subscribe to:
Posts (Atom)