[Tool] Flashrom v1.2 [DOS]

 
$ sudo python3 chipsec_util.py mmio dump SPI
 
################################################################
## ##
## CHIPSEC: Platform Hardware Security Assessment Framework ##
## ##
################################################################
[CHIPSEC] Version : 1.7.0
[CHIPSEC] OS : Linux 5.14.0-custom #1 SMP Tue Aug 31 00:25:42 EDT 2021 x86_64
[CHIPSEC] Python : 3.9.5 (64-bit)

****** Chipsec Linux Kernel module is licensed under GPL 2.0
[CHIPSEC] API mode: using CHIPSEC kernel module API
[!] Unknown PCH: VID = 0x1022, DID = 0x790E, RID = 0xFF; Using Default.
[!] Results from this system may be incorrect.
[CHIPSEC] Helper : LinuxHelper (/home/***/Programming/chipsec/chipsec/helper/linux/chipsec.ko)
[CHIPSEC] Platform: Renoir Root Complex
[CHIPSEC] VID: 1022
[CHIPSEC] DID: 1630
[CHIPSEC] RID: 00
[CHIPSEC] PCH : Default PCH
[CHIPSEC] VID: FFFF
[CHIPSEC] DID: FFFF
[CHIPSEC] RID: FF
[CHIPSEC] Executing command 'mmio' with args ['dump', 'SPI']

[CHIPSEC] Dumping SPI MMIO space..
[mmio] MMIO register range [0x00000000FEC10000:0x00000000FEC10000+000000FF]:
+00000000: 4F0C2105
+00000004: 00000000
+00000008: 00000600
+0000000C: 02000000
+00000010: 04042006
+00000014: 059F0406
+00000018: 020A0B03
+0000001C: 0206B8FF
+00000020: 10330713
+00000024: 20202008
+00000028: 0E06140C
+0000002C: 800054C0
+00000030: 460814CC
+00000034: 00000003
+00000038: FCFCFCFC
+0000003C: 000088FC
+00000040: EBBB6B3B
+00000044: 00000500
+00000048: 02000001
+0000004C: 00030002
+00000050: 0C131200
+00000054: ECBC6C3C
+00000058: 00004608
+0000005C: 00000000
+00000060: 00000000
+00000064: 000000FD
+00000068: 00000000
+0000006C: 00000000
+00000070: 00000000
+00000074: 00000000
+00000078: 00000000
+0000007C: 00000000
+00000080: 05000000
+00000084: DA001123
+00000088: 300665B1
+0000008C: C95F17BB
+00000090: 870ED138
+00000094: 0324F3C3
+00000098: F01DFA28
+0000009C: 95E8B95B
+000000A0: D75105C2
+000000A4: 82FEDDA5
+000000A8: 5CE01B8E
+000000AC: 8CF1F388
+000000B0: 07614F3A
+000000B4: 9D89E91B
+000000B8: 84145D79
+000000BC: 81DC60B7
+000000C0: FF765F24
+000000C4: 00000000
+000000C8: 00000000
+000000CC: 00000000
+000000D0: 00000000
+000000D4: 00000000
+000000D8: 00000000
+000000DC: 00000000
+000000E0: 00000000
+000000E4: 00000000
+000000E8: 00000000
+000000EC: 00000000
+000000F0: 00000000
+000000F4: 00000000
+000000F8: 00000000
[CHIPSEC] (mmio) time elapsed 0.002
 
sudo python3 chipsec_util.py mmio read SPI 0x0 0x4
[CHIPSEC] Read SPI + 0x0: 0x4F0C2105
 
0x4F0C2105 | (1 << 22) | (1 << 23) = 0x4FCC2105
 
sudo python3 chipsec_util.py mmio write SPI 0x0 0x4 0x4FCC2105
[CHIPSEC] Write SPI + 0x0: 0x4FCC2105
 
 
sudo python3 chipsec_util.py mmio read SPI 0x0 0x4
[CHIPSEC] Read SPI + 0x0: 0x4F0C2105
 
I guess it was worth a try!

@headkaze :
Please give us some additional information about your recent python tests while running Linux:
1. What exactly was the sense of your tests?
2. Which conclusions do you draw from the test results?
3. What have your python tests to do with the topic of this thread? Is the usage of python an alternative to the Flashrom tool?

Please put the python results into “spoilers” to save space.


Post #7 tells you the flash protection is SpiAccessRomEn (bit 22) and SpiHostAccessRomEn (bit 23) being cleared in the SPICntrl0 register (sudo python3 chipsec_util.py mmio dump SPI + 0x00). There’s a tool called chipsec which can read and write registers.


First I read the register sudo python3 chipsec_util.py mmio dump SPI + 0x0 which has a value of 0x4F0C2105, then I set bits 22 and 23, which gives 0x4FCC2105 and write this value back. Reading it again gives the original value of 0x4F0C2105. It demonstrates that these "clear-once protection bits" cannot be set again to remove the protection (as expected).

So, no solution to this? I would like to flash a modded BIOS with updated components… None of the other methods work so far

@DarkPoe
What about the usage of a programmer?

@Fernando Well that would be the last resort, but I don’t think that would be practical for everyone though

@DarkPoe : Depending on the mainboard manufacturer it becomes more and more difficult to get a modded BIOS flashed the easy way.

chipsec has finally merged @kerneis-anssi’s amd updates.

So now you can run the following:

 
$ sudo python3 chipsec_util.py reg read SPICntrl0
 

Which will output something like the following:
 
[CHIPSEC] SPICntrl0=0x4F0C2105
[*] SPICntrl0 = 0x4F0C2105 << SPI_Cntrl0. Reset: 0FC0_0000h.
[18] SpiReadMode[0] = 1 << Read-write. Reset: 0. Bit[0] of SpiReadMode. See the definition of SpiReadMode[2:1] in this register. SpiReadMode = {SpiReadMode[2:1],SpiReadMode[0]}.
[21] IllegalAccess = 0 << Read-only. Reset: 0. 0=Legal index mode access. 1=Illegal index mode access.
[22] SpiAccessRomEn = 0 << Read,Write-0-only. Reset: 1. 0=Software cannot access MAC's portion of the ROM space (lower 512 KB). 1=Software can access MAC's portion of the ROM space. This is a clear-once protection bit. Once set, some SPI registers can't be written and discards a SPI request if it is an illegal request.
[23] SpiHostAccessRomEn = 0 << Read,Write-0-only. Reset: 1. 0=MAC cannot access BIOS ROM space (upper 512 KB). 1=MAC can access BIOS ROM space. This is a clear-once protection bit. Once set, some SPI registers can't be written and discards a SPI request if it is an illegal request.
[24] ArbWaitCount = 7 << Read-write. Reset: 7h. Specifies the amount of wait time the SPI controller asserts HOLD# before it should access the SPI ROM, under ROM sharing mode with the MAC. This time is to allow the MAC to sample HOLD#.
[27] SpiBridgeDisable = 1 << Read-write. Reset: 1. Setting this bit disables the SPI bridge mode (SB acts as a SPI-LPC bridge to the MAC).
[28] SpiClkGate = 0 << Read-write. Reset: 0. 1=Skip the 8th SPI clock at the end data when doing read.
[29] SpiReadMode[2:1] = 2 << Read-write. Reset: 0h. Description: See Table 78 [SpiReadMode[2:0]]. NOTE: SPI modes supported are listed below,
[31] SpiBusy = 0 << Read-only. Reset: 0. 0=SPI bus is idle. 1=SPI bus is busy.
 

Now you can clearly see that SpiAccessRomEn and SpiHostAccessRomEn are both set to 0. This means the BIOS ROM space is protected.

@DarkPoe the only way around this would be to remove the appropriate modules from the BIOS before upgrading as mentioned in my previous post.

I have yet to hear if anyone has done this successfully.
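
An added example (not written by any poster in this thread and not chipsec code): it decodes a SPICntrl0 value using the field positions from the `reg read SPICntrl0` output above and models the write-0-only bits, which is why writing 0x4FCC2105 read back as 0x4F0C2105. The field widths and the treatment of all remaining bits as plain read-write are assumptions of this sketch.

```python
import re

# Field layout (name, low bit, width) taken from the `reg read SPICntrl0`
# output quoted in this thread; widths are inferred from neighbouring fields.
FIELDS = [
    ("SpiReadMode[0]", 18, 1), ("IllegalAccess", 21, 1),
    ("SpiAccessRomEn", 22, 1), ("SpiHostAccessRomEn", 23, 1),
    ("ArbWaitCount", 24, 3), ("SpiBridgeDisable", 27, 1),
    ("SpiClkGate", 28, 1), ("SpiReadMode[2:1]", 29, 2), ("SpiBusy", 31, 1),
]
W0_ONLY = (1 << 22) | (1 << 23)    # "Read,Write-0-only" clear-once bits
READ_ONLY = (1 << 21) | (1 << 31)  # IllegalAccess, SpiBusy


def decode(value):
    """Split a 32-bit SPICntrl0 value into the named fields."""
    return {name: (value >> low) & ((1 << width) - 1)
            for name, low, width in FIELDS}


def rom_protection_active(value):
    """True when both clear-once enable bits read 0, as seen in the thread."""
    return (value & W0_ONLY) == 0


def model_write(current, requested):
    """Predicted readback after a 32-bit write (simplified model, assumption)."""
    keep = current & READ_ONLY              # hardware-owned bits stay as they are
    w0 = current & requested & W0_ONLY      # may go 1 -> 0, never 0 -> 1
    rw = requested & ~(READ_ONLY | W0_ONLY) & 0xFFFFFFFF
    return keep | w0 | rw


def parse_readback(line):
    """Extract the value from a chipsec 'Read SPI + 0x0' output line."""
    m = re.search(r"Read SPI \+ 0x0: (0x[0-9A-Fa-f]{8})", line)
    return int(m.group(1), 16) if m else None


if __name__ == "__main__":
    before = parse_readback("[CHIPSEC] Read SPI + 0x0: 0x4F0C2105")
    wanted = before | W0_ONLY               # the 0x4FCC2105 from the post
    after = model_write(before, wanted)
    print(f"wanted {wanted:#010x}, predicted readback {after:#010x}")
    print("protection active:", rom_protection_active(after))
    for name, val in decode(after).items():
        print(f"  {name} = {val}")
```
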

Well… I am tempted to buy a chip programmer because I believe it won’t be easier from here now on…

But yeah, it would be hard to find someone with pre-1.2.0.0 here (maybe a new Mobo?) that can try that

I tried 2 days with efiflash 0.87 mod, it doesn't work with capsule … this tool works perfect for my capsule gigabyte ga-ax370m-ds3h. I Love You.

I activated Resizable BAR

IT WORKED! :grinning:
I can confirm that after removing the DXE driver AmdSpiRomProtectDxe using UEFITool 0.28.0 flashrom can read the SPI again. :star_struck:

Tested on my Asrock Deskmini X300 bios version P1.80A

Hello, so by removing AmdSpiRomProtectDxe from the bios, any agesa 1.2.x.x could use flashrom in any means? Is it only AmdSpiRomProtectDxe, or the entire AmdSpiRomProtect modules (normal, dxe, and Pei)?

Well the other modules don’t exist (I searched for the GUID) in the SPI flash image so I just removed the only one that exists and flashrom worked again. The bios P1.80A of the deskmini X300 has AGESA 1.2.0.7 so that it should work on any AGESA 1.2.x.x but when I can get my hands on the hardware I need to flash a WSON8 chip I can also test this on an Asus X570I motherboard.
Here is what CHIPSEC says after removing AmdSpiRomProtectDxe:


I am wondering if removing the AmdSpiRomProtectPei is necessary too for the bios that have it

Good morning everyone! I am looking for the latest version of dos flashrom ch341a, can you help me? Thanks.

@papele
What sort of tool is “dos flashrom ch341a” and where did you see it?

I mean the one that starts from prompt or windows. I’m looking for a more current version.

@papele
For the latest flashrom version you should better look >here<.
By the way - what has the tool to do with the CH341A programmer?

Because it works with the ch341a programmer. I have seen but there is nothing.

Do you have Flashrom v1.3 compiled version?
