I’ve got a Chromebox and I really enjoy this piece of hardware. It is beautiful, powerful and yet very cheap x86 computer. I bought one at Amazon for 139$ and I doubt you can find better computer for this price (eBay has a lot of interesting Chromebox offers). What attracts me is that this computer has open firmware and this is a good chance for me to learn more about it. ChromeOS version of coreboot is freely available in ChromeOS repository.
But before doing any firmware development one should understand that recovering bricked computer is slightly more complicated than recovering broken operation system. Once your computer FW corrupted you cannot boot your computer neither from disk nor from USB stick. One should physically connect to ROM chip pins and write new firmware using a programmer. And today I’ll show show to disassemble the chromebox, connect to its ROM chip, read and write the firmware code. Disclaimer: opening device voids its warranty.
To connect to SPI flash you need following hardware:
- SOIC 8 test clip to connect to SPI flash chip (I use Pomona 5250).
- ROM programmer that provides interface between host computer and the chip that uses SPI protocol. I use Bus Pirate that is powerful piece of hardware but you can use any other programmer.
- Bunch of jumper cables
Ok, let’s start vivisection. Remove four rubber pads at the bottom of the device
Remove four screws and accurately remove the bottom plastic case cover
Now you need to remove the metal shield. For that gently detach metal net glued to the metal shield
Remove 5 screws that attach shield to the case and then carefully remove the metallic shield. Now you see the motherboard, but there is no SPI flash here 😦 it must be at the other side of the board.
Remove 5 more screws that keep the motherboard to the case. Remove small metal shield from top of the power connector and then pull the motherboard out of the case. Be careful as there is a cable that attaches MB to the case sensors.
Now attach the BusPirate pins and the test clip pins as
Bus Pirate Flash chip
MISO DO (IO1)
MOSI DI (IO0)
Refer to Winbod W25Q64 datasheet for flash pins location.
Attach BusPirate to your host computer and then run flashrom from the host. Reading 8M over SPI takes a while (about 10 minutes).
$ flashrom -p buspirate_spi:dev=/dev/ttyUSB0 -r chromebox_fw.bin
flashrom v0.9.7-r1711 on Linux 3.18.2-2-ARCH (x86_64)
flashrom is free software, get the source code at http://www.flashrom.org
Calibrating delay loop… OK.
Found Winbond flash chip “W25Q64.V” (8192 kB, SPI) on buspirate_spi.
Reading flash… done.
Here we are. We were able to read the ROM chip content. To write saved firmware to the chip use -w key for flashrom.