[flashrom] FAILED: HM77 (Macbook Pro retina)
Trammell Hudson
hudson at osresearch.net
Mon Dec 31 21:02:51 CET 2012
On Dec 31 2012 11:13 AM, Stefan Tauner wrote:
> Trammell Hudson <hudson at osresearch.net> wrote:
>> No changes were written to the executable portions of the ROM. The
>> data regions at 0x2000-0x2FFF, 0x6400-0x67FF, 0xC000-0x14FFF, 0x1C000,
>> 0x3C000, 0x40000-0x4BFFF were overwritten correctly. My firmware image
>> differed only in those regions below 0x190000, so it might have
>> successfully written to the entire 0x0-0x4BFFF (or even higher) space.
>
> The terms executable and data region are not very accurate. The ME
> region (0x00001000 - 0x0018ffff) is executed by the embedded controller
> embedded in the PCH.

Interesting. Is the ME region common to all motherboards? On this
Macbook part of that region (starting at offset 0x2000) appears to be
re-written on almost every boot and is perhaps used to store some sort
of OSX related data. It is written/erased in 4KB chunks and starts with
the magic number 0x474F4C46 ("FLOG"). The previously written portion is
erased with 0xFF and possibly some bookkeeping data. There is a
different region in the flashrom (around offset 0x670000) that OSX uses
to store the nvram data in an EFI firmware volume and is also rewritten
on most boots.
On Macbooks it appears that the EFI firmware volumes with executables
start at 0x190000, so I had mentally written off everything below that
as data; my understanding of how the ROM is split up is inexact and is
based only on my observations of what I've seen with this motherboard.

>> The ROM image that I was writing had changes in the executable firmware
>> volume starting at 0x190000.
>
> This contradicts what you wrote in the first paragraph (but is in line
> with the log).

I was unclear, sorry. I had made changes in the executable code stored
in the EFI firmware volume at 0x190000 (length 0x1A0000) and was
attempting to write them to the chip with flashrom, but as you can see
in the logs, that portion of the ROM was unchanged. I have since
successfully flashed the changes via my own SPI hardware device.
--
Trammell
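
Added example, not part of the original message and not flashrom code: a Python script that compares the image you intended to write against a read-back of the chip and reports which 4 KB blocks did not take, labelled with the region boundaries quoted in this thread. The function names and the sample images in `demo()` are constructed for illustration.

```python
BLOCK = 0x1000  # 4 KB chunk size mentioned in the message

# Boundaries quoted in the thread for this board (end offsets are exclusive).
REGIONS = [
    (0x001000, 0x190000, "ME region"),
    (0x190000, 0x190000 + 0x1A0000, "EFI firmware volume"),
]

def region_of(offset):
    """Name the region containing offset, or 'other' if the thread gives none."""
    for start, end, label in REGIONS:
        if start <= offset < end:
            return label
    return "other"

def unwritten(intended, readback, block=BLOCK):
    """Return (start, end, region) for block runs where the chip differs from intended."""
    if len(intended) != len(readback):
        raise ValueError("images must be the same size")
    runs = []
    for off in range(0, len(intended), block):
        if intended[off:off + block] == readback[off:off + block]:
            continue
        label = region_of(off)
        if runs and runs[-1][1] == off and runs[-1][2] == label:
            runs[-1][1] = off + block      # extend the previous run
        else:
            runs.append([off, off + block, label])
    return [tuple(r) for r in runs]

def demo():
    """Constructed images: the 0x2000 change lands, the 0x190000 changes do not."""
    size = 0x340000
    original = bytearray(b"\xff" * size)
    intended = bytearray(original)
    intended[0x2000:0x2004] = b"FLOG"
    intended[0x190500:0x190504] = b"\x90\x90\x90\x90"
    intended[0x191000:0x191004] = b"\x90\x90\x90\x90"
    readback = bytearray(original)
    readback[0x2000:0x2004] = b"FLOG"      # only the low change reached the chip
    return unwritten(bytes(intended), bytes(readback))

if __name__ == "__main__":
    for start, end, label in demo():
        print(f"0x{start:06X}-0x{end - 1:06X} not written ({label})")
```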