Process description:
The general idea is taken from thaGH05T's tutorial. Read the chip into a firmware dump file and process it with the 'scan-n-patch' script, which replaces the SVS area and creates a cleaned firmware file. You can flash the chip with the modified firmware, but you do not need to flash the whole chip: only the password needs to be removed, and 'flashrom' can do that. The 'scan-n-patch' script creates a layout file and prints the command-line arguments for partial chip flashing. This is the safer approach, because you touch only a small piece of the chip content; the firmware itself and your settings remain unchanged.
Requirements:
- Raspberry Pi or other SPI device and a SOIC-8 clip or Easy Flash clip.
- If your SPI device is not a Raspberry Pi, you need the ability to run the Perl script.
- A working 'flashrom' utility.
- scan-n-patch fileset (Google Drive link).
Scan-n-Patch script.
'scan-n-patch' is a Perl script that reads the file specified as a command-line argument. It looks for data signatures and can replace a portion of the file content with other data.
Right now it can be launched in two modes:
- 'SCANONLY' mode. In this mode it searches for the SVS area and prints its parsed content, so you can see each password record and whether it is active or not.
- 'SILENT' mode. In this mode the script skips printing some information. This mode is intended for analyzing several files.
To select a mode, set the SCANONLY and/or SILENT variables in the environment. Example:
SCANONLY=1 ./scan-n-patch.pl <file_name>
or
SCANONLY=1 SILENT=1 ./scan-n-patch.pl <file_name>
Instructions:
1. Read the chip and save its content to a file.
For the RP the command looks like this:
sudo flashrom -p linux_spi:dev=/dev/spidev0.0 -r <file_name>
Note: For Macronix flash you need to specify the chip explicitly. Use the '-c' option.
2. Check that the chip has been read correctly.
You can read the chip 2-3 times and compare the results with the 'md5' tool, or you can do the check with 'flashrom' like this:
sudo flashrom -p linux_spi:dev=/dev/spidev0.0 -v <file_name>
3. Run 'scan-n-patch' with your dump file specified as the command-line argument.
./scan-n-patch.pl ./<file_name>
Note that the scanning process takes a lot of time on the RP, approx. 20-25 minutes, so be patient.
If your dump has a password, its hash will be printed, as well as how many times it was set. Make sure that the 'RFT' variable has been defined. 'RFT' is the Record Format Type; it may have the value 1 or 2, in other cases patching will be incorrect.
To confirm patching, press 'Enter'.
As a result you will get:
- A modified firmware file named <file_name>.modified, placed in the same directory as the original dump.
- A layout file for 'flashrom', placed in the current directory.
- Additional command-line arguments for 'flashrom'.
4. Apply the patch to the chip.
In step 3 you got additional command-line arguments for 'flashrom' like this:
--layout ./flashrom.layout --image SVS -w ./<file_name>
To apply the changes to the chip, pass them to the 'flashrom' tool:
sudo flashrom -p linux_spi:dev=/dev/spidev0.0 --layout ./flashrom.layout --image SVS -w ./<file_name>.modified
5. Shut down the RP after 'flashrom' finishes, disconnect the clip and power on your Mac.