[coreboot] Re: coreboot on Chromebook octopus/casta/bluebird with u-boot payload - blank screen

[James Feeney]

ok!  One problem identified and resolved - the "No EEPROM/flash device found."

It turns-out that no on-board circuitry was damaged in connecting the external 
flash programmer.  Instead, this Samsung Chromebook 4, model XE310XBA-K01US, 
revision 1.0 motherboard, is *missing* the four series resistors connecting the 
H1B2C Google Security Chip to the GigaDevice 25LQ128D boot flash memory device. 
 Consequently, the Serial-Out line always remains in the pulled-up high state, 
and the GSC sees all 1's.  Only the Gemini Lake SOC SPI bus is connected to the 
boot flash device.  The simplest solution is to solder-bridge the pads for 
these 0402 size resistors, which then allows Closed Case Debugging to function 
as expected.

More generally, it seems that manufacturer implementations of Google reference 
designs can be quite variable.  Some boards do not include the separate SPI bus 
multiplexer chip shown in presentations on the GSC, and instead, directly 
connect the GSC and SOC tri-state GPIO lines and provide pull-up resistors.  
And, as in this case, some manufacturers do not even connect the GSC to the 
boot flash memory device.

As I understand, manufacturers are not suppose to leave the GSC disconnected 
from the SPI bus to the flash device.  However, also, apparently there are no 
legal constraints associated with the "Chromebook" trade name requiring Closed 
Case Debugging to be functional.  It would be useful to keep track of these 
"problem" Chromebooks.

I haven't discovered the cause of my difficulty with the external flash 
programmer.  I note that the Not-Write-Protect and Not-Hold lines are not part 
of the basic 4-wire SPI bus, and I have not found documentation about how these 
lines are driven.  It may be that their default state depends upon the Closed 
Case Debugging permissions.  But now, with CCD working, the external programmer 
is not needed.

So, I can get back to debugging my u-boot payload.

James
___
coreboot mailing list -- coreboot@coreboot.org
To unsubscribe send an email to coreboot-le...@coreboot.org

[coreboot] Re: coreboot on Chromebook octopus/casta/bluebird with u-boot payload - blank screen

[James Feeney]

On 7/23/21 1:58 PM, Matt DeVillier wrote:
>> Ironically, the inability to attach a flash programmer in-circuit to a 
>> Chromebook having Google's H1 security chip represents a kind of security 
>> failure.  Specifically, how is the boot flash content to be verified with 
>> the certainty that the true content has not been hidden by Cr50, or by, for 
>> instance, flashrom running from eMMC root, when the AP is used to read the 
>> boot flash?

> Inability? due to it being a WSON-8 chip or? Every Chromebook since
> ~2013 has supported ISP, AFAIK. And up until recently, most used a
> clippable SOIC-8 chip.
> 

Lucky for me, the Chromebook 4 still uses the SOP8 208MIL package.  Or, it 
might be argued, unlucky for me, that I would bother the boot flash chip.

"Inability" only based upon the theory that maybe the Chromebook multiplexer 
was damaged when I connected the TUMPA to the flash chip.

Of course, I still don't really know what the problem is.  It might be the 
result of the way I connected the TUMPA - operator error.  It may be that this 
Chromebook was already defective upon receipt.  Or, there may be some obscure 
bug in my current build of Google flashrom.  Or, it might just be some unlucky 
unlikely random hardware glitch.

So, "inability" may be inappropriate here, and I'm in a mood, feeling 
frustrated.  But I do appreciate your help.  Something will work out - one step 
at a time.

James
___
coreboot mailing list -- coreboot@coreboot.org
To unsubscribe send an email to coreboot-le...@coreboot.org

[coreboot] Re: coreboot on Chromebook octopus/casta/bluebird with u-boot payload - blank screen

[Matt DeVillier]

On Fri, Jul 23, 2021 at 12:13 PM James Feeney  wrote:
>
> On 7/23/21 8:07 AM, Matt DeVillier wrote:
>
> Thanks for your review.
>
> >> Are there any other things to try, before heating-up the soldering iron?  
> >> Is there any way to cross-check what flashrom is seeing?  Is there any way 
> >> for Cr50 to directly access the AP boot flash memory itself and then 
> >> report through the Cr50 console, without involving flashrom?
> > I don't believe so, someone from Google would likely be able to better 
> > answer
> >
>
> That seems like shortsightedness from Google, not providing some kind of 
> internal test/verification function for some hardware I/O.
>
> >> As to the "broken hardware" theory, have you ever heard of anyone 
> >> attaching a flash programmer to a Google octopus board and successfully 
> >> reading flash memory content *in circuit*?
> > never tried since CCD option is available, but in theory it should be 
> > possible.
> >
>
> Hmm - tentatively, it might be useful to other people to offer the advise 
> "NEVER attach an in-circut flash programmer to an octopus board!"  I don't 
> know that anyone would want to actually test this conjecture with their own 
> hardware.  It looks like I may have to buy the service manual from Samsung, 
> but they refuse to tell me whether it includes the schematics.
>
> Ironically, the inability to attach a flash programmer in-circuit to a 
> Chromebook having Google's H1 security chip represents a kind of security 
> failure.  Specifically, how is the boot flash content to be verified with the 
> certainty that the true content has not been hidden by Cr50, or by, for 
> instance, flashrom running from eMMC root, when the AP is used to read the 
> boot flash?

Inability? due to it being a WSON-8 chip or? Every Chromebook since
~2013 has supported ISP, AFAIK. And up until recently, most used a
clippable SOIC-8 chip.

>
> It cannot be verified.  The only alternative is to unsolder the flash chip, 
> and read it externally.  Of course, if Cr50 has been compromised, verifying 
> boot flash may not matter.  But then, in the end, this is Google's "Security 
> by Obscurity - just hide it in hardware" strategy, since I don't know that 
> there is any way to verify the Cr50 code running in the H1 chip.  You'd think 
> that, by now, people would have given-up on the "Security by Obscurity" 
> strategy - but I suppose that marketing and management have still not 
> caught-up, gotten the memo, whatever - "Intellectual Property Rights", "Trade 
> Secrets", "National Security", blah, blah, blah.
>
> Also ironically, the actual cost to provide circuit protection for in-circuit 
> flash programming is approximately "zero" - the cost of a few resistors and 
> maybe a diode.  I found this interesting:
>
> "Integrity Enhancements for Embedded Linux Devices", David Safford
> https://selinuxproject.org/~jmorris/lss2013_slides/safford_embedded_lss_slides.pdf
>
> It looks like the maximum current on a typical ARM SC300 GPIO, as used for 
> the H1, is about 4mA.  Compare this to the maximum current available from a 
> typical buffer output, as from a flash programmer, of about 50mA, if these 
> circuits were to be directly connected.
>
> 
>
> James
___
coreboot mailing list -- coreboot@coreboot.org
To unsubscribe send an email to coreboot-le...@coreboot.org

[coreboot] Re: coreboot on Chromebook octopus/casta/bluebird with u-boot payload - blank screen

[James Feeney]

On 7/23/21 8:07 AM, Matt DeVillier wrote:

Thanks for your review.

>> Are there any other things to try, before heating-up the soldering iron?  Is 
>> there any way to cross-check what flashrom is seeing?  Is there any way for 
>> Cr50 to directly access the AP boot flash memory itself and then report 
>> through the Cr50 console, without involving flashrom?
> I don't believe so, someone from Google would likely be able to better answer
> 

That seems like shortsightedness from Google, not providing some kind of 
internal test/verification function for some hardware I/O.

>> As to the "broken hardware" theory, have you ever heard of anyone attaching 
>> a flash programmer to a Google octopus board and successfully reading flash 
>> memory content *in circuit*?
> never tried since CCD option is available, but in theory it should be 
> possible.
> 

Hmm - tentatively, it might be useful to other people to offer the advise 
"NEVER attach an in-circut flash programmer to an octopus board!"  I don't know 
that anyone would want to actually test this conjecture with their own 
hardware.  It looks like I may have to buy the service manual from Samsung, but 
they refuse to tell me whether it includes the schematics.

Ironically, the inability to attach a flash programmer in-circuit to a 
Chromebook having Google's H1 security chip represents a kind of security 
failure.  Specifically, how is the boot flash content to be verified with the 
certainty that the true content has not been hidden by Cr50, or by, for 
instance, flashrom running from eMMC root, when the AP is used to read the boot 
flash?

It cannot be verified.  The only alternative is to unsolder the flash chip, and 
read it externally.  Of course, if Cr50 has been compromised, verifying boot 
flash may not matter.  But then, in the end, this is Google's "Security by 
Obscurity - just hide it in hardware" strategy, since I don't know that there 
is any way to verify the Cr50 code running in the H1 chip.  You'd think that, 
by now, people would have given-up on the "Security by Obscurity" strategy - 
but I suppose that marketing and management have still not caught-up, gotten 
the memo, whatever - "Intellectual Property Rights", "Trade Secrets", "National 
Security", blah, blah, blah.

Also ironically, the actual cost to provide circuit protection for in-circuit 
flash programming is approximately "zero" - the cost of a few resistors and 
maybe a diode.  I found this interesting:

"Integrity Enhancements for Embedded Linux Devices", David Safford
https://selinuxproject.org/~jmorris/lss2013_slides/safford_embedded_lss_slides.pdf

It looks like the maximum current on a typical ARM SC300 GPIO, as used for the 
H1, is about 4mA.  Compare this to the maximum current available from a typical 
buffer output, as from a flash programmer, of about 50mA, if these circuits 
were to be directly connected.



James
___
coreboot mailing list -- coreboot@coreboot.org
To unsubscribe send an email to coreboot-le...@coreboot.org

[coreboot] Re: coreboot on Chromebook octopus/casta/bluebird with u-boot payload - blank screen

[Matt DeVillier]

On Thu, Jul 22, 2021 at 7:29 PM James Feeney  wrote:
>
> On 7/22/21 3:53 PM, Matt DeVillier wrote:
> ...
> >> I get "No EEPROM/flash device found".  Running with -V, I see flashrom is 
> >> just reading all 1's.
> >
> > you need to open the CCD first. With the battery disconnected, from a
> > terminal attached to /dev/ttyUSB0, run:
> > ccd open
> > ccd reset factory
> > ccd
> >
> > that should show the ccd state as open, with all capabilities in
> > column 1 set to 'Y'.
> >
> > then flashrom will be able to detect / read / write the flash chip
> >
>
> I believe that I have already done all of that.  But please, check to see if 
> I know what I'm doing here:
>

LGTM

>
> > ccd
> State: Opened
> Password: none
> Flags: 0x45
> Capabilities: 5500
>   UartGscRxAPTx   Y 1=Always
>   UartGscTxAPRx   Y 1=Always
>   UartGscRxECTx   Y 1=Always
>   UartGscTxECRx   Y 1=Always
>   FlashAP Y 1=Always
>   FlashEC Y 1=Always
>   OverrideWP  Y 1=Always
>   RebootECAP  Y 1=Always
>   GscFullConsole  Y 1=Always
>   UnlockNoReboot  Y 1=Always
>   UnlockNoShortPP Y 1=Always
>   OpenNoTPMWipe   Y 1=Always
>   OpenNoLongPPY 1=Always
>   BatteryBypassPP Y 1=Always
>   UpdateNoTPMWipe Y 1=Always
>   I2C Y 1=Always
>   FlashRead   Y 1=Always
>   OpenNoDevMode   Y 1=Always
>   OpenFromUSB Y 1=Always
>   OverrideBattY 1=Always
> read_tpm_nvmem: object at 0x100a not found
> [50.223548 Console unlock allowed]
> read_tpm_nvmem: object at 0x1007 not found
> TPM:
> Capabilities are modified.
> Use 'ccd help' to print subcommands
>
> > ccd testlab
> CCD test lab mode enabled
>

I've never used testlab mode, looks like it just disables the need for
physical presence so shouldn't be an issue

>
> >
> > see above, the ccd being closed w/default capabilities set is
> > preventing the flash chip from being visible/read/written.
> >
> > I've used ccd to read/write many an AP flash, including APL/GLK Chromebooks.
> >
>
> Including a Samsung octopus board?  Samsung didn't "cut corners" on the 
> design implementation?

Not a Samsung one, but considering they are all built from the same
reference board, it's unlikely Samsung somehow broke CR50 AP access.
Then again, they did manage to screw up the HPET (among other things)
on CELES. Still, I would consider that a pretty low possibility. I
have an Asus octopus/AMPTON board here that I've flashed 100x via ccd.

>
> I'm hoping very much that the problem is something simple.  But still:
>
> $ sudo ./flashrom -p raiden_debug_spi:target=AP
> flashrom abb3b091 on Linux 5.12.14-arch1-1 (x86_64)
> flashrom is free software, get the source code at https://flashrom.org
>
> Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
> Raiden target: 2
> No EEPROM/flash device found.
> Note: flashrom can never write if the flash chip isn't found automatically.
>

that's definitely the issue, I'm just not sure offhand what else could
cause the AP flash to not be available.

>
> After running flashrom, the machine appears always to reboot.  The Cr50 
> console says:

this is expected, since the CR50 switches modes to enable flash
access. It will reboot when exiting SPI mux mode regardless of the
flash operation.

>
> [631.035522 enable_spi_pinmux: AP]
> [631.106361 usb_spi_board_disable]
> [631.668071 AP UART on]
> [631.669563 CCD state: UARTAP+TX UARTEC+TX I2C SPI USBEC+TX]
> [631.884475 deferred_tpm_rst_isr]
> [631.885501 AP on]
> [631.886077 tpm_reset_request(0, 0)]
> [631.886932 tpm_reset_now(0)]
> [631.890377 tpm_init]
> tpm_manufactured: manufactured
> [631.892402 tpm_reset_now: done]
> [632.031471 AC: R-]
>
>
> Are there any other things to try, before heating-up the soldering iron?  Is 
> there any way to cross-check what flashrom is seeing?  Is there any way for 
> Cr50 to directly access the AP boot flash memory itself and then report 
> through the Cr50 console, without involving flashrom?

I don't believe so, someone from Google would likely be able to better answer

>
> I see something called "spihash", which gives:
>
> > spihash ap
> [1396.457412 enable_spi_pinmux: AP]
> [1396.460723 spi_hash_pp_done: AP]
> >
>
> Then, there is a delay, followed spontaneously by:
>
> [1456.460903 spi_hash_disable]
> [1457.020969 AP UART on]
> [1457.022476 CCD state: UARTAP+TX UARTEC+TX I2C SPI USBEC+TX]
> [1457.237365 deferred_tpm_rst_isr]
> [1457.238426 AP on]
> [1457.239028 tpm_reset_request(0, 0)]
> [1457.239898 tpm_reset_now(0)]
> [1457.243381 tpm_init]
> tpm_manufactured: manufactured
> [1457.245449 tpm_reset_now: done]
> [1457.384220 AC: R-]
>
>
> It doesn't look like "spihash ap" is returning anything.  But then, from what 
> little I've been able to find, the hash is only suppose to perform some kind 
> of security validation.  And "spihash ec" acts about the same.

never used those functions / not familiar, but assume they are vboot related

>
> As to the "broken hardware" theory, have you ever heard of anyone attaching a 
> flash 

[coreboot] Re: coreboot on Chromebook octopus/casta/bluebird with u-boot payload - blank screen

[James Feeney]

On 7/22/21 3:53 PM, Matt DeVillier wrote:
...
>> I get "No EEPROM/flash device found".  Running with -V, I see flashrom is 
>> just reading all 1's.
> 
> you need to open the CCD first. With the battery disconnected, from a
> terminal attached to /dev/ttyUSB0, run:
> ccd open
> ccd reset factory
> ccd
> 
> that should show the ccd state as open, with all capabilities in
> column 1 set to 'Y'.
> 
> then flashrom will be able to detect / read / write the flash chip
> 

I believe that I have already done all of that.  But please, check to see if I 
know what I'm doing here:


> ccd
State: Opened
Password: none
Flags: 0x45
Capabilities: 5500
  UartGscRxAPTx   Y 1=Always
  UartGscTxAPRx   Y 1=Always
  UartGscRxECTx   Y 1=Always
  UartGscTxECRx   Y 1=Always
  FlashAP Y 1=Always
  FlashEC Y 1=Always
  OverrideWP  Y 1=Always
  RebootECAP  Y 1=Always
  GscFullConsole  Y 1=Always
  UnlockNoReboot  Y 1=Always
  UnlockNoShortPP Y 1=Always
  OpenNoTPMWipe   Y 1=Always
  OpenNoLongPPY 1=Always
  BatteryBypassPP Y 1=Always
  UpdateNoTPMWipe Y 1=Always
  I2C Y 1=Always
  FlashRead   Y 1=Always
  OpenNoDevMode   Y 1=Always
  OpenFromUSB Y 1=Always
  OverrideBattY 1=Always
read_tpm_nvmem: object at 0x100a not found
[50.223548 Console unlock allowed]
read_tpm_nvmem: object at 0x1007 not found
TPM:
Capabilities are modified.
Use 'ccd help' to print subcommands

> ccd testlab
CCD test lab mode enabled


> 
> see above, the ccd being closed w/default capabilities set is
> preventing the flash chip from being visible/read/written.
> 
> I've used ccd to read/write many an AP flash, including APL/GLK Chromebooks.
> 

Including a Samsung octopus board?  Samsung didn't "cut corners" on the design 
implementation?

I'm hoping very much that the problem is something simple.  But still:

$ sudo ./flashrom -p raiden_debug_spi:target=AP
flashrom abb3b091 on Linux 5.12.14-arch1-1 (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Raiden target: 2
No EEPROM/flash device found.
Note: flashrom can never write if the flash chip isn't found automatically.


After running flashrom, the machine appears always to reboot.  The Cr50 console 
says:

[631.035522 enable_spi_pinmux: AP]
[631.106361 usb_spi_board_disable]
[631.668071 AP UART on]
[631.669563 CCD state: UARTAP+TX UARTEC+TX I2C SPI USBEC+TX]
[631.884475 deferred_tpm_rst_isr]
[631.885501 AP on]
[631.886077 tpm_reset_request(0, 0)]
[631.886932 tpm_reset_now(0)]
[631.890377 tpm_init]
tpm_manufactured: manufactured
[631.892402 tpm_reset_now: done]
[632.031471 AC: R-]


Are there any other things to try, before heating-up the soldering iron?  Is 
there any way to cross-check what flashrom is seeing?  Is there any way for 
Cr50 to directly access the AP boot flash memory itself and then report through 
the Cr50 console, without involving flashrom?

I see something called "spihash", which gives:

> spihash ap
[1396.457412 enable_spi_pinmux: AP]
[1396.460723 spi_hash_pp_done: AP]
>

Then, there is a delay, followed spontaneously by:

[1456.460903 spi_hash_disable]
[1457.020969 AP UART on]
[1457.022476 CCD state: UARTAP+TX UARTEC+TX I2C SPI USBEC+TX]
[1457.237365 deferred_tpm_rst_isr]
[1457.238426 AP on]
[1457.239028 tpm_reset_request(0, 0)]
[1457.239898 tpm_reset_now(0)]
[1457.243381 tpm_init]
tpm_manufactured: manufactured
[1457.245449 tpm_reset_now: done]
[1457.384220 AC: R-]


It doesn't look like "spihash ap" is returning anything.  But then, from what 
little I've been able to find, the hash is only suppose to perform some kind of 
security validation.  And "spihash ec" acts about the same.

As to the "broken hardware" theory, have you ever heard of anyone attaching a 
flash programmer to a Google octopus board and successfully reading flash 
memory content *in circuit*?


Thanks
James
___
coreboot mailing list -- coreboot@coreboot.org
To unsubscribe send an email to coreboot-le...@coreboot.org

[coreboot] Re: coreboot on Chromebook octopus/casta/bluebird with u-boot payload - blank screen

[Matt DeVillier]

On Thu, Jul 22, 2021 at 3:56 PM James Feeney  wrote:
>
> On 7/3/21 8:22 AM, Matt DeVillier wrote:
>
> Thanks for that.
>
> > I don't see the command you used to flash -- what was that? You also
> > didn't clear the WP range (flashrom --wp-range 0,0) which has
> > historically been needed on small core/Atom boards, but if you didn't
> > get an error flashing/erasing then you're probably fine.
>
> >> $ flashrom -p host -l layout.txt -i BIOS  -w coreboot.rom
>
> The write-protect range was already 0,0, so I didn't bother with setting that.
>
> > display backlight means it's booted to ramstage, since that's where
> > FSP-S will init the backlight. It most likely means coreboot ran
> > successfully and the payload is the issue.
> >
> > How to debug? Get yourself a Suzy-Q cable, rebuild with the serial
> > console enabled, flash via Suzy-Q, and then monitor via the
> > /dev/ttyUSB1 serial port (CPU UART)
> >
> > see:
> > https://chromium.googlesource.com/chromiumos/platform/ec/+/cr50_stab/docs/case_closed_debugging_cr50.md
> > https://wiki.mrchromebox.tech/Unbricking#Unbricking.2FFlashing_with_a_Suzy-Q_cable
> >
>
> I finally received a SuzyQable.  There was a supply issue.
>
> And, after lots of reading at
>
> https://chromium.googlesource.com/chromiumos/platform/ec/+/cr50_stab/docs/case_closed_debugging_cr50.md
>
> and related, followed by a bit of trial and error, and then observing the AP 
> console, the boot sequence ends with
>
> ...
> CBFS: Found 'fallback/payload' @0xf2d00 size 0x3ce03
> Checking segment from ROM address 0xffc3402c
> Checking segment from ROM address 0xffc34048
> Loading segment from ROM address 0xffc3402c
>   code (compression=1)
>   New segment dstaddr 0x0111 memsize 0x8ccd4 srcaddr 0xffc34064 filesize 
> 0x3cdcb
> Loading Segment: addr: 0x0111 memsz: 0x0008ccd4 filesz: 
> 0x0003cdcb
> using LZMA
> Loading segment from ROM address 0xffc34048
>   Entry Point 0x01110015
> BS: BS_PAYLOAD_LOAD run times (exec / console): 147 / 46 ms
> CSE FWSTS1: 0x8245
> CSE FWSTS2: 0x3085
> CSE FWSTS3: 0x
> CSE FWSTS4: 0x0008
> CSE FWSTS5: 0x
> CSE FWSTS6: 0x4000
> ME: Manufacturing Mode  : NO
> ME: FPF status  : fused
> Putting xHCI port 0 into host mode.
> xHCI port 0 host switch over took 0 ms
> BS: BS_PAYLOAD_LOAD exit times (exec / console): 17 / 28 ms
> mp_park_aps done after 0 msecs.
> Jumping to boot code at 0x01110015(0x79b38000)
>
>
> And then - nothing - other than that the screen backlight comes on.
>
> So yes, as you say, seems like coreboot works, and my u-boot does not.
>
>
> > if you want to try a tested/verified prebuilt image w/Tianocore
> > payload, you can use:
> > https://mrchromebox.tech/test/fw/coreboot_tiano-bluebird-mrchromebox_20210621.rom
> > https://mrchromebox.tech/test/fw/coreboot_tiano-bluebird-mrchromebox_20210621.rom.sha1
> >
>
>
> Compiling flashrom from from both
>
> git clone https://chromium.googlesource.com/chromiumos/third_party/flashrom
> WARNERROR=no CONFIG_MEC1308=no CONFIG_ENE_LPC=no make
>
> and
>
> git clone 
> https://chromium.googlesource.com/chromiumos/platform/standalone-hdctools
> flashrom install
>
> which seem to act the same, and then running
>
> sudo ./flashrom -p raiden_debug_spi:target=AP
>
> I get "No EEPROM/flash device found".  Running with -V, I see flashrom is 
> just reading all 1's.

you need to open the CCD first. With the battery disconnected, from a
terminal attached to /dev/ttyUSB0, run:
ccd open
ccd reset factory
ccd

that should show the ccd state as open, with all capabilities in
column 1 set to 'Y'.

then flashrom will be able to detect / read / write the flash chip

>
> Hmm.  Nothing I can do until this is made to work.
>
> While waiting for the SuzyQable, I had tried reading the flash memory with 
> the TUMPA flash programmer.  No joy.  I suppose it is possible that I may 
> have burned-out something on the Chromebook board.  However, this seems 
> highly unlikely, because the AP can still boot from the flash memory, and 
> because of the apparent circuit layout.  While I do not have a schematic for 
> this Samsung Chromebook 4, listening to
>
> OSFC 2018 - Google Secure Microcontroller and CCD | Vadim Bendebury
> Oct 2, 2018
> https://www.youtube.com/watch?v=gC-lbMNmIsg
>
> and noting particularly the block diagram in slide 9, from
>
> https://2018.osfc.io/talks/google-secure-microcontroller-and-ccd-closed-case-debugging.html
> https://2018.osfc.io/uploads/talk/paper/7/gsc_copy.pdf
>
> - the "AP PROG" AND "EC PROG" labels on H1 are backwards - it very much 
> appears that both the AP and the Google H1 security chip access the AP flash 
> through a separate multiplexer chip of some kind.  As best as I can tell, 
> there is a kind of multiplexer *internal* to the H1, as seen in slide 2, 
> which connects the GPIO pins to the internal hardware protocol blocks, and 
> another *external* multiplexer that separates the AP and EC SPI buses.  Any 
> overloads, applied 

[coreboot] Re: coreboot on Chromebook octopus/casta/bluebird with u-boot payload - blank screen

[James Feeney]

On 7/3/21 8:22 AM, Matt DeVillier wrote:

Thanks for that.

> I don't see the command you used to flash -- what was that? You also
> didn't clear the WP range (flashrom --wp-range 0,0) which has
> historically been needed on small core/Atom boards, but if you didn't
> get an error flashing/erasing then you're probably fine.

>> $ flashrom -p host -l layout.txt -i BIOS  -w coreboot.rom

The write-protect range was already 0,0, so I didn't bother with setting that.

> display backlight means it's booted to ramstage, since that's where
> FSP-S will init the backlight. It most likely means coreboot ran
> successfully and the payload is the issue.
> 
> How to debug? Get yourself a Suzy-Q cable, rebuild with the serial
> console enabled, flash via Suzy-Q, and then monitor via the
> /dev/ttyUSB1 serial port (CPU UART)
>
> see:
> https://chromium.googlesource.com/chromiumos/platform/ec/+/cr50_stab/docs/case_closed_debugging_cr50.md
> https://wiki.mrchromebox.tech/Unbricking#Unbricking.2FFlashing_with_a_Suzy-Q_cable
> 

I finally received a SuzyQable.  There was a supply issue.

And, after lots of reading at

https://chromium.googlesource.com/chromiumos/platform/ec/+/cr50_stab/docs/case_closed_debugging_cr50.md

and related, followed by a bit of trial and error, and then observing the AP 
console, the boot sequence ends with

...
CBFS: Found 'fallback/payload' @0xf2d00 size 0x3ce03
Checking segment from ROM address 0xffc3402c
Checking segment from ROM address 0xffc34048
Loading segment from ROM address 0xffc3402c
  code (compression=1)
  New segment dstaddr 0x0111 memsize 0x8ccd4 srcaddr 0xffc34064 filesize 
0x3cdcb
Loading Segment: addr: 0x0111 memsz: 0x0008ccd4 filesz: 
0x0003cdcb
using LZMA
Loading segment from ROM address 0xffc34048
  Entry Point 0x01110015
BS: BS_PAYLOAD_LOAD run times (exec / console): 147 / 46 ms
CSE FWSTS1: 0x8245
CSE FWSTS2: 0x3085
CSE FWSTS3: 0x
CSE FWSTS4: 0x0008
CSE FWSTS5: 0x
CSE FWSTS6: 0x4000
ME: Manufacturing Mode  : NO
ME: FPF status  : fused
Putting xHCI port 0 into host mode.
xHCI port 0 host switch over took 0 ms
BS: BS_PAYLOAD_LOAD exit times (exec / console): 17 / 28 ms
mp_park_aps done after 0 msecs.
Jumping to boot code at 0x01110015(0x79b38000)


And then - nothing - other than that the screen backlight comes on.

So yes, as you say, seems like coreboot works, and my u-boot does not.


> if you want to try a tested/verified prebuilt image w/Tianocore
> payload, you can use:
> https://mrchromebox.tech/test/fw/coreboot_tiano-bluebird-mrchromebox_20210621.rom
> https://mrchromebox.tech/test/fw/coreboot_tiano-bluebird-mrchromebox_20210621.rom.sha1
> 


Compiling flashrom from from both

git clone https://chromium.googlesource.com/chromiumos/third_party/flashrom
WARNERROR=no CONFIG_MEC1308=no CONFIG_ENE_LPC=no make

and

git clone 
https://chromium.googlesource.com/chromiumos/platform/standalone-hdctools
flashrom install

which seem to act the same, and then running

sudo ./flashrom -p raiden_debug_spi:target=AP

I get "No EEPROM/flash device found".  Running with -V, I see flashrom is just 
reading all 1's.

Hmm.  Nothing I can do until this is made to work.

While waiting for the SuzyQable, I had tried reading the flash memory with the 
TUMPA flash programmer.  No joy.  I suppose it is possible that I may have 
burned-out something on the Chromebook board.  However, this seems highly 
unlikely, because the AP can still boot from the flash memory, and because of 
the apparent circuit layout.  While I do not have a schematic for this Samsung 
Chromebook 4, listening to

OSFC 2018 - Google Secure Microcontroller and CCD | Vadim Bendebury
Oct 2, 2018
https://www.youtube.com/watch?v=gC-lbMNmIsg

and noting particularly the block diagram in slide 9, from

https://2018.osfc.io/talks/google-secure-microcontroller-and-ccd-closed-case-debugging.html
https://2018.osfc.io/uploads/talk/paper/7/gsc_copy.pdf

- the "AP PROG" AND "EC PROG" labels on H1 are backwards - it very much appears 
that both the AP and the Google H1 security chip access the AP flash through a 
separate multiplexer chip of some kind.  As best as I can tell, there is a kind 
of multiplexer *internal* to the H1, as seen in slide 2, which connects the 
GPIO pins to the internal hardware protocol blocks, and another *external* 
multiplexer that separates the AP and EC SPI buses.  Any overloads, applied 
from attaching a flash programmer to the flash memory, would seem likely to 
have effected access to flash memory equally, by *both* the H1 and the AP.  And 
that is not the case here.  It also seems unlikely that the SPI circuitry would 
have been built without any kind of circuit protection.  But again, I have not 
seen the actual circuit schematic.  Still, it would be a very odd kind of 
circuit failure to have damaged the opposite end of only one multiplexer port.  
I also note that the operation of the Cr50, AP, and EC consoles
  seems entirely as 

[coreboot] Re: coreboot on Chromebook octopus/casta/bluebird with u-boot payload - blank screen

[Matt DeVillier]

I don't see the command you used to flash -- what was that? You also
didn't clear the WP range (flashrom --wp-range 0,0) which has
historically been needed on small core/Atom boards, but if you didn't
get an error flashing/erasing then you're probably fine.

display backlight means it's booted to ramstage, since that's where
FSP-S will init the backlight. It most likely means coreboot ran
successfully and the payload is the issue.

How to debug? Get yourself a Suzy-Q cable, rebuild with the serial
console enabled, flash via Suzy-Q, and then monitor via the
/dev/ttyUSB1 serial port (CPU UART)

see:
https://chromium.googlesource.com/chromiumos/platform/ec/+/cr50_stab/docs/case_closed_debugging_cr50.md
https://wiki.mrchromebox.tech/Unbricking#Unbricking.2FFlashing_with_a_Suzy-Q_cable

if you want to try a tested/verified prebuilt image w/Tianocore
payload, you can use:
https://mrchromebox.tech/test/fw/coreboot_tiano-bluebird-mrchromebox_20210621.rom
https://mrchromebox.tech/test/fw/coreboot_tiano-bluebird-mrchromebox_20210621.rom.sha1

On Fri, Jul 2, 2021 at 7:10 PM James Feeney  wrote:
>
> Ok, I finally flashed this coreboot.rom to the Samsung Chromebook 4, 
> octopus/casta/bluebird, after disconnecting the battery and:
>
> $ flashrom -p host --wp-status
> $ flashrom -p host --wp-disable
> $ flashrom -p host -l layout.txt -i BIOS  -w coreboot.rom
> $ flashrom -p host -r cbimage.bin
>
> with
>
> $ cat -A layout.txt
> 1000:00f7efff BIOS$
>
> where flashrom says
>
> FREG0:  Flash Descriptor region (0x   - 0x  0fff) is read-only.
> FREG5:  Device Expansion region (0x 00f7 f000 - 0x 00ff ) is locked.
>
>
> Now, pressing the power button lights the display backlight, but that is all.
>
> There is no u-boot prompt, though I have no experience with what to expect 
> here.
>
> Any suggestions, please?
>
> Thanks
> James
___
coreboot mailing list -- coreboot@coreboot.org
To unsubscribe send an email to coreboot-le...@coreboot.org