flashrom tutorial

posted on 2016-01-02 16:24:55

To dump the contents of a NOR flash chip directly via the serial peripheral interface bus (SPI), a tool called flashrom will help.


If you read this and want to do what is described, you don't need a disclaimer to know you can kill your hardware through electrostatic discharge or whatever. Otherwise you should not be doing this anyway, unless you can afford grilling things and/or insist on learning things. This is likely the only disclaimer on this site for quite some time.


Why would you want to do that at all?

Flashing new content onto a flash chip usually takes place after the chip's contents (containing either the operating system or at least the bootloader or some part of it) were loaded into RAM. With that OS running, the flash content gets exchanged with a new image. So if the image is faulty, or the flashing process gets interrupted through power loss, you won't have a bootable system anymore. A simple live disk or bootable USB stick won't help much if the USB bus (or whatever other device holds the bootable operating system image) can't even be found.

In other words, your computer (or if you do stuff with your smartphone, your device) is bricked.

Basically, it becomes a very expensive paper weight.

If you however use the SPI bus directly for ISP (in-system programming/in-situ programming), you do not have to worry about breaking things through faulty images as long as you already have a working one. This enables you to test things without having to fear you will render your hardware unusable, which leaves room for trying out things that were impossible before.

Like fiddling directly with proprietary software which wants to prohibit you from booting a proper operating system on hardware of your choice. I don't know when this hobby project will be finished, but I sure learned a lot about electronics within the last half year.

needed tools

  • raspberry pi (revision does not matter, but just get a B 2 in case you don't have one yet.)
  • sd flash card (this is where you will dd your OS image onto)
  • soic clip (google that, in case you want to work on NOR flash chip, so you don't have to solder wires onto the chip directly which is ugly)
  • female-to-female jumper cables (six ones minimum for working with SPI, maybe more)

In my case a debian installation was put onto an SD card of a raspberry pi (which is ARM based, as one might know), only to find out that the existing flashrom package exists for intel architecture based processors only.


compile and install

Ok, so let's install a proper environment and build stuff by hand then, as root user:

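# install the build dependencies
apt install build-essential
apt install libusb-dev
apt install pciutils-dev
apt install bzip2

# unpack the source tarball (flashrom-0.9.8.tar.bz2 has to be in the current directory already)
tar xjvf flashrom-0.9.8.tar.bz2
cd flashrom-0.9.8

# build with four parallel jobs, then install
make -j4
make install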


Google the chip you want to work on, and look for a description of its pins. (Chances are you already did this, which told you that you could use the SPI bus at all.) Put the SOIC clip on the chip.

Google a raspberry pinout table, and connect the SPI pins (MISO, MOSI, CE0, CLOCK, GND, 3.3V) accordingly.

Use short cables; long ones may cause connection problems.

usage example

All the following was done without a power supply being connected to the board, as the chip got the power from the raspberry's 3.3V Vcc pin.

As I had no prior knowledge on how to use flashrom ('i dont even know what im doing here'[TM]), this is what I tried:

# go to $HOME and create a temp folder
cd "$HOME"
mkdir flashromming
cd flashromming

# show help
flashrom -h

# try directly

# try using the programmer which might work
flashrom --programmer linux_spi

# search for spi device
ls -alh /dev/spidev0.*

# use appropriate programmer, which then found my chip
flashrom --programmer linux_spi:dev=/dev/spidev0.0

# look up help to find out how to dump the flash content into a file
flashrom -h

# actual dumping (-r = READ flash content into file)
flashrom --programmer linux_spi:dev=/dev/spidev0.0 -r nas-flash-original.bin

# always work on copies, not originals!!!
cp nas-flash-original.bin nas-flash-copy.bin

# have a look at the dump's contents
dd if=nas-flash-copy.bin | hexdump -vC | less

For starters, this worked. There is more:

# flash new content onto chip (-w = WRITE file to chip)
flashrom --programmer linux_spi:dev=/dev/spidev0.0 -w newimage.bin

# erase chip contents (-E)
flashrom --programmer linux_spi:dev=/dev/spidev0.0 -E

# verify chip contents against file (-v)
# this is only needed when in doubt which file got flashed, verifying is done automatically after each flashing procedure
flashrom --programmer linux_spi:dev=/dev/spidev0.0 -v newimage.bin
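
Once -w or -E has run, the dump is the only way back, so it is worth reading the chip twice and comparing the results first; a loose clip or cables that are too long can show up as differing reads or as an image that is all 0xFF or 0x00. The following is an added example, not part of the original post; the file names (read1.bin, read2.bin, check_dumps.sh) and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check two independent
# reads of the same chip before anything gets written or erased.
# Assumed workflow (file names are placeholders):
#   flashrom --programmer linux_spi:dev=/dev/spidev0.0 -r read1.bin
#   flashrom --programmer linux_spi:dev=/dev/spidev0.0 -r read2.bin
#   sh check_dumps.sh read1.bin read2.bin

# is_blank FILE: succeeds if FILE is empty or holds only 0xFF or only 0x00
# bytes, i.e. an erased chip or a data line that never toggled.
is_blank() {
    non_ff=$(LC_ALL=C tr -d '\377' < "$1" | wc -c | tr -d ' ')
    non_00=$(LC_ALL=C tr -d '\000' < "$1" | wc -c | tr -d ' ')
    [ "$non_ff" -eq 0 ] || [ "$non_00" -eq 0 ]
}

# check_dumps FIRST SECOND
#   0 = both reads identical and not blank
#   1 = reads differ (unstable connection, do not trust either file)
#   2 = first read is blank
#   3 = a file is missing
check_dumps() {
    [ -f "$1" ] && [ -f "$2" ] || return 3
    if is_blank "$1"; then return 2; fi
    cmp -s "$1" "$2" || return 1
    return 0
}

# Only runs when called with two dump files as arguments.
if [ "$#" -eq 2 ]; then
    rc=0
    check_dumps "$1" "$2" || rc=$?
    case "$rc" in
        0) echo "OK: reads match"; sha256sum "$1" ;;
        1) echo "FAIL: reads differ, reseat the clip and shorten the cables" ;;
        2) echo "FAIL: dump is blank (all 0xFF or 0x00)" ;;
        3) echo "FAIL: missing file" ;;
    esac
    exit "$rc"
fi
```

Keep the printed SHA-256 next to the original dump so a later copy can be checked against it.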


The motherboard which was used also had a serial interface (UART/RS232) which I used to have a look at the boot process and for console access. When the SOIC clip was connected to the chip, it just would not boot.


Unless otherwise credited all material Creative Commons License by sjas