Process description:

The general idea is taken from thaGH05T's tutorial. Dump the chip to a firmware file and process it with the 'scan-n-patch' script, which replaces the SVS area and creates a cleaned firmware file. You could flash the whole modified firmware back to the chip, but there is no need to: only the password records have to be removed, and 'flashrom' can write just that part. The 'scan-n-patch' script creates a layout file and prints the command-line arguments for partial chip flashing. This is the safer approach because you touch only a small piece of the chip content; the firmware itself and your settings remain unchanged.

Requirements:

  1. Raspberry Pi or other SPI device and a SOIC-8 clip or Easy Flash clip.
  2. If your SPI device is not a Raspberry Pi, the ability to run a Perl script is needed.
  3. Working 'flashrom' utility.
  4. scan-n-patch fileset (Google Drive link).

Scan-n-Patch script.

'scan-n-patch' is a Perl script which reads the file specified as a command-line argument. It looks for data signatures and can replace a portion of the file content with other data.

Right now it can be launched in two modes:

  • 'SCANONLY' mode. In this mode it searches for the SVS area and prints its parsed content, so you can see each password record and whether it is active or not.
  • 'SILENT' mode. In this mode the script skips printing some information. This mode is useful if you want to analyze several files.

To select the mode, set the SCANONLY and/or SILENT variables in the environment. Example:

SCANONLY=1 ./scan-n-patch.pl <file_name>

or

SCANONLY=1 SILENT=1 ./scan-n-patch.pl <file_name>

Instruction:

1. Read the chip and save its content to a file.

On a Raspberry Pi the command looks like this:

sudo flashrom -p linux_spi:dev=/dev/spidev0.0 -r <file_name>

Note: For Macronix flash you need to specify the chip. Use the '-c' option.

2. Check that the chip has been read correctly.

   You can read the chip 2-3 times and compare the results with the 'md5' tool, or you can do the check with 'flashrom' like this:

sudo flashrom -p linux_spi:dev=/dev/spidev0.0 -v <file_name>

3. Run 'scan-n-patch' with your dump file specified as the command line argument.

./scan-n-patch.pl ./<file_name>

   Note that the scanning process takes a lot of time on a Raspberry Pi, approx. 20-25 minutes, so be patient.

If your dump has a password, its hash will be printed as well as how many times it was set. Make sure that the 'RFT' variable has been defined. 'RFT' is the Record Format Type; it may have the value 1 or 2, in other cases patching will be incorrect.

To confirm patching press 'Enter'.

As a result you will get:

  • A modified firmware file named <file_name>.modified, placed in the same directory as the original dump.
  • A layout file for 'flashrom', placed in the current directory.
  • Additional command line arguments for 'flashrom'.

4. Apply the patch to the chip.

In step 3 you got additional command line arguments for 'flashrom' like this:

--layout ./flashrom.layout --image SVS -w ./<file_name>

To apply the changes to the chip you need to pass them to the 'flashrom' tool:

sudo flashrom -p linux_spi:dev=/dev/spidev0.0 --layout ./flashrom.layout --image SVS -w ./<file_name>.modified

5. Shut down the Raspberry Pi after 'flashrom' finishes, disconnect the clip and power on your Mac.
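Steps 2 and 4 both rely on checks that are easy to get wrong by eye: that repeated reads of the chip really are identical, and that the '.modified' image differs from the original dump only inside the region named in the layout file, so that a partial write with '--layout ... --image SVS' cannot silently touch anything else. The following Python script is an added example (it is not part of the scan-n-patch fileset or thaGH05T's tutorial) that performs both checks before you run the write command. It assumes the layout file uses flashrom's 'start:end name' line format with inclusive hexadecimal addresses, and the sample images and layout embedded below are constructed so the script runs offline; on a real dump pass the file names on the command line.

```python
import hashlib
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample data (not from the page): a 64-byte "chip" so the script
# runs offline. A real SPI dump is several MiB; only the size differs.
ORIGINAL = bytes(range(64))
# Constructed modified image: only bytes 0x20..0x27 are changed.
MODIFIED = ORIGINAL[:0x20] + b"\xff" * 8 + ORIGINAL[0x28:]
# Constructed layout in flashrom's "start:end name" form (end is inclusive).
LAYOUT_TEXT = """\
00000000:0000001f body
00000020:0000002f SVS
00000030:0000003f rest
"""


def dumps_agree(dumps: List[bytes]) -> Tuple[bool, List[str]]:
    """Step 2 check: hash every read of the chip; all digests must match."""
    digests = [hashlib.md5(d).hexdigest() for d in dumps]
    return len(set(digests)) == 1, digests


def parse_layout(text: str) -> Dict[str, Tuple[int, int]]:
    """Parse 'start:end name' lines (hex, optional 0x prefix) into a dict."""
    regions: Dict[str, Tuple[int, int]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(?:0x)?([0-9a-fA-F]+):(?:0x)?([0-9a-fA-F]+)\s+(\S+)$", line)
        if not m:
            raise ValueError(f"unparseable layout line: {line!r}")
        start, end, name = int(m.group(1), 16), int(m.group(2), 16), m.group(3)
        if end < start:
            raise ValueError(f"region {name} ends before it starts")
        regions[name] = (start, end)
    return regions


def changed_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Return inclusive [start, end] byte ranges where the two images differ."""
    if len(a) != len(b):
        raise ValueError("images differ in size; refuse to flash")
    ranges: List[Tuple[int, int]] = []
    start = None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i - 1))
            start = None
    if start is not None:
        ranges.append((start, len(a) - 1))
    return ranges


def patch_confined_to(original: bytes, modified: bytes,
                      layout: Dict[str, Tuple[int, int]], region: str) -> bool:
    """Step 4 check: every changed byte lies inside the named layout region."""
    lo, hi = layout[region]
    return all(lo <= s and e <= hi for s, e in changed_ranges(original, modified))


if __name__ == "__main__":
    # Usage: check.py <dump1> <dump2> ... <dump>.modified flashrom.layout SVS
    if len(sys.argv) < 5:
        print(__doc__ or "usage: check.py DUMP... MODIFIED LAYOUT REGION")
        sys.exit(2)
    *dump_paths, modified_path, layout_path, region_name = sys.argv[1:]
    dumps = [open(p, "rb").read() for p in dump_paths]
    ok, digests = dumps_agree(dumps)
    print("reads identical:", ok, digests)
    layout = parse_layout(open(layout_path).read())
    modified = open(modified_path, "rb").read()
    confined = patch_confined_to(dumps[0], modified, layout, region_name)
    print(f"changes confined to {region_name}:", confined,
          [(hex(s), hex(e)) for s, e in changed_ranges(dumps[0], modified)])
    sys.exit(0 if ok and confined else 1)
```

Run it on two or three raw reads, the '.modified' file and the generated 'flashrom.layout'; a non-zero exit means either the reads disagree (re-seat the clip and read again) or the patch touches bytes outside the SVS region, and in both cases the write should not be run.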

Comments
Fast-flow@hotmail.co.uk
0 #3 2015-11-06 20:06
Got there in the end, and just for the hell of it I edited my original fw manually, then with a clean dump from the database and then with your script, which worked a treat. Excellent stuff. Massive thanks to all you guys for the work you put in to help us out. Greatly appreciated.
token.paul
+1 #2 token.paul 2015-10-25 06:51
Quoting fast.flow:
I've been having a bash at this after dumping and editing my dumps but was not able to get the right sizes.... Then I tried with a clean ROM (just changed the serial) but it still was under the original size and I wasn't confident to mess with any other editing text.
Anyway I can't get this to run as I can't work out what directories the flashrom and scan-n-patch need to be in (unzipped and put into a folder I've named rom_scan). Any help would be appreciated, and I'm using a Rasp Pi.


You can place the script files into any directory you like, and the dump file may also be located in its own directory. If you specify the target file with its path as the command line argument then the modified firmware will be placed in the directory where the original dump is stored, but the 'flashrom.layout' file will be created in the directory where the 'scan-n-patch' script was launched. If you have problems with the script please create a topic on the forum.
Fast-flow@hotmail.co.uk
0 #1 2015-10-24 06:33
I've been having a bash at this after dumping and editing my dumps but was not able to get the right sizes.... Then I tried with a clean ROM (just changed the serial) but it still was under the original size and I wasn't confident to mess with any other editing text.
Anyway I can't get this to run as I can't work out what directories the flashrom and scan-n-patch need to be in (unzipped and put into a folder I've named rom_scan). Any help would be appreciated, and I'm using a Rasp Pi.
