1# Google Security Chip (GSC) Case Closed Debugging (CCD) 2 3Cr50 or Ti50 is the firmware that runs on the Google Security Chip (GSC), which 4has support for [Case Closed Debugging](CCD). 5 6This document explains how to setup CCD, so you can access all of the necessary 7features to develop firmware on your Chrome OS device, access 8[debug consoles][consoles], and [disable hardware write protect][hw-wp]. 9 10[TOC] 11 12## Overview 13 14GSC CCD was designed to restrict CCD access to device owners and is implemented 15through **CCD privilege levels** ([`Open`], [`Unlocked`], [`Locked`]) that can 16be used to enable access to different **[CCD capabilities][cap]**. Capability 17settings can be modified to require certain privilege levels to access each 18capability. Device owners can use these settings to customize CCD so that it is 19as open or restricted as they want. 20 21GSC CCD exposes [3 debug consoles][consoles]: AP, EC, and GSC as well as control 22over [Hardware Write Protect][hw-wp]. GSC CCD also allows 23[flashing the AP firmware] or [flashing the EC firmware]. 24 25### Capability and Privilege Levels {#cap-priv} 26 27Privilege Levels | 28---------------- | 29`Open` | 30`Unlocked` | 31`Locked` | 32 33Capability Setting | Definition 34------------------ | ---------- 35`IfOpened` | Specified capability is allowed if GSC Privilege Level is `Open`. 36`UnlessLocked` | Specified capability is allowed unless GSC Privilege Level is `Locked`. 37`Always` | Specified capability is always allowed, regardless of GSC Privilege Level. 38 39Capability Setting | Privilege Level Required 40------------------ | ---------------------------------------- 41`IfOpened` | `Open` 42`UnlessLocked` | `Open` or `Unlocked` 43`Always` | `Open`, `Unlocked`, `Locked` (any state) 44 45## CCD Capabilities {#cap} 46 47The default GSC privilege level is [`Locked`] with the following capability 48settings: 49 50Capability | Default | Function 51----------------- | ---------- | -------- 52`UartGscRxAPTx` | `Always` | AP console read access 53`UartGscTxAPRx` | `Always` | AP console write access 54`UartGscRxECTx` | `Always` | EC console read access 55`UartGscTxECRx` | `IfOpened` | EC console write access 56[`FlashAP`] | `IfOpened` | Allows flashing the AP 57[`FlashEC`] | `IfOpened` | Allows flashing the EC 58[`OverrideWP`] | `IfOpened` | Override hardware write protect 59`RebootECAP` | `IfOpened` | Allow rebooting the EC/AP from the GSC console 60`GscFullConsole` | `IfOpened` | Allow access to restricted GSC console commands 61`UnlockNoReboot` | `Always` | Allow unlocking GSC without rebooting the AP 62`UnlockNoShortPP` | `Always` | Allow unlocking GSC without physical presence 63`OpenNoTPMWipe` | `IfOpened` | Allow opening GSC without wiping the TPM 64`OpenNoLongPP` | `IfOpened` | Allow opening GSC without physical presence 65`BatteryBypassPP` | `Always` | Allow opening GSC without physical presence and developer mode if the battery is removed 66`Unused` | `Always` | Doesn't do anything 67`I2C` | `IfOpened` | Allow access to the I2C controller (used for measuring power) 68`FlashRead` | `Always` | Allow dumping a hash of the AP or EC flash 69`OpenNoDevMode` | `IfOpened` | Allow opening GSC without developer mode 70`OpenFromUSB` | `IfOpened` | Allow opening GSC from USB 71 72## Consoles {#consoles} 73 74GSC presents 3 consoles through CCD: AP, EC, and GSC, each of which show up on 75your host machine as a `/dev/ttyUSBX` device when a debug cable ([Suzy-Q] or 76[Type-C Servo v4]) is plugged in to the DUT. 77 78Console | Default access | Capability Name 79------- | ------------------------------------------- | --------------- 80GSC | always read/write, but commands are limited | `GscFullConsole` enables the full set of GSC console commands 81AP | read/write | `UartGscRxAPTx` / `UartGscTxAPRx` 82EC | read-only | `UartGscRxECTx` / `UartGscTxECRx` 83 84### Connecting to a Console 85 86When a debug cable ([Suzy-Q] or [Type-C Servo v4]) is plugged in to the DUT, the 873 consoles will show up as `/dev/ttyUSBX` devices. You can connect to them with 88your favorite terminal program (e.g., `minicom`, `screen`, etc). You can also 89use the [`usb_console`] command to connect to Cr50 (`18d1:5014`) or Ti50 90(`18d1:504a`) and specify the interface to choose between the consoles. 91 92```bash 93# Install `usb_console` 94(chroot) sudo emerge ec-devutils 95``` 96 97```bash 98# Connect to Cr50 (GSC) console 99(chroot) $ sudo usb_console -d 18d1:5014 100# Connect to Ti50 (GSC) console 101(chroot) $ sudo usb_console -d 18d1:504a 102``` 103 104```bash 105# Connect to AP console (on Cr50-based device) 106(chroot) $ sudo usb_console -d 18d1:5014 -i 1 107# Connect to AP console (on Ti50-based device) 108(chroot) $ sudo usb_console -d 18d1:504a -i 1 109``` 110 111```bash 112# Connect to EC console (on Cr50-based device) 113(chroot) $ sudo usb_console -d 18d1:5014 -i 2 114# Connect to EC console (on Ti50-based device) 115(chroot) $ sudo usb_console -d 18d1:504a -i 2 116``` 117 118#### Using "servod" to access the console 119 120[`servod`] can be used to create alternative console devices when combined with 121a [Servo]. 122 123First, make sure your [servo firmware is updated][update servo v4]. 124 125Next, start [`servod`]: 126 127```bash 128(chroot) $ sudo servod -b $BOARD 129``` 130 131Then use `dut-control` to display the console devices: 132 133```bash 134(chroot) $ dut-control gsc_uart_pty ec_uart_pty cpu_uart_pty 135``` 136 137Connect to the console devices with your favorite terminal program (e.g., 138`minicom`, `screen`, etc.). 139 140## CCD Open {#ccd-open} 141 142Some basic CCD functionality is accessible by default: read-only access to the 143EC console, read-write access to the AP console, and a few basic GSC console 144commands. Note that while GSC has read-write access to the AP console by 145default, the AP console itself is disabled for production devices. 146 147In order to access all CCD functionality or to modify capability settings, GSC 148CCD needs to be [`Open`]. 149 1501. Connect to the GSC console by connecting a [Suzy-Q] or [Type-C Servo v4] to 151 the DUT and running one of the following commands: 152 153 ```bash 154 # Connect to Cr50 (GSC) console 155 (chroot) $ sudo usb_console -d 18d1:5014 156 # Connect to Ti50 (GSC) console 157 (chroot) $ sudo usb_console -d 18d1:504a 158 ``` 159 160 *** note 161 **NOTE**: If another program is already connected to the GSC console, 162 you'll see `tx [Errno 16] Resource Busy`. For example, this will happen if 163 [`servod`] is running. 164 *** 165 1661. At the GSC console, use the `version` command to make sure you have a recent 167 enough version to use CCD. The relevant version is either `RW_A` or `RW_B`, 168 whichever has the asterisk next to it: 169 170 ``` 171 cr50 > version 172 173 Chip: g cr50 B2-C 174 Board: 0 175 RO_A: * 0.0.10/29d77172 176 RO_B: 0.0.10/c2a3f8f9 177 RW_A: * 0.3.23/cr50_v1.9308_87_mp.320-aa1dd98 <---- This is the version 178 RW_B: 0.3.18/cr50_v1.9308_87_mp.236-8052858 179 BID A: 00000000:00000000:00000000 Yes 180 BID B: 00000000:00000000:00000000 Yes 181 Build: 0.3.23/cr50_v1.9308_87_mp.320-aa1dd98 182 tpm2:v1.9308_26_0.36-d1631ea 183 cryptoc:v1.9308_26_0.2-a4a45f5 184 2019-10-14 19:18:05 @chromeos-ci-legacy-us-central2 185 ``` 186 1871. Production (`MP`) versions of Cr50 firmware use a [minor version][semver] of 188 `3`: `0.3.x`. Production firmware versions `0.3.9` or newer support CCD. 189 190 Production (`MP`) versions of Ti50 firmware use a [minor version][semver] of 191 `23`: `0.23.x`. 192 193 Development (`PrePVT`) versions of Cr50 firmware use a minor version of `4`: 194 `0.4.x`. Development firmware versions `0.4.9` or newer support CCD. 195 196 Development (`PrePVT`) versions of Ti50 firmware use a minor version of 197 `24`: `0.24.x`. 198 199 Your device likely supports CCD if it was manufactured in the last few 200 years. If you have an older version, follow the [Updating Cr50] instructions 201 before continuing. 202 2031. Put the device into [Recovery Mode] and enable [Developer Mode]. 204 205 *** note 206 **NOTE**: Developer Mode has to be enabled as described. Using GBB flags to 207 force Developer Mode will not work. 208 *** 209 210 If you can't put your device into [Developer Mode] because it doesn't boot, 211 follow the [CCD Open Without Booting the Device] instructions. 212 2131. Verify GSC knows the device is in [Developer Mode] by finding `TPM: 214 dev_mode` in the GSC console `ccd` command output: 215 216 ``` 217 (gsc) > ccd 218 ... 219 TPM: dev_mode <==== This is the important part 220 ... 221 ``` 222 2231. Start the CCD open process from the AP. 224 225 ```bash 226 (dut) $ gsctool -a -o 227 ``` 228 2291. Over the next 5 minutes you will be prompted to press the power button 230 multiple times. After the last power button press the device will reboot. 231 232 *** note 233 **WARNING**: Opening CCD causes GSC to forget that it is in 234 [Developer Mode], so when the device reboots, it will either say that 235 the OS image is invalid or it will enter a bootloop. Use the key 236 combinations to enter [Recovery Mode] and re-enable [Developer Mode]. 237 See [this bug] for details. 238 *** 239 *** note 240 **note**: Chromeboxes without a monitor turn off when the power 241 button is pressed. You can connect a monitor to the DUT keep the AP on 242 while pressing the power button for CCD open. 243 *** 244 2451. Use the `ccd` command on the GSC console to verify the state is [`Open`]: 246 247 ``` 248 (gsc) > ccd 249 250 State: Opened 251 ... 252 ``` 253 2541. **The [`Open`] state is lost if GSC reboots, the device loses power (e.g., 255 battery runs out and AC is not plugged in), or the battery is removed. Note 256 that GSC does not reboot when the system reboots; it only reboots if it is 257 updated, the devices loses power, the battery runs out, or it crashes**. If 258 you plan on [flashing the AP firmware] or [flashing the EC firmware], it is 259 recommended you modify the capability settings or set a CCD password, so you 260 can reopen the device in the case that you accidentally brick it with bad 261 firmware. The simplest way to do this is to reset to factory settings and 262 enable testlab mode: 263 264 ``` 265 (gsc) > ccd reset factory 266 ``` 267 268 ``` 269 (gsc) > ccd testlab enable 270 ``` 271 272 For full details, see the section on [CCD Open Without Booting the Device]. 273 274## Configuring CCD Capability Settings 275 276CCD capabilities allow you to configure CCD to restrict or open the device as 277much as you want. You can use the `ccd` command on the GSC console to check and 278modify the capabilities, but CCD has to be [`Open`] to change the capabilities. 279 280Setting capabilities you want to use to [`Always`] will make them accessible 281even if CCD loses the [`Open`] state, which happens when GSC reboots or the 282device loses power. 283 284Basic CCD functionality is covered by `UartGscTxECRx`, `UartGscRxECTx`, 285`UartGscTxAPRx`, `UartGscRxAPTx`, [`FlashAP`], [`FlashEC`], [`OverrideWP`], and 286`GscFullConsole`. 287 288``` 289(gsc) > ccd set $CAPABILITY $REQUIREMENT 290``` 291 292### Examples 293 294#### EC Console 295 296If the EC console needs to be read-write even when CCD is [`Locked`] set the 297capability to [`Always`]: 298 299``` 300(gsc) > ccd set UartGscTxECRx Always 301``` 302 303#### Restrict Consoles 304 305If you want to restrict capabilities more than [`Always`], you can set them to 306[`IfOpened`], which will make it so that it is only accessible when CCD is 307[`Open`]ed, not [`Lock`]ed: 308 309##### Restrict EC 310 311``` 312(gsc) > ccd set UartGscTxECRx IfOpened 313(gsc) > ccd set UartGscRxECTx IfOpened 314``` 315 316##### Restrict AP 317 318``` 319(gsc) > ccd set UartGscTxAPRx IfOpened 320(gsc) > ccd set UartGscRxAPTx IfOpened 321``` 322 323#### Most Accessible 324 325If you want things as accessible as possible and want all capabilities to be 326[`Always`], you can run 327 328``` 329(gsc) > ccd reset factory 330``` 331 332This will also permanently disable write protect. To reset write protect run 333 334``` 335(gsc) > wp follow_batt_pres atboot 336``` 337 338To reset capabilities to Default run 339 340``` 341(gsc) > ccd reset 342``` 343 344## Flashing EC {#flashec} 345 346Flashing the EC is restricted by the `FlashEC` capability. 347 348The steps to flash the EC differ based on the board being used, but the 349[`flash_ec`] script will handle this for you. 350 351```bash 352(chroot) $ sudo servod -b $BOARD 353(chroot) $ ~/trunk/src/platform/ec/util/flash_ec -i $IMAGE -b $BOARD 354``` 355 356## Flashing the AP {#flashap} 357 358*** note 359**WARNING**: Before attempting to flash the AP firmware, start with the 360[CCD Open] steps; if you flash broken firmware before opening CCD, you may make 361it impossible to restore your device to a working state. 362*** 363 364Flashing the AP is restricted by the `FlashAP` capability. 365 366```bash 367(chroot) $ sudo flashrom -p raiden_debug_spi:target=AP -w $IMAGE 368``` 369 370This default flashing command takes a very long time to complete, there are ways 371to [speed up the flashing process] by cutting some corners. 372 373If you have many CCD devices connected, you may want to use the GSC serial 374number: 375 376```bash 377# For Cr50-based device 378(chroot) $ lsusb -vd 18d1:5014 | grep iSerial 379# For Tir50-based device 380(chroot) $ lsusb -vd 18d1:504a | grep iSerial 381``` 382 383You can then add the serial number to the [`flashrom`] command: 384 385```bash 386(chroot) $ sudo flashrom -p raiden_debug_spi:target=AP,serial=$SERIAL -w $IMAGE 387``` 388 389**If you don't see GSC print any messages when you're running the [`flashrom`] 390command and you have more than one GSC device connected to your workstation, you 391probably need to use the serial number.** 392 393### Special Cases {#flashap-special-cases} 394 395GSC puts the device in reset to flash the AP. Due to hardware limitations GSC 396may not be able to disable hardware write protect while the device is in reset. 397If you want to reflash the AP RO firmware using CCD and your board has issues 398disabling hardware write protect, you may need to also disable software write 399protect. 400 401If you suspect the board you are using has this issue, you can try this: 402 4031. Disable write protect using the GSC console command: 404 405 ``` 406 (gsc) > wp disable 407 ``` 408 4092. Disable software write protect via CCD: 410 411 ```bash 412 (chroot) $ sudo futility flash --wp-disable --servo 413 ``` 414 415## Control Hardware Write Protect {#hw-wp} 416 417Control of hardware write protect is restricted by the `OverrideWP` capability. 418When the capability is allowed, the hardware write protect setting can be 419controlled with the `wp` command in the GSC console. Otherwise, the hardware 420write protect is determined based on the presence of the battery. 421 422Hardware Write Protect Setting | Battery State | Hardware Write Protect State 423------------------------------ | ------------------------------ | ---------------------------- 424`follow_batt_pres` | Connected | Enabled 425`follow_batt_pres` | Disconnected | Disabled 426`follow_batt_pres` | N/A (Chromebox has no battery) | Write Protect Screw means Enabled 427`enabled` | Any | Enabled 428`disabled` | Any | Disabled 429 430### Write Protect Commands 431 432``` 433(gsc) > wp [enable|disable|follow_batt_pres] 434``` 435 436There are two write protect settings: the current setting and the `atboot` 437setting. 438 439The `wp` command adjusts the current write protect setting that will last until 440GSC reboots or loses power. Note that GSC does not reboot when the rest of the 441system reboots. It will only reboot in the cases where the firmware is being 442updated, it crashes, the battery completely drains, the battery is removed, or 443power is otherwise lost. 444 445The `atboot` setting is the state of the write protect when GSC boots; it 446defaults to `follow_batt_pres`. 447 448To change the `atboot` setting, add the `atboot` arg to the end of the `wp` 449command: 450 451``` 452(gsc) > wp [enable|disable|follow_batt_pres] atboot 453``` 454 455You can query the write protect state with `gsctool`: 456 457```bash 458(dut) $ gsctool -a -w 459 460... 461Flash WP: forced disabled <-- Current hardware write protect state 462 at boot: forced disabled <-- "atboot" hardware write protect state 463 464``` 465 466`gsctool -a -w` Status | Hardware Write Protect State 467---------------------- | ------------------------------------ 468`forced disabled` | Disabled 469`forced enabled` | Enabled 470`enabled` | Enabled, following battery presence 471`disabled` | Disabled, following battery presence 472 473### Special Case Devices 474 475Bob devices have a write protect screw in addition to battery presence. The 476write protect screw will force enable write protect until it's removed. If GSC 477is set to `follow_batt_pres`, you need to remove the write protect screw and 478disconnect the battery to disable write protect. If you run `wp disable`, you 479will also need to remove the screw. 480 481If you are attempting to flash the AP, see the [Flashing the AP Special Cases] 482section for additional steps you may have to take to disable write protection. 483 484## UART Rescue mode 485 486### Overview 487 488UART Rescue Mode is a feature of the GSC RO firmware that supports programming 489the RW firmware using only the UART interface. This is used to recover a bad RW 490firmware update (which should be rare). 491 492This is also useful when bringing up new designs, as this allows to update GSC 493image even before USB CCD or TPM interfaces are operational. 494 495UART rescue works on all existing devices, all it requires is that GSC console 496is mapped to a `/dev/xxx` device on the workstation (the same device used to 497attach a terminal to the console). 498 499Rescue works as follows: when the RO starts, after printing the regular banner 500on the console it prints a magic string to the console and momentarily waits for 501the host to send a sync symbol, to indicate that an alternative RW will have to 502be loaded over UART. The RO also enters this mode if there is no valid RW to 503run. 504 505When rescue mode is triggered, the RO is expecting the host to transfer a single 506RW image in hex format. 507 508Follow the [brescue](./gsc_without_servod.md#gsc-rescue) procedure to perform a 509GSC rescue. 510 511## CCD Open Without Booting the Device {#ccd-open-no-boot} 512 513If you can’t boot your device, you won’t be able to enable [Developer Mode] to 514send the open command from the AP. If you have enabled CCD on the device before, 515GSC may be configured in a way that you can still open GSC. 516 517### Option 1: Remove the battery 518 519If you can remove the battery, you can bypass the [Developer Mode] requirements. 520`ccd open` is allowed from the GSC console if the Chrome OS Firmware Management 521Parameters (`FWMP`) do not disable CCD and the battery is disconnected. This is 522the most universal method and will work even if you haven’t enabled CCD before. 523 5241. Disconnect the battery 525 5261. Send `ccd open` from the GSC console. 527 528### Option 2: "OpenNoDevMode" and "OpenFromUSB" are set to Always 529 530If "OpenNoDevMode" and "OpenFromUSB" are set to Always, you will be able to open 531GSC from the GSC console without enabling [Developer Mode]: 532 533``` 534(gsc) > ccd open 535``` 536 537You will still need physical presence (i.e., press the power button) unless 538`testlab` mode is also enabled: 539 540``` 541(gsc) > ccd testlab 542 CCD test lab mode enabled 543``` 544 545#### Enabling 546 547If CCD is [`Open`], you can enable these settings with: 548 549``` 550(gsc) > ccd set OpenFromUSB Always 551(gsc) > ccd set OpenNoDevMode Always 552``` 553 554### Option 3: CCD Password is Set 555 556If the CCD password is set, you can open from the GSC console without 557[Developer Mode]. 558 559``` 560(gsc) > ccd open $PASSWORD 561(gsc) > ccd unlock $PASSWORD 562``` 563 564Alternatively, you can use `gsctool`, entering the password when prompted: 565 566``` 567(dut) $ gsctool -a -o 568(dut) $ gsctool -a -u 569``` 570 571#### Enabling 572 573When CCD is [`Open`], run the `gsctool` command and enter the password when 574prompted. 575 576```bash 577(chroot) $ gsctool -a -P 578``` 579 580You can use the CCD command on the GSC console to check if the password is set. 581 582``` 583(gsc) > ccd 584 ... 585 Password: [none|set] 586 ... 587``` 588 589#### Disabling 590 591When CCD is [`Open`], you can use `gsctool` to clear the password: 592 593```bash 594(dut) $ gsctool -a -P clear:$PASSWORD 595``` 596 597Alternatively, you can use the GSC console to clear the password and reset CCD 598capabilities to their default values: 599 600``` 601(gsc) > ccd reset 602``` 603 604## Troubleshooting 605 606### rddkeepalive 607 608GSC only enables CCD when it detects a debug accessory is connected (e.g., 609[Suzy-Q] or [Type-C Servo v4]). It detects the cable based on the voltages on 610the CC lines. If you are flashing the EC and AP or working with unstable 611hardware, these CC voltages may become unreliable for detecting a debug 612accessory. 613 614To work around this, you can force GSC to always assume that a debug cable is 615detected: 616 617``` 618(gsc) > rddkeepalive enable 619``` 620 621*** note 622**NOTE**: Enabling `rddkeepalive` does increase power consumption. 623*** 624 625To disable: 626 627``` 628(gsc) > rddkeepalive disable 629``` 630 631### Updating GSC {#updating-cr50} 632 633Production (`MP`) versions of Cr50 firmware use a [minor version][semver] of 634`3`: `0.3.x`. Production firmware versions `0.3.9` or newer support CCD. 635 636Production (`MP`) versions of Ti50 firmware use a [minor version][semver] of 637`23`: `0.23.x`. 638 639Development (`PrePVT`) versions of Cr50 firmware use a minor version of `4`: 640`0.4.x`. Development firmware versions `0.4.9` or newer support CCD. 641 642Development (`PrePVT`) versions of Ti50 firmware use a minor version of `24`: 643`0.24.x`. 644 645There aren't many differences between the MP and PrePVT versions of images, but 646it is a little easier to CCD [`Open`] PrePVT images. You can't run PrePVT images 647on MP devices, so if you're trying to update to PrePVT and it fails try using 648the MP image. 649 6501. Flash a test image newer than M66. 651 6521. Enable [Developer Mode] and connect a debug cable ([`Suzy-Q`] or [`Type-C 653 Servo v4`]). 654 6551. Check the running GSC version with `gsctool`: 656 657```bash 658(dut) $ sudo gsctool -a -f 659 660... 661RW 0.4.26 <-- The "RW" version is the one to check 662``` 663 6641. Update GSC using the firmware in the OS image: 665 666*Production (MP) image*: 667 668```bash 669(dut) $ sudo gsctool -a /opt/google/cr50/firmware/cr50.bin.prod 670(dut) $ sudo gsctool -a /opt/google/ti50/firmware/ti50.bin.prod 671``` 672 673*Development (PrePVT) image*: 674 675```bash 676(dut) $ sudo gsctool -a /opt/google/cr50/firmware/cr50.bin.prepvt 677(dut) $ sudo gsctool -a /opt/google/ti50/firmware/ti50.bin.prepvt 678``` 679 6801. Check the GSC version again to make sure it's either `0.3.X` or `0.4.X`, or 681 check the Ti50 version again to make sure it's either `0.23.X` or `0.24.X`. 682 683### Speed up Flashing the AP {#speed-up-ap-flash} 684 685In the [default AP flashing steps][flashap] [`flashrom`] reads the entire flash 686contents and only erases and programs the pages that have to be modified. 687However, when GSC controls the SPI bus, it can only run at 1.5 MHz, versus the 68850 MHz that the AP normally runs it at. 689 690We can take advantage of the fact that Chrome OS device AP firmware is split 691into sections, only a few of which are essential for maintaining the device 692identity and for booting the device in recovery mode to program faster by only 693reading and writing sections we care about: 694 695```bash 696# This will save device flash map and VPD sections in 697# /tmp/bios.essentials.bin. VPD sections contain information like device 698# firmware ID, WiFi calibration, enrollment status, etc. Use the below command 699# only if you need to preserve the DUT's identity, no need to run it in case 700# the DUT flash is not programmed at all, or you do not care about preserving 701# the device identity. 702sudo flashrom -p raiden_debug_spi:target=AP -i FMAP -i RO_VPD -i RW_VPD -r /tmp/bios.essentials.bin 703 704# This command will erase the entire flash chip in one shot, the fastest 705# possible way to erase. 706sudo flashrom -p raiden_debug_spi:target=AP -E 707 708# This command will program essential flash sections necessary for the 709# Chrome OS device to boot in recovery mode. Note that the SI_ALL section is 710# not always present in the flash image, do not include it if it is not in 711# dump_fmap output. 712sudo flashrom -p raiden_debug_spi:target=AP -w image-atlas.bin -i FMAP -i WP_RO [-i SI_ALL] --noverify 713 714# This command will restore the previously preserved VPD sections of the 715# flash, provided it was saved in the first step above. 716sudo flashrom -p raiden_debug_spi:target=AP -w /tmp/bios.essential.bin -i RO_VPD -i RW_VPD --noverify 717``` 718 719Once flash is programmed, the device can be booted in recovery mode and start 720Chrome OS from external storage, following the usual recovery procedure. Once 721Chrome OS is installed, AP flash can be updated to include the rest of the image 722by running [`flashrom`] or `futility` from the device bash prompt. 723 724[Case Closed Debugging]: ./case_closed_debugging.md 725[chromeos-cr50 ebuild]: https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/refs/heads/main/chromeos-base/chromeos-cr50/chromeos-cr50-0.0.1.ebuild 726[chromeos-ti50 ebuild]: https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/refs/heads/main/chromeos-base/chromeos-ti50/chromeos-ti50-0.0.1.ebuild 727[Developer Mode]: https://chromium.googlesource.com/chromiumos/docs/+/main/developer_mode.md#dev-mode 728[Recovery Mode]: https://chromium.googlesource.com/chromiumos/docs/+/main/debug_buttons.md 729[Servo]: https://chromium.googlesource.com/chromiumos/third_party/hdctools/+/main/docs/servo.md 730[`servod`]: https://chromium.googlesource.com/chromiumos/third_party/hdctools/+/main/docs/servo.md 731[Type-C Servo v4]: https://chromium.googlesource.com/chromiumos/third_party/hdctools/+/main/docs/servo_v4.md 732[update servo v4]: https://chromium.googlesource.com/chromiumos/third_party/hdctools/+/main/docs/servo_v4.md#updating-firmware 733[Suzy-Q]: https://chromium.googlesource.com/chromiumos/third_party/hdctools/+/main/docs/ccd.md#SuzyQ-SuzyQable 734[`hdctools`]: https://chromium.googlesource.com/chromiumos/third_party/hdctools/+/refs/heads/main/README.md 735[`FlashAP`]: #flashap 736[flashing the AP firmware]: #flashap 737[flashap]: #flashap 738[Flashing the AP Special Cases]: #flashap-special-cases 739[`FlashEC`]: #flashec 740[flashing the EC firmware]: #flashec 741[`OverrideWP`]: #hw-wp 742[`Always`]: #cap-priv 743[`IfOpened`]: #cap-priv 744[`Open`]: #cap-priv 745[`Locked`]: #cap-priv 746[`Unlocked`]: #cap-priv 747[Updating Cr50]: #updating-cr50 748[CCD Open Without Booting the Device]: #ccd-open-no-boot 749[cap]: #cap 750[consoles]: #consoles 751[hw-wp]: #hw-wp 752[`flash_ec`]: https://chromium.googlesource.com/chromiumos/platform/ec/+/main/util/flash_ec 753[CCD Open]: #ccd-open 754[`flashrom`]: https://chromium.googlesource.com/chromiumos/third_party/flashrom/+/main/README.chromiumos 755[speed up the flashing process]: #speed-up-ap-flash 756[this bug]: https://issuetracker.google.com/149420712 757[semver]: https://semver.org/ 758[`usb_console`]: https://chromium.googlesource.com/chromiumos/platform/ec/+/main/extra/usb_serial/console.py 759