G74SX in-circuit reprogram of BIOS SPI

Discussion in 'ASUS Gaming Notebook Forum' started by Sir Robin, Apr 11, 2012.

  1. Sir Robin

    Sir Robin Notebook Geek

    Likes Received:
    Trophy Points:
    Greetings Everyone!

    I originally posted this in the "G74SX 202 BIOS Now Available" thread,
    but did not see any responses. It's an older thread, so maybe a separate
    thread makes more sense. Hope you don't mind the re-posting :)

    Well, you can count me among the (dare I say) thousands of poor fools,
    that attempted to update their BIOS, using the EasyFlash Utility,
    and used that nifty feature of pulling the file directly from a NTFS
    drive partition. I wish I had checked the forums, before I attempted
    to do the update. I guess it was too much to expect Asus to support
    any kind of recovery mechanism, or make sure their update utilities actually
    worked correctly. You gotta love a company that leaves landmines in their
    code, and no way to repair the damage, short of doing a RMA. What the
    heck were they thinking? At least bundle the update files, with a Readme,
    warning not to use the error prone features of the tool.

    Okay, enough venting (at least for now) :)

    So it turns out that in-circuit reprogramming of the SPI Flash is
    fairly easy, if you have the right tools. I dumped the contents of
    the bricked BIOS, and discovered that the Easyflash tool uses an
    incorrect buffer pointer (at least when doing NTFS based updates).
    Rather than the new BIOS code, the tool wrote the contents of my
    hard drive directory tree into the flash. Nice, huh? Needless to say,
    the G74SX would do nothing, after the update (no sign of power, no
    lights, dead to the world). Side note, I was updating from 201 to 203,
    on a G74SX, purchased in the last few months.

    I tried downloading the 201, 202 and 203 BIOS files into the flash. The
    good news is that the lights started coming on. The bad news is that is
    as far as the unit gets. Holding the power button does not cause the
    power to cycle back off, so the EC is probably in a bad state. Based on
    the size of the files, and the fact that the first 512Meg is all 0xFF's,
    I suspect the update files are either incomplete (they rely on some code
    that stays resident in the flash, during update), or the file format is
    not a raw binary image.

    Does anyone, out there, know what format are the BIOS update files? Do
    they need to be parsed?

    Alternately, I was wondering if anyone has a raw image copy of their
    SPI flash available, that they could send me (PM)? It should be about
    4M in size. I believe the Linux tool "flashrom" should be able to extract
    the SPI flash image. It is available as part of the following RecoveryCD:

    Live CD - flashrom

    Would anyone be willing to boot the CD, and take a snapshot, from their G74SX?
    In return, I will gladly put together a tutorial on how to reprogram the BIOS flash.
    It would be great if enough people made snapshots, so we
    could get all 4 variants archived (V201, V202, V203, V203 + Throttle Mods).

    Thanks to everyone who participates in this forum, and for all of your
    time, expertise and efforts!

    Brave, Brave Sir Robin :)
    @tilla likes this.
  2. svl7

    svl7 T|I

    Likes Received:
    Trophy Points:
    It's a binary file.

    Bad idea, chances are you overwrite your serial nr / service tag when flashing a dump of a complete bios chip of another system.
  3. evgasr2

    evgasr2 Notebook Deity

    Likes Received:
    Trophy Points:
    Hey I have Asus G73Jh's full bios backuped by spi programmer.
    I know it wont help, but one of my friends has an asus g74 , il ask him to make a backup of his bios, can you tell me how to do that with live cd .
    thank you
  4. Sir Robin

    Sir Robin Notebook Geek

    Likes Received:
    Trophy Points:
    Thanks for confirming the format, svl7 :)
    Do you know if there the file needs to be
    offset in the flash (start programming at an
    address other than 0x00000000)?

    If those fields were stored in the SPI flash, they are long gone. Easyflash
    erased and replaced them with garbage. They must erase the entire device,
    and then attempt to rewrite the data, they want to save. Not good, if you've
    got the wrong buffer pointer, in your code :) If they truly are storing the serial
    number/service tag, in there somewhere. I can always edit the image to include the
    correct number(s). I just want to get my G74SX running again. I know others are in
    the same boat. If we can figure out how to fix the issue, in the field, it will be very
    helpful, for those who are out of warranty service. Asus should really issue a generic
    image file (complete image), for those people who need to go to a repair shop, or
    need to order a replacement chip. After all, this is 100% Asus's fault. They should
    never have let this problem occur in the first place. The least they can do, is provide
    the files necessary to fix the problem.

    Thanks evgasr2, if your friend is up for it, it would be a great help! :)

    Here are the instructions. I just verified them on a H67 based Shuttle SFF:

    1. Make sure your bios is setup to boot from CD/DVD as the first boot device
    2. Plug in a USB Flash drive (for storing the image)
    3. Insert the recover CD, and boot the system
    4. Select "boot directly to graphical interface"
    5. Once Gentoo has finished loading, you should see a console window
    6. In the console window, enter the following (assumes only one USB drive installed)
    "mkdir /mnt/flash"
    "mount /dev/sdf1 /mnt/flash"
    "cd /mnt/flash"
    "flashrom -r bios_image.bin -p internal" (flashrom should write the file to your usb drive)
    "flashrom -v bios_image.bin -p internal" (flashrom will verify the SPI contents to the file)
    "cd /"
    "umount /mnt/flash"
    7. Once you are finished, you can use the shutdown button, on the lower right
    side of the GUI, or type "shutdown now" on the console.
    8. The file will be on the top level of your USB drive.
    9. Then just remove the CD, boot to your normal OS, zip the file, and send it off :)

    One note, according to the users manual, for flashrom, it may complain if it
    detects that you are running on a laptop. Unfortunately, I do not have any way
    to confirm if it will run successfully on the G74SX. Since we are only reading the
    SPI, it should be fine. Reads between different masters, on the SPI bus, should be
    properly semaphored (EC vs processor code etc). If this is the case, we should be
    able to use the "−p internal:laptop=this_is_not_a_laptop" override.

    Thanks to anyone who is willing to give it a shot!

    Sir Robin
  5. svl7

    svl7 T|I

    Likes Received:
    Trophy Points:
    I'm not concerned about your serial... The issue is that you have a valid serial of someone else afterwards.
  6. evgasr2

    evgasr2 Notebook Deity

    Likes Received:
    Trophy Points:
    cant it be changed?
  7. Sir Robin

    Sir Robin Notebook Geek

    Likes Received:
    Trophy Points:
    I understand and share your concern. That was why I suggested PM rather
    than posting the image. Just on the outside chance, that they are doing
    something like that. My intention was to compare images, from at least
    two units, and see if any unique fields are present (outside of the BIOS
    variable storage areas). If present, I was going to try to decode the fields,
    and either null out the value, or reenter my original SN. Honestly, I am
    not convinced that Asus actually puts a unique serial number/service
    tag in each BIOS Flash. That has not been their practice, with other
    EFI based boards, with which I have experience,and they tend to avoid
    complication/cost. Adding a unique serial number, to each device manufactured,
    is a costly step, for a high volume OEM. It means either a serializing programmer,
    or a programming step, during integration testing. I did not notice any mention
    of a unique serial number, in the BIOS setup, or anywhere in their windows tools.
    It is possible that I overlooked it, however. I never went digging to find one.
    Other vendors (Toshiba, for instance), appear to provide a complete image file,
    suggesting that they do not rely on any pre-stored values in the flash (same basic design).
    It is possible that Asus chose to pre-program part of the flash, simply to avoid
    possible contention issues with the EC/ME, which are known problems, if not
    handled properly. It may have nothing to do with a unique serial number. I see from your
    other posts, that you have a great deal of experience, in this area. Can you confirm
    that Asus is indeed placing unique serial numbers/service tags, in the G74SX bios SPI?
    If so, can you provide an offset location and/or the storage format?

    Depends on the storage format. If it is encrypted, probably not, however, there may
    not be any checks to see if the field contains valid data, so nulling it out may be okay.
    If it is not encrypted, it should be something we can change. Changes should not mess
    up the BIOS checksum, since that section of code is a unique entity.

    Sir Robin
  8. Sir Robin

    Sir Robin Notebook Geek

    Likes Received:
    Trophy Points:
    Good news! :)

    I have figured out how to bring a G74SX back to life, after a failed
    BIOS update attempt. I will put together a guide, but in the mean time,
    for those who are in need, here are the basic steps:

    1. Gain access to the SPI ROM
    2. Using a SPI ISP programming adapter, or device programmer, read and store
    the bricked BIOS image (4MB, Winbond W25Q32)
    3. Download, from Asus, the BIOS update file, for the version that you were
    originally running, before the failed update attempt (V201 is on the driver
    CD, V202, V203 are on the download site).
    4. Using a hex editor, merge the two images as follows:
    Reconstructed_Image 0x0 - 0x17FFFF = Bricked_Image 0x0 - 0x17FFFF
    Reconstructed_Image 0x180000 - 0x3FFFFF = Update_Image 0x0 - 0x27FFFF
    5. Program the Reconstructed_Image into your SPI Flash
    6. Power-up or power cycle the laptop (your G74SX should be alive again)
    7. Enter BIOS setup, by pressing F2
    8. Select "Restore Defaults"
    9. Save and exit

    If you plan on reattempting the original BIOS update, be sure to follow this guide (using the
    Easy Flash method). Also be sure that Easy Flash correctly reports the image as being for the
    G74SX. If it fails to do so, abort the update (wrong buffer pointer problem):


    Some useful notes:

    1. I was wrong. Easy Flash does not erase the entire flash, during an update.
    It only replaces 0x180000 - 0x3FFFFF. The data in 0x0 - 0x17FFFF is essential to
    allow the system to boot properly. I was originally fooled by an incorrect assumption,
    I made early on, about where the update file was being placed.

    2. I have confirmed that Flashrom is not able to read the SPI flash on a G74SX,
    even with the override. The SPI accesses are terminated, with an error. I believe there
    is a way around this, but in it's current form, it is not a viable path to making a copy of
    your G74SX SPI flash. For non-laptop motherboards, it works quite well. For anyone who
    plans to play around with their BIOS, I suggest making an archival snapshot.

    3. 0x0 - 17FFFF is a locked region, on a working system (reserved for the ME, descriptors and some
    other stuff).

    4. During boot, the SPI flash occupies 0xFFC00000 - 0xFFFFFFFF of the processor address space.
    It is also aliased to other areas.

    Good luck, and let me know if this works for you,

    Sir Robin
  9. hackness

    hackness Notebook Deity

    Likes Received:
    Trophy Points:
    Does it mean you will be doing some soldering work as well?
  10. Sir Robin

    Sir Robin Notebook Geek

    Likes Received:
    Trophy Points:

    Soldering is certainly an option, for those who have already disassembled
    their unit, but may not be the best way to go, depending on your situation.
    For those who are willing to make a small "adjustment" to their
    internal shell wall, no soldering/dis-assembly is necessary, or recommended.
    The SPI flash is located on the bottom of the motherboard, just offset from
    one of the lower-cover retention tab holes. With care, an approx 3/4"x1/2"
    hole can be added to the plastic, without seriously impacting the structural
    strength of the panel (warning, the plastic cover is impregnated with metal,
    to act as an RF shield. You need to be very careful to avoid loosing shards
    into the circuitry). For this job, I used some patience, an Xacto knife,
    and a cardboard "debris catcher". Others might consider a soldering iron.
    It's hard on the tip, and the fumes are toxic, but with a little practice,
    you can cut a nice hole, without dropping any debris. To ISP read/program
    the flash, I used a Pomona SOIC-8 chip clip, tied to a Total Phase Aardvark.
    Total Phase includes a flash programming utility, for the Aardvark.
    The Aardvark is an overkill, for this application, and expensive. For
    those looking to setup their own ISP fixture, I would recommend
    a Bus Pirate, or one of the other inexpensive solutions based on USB-Serial
    controllers (FTDI, SI Labs, etc). There are also many inexpensive
    chip programmers available (Ebay). For those, just create a DIP-8 to
    Pomona clip adapter cable. Adapters using pogo-pins, also work well,
    but you need to hold them steady, while you're working with the device.
    I noticed that Flashrom supports the Bus Pirate. For those, with a Linux
    computer handy, it may be a good option (or use the Rescue CD).

    For those attempting this, be sure to only attach to the signal pins.
    Let the laptop provide the power. With the battery removed, the G74SX
    will apply 3.3V to the flash, whenever the AC brick is plugged in. As long
    as the system is not told to boot (button press) or is fully bricked, the
    chipset will not attempt to drive the SPI signals. I hooked a meter to the
    clip power/ground pins, so I could tell if the clip was attached properly.
    Avoid manipulating the clip, with the power on :)

    Good luck,

    Sir Robin

Share This Page