doc: Migrate old pages about laptops and EC

Old pages are: https://wiki.flashrom.org/Laptops https://wiki.flashrom.org/Laptop_enable Info from both is gathered into one doc. Change-Id: I26f5aef8d679d37fcaebfd830a04d09d818ffe0b Signed-off-by: Anastasia Klimchuk <aklm@flashrom.org> Reviewed-on: https://review.coreboot.org/c/flashrom/+/86243 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org>
2025-04-26 22:52:34 +02:00 · 2025-02-01 20:23:23 +11:00 · 2025-02-01 20:23:23 +11:00 · ed84669d9f
commit ed84669d9f
parent b9cb629956
2 changed files with 171 additions and 0 deletions
--- a/doc/contrib_howtos/index.rst
+++ b/doc/contrib_howtos/index.rst
@ -7,5 +7,7 @@ Contributors howtos
    how_to_add_new_chip
    how_to_mark_chip_tested
    how_to_add_unit_test
+    laptops_and_ec
+
    ../how_to_add_docs
    ../how_to_support_flashrom
--- a/doc/contrib_howtos/laptops_and_ec.rst
+++ b/doc/contrib_howtos/laptops_and_ec.rst
@ -0,0 +1,169 @@
+======================
+Info on laptops and EC
+======================
+
+The page contains some info about flashing the EC on the laptops without official vendor support.
+
+For the info how to flash system firmware on modern laptops with vendor support, please check
+"Flashing coreboot" document in user docs.
+
+**Note the document below was migrated from old website and the content >10yrs old**
+(exept the links to mailing list and dev guide, those are up-to-date).
+
+Why laptops are difficult
+=========================
+
+Laptops, notebooks and netbooks are difficult to support and we recommend to use the vendor flashing utility.
+The embedded controller (EC) in these machines often interacts badly with flashing,
+either by blocking all read/write access to the flash chip or by crashing
+(it may power off the machine or mess with the battery or cause system instability).
+
+ECs are particularly difficult besides blocking access and crashing:
+
+* Almost all ECs do not have public datasheets with programming information.
+
+* Even if the programming information for an EC is public,
+  the errata (often needed to use the EC for flashing) are not.
+
+* Even if you have the datasheets with programming information (under NDA or by convincing the EC vendor to release them),
+  the following problems remain:
+
+  * flashrom has to detect/probe the EC. For this, it writes a magic byte sequence to a magic port.
+    The bad news is that a laptop vendor can customize the magic sequence and the magic port and the response to that,
+    so even if you try all magic sequences mentioned in the datasheet on all magic ports mentioned in the datasheet,
+    it will either not react (because the laptop vendor came up with its own secret magic sequence/port or
+    because the laptop vendor decided to disable all detection support) or it will respond with a non-default ID
+    which is not present in any table. If you are really extremely lucky,
+    the EC will react to the probing sequence mentioned in the datasheet and respond with the ID mentioned in the datasheet.
+
+  * Most ECs support 3-5 different interfaces to the flash chip. Depending on the software running on the EC,
+    none, some or all of them can be disabled. So if you want to support a given embedded controller with reasonable reliability,
+    you have to write code for all flash interfaces (usually vastly different from each other).
+
+  * During a flash erase/read/write, flashrom competes with the EC for flash access. The EC usually executes
+    its software directly from flash (no RAM involved) and starving the EC instruction decoder may crash the EC.
+    If you erase the part of the flash chip where the EC fetches its instructions from, the EC will execute garbage
+    and crash/misbehave. When (not if, it always happens) the flash chip is in ID mode during flash probing,
+    the EC will mistake the ID data for instructions and execute them, resulting in a crash.
+
+  * You have to find a way to let the EC software run for some time without requiring flash access.
+    This can be achieved by writing a loop (not really a loop, but this is just to illustrate the point)
+    to EC-internal tiny RAM and then jumping there. Only during that time
+    you can access the flash chip reliably without side effects.
+
+  * After flashing, you have to reset the EC so that it can resume running normally.
+    This is not optional because the EC controls battery charging (among others) and you want that to work.
+
+Adding support for laptops
+==========================
+
+That said, adding support for an EC is doable. Here is a cheat sheet on what to do.
+
+* Find out which flash chip you have by physical inspection of the board
+  (or by looking at the internal docs of the manufacturer or the repair manual).
+
+* Find out the controller where the flash chip is attached to. Can be the EC (likely),
+  SuperI/O (somewhat likely), Southbridge (pretty unlikely, if it were, you wouldn't be reading this).
+  This is a job done by physical inspection of the board (or by looking at the internal docs
+  of the manufacturer which sometimes only the ODM and not even the laptop vendor has).
+
+* You can post on the flashrom mailing list (see :ref:`mailing list`) that you plan to work on your EC,
+  mention the exact EC model (and laptop model). You can ask if someone has public docs for the EC,
+  knows how to get them under NDA or has vendor contacts at the EC vendor.
+  With some luck, you might even get docs (some vendors are more friendly than others).
+
+* Get hold of a BIOS image for your laptop (flashrom dump in force mode won't work reliably here).
+  Locate the EC code in the BIOS image. The EC often is 8051 compatible or has an architecture with similar limitations.
+  The EC code will be uncompressed in flash. Download BIOS images for other laptops with the same EC
+  and try to compare the EC code. It may be 100% vanilla code directly from the EC manufacturer
+  (which makes your task rather easy) or a heavily customized variant of the original code
+  (bad, because you have to analyze it).
+
+* Cross-check the EC code with the EC docs to find out which interfaces for detecting the EC
+  and which interfaces for flashing are enabled and working.
+
+* The above two steps can be skipped if you get that information from the laptop vendor.
+
+* Make sure your flash chip is removable in case something goes wrong. If it is not removable,
+  look for an in-system-programming header on the board and check if it is supported by flashrom
+  (or your hardware programmer of choice). If there is no header and the chip is soldered,
+  desolder it and solder a socket in place.
+
+* Dump the old firmware via the programming header or via reading the chip in an external programmer
+  and store it safely (backup on a readonly medium like CD-ROM). It contains your laptop serial number,
+  your MAC address, and sometimes your Windows preactivation keys.
+
+* (optional) Disconnect the battery. You don't know how the EC behaves if it crashes
+  and batteries are expensive and prone to unwanted reactions.
+
+* Start implementing and testing EC detection code. We recommend to do this either
+  as external programmer driver init code (and have the code return 1 to make sure flashrom aborts after init)
+  or in a standalone program (this helps you keep an overview).
+
+* Start implementing flasher support for your EC. The best way to do this is an external programmer driver.
+
+* Note that you can push your patch for review even if it is still in Work In Progress state, if you want to
+  get early feedback and/or share your effort with the people on the mailing list. See :doc:`/dev_guide/development_guide`.
+
+Laptop enable
+=============
+
+Most (all?) laptop designs use an EC (embedded controller) to control the backlight,
+watch the battery status, etcetera.
+
+To access the flash chip (safely), the EC needs to be suspended/stopped.
+The code to stop the EC typically is found at the end of a BIOS binary.
+This page is about that trailing part of a binary.
+
+PhoenixBIOS specifics
+---------------------
+
+This subsection is about the disassembly of a laptop BIOS file (Compal HTW20, ENE KB910QF, SMC LPC47B227?, Phoenix TrustedCore)
+that is 1052598 bytes large, the trailer starts at 0x100000 (1024 * 1024) and is 4022 bytes in size.
+
+To extract the trailer, use dd::
+
+    dd if=<romfile> of=bios.bin bs=1024k skip=1
+
+Example of a disassembly
+^^^^^^^^^^^^^^^^^^^^^^^^
+
+The disassembler that is used is IDAPro, the freeware version.
+
+Example of how the disassembly of the trailer looks::
+
+    TRAILER:0010 09 00 00 00 00 00 00 00 00 00 00 43 6F 6D 70 61 ..........Compa
+    TRAILER:0020 6C 20 57 69 6E 50 68 6C 61 73 68 20 2D 20 46 6C l WinPhlash - Fl
+    TRAILER:0030 61 73 68 69 6E 74 2E 61 73 6D 20 76 30 2E 30 33 ashint.asm v0.03
+    TRAILER:0040 5A 46 4C 50 46 25 00 00 00 00 00 00 00 59 02 00 ZFLPF%
+
+Hints and facts
+^^^^^^^^^^^^^^^
+
+Facts:
+
+* ZFLPF is found at 0x40
+* len(ZFLPH) = 5
+
+The location of the entrypoint is stored at 0x51:
+
+(base of ZFLPF) + len(ZFLPF) + 0xc = 0x40 + 5 + 0xc = 0x51
+
+
+Let's take a look at position 0x51::
+
+    TRAILER:0051 DE 02 dw 2DEh
+
+Fact:
+
+* 0x2de + 0x1b = 0x2f9
+
+Preview of the begin of the board specific code
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+::
+
+    TRAILER:02F9  ; ---------------------------------------------------------------------------
+    TRAILER:02F9 9C pushf
+    TRAILER:02FA 60 pusha
+    TRAILER:02FB E8 C2 00 call determine_lpc_pci_id