Flashing KB9012 with Bus Pirate

This article is the expansion of Flashing_a_BIOS_chip_with_Bus_Pirate

Introduction

ENE KB9012 (KB9012QF) is a popular embedded controller (EC) found on many laptop motherboards. It controls essential laptop functions: internal keyboard input, fan speed (adjusted according to temperature), and so on. Unlike some other ECs, KB9012 contains an internal embedded e-flash memory of 128 KB (131072 bytes) that holds its firmware. Without working firmware installed, a laptop will refuse to boot

Until recently, computer enthusiasts who needed to replace a burned KB9012 EC (a possible result of a failure in the laptop's power circuits) had to rely on expensive proprietary hardware and software tools to install firmware on the new KB9012. However, thanks to Paul Kocialkowski, who developed the KB9012 flashrom patches, it is now possible to flash KB9012 using cheap, open / free-as-in-freedom hardware and software: CH341A / Bus Pirate + flashrom

This expansion article describes how to flash the KB9012, using as an example the Lenovo G505S, an AMD-based laptop supported by the coreboot project. Even if your laptop is different, you will still benefit from reading this article because the instructions will be quite similar in your case


Getting the right tools

This article is the expansion of Flashing_a_BIOS_chip_with_Bus_Pirate. It is recommended that you first follow and complete that previous article, so that you already have the necessary tools and skills. In addition to the tools described there, you will also need:

Keyboard-like flex cable

The KB9012 EC's firmware can be flashed through the keyboard port. While some very skilled people could solder to this port or to the EC directly, it is very difficult for ordinary people because of the small pitch. That is why you need a keyboard-like flex cable

For Lenovo G505S this cable is perfect:

[*] 10x New AWM 20624 80C 60V VW-1 FFC Ribbon, Flex Flat Cable, L= 30mm (3cm), W=30.5mm, 0.5mm Pitch, 30pin, Reverse (~$7)

The link is for 10 cables. Why get just 1-2 when you could have 10 for the price of 3? :)

Please note that for another laptop you might need a cable with a different pin count or a different pitch

Electrical insulation tape

White - to match the color of cable ;)

[*] 10m of 18mm PVC electrical wire insulation tape (~$2.12)

It could be cheaper to buy this one locally, check your local electrical stores

CH341A programmer

Bus Pirate is too slow when dealing with KB9012. For example, reading the firmware takes just 13-14 minutes with CH341A, while Bus Pirate needs 40 minutes even at SPI speed = 8 MHz. The full set of flashrom KB9012 operations could take several hours on a Bus Pirate. While this is acceptable if you need to do it only once (e.g. to flash firmware to a recently installed replacement for a burned KB9012), it is still highly recommended to get a CH341A:

[*] CH341A programmer (~$2.35)

The CH341A programmer is very cheap and has been supported by flashrom since version 0.9.9

Test hook clips

A test hook clip can be used to expose the GND from the motherboard's corner GND copper circle. This tool is optional (as you will see later in the Motherboards_GND part) but still a great tool to have

[*] 10 pcs of 5 color Test hook clips SMT TEST IC with 10 pcs dupont cable (~$2.53)

Power jack cable

This is purely optional. Although this cable could be extracted from your laptop, it is much more convenient to use a separate one:

[*] Lenovo G505S power jack cable (~$5)

Total expenses

These expenses are additional to those listed at Flashing_a_BIOS_chip_with_Bus_Pirate#Total_expenses

# | Chapter | Item (right mouse click --> open in a new browser tab) | Price
1 | Keyboard-like flex cable | 10x New AWM 20624 80C 60V VW-1 FFC Ribbon, Flex Flat Cable, L= 30mm (3cm), W=30.5mm, 0.5mm Pitch, 30pin, Reverse | $7
2 | White electrical insulation tape | 10m of 18mm PVC electrical wire insulation tape | $2.12
3 | CH341A programmer | CH341A programmer | $2.35
4 | Test hook clips | 10 pcs of 5 color Test hook clips SMT TEST IC with 10 pcs dupont cable | $2.53
5 | Power jack cable | Lenovo G505S power jack cable | $5
6 | - Total expenses | X | $19


Gathering the datasheets

Datasheets are necessary to reliably determine the pinout of the laptop's keyboard port and its relation to the KB9012 pinout, and to learn about the hardware in general. Try your best to find a datasheet for your laptop!

Lenovo G505S (LA-A091P)

The motherboard inside the Lenovo G505S was developed by Compal and manufactured by the PCB providers Palwonn and Hannstar (according to motherboard markings). Depending on the modification of your G505S laptop, your motherboard could be:

[*] LA-A091P rev.1.0 - discrete graphics is 8570M

[*] LA-A091P rev.1.A - discrete graphics is 8570M

[*] LA-A091P rev.1.A - discrete graphics is R5 M230

[*] LA-A092P rev.1.A - no discrete graphics

While a datasheet is publicly available only for LA-A091P rev.1.0, the other models have similar specifications and schematics. You can find this datasheet by searching the internet for Compal_LA-A091P_r1.0.pdf or by following one of the links below:

1) SendSpace - click blue "Download" button between "Save to my account" and "File Size: 1.85MB"

2) Datafilehost - under Download button, untick V near "Download with Secured Download manager" before clicking "Download"

3) PDF archive - scroll down the page and click "Download original PDF file (PDF1.7, 1894 KB)"

ENE KB9012 (KB9012QF A3)

There are multiple hardware revisions of KB9012QF: A1, A2, A3, A4. A datasheet is publicly available only for the A3 hardware revision, although the other revisions should be similar. You can find this datasheet by searching the internet for KB9012QF.pdf or by following one of the links below:

1) SendSpace - click blue "Download" button between "Save to my account" and "File Size: 3.65MB"

2) Datafilehost - under Download button, untick V near "Download with Secured Download manager" before clicking "Download"

3) PDF archive - scroll down the page and click "Download original PDF file (PDF1.5, 3739 KB)"

Crafting the interface

Learning the pinout

Below is an image of the keyboard-like flex cable inserted into the G505S LA-A091P motherboard:

G505s la-a091p keyboard cable 1.png

To determine the interface pinout, I had to extract the following information from datasheets:

1) KB9012 - pages 18 / 21 / 25, ENE Debug Interface (EDI) pins

2) G505S (LA-A091P) - page 36 and the top right of page 37, JKB1 keyboard port pins (view the document at 200% scale)

KB9012 pin | KSI number | JKB1 pin | Signal name | Signal description
59 | KSI4 | 5 | EDI_CS | CS, Chip Select
60 | KSI5 | 6 | EDI_CLK | CLK, Serial clock input
61 | KSI6 | 3 | EDI_DIN | MOSI = DI, Serial Data Input
62 | KSI7 | 2 | EDI_DO | MISO = DO, Serial Data Output
42 | KSO3 | 18 | TP_PLL_Lock | Enable EDI: GND, Ground

Here is an updated image which shows the interface pinout:

G505s la-a091p keyboard cable 2.png

Flashing keyboard cable

Now that we know the pinout, we need to solder five 1P cables to the keyboard-like flex cable. The pitch is 0.5mm, but there is an excellent workaround that makes soldering the wires very easy! Look at this picture:

G505s la-a091p keyboard cable 3.png

Using high-quality stainless steel scissors, cut 15 mm (1.5 cm) along these thin vertical lines surrounding the five pins we need. Cut slowly, right in the middle between the pins, and watch carefully where you are cutting! Do not hurry!

Now each needed pin can be temporarily moved away from its neighbours, which makes the soldering very easy. Just get five one-sided 1P copper wires (each shorter than 10cm) and then follow the instructions from the article linked below:

[*] Wire_soldering (right mouse click --> open in a new browser tab)

After you have finished soldering, put some insulation tape on the cable to isolate the unneeded pins and make the cable stronger (its structure became weaker after the cutting)

If you have done everything correctly, you should get this:

G505s la-a091p keyboard cable 4.png

NOTE: Instead of soldering the wires to the keyboard-like flex cable, you could attach the test hook clips, but this setup is physically less reliable. Also, the bottom parts of the test hook clips' ends (attached to the keyboard-like flex cable) are metal: put some electrical insulation tape on them to prevent them from touching the motherboard while flashing

1P to 3P adapter

For successful flashing we will need to unite three grounds:

[*] GND of laptop's motherboard

[*] GND of CH341A / Bus Pirate

[*] GND of ENE KB9012

That can be done using the 1P to 3P adapter. For how to make it, read the previous article:

[*] Flashing_a_BIOS_chip_with_Bus_Pirate#1P_to_3P_adapter

You could re-use the 3P adapter (created earlier for BIOS flashing), but it is much more convenient to have two of them. Actually, you could make just a 1P to 2P adapter, because we need to unite three grounds, not four. However, it is better to make a 1P to 3P adapter for compatibility purposes. Just make sure that the extra pin does not touch your board while flashing, to avoid a short circuit, or insulate it temporarily for peace of mind

G505s la-a091p keyboard cable 1P-3P.png

NOTE: Instead of soldering this adapter you could do the following:

1) take two of 20cm copper 1P wires

2) cut them in half to get four of 10cm one-sided 1P wires

3) remove the insulation from their not-covered-by-plastic ends

4) twist these ends and tie them together in a knot

5) wrap the electrical insulation tape around this knot

but this setup is physically less reliable

Motherboards GND

In order to unite the three grounds, we need to expose the motherboard's GND, which is located at the big "copper rings" where the screws are installed when the laptop is assembled. As you can see in one of the images above, I found a great "copper ring" with a large distance between it and the board's SMD elements, then soldered a 1P wire to it

Although you could do the same, this is not suitable if you don't want to solder anything to your board. Luckily, you can attach to a corner GND "copper ring" without any soldering! Here are three ways to do it:

Just a wire

1) Get a 10 cm one-sided 1P copper wire and remove part of the insulation at its end (using the lighter trick from the Wire_soldering article)

Motherboards gnd cable 1.png

2) Pass it through a corner GND "copper ring" and twist it as in this image:

Motherboards gnd cable 2.png

If you twist it carefully (don't over-twist), this wire can be reused many times

NOTE: This way is less safe because the 12 strands at the wire's end are not insulated. Make sure that they do not touch anything on the board while flashing, to avoid a short circuit!

Insulated wire

1) Cut ~12 cm from a 20cm copper 1P wire

2) Remove 4-5 cm of its insulation (using the lighter trick from the Wire_soldering article)

3) Slightly twist the end of the wire and tie it in a small knot (less than 1mm diameter)

4) Insulate the knot, as well as the end of the wire's insulation, using pieces of 1mm diameter shrinking tube, leaving about 2cm uninsulated

5) Insulate the plastic part of the wire (because its "window" has a metal part, and also to make the wire stronger)

After following these instructions you should get something like this:

Motherboards gnd cable 3.png

Pass this wire through a corner GND "copper ring" and twist it as in this image:

Motherboards gnd cable 4.png

If you twist it carefully (don't over-twist), this wire can be reused many times

Test hook clip

This is a test hook clip:

Motherboards gnd cable 5.png

It is very easy to attach it to the motherboard's corner GND "copper ring":

Motherboards gnd cable 6.png


Connecting and flashing

Connecting

Connect the flashing keyboard adapter to the programmer of your choice, using the pinout obtained earlier, here sorted by JKB1 pin number:

KB9012 pin | KSI number | JKB1 pin | Signal name | Signal description
62 | KSI7 | 2 | EDI_DO | MISO = DO, Serial Data Output
61 | KSI6 | 3 | EDI_DIN | MOSI = DI, Serial Data Input
59 | KSI4 | 5 | EDI_CS | CS, Chip Select
60 | KSI5 | 6 | EDI_CLK | CLK, Serial clock input
42 | KSO3 | 18 | TP_PLL_Lock | Enable EDI: GND, Ground

CH341A

CH341A with the 1P wires from the keyboard-like flex cable connected:

CH341A KB9012 connection 1.png

In some cases I need to place the CH341A on top of the motherboard, so I insulated the bottom of the CH341A. Here is a ready-to-be-used CH341A with the keyboard-like flex cable connected:

CH341A KB9012 connection 2.png

Bus Pirate

Because the pinout table is printed on the other side of the Bus Pirate, the order of the table columns is different from what you see when looking from the front side. This is very inconvenient... Here is a Bus Pirate v4 front pinout with the column order already corrected:

BPv4 front pinout.png

NOTE: For Bus Pirate v3 there are different pinouts depending on its hardware revision, so it is more reliable to check the pinout yourself

MISO = DO
MOSI = DI


Ready-to-be-used Bus Pirate v4 with the keyboard-like flex cable connected:

BPv4 KB9012 connection.png

Flashing setup

Plug the keyboard-like flex cable into the motherboard's keyboard port:

G505s la-a091p keyboard cable 5.png

Connect the 1P cable from the motherboard's ground to the programmer's and KB9012QF's grounds using the 1P to 2P/3P adapter made earlier. The grounds need to be united for successful flashing!

KB9012 flashing setup 1.png

After you have united the three grounds, connect a power adapter to the motherboard through the power jack cable (which could be extracted from your laptop, or bought separately for convenience). But before doing that, make sure there are no stray metal objects (scissors, screws, screwdriver bits, etc.) touching your bare motherboard

Possible flashing setup connections:

KB9012 flashing setup 2.png

Now that everything is ready, you can start flashing!

Flashing

You need a working PC with Linux to get and install flashrom, using the instructions from here: http://www.flashrom.org/Downloads#Installation_from_source (or just boot from a LiveCD, but it "installs" temporarily to your RAM, so you will need to get it again each time)

After getting flashrom, and before running the "make" command, you need to apply three KB9012 flashrom patches created by Paul Kocialkowski (click on Download | patch):

[*] http://patchwork.coreboot.org/patch/4412/

[*] http://patchwork.coreboot.org/patch/4413/

[*] http://patchwork.coreboot.org/patch/4414/

Put all these patch files into the flashrom directory and apply them with the following commands:

patch < v3-1-2-Add-support-for-selecting-the-erased-bit-value-with-a-flag.patch 
patch < v3-2-2-ENE-Embedded-Debug-Interface-EDI-and-ENE-KB9012-EC-internal-flash-support.patch 
patch < 1-1-Add-support-for-reading-the-current-flash-contents-from-a-file.patch 


After patching and building, you can perform any of the operations listed below, among others:

1) show the flashrom help

sudo ./flashrom --help


2) erase KB9012's embedded flash

sudo ./flashrom -p buspirate_spi:dev=/dev/ttyACM0,spispeed=1M -c "KB9012 (EDI)" -E -V


3) read from KB9012's embedded flash

sudo ./flashrom -p buspirate_spi:dev=/dev/ttyACM0,spispeed=1M -c "KB9012 (EDI)" -r dump.bin -V


4) write to KB9012's embedded flash

sudo ./flashrom -p buspirate_spi:dev=/dev/ttyACM0,spispeed=1M -c "KB9012 (EDI)" -w 4flash.bin -V


5) verify KB9012's embedded flash against the file

sudo ./flashrom -p buspirate_spi:dev=/dev/ttyACM0,spispeed=1M -c "KB9012 (EDI)" -v 4check.bin -V


NOTE: there are similar commands for other programmers, e.g. for ch341a:

sudo ./flashrom -p ch341a_spi ...
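
The erase and write operations above destroy the current e-flash contents, so the dump from the read operation is the only copy of the original firmware. The script below is an added example (not part of the original article or of flashrom) that checks two consecutive reads before anything is erased or written; the function name check_ec_dump and the file names dump1.bin / dump2.bin are assumptions.

```shell
#!/usr/bin/env bash
# Added example: sanity-check two consecutive reads of the KB9012 e-flash
# before running any erase (-E) or write (-w) operation.
# Usage (file names are assumptions): run the page's "-r" command twice, into
# dump1.bin and dump2.bin, then:  ./check_ec_dump.sh dump1.bin dump2.bin

EC_FLASH_SIZE=131072   # 128 KB e-flash size stated in the introduction

# check_ec_dump FIRST SECOND
# Prints the SHA-256 of the dump and returns 0 if it is usable as a backup.
# Returns 2 (unreadable), 3 (wrong size), 4 (reads differ), 5 (uniform data).
check_ec_dump() {
    ec_a=$1; ec_b=$2
    [ -r "$ec_a" ] && [ -r "$ec_b" ] || { echo "cannot read dump files" >&2; return 2; }

    # 1. A complete dump is exactly the size of the e-flash.
    ec_size=$(wc -c < "$ec_a" | tr -d ' ')
    [ "$ec_size" -eq "$EC_FLASH_SIZE" ] || { echo "size is $ec_size, expected $EC_FLASH_SIZE" >&2; return 3; }

    # 2. Two reads of unchanged flash must match byte for byte; a mismatch
    #    points at unreliable wiring or grounds that are not united.
    cmp -s "$ec_a" "$ec_b" || { echo "the two reads differ" >&2; return 4; }

    # 3. A dump made of one repeated byte value (e.g. all 0xFF or all 0x00)
    #    is not firmware: the flash is blank or the data line is stuck.
    ec_distinct=$(od -An -v -tx1 "$ec_a" | tr -s ' ' '\n' | sort -u | grep -c .)
    [ "$ec_distinct" -gt 1 ] || { echo "dump is a single repeated byte" >&2; return 5; }

    # Keep this hash next to the backup so later corruption is detectable.
    sha256sum "$ec_a" | cut -d' ' -f1
}

# Run the check when the script is called with two dump files.
if [ "$#" -eq 2 ]; then
    check_ec_dump "$1" "$2"
fi
```

A non-zero exit status means the dump should not be trusted as a backup; re-check the wiring and the united grounds, then read again.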


After successful flashing, carefully disconnect the flashing interface from the board. If you have flashed a working KB9012 firmware, the BIOS image is good, and there are no other problems with the laptop's board, it will be able to boot. Congratulations!

