Unfortunately, there's a bug, and it seems that it's in the BP firmware.
The first byte of large transfers is sometimes 0xff instead of the actual value. So far, I could narrow it down with some observations:
- It's always the first byte of a transfer. Other bytes aren't shifted one byte to the right or otherwise invalid, they are just fine
- Block size doesn't matter (256b and 128b transfers were tried)
- It only affects the byte if it's >=0x80 (none of the corrupted bytes was <0x80 originally)
- It doesn't affect all first bytes that are >=0x80 (some came through correctly)
My theory (not knowing the BP firmware code much) is that the BP sometimes stumbles if the first bit is set - maybe some timing issue while reading?
I attach a current flashrom build for win32 with the patch for the new transfer mode (http://patchwork.coreboot.org/patch/1986/) applied.
WARNING: This will read corrupted data!