11 thoughts on “Baytrail update”

  1. I want to flash my Winky…

    I am having difficulty finding clear information on what I can do with this model.

    I have a somewhat disabled Samsung Chromebook XE500C12 (Winky) and I have purchased a Pomona clip to be able to “UnBrick” it.

    My goal is to put GalliumOS on it. (I hope I have not got in over my head.)

    I realize I have a lot to learn.
    Here are my assumptions:
    With my “Clip” I can backup my entire ROM.
    I can put it back if need be.
    There might already be a working “Legacy BIOS”.
    Perhaps all I need to do is tell the BIOS Stub to boot legacy and then load the OS from usb drive?

    Any information you can provide on flashing the Legacy area and telling the boot-stub to use it to put GalliumOS on it would be great.

    1. Yeah, so use the script to flash RW_LEGACY. Make sure the RW_LEGACY slot is enabled (search internet for those instructions if you don’t already have them), and use Ctrl+L to boot legacy slot to your GalliumOS usb.

      If you want to make the change more permanent, check out the article for making RW_LEGACY default (use search box on this site).

      Let me know if you’re stuck.

      1. I really appreciate all the research that you have done in figuring this out and testing the various hardware. My goal is to un-brick and boot GalliumOS with as little effort as possible.

        I have a Raspberry Pi hooked up. I copied my W25Q64FW chip to a file. (really cool that I do not need to step-down the voltage and that I don’t have to de-solder the chip).

        I verified it by reading the chip three times–all the same.

        I take that ROM file and can extract out of it a BIOS.bin file using ifdtool. The BIOS.bin file from the Winky is 6291456 bytes long.

        I downloaded your BOOT_STUB: bios.cbfs.new and the Legacy file: legacy-seabios-baywell-latest.cbfs
        (These should both be correct for the Winky)

        From what I understand, I only want to replace those specific parts of the BIOS.bin file and then I can inject it again into the ROM file and write it back to the chip using the Raspberry Pi.

        I don’t know how to replace just those parts of the BIOS.bin file and I am using the flashrom utility from the Raspberry pi.

        There are other sites talking about re-compiling the entire coreboot — I don’t think the Winky is supported for this.

        Am I missing a step in how to inject your files into my BIOS.bin file?
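
Added example (not part of the comment above or of the site's scripts): a check to run on repeated chip reads before treating them as a backup. Identical reads alone are not enough, because a poorly seated clip can return all 0xFF or all 0x00 every time; the 8388608-byte size assumes the 8 MiB W25Q64FW mentioned above, and the dump file names are hypothetical.

```sh
#!/bin/sh
# Added example: sanity-check repeated SPI flash reads before relying on them.
# EXPECTED_SIZE assumes an 8 MiB part (W25Q64FW = 64 Mbit); override for other chips.
EXPECTED_SIZE=${EXPECTED_SIZE:-8388608}

# Succeeds if the file holds nothing but 0x00 or nothing but 0xFF bytes.
is_blank() {
    for b in '\000' '\377'; do
        [ "$(LC_ALL=C tr -d "$b" < "$1" | wc -c)" -eq 0 ] && return 0
    done
    return 1
}

# verify_dumps FILE FILE [FILE...]: 0 = usable, 1 = check failed, 2 = usage/IO error.
verify_dumps() {
    [ "$#" -ge 2 ] || { echo "need at least two reads to compare" >&2; return 2; }
    first_sum=""
    for f in "$@"; do
        size=$(wc -c < "$f") || return 2
        if [ "$size" -ne "$EXPECTED_SIZE" ]; then
            echo "FAIL: $f is $size bytes, expected $EXPECTED_SIZE" >&2
            return 1
        fi
        if is_blank "$f"; then
            echo "FAIL: $f is all 0x00 or all 0xFF (check clip seating/wiring)" >&2
            return 1
        fi
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        if [ -n "$first_sum" ] && [ "$sum" != "$first_sum" ]; then
            echo "FAIL: $f differs from $1" >&2
            return 1
        fi
        first_sum=$sum
    done
    echo "OK: $# identical reads, sha256 $first_sum"
}

# Usage (hypothetical file names): sh verify_dumps.sh read1.bin read2.bin read3.bin
if [ "$#" -gt 0 ]; then
    verify_dumps "$@"
fi
```

Keep the printed SHA-256 with the backup so the file can be re-checked before it is ever written back to the chip.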

        1. Okay, well BOOT_STUB isn’t really supported any more, so if you do use it, it is even more so at your own risk.

          You need one or the other – BOOT_STUB or RW_LEGACY, not both.

          The easiest way to do this, is use flashrom to inject the files into the right part of the ROM, rather than fiddling with the ROM file itself.

          I wouldn’t recommend you use the in-distro version of flashrom on the Pi – more than not having as good support for the flash chips in Chromebooks, it also doesn’t have the ability to inject said files, as I mentioned above.

          If you follow the “Flashrom” section of this article, it will get you to a compiled version of flashrom on the Pi, that will do the job.


          What happened to your Winky to brick it, and why do you therefore think that using a copy of that ROM will do what you need?

  2. On getting third-party flashrom: (At some point in time I did know that the “in-stream” version of flashrom would not be able to flash specific parts of the chip.) I did not know that your version would work on the RPi, so I will definitely try that.

    I tried to compile using “pi-zero-w-flashrom-and-usb-gadget-debug” (the post on your site), but it would not compile on my OS version on the RPi. I will get another flash drive and try it again with other OS versions.

    On how my CB got “Bricked”: I bought a used CB off of eBay “as is” with a note saying it could not be Power-Washed. I bought it because it was cheap and I wanted to run Ubuntu in any case. I had your easy scripts in mind when I bought it.

    I really enjoyed the challenge and discovery of a few points:
    * The version of Chrome that I had on a USB stick was older than what was previously installed. That blocked the install. (The most recent version is stored in the TPM chip.) Google does not ever let you “downgrade”.
    * After successfully installing the most recent version, I was unable to get to Developer Mode (said it was locked out). I can only get to a “lock out” screen — not to a CLI prompt.

    So half of me wanted to chuck it in the trash-can and the other half of me wanted to buy a RPi and see if I could replace the BIOS. I regret the CB purchase. I regret it is not an ARM processor (my other CB is an ARM and I Love it).

    I am really happy with the RPi and the ability to flash a chip (even a 1.8 V chip) right on the MB without any soldering.

    Now that I have a backup of the chip and the ability to restore it to the way it is now, I feel I can try some crazy experimentation.

    Thanks for your help — this is great fun. I love Chromebooks and I love tinkering.

    1. I compiled Flashrom under Raspbian Jessie. If you’re still stuck with that, let me know. If you aren’t too bothered about running ChromeOS on there, you can just flash a shellball ROM, then update the RW_LEGACY slot, and have done with it:


      With a shellball ROM, the HWID will be invalid, so although ChromeOS will work, it won’t update itself, and it will also complain.

      Let me know if you’re still stuck with anything.

  3. Let me quote the last words of many an adventurous person…
    “Hang on a sec — I am going to try something…”

    While I have the battery disconnected and the bottom of the CB off, I am going to “experiment” with a couple of things first — so I will have to get back to you on getting the legacy boot to work. If I end up getting Gallium to boot up with CTL-L (from SD card) and Chrome to boot with CTL-D that would be great. If I have to resort to the chroot environment solution to get Ubuntu that would be OK.

    I read somewhere that the “Lockout” of the Dev mode was in the “gVpdInfo”, so I took a look inside the BIOS file. I found it (at offset x0400600) and I see a 4 byte sequence at the start (where mine says [03][01][00][00]). These are probably bit-masks. I took a gamble that the “1” in the second byte would be it, but it turns out that one means “WiFi Enabled”. So I have two more chances to see if I can unblock dev mode by changing the first byte. (change it to a 2, then change it to a one to see which one it is).

    If this does not work, I will try other options.

    Note on my compile error: I did use Jessie Lite on the Pi to compile both the “flashrom” and the “ifdtool”. It may be that because of these that I cannot get the third-party version of flashrom to compile. I am guessing that if I started fresh I could get it to work.

  4. Side Note: I gave up on trying to modify the vpd info area — anything I did made no difference — After booting I was prompted to load from USB stick and was stuck. (If I did load Chrome from USB stick I was still locked out of DEV.)

    I also tried extracting just the area-1 (BIOS) portion and injecting it into my original ROM copy — but that failed as well. I gave up and instead just did what you originally told me — flashing the entire 8MB bios.bin for the Winky (from the link you provided).

    This worked great. Chrome came up in DEV mode — tout suite!

    I then used your script to flash the RW_Legacy slot. That worked great. I tried CTL-L and that did not work. I found I needed to do sudo crossystem dev_boot_usb=1 dev_boot_legacy=1 (see below on usb boot for the winky).

    I was planning on booting from a jump drive and flashing my SD card. I used Etcher to image both USB and SD_Card with a GalliumOS ISO. After CTL-L still failed, I read that the Winky cannot boot from USB ever. So I changed the above dev_boot_usb=0 and was able to CTL-L boot from the Gallium ISO I wrote to my SD card.

    However, I could not install Gallium from SD to SD, so I read up on using the chrx script from Chrome OS (with options to install Gallium on the SD card):
    sudo sh chrx.sh -d galliumos -e desktop -r latest -t /dev/mmcblk1 -Z America/Denver

    (Note: the script is named “go” by default. My SD card is mmcblk1; do not install to mmcblk0 or you will wipe out your Chrome hard drive.)

    This setup works very well. When I boot I see the scary screen only for a moment and it boots to Chrome. If I press CTL-L very quickly and then press ESC to get the option to boot from SD card, then I am in Gallium.

    I could not be happier, thanks for all your help.

    Two minor questions:

    1) If my wife ever borrowed my Chromebook and pressed Space on the scary screen, where would I be? If only user data is lost — not a big deal. Hopefully I would not have to “flashrom” it again.

    2) I ended up with a recent version of Chrome OS — I assume because I had used a recent load from a USB drive for my testing — before flashing the shellball. Does that mean (in the future) I could reload Chrome from USB (wiping out my BIOS) and then could reload the shellball via the Pi and end up with a newer version of Chrome OS? (I would never do this and that would be a painful method to upgrade).

    1. I really should put the command to enable legacy boot somewhere.

      Assuming you’ve left the GBB flags as is in the shellball ROM, when ;) she presses space, nothing will happen except maybe a beep.

      There are two possibilities here – you can either find a valid HWID off someone else who owns a Winky (or perhaps another Baytrail Chromebook) and write it into the ROM – this will mean updates work again, and you won’t get any warning message.

      The second option is simply to download the latest recovery image, and recover again – it’s more manual, but not too much of a pain, in my view. The recovery images are updated pretty regularly.

      You’ve certainly made progress anyway.
