Extracting the shell-ball ROM using a ChromeOS image

As an example I’m performing this on Fedora 20. I assume that you’re doing it from your home directory.

1. Download the linux script for downloading ChromeOS images. From the cli type/paste:

wget https://dl.google.com/dl/edgedl/chromeos/recovery/linux_recovery.sh

2. Make the script executable so it will run:

chmod +x linux_recovery.sh

3. Run the script:


4. Type the model name of the Chromebook you’re trying to get the ROM for e.g. “HP Chromebook 14”, then type the number of the corresponding image e.g. “8”. Once the file has downloaded, the script will attempt to extract it with a view to writing to USB, however, the tmp mount in Fedora doesn’t get allocated enough space and you get the following error:

chromeos_5712.88.0_falco_recovery_stable-channel_mp-v2.bin: write error (disk full?). Continue? (y/n/^C)

To which I say “n”.

5. Remove the partially extracted file, or you will get space errors:

rm /tmp/tmp.crosrec/*.bin

6. Note the name of the file above, as it will be needed for subsequent commands. Unzip the file into your home directory like so, adding “.zip” onto the end of the filename you noted above:

unzip /tmp/tmp.crosrec/chromeos_5712.88.0_falco_recovery_stable-channel_mp-v2.bin.zip

7. Use kpartx to make sense of the image’s partition structure. First of all make sure it’s installed. This is also a good time to install another dependency which will be needed later (specifically by the extract script):

sudo yum install kpartx sharutils

8. Run kpartx to add a mountable mapping to each of it’s partitions in /dev/mapper:

sudo kpartx -a /tmp/tmp.crosrec/chromeos_5712.88.0_falco_recovery_stable-channel_mp-v2.bin

9. The partition we want to get at is the system partition, which is now mapped to /dev/mapper/loop0p3 however, we have to mount it read-only otherwise mounting will fail:

sudo mount -o ro /dev/mapper/loop0p3 /mnt

10. Create a directory for the extracted files (you don’t want them messing up your home directory):

mkdir shellball

11. Do the extraction:

/mnt/usr/sbin/chromeos-firmwareupdate --sb_extract shellball

12. Write a valid hardware id (you can get a list of all id’s by running the linux_recovery.sh script without any search terms) to the shellball ROM so that ChromeOS will update, for example. After cd’ing into the shellball directory run:

./gbb_utility --set --hwid="PEPPY A2A-A2E-A5W" bios.bin bios.bin.new

13. Optionally set GBB flags as you like:

./gbb_utility --set --flags=0x489 bios.bin.new bios.bin.newer

14. Download statically linked flashrom and flash extracted BIOS:

wget https://johnlewis.ie/flashrom && chmod +x flashrom && sudo ./flashrom -w bios.bin.newer

15. Tidy up:

umount /mnt
dmsetup remove /dev/mapper/loop0p[0-9][0-9]
dmsetup remove /dev/mapper/loop0p[0-9]
losetup -d /dev/loop0

16. Remove /tmp/tmp.crosrec if you can’t wait for a reboot:

rm -rf /tmp/tmp.crosrec

Join the conversation


  1. Hello, for ID’s you type the model name you would use your Chrome Recovery in chrome or hwidmach because my hwid is blank found in the recovery.conf with an * at the end ? Like mine says ^REEF \w{3}-B\w{2}(-\w{3})*?

    Also ad a -v for verbose so people know what to mount. Mine was /dev/mapper/loop11p3

  2. when I try to use flashrom:
    sudo flashrom -p internal -w newbios.bin
    flashrom v1.2 on Linux 5.15.0-35-generic (x86_64)
    flashrom is free software, get the source code at https://flashrom.org

    Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
    coreboot table found at 0x7ab24000.
    Found chipset “Intel Apollo Lake”.
    Enabling flash write… SPI Configuration is locked down.
    FREG0: Flash Descriptor region (0x00000000-0x00000fff) is read-only.
    FREG5: Device Expansion region (0x00f7f000-0x00ffffff) is locked.
    Not all flash regions are freely accessible by flashrom. This is most likely
    due to an active ME. Please see https://flashrom.org/ME for details.
    At least some flash regions are read protected. You have to use a flash
    layout and include only accessible regions. For write operations, you’ll
    additionally need the –noverify-all switch. See manpage for more details.
    Enabling hardware sequencing because some important opcode is locked.
    Found Programmer flash chip “Opaque flash chip” (16384 kB, Programmer-specific) mapped at physical address 0x0000000000000000.
    Reading old flash chip contents… Transaction error between offset 0x00f7f000 and 0x00f7f03f (= 0x00f7f000 + 63)!
    Plz help

    1. I guess the thing that stands out is “Opaque flash chip” – sounds like flashrom doesn’t know about the rom chip

      It does sound like there is still some locking mechanism in play too

      Is this a Chromebook?

Leave a comment