Extracting the shell-ball ROM using a ChromeOS image

As an example I’m performing this on Fedora 20. I assume that you’re doing it from your home directory.

1. Download the linux script for downloading ChromeOS images. From the cli type/paste:

wget https://dl.google.com/dl/edgedl/chromeos/recovery/linux_recovery.sh

2. Make the script executable so it will run:

chmod +x linux_recovery.sh

3. Run the script:

./linux_recovery.sh

4. Type the model name of the Chromebook you’re trying to get the ROM for e.g. “HP Chromebook 14”, then type the number of the corresponding image e.g. “8”. Once the file has downloaded, the script will attempt to extract it with a view to writing to USB, however, the tmp mount in Fedora doesn’t get allocated enough space and you get the following error:

chromeos_5712.88.0_falco_recovery_stable-channel_mp-v2.bin: write error (disk full?). Continue? (y/n/^C)

To which I say “n”.

5. Remove the partially extracted file, or you will get space errors:

rm /tmp/tmp.crosrec/*.bin

6. Note the name of the file above, as it will be needed for subsequent commands. Unzip the file into your home directory like so, adding “.zip” onto the end of the filename you noted above:

unzip /tmp/tmp.crosrec/chromeos_5712.88.0_falco_recovery_stable-channel_mp-v2.bin.zip

7. Use kpartx to make sense of the image’s partition structure. First of all make sure it’s installed. This is also a good time to install another dependency which will be needed later (specifically by the extract script):

sudo yum install kpartx sharutils

8. Run kpartx to add a mountable mapping to each of it’s partitions in /dev/mapper:

sudo kpartx -a /tmp/tmp.crosrec/chromeos_5712.88.0_falco_recovery_stable-channel_mp-v2.bin

9. The partition we want to get at is the system partition, which is now mapped to /dev/mapper/loop0p3 however, we have to mount it read-only otherwise mounting will fail:

sudo mount -o ro /dev/mapper/loop0p3 /mnt

10. Create a directory for the extracted files (you don’t want them messing up your home directory):

mkdir shellball

11. Do the extraction:

/mnt/usr/sbin/chromeos-firmwareupdate --sb_extract shellball

12. Write a valid hardware id (you can get a list of all id’s by running the linux_recovery.sh script without any search terms) to the shellball ROM so that ChromeOS will update, for example. After cd’ing into the shellball directory run:

./gbb_utility --set --hwid="PEPPY A2A-A2E-A5W" bios.bin bios.bin.new

13. Optionally set GBB flags as you like:

./gbb_utility --set --flags=0x489 bios.bin.new bios.bin.newer

14. Download statically linked flashrom and flash extracted BIOS:

wget https://johnlewis.ie/flashrom && chmod +x flashrom && sudo ./flashrom -w bios.bin.newer

15. Tidy up:

umount /mnt
dmsetup remove /dev/mapper/loop0p[0-9][0-9]
dmsetup remove /dev/mapper/loop0p[0-9]
losetup -d /dev/loop0

16. Remove /tmp/tmp.crosrec if you can’t wait for a reboot:

rm -rf /tmp/tmp.crosrec

81 thoughts on “Extracting the shell-ball ROM using a ChromeOS image”

  1. Hello John,

    And many thanks for your ROMs. Tried one on our company’s C720 to make sure with worked – it did, flawlessly – and next stop is to buy one of my own and apply it there.

    I will donate to you via PayPal, you certainly deserve it, regardless of whether you could help me out with this issue.

    The C720 I tested it on was our company’s, so my co-worker would like it to be restored to factory. Now, I have the backup-ddmmyy.rom and I’ve also used this shellball extraction. Which one do I use to restore the C720 to factory – in other words – Google’s bios, and from thereon screw the write-protect in again and use ChromeOS USB to restore the OS?

    I’ve tried this shellball method, running the step 12 but I get the following error:
    Please select a programmer with the –programmer parameter.
    Valid choices are: internal, dummy, nic3com, nicrealtek, gfxnvidia, drkaiser, satasii, ft2232_spi, serprog, buspirate_spi, rayer_spi, pony_spi, nicintel, nicintel_spi, ogp_spi, satamv

    Any chance you can help me out with this? Or is this the wrong way to go? Should I go with the backup-ddmmyy.rom, and how would I use it?

    Best regards and with respect to all your efforts,
    Maus

  2. The above method doesn’t seem to be working for me. If I run the command with ./flashrom, I get the following error:
    flashrom v0.9.4 : 14ce0cf : Oct 09 2013 22:16:28 UTC on Linux 3.13.0-34-generic (i686), built with libpci 3.1.10, GCC 4.7.x-google 20130114 (prerelease), little endian
    bios.bin: No such file or directory
    FAILED

    And if I run the command with just “sudo flashrom …” I get the following:
    Please select a programmer with the –programmer parameter.
    Valid choices are: internal, dummy, nic3com, nicrealtek, gfxnvidia, drkaiser, satasii, ft2232_spi, serprog, buspirate_spi, rayer_spi, pony_spi, nicintel, nicintel_spi, ogp_spi, satamv

    Oh, I’m using Ubuntu 14.04 by the way. I used the sudo command from shellball directory and outside of it as well, with the same result. Shellball directory does contain bios.bin, so I’m kind of confused why I’m getting the “no such file or directory” -error using the first method.

    Best regards,
    Maus

  3. It is right there. Output:
    total 17M
    -rw——- 1 default default 8,0M elo 29 16:55 bios.bin
    -rwxr-xr-x 1 default default 5,3K elo 29 16:55 common.sh
    -rwxr-xr-x 1 default default 4,3K elo 29 16:55 crosfw.sh
    -rwxr-xr-x 1 default default 821K elo 29 16:55 crossystem
    -rwxr-xr-x 1 default default 14K elo 29 16:55 crosutil.sh
    -rwxr-xr-x 1 default default 2,8M elo 29 16:55 dump_fmap
    -rw-r–r– 1 default default 256K elo 29 16:55 ec.bin
    -rwxr-xr-x 1 default default 1,4M elo 29 16:55 flashrom
    -rwxr-xr-x 1 default default 1,2M elo 29 16:55 gbb_utility
    -rwxr-xr-x 1 default default 1,4M elo 29 16:55 mosys
    -rw-r–r– 1 default default 31K elo 29 16:55 shflags
    -rwxr-xr-x 1 default default 24K elo 29 16:55 updater4.sh
    -rw-r–r– 1 default default 934 elo 29 16:55 updater_custom.sh
    -rw-r–r– 1 default default 904 elo 29 16:55 VERSION
    -rw-r–r– 1 default default 659 elo 29 16:55 VERSION.md5
    -rw-r–r– 1 default default 76 elo 29 16:55 VERSION.signer
    -rwxr-xr-x 1 default default 797K elo 29 16:55 vpd

    1. Are you logged in as “default”? I suspect not. So you need to change ownership of bios.bin to whatever you’re logged in as i.e. “sudo chown youruser:youruser bios.bin”, as only the user has read/write permission to that file.

      Alternatively you could use “sudo chmod 744 bios.bin” to give group and world read access.

  4. Logged in as default, here’s the terminal logs, first with just “sudo flashrom”:
    default@C720:~/Desktop/orly/shellball$ sudo flashrom -w bios.bin
    flashrom v0.9.6.1-r1563 on Linux 3.13.0-34-generic (i686)
    flashrom is free software, get the source code at http://www.flashrom.org

    Please select a programmer with the –programmer parameter.
    Valid choices are: internal, dummy, nic3com, nicrealtek, gfxnvidia, drkaiser, satasii, ft2232_spi, serprog, buspirate_spi, rayer_spi, pony_spi, nicintel, nicintel_spi, ogp_spi, satamv

    And here’s with “sudo ./flashrom”:
    default@C720:~/Desktop/orly/shellball$ sudo ./flashrom -w bios.bin
    ./flashrom: 1: ./flashrom: �: not found
    ./flashrom: 1: ./flashrom: �R�*����@�@DDQ�td: not found
    ./flashrom: 1: ./flashrom: �R: not found
    ./flashrom: 1: ./flashrom: �: not found
    ./flashrom: 1: ./flashrom: �TJc�Q��~I��QPU%��DXU%@�G: not found
    ./flashrom: 1: ./flashrom: �R����: not found
    ./flashrom: 1: ./flashrom: ./flashrom: 1: ./flashrom: EpU%�8ExU%�9E�U%�DE�U%EE�U%�: not found
    {�����%z{h������%r{h������%j{h������%b{h������%Z{h������%R{h������%J{h������%B{h�p����%:{�: not found
    ./flashrom: 1: ./flashrom: ELF: not found
    ./flashrom: 7: ./flashrom: Syntax error: “)” unexpected

    1. I don’t know why you’re getting all that dodgy output with the statically linked Flashrom, unless you’re using a Uclibc based distro, or something like that?

      Just try with the distro’s Flashrom and specify the programmer on the cmd line i.e. “-p internal”.

  5. Okay, I was using an old version of flashrom. Now the output is:
    Enabling flash write… FREG0: Warning: Flash Descriptor region (0x00000000-0x00000fff) is read-only. FREG2: Warning: Management Engine region (0x00001000-0x001fffff) is locked. Not all flash regions are freely accessible by flashrom. This is most likely due to an active ME. Please see http://flashrom.org/ME for details. Writes have been disabled for safety reasons. You can enforce write support with the ich_spi_force programmer option, but you will most likely harm your hardware! If you force flashrom you will get no support if something breaks. On a few mainboards it is possible to enable write access by setting a jumper (see its documentation or the board itself).
    OK. Found Winbond flash chip “W25Q64.V” (8192 kB, SPI) at physical address 0xff800000. Write/erase is not working yet on your programmer in its current configuration. Aborting.

    So, um, what should I do next?

  6. Oh and I’m just using the latest flashrom, downloaded by apt-get. If I open that statically linked flashrom of yours, it just opens a page full of weird text, such as: ELF�������������� ƒ4���¤�����4� ��(�”�!���������€�€$�$���������� $� ´ ´HY�0����������ô���ô€ô€D���D���������Qåtd������������������������������ $� ´ ´���0���������Råtd $� ´ ´`+�`+���� ������������GNU����������� ������������GNU�_•óÑ

    Do I need to save that in some format, chmod it and try running it?

    1. Can you download the statically linked flashrom again, and make sure you delete the one you have already, beforehand. See if that gives any different output.

  7. Here’s the output:
    default@C720:~/Desktop/orly$ wget –no-check-certificate https://johnlewis.ie/flashrom && sudo ./flashrom -w shellball/bios.bin
    –2014-09-01 15:57:08– https://johnlewis.ie/flashrom
    Resolving johnlewis.ie (johnlewis.ie)… 37.187.3.40
    Connecting to johnlewis.ie (johnlewis.ie)|37.187.3.40|:443… connected.
    HTTP request sent, awaiting response… 200 OK
    Length: 1279220 (1,2M) [text language=”/plain”][/text]
    Saving to: ‘flashrom’

    100%[======================================>] 1 279 220 1,14MB/s in 1,1s

    2014-09-01 15:57:10 (1,14 MB/s) – ‘flashrom’ saved [1279220/1279220]

    [sudo] password for default:
    ./flashrom: 1: ./flashrom: �: not found
    ./flashrom: 1: ./flashrom: �R�*����@�@DDQ�td: not found
    ./flashrom: 1: ./flashrom: �R: not found
    ./flashrom: 1: ./flashrom: �: not found
    ./flashrom: 1: ./flashrom: ./flashrom: 1: ./flashrom: �TJc�Q��~I��QPU%��DXU%@�G: not found
    �R����: not found
    ./flashrom: 1: ./flashrom: ./flashrom: 1: ./flashrom: {�����%z{h������%r{h������%j{h������%b{h������%Z{h������%R{h������%J{h������%B{h�p����%:{�: not found
    EpU%�8ExU%�9E�U%�DE�U%EE�U%�: not found
    ./flashrom: 1: ./flashrom: ELF: not found
    ./flashrom: 7: ./flashrom: Syntax error: “)” unexpected

  8. No success from live cd, here’s the terminal logs. Sorry to be bothering you so much.

    ubuntu@ubuntu:~/Desktop$ dir
    examples.desktop shellball ubiquity.desktop
    ubuntu@ubuntu:~/Desktop$ wget –no-check-certificate https://johnlewis.ie/flashrom && sudo ./flashrom -w shellball/bios.bin
    –2014-09-01 13:39:11– https://johnlewis.ie/flashrom
    Resolving johnlewis.ie (johnlewis.ie)… 37.187.3.40
    Connecting to johnlewis.ie (johnlewis.ie)|37.187.3.40|:443… connected.
    HTTP request sent, awaiting response… 200 OK
    Length: 1279220 (1.2M) [text language=”/plain”][/text]
    Saving to: ‘flashrom’

    100%[======================================>] 1,279,220 1.10MB/s in 1.1s

    2014-09-01 13:39:13 (1.10 MB/s) – ‘flashrom’ saved [1279220/1279220]

    sudo: ./flashrom: command not found

  9. Alright, seems to have worked out:
    ubuntu@ubuntu:~/Desktop$ sudo ./flashrom -w shellball/bios.binflashrom v0.9.4 : 14ce0cf : Oct 09 2013 22:16:28 UTC on Linux 3.13.0-32-generic (x86_64), built with libpci 3.1.10, GCC 4.7.x-google 20130114 (prerelease), little endian
    delay loop is unreliable, trying to continue Erasing and writing flash chip… Verifying flash… VERIFIED.
    SUCCESS

    Now, booting up and hoping something has changed. Do I need to do anything after boot? Or just insert the ChromeOS USB stick?

  10. Worked and didn’t brick the device.

    Now, um, it’s still having the “OS verification is off” -screen at startup, and I would like it back. If I hit space, it just beeps.

    So I think it’s blocked by gbb flags or something. How do I unblock it or install the default seabios without any gbb flags modified?

    Thanks for your help so far, nearly there.

  11. Well, I just set the flags to 0x000 and it went back to Normal mode. Now everything seems alright.

    Thanks for all. Will donate.

  12. John, since the sb_extract function also extracts gbb_utility, might not be a bad idea to have users set the gbb flags back to 0x0 and set the hwid to something meaningful before flashing :)

    1. Possibly. ;)

      I think it’s swings and roundabouts though, Matt, and I have been thinking I may as well stick a default stock ROM up, with something valid already in, and save people the bother of extracting images & whatnot. They can then change the HWID/serial/MAC to something more suitable if it’s required, if not it’ll still be enough for most.

  13. yeah, I’ve done that already with the panther and zako shell-ball ROMs I’ve posted for people who didn’t do a backup (which maybe I should force vs being optional). I left the serial and MAC alone though since no real point to change from one default value to another

  14. The right command is:
    gbb_utility –-set -–hwid=’PEPPY A2A-A2E-A5W’ bios.bin bios.bin.new or gbb_utility –-set -–hwid=”PEPPY A2A-A2E-A5W” bios.bin bios.bin.new but when i tape the command i dont have error but i dont have output file when the command is end. (I have do the command in chrome os with sudo and name the output file “newbios.bin”)

  15. gbb_utility –set –hwid=’PEPPY A2A-A2E-A5W’ bios.bin bios.bin.new or gbb_utility –set –hwid=”PEPPY A2A-A2E-A5W” bios.bin bios.bin.new *

  16. the right command is :
    sudo gbb_utility –set –hwid=’PEPPY A2A-A2E-A5W’ /home/chronos/user/Downloads/bios.bin /home/chronos/user/Downloads/newbios.bin

  17. but with to dash before set and hwid. When i tape two dash, that is transformed to one dash when i post the message.

    1. I don’t know. When I run “./gbb_utility –set –hwid=”Test” bios.bin bios.bin.new” in an extracted shellball directory, I get a bios.bin.new file in there. Maybe only specify a name rather than a full path?

  18. I can make a screenshot of the help of gbb_utility if you want ? (There are an exemple with two dash before set and hwid)

    1. I’m not going to be able to help you any further unless you screenshot running the command. There’s something subtle going on here causing the command to fail.

  19. in this screenshot i don’t have specified bios.bin file. but when i have flash my chromebook the bios file was in download.

    1. You have to have the bios.bin from the shellball, and use the command to modify that. Then you have to flash it. I know you’ve already flashed an unmodified shellball ROM, but this is where we are.

  20. Yes but i have already modified the hwid of an unmodified shellball bios and i have flash it now i have update.

  21. i have write a message:
    Kevin
    SEPTEMBER 26, 2014 AT 3:56 PM
    I have resolve the problem flash succes and i have update. Thanks a lot john ;).

  22. Hi John, great article and instructions.
    Other than using double dashes on the gbb_utility everything worked flawlessly.

  23. you can set the “WORKING_DIR=/path/to/dir” to something else, like your home directory, to avoid space errors if you edit the script. wanted to point it out in case it helped someone. thank you for all your work, john!

  24. Do you know the valid hwid to use for an HP Chromebox cb1-014?
    HP Product No. G870UA#ABA.

    /tmp/tmp.crosrec/config.txt offers me 864 choices; I am unlikely to pick the right one the first time.

    This model has a Celeron 2955U , 2 GB RAM, 16GB SSD, Intel HD graphics 440, snow white …

  25. I am trying to get a ROM for the Acer C720, but when I run the linux_recovery.sh file, most of the model names cannot be found, including the one I am looking for. Is there an updated version of this script?

    1. So, you select a model number and then it won’t download the recovery image because it can’t find it? Can you post a screenshot of when you’re running the script?

  26. i got no errors up until step 6 where i had to enter “unzip /tmp/tmp.crosrec/chromeos_5712.88.0_falco_recovery_stable-channel_mp-v2.bin.zip”

    then i get this error “ubuntu@ubuntu:~/Downloads$ unzip /tmp/tmp.crosrec/chromeos_5712.88.0_falco_recovery_stable-channel_mp-v2.bin.zip
    unzip: cannot find or open /tmp/tmp.crosrec/chromeos_5712.88.0_falco_recovery_stable-channel_mp-v2.bin.zip, /tmp/tmp.crosrec/chromeos_5712.88.0_falco_recovery_stable-channel_mp-v2.bin.zip.zip or /tmp/tmp.crosrec/chromeos_5712.88.0_falco_recovery_stable-channel_mp-v2.bin.zip.ZIP.

  27. I don’t know what happened, I re-downloaded the script and it worked. Now I have ChromeOS firmware on again. Thanks for the help anyway.

  28. on step 8 i get the error failed to stat() /tmp/tmp.crpsrec/chromeos_6310.68.0_peppy_recovery_stable-channell_mp-v2.bin

    1. On older versions of Fedora the tmpfs size was set too small, so there’s not enough room to inflate the image. You can either increase tmpfs size or ctrl c out of the script and copy the zip somewhere else to inflate manually. Then all you need do is dd the image to your USB stick.

  29. Hi John,

    I’m trying get the stock ROM for my Acer C720, but when I search for the Model string I’m getting this loop:
    ./linux_recovery.sh: 534: ./linux_recovery.sh: [[: not found
    ./linux_recovery.sh: 535: ./linux_recovery.sh: [[: not found
    ./linux_recovery.sh: 536: ./linux_recovery.sh: [[: not found
    ./linux_recovery.sh: 537: ./linux_recovery.sh: [[: not found
    ./linux_recovery.sh: 534: ./linux_recovery.sh: [[: not found
    ./linux_recovery.sh: 535: ./linux_recovery.sh: [[: not found
    ./linux_recovery.sh: 536: ./linux_recovery.sh: [[: not found
    ./linux_recovery.sh: 537: ./linux_recovery.sh: [[: not found

    No matter what string I put in, I’m getting this loop. When I just press ENTER, I can’t find the right Model.

  30. Installed Elemtary OS a few days ago, and just downloaded the script again, but I’m getting the same output. When I just press ENTER eventually it started showing some models from 35 - Samsung Chromebook Series 5 US-Wifi to 41 - Acer AC700-1529 3G But I can’t find my model between it.

  31. Every step works until I get to step 14, when I do I get
    flashrom v0.9.4 : 14ce0cf : Oct 09 2013 22:16:28 UTC on Linux 3.17.4-301.fc21.x86_64 (x86_64), built with libpci 3.1.10, GCC 4.7.x-google 20130114 (prerelease), little endian
    Error: Image size doesn’t match
    FAILED
    I’m completley stumped. The bios.bin is 4.2mb

  32. Alright, this is a pretty stupid question, but I’m new to this sort of stuff. I’m trying to flash the stock BIOS onto my Acer C720, but I’m getting stuck on step 4. What is the number of the image for my chromebook?

Comments are closed.