Extracting the shell-ball ROM using a ChromeOS image

As an example I’m performing this on Fedora 20. I assume that you’re doing it from your home directory.

1. Download the linux script for downloading ChromeOS images. From the cli type/paste:

wget https://dl.google.com/dl/edgedl/chromeos/recovery/linux_recovery.sh

2. Make the script executable so it will run:

chmod +x linux_recovery.sh

3. Run the script:


4. Type the model name of the Chromebook you’re trying to get the ROM for e.g. “HP Chromebook 14”, then type the number of the corresponding image e.g. “8”. Once the file has downloaded, the script will attempt to extract it with a view to writing to USB, however, the tmp mount in Fedora doesn’t get allocated enough space and you get the following error:

chromeos_5712.88.0_falco_recovery_stable-channel_mp-v2.bin: write error (disk full?). Continue? (y/n/^C)

To which I say “n”.

5. Remove the partially extracted file, or you will get space errors:

rm /tmp/tmp.crosrec/*.bin

6. Note the name of the file above, as it will be needed for subsequent commands. Unzip the file into your home directory like so, adding “.zip” onto the end of the filename you noted above:

unzip /tmp/tmp.crosrec/chromeos_5712.88.0_falco_recovery_stable-channel_mp-v2.bin.zip

7. Use kpartx to make sense of the image’s partition structure. First of all make sure it’s installed. This is also a good time to install another dependency which will be needed later (specifically by the extract script):

sudo yum install kpartx sharutils

8. Run kpartx to add a mountable mapping to each of it’s partitions in /dev/mapper:

sudo kpartx -a /tmp/tmp.crosrec/chromeos_5712.88.0_falco_recovery_stable-channel_mp-v2.bin

9. The partition we want to get at is the system partition, which is now mapped to /dev/mapper/loop0p3 however, we have to mount it read-only otherwise mounting will fail:

sudo mount -o ro /dev/mapper/loop0p3 /mnt

10. Create a directory for the extracted files (you don’t want them messing up your home directory):

mkdir shellball

11. Do the extraction:

/mnt/usr/sbin/chromeos-firmwareupdate --sb_extract shellball

12. Write a valid hardware id (you can get a list of all id’s by running the linux_recovery.sh script without any search terms) to the shellball ROM so that ChromeOS will update, for example. After cd’ing into the shellball directory run:

./gbb_utility --set --hwid="PEPPY A2A-A2E-A5W" bios.bin bios.bin.new

13. Optionally set GBB flags as you like:

./gbb_utility --set --flags=0x489 bios.bin.new bios.bin.newer

14. Download statically linked flashrom and flash extracted BIOS:

wget https://johnlewis.ie/flashrom && chmod +x flashrom && sudo ./flashrom -w bios.bin.newer

15. Tidy up:

umount /mnt
dmsetup remove /dev/mapper/loop0p[0-9][0-9]
dmsetup remove /dev/mapper/loop0p[0-9]
losetup -d /dev/loop0

16. Remove /tmp/tmp.crosrec if you can’t wait for a reboot:

rm -rf /tmp/tmp.crosrec

Join the conversation


  1. Hello, for ID’s you type the model name you would use your Chrome Recovery in chrome or hwidmach because my hwid is blank found in the recovery.conf with an * at the end ? Like mine says ^REEF \w{3}-B\w{2}(-\w{3})*?

    Also ad a -v for verbose so people know what to mount. Mine was /dev/mapper/loop11p3

Leave a comment