Chrome OS devices/Custom firmware

From ArchWiki
Jump to: navigation, search
Warning: This article relies on third-party scripts and modifications, and may irreparably damage your hardware or data. Proceed at your own risk.

Tango-edit-clear.pngThis article or section needs language, wiki syntax or style improvements.Tango-edit-clear.png

Reason: This topic on this page were moved out from the Chromebook page as it was too bloated, hard to navigate and follow, the page here is still needs a little more work to stand by it own and we can probably move out a little more details from the Chromebook page to avoid duplicates, anyone who create hot links in other pages to specific topics in this page should be aware that some topics' headers might be change. (Discuss in Talk:Chrome OS devices/Custom firmware#)

Why flash a custom firmware?


  • Adds a much recent version of SeaBIOS.
  • Adds SeaBIOS payload of coreboot to Chrome OS devices that did not shipped with SeaBIOS.
  • Possibility of using a UEFI coreboot payload (only with Matt DeVillier's custom firmware).
  • Reduce boot time.
  • Remove developer Mode screen.
  • Enables VMX in models in which it is not active by default.
  • Fixes some issues (like suspend) without further modifications.


  • Dangerous, might brick your device.
  • Cannot boot stock Chrome OS (you can install Arnold the Bat’s Chromium OS build and it should be possible upgrade it to full blown Chrome OS with a script).
  • It is possible that some quirks will be added.[1] Keep in mind that some of this quirks are the result of using the old fallback read-only Embedded Controller (EC) firmware image, and thus they may be resolved (e.g. the one linked before) in firmware images which provide EC image updates, such as Matt DeVillier's one.

Flashing the custom firmware

There are several approaches for flashing a custom firmware:

  • Use John Lewis' script.
  • Use Matt DeVillier's Firmware Utility Script.
  • Use Matt DeVillier's ezScript (currently supports only Chromeboxes).
  • Manually with flashrom, in this case you will need to obtain the firmware by yourself or to compile it from the Coreboot sources (official or Chromium OS fork).
Note: With Linux kernel versions greater than 4.4, CONFIG_IO_STRICT_DEVMEM a new kernel security measure can make flashrom stop working, in that case you can try adding "iomem=relaxed" to your kernel parameters. [2].

Disable the hardware write protection

See the Disabling the hardware write protection at the Firmware write protection.

Flashing with John Lewis' script

Warning: Do not run the script before disabling the hardware write protection.

Understanding the script

What John Lewis' script does ?
  • Automatically downloads Chromium OS 64bit version of flashrom.
  • Backup your current firmware.
  • Disables software write protection by running # ./flashrom --wp-disable.
  • Checks the Chromebook product name with dmidecode and download the proper custom firmware.
  • Writes the custom firmware.
What the script does not do ?
  • Does not ask for confirmation.
  • Does not check if the hardware write protection is disabled.
  • Does not confirm the compatibility of a custom firmware to a specific Chromebook sub-model.
Warning: If you are flashing a custom firmware be prepared to the possibility that you might brick your device and make yourself familiar with the unbricking methods.

Running the script in Chrome OS

Note: The reason for not posting here is to force you to visit the site and read the page before proceeding.
  • After the script exited copy the backed up firmware to an external storage before rebooting the system.

You should now have a custom firmware installed on your device, cross your fingers and reboot.

If you flashed the firmware as part of the installation process then continue by following Installing Arch Linux, if the custom firmware boots the installation media correctly then you might want to enable back the hardware write protection.

Running the script in Arch Linux

Note: The reason for not posting here is to force you to visit the site and read the page before proceeding.
  • After the script exited copy the backed up firmware to an external storage before rebooting the system.

You should now have a custom firmware installed on your device, cross you fingers and reboot.

If the custom firmware boots Arch Linux correctly then you might want to enable back the hardware write protection, although John Lewis states that it's not necessary and will only make upgrading more difficult later. However, if you do not re-enable it you want to be careful not to use flashrom.

Flashing with Matt DeVillier's Firmware Utility Script

Introduction to the firmware

Matt DeVillier's firmware for Chromebooks and Chromeboxes has some differences compared to other third-party custom firmware, namely:

  • Provides a UEFI implementation via the Tianocore coreboot payload.
  • Provides updates for the Embedded Controller (EC) of some of the devices it supports, solving some hardware idiosyncrasies associated with other custom firmware.
  • Built based on latest coreboot upstream, rather than on the frozen source snapshot provided by Google.

The current major limitation of this firmware is the lack of proper UEFI NVRAM support, resulting in the impossibility of modifying UEFI Variables. This means that it defaults to booting from external devices if a valid EFI partition with a boot EFI program at the default path is detected in one of them and that it defaults to booting from esp/EFI/Boot/BOOTX64.EFI (esp being the EFI System Partition) with no option of changing this default behaviour.

Flashing the firmware

Ensure that your device is supported by looking at the supported device list. For some devices there is a legacy SeaBIOS (non-UEFI) firmware also available, although those are deprecated and will generally not receive further updates. Legacy firmware images also do not provide Embedded Controller updates.

If a UEFI ROM for your device is available, you can flash the Full ROM firmware using the Firmware Utility Script (after ensuring that you have removed your device's firmware write-protection screw). After successfully flashing the firmware, you can follow the Installation guide and install Arch Linux just like on any UEFI computer. Systemd-boot is the recommended bootloader since it installs itself by default in esp/EFI/Boot/BOOTX64.EFI, the path that this firmware tries to boot from by default.

Using the script from Arch Linux

You will need to install dmidecode. Furthermore, to ensure that flashrom can correctly flash the firmware it is necessary to boot with both the nopat and the iomem=relaxed Kernel parameters. This is due to an issue with the relatively old statically linked flashrom binary used by the script, which is required since upstream flashrom can't directly be used to flash firmware images in Chromebooks/Chromeboxes.

Flashing with ezScript

Currently ezScript supports only Intel based Chromeboxes.

Before installing this custom firmware carefully read instructions at ezScript official page. To install firmware only use install option #5 (Install/update: custom coreboot Firmware).

Manually with flashrom

The use of the upstream flashrom package is discouraged as it's missing operations like --wp-disable, --wp-status and it will not write firmware successfully to the ROM of the Chromebook unless it already been programmed externally (i.e. flashing by another device over SPI with SOIC clip), this is why it's recommended to use Chromium OS's flashrom.

Get flashrom for Arch Linux

  • Download a 64-bit statically linked Chromium OS's flashrom version.
# wget
# chmod +x flashrom

Do not forget that flashrom's location is not in $PATH, to execute it you will need to precede the command with ./, e.g. # ./flashrom.

Get flashrom for Chrome OS

Chrome OS already includes flashrom.

Basic use of flashrom

  • Disable software write protection before writing to the firmware chip.
# flashrom --wp-disable
  • Backup firmware from the firmware chip.
# flashrom -r old_firmware.bin
  • Write firmware to the firmware chip.
# flashrom -w new_firmware.bin
Tip: Find your firmware chip by running the command flashrom -V|grep 'Found' |grep 'flash chip'

Flashing back stock firmware

Note: The following assumes that your device is not bricked, if it does bricked then jump to Unbricking your Chrome OS device

Disable the hardware write protection and follow the how to manually flash firmware with flashrom to flash the backup of your stock firmware.

Unbricking your Chrome OS device

Note: This does not intended to be a thorough guide but just give you a basic understanding of the process of flashing a firmware to a bricked Chromebook. The ArchWiki is not the place for detailed hardware hacking guides so there is no sense in expanding this topic.

Required tools

  • Programmer, both the Raspberry Pi and the Bus Pirate are mentioned as compatible devices on the flashrom wiki. The Bus Pirate is preferable as it will allow you to use Chromium OS's version of flashrom that supports --wp-disable and --wp-status flags.
  • SOIC clip is recommended, see [3].
  • Female jumper wires.
  • If you want to use Chromium OS's flashrom another Linux machine (32bit or 64bit) is required.

General idea on the unbricking process

  • Connect the jumper wires to the programmer and the SOIC clip.
  • Connect the SOIC clip to the ROM chip.
  • If your programmer is running Linux (Raspberry Pi) then modprobe the spi modules.
  • If your programmer is not running Linux then connect it to your Linux machine.
  • Write the firmware with flashrom, you might need to disable software write protection by running flashrom with the --wp-disable flag (this is why Chromium OS's flashrom is handy).

Recommended reading about unbricking

Firmware write protection

Note: The information on this topic only intended to give you the basic understanding on the write protection feature in your Chromebook. The ArchWiki is not the place for detailed hardware hacking guides so there is no sense in expanding this topic.

The firmware (Coreboot and its payloads) stored on a SPI chip (usually SOIC8) that some of its storage is protected from writing (mostly Coreboot).

As long as the write protection was not disabled or the protected range was not set to (0,0) any change made to the unprotected part of the firmware (mainly SeaBIOS) should be recoverable with Chrome OS recovery media.

There are two parts of the write protection: hardware and software.

Hardware write protection

The hardware write protection is an electrical circuit that when it's closed or open it prevent writing to the software protection special registers, thus the hardware write protection only protect directly these special registers but indirectly also the data in the firmware chip.

To disable the hardware write protection you may need to remove a screw, press a switch or short a jumper.

Software write protection

The software write protection are special registers which determining if the data stored in the firmware chip is protected and also holds the range of addresses of the protected data.

Understanding the Process of Disabling the Write Protection

To disable the write protection one would need to:

  • Disable the hardware write protection of the special software register.
  • Change the value of the special software register to disable software write protection or change the range of the protected addresses so no data will be protected (start and end at 0).

Conclusion: If we will disable the software write protection and will not enable it back, then even if we will enable the hardware write protection the firmware chip will stay unprotected.

Disabling the hardware write protection

To find the location of the hardware write-protect screw/switch/jumper and how to disable it visit the ArchWiki page for your Chromebook model (see Chromebook Models[broken link: invalid section]). If there is no information about your device on the ArchWiki then turn to Developer Information for Chrome OS Devices and Coreboot's Chromebooks page.

Disabling the software write protection

Chromium OS's flashrom can manipulate the software write protection special registers.

  • Read the status of the software write protection special registers.
# flashrom --wp-status
  • Disable or enable the software write protection.
# flashrom --wp-disable
  • Change software write protection addresses range.
# flashrom --wp-range 0 0

For more details on Chromium OS's flashrom and how to obtain it, see Manually Flash Custom Firmware with flashrom.