tl;dr: don't try downgrading T100 series UEFI.

BIG FAT WARNING: do it at your own risk, I can't guarantee that everything will work fine.

BIG FAT WARNING #2: it seems I was lucky not to let the magic smoke out of the motherboard. Flash chip is designed to work at 2V maximum so level converter is very highly recommended.



I've bricked my Asus T100TA UEFI when trying to downgrade. Symptoms: after powering on the white led near the camera blinks only once, right after the blink HDD is powered down (kind of Android's bootloop). The only reasonable solution except for contacting service was to try flashing the UEFI by myself.

First try easier and safer method- USB recovery


The Flash chip

T100 uses a Winbond W25Q64FWIG 8MB SPI flash in WSON package for UEFI, it is placed near the touch panel connector

Fortunately all required pins can be accessed quite easily

GND connection is not shown, simplest way is to attach to the metal frame.

Programmer and flashing software

Simple serial programmer can be made using an Arduino- Serprog, just follow all the instruction posted on Flashrom wiki page.

Seeeduino v2.21 can work at 3.3V (there is a switch for that) which simplified construction- there was no need to use level converter. I made a simple shiled using proto PCB and 8 pin DIP socket to avoid wiring mistakes (W25Q64 WSON has the same pinout as DIP variant)

Software- install or compile latest Flashrom, instructions are in the wiki. There are available precompiled Windows builds but I didn't manage to get them to work (also they seem to limit FTDI speed to 115200).


UEFI image

Luckily I made a backup of working UEFI and a dump of flash descriptor region.

Software required: hex editor and dd

Files to download:

Image consists of 3 main parts:

  1. Flash descriptor- contains information about memory regions where Intel TXE firmware and main UEFI are located and R/W access policy
  2. Intel TXE firmware- firmware for embedded microcontroller which runs independently from OS and CPU
  3. BIOS/UEFI- as the name suggests.

Image preparation

  1. Create an empty 8MB (8*1024*1024) file filled with 0xFF: 
    dd if=/dev/zero bs=1k count=8k | tr "\000" "\377" > full_image.bin
  2. Open Meegopad T01 uefi image in hex editor. Cut out the part starting at offset 0x400000 up to the end of the file. Cut out the part between 0x0 and 0xFFF including byte at 0xFFF (this is the flash descriptor we don't want). Save the resulting file as firmware.bin
  3. Open original T100 bios file in hex editor. Cut out everything between 0x0 and 0x7FF including byte at 0x7FF and save the file as uefi.bin- this is the UEFI image (the removed part is likely a digital signature).
  4. Open created full_image.bin and copy one of flash descriptor files to the image file at offset 0x0 (or dd it with conv=notrunc). You must overwrite existing contents so the uefi_image.bin file will not change the size
  5. Copy firmware.bin to uefi_image.bin starting at offset 0x1000
  6. Copy contents of uefi.bin to uefi_image.bin starting at offset 0x400000
  7. Save changes to full_image.bin and just to be sure check it's size- it must be 8,338,608 bytes.
  8. Double check if all regions start at correct offsets: flash descriptor- 0x0, Intel TXI firmware- 0x1000, Bios/UEFI- 0x400000
  9. Take a brake before soldering and flashing ;)


Soldering

UEFI image, programmer and flashrom are ready, time for a bit of soldering.

I've prepared six short wires (4 for signals, 2 for power). Each wire is about 7cm long but it's a bit too short- some connections to Arduino had some tension (I was a bit afraid that I'll accidentaly will damage traces on PCB). On one end each wire has a pin taken from a 2.54mm pitch pin header, on the other side a pin from 2.00mm pitch pin header. Additionally smaller pins have removed plastic part but connection is hidden under a heat shrink tube.


NOW DISCONNECT THE T100 BATTERY IF YOU HAVEN'T DONE THIS ALREADY!

Soldering wires requires a fine soldering tip and some skill, pads where wires go (shown earlier) are not bigger than a tip of 2mm pitch pin. NOTE: ground connection doesn't have to be soldered but is required, I connected it to the metal plate below the motherboard.

Finished soldering:

Now connect wires to Arduino (pinout is the same for WSON and DIP/SOIC packages) but don't connect Arduino to USB yet.

Look at the green and white wires- they should be at least 1 or 2cm longer.

Flashing

Warning once more: do it at your own risk, it may or may not work. And double check wiring, especially power lines

Flashrom wiki covers ISP flashing, common problems with Intel chipsets apply in this case too. Once I flashed the image and booted the hardware I was unable to flash it again- chipset is partially powered from programmer and takes control over the flash chip.

Now the fun part:

  1. Connect Arduino to USB, check which /sys/tty* it is. I assume it's ttyUSB0
  2. Check if flashrom and programmer can recognize the chip: 
    sudo flashrom -p serprog:dev=/dev/ttyUSB0:2000000
  3. Optionally dump contents of flash to the disk: 
    sudo flashrom -p serprog:dev=/dev/ttyUSB0:2000000 -r dumped_flash.bin
  4. Flash new image: 
    sudo flashrom -p serprog:dev=/dev/ttyUSB0:2000000 -w full_image.bin
  5. Flashrom will erase, program and verify the contentes of the chip, if everything worked fine you will see something like this:

Reconnect the battery, press and hold Power button.... and hopefully you'll see this:

Still ambient light and g-sensor are not working but at least it can boot.

Bonus if modified flash descriptor was used: full RW access to all parts of the flash from OS level (at least it's what dumped descriptor says) ;)

I'll try to find what went wrong with downgrade using dump I have, no promises though.

Credits:

CodeRush for his UEFITool- I was able to check offsets and security settings in my dumped flash descriptor.

JRandomHacker for his AMI Aptio EFI modding tutorial- I made a backup of working UEFI image before trying to flash anything