Close
0%
0%

Asus T100TA resurrection

aka how I reflashed the UEFI after I've bricked it

Similar projects worth following
I was dumb enough to try downgrading Asus T100TA's UEFI which ended in not booting machine. Reason for downgrade were not working g-force and ambient light sensors ("error code 10" STATUS_DEVICE_POWER_FAILURE) after live booting Debian Jessie (again stupid move, Debian wiki says clearly to use Stretch).
It turns out it's possible to prepare a full flash image and reflash the SPI chip.

tl;dr: don't try downgrading T100 series UEFI.

BIG FAT WARNING: do it at your own risk, I can't guarantee that everything will work fine.

BIG FAT WARNING #2: it seems I was lucky not to let the magic smoke out of the motherboard. Flash chip is designed to work at 2V maximum so level converter is very highly recommended.



I've bricked my Asus T100TA UEFI when trying to downgrade. Symptoms: after powering on the white led near the camera blinks only once, right after the blink HDD is powered down (kind of Android's bootloop). The only reasonable solution except for contacting service was to try flashing the UEFI by myself.

First try easier and safer method- USB recovery


The Flash chip

T100 uses a Winbond W25Q64FWIG 8MB SPI flash in WSON package for UEFI, it is placed near the touch panel connector

Fortunately all required pins can be accessed quite easily

GND connection is not shown, simplest way is to attach to the metal frame.

Programmer and flashing software

Simple serial programmer can be made using an Arduino- Serprog, just follow all the instruction posted on Flashrom wiki page.

Seeeduino v2.21 can work at 3.3V (there is a switch for that) which simplified construction- there was no need to use level converter. I made a simple shiled using proto PCB and 8 pin DIP socket to avoid wiring mistakes (W25Q64 WSON has the same pinout as DIP variant)

Software- install or compile latest Flashrom, instructions are in the wiki. There are available precompiled Windows builds but I didn't manage to get them to work (also they seem to limit FTDI speed to 115200).


UEFI image

Luckily I made a backup of working UEFI and a dump of flash descriptor region.

Software required: hex editor and dd

Files to download:

  • official T100 UEFI image- download version NOT OLDER than the one that was installed (or Wifi won't work)
  • Meegopad T01 bios image- do not use files for T02 as they are based on a different SOC
  • Flash descriptor files- there are 2 files, original with access restrictions and modified with full access to all flash regions (not yet tested).

Image consists of 3 main parts:

  1. Flash descriptor- contains information about memory regions where Intel TXE firmware and main UEFI are located and R/W access policy
  2. Intel TXE firmware- firmware for embedded microcontroller which runs independently from OS and CPU
  3. BIOS/UEFI- as the name suggests.

Image preparation

  1. Create an empty 8MB (8*1024*1024) file filled with 0xFF:
    dd if=/dev/zero bs=1k count=8k | tr "\000" "\377" > full_image.bin
  2. Open Meegopad T01 uefi image in hex editor. Cut out the part starting at offset 0x400000 up to the end of the file. Cut out the part between 0x0 and 0xFFF including byte at 0xFFF (this is the flash descriptor we don't want). Save the resulting file as firmware.bin
  3. Open original T100 bios file in hex editor. Cut out everything between 0x0 and 0x7FF including byte at 0x7FF and save the file as uefi.bin- this is the UEFI image (the removed part is likely a digital signature).
  4. Open created full_image.bin and copy one of flash descriptor files to the image file at offset 0x0 (or dd it with conv=notrunc). You must overwrite existing contents so the uefi_image.bin file will not change the size
  5. Copy firmware.bin to uefi_image.bin starting at offset 0x1000
  6. Copy contents of uefi.bin to uefi_image.bin starting at offset 0x400000
  7. Save changes to full_image.bin and just to be sure check it's size- it must be 8,338,608 bytes.
  8. Double check if all regions start at correct offsets: flash descriptor- 0x0, Intel TXI firmware- 0x1000, Bios/UEFI- 0x400000
  9. Take a brake before soldering and flashing ;)


Soldering

UEFI image, programmer and flashrom are ready, time for a bit of soldering.

I've prepared six short wires (4 for signals, 2 for power). Each wire is about 7cm long but it's a bit too short- some connections to Arduino had some tension (I was a bit afraid that I'll accidentaly will damage traces on PCB). On one end each wire has a pin taken from a 2.54mm pitch...

Read more »

  • 1 × Asus T100TA bricked one
  • 1 × Seeduino v2.21 or another Arduino compatible board with FTDI and 3.3V power
  • 1 × Arduino proto shield PCB
  • 1 × 8-pin DIP
  • 1 × wires, goldpins, heat shrink tube etc.

View all 6 components

  • It seems I was lucky

    darth_llamah10/26/2016 at 18:54 0 comments

    I got several reports that flash chip in T100 is designed to work at maximum 2V VCC. So either I was lucky or motherboard has good overvoltage protection. Exact chip used in mine T100 (I've checked today) is Winbond W25Q64FWIG (datasheet) which is not supposed to get more than 2V. However it survived flashing twice :)

    Also, after the sucessfull resurrection I found a .docx file which seems to be a service center document- http://docslide.nl/documents/t100ta-fw-update.html
    Document has embedded archives, one of them contains an old (2xx) experimental/debugging UEFI which is a full 8MB file suitable for debricking (bonus- you get service software for all sensors onboard).

  • What possibly went wrong with downgrade

    darth_llamah01/05/2016 at 12:52 0 comments

    I finally had some time to take a look at flash dump and to compare it with "untouched" UEFI image.

    Best guess- NVRAM was unreadable for the UEFI.

    It seems that NVRAM is stored within the UEFI starting at 0x10358- untouched 314 image on the left, backup on the right:

    I also guess that default setup values are stored just before NVRAM, starting (possibly) at 0x10060

    However data dumped form the flash chip differs from the default image:

    - several bytes also in (possibly) default NVRAM data area have different values (eg. 0x10064, 0x1007B and some other bytes after that)

    - starting at 0x1010F data seems to be almost the same in both images but written with a growing offset- at the beginning it's just one byte but later (0x10358) offset grows to 10 bytes

    (314 image on the left side , dump on the right)

    But this is exactly how 227 image looks like (as before- original on the left side, dump on the right):

    My guess:

    Asus WinFlash utility moved NVRAM data (and default setup values) to the place compatible with provided UEFI image and after the reboot UEFI's built-in flasher was responsible for image update. But in my case it refused to work (although I forced WinFlash not to check image build date) and I'm not surprised that T100 didn't want to boot without access to proper NVRAM data.

    If only there was a good old "clear cmos" jumper somewhere......

View all 2 project logs

Enjoy this project?

Share

Discussions

inho0127 wrote 02/21/2019 at 08:08 point

Hello, could you send me a full BIOS ROM file for T100TA?

My email address is inho0127@hanmail.net

  Are you sure? yes | no

chancejack wrote 04/18/2018 at 08:08 point

My question maybe silly, but could you tell me why you need to compose the uefi bin file.  If I write the t100 313 or 314 bios file. Will it work?  Thank you for sharing this great project anyway. 

  Are you sure? yes | no

petry_assassinu_2007 wrote 01/24/2017 at 18:30 point

hello guys....after 2 months of bricked... finded this topic... please put link for final image....i don't understand very well what is necesary to do... "cut from here....cut from here" but i see another file.... please get tge final image to flash 😢 thanks

  Are you sure? yes | no

Domen wrote 11/24/2016 at 22:52 point

Wow, I can't belive it. After 1 week of flashing, editing-reading  many bios files,  "witchcrafting", 

yesterday T100TA decided to wake up again.

but, as soon as Win 8.1 loaded I notice WiFi is not working. "Boradcom Code 5".

Of curse, I bricked tablet when flashing bios v 314 in bios(SecureFlash or sth) and version of bios that "fixed" the tablet was v223. 

I was afraid this Wifi thing can not be fixed but later today I found driver from Dell and the problem with wifi was fixed as well. (Dell Update Package: Broadcom BCM43241 WiFi Driver, 5.93.102.19, A00)

About Flashing:

VCC voltage had to be 2.15v -2.20v, than Winbond, bios chip was detected.

CLK - (pin13 on arduino) - voltage was around -0.35V. at around -0.45v.(negative)

It was very interesting process, learning process as well. Had to use Trimmer 50k at first, later I used 100K trimmer to slowly rasing V from 3.3V pin.

Voltages on other pins, thru logic level, were around 2.20v, -2.30. Sometimes I mesured even 2.50V.

When I was raing Voltage on VCC, I tried at ~2v, but bios wasnt detected. When I reached around 2.40V or a bit more on VCC, it looks like bios chip turned on becouse V intantly droped to 2.10V on VCC and to -0.45V on CLK. 

If CLK voltage is the same or close to VCC voltage it will not detect bios.

Thanks a lot for the project, helped me a lot.

Here are few pics:




  Are you sure? yes | no

Domen wrote 10/25/2016 at 09:37 point

Hey, nice work you made here. I have to try this too, becouse of a bad flash, but I am a little lost how to wire wires from MB to Arduino Uno R3 pins. I wish you have more pictures.

In datasheet of Winbond I saw, chip needs 1.8V , is it ok to give it 3.3V.

regards

  Are you sure? yes | no

darth_llamah wrote 10/25/2016 at 16:01 point

Thanks :)

There were several variants of flash chip used for T100 production, better check exactly which one is used in yours. Mine has the 3.3V variant (I don't remember the exact model) so connecting it was pretty straightforward, I'd say for 1.8V one it would be better to use level converter

  Are you sure? yes | no

Domen wrote 10/25/2016 at 21:45 point

hmm, my have exactly the same chip like on 1st and 2nd picture posted in your project. All numbers are the same. 25Q64FWIG.

I found this datasheet (25Q64FW)

https://www.winbond.com/resource-files/w25q64fw_revk 07012016 sfdp.pdf

On 78 page I see supply voltage can be 1.65V to max 1.95V, and absolute max. ratings VCC + 0.6V.

I aslo have 3.3V / 5V Logic Level Converter Module.

  Are you sure? yes | no

darth_llamah wrote 10/26/2016 at 13:46 point

@Domen, I'll check today what exact chip part is in my T100 (I'm at work right now). 25Q64.W is how flashrom detects the chip, I'm quite sure mine is not from 25Q64FWxx series

EDIT:

It is w25q64fwig flash chip and it survived flashing @3.3V (both power and signal levels) twice. Still it's far beyond specs and I guess I was lucky not to let the magic smoke out ;)

  Are you sure? yes | no

Domen wrote 10/27/2016 at 21:09 point

:) I guess you were lucky, yes or maybe chip can handle that voltage short period of time.

Still, do you have any idea how can I get close to 2V. 

I will use logic level converter module 5V/3,3v. Can i use some resistors to get  lower voltage out of the arduino's pins.

  Are you sure? yes | no

darth_llamah wrote 10/28/2016 at 09:45 point

I'm not sure what is the minimum voltage for high logic level signal which can be reliably detected by Arduino or level shifter ( check this page: https://learn.sparkfun.com/tutorials/logic-levels). I'd rather go for 2V VCC (not 1.8V) for the flash chip as this gives better chances of success

  Are you sure? yes | no

bluefirec300 wrote 07/08/2016 at 14:36 point

Thanks again, btw the arduino UNO i using support 3.3v. now i am on holiday and i will read again the information you just left for me later. now i just wish i could get it back to life and i will leave the keyboard issue after this.

and Thanks again and appreciate! hopefully everything goes will when i start it :

  Are you sure? yes | no

bluefirec300 wrote 07/04/2016 at 23:45 point

Your work is brilliant, wonder how you know a lot about this device in deep.

By the way this is the most useful search that i have been searching for 2 days, i have done what you had done exact the same except i downgrade it due to my keyboard not working properly after i upgrade to Win 10 and the Asus Live update the latest bios for me. After i hit my keyboard ctrl or win key or alt key. the keyboard will not function until i hit the "8" key again.

Btw i will give it a try, if anything goes wrong i will just replace another motherboard :D. I have a arduino UNO but not sure if it compatible, will come back to read your project once again in details. 

Once again nice work!

  Are you sure? yes | no

darth_llamah wrote 07/05/2016 at 08:40 point

Thanks :)

Luckily I had made dumps from unprotected UEFI regions before I even started with downgrade. T100 runs on Intel hardware so almost all information and tools for UEFI image manipulation floating in the Net are helpfull.

Seriously don't try downgrading unless all other possibilities won't work.

As the first thing I'd recommend you to download this docx- http://docslide.nl/documents/t100ta-fw-update.html - it has embedded "production tools" archives including keyboard firmware with usage description ("9. MCU FW update"). Also there is full and ready to flash UEFI image ("11. Onboard Memory"- 213, seems like "experimental" build). Side note- I wish I had found this before downgrading.....

If the keyboard already has the latest firmware:

1. use Produkey (http://www.nirsoft.net/utils/product_cd_key_viewer.html) to read Win10 key

2. use MS's Media Creation Tool (https://www.microsoft.com/en-us/software-download/windows10) to make a bootable USB wint Win10 install

3. download drivers from Asus (at least Wifi driver), drivers for Win8.1 will do

4. wipe everything and do a clean install using the key from step 1

Arduino UNO alone is not enough- UEFI chip requires 3.3v signals (4V max ) while UNO outputs are 5V. Check out Flashrom wiki how to do level shifting (https://www.flashrom.org/Serprog/Arduino_flasher). Also chipset will interfere with flashing if UEFI in flash is in working state- this is a known problem with Intel hardware and is also descriped somewhere in Flashrom wiki.

Anyway I strongly recommend to try first with keyboard firmware and/or clean Windows install before diving into UEFI.

If you have any questions feel free to ask

  Are you sure? yes | no

Similar Projects

Does this project spark your interest?

Become a member to follow this project and never miss any updates