tl;dr: don't try downgrading T100 series UEFI.
BIG FAT WARNING: do it at your own risk, I can't guarantee that everything will work fine.
BIG FAT WARNING #2: it seems I was lucky not to let the magic smoke out of the motherboard. Flash chip is designed to work at 2V maximum so level converter is very highly recommended.
I've bricked my Asus T100TA UEFI when trying to downgrade. Symptoms: after powering on the white led near the camera blinks only once, right after the blink HDD is powered down (kind of Android's bootloop). The only reasonable solution except for contacting service was to try flashing the UEFI by myself.
First try easier and safer method- USB recovery
The Flash chip
T100 uses a Winbond W25Q64FWIG 8MB SPI flash in WSON package for UEFI, it is placed near the touch panel connector
Fortunately all required pins can be accessed quite easily
GND connection is not shown, simplest way is to attach to the metal frame.
Programmer and flashing software
Simple serial programmer can be made using an Arduino- Serprog, just follow all the instruction posted on Flashrom wiki page.
Seeeduino v2.21 can work at 3.3V (there is a switch for that) which simplified construction- there was no need to use level converter. I made a simple shiled using proto PCB and 8 pin DIP socket to avoid wiring mistakes (W25Q64 WSON has the same pinout as DIP variant)
Software- install or compile latest Flashrom, instructions are in the wiki. There are available precompiled Windows builds but I didn't manage to get them to work (also they seem to limit FTDI speed to 115200).
Luckily I made a backup of working UEFI and a dump of flash descriptor region.
Software required: hex editor and dd
Files to download:
- official T100 UEFI image- download version NOT OLDER than the one that was installed (or Wifi won't work)
- Meegopad T01 bios image- do not use files for T02 as they are based on a different SOC
- Flash descriptor files- there are 2 files, original with access restrictions and modified with full access to all flash regions (not yet tested).
Image consists of 3 main parts:
- Flash descriptor- contains information about memory regions where Intel TXE firmware and main UEFI are located and R/W access policy
- Intel TXE firmware- firmware for embedded microcontroller which runs independently from OS and CPU
- BIOS/UEFI- as the name suggests.
- Create an empty 8MB (8*1024*1024) file filled with 0xFF:
dd if=/dev/zero bs=1k count=8k | tr "\000" "\377" > full_image.bin
- Open Meegopad T01 uefi image in hex editor. Cut out the part starting at offset 0x400000 up to the end of the file. Cut out the part between 0x0 and 0xFFF including byte at 0xFFF (this is the flash descriptor we don't want). Save the resulting file as firmware.bin
- Open original T100 bios file in hex editor. Cut out everything between 0x0 and 0x7FF including byte at 0x7FF and save the file as uefi.bin- this is the UEFI image (the removed part is likely a digital signature).
- Open created full_image.bin and copy one of flash descriptor files to the image file at offset 0x0 (or dd it with conv=notrunc). You must overwrite existing contents so the uefi_image.bin file will not change the size
- Copy firmware.bin to uefi_image.bin starting at offset 0x1000
- Copy contents of uefi.bin to uefi_image.bin starting at offset 0x400000
- Save changes to full_image.bin and just to be sure check it's size- it must be 8,338,608 bytes.
- Double check if all regions start at correct offsets: flash descriptor- 0x0, Intel TXI firmware- 0x1000, Bios/UEFI- 0x400000
- Take a brake before soldering and flashing ;)
UEFI image, programmer and flashrom are ready, time for a bit of soldering.
I've prepared six short wires (4 for signals, 2 for power). Each wire is about 7cm long but it's a bit too short- some connections to Arduino had some tension (I was a bit afraid that I'll accidentaly will damage traces on PCB). On one end each wire has a pin taken from a 2.54mm pitch...Read more »