How does the WP screw work exactly?

This is not exactly a support question. In order to remove the write protection screw from my device, I needed a special screwdriver bit and decided to ask a local computer service shop for help.

The guy said he had never heard of something like firmware modification being protected by a screw (Chromebooks, especially this old, are uncommon where I live) and at first assumed I must be an idiot following instructions hallucinated by an LLM (I don’t blame him; he must have seen a fair share of tech gore and dealt with a fair share of morons in his life).

Once he believed me that I was following legitimate instructions, he actually got quite excited about seeing something completely new, but still admitted he couldn’t figure out how this is supposed to work.

Do any of you know? He asked me to come back and show him the result, so I thought I would find out what’s going on with that screw.

Chromebooks, like most modern computers, store their firmware on one or more SPI NOR flash chips, usually one with SOIC-8 or WSON-8 packaging. These SPI flash chips have a dedicated !WP pin (the ! indicating inverse polarity, or active low), which controls access to the registers on the flash chip that set the WP enable and which range(s) of the flash chip are protected.

Here’s what the firmware/flash chip layout looks like on a modern x86_64 Chromebook:

FLASH 16M {
	SI_ALL 3712K {
		SI_DESC 4K
		SI_ME
	}
	SI_BIOS 12672K {
		RW_SECTION_A 3700K {
			VBLOCK_A 8K
			FW_MAIN_A(CBFS)
			RW_FWID_A 64
		}
		RW_LEGACY(CBFS) 1M
		RW_MISC 152K {
			UNIFIED_MRC_CACHE(PRESERVE) 128K {
				RECOVERY_MRC_CACHE 64K
				RW_MRC_CACHE 64K
			}
			RW_ELOG(PRESERVE) 4K
			RW_SHARED 4K {
				SHARED_DATA 4K
			}
			RW_VPD(PRESERVE) 8K
			RW_NVRAM(PRESERVE) 8K
		}
		RW_SECTION_B 3700K {
			VBLOCK_B 8K
			FW_MAIN_B(CBFS)
			RW_FWID_B 64
		}
		# Make WP_RO region align with SPI vendor
		# memory protected range specification.
		WP_RO 4M {
			RO_VPD(PRESERVE) 16K
			RO_GSCVD 8K
			RO_SECTION {
				FMAP 2K
				RO_FRID 64
				GBB@4K 12K
				COREBOOT(CBFS)
			}
		}
	}
}
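To see where the regions above actually land in the 16M address space (and confirm that WP_RO is exactly the top 4M, starting at 0xC00000), here is a small parser for this flashmap-descriptor syntax. It is an added example, not code from the post or from coreboot's own fmd tooling; the layout string is the one above reflowed onto fewer lines, and the rule that an unsized region takes whatever space its sized siblings leave is an assumption about how the format is meant to be read.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# The layout from the post above, reflowed onto fewer lines (this parser, like
# the .fmd syntax it models, does not care about whitespace).
LAYOUT = """
FLASH 16M {
  SI_ALL 3712K { SI_DESC 4K  SI_ME }
  SI_BIOS 12672K {
    RW_SECTION_A 3700K { VBLOCK_A 8K  FW_MAIN_A(CBFS)  RW_FWID_A 64 }
    RW_LEGACY(CBFS) 1M
    RW_MISC 152K {
      UNIFIED_MRC_CACHE(PRESERVE) 128K { RECOVERY_MRC_CACHE 64K  RW_MRC_CACHE 64K }
      RW_ELOG(PRESERVE) 4K
      RW_SHARED 4K { SHARED_DATA 4K }
      RW_VPD(PRESERVE) 8K
      RW_NVRAM(PRESERVE) 8K
    }
    RW_SECTION_B 3700K { VBLOCK_B 8K  FW_MAIN_B(CBFS)  RW_FWID_B 64 }
    # Make WP_RO region align with SPI vendor memory protected range specification.
    WP_RO 4M {
      RO_VPD(PRESERVE) 16K
      RO_GSCVD 8K
      RO_SECTION { FMAP 2K  RO_FRID 64  GBB@4K 12K  COREBOOT(CBFS) }
    }
  }
}
"""

@dataclass
class Region:
    name: str
    flags: Optional[str]      # e.g. CBFS, PRESERVE
    offset: Optional[int]     # explicit "@offset" relative to the parent, if given
    size: Optional[int]       # None = "take whatever is left" (assumed: at most one per parent)
    children: list = field(default_factory=list)

def parse_size(tok: str) -> int:
    m = re.fullmatch(r"(\d+)([KM]?)", tok)
    if not m:
        raise ValueError(f"bad size {tok!r}")
    return int(m.group(1)) * {"": 1, "K": 1024, "M": 1024 * 1024}[m.group(2)]

def tokenize(text: str) -> list:
    toks = []
    for line in text.splitlines():                      # '#' starts a comment
        toks += re.findall(r"\{|\}|[^\s{}]+", line.split("#", 1)[0])
    return toks

def parse_region(toks: list, pos: int):
    """Parse NAME[(FLAGS)][@OFFSET] [SIZE] [{ children }] starting at toks[pos]."""
    m = re.fullmatch(r"([A-Z0-9_]+)(?:\(([A-Z_]+)\))?(?:@(\d+[KM]?))?", toks[pos])
    if not m:
        raise ValueError(f"bad region header {toks[pos]!r}")
    pos += 1
    region = Region(m.group(1), m.group(2), parse_size(m.group(3)) if m.group(3) else None, None)
    if pos < len(toks) and re.fullmatch(r"\d+[KM]?", toks[pos]):
        region.size = parse_size(toks[pos])
        pos += 1
    if pos < len(toks) and toks[pos] == "{":
        pos += 1
        while toks[pos] != "}":
            child, pos = parse_region(toks, pos)
            region.children.append(child)
        pos += 1
    return region, pos

def resolve(region: Region, base: int, table: dict) -> None:
    """Turn relative sizes into absolute (offset, size) pairs, recorded in `table`."""
    if region.size is None:
        raise ValueError(f"{region.name} needs a size")
    table[region.name] = (base, region.size)
    kids = region.children
    if not kids:
        return
    end = base + region.size
    starts, cursor, fill = [None] * len(kids), base, None
    for i, k in enumerate(kids):              # forward pass until the unsized child
        starts[i] = base + k.offset if k.offset is not None else cursor
        if k.size is None:
            fill = i
            break
        cursor = starts[i] + k.size
    if fill is not None:                      # pack the rest backwards from the parent's end
        cursor = end
        for i in range(len(kids) - 1, fill, -1):
            k = kids[i]
            if k.size is None:
                raise ValueError(f"two unsized children in {region.name}")
            starts[i] = base + k.offset if k.offset is not None else cursor - k.size
            cursor = starts[i]
        kids[fill].size = cursor - starts[fill]
    for k, s in zip(kids, starts):
        if s < base or k.size < 0 or s + k.size > end:
            raise ValueError(f"{k.name} does not fit inside {region.name}")
        resolve(k, s, table)

def parse_layout(text: str) -> dict:
    """Map every region name to its absolute (offset, size) in bytes."""
    root, _ = parse_region(tokenize(text), 0)
    table = {}
    resolve(root, 0, table)
    return table

def regions_inside_top(table: dict, flash_size: int, protected_bytes: int) -> list:
    """Regions lying wholly inside the top `protected_bytes` of the chip, i.e. what a
    vendor 'protect the upper quarter' block-protect setting covers on a 16M part."""
    lo = flash_size - protected_bytes
    return sorted(n for n, (o, s) in table.items() if o >= lo and o + s <= flash_size)

if __name__ == "__main__":
    table = parse_layout(LAYOUT)
    for name, (off, size) in table.items():
        print(f"{name:20s} 0x{off:07x} - 0x{off + size:07x}  ({size} bytes)")
    print("covered by top-4M protection:", regions_inside_top(table, 16 << 20, 4 << 20))
```

Running it shows WP_RO at 0xC00000 with a size of 4M, i.e. exactly the upper quarter of the chip, which is why the comment in the layout talks about aligning WP_RO with the vendor's protected-range granularity: block-protect bits on these chips select fractions of the array, not arbitrary byte ranges.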

Google/the OEM ships the device with the WP_RO region (top 4MB) marked as WP in the flash chip registers, enables software WP, then locks the registers by grounding the !WP pin.

On older Chromebooks like yours, the !WP pin is tied directly to a ground point on the mainboard, and the screw completes the circuit tying the pin to ground. When the screw is removed, the pin is no longer grounded, and the flash chip registers are no longer protected.

On modern (CR50) Chromebooks, the ground pin is wired to the GSC (Google Security Chip), and the GSC can be manipulated to enable/disable WP.

Once the !WP pin is no longer grounded, the script is able to use flashrom to disable the software WP on the chip registers, and clear the protected range (top 4MB). This allows you to have full read/write access (well, almost full – the SI_ME section is not readable/writable from a booted system) to the flash chip.
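The three steps above (protected range set in the status register, software WP enabled, registers locked by grounding !WP, then unlocked again when the screw comes out) can be walked through on a small model of the chip. This is an added example, not code from the post or from flashrom; the bit positions (BP2:0 at bits 4..2, TB at bit 5, SRP0 at bit 7) and the fraction-of-array table are assumptions modeled on a 16M Winbond W25Q-series part, so the exact encoding on any given Chromebook's chip is whatever its datasheet says.

```python
# Model of SPI NOR status-register write protection. Bit layout and block-protect
# table are an ASSUMPTION (Winbond W25Q128-style SR1); check your chip's datasheet.
SIZE = 16 * 1024 * 1024
BP_SHIFT, BP_MASK = 2, 0x7 << 2   # BP2:0 select how much of the array is protected
TB = 1 << 5                       # 0 = protect the top of the array, 1 = the bottom
SRP0 = 1 << 7                     # with /WP low, makes the status register read-only

class SpiNorFlash:
    def __init__(self):
        self.sr = 0                            # fresh chip: nothing protected
        self.wp_pin_low = False                # True = /WP tied to ground (screw in place)
        self.mem = bytearray(b"\xff") * SIZE   # erased flash reads back as all 1s

    def protected_range(self):
        """(start, end) of the block-protected area, or None when BP2:0 == 0."""
        bp = (self.sr & BP_MASK) >> BP_SHIFT
        if bp == 0:
            return None
        size = SIZE if bp == 7 else (SIZE // 64) << (bp - 1)   # 1/64, 1/32, ..., 1/2, all
        return (0, size) if self.sr & TB else (SIZE - size, SIZE)

    def write_status_register(self, value):
        """WRSR. With SRP0=1 and /WP low the chip is in hardware-protected mode and
        silently ignores the write, so BP and SRP cannot be cleared from software."""
        if (self.sr & SRP0) and self.wp_pin_low:
            return False
        self.sr = value & 0xFF
        return True

    def page_program(self, addr, data):
        """Program bytes (can only clear bits); refused if any byte is protected."""
        rng = self.protected_range()
        if rng and not (addr + len(data) <= rng[0] or addr >= rng[1]):
            return False
        for i, b in enumerate(data):
            self.mem[addr + i] &= b
        return True

def factory_provision(flash):
    """What the OEM does before the screw goes in: BP=5 (upper quarter = top 4M on a
    16M part, i.e. WP_RO), SRP0=1, then /WP grounded through the screw."""
    assert flash.write_status_register((5 << BP_SHIFT) | SRP0)
    flash.wp_pin_low = True

def screw_scenario():
    """Walk through the sequence from the post and report each outcome."""
    f = SpiNorFlash()
    factory_provision(f)
    out = {"protected": f.protected_range()}
    out["rw_write_with_screw"] = f.page_program(0x3A0000, b"\x00")   # RW_SECTION_A: fine
    out["ro_write_with_screw"] = f.page_program(0xC00000, b"\x00")   # WP_RO: refused
    out["wrsr_with_screw"] = f.write_status_register(0)              # SR locked: refused
    f.wp_pin_low = False                                              # screw removed
    out["wrsr_without_screw"] = f.write_status_register(0)           # clears SRP0 and BP
    out["protected_after"] = f.protected_range()
    out["ro_write_without_screw"] = f.page_program(0xC00000, b"\x00")
    return out

if __name__ == "__main__":
    for step, result in screw_scenario().items():
        print(f"{step:25s} {result}")
```

The point the model makes explicit: while the screw grounds !WP, a write to the RW sections still succeeds (that is how normal Chrome OS updates work), a write into WP_RO is refused by the chip itself, and the status register cannot be changed at all. Lifting the pin does not clear anything by itself; it only lets the software WP-disable step succeed, after which the whole array is writable.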