Flashrom: The Firmware Crowbar


Before we talk about Intel ME, AMD PSP, Apple T2, or any other small government living below your operating system, we must discuss the crowbar.

The crowbar is flashrom.

Not Flash ROM as a noun. Not Adobe Flash, the dead circus plugin.

flashrom, the software.

The program that looks at a firmware chip and says:

“Show me the body.”

I. What Flashrom Actually Does

The official flashrom project describes it as a utility for flashing BIOS, EFI, coreboot, firmware, option ROM images, and other flash contents on mainboards, controllers, and programmer devices.

In practical language, flashrom can:

  • detect supported flash chips
  • read flash contents
  • verify images
  • erase flash chips
  • write new images
  • talk through internal chipset programmers
  • talk through external USB/SPI programmers

This is the forbidden transition:

before flashrom:
  "The firmware is inside the machine."

after flashrom:
  "The firmware is a file. We can hash it."

Once firmware becomes a file, priests lose influence.

Engineers gain evidence.

II. The Flash Chip Is The Archive

On many PC systems, firmware lives in SPI flash.

That chip may contain:

  • UEFI or legacy BIOS code
  • Intel flash descriptor
  • BIOS region
  • Intel ME region
  • GbE firmware/configuration region
  • platform data
  • vendor recovery code
  • option ROMs
  • coreboot, if the machine has been liberated

The exact layout depends on platform, chipset, board design, and vendor decisions.

The important point:

firmware is not one mystical blob.

It is often a partitioned political territory.

| Region | Typical meaning | Political translation |
|---|---|---|
| Flash descriptor | defines regions and access permissions | constitution written by chipset lawyers |
| BIOS/UEFI region | host firmware | visible government |
| Intel ME region | management/security firmware | interior ministry below the palace |
| GbE region | Ethernet MAC/config data | network identity papers |
| EC firmware | embedded controller code, sometimes separate | keyboard, power, fan, and battery police |

This is why flashrom matters before the Intel ME discussion.

Intel ME is not a rumor when you can read the image and point at the region.

It also connects directly to the earlier coreboot decree. coreboot is the escape plan; flashrom is one of the tools that lets the escape plan touch the chip.

III. Internal Programmer: Asking The Prison Guard For The Keys

The easiest-looking mode is internal flashing.

flashrom -p internal -r backup.rom

This asks the running machine to access its own flash chip through the chipset.

Sometimes this works.

Sometimes the chipset says:

“The Supreme Vendor has locked that region.”

Sometimes the kernel blocks access. Sometimes the board needs special enable logic. Sometimes a laptop embedded controller decides this is a coup attempt and makes the machine behave like a haunted appliance.

The flashrom documentation is blunt about laptops: internal flashing can interact badly with embedded controllers, and detection is not perfect.

The lesson:

internal flashing is convenient, not automatically safe.

The prison guard may have keys. The prison guard may also have orders.

IV. External Programmer: Reading The Chip Like Contraband

External programmers avoid trusting the running system.

Common routes include:

  • CH341A-style USB SPI programmers
  • Raspberry Pi or other Linux SPI hosts using linux_spi
  • Bus Pirate and similar tools
  • DediProg and other professional programmers

Do not confuse Dediprog with P. Diddy.

DediProg is in flashrom.

P. Diddy is in prison.

Similar syllables. Different custody chains.

One belongs near flashrom -L.

The other belongs nowhere near pin 1.

Example:

flashrom -p ch341a_spi -r dump1.rom
flashrom -p ch341a_spi -r dump2.rom
cmp dump1.rom dump2.rom
sha256sum dump1.rom dump2.rom

The ritual is not optional.

Read twice. Compare. Hash.

If your two reads differ, you do not have a firmware image.

You have a séance.

External clips also bring their own misery:

  • wrong voltage
  • poor contact
  • bad SOIC clip alignment
  • cable length problems
  • another chip sharing the bus
  • board power state confusion
  • cheap programmer quality

The CH341A is famous because it is cheap and useful.

It is also famous because cheap useful tools attract people who think pin 1 is a matter of opinion.

Pin 1 is not a matter of opinion.

Pin 1 is the border.

V. The Correct Workflow

The bad workflow:

flashrom -p internal -w random-image-from-forum.rom

This is not engineering.

This is feeding the motherboard to wolves.

The correct workflow starts with evidence:

# identify programmer and chip
flashrom -p internal -V

# read the existing image twice
flashrom -p internal -r backup1.rom
flashrom -p internal -r backup2.rom

# prove the reads match
cmp backup1.rom backup2.rom
sha256sum backup1.rom backup2.rom

# only after you can recover, consider writing
flashrom -p internal -w new-firmware.rom

For external programmers:

flashrom -p ch341a_spi -r backup1.rom
flashrom -p ch341a_spi -r backup2.rom
cmp backup1.rom backup2.rom

The Supreme Leader’s firmware decree:

never write what you cannot restore.

If you do not have a verified backup and a recovery path, you are not flashing firmware.

You are gambling with solder.

VI. Why Firmware Regions Are Annoying

Intel-era systems often use a flash descriptor that divides the chip into regions and controls access.

A typical layout may look conceptually like this:

0x00000000
  Flash Descriptor      (who may touch what)
  GbE Region            (Ethernet identity)
  Intel ME Region       (the sealed ministry)
  BIOS / UEFI Region    (host firmware)
0x00ffffff

The descriptor may allow the host CPU to read or write some regions but not others.

This is why flashrom may successfully read the BIOS region but complain about ME region access. It is also why an external programmer can matter: it talks to the chip electrically instead of politely asking the platform security policy for permission.

Internal access:

OS -> chipset -> descriptor policy -> flash chip

External access:

programmer -> SPI pins -> flash chip

The first path negotiates with the regime.

The second path clips onto the archive at night.
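An added example, not flashrom's code and not from this post, that turns the section V ritual and the section VI region map into a check: it refuses two dumps that differ in length or bytes, that are not a power-of-two chip size, or that read as all 0xFF/0x00 (what a loose clip or wrong pin 1 often returns), then lists the regions the Intel flash descriptor declares, the same way ifdtool reads them. The descriptor offsets (signature 0x0FF0A55A at 0x10, FLMAP0 at 0x14, the FLREG table at FRBA, 4 KiB granularity) are the public Intel IFD layout; the 16 MiB sample image is constructed here, not a vendor dump.

```python
# Added example (not flashrom's code, not from the post): check that two SPI
# dumps agree, then list Intel flash descriptor regions. Descriptor layout
# (0x0FF0A55A at 0x10, FLMAP0 at 0x14, FLREG table at FRBA) is the public IFD format.
import hashlib
import struct

IFD_SIGNATURE = 0x0FF0A55A
REGION_NAMES = ("Descriptor", "BIOS", "ME", "GbE", "Platform Data")


def dumps_agree(a: bytes, b: bytes) -> tuple[bool, str]:
    """Same length, same bytes, plausible chip size, and not the blank
    0xFF/0x00 sheet a loose clip or wrong pin 1 tends to return."""
    if len(a) != len(b):
        return False, f"length mismatch: {len(a)} vs {len(b)}"
    if a != b:
        return False, "reads differ: that is a seance, not an image"
    if not a or len(a) & (len(a) - 1):
        return False, f"size {len(a)} is not a power of two; SPI chips are"
    if a.count(0xFF) == len(a) or a.count(0x00) == len(a):
        return False, "all 0xFF or all 0x00: check pin 1, voltage, contact"
    return True, hashlib.sha256(a).hexdigest()


def ifd_regions(image: bytes) -> dict[str, tuple[int, int]]:
    """Region name -> (base, limit), or {} if no descriptor signature."""
    if len(image) < 0x1000 or struct.unpack_from("<I", image, 0x10)[0] != IFD_SIGNATURE:
        return {}
    flmap0 = struct.unpack_from("<I", image, 0x14)[0]
    frba = ((flmap0 >> 16) & 0xFF) << 4          # flash region base address
    regions = {}
    for i, name in enumerate(REGION_NAMES):
        flreg = struct.unpack_from("<I", image, frba + 4 * i)[0]
        base = (flreg & 0x7FFF) << 12            # 4 KiB granularity
        limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
        if base <= limit:                        # unused region: base > limit
            regions[name] = (base, limit)
    return regions


def constructed_image(size: int = 1 << 24) -> bytes:
    """Constructed 16 MiB dump in the diagram's order; erased flash reads 0xFF."""
    img = bytearray(b"\xFF" * size)
    struct.pack_into("<I", img, 0x10, IFD_SIGNATURE)
    frba = 0x40
    struct.pack_into("<I", img, 0x14, (frba >> 4) << 16)
    bounds = [(0x0, 0xFFF), (0x200000, 0xFFFFFF), (0x3000, 0x1FFFFF),
              (0x1000, 0x2FFF), (0x7FFF000, 0x0)]   # last entry: unused
    for i, (base, limit) in enumerate(bounds):
        struct.pack_into("<I", img, frba + 4 * i, ((limit >> 12) << 16) | (base >> 12))
    return bytes(img)
```

Feed `dumps_agree` the two files from the read-twice step; only when it returns True is the region listing worth reading.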

VII. Flashrom Is Not A Firmware Editor

This matters.

flashrom is not UEFITool. flashrom is not ifdtool. flashrom is not me_cleaner. flashrom is not a magic BIOS decompiler.

flashrom moves bytes between chip and file.

Other tools analyze, split, modify, or interpret the image.

| Tool role | Example | Job |
|---|---|---|
| chip read/write | flashrom | talk to flash hardware |
| layout parsing | ifdtool | inspect Intel flash descriptor layout |
| firmware structure | UEFITool | inspect UEFI volumes and files |
| ME reduction | me_cleaner | alter some Intel ME images on supported platforms |
| image comparison | cmp, sha256sum, diffoscope | prove what changed |

The disciplined workflow separates jobs.

The undisciplined workflow downloads a random ROM, flashes it, and joins a forum with the title:

“Laptop no power after coreboot, help.”

The forum already knows.

If the chip says Winbond, this is not trivia. We have already met the company that makes the tiny flash archives where firmware regimes store their decrees.

VIII. Why Flashrom Belongs In This Series

The previous articles discussed protocols and architecture.

flashrom is different.

It is a tool that changes the power relationship.

Without flashrom, firmware is:

  • vendor update package
  • opaque capsule
  • mystery chip
  • support ticket
  • “do not touch”

With flashrom, firmware becomes:

  • backup.rom
  • hashable
  • comparable
  • extractable
  • auditable
  • recoverable, if you planned correctly

This is the difference between folklore and evidence.

The firmware vendor says:

“Trust us.”

flashrom says:

“I made a copy.”

IX. The Real Story (Suppressed)

Officially, flashrom is a free software project for flash chip access.

Unofficially, the first Pyongyang build was called:

Firmware Liberation And Supreme Hex Readout Of Motherboards.

This acronym was rejected because the Makefile wrapped at 80 columns and filed a complaint.

The early command was:

flashrom --extract-state-secrets --humiliate-vendor

Western maintainers renamed the options to:

flashrom -r backup.rom

The functionality remained.

The propaganda improved.

X. The Lesson

Firmware is where vendors hide assumptions.

flashrom is how you begin testing those assumptions.

It does not make firmware safe. It does not make every board supported. It does not bypass every lock. It does not forgive bad clips, wrong voltage, lazy backups, or forum ROMs with unknown ancestry.

But it gives engineers a weapon the vendor did not intend to emphasize:

a byte-for-byte copy of the thing below the operating system.

Tomorrow we open that copy and discuss the interior ministry inside it:

Intel ME.

— Kim Jong Rails, Supreme Leader of the Republic of Derails