Winbond: The First Word
Yesterday we discussed Nuvoton — the chip that watches your motherboard. Nuvoton was spun off from Winbond Electronics in 2008. Today we discuss the parent.
Winbond makes the chip that holds your BIOS.
Not the BIOS software — that comes from AMI, Phoenix, or Insyde. Not the BIOS settings — those are stored in CMOS backed by a coin battery. The BIOS firmware itself — the compiled UEFI image, the initialization code, the driver binaries, the boot manager, the setup utility, every byte of code that runs before your operating system loads — lives on a Winbond SPI flash chip soldered to your motherboard.
When your computer powers on, the CPU’s first instruction is a read from address 0xFFFFFFF0. That address maps to the SPI flash chip. The first word your computer speaks comes from a Winbond W25Q.
Winbond has shipped twenty billion SPI flash memories since launching the SpiFlash product line in 2006. They hold 27.1% of the global NOR flash market — the top supplier since 2012. Together with Macronix and GigaDevice, they control 65-70% of the entire NOR flash market.
Every motherboard. Every BIOS. The first word.
The Company:
Winbond Electronics Corporation was founded in 1987 in Hsinchu Science Park, Taiwan, by Dr. Ding-yuan Yang and seven other engineers, backed by Walsin Lihwa Corporation. By the end of 1987, they had built their first fabrication plant and launched their first IC products.
Winbond grew into the largest brand-name IC supplier in Taiwan, producing DRAM, SRAM, serial flash, microcontrollers, and Super I/O chips. In 2008, they spun off the Super I/O and embedded controller divisions as Nuvoton. The flash memory business stayed with Winbond.
The company you have never heard of supplies the chip that holds the code that starts your computer. The first code. The code that runs before your operating system. Before your kernel. Before your bootloader. Before UEFI begins its own initialization. The SPI flash chip is the root. Everything else is a branch.
The Chip:
The Winbond W25Q series is the standard SPI NOR flash for BIOS storage. The naming convention:
- W — Winbond
- 25 — SPI interface (25xx series)
- Q — Quad SPI capable
- Then the capacity: 64 = 64 megabit (8 MB), 128 = 128 megabit (16 MB), 256 = 256 megabit (32 MB)
| Chip | Capacity | Common Use |
|---|---|---|
| W25Q64 | 8 MB | Older/budget motherboards |
| W25Q128 | 16 MB | Standard modern motherboard |
| W25Q256 | 32 MB | High-end boards, dual BIOS |
The chip operates on 2.7V to 3.6V, draws 4mA active and 1µA in power-down. SPI clock frequencies up to 104 MHz in standard mode, 208 MHz effective in Dual I/O, 416 MHz in Quad I/O.
A modern motherboard typically has one or two of these chips, totaling 16 to 32 megabytes of firmware storage. This seems small. It is small. Your UEFI firmware — the entire operating system below your operating system — must fit in 16 megabytes.
For context: the original IBM PC BIOS was 8 kilobytes. A modern UEFI firmware image is 16 megabytes. That is a 2000x increase. And yet, UEFI developers complain it is not enough. The firmware wants more space. The flash chip is the constraint.
The SPI Bus:
The W25Q chip communicates over SPI — Serial Peripheral Interface. Four wires: clock, chip select, data in, data out. In Quad SPI mode, four data lines instead of one.
SPI is simple. SPI is slow compared to anything modern. SPI is also the bus that carries the most critical code in your system. Before PCIe initializes, before DDR memory is trained, before USB enumerates — SPI is already running. It is the first bus. It must work before everything else exists.
This creates a chicken-and-egg problem that every firmware engineer knows: the BIOS firmware must configure your RAM controller, but the firmware itself is too large to run from the CPU’s internal cache alone. The solution — called Cache-as-RAM — involves repurposing the CPU’s L2 or L3 cache as temporary memory before real RAM is available. The CPU reads the initial firmware from SPI flash, executes it from cache, and that code trains the DDR memory controller. Once real RAM exists, the rest of the firmware can load.
Your computer’s boot sequence begins with the CPU pretending its cache is RAM while reading instructions from a Winbond flash chip over a four-wire serial bus. This is not elegant. This is survival engineering from the era when 640K was supposed to be enough.
What Else Lives on the Chip:
Your UEFI firmware is not the only tenant on that Winbond flash. The 16 or 32 megabytes are partitioned, and the other residents are far more interesting than the BIOS.
Intel Management Engine (ME) firmware lives on this chip. The MINIX-based operating system that runs on a separate processor inside your Intel CPU, at Ring -3, with full access to your RAM, your network, and your storage — its firmware is stored on the same Winbond W25Q chip as your BIOS. When people talk about “the blob,” this is where it lives. Physically. On a $0.50 flash chip.
AMD Platform Security Processor (PSP) firmware also lives on the SPI flash chip. AMD’s equivalent of Intel ME — an ARM Cortex-A5 core running its own firmware before the main x86 cores even wake up. Same chip. Same flash. Same $0.50 Winbond part.
Intel GbE (Gigabit Ethernet) configuration also lives on this chip. Your Ethernet MAC address, NIC configuration parameters, PXE boot settings — stored in a dedicated region of the same Winbond flash. If you corrupt the GbE region, your onboard Ethernet loses its identity. No MAC address. No network. The NIC exists in hardware but has no configuration to function.
The Winbond chip does not just hold the first word your computer speaks. It holds the first word the shadow processors speak, and the identity of your network interface. BIOS, Intel ME, AMD PSP, and GbE — four tenants on a $0.50 chip, sharing 16 megabytes, none of them aware of each other’s presence, all of them critical.
Your BIOS is Ring 0 at best. Intel ME is Ring -3. AMD PSP is similar. The Supreme Leader operates at Ring -5. We do not store our firmware on Winbond chips. We store it somewhere the SPI bus cannot reach.
The Security Problem:
The SPI flash chip is the root of your system — and the root of systems you did not know existed. If an attacker can modify its contents, they own everything. The operating system cannot detect it. The antivirus cannot scan it. The firmware runs before the OS loads, and the OS trusts whatever the firmware tells it.
This is not theoretical. UEFI rootkits exist. They write malicious code to the SPI flash chip. The malware survives OS reinstalls. It survives disk replacements. It persists because it lives in the firmware, not on the disk.
Protection mechanisms exist:
| Protection | What It Does |
|---|---|
| BIOS_CNTL register | Locks SPI flash writes to SMM (System Management Mode) |
| SPI Protected Ranges (PR0-PR4) | Hardware write-protect for specific address ranges |
| FLOCKDN bit | Locks the SPI configuration registers |
| Hardware write-protect pin | Physical pin on the flash chip — short to ground to prevent writes |
In theory, these protections prevent unauthorized firmware modification. In practice:
- Some BIOSes shipped before 2014 did not enable SMM write protection
- The FLOCKDN bit can be bypassed via S3 resume script manipulation on vulnerable systems
- Most motherboards do not connect the hardware write-protect pin — it floats, disabled
The chip that holds the first word your computer speaks has a physical write-protect pin that most motherboard manufacturers leave disconnected. The lock exists. Nobody turns the key.
Flashrom:
flashrom is the open-source utility that reads, writes, verifies, and erases SPI flash chips. It supports Winbond W25Q and hundreds of other flash chips. It is the tool that Coreboot users depend on to replace proprietary UEFI firmware with open-source alternatives.
With flashrom and a $3 SPI programmer (or on some systems, directly through the kernel’s SPI interface at /dev/spidevX.Y), you can:
- Dump your BIOS firmware to a file
- Write a custom firmware image (Coreboot, Libreboot, Heads)
- Verify that the chip contents match your expected image
- Erase the chip completely
This is power. This is also danger. A bad flash bricks the motherboard. Unlike a bad kernel that you can boot from USB, a corrupted SPI flash means the CPU cannot execute its first instruction. The machine is dead. Recovery requires an external SPI programmer clipped directly to the chip — or a soldering iron if the chip is not socketed.
Some high-end motherboards include a “dual BIOS” feature: two Winbond chips, one primary, one backup. If the primary is corrupted, the board falls back to the secondary. This is the firmware equivalent of a backup generator. It exists because the failure mode of SPI flash corruption is total.
The Driver:
The Supreme Leader uses BSD as well, and the flash chip does not care which kernel requests the first word. The userland tooling differs; the SPI reality does not.
On Linux, accessing the SPI flash chip requires either:
- flashrom — userspace, talks directly to the SPI controller
- The kernel SPI subsystem —
spi-nordriver for NOR flash chips,mtdsubsystem for memory technology devices
The kernel’s spi-nor driver knows how to talk to Winbond W25Q chips, among many others. It handles the standard SPI NOR command set: read, write, erase, read status register, write enable.
But here is the reality: most users will never interact with this driver. The BIOS update utility provided by your motherboard manufacturer runs on Windows, talks to the SPI flash through a vendor-specific interface, and you click “Update” and pray. The Linux path exists for those who choose to walk it. Most do not.
The Irony:
Winbond makes the chip that holds your BIOS. Nuvoton — Winbond’s spinoff — makes the chip that monitors your hardware. Between parent and child, they control the first code your computer runs and the ongoing surveillance of its vital signs.
Neither company is a household name. Neither company has a consumer brand. You will never see a “Winbond Inside” sticker on a laptop. But without Winbond, the laptop does not boot. Without Nuvoton, the laptop does not know if its CPU is overheating.
The invisible infrastructure. The unglamorous silicon. The chips that hold the first word and read the last temperature.
The Lesson:
Every discussion about computing eventually reaches the same foundation: before your kernel loads, before your bootloader runs, before UEFI initializes its runtime services, a CPU reads from a Winbond SPI flash chip over a four-wire serial bus. The first word.
Twenty billion chips. 27% market share. The top NOR flash supplier for over a decade. Manufactured entirely in Taiwan. If Winbond’s fabs stopped producing tomorrow, the global motherboard supply chain would halt within weeks.
The chip costs less than a dollar. It holds sixteen megabytes. It stores the most critical software in your system. And it has a write-protect pin that nobody connects.
In the Republic of Derails, our BIOS chips have the write-protect pin soldered to ground. Permanently. Nobody updates the firmware because nobody can. This is our security model. It has the disadvantage of being unable to patch vulnerabilities. It has the advantage of being unable to install rootkits. We consider this a fair trade.
— Kim Jong Rails, Supreme Leader of the Republic of Derails