Flashing HP4530s BIOS with Raspberry Pi 3 to reset admin password

Why?

I once setup an admin password on my computer and off course forgot about it. When trying to update the rom my laptop was asking me for admin password and was not letting me update the rom without it. After some research I realised that the only way is to mess with the MX25L3206E bios chip. It turned out to be quite easy but required couple of hours of research, here is a guide for anyone trying this in the future.

What do we need?

  • Raspberry Pi running Raspbian
  • Semi advanced soldering skills or SOIC8 SOP8 Clips socket adapter

Step by step

Step 1: Install Raspbian on Raspberry pi: https://www.raspberrypi.org/downloads/raspbian/

Step 2: Install Flashroom

sudo apt-get install pciutils
sudo apt-get install libftdi-dev
sudo apt-get install libusb-dev
sudo apt-get install libpci-dev
sudo apt-get install libusb-1.0
sudo git clone https://github.com/stefanct/flashrom.git
cd flashrom
sudo make
sudo make install

Step 3: Hook up raspberry pi to HP4530s Bios chip

Raspberry Pi pinout https://www.myelectronicslab.com/wp-content/uploads/2016/06/raspbery-pi-3-gpio-pinout-40-pin-header-block-connector-.png

MX25L3206E pinout (HP4530s BIOS eprom chip) http://www.vcc2gnd.com/pic/MX25L3206E_PinOut.jpg

Which pins to connect?

Raspberry PI3 pin MX25L3206E pin
1 3.3v DC Power 7 HOLD & 3 WP (both to the same pin)
17 3.3v DC Power 8 Vcc
19 GPIO10 (SPI_MOSI) 5 SI/SIO
21 GPIO09 (SPI_MISO) 2 SO/SIO
23 GPIO11 (SPI_CLK) 6 SCLK
25 GROUND 4 GND
24 GPIO08 (SPI_CE1_N) 1 CS

Step 4: Verify connection to the BIOS chip from raspberry PI

flashrom -p linux_spi:dev=/dev/spidev0.0

Should get something like this:

Great success, we are connected and ready to read / write

Step 5: Attempt to back up old flash

flashrom -p linux_spi:dev=/dev/spidev0.0 -r oldBIOS.bin -c MX25L3206E/MX25L3208E

If successful we now have a “oldBIOS.bin” file with backup (can be edited using hex editor)

Step 6: Erase chip

flashrom -p linux_spi:dev=/dev/spidev0.0 -E -c MX25L3206E/MX25L3208E -V

Step 7: Write new binary onto the chip

flashrom -p linux_spi:dev=/dev/spidev0.0 -w “yourbinary.BIN” -c MX25L3206E/MX25L3208E -V

Replace “yourbinary.BIN” with your BIOS file, here are a couple of dumps:

 

QX90 frysky firmware update (RSSI + voltage telemetry)

What do we need need?

1. ISP programmer, I am using ISP on my ftdi usb adapter (http://i.imgur.com/0nUabaP.png)
2. Firmware (FrskyRx_F801_TELEMETRY_PFS_SBUS_240816) from this thread: https://www.rcgroups.com/forums/show…postcount=1147
3. Avrdude installed (I am using it on linux, but it should be the same syntax on windows)

Step by step:

1. Connect ISP port to RX http://i.imgur.com/xAZxm5t.jpg

ISP pinout: https://cdn.instructables.com/FR9/HX…IA4.MEDIUM.jpg
Reciever pinout: http://i.imgur.com/7Hi4lrZ.png

(make sure you are sending 3.3V and not 5V to power your rx!)

2. (only for ft232R based programmer like mine) Add the following at the end of avrdude.conf file:
programmer
id = “inland”;
desc = “FT232R Synchronous BitBang”;
type = “ftdi_syncbb”;
connection_type = usb;
reset = 7; #
sck = 5; #
mosi = 6; #
miso = 3; #
;

3. (Optional), to test connection try reading flash of your board, by executing
avrdude -c inland -p m328p -U flash:r:test.hex:i -C avrdude.conf -P usb

If you get a test.hex file created and it has hex values, we have a working connection. If it doesnt, check wiring. Also play around with position of the 1 and 2 switches on the board and repeat.

4. Flash new firmware.
avrdude -c inland -p m328p -U flash:w:FrskyRx_F802_PFS_SBUS_HUB_240816.hex:i -C avrdude.conf -P usb

Commands explained:
-c inland (setting programmer, in this case inland added in step 2, try others if this one is not working for you)
-p m328p (ATMEGA 328p)
-U flash:w:file.hex:i (file operation, write file.hex)
-C avrdude.conf (path to used avrdude.conf)
-P usb (port = USB)

5. Time to bind with new firmware, press the fs button while plugging the battery in and bind with your taranis. If successful, you will get RSSI reading right away: http://i.imgur.com/WAGtasA.jpg

6. Optionally connect V to A1 pin on the RX for voltage reading http://i.imgur.com/L5IQRDz.jpg

Credit to (RCgroups):
midelic (firmware)
damienyong, dwkchoi, pfriedel, Mephi,

UPDATE:

1. Connected as per http://i.imgur.com/7Hi4lrZ.png to isp headers of my programmer http://i.imgur.com/0nUabaP.png
2. Flashed https://www.rcgroups.com/forums/show…4&d=1472046872 using avrdude “avrdude -c inland -p m328p -U flash:w:FrskyRx_F802_PFS_SBUS_HUB_240816.hex:i -C /usr/share/arduino/hardware/tools/avr/etc/avrdude.conf -P usb”

3. Profit, now i need to figure out how to get a1 voltage reading.

Thanks for support.

ps. inland config thing from this thread: http://forum.arduino.cc/index.php?topic=216889.0

programmer
id = “inland”;
desc = “FT232R Synchronous BitBang”;
type = “ftdi_syncbb”;
connection_type = usb;
reset = 7; #
sck = 5; #
mosi = 6; #
miso = 3; #
;