dodain
Posts: 7
Joined: Fri Oct 01, 2021 7:12 am

How to ensure the CM4 EEPROM is write protected correctly

Tue Oct 05, 2021 11:32 am

On my CM4, I am trying to achieve EEPROM write protection. I followed the steps https://www.raspberrypi.org/documentati ... figuration.

My questions are:
1. How can I ensure that my EEPROM is write-protected?. There is this document which says if there are 3 long and 2 shot flashes it means the SPI EEPROM is write-protected. https://www.raspberrypi.org/documentati ... figuration . But when would these lights be flashed or when can I observe them?

2. After connecting jumper wires on J2 (1-2, and3-4) I still can run ./rpiboot -d recovery. Ideally, shouldn't it say that the pin 3-4 is low and can't write to the EEPROM ?

3. Also is there a way to verify via software maybe "rpi-eeprom-update" error perhaps that the SPI EEPROM is now write-protected.

4. I added "eeprom_write_protect=1" in recovery/config.txt and when I flashed it , thought the specific version of bootloader did write to the EEPROM but when I use "sudo -E rpi-eeprom-config" in PI, I don't see eeprom-write protection anywhere.

Any kind of help would be highly appreciated.

timg236
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 907
Joined: Thu Jun 21, 2018 4:30 pm

Re: How to ensure the CM4 EEPROM is write protected correctly

Tue Oct 05, 2021 12:34 pm

dodain wrote:
Tue Oct 05, 2021 11:32 am
On my CM4, I am trying to achieve EEPROM write protection. I followed the steps https://www.raspberrypi.org/documentati ... figuration.

My questions are:
1. How can I ensure that my EEPROM is write-protected?. There is this document which says if there are 3 long and 2 shot flashes it means the SPI EEPROM is write-protected. https://www.raspberrypi.org/documentati ... figuration . But when would these lights be flashed or when can I observe them?

2. After connecting jumper wires on J2 (1-2, and3-4) I still can run ./rpiboot -d recovery. Ideally, shouldn't it say that the pin 3-4 is low and can't write to the EEPROM ?
J2 is invisible to software and does NOT write protect the EEPROM. It just limits access to the *Write Status* register and it is the *Write Status* register which defines the write-protect regions which default to not protected. It's counterintuitive but unfortunately, that's just how these EEPROMs work.

See https://www.raspberrypi.org/documentati ... te_protect and the linked Winbond datasheet
https://www.winbond.com/resource-files/ ... 140325.pdf (See section 8.1.7 Status Register Memory Protection)

Setting eeprom_write_protect=1 when flashing the EEPROM via recovery.bin tells recovery.bin to mark the EEPROM as write-protected. If you then set the write-protect jumper nothing will be able to change those write-protect regions.

The LED error patterns indicate recovery.bin is unable to change the value of the Write Status register. So, you could use this to check the process above was successful.
dodain wrote:
Tue Oct 05, 2021 11:32 am

3. Also is there a way to verify via software maybe "rpi-eeprom-update" error perhaps that the SPI EEPROM is now write-protected.

4. I added "eeprom_write_protect=1" in recovery/config.txt and when I flashed it , thought the specific version of bootloader did write to the EEPROM but when I use "sudo -E rpi-eeprom-config" in PI, I don't see eeprom-write protection anywhere.
Any kind of help would be highly appreciated.
If the write-protect regions are defined then the bootloader will indicate this on the HDMI diagnostics screen by displaying RO in the 'bootloader:' line. Although, as mentioned previously, it can't know whether the jumper has been set without trying and failing to modify the WriteStatus register.

A true test would be to modify flashrom or use some direct SPI commands to independently verify that the bootloader is giving you the correct status! Although, that's a fair amount of work :)

dodain
Posts: 7
Joined: Fri Oct 01, 2021 7:12 am

Re: How to ensure the CM4 EEPROM is write protected correctly

Wed Oct 06, 2021 7:39 am

@tim thanks for the prompt response. A silly question, please do excuse me, how do I flash the recovery.bin on PI (the exact commands). I can download the recovery.bin file from https://github.com/raspberrypi/rpi-eepr ... e/critical and what are the next steps?

I tried doing curl -L -o pieeprom.original.bin https://github.com/raspberrypi/rpi-eepr ... covery.bin and then running ./update-pieeprom.sh but it gave the error "ERROR: /media/dodain/HDD/CM4/usbboot/recovery/pieeprom.original.bin: Expected size 524288 bytes actual size 106432 bytes" .

Also this 2 documentation contradict each other. The first one https://www.raspberrypi.org/documentati ... figuration says to edit the config.txt in the recovery/config.txt and add "eeprom_write_protect=1" to achieve eeprom write protection and then flast the pieeeprom.bin using ./rpiboot -d recovery. Whereas the second document https://www.raspberrypi.org/documentati ... te_protect suggests flashing recovery.bin , which bring back to the question of how to flash recovery.bin in compute Module 4. Kinda confused :P

timg236
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 907
Joined: Thu Jun 21, 2018 4:30 pm

Re: How to ensure the CM4 EEPROM is write protected correctly

Wed Oct 06, 2021 8:54 am

dodain wrote:
Wed Oct 06, 2021 7:39 am
@tim thanks for the prompt response. A silly question, please do excuse me, how do I flash the recovery.bin on PI (the exact commands). I can download the recovery.bin file from https://github.com/raspberrypi/rpi-eepr ... e/critical and what are the next steps?

I tried doing curl -L -o pieeprom.original.bin https://github.com/raspberrypi/rpi-eepr ... covery.bin and then running ./update-pieeprom.sh but it gave the error "ERROR: /media/dodain/HDD/CM4/usbboot/recovery/pieeprom.original.bin: Expected size 524288 bytes actual size 106432 bytes" .
The curl command will overwrite the EEPROM image binary (pieeprom.original.bin) with the tool which flashes the EEPROM (recovery.bin). It detects this and warns that this isn't a valid EEPROM image.

There's no need to change the 'recovery.bin' file in usbboot for CM4 and the default pieeprom.original.bin is the latest version recommended for use with CM4.

dodain
Posts: 7
Joined: Fri Oct 01, 2021 7:12 am

Re: How to ensure the CM4 EEPROM is write protected correctly

Wed Oct 06, 2021 9:57 am

It actually takes us back to the original post. I did change the config.txt in the recovery/config.txt and added the "eeprom_write_protect=1". Then I flashed it using ./sudo rpi-boot -d recovery and later lowed the J2 3and 4.

With the pins lowered (physical protection) and everything above done, I replaced the pieeprom.original.bin with a different version of bootloader and flashed it using ./sudo rpi-boot -d recovery and to my surprise, it got flashed and I verified via "vcgencmd bootloader_config" and the new bootloader version was showed.

timg236
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 907
Joined: Thu Jun 21, 2018 4:30 pm

Re: How to ensure the CM4 EEPROM is write protected correctly

Wed Oct 06, 2021 11:08 am

dodain wrote:
Wed Oct 06, 2021 9:57 am
It actually takes us back to the original post. I did change the config.txt in the recovery/config.txt and added the "eeprom_write_protect=1". Then I flashed it using ./sudo rpi-boot -d recovery and later lowed the J2 3and 4.

With the pins lowered (physical protection) and everything above done, I replaced the pieeprom.original.bin with a different version of bootloader and flashed it using ./sudo rpi-boot -d recovery and to my surprise, it got flashed and I verified via "vcgencmd bootloader_config" and the new bootloader version was showed.
recovery.bin will output messages in the UART log when it changes the write-protect status register. The HDMI diagnostics screen will also show 'RO' if the EEPROM is write protected. Please can you verify those two things and attach logs after running with "eeprom_write_protect=1"

dodain
Posts: 7
Joined: Fri Oct 01, 2021 7:12 am

Re: How to ensure the CM4 EEPROM is write protected correctly

Wed Oct 06, 2021 12:43 pm

Sure, let me give it a try again and I will update shortly.

timg236
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 907
Joined: Thu Jun 21, 2018 4:30 pm

Re: How to ensure the CM4 EEPROM is write protected correctly

Wed Oct 06, 2021 2:01 pm

dodain wrote:
Wed Oct 06, 2021 12:43 pm
Sure, let me give it a try again and I will update shortly.
UART logging is enabled by default in usbboot/recovery so you just need to collect a USB serial cable and collect logs with the terminal of your choice (Putty / MiniCom / Screen etc)

https://github.com/raspberrypi/usbboot/ ... config.txt

GPIO 14, 15 @115200 bps
https://www.raspberrypi.com/documentati ... pin-header

dodain
Posts: 7
Joined: Fri Oct 01, 2021 7:12 am

Re: How to ensure the CM4 EEPROM is write protected correctly

Thu Oct 14, 2021 6:49 am

Thanks Tim,

I was on road, so excuse for the late reply. I did verify via 3 sources and the EEPROM got write protected correctly.

1. Following are the UART logs after write protecting and updating the EEPROM.

SIG pieeprom.sig 4ad73618518de6e10cc3b991903b0b06a5a4b9aeade1b90481b8255a14a2894
Reading EEPROM: 524288
EEPROM is write protected (bc)
FATAL error-code 0x8000bfbc @ 0x00000000 0x00000000 0x00000000


2. After write protection, I got the error LEDs 3 long and 2 short blinks.
3. The HDMI would display a red light when updating the EEPROM after write protecting it.

Thanks a lot again for all the help.

timg236
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 907
Joined: Thu Jun 21, 2018 4:30 pm

Re: How to ensure the CM4 EEPROM is write protected correctly

Thu Oct 14, 2021 11:52 am

Thanks for replying with the logs. That shows the expected behaviour when an EEPROM update is attempted on a write-protected EEPROM.

N.B. recovery.bin only updates the EEPROM if the new image is different i.e. if you have to try to flash a different image to trigger the write protect failure.

Return to “Compute Module”