Flashing coreboot on MacBook Air 5,2 using external SPI programmer

Recently I ported coreboot on MacBook Air 5,2 (13'' Mid 2012). This model has WSON-8 packaged SPI flash chip, which means you can't just use SOIC-8 clip such as Pomona 5250. I'll show you how to flash it using the J5100 debug connector on the mainboard and SPI adapter.

Open the laptop and find the debug connector:

You'll need an SPI adapter that plugs into it. I used the A4052 EasyFlash adapter; to use it, you also need 8-pin JST-SH 1.0mm male cable that plugs into this adapter's 8-pin header on the other side:

Here's the pinout of the adapter, left to right:

1  CS
2  3v3
4  Hold (NC)
5  WP (NC)
6  CLK
7  GND

Connect the JST-SH cable's wires to your SPI programmer (e.g. ft2232h, ch341a, Raspberry Pi 3 or whatever you use), all except VCC (3v3), then detach battery connector from the mainboard:

Plug the adapter into the J5100:

The 3v3 pin of J5100 is not connected directly to the flash chip (U6100) so I do not recommend to use it, it's very unreliable and almost never works. Instead, connect the 3v3 pin of your programmer to U7930's 3v3. It's connected directly to the SPI chip:

Try to probe the chip with flashrom (replace YOUR_PROGRAMMER with your programmer, e.g. linux_spi:dev=/dev/spidev0.0 for Raspberry Pi or ch341a_spi for CH341A):

$ sudo flashrom -p YOUR_PROGRAMMER

If the chip was successfully detected, you will see something like this:

flashrom v1.1-rc1-2-g93db6e1-dirty on Linux 4.14.24-v7+ (armv7l)
flashrom is free software, get the source code at https://flashrom.org

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found Micron/Numonyx/ST flash chip "N25Q064..3E" (8192 kB, SPI) on linux_spi.

Dump chip contents twice and compare the checksums. If they don't match, something's wrong with your setup:

$ sudo flashrom -p YOUR_PROGRAMMER -r backup01.bin
$ sudo flashrom -p YOUR_PROGRAMMER -r backup02.bin
$ md5 backup*

Building and flashing coreboot

Clone the coreboot repository:

$ git clone --recurse-submodules https://review.coreboot.org/coreboot.git && cd coreboot

Build the toolchain (you must have gnat compiler installed, it's required for building libgfxinit which is written in Ada):

$ make crossgcc-i386 CPUS=$(nproc)
$ make iasl

Now run make menuconfig and configure coreboot:

General setup --->
    [*] Use CMOS for configuration values

Mainboard --->
    Mainboard vendor (Apple)
    Mainboard model (MacBookAir5,2)

Devices --->
    Graphics initialization (Use libgfxinit)

Under the Payload menu, select payload of your taste.

If you want microcode updates:

General setup --->
    [*] Allow use of binary-only repository

If you want to "neutralize" Intel ME, first extract modules from the backup:

$ ifdtool -x backup01.bin

Then add descriptor and ME to the config:

Chipset --->
    [*] Add Intel descriptor.bin file
    (/path/to/flashregion_0_flashdescriptor.bin) Path and filename of the descriptor.bin file
    [*]   Add Intel ME/TXE firmware 
    (/path/to/flashregion_2_intel_me.bin) Path to management engine firmware
    [ ]     Verify the integrity of the supplied ME/TXE firmware
    [*]     Strip down the Intel ME/TXE firmware

Run make to build coreboot. At the end you should have build/coreboot.rom file. Don't flash the whole ROM to the chip, in most cases you only need to flash the bios region:

$ sudo flashrom -p YOUR_PROGRAMMER --ifd -i bios -N -w build/coreboot.rom

If you neutralized ME, flash the me region as well:

$ sudo flashrom -p YOUR_PROGRAMMER --ifd -i me -N -w build/coreboot.rom

When it's done, unplug the SPI adapter from the board, plug the battery connector, power up the laptop and enjoy open source firmware on your MacBook.

If you have any comments, contact me by email.