flashrom is a utility for identifying, reading, writing, and verifying flash memory chips. It supports hundreds of flash chip types and numerous programmers (internal chipsets, USB devices, SPI interfaces, JTAG), making it essential for firmware extraction, modification, and hardware security research.
# Install from repositories
sudo apt-get update
sudo apt-get install flashrom
# Or build from source
git clone https://review.coreboot.org/flashrom.git
cd flashrom
make
sudo make install
# Verify installation
flashrom --version
# Using Homebrew
brew install flashrom
# Verify installation
flashrom --version
# Already included, but update
sudo apt-get update
sudo apt-get install flashrom
# Check available programmers
flashrom -p internal --list-supported
| Programmer Type | Examples | Use Case |
|---|
| Internal | coreboot BIOS, chipset | Motherboard firmware |
| USB | CH341a, FT232H, USB Blaster | External SPI programming |
| JTAG | OpenOCD, Tigard, Bus Pirate | Debug interface access |
| SPI | dirtyjtag, Raspberry Pi GPIO | Direct chip interface |
| Serial | Serial port adapters | Legacy devices |
| Parallel | Parallel port (legacy) | Old hardware |
# Detect flash chip automatically
sudo flashrom -p internal
# Specify programmer explicitly
sudo flashrom -p internal:ich_spi_mode=auto
# List supported flash chips
flashrom --list-supported
# Verbose detection output
sudo flashrom -p internal -V
# Using CH341a USB programmer
sudo flashrom -p ch341a_spi
# Using FT232H
sudo flashrom -p ft2232_spi:type=232H,port=A
# Using Raspberry Pi GPIO
sudo flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=512
# Using Bus Pirate
sudo flashrom -p buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M
# Get detailed chip info
sudo flashrom -p internal -c "chip_model" -i
# List chip name and capacity
sudo flashrom -p internal | grep -E "Found|Size"
# Detect all parameters without reading
sudo flashrom -p internal -n
# Read entire flash to file
sudo flashrom -p internal -r firmware_backup.bin
# Read with verbose output
sudo flashrom -p internal -r firmware_backup.bin -V
# Read specific region only
sudo flashrom -p internal -l 0x000000 -s 0x100000 -r firmware_64kb.bin
# Verify read completed
ls -lh firmware_backup.bin
md5sum firmware_backup.bin
# Read firmware three times to verify consistency
sudo flashrom -p internal -r firmware_read1.bin
sudo flashrom -p internal -r firmware_read2.bin
sudo flashrom -p internal -r firmware_read3.bin
# Compare checksums
md5sum firmware_read*.bin
# Binary comparison
cmp firmware_read1.bin firmware_read2.bin && echo "Files identical"
# CH341a USB programmer
sudo flashrom -p ch341a_spi -r firmware_ch341.bin
# FT232H interface
sudo flashrom -p ft2232_spi:type=232H -r firmware_ft232.bin
# Raspberry Pi SPI
sudo flashrom -p linux_spi:dev=/dev/spidev0.0 -r firmware_pi.bin
# OpenOCD with JTAG
sudo flashrom -p openocd_spi -r firmware_openocd.bin
# CRITICAL: Always backup first
sudo flashrom -p internal -r original_firmware.bin
# Verify backup size
ls -lh original_firmware.bin
# Create checksum
sha256sum original_firmware.bin > firmware.sha256
# Write firmware image
sudo flashrom -p internal -w modified_firmware.bin
# Write with chip erase first
sudo flashrom -p internal -E
sudo flashrom -p internal -w modified_firmware.bin
# Write with progress output
sudo flashrom -p internal -w modified_firmware.bin -V
# Write specific region
sudo flashrom -p internal -l 0x1000 -s 0x10000 -w config_section.bin
# Write only bootloader region
sudo flashrom -p internal -l 0x0 -s 0x10000 -w bootloader.bin
# Write only kernel region
sudo flashrom -p internal -l 0x10000 -s 0x100000 -w kernel.bin
# Write only filesystem region
sudo flashrom -p internal -l 0x110000 -s 0x6f0000 -w filesystem.bin
# Read back and compare
sudo flashrom -p internal -r verification.bin
cmp original_firmware.bin verification.bin
# Checksum comparison
sudo flashrom -p internal -r verify.bin
sha256sum verify.bin
sha256sum original_firmware.bin
# Verbose verification
sudo flashrom -p internal -v modified_firmware.bin
# Write with automatic verify
sudo flashrom -p internal -w firmware.bin --verify
# Manual verify with offset checking
sudo flashrom -p internal -r verify.bin
hexdump -C verify.bin | head -20
hexdump -C modified_firmware.bin | head -20
# Erase entire flash chip
sudo flashrom -p internal -E
# Erase with confirmation
sudo flashrom -p internal -E -y
# Erase specific region only
sudo flashrom -p internal -l 0x10000 -s 0x100000 -E
# List sector layout
sudo flashrom -p internal -A
# Erase single sector (if supported)
sudo flashrom -p internal --erase-region=0x0,0x1000
# Erase multiple regions
sudo flashrom -p internal --erase-region=0x0,0x10000 --erase-region=0x100000,0x50000
CH341a Pin Layout:
GND -> Flash GND (pin 8)
3.3V -> Flash VCC (pin 4)
CLK -> Flash CLK (pin 6)
MOSI -> Flash SI (pin 5)
MISO -> Flash SO (pin 2)
CS -> Flash CS (pin 1)
# FT232H pin configuration
# Pin 1 (TDI) -> MOSI
# Pin 2 (GND) -> GND
# Pin 3 (TDO) -> MISO
# Pin 4 (TCK) -> CLK
# Pin 5 (3.3V) -> VCC
# Pin 9 (CS) -> Chip Select
# Install libftdi
sudo apt-get install libftdi-dev
# Load FTDI driver
sudo modprobe ftdi_sio
# Enable SPI on Raspberry Pi
sudo raspi-config
# Navigate to: Interfacing Options > SPI > Enable
# Pin mapping for standard SPI:
GPIO 10 (MOSI) -> Flash SI
GPIO 9 (MISO) -> Flash SO
GPIO 11 (SCLK) -> Flash CLK
GPIO 8 (CE0) -> Flash CS
GND -> Flash GND
3.3V -> Flash VCC
# Test SPI connection
ls /dev/spidev*
# Read with Raspberry Pi
sudo flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=512 -r firmware.bin
# Detect BIOS flash chip
sudo flashrom -p internal
# Read BIOS firmware
sudo flashrom -p internal -r bios_backup.bin
# Analyze with binwalk
binwalk bios_backup.bin
# Extract components
binwalk -e bios_backup.bin
# Examine structure
strings bios_backup.bin | grep -E "BIOS|vendor|version"
# Connect programmer to target device
# Identify flash chip model from PCB
# Read firmware
sudo flashrom -p ch341a_spi -r device_firmware.bin
# Verify read
file device_firmware.bin
ls -lh device_firmware.bin
# Check for common formats
binwalk device_firmware.bin
strings device_firmware.bin | head -20
# Read full flash
sudo flashrom -p internal -r full_flash.bin
# Extract bootloader (usually first 64KB)
dd if=full_flash.bin of=bootloader.bin bs=1024 count=64
# Analyze bootloader
strings bootloader.bin | grep -E "boot|version"
hexdump -C bootloader.bin | head -20
# Compare bootloaders
sha256sum bootloader.bin /path/to/reference/bootloader.bin
# Read original firmware
sudo flashrom -p internal -r original.bin
# Create modified version
cp original.bin patched.bin
# (Use hex editor or dd to modify specific bytes)
# Verify patch location
hexdump -C original.bin | grep -A2 -B2 "patch_location"
hexdump -C patched.bin | grep -A2 -B2 "patch_location"
# Write patched firmware
sudo flashrom -p internal -E
sudo flashrom -p internal -w patched.bin --verify
# Read all flash
sudo flashrom -p internal -r device_full.bin
# Analyze components
binwalk -e device_full.bin
# Modify selected components
# (edit filesystem, kernel, etc)
# Rebuild complete image
cat bootloader.bin kernel.bin filesystem.bin > modified_full.bin
# Verify size matches original
ls -lh device_full.bin modified_full.bin
# Write new image
sudo flashrom -p internal -w modified_full.bin
# Script for multiple device programming
#!/bin/bash
for device in device1 device2 device3; do
echo "Programming $device..."
sudo flashrom -p internal -w firmware_${device}.bin
sudo flashrom -p internal -v firmware_${device}.bin
[ $? -eq 0 ] && echo "SUCCESS: $device" || echo "FAILED: $device"
done
# Connect external programmer
# Identify original firmware if available
# Erase corrupted flash
sudo flashrom -p ch341a_spi -E
# Write known-good firmware
sudo flashrom -p ch341a_spi -w original_firmware.bin
# Verify write
sudo flashrom -p ch341a_spi -v original_firmware.bin
# Power cycle device
# Verify programmer connection
sudo flashrom -p internal -n
# Check for voltage issues
# (use multimeter: measure 3.3V on VCC pin)
# Try with verbose output
sudo flashrom -p internal -V
# Check system logs
dmesg | tail -20
# Check current SPI speed
sudo flashrom -p ch341a_spi
# Reduce speed if unreliable
sudo flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=256 -r firmware.bin
# Increase speed if reliable
sudo flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=1024 -r firmware.bin
# Run with sudo (safest approach)
sudo flashrom -p internal -r firmware.bin
# Or add user to plugdev group
sudo usermod -a -G plugdev $USER
newgrp plugdev
# Reload udev rules
sudo udevadm control --reload-rules
sudo udevadm trigger
# Read multiple times to verify
sudo flashrom -p internal -r test1.bin
sudo flashrom -p internal -r test2.bin
cmp test1.bin test2.bin
# Check for bit errors
sha256sum test1.bin test2.bin
# Try different speed/voltage settings
- Always backup before writing to any flash device
- Verify checksums of backup files immediately after reading
- Use external programmer for critical devices (motherboards, BIOS)
- Test on non-critical hardware before working on valuable devices
- Double-check wiring before powering on any hardware
- Keep device powered during read/write operations
- Document modifications with timestamps and references
- Use protective equipment (ESD strap) when handling electronics
- Test recovery procedure with external programmer setup
- Maintain firmware backups in multiple secure locations
| Manufacturer | Series | Typical Uses | Notes |
|---|
| Winbond | W25Q (SPI) | BIOS, IoT | Most common |
| Macronix | MX25L (SPI) | Routers, embedded | Wide support |
| Spansion | S25FL (SPI) | Industrial | Reliable |
| Micron | MT25Q (SPI) | High-reliability | Aerospace-grade |
| SST | SST25VF (SPI) | Legacy systems | Older devices |
| Samsung | K8D (NAND) | Mobile devices | NAND flash |
| SK Hynix | HY27UF (NAND) | Legacy hardware | Older chips |
# Extract firmware
sudo flashrom -p internal -r firmware.bin
# Analyze with Ghidra
ghidra firmware.bin
# Identify memory layout
strings firmware.bin | grep -E "0x[0-9a-f]{8}"
# Read and analyze
sudo flashrom -p internal -r firmware.bin
binwalk firmware.bin
# Extract components
binwalk -e firmware.bin
cd _firmware.bin.extracted
