Bootloader unlock on samsung arm chromebook


Well one more post on chromebook. This chromebook is so secure that its really difficult to break its boot sequence and take control of the bootloader. explains the sequence. Some people might have been frustrated with that mandatory key press in developer mode. Archlinux guys have found a way to flash nv-uboot(non verified uboot) to spi firmware. This way you get a grub like interface to boot kernel of your wish.

Courtesy post in arch forum.

SPI is read-only by default. You can open the chromebook and remove a sticker in the motherboard which makes SPI read-write


0. Take a backup of all important data. Anything can go wrong. Have a bootable external mmc ready in case if anything goes wrong

1. Open backcover of chromebook. Follow instructions from ifixit


2. Next to usb-3 port lies a round ring shape circuit. Remove the stricker from it which will unshort the connection. This will make spi read-write. Make sure there are no traces of metal around it

3. Boot into chromeos. ctrl+alt+T and enter into sudo prompt
    $flashrom —wp-disable
    $flashrom —wp-status

check if write-protection is disabled. If not, go back and clean the circuit. I opened it twice. Download nv uboot image from (source: Strats’s post at Archlinux forum) gunzip it. You should be having a 4MB bin file. If downloaded bin is corrupt, you might endup with a bricked device. MD5 of extracted binary: CA50D23D315F1378B43E4552D8D441AD

    // Take backup and then flash
    $flashrom -p linux_spi:dev=/dev/spidev1.0 -r orig_image-snow.bin
    $flashrom -p linux_spi:dev=/dev/spidev1.0 -w nv_image-snow.bin
    $sync and reboot
4. Press space on reboot to get into uboot prompt. 
    $setenv bootdelay 1
    $vboot_twostop          will boot into chromeos
5. Booting custom OS
    format mmc in gpt format. Use cgpt/parted
    create a fat partition for boot, say size 256 MB - mmcblk1p1. Copy vmlinux(or any other kernel) from /boot of chromeos into this partition. Create an ext4 partition for rootfs - mmcblk1p2. copy any linux rootfs. Arch, suse-jeos and fedora worked for me
    At uboot prompt

    // choose 2nd mmc device. Internal mmc is dev 0
    $mmc dev 1

    // ls contents in filesystem. I get lot of dcache warnings. Still works
    $fatls mmc 1:1 /

    // load kernel to memory
    $fatload mmc 1:1 ${loadaddr} /vmlinux

   // set kernel boot parameters
    $setenv bootargs console=tty1 root=/dev/mmcblk1p2 rootfstype=ext4 rootwait rw   

    $bootm ${loadaddr}
    Now you have the freedom to boot any kernel without signing it.
    Disclaimer: TRY AT YOUR OWN RISK