Add cr50 CCD documentation

BUG=none
BRANCH=none
TEST=none

Change-Id: Ie98a333ad2fa3ef92bf42a7d86bfa4ca8f18be61
Signed-off-by: Mary Ruthven <mruthven@google.com>
Reviewed-on: https://chromium-review.googlesource.com/1269649
Commit-Ready: Mary Ruthven <mruthven@chromium.org>
Tested-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>

2 files changed, 619 insertions, 17 deletions

diff --git a/docs/case_closed_debugging.md b/docs/case_closed_debugging.md
index c3d0eb62ca..ba0ec438ad 100644
--- a/docs/case_closed_debugging.md
+++ b/docs/case_closed_debugging.md
@@ -1,5 +1,5 @@
-Case Closed Debugging
-=====================
+Case Closed Debugging (CCD)
+===========================
 
 Case closed debugging is a feature of the EC codebase that can bridge UART
 consoles and SPI busses from a DUT (Device Under Test) to the host machine via
@@ -10,9 +10,10 @@ access and firmware flashing for kernel and system developers.
 Prerequisites
 -------------
 
-### Ryu
-Currently only Ryu has support for case closed debugging.  The first version of
-Ryu that supported case closed debugging was P3.
+### Supported Devices
+We have added CCD support for two chip families: stm32 and gchips. Ryu,
+servo\_micro, and servo\_v4 use the stm32 support. Cr50 uses gchips support.
+All boards with Cr50 have support for case closed debugging.
 
 ### Suzy-Q
 Suzy-Q is a Type-C dongle that exposes USB2.0/3.0 on a Type-A socket, case
@@ -57,8 +58,10 @@ charge the device.
 Suzy-Q should be connected to the DUT using the Type-C cable and connector
 integrated into Suzy-Q.  This connector may need to be flipped to make case
 closed debugging work because the SBU lines that are used to expose the PD
-MCU's USB interface are not orientation invariant.  Suzy-Q should be connected
-to the Host with a Type-A (Host) to Micro Type-B (Suzy-Q) cable.
+MCU's USB interface are not orientation invariant.  Only one port on the DUT
+will support CCD.  Try using the other port if the CCD device doesn't appear.
+Suzy-Q should be connected to the Host with a Type-A (Host) to Micro Type-B
+(Suzy-Q) cable.
 
 ### Host
 The Udev rule file should be installed, it will generate useful symlinks in
@@ -88,8 +91,13 @@ The raiden module solves this by identifying a CCD serial port by the subclass
 and protocol numbers of the USB device interface.  This means that there does
 not need to be a list of CCD capable device IDs anywhere.
 
-Use
----
+Basic CCD
+---------
+Here's the basic information for how to use CCD. Cr50 has more complicated
+usage and setup instructions. See the cr50 specific CCD doc for more in depth
+instructions.
+
+### Consoles
 
 The serial consoles exposed by case closed debugging can be found in
 `/dev/google/<device name>/serial/<console name>` and can be opened with any
@@ -103,6 +111,7 @@ reboots of either the Host or the DUT.  The `<console name>` field is just the
 associated with this console device.  This allows a single DUT to expose
 multiple serial consoles in a discoverable and consistent manner.
 
+### Flash AP
 Programming the AP SPI flash with a new firmware image can be done with flashrom
 using the command:
 
@@ -115,6 +124,15 @@ can be used to identify the intended DUT.  Flashrom programmer parameters are
 added to the programmer name (the -p argument) by appending a colon and then a
 comma separated list of key=value pairs.
 
+Cr50 can be used to flash the AP or EC.  You will need to specify the AP as the
+target device, so cr50 knows to flash the AP.
+`sudo flashrom -p raiden_debug_spi:target=AP -w image.bin`
+
+### Flash EC
+You can use `util/flash_ec` to flash the EC.  Steps for flashing the EC are more
+complex and board specific than flashing the AP.  This script will handle all
+the board specific setup.
+
 Known Issues
 ------------
 
@@ -122,16 +140,33 @@ Known Issues
 you need to attach a flash drive, or use Fastboot/adb you'll need to swap
 cables.
 
-2. Software sync of the EC/PD processor and the jump from RO to RW versions
-will cause the case closed debugging USB device to disconnect and reconnect.
-This can be prevented by disabling software sync.  This is done by setting the
-`GBB_FLAG_DISABLE_EC_SOFTWARE_SYNC` and `GBB_FLAG_DISABLE_PD_SOFTWARE_SYNC` flags
-with `gbb_utility`.
+2. Ryu implementation: software sync of the EC/PD processor and the jump from
+RO to RW versions will cause the case closed debugging USB device to disconnect
+and reconnect. This can be prevented by disabling software sync.  This is done
+by setting the `GBB_FLAG_DISABLE_EC_SOFTWARE_SYNC` and `
+GBB_FLAG_DISABLE_PD_SOFTWARE_SYNC` flags with`gbb_utility.
 
 Troubleshooting
 ---------------
+Check for the CCD device using the following vendor:product IDs
+
+| Device | VID:PID |
+| :---| :---: |
+| servo_micro | 18d1:501a |
+| servo_v4 | 18d1:501b |
+| ryu | 18d1:500f |
+| cr50 | 18d1:5014 |
+
+1. Can't see the CCD device on the host.
+
+	1. Type-C cable from Suzy-Q to the DUT may be upside down.  The SBU lines
+	used for case closed debugging are not orientation invariant.
+	2. You may be using the wrong device port. Try using the other port.
+	3. The device may not be charged enough to boot. Suzy-Q can't charge the
+	device or supply enough power for the DUT to boot. Make sure the device
+	is somewhat charged.
 
-1. No console interfaces are avaiable in the `/dev/google/<name>` directory.
+2. No console interfaces are available in the `/dev/google/<name>` directory.
 
 	1. Kernel module may not be loaded.
 	2. Udev rules file might not be installed correctly.
@@ -139,12 +174,12 @@ Troubleshooting
 	4. Type-C cable from Suzy-Q to the DUT may be upside down.  The SBU lines
 	used for case closed debugging are not orientation invariant.
 
-2. Garbage messages (AT command set) show up on one or more consoles.
+3. Garbage messages (AT command set) show up on one or more consoles.
 
 	1. ModemManager has claimed the interface, Udev rules file may not be
 	installed correctly.
 
-3. Console interfaces appear and then quickly disappear
+4. Console interfaces appear and then quickly disappear
 
 	1. Software sync from the AP has replaced the PD firmware with a version
 	that is not compatible with case closed debugging.
diff --git a/docs/case_closed_debugging_cr50.md b/docs/case_closed_debugging_cr50.md
new file mode 100644
index 0000000000..5aabff1b8f
--- /dev/null
+++ b/docs/case_closed_debugging_cr50.md
@@ -0,0 +1,567 @@
+# Google Security Chip (GSC) Case Closed Debugging (CCD)
+
+Cr50 is the firmware that runs on the Google Security Chip. It has support for
+Case Closed Debugging (CCD). This support is complete enough to replace servo.
+This doc explains how to setup CCD, so you can access all of the necessary
+features to develop firmware on your device or control different components.
+Please run through the basic setup steps before trying to flash the AP
+firmware. CCD could help recover your device if you flash broken firmware, but
+**if you brick your device before setting up CCD, you may not be able to enable
+it**.
+
+[TOC]
+
+# Background
+
+Cr50 CCD was designed to restrict CCD access to device owners. There are **CCD
+privilege levels** that can be used to enable access to different CCD
+capabilities **Open, Unlocked, Locked**.
+
+All CCD functionality has been assigned to different **CCD capabilities**.
+Capability settings can be modified to require certain privilege levels to
+access the each capability. Setting a capability requirement to **IfOpened**
+will require a level of **Open** to access that capability. A requirement of
+**UnlessLocked** will require the device to be **Open** or **Unlocked** to
+access the capability. Setting the requirement to **Always** will make the
+capability always accessible.
+
+Owners can use these settings to customize the CCD so it is as open or
+restricted as they want.
+
+# CCD Capabilities
+
+Cr50 is locked by default. Here are all of the Capabilities and their default
+settings.
+
+| Capability      | Default  | Function                                        |
+| --------------- | -------- | ----------------------------------------------- |
+| UartGscRxAPTx   | Always   | controls reading from the AP console            |
+| UartGscTxAPRx   | Always   | controls writing to the AP console              |
+| UartGscRxECTx   | Always   | controls reading from the EC console            |
+| UartGscTxECRx   | IfOpened | controls writing to the EC console              |
+| FlashAP         | IfOpened | controls flashing the AP                        |
+| FlashEC         | IfOpened | controls flashing the EC                        |
+| OverrideWP      | IfOpened | controls controlling write protect              |
+| RebootECAP      | IfOpened | controls rebooting the EC/AP from the cr50 console |
+| GscFullConsole  | IfOpened | controls access to restricted Cr50 console commands |
+| UnlockNoReboot  | Always   | controls unlocking Cr50 without rebooting the AP |
+| UnlockNoShortPP | Always   | controls unlocking Cr50 without physical presence |
+| OpenNoTPMWipe   | IfOpened | controls opening Cr50 without wiping the TPM    |
+| OpenNoLongPP    | IfOpened | controls opening Cr50 without physical presence |
+| BatteryBypassPP | Always   | controls opening cr50 without physical presence and dev mode if the battery is removed |
+| UpdateNoTPMWipe | Always   | controls updating cr50 without wiping the TPM   |
+| I2C             | IfOpened | controls access to the I2C master (used for measuring power) |
+| FlashRead       | Always   | controls dumping a hash of the AP or EC flash   |
+| OpenNoDevMode   | IfOpened | controls opening cr50 without dev mode          |
+| OpenFromUSB     | IfOpened | controls opening cr50 from USB                  |
+
+# CCD Setup
+
+Some basic CCD functionality is accessible by default. There is read-only access
+to the EC console and read-write access to the AP console. There are some basic
+cr50 console commands you can run.
+
+Cr50 CCD needs to be opened to access all CCD functionality or to modify
+capability settings so the device doesn't need to be open to access CCD
+functionality.
+
+### Basic Steps for CCD setup
+
+1.  Use instructions from the case\_closed\_debugging doc to connect to the cr50
+    console.
+
+2.  [Open CCD](#Open-CCD)
+
+3.  [Modify capabilities](#Enable-Open-Without-Requiring-Device-to-Boot) to make
+    it easier to open cr50 or access necessary capabilities - this step is
+    optional, but **the open state will be lost if cr50 reboots or the device
+    loses power**. If your use of CCD will possibly brick the device, it is
+    recommended you modify the capability settings or set a ccd password, so you
+    can reopen the device.
+
+4.  Use CCD
+
+### Open CCD
+
+The first cr50 image with CCD support was 0.3.9. If you are not running 0.3.9,
+you need to download the image and update cr50 from the AP or using Suzy-Q.
+https://storage.googleapis.com/chromeos-localmirror/distfiles/cr50.r0.0.10.w0.3.9.tbz2
+
+You can download the cr50 image and then flash cr50 using Suzy-Q from the chroot
+
+    from chroot > sudo gsctool cr50.r0.0.10.w0.3.9/cr50.bin.prod
+
+If you are only briefly using ccd and aren’t doing anything that may brick the
+device, you can probably just stick to opening cr50. **The open state will be lost
+after cr50 reboot. If you don’t want to have to reopen cr50, you may want to
+setup the ccd capabilities so you can use them without needing cr50 to be
+open.**
+
+#### Standard Process (Requires Booting to Kernel)
+
+If your device can boot, you can open Cr50 by entering dev mode and then sending
+the ccd open command from the kernel.
+
+##### Enter dev mode
+
+Entering dev mode has to be done manually. Using the gbb flags to force dev mode
+will not work.
+
+1.  First, on a root shell on the device, check the force dev mode flag isn’t
+    set GBB flags by running. If you can’t access the shell, because you aren’t
+    in dev mode, then you’re fine. You can skip steps 1, 2, and 3.
+
+        AP > /usr/share/vboot/bin/get_gbb_flags.sh
+
+2.  Clear 0x8 from the GBB flags and set the new value
+
+        AP > /usr/share/vboot/bin/set_gbb_flags.sh $OLD_FLAG_VALUE & ~0x8
+
+3.  Reboot the device
+
+4.  Put the device into recovery mode
+
+    -   **Tablets/Detachables** - hold power button vol up and vol down for 10
+        seconds. Release and wait until the device boots into recovery
+    -   **Clamshells/Convertibles** - press power button escape refresh
+    -   **Chromeboxes** - Use a paperclip to press the recovery button while
+        plugging in AC.
+    -   **Using servo** - If cr50 is open or you are using a flex cable you
+        can, you can use `dut-control power_state:rec`
+
+5.  Enable developer mode
+
+    -   **Tablets/Detachables** - After the device boots into recovery, press
+        volume up and volume down at the same time to get to the enable dev mode
+	menu. Use volume up button to navigate to “confirm disabling os
+	verification” use the power button to select it
+    -   **Clamshells/Convertibles** - press ctrl+d on keyboard or AP console to
+        select developer mode then enter to enable it.
+    -   **Chromeboxes** - Use a paper clip to press the dedicated recovery
+        button
+
+6.  Verify Cr50 knows the device is in dev mode. The TPM state will print
+    `dev_mode` if cr50 knows the device is in dev mode. If it doesn’t say
+    `dev_mode`, ccd open will fail. If you see "`TPM: dev_mode`" you are okay to
+    CCD open now. **If you don’t see `TPM: dev_mode`, recheck the gbb flags to
+    make sure they aren’t forcing dev mode. Retry the manual entry of dev
+    mode.**
+
+```
+    cr50 > ccd
+          State: Locked
+          Password: none
+          Flags: 0x000001
+          Capabilities: 0000000000000000
+          UartGscRxAPTx   Y 0=Default (Always)
+          UartGscTxAPRx   Y 0=Default (Always)
+          UartGscRxECTx   Y 0=Default (Always)
+          UartGscTxECRx   - 0=Default (IfOpened)
+          FlashAP         - 0=Default (IfOpened)
+          FlashEC         - 0=Default (IfOpened)
+          OverrideWP      - 0=Default (IfOpened)
+          RebootECAP      - 0=Default (IfOpened)
+          GscFullConsole  - 0=Default (IfOpened)
+          UnlockNoReboot  Y 0=Default (Always)
+          UnlockNoShortPP Y 0=Default (Always)
+          OpenNoTPMWipe   - 0=Default (IfOpened)
+          OpenNoLongPP    - 0=Default (IfOpened)
+          BatteryBypassPP Y 0=Default (Always)
+          UpdateNoTPMWipe Y 0=Default (Always)
+          I2C             - 0=Default (IfOpened)
+          FlashRead       Y 0=Default (Always)
+          OpenNoDevMode   - 0=Default (IfOpened)
+          OpenFromUSB     - 0=Default (IfOpened)
+          TPM: dev_mode                         <==== This is the important part
+          Use 'ccd help' to print subcommands
+```
+
+##### Run ccd open
+
+You can start the open process from the AP. Once you start the process, you will
+need to press the power button when prompted open cr50.
+
+1.  Start the ccd open process from the AP.
+
+         AP shell > gsctool -a -o
+
+2.  Over the next 5 minutes you will be prompted to tap the power button.
+
+3.  After the process is finished, use ‘ccd’ on the cr50 console to verify the
+    state is open
+
+The Open setting will be lost whenever cr50 reboots. Make sure to setup ccd so
+you will be able to recover the device even if Open is lost. To open cr50 you
+need access to the AP. If your debugging will make the AP inaccessible and you
+want to ensure that you can recover the device, you either need to modify the
+capability settings so you can access the capabilities necessary to recover the
+device while cr50 is locked or you need to modify the capabilities so you don't
+need the AP to open cr50.
+
+If you need to reflash the AP or EC, you can set the FlashEC or FlashAP
+capabilities to Always.
+
+If you want to be able to open cr50 without the AP, set OpenNoDevMode and
+OpenFromUSB to Always.
+
+#### CCD Open Without Booting the Device
+
+If you can’t boot the device, you won’t be able to enter dev mode and send the
+open command from the AP. You will need to follow some non-standard methods to
+open the device. If you have enabled ccd before, cr50 may be configured in a way
+that you can still open cr50. If you haven't setup CCD before, you will need to
+remove the battery to enable CCD.
+
+##### Can remove the Battery
+
+If you can remove the battery, you can bypass the AP command/dev mode
+requirements. `ccd open` is allowed from the console if FWMP doesn’t disable ccd
+and the battery is disconnected. This is the most universal method and will work
+even if you haven’t enabled ccd before. Some devices are glued shut if you
+can’t/don’t want to unglue your device do not rely on this method. Setup ccd
+correctly before flashing the AP/EC.
+
+1.  Disconnect the battery
+
+2.  Send ‘ccd open’ from the cr50 console.
+
+##### CCD testlab is enabled
+
+You can check if testlab is enabled cr50 from the console.
+
+    cr50 > ccd testlab
+            CCD test lab mode enabled
+
+If it’s enabled, you can open cr50 from the console without physical presence.
+
+    cr50 > ccd testlab open
+
+##### OpenNoDevMode and OpenFromUSB are set to Always
+
+This requires >=0.3.10. If these capabilities are set, you will be able to open
+cr50 from the console without dev mode.
+
+    cr50 > ccd open
+
+##### CCD Password is Set
+
+You can run ccd open with the password to open from the console.
+
+    cr50 > ccd open $PASSWORD
+
+### Configure CCD
+
+Cr50 capabilities allow you to configure CCD to restrict or open the device as
+much as you want. You can use the `ccd` command to check and modify the
+capabilities. Cr50 has to be open to change the capabilities. Setting
+capabilities you want to use to Always will make them accessible even if cr50
+loses the open state. If you are using capabilities that may cause cr50 to
+reboot or may brick the device, you should set the capabilities needed to
+recover the device to Always or setup the capabilities so you can open cr50
+without booting the device.
+
+Basic ccd functionality is covered by UartGscTxECRx, UartGscRxECTx,
+UartGscTxAPRx, UartGscRxAPTx, FlashAP, FlashEC, OverrideWP, and GscFullConsole.
+
+You can go through the capability descriptions and figure out which ccd
+capabilities you want to use. After you figure that out you can modify the
+capabilities to Always be accessible.
+
+    > ccd set $CAP $REQ
+
+For example if the EC console needs to be read-write even when Cr50 is locked
+set the capability to Always.
+
+    > ccd set UartGscTxECRx Always
+
+If you want to restrict capabilities more you can set them to IfOpened. If you
+don’t want the AP/EC uart to be accessible at all when cr50 is locked, you can
+set them all to IfOpened.
+
+Restrict EC
+
+    > ccd set UartGscTxECRx IfOpened
+    > ccd set UartGscRxECTx IfOpened
+
+Restrict AP
+
+    > ccd set UartGscTxAPRx IfOpened
+    > ccd set UartGscRxAPTx IfOpened
+
+If you want things as accessible as possible and want all capabilities to be
+Always, you can run
+
+    > ccd reset factory
+
+This will also permanently disable write protect. To reset write protect run
+
+    > wp follow_batt_pres atboot
+
+To reset capabilities to Default run
+
+    > ccd reset
+
+#### Enable Open Without Requiring Device to Boot
+
+By default Cr50 requires enabling dev mode before you can open the device and
+the open command has to be sent from the AP. You can change the capabilities to
+remove these requirements if you think your development may prevent the device
+from booting. You can also set the ccd password to get around these
+requirements. These options offer different pros and cons. You can decide which
+is best for you.
+
+##### Set Capabilities
+
+After opening cr50, you can set these capabilities to reduce the restrictions
+required to open cr50.
+
+    > ccd set OpenFromUSB Always
+    > ccd set OpenNoDevMode Always
+
+##### CCD Password
+
+A ccd password can also be used to get around the open restrictions. The
+password will be required to reopen or unlock cr50, so keep track of the
+password. It can't be reset unless cr50 is open, so if you forget it, nothing
+can be done to reopen cr50.
+
+###### Set Password
+
+Run the gsctool command and enter the password when prompted. It will prompt
+for the password twice.
+
+    from ap shell > gsctool -a -P
+
+You can use the ccd command to check if the password is set.
+
+    cr50 > ccd
+           ...
+           Password: [none|set]
+           ...
+
+###### Clear Password
+
+You can clear the password by opening cr50 and then running the gsctool command
+agatin. When prompted for the password enter `clear:$PASSWORD` at both prompts.
+
+You can also use the cr50 `ccd reset` command when cr50 is open. This will clear
+the password and reset all ccd capabilities to default.
+
+###### Use Password
+
+After the password has been set you can use it to run ccd commands from the cr50
+console.
+
+    cr50 > ccd open $PASSWORD
+    cr50 > ccd unlock $PASSWORD
+
+You can use it from the AP shell
+
+    cr50 > gsctool -a -o
+    cr50 > gsctool -a -u
+
+enter the password when prompted
+
+# Using CCD
+
+## Rddkeepalive
+
+Cr50 only enables ccd when it detects a debug accessory is connected. It detects
+the cable based on the voltages on the CC lines. If you are flashing the EC and
+AP, these cc voltages may become unreliable for detecting a debug accessory. You
+can use a cr50 command to tell cr50 to ignore the voltages on these cc lines and
+just keep ccd enabled. There are many things that could interfere with rdd, so
+it’s probably best to run this before doing anything else using ccd.
+
+    cr50 > rddkeepalive enable
+
+This command is useful for making sure ccd stays enabled during debugging. It
+will increase cr50 power a lot when the debug cable is disconnected. If you’re
+worried about that, disable rddkeepalive when you're not using ccd.
+
+    cr50 > rddkeepalive disable
+
+## Consoles
+
+Cr50 presents 3 consoles through CCD. It has the AP, EC, and Cr50 console. The
+AP and EC consoles can be restricted using the 4 ccd uart capabilities
+**UartGscRxAPTx, UartGscTxAPRx, UartGscRxECTx, UartGscTxECRx**. The default
+setup is the AP is read write. The EC is read only. Cr50 console input/output
+can’t be suppressed.  You can only use the **GscFullConsole** capability to
+enable restricted console commands.
+
+Cr50 will create 3 /dev/ttyUSBX devices. They’re the cr50, AP, and EC console.
+The cr50 console normally has the lowest number. The AP and EC are the other
+two. You can figure out which one is which by pressing the power button or
+rebooting the device and looking at the uart output. If you have a bunch of
+devices, you can unplug suzyq and see which devices disappear to figure out the
+relevant ones.
+
+Servo can also figure this out for you. You can start servo like you normally do
+
+    chroot > sudo servod -b $BOARD
+
+After starting servo, you can use dut-control to get the consoles
+
+    chroot > dut-control cr50_uart_pty ec_uart_pty cpu_uart_pty
+
+## Flashing EC
+
+This is restricted by the **FlashEC** capability. This must be accessible to
+flash the EC.
+
+The steps to flash the EC differ a lot based on what board you’re using. You
+should stick to using `flash_ec` to handle flashing the ec, because the steps
+can get pretty complicated and are board specific.
+
+You will need to start servod then `flash_ec` will handle sending the correct
+cr50 console commands and updating the EC.
+
+    chroot > sudo servod -b $BOARD
+    chroot > ~/trunk/src/platform/ec/util/flash_ec -i $IMAGE -b $BOARD
+
+## Flashing the AP
+
+This is restricted by the **FlashAP** capability. This must be accessible to
+flash the AP.
+
+Flashing the AP is standard across boards.
+
+    chroot > sudo flashrom -p raiden_debug_spi:target=AP -w $IMAGE
+
+If you have a lot of ccd devices plugged in, you may want to use the cr50
+serialname. You can get this by running
+
+    chroot > lsusb -vd 18d1:5014 | grep iSer
+
+You can add the serialname to the flashrom command using
+
+    chroot > sudo flashrom -p raiden_debug_spi:target=AP,serial=$SERIAL -w $IMAGE
+
+**If you don’t see cr50 print any messages when you’re running the flashrom
+command, you probably need to use the serialname.**
+
+## WP control
+
+This is restricted by the **OverrideWP** capability. If this capability is
+accessible, you can use the cr50 `wp` command. If it's not, you can only control
+write protect using battery presence.
+
+### WP console command
+
+You can use the cr50 console command to change the write protect settings.
+
+There are three write protect settings: `forced enabled, forced disabled,
+follow_batt_pres`.
+
+*   **`follow_batt_pres`** - DEFAULT SETTING - use battery presence to determine
+    the write protect setting. If the battery is connected, enable write
+    protect. If the battery is disconnected, disable write protect. If the board
+    doesn’t have a battery, then normally a screw is used. If the screw is
+    present, enable wp. If it’s not, disable wp.
+
+*   **`enabled`** - enable write protect no matter the state of the battery.
+    Protect things like the AP/EC flash and various other components that use
+    this write protect signal
+
+*   **`disabled`** - write protect is deasserted no matter the state of the
+    battery. You’ll be able to modify things like AP RO
+
+You can set these from the cr50 console
+
+    cr50 > wp [enable|disable|follow_batt_pres]
+
+This setting will persist until it is cleared using the wp command or until cr50
+reboots/loses power. After these resets, cr50 will default to the atboot
+setting. The default setting is follow\_batt\_pres, so cr50 will go back to
+following battery presence after reboot unless the atboot setting has been
+overridden.
+
+Using the `atboot` arg will update the current and atboot wp state. If the
+`atboot` arg is given to the wp command, then the setting will persist until it
+is cleared by the wp command. It won’t be reset by anything else, so if you only
+want to disable/enable write protect for a short time, make sure atboot is set
+to `follow_batt_pres`. If you want to permanently disable or enable write
+protect and want to ignore the battery, this is a good setting to update.
+
+    cr50 > wp [enable|disable|follow_batt_pres]
+
+You can use the wp command to get the write protect state even if the capability
+is restricted.
+
+```
+    cr50 > wp
+
+           Flash WP: [forced ]enabled|disabled
+             atboot: forced enabled | force disabled | follow_batt_pres
+```
+
+Gsctool also supports getting the write protect state
+
+    AP > gsctool -a -W
+
+The output will show the current and atboot setting.
+
+The current wp setting will not explicitly show that write protect is currently
+following battery presence. You have to get this by checking if the wp state is
+‘forced’ enabled/disabled. Forced means write protect is being overridden by the
+console command. If it just shows the state without forced, write protect is
+following battery presence.
+
+The atboot setting shows what the wp state will reset to after reboot.
+
+### Battery Presence
+
+If the OverriedWP command isn’t accessible, you can use battery presence to
+change the wp state as long as the wp setting is still `follow_batt_pres`.
+
+*   wp disable - disconnect the battery
+
+*   wp enable - connect the battery
+
+If the wp setting has been overridden by ccd, this won’t work until the current
+wp setting is reset to `follow_batt_pres`
+
+    cr50 > wp follow_batt_pres atboot
+
+#### HW WP quirks
+
+##### Chromeboxes
+
+Chromeboxes do not have batteries, so cr50 can't use battery presence for write
+protect. They use a write protect screw. You need to remove the write protect
+screw to disable write protect if cr50 is set to `follow_batt_pres`.
+
+##### Bob
+
+Bob's have a write protect screw in addition to battery presence. The write
+protect screw will force enable write protect until it's removed. If cr50 is set
+to `follow_batt_pres`, you need to remove the write protect screw and disconnect
+the battery to disable write protect. If you run `wp disable`, you will also
+need to remove the screw.
+
+# CCD as a Servo replacement
+
+Once cr50 is open and all capabilities have been set to Always, cr50 should be
+able to be used as a servo replacement. It has all of the capabilities servo
+does and support has been added to hdctools to convert servo controls to cr50
+and ec console commands.
+
+If you start servod and select the ccd device, you should be able to use servo
+dut-control comands normally.
+
+    chroot > sudo servod -b $BOARD
+
+If cr50 reboots or usb disconnects for some reason, servod will lose the
+connection to the cr50 usb. Support has just been added to hdctools to
+reinitialize all of the servo ccd interfaces, so things should come back up
+after the disconnect, but it might still have bugs.
+
+Servo can take care of a lot of the less intuitive things for you like during
+init it will send `rddkeepalive enable`. It will also find the AP, EC, and Cr50
+uart. Servod knows how to interact with the i2c endpoint, so you can use servod
+to read power from the INAs if they’re populated.
+
+Suzyq doesn’t have all of the necessary things to replace servo for FAFT, but
+you should be able to use it for normal debugging functionality. You will need
+a type c servo v4 for ccd if you need to run FAFT.