[EN] FlySky i6 part 3: Firmware patching

I said in the previous post that I would work on the official updater of the Tx, and I did spend a lot of time on it… Then I realised that I already had all the hardware to use the « Debug1 » port which was on the PCB… But hey, it's not really wasted time, as I need to build a custom updater for the people who don't have the hardware!

Oh yeah, I almost forgot: if I need to build this custom updater, it's because I already have a working 8-channel firmware 😉

The Debug1 port is an SWD port, which is similar to a JTAG port. It can be used to debug the software currently running on the MCU, the same way you would use the debugger in your favorite IDE to step through code, inspect variables or registers, and so on. SWD also allows flashing the chip! So I had all the tools to hack this thing. Let's get to work!

First things first, a brief overview of the toolchain I used. I needed a JTAG/SWD probe. Luckily I had an FPGA dev board lying around (a Papilio One) which happens to use an FT2232 chip to program the FPGA. I only had to populate the extra JTAG port on this board and tadaa, a JTAG probe. But I needed software able to drive it. I used OpenOCD, which took a lot of time to configure. It was the first time I used JTAG, the first time I did ARM development (in assembly!)… so much for a first! I can share the configuration files if somebody is interested, just ask in the comments. Finally, the last piece of software I'm using is a telnet client to talk to OpenOCD.

So I can single-step, read registers, and read and write flash. I am now the true master of this little chip! The first thing to do is to dump the flash memory and analyze it with our favorite disassembler: IDA.

image2

Yes, it's quite ugly, but it is really powerful. I spent hours and hours on this, trying to figure out small parts of the code (again, my first time with ARM assembly). I found some interesting stuff, such as the functions that update the screen, where the font is located in flash, …

The firmware has a bootloader that allows programming via the serial port (which is what the official updater uses), and everything before offset 0x1800 is the bootloader. It's impossible to change this part of the code with the updater; that protection is only enforced by the updater itself, and the debug port I'm using can write anything. After a lot of work, I found the place in RAM where the program stores our 6 channel values. I had to patch the program to relocate it to another place which had room for more than 6 channels, then modify the function which updates this area of RAM to add 2 more channels (I added only 2 for now, but it's easy to add more), then modify the function which reads this RAM to send it to the SPI controller. It doesn't look like a big deal, but for me it was big enough!

After that, I applied the patches to the program and flashed the MCU.
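As an added example (not the author's patch tooling), here is how I would apply a set of byte patches to the 64 kB dump while refusing anything that lands in the bootloader region below 0x1800, and then list exactly which byte ranges changed before writing the image back over SWD. The image contents, the patch offsets and the patch bytes are constructed for the example and are not real FS-i6 addresses.

```python
"""Apply byte patches to a full-flash dump without touching the bootloader.

Added example, not the author's code. Assumptions: a 64 KiB image, the
bootloader occupying 0x0000-0x17FF as the post states, and a constructed
filler image instead of the real dump. A patch is an (offset, bytes) pair.
"""

FLASH_SIZE = 0x10000
BOOTLOADER_END = 0x1800   # first address the serial updater is allowed to write


class PatchError(ValueError):
    pass


def apply_patches(image, patches, protect_end=BOOTLOADER_END):
    """Return a new image with every (offset, data) patch applied.

    Refuses patches that overlap [0, protect_end), run past the end of
    flash, or overlap each other (usually a typo in an offset)."""
    out = bytearray(image)
    touched = bytearray(len(image))
    for offset, data in patches:
        end = offset + len(data)
        if offset < protect_end:
            raise PatchError(f"patch at {offset:#06x} overlaps the bootloader region")
        if end > len(out):
            raise PatchError(f"patch at {offset:#06x} runs past the end of flash")
        if any(touched[offset:end]):
            raise PatchError(f"patch at {offset:#06x} overlaps an earlier patch")
        out[offset:end] = data
        touched[offset:end] = b"\x01" * len(data)
    return bytes(out)


def changed_ranges(a, b):
    """Half-open [start, end) byte ranges where two equal-length images differ."""
    if len(a) != len(b):
        raise PatchError("images differ in length")
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def sample_image():
    """Constructed dump: erased 0xFF flash with a fake bootloader and app area."""
    img = bytearray(b"\xff" * FLASH_SIZE)
    img[0:BOOTLOADER_END] = bytes(i & 0xFF for i in range(BOOTLOADER_END))
    img[BOOTLOADER_END:0xF000] = bytes((i * 7) & 0xFF for i in range(0xF000 - BOOTLOADER_END))
    return bytes(img)


# Hypothetical patches (constructed offsets, not the real FS-i6 ones).
SAMPLE_PATCHES = [
    (0x2000, bytes.fromhex("aa 20 55 1f")),
    (0x3010, bytes.fromhex("0a 0b")),
]


def rejects(patches, image=None):
    """True if apply_patches refuses the patch set."""
    try:
        apply_patches(sample_image() if image is None else image, patches)
    except PatchError:
        return True
    return False


def demo():
    """Apply the sample patches and report what changed."""
    orig = sample_image()
    patched = apply_patches(orig, SAMPLE_PATCHES)
    return changed_ranges(orig, patched)


if __name__ == "__main__":
    for start, end in demo():
        print(f"changed {start:#06x}-{end:#06x}")
```

Comparing the diff against the list of patches you intended to apply is the cheap sanity check to do before flashing: a range you did not expect means an offset is wrong, and anything below 0x1800 should never appear.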

Aaaaaand, it's gone. The TX isn't even booting. I debugged it and found that it was stuck in a loop inside the bootloader. It was entering this loop because of a function which did some XORing. XORing usually means some kind of cryptography or checksum computation. Here it was an integrity check of the firmware, which used a signature located at 0xF2D3. With the debugger I found the checksum computed over the patched firmware, which was compared with the old checksum stored at 0xF2D3, and replaced the old checksum with the computed one. And tada, the TX is working, and the 2 additional channels are there and working! Note that since the expected value sits in flash next to the code it protects, this check only catches corruption, not modification: anyone who can rewrite the image can rewrite the stored checksum too.

I know I could analyze the code to discover what kind of checksum it is computing, but if it's working, why bother? (maybe another time…)
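Since the post leaves the checksum unidentified, here is an added example (not the author's code, and it does not claim which algorithm the FS-i6 bootloader actually uses) of the usual next step: brute-force a handful of common checksums over plausible regions of the image and report which ones reproduce the value stored at the signature offset. The image is constructed with a sum16 planted at 0xF2D3; the covered regions and candidate list are assumptions.

```python
"""Find which common checksum reproduces a stored firmware signature.

Added example, not code from the post. It brute-forces a few common
checksums over plausible regions of a constructed 64 KiB image and reports
which reproduce the value stored at the signature offset (0xF2D3 in the
post). The region choices and the candidate list are assumptions.
"""
import zlib
from functools import reduce
from operator import xor

FLASH_SIZE = 0x10000
APP_START = 0x1800      # everything below this is the bootloader (per the post)
SIG_OFFSET = 0xF2D3     # where the post found the stored signature


def crc16_ccitt_false(data, poly=0x1021, init=0xFFFF):
    """CRC-16/CCITT-FALSE, bitwise, no table."""
    crc = init
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


# name -> (stored width in bytes, function over the covered bytes)
CANDIDATES = {
    "sum8":  (1, lambda d: sum(d) & 0xFF),
    "xor8":  (1, lambda d: reduce(xor, d, 0)),
    "sum16": (2, lambda d: sum(d) & 0xFFFF),
    "crc16-ccitt-false": (2, crc16_ccitt_false),
    "sum32": (4, lambda d: sum(d) & 0xFFFFFFFF),
    "crc32": (4, lambda d: zlib.crc32(d) & 0xFFFFFFFF),
}


def regions(image, sig_offset, app_start):
    """Byte ranges a bootloader plausibly checksums (assumptions)."""
    return {
        "app": bytes(image[app_start:sig_offset]),
        "everything-before-sig": bytes(image[:sig_offset]),
    }


def identify(image, sig_offset=SIG_OFFSET, app_start=APP_START):
    """Return [(algo, width, byteorder, region)] whose result equals the stored value."""
    matches = []
    for region_name, data in regions(image, sig_offset, app_start).items():
        for name, (width, fn) in CANDIDATES.items():
            computed = fn(data)
            for order in ("little", "big"):
                stored = int.from_bytes(image[sig_offset:sig_offset + width], order)
                if stored == computed:
                    matches.append((name, width, order, region_name))
    return matches


def identify_all(images, **kw):
    """Intersect matches over several dumps so one-off coincidences drop out."""
    return sorted(set.intersection(*(set(identify(img, **kw)) for img in images)))


def sample_image(seed):
    """Constructed dump: deterministic LCG filler with a sum16 signature planted."""
    img = bytearray(FLASH_SIZE)
    x = seed
    for i in range(FLASH_SIZE):
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        img[i] = (x >> 16) & 0xFF
    sig = sum(img[APP_START:SIG_OFFSET]) & 0xFFFF
    img[SIG_OFFSET:SIG_OFFSET + 2] = sig.to_bytes(2, "little")
    return bytes(img)


def demo():
    """Original and 'patched' constructed dumps, each with its own planted sig."""
    return identify_all([sample_image(0x12345678), sample_image(0xC0FFEE)])


if __name__ == "__main__":
    for m in demo():
        print(m)
```

Run it on the original dump and on the patched dump with its corrected checksum, as identify_all does: narrow algorithms alias wider ones (here sum8 matches as well, because it is simply the low byte of sum16), so a hit on a single image is a hypothesis, not a conclusion, and the disassembly of the XOR loop remains the final word.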

image3

Aux 3 and 4 are linked to switch A and switch D respectively. Aux 1 and 2 work as usual: they can be configured in the TX menu. (With a stock FS-i6, aux 3 and 4 would be stuck at 1500.)

So now that it is working, I would like to give it to everyone. And that's why I now have to work on the updater, to make it flash my patched firmware instead of the official one!

Again, if you want any other files I made or used, feel free to ask in the comments.

Thom

PS: Help me to buy a new oscilloscope: Donate on PayPal !
Any help is really appreciated 😉

/!\ Everything is given « as is », I'm not responsible for any harm you do to your hardware! /!\

If you don't know what you can do with this patched firmware, my advice is: don't use it! I'm working on a safer and cleaner way to patch the firmware.

Downloads:

Original flash dump with IDA database

Patched firmware (binary)


25 thoughts on « [EN] FlySky i6 part 3: Firmware patching »

  1. Hi Thom
    Is it possible to read / save the existing firmware?
    I have a hardware-identical Reely transmitter and would like to try the FlySky firmware without blocking the way back!

    greetz


  2. Hello.
    I have an FY-Q7 that looks like it is the same as the FlySky i6 but rebranded from the Flying3d x8 quad.
    This Tx has a different firmware than the i6 and I would like to change it to the original i6 firmware, so I can use it with other quads.
    As I read somewhere on rcgroups, someone tried to do the update, but the Tx got bricked 😦
    Looks like the bootloader that FlySky put in the firmware is at another memory address or something and updating the firmware will overwrite the bootloader.
    My question is, will this custom updater developed by you, using a normal FTDI, be able to change the firmware to the original i6/10ch firmware?
    If not, is buying a JTAG + getting all the toolchain + learning how to do it worth the effort, or is it just better for me to buy a new FS-i6?

    Thank you very much


    1. Hi. Do you have a full binary image of the flash of this TX? I could look into it. In the meantime, don't use my updater, as it copies to the same memory locations as the official one.


    1. Sorry, I wasn't really paying attention to this blog lately.
      First, I used Zadig 2.2 to install the WinUSB driver for the FT2232. Then I used a couple of files.
      Since it is often asked, I'll create a repository on GitHub with all the configuration files I used or created and post it here.


  3. Could you share your config files? I've decided to toy a bit with this radio, however being a total noob I'm having issues.

    So far I have:
    - connected to the MKL using OpenOCD -> ST-Link with the klx.cfg target – throws some warnings here and there
    - connected to OOCD with telnet

    Tried connecting with IDA, however it crashes as soon as the connection is made – supposedly there is some issue with OOCD and gdb-like clients with OOCD version 0.8+ (mine is 0.10). However earlier versions don't have KLX targets and it is not a simple matter of copying them from a newer version.


  4. I know it's cheeky to ask, but what would be really, really useful would be to take the error level that is displayed on the transmitter, invert it so that it becomes RSSI and transmit it back to the receiver in one of the aux channels. Cleanflight has a function « RSSI on AUX » – see your own screenshot above. With this function we could have RSSI displayed on the OSD. Now that is a very missing feature on the FlySky TxRx combo!


  5. Can you assign all the switches to channels in order to make it a 10ch radio? Also, is it possible to use the additional channels through PPM in order to use the ia6 rx as well?


  6. Hello, I also have the updater .bin file (well, there are two, almost identical .bin files in the updater .exe).

    Looking at your 'fsi6_patch2_lock.bin' file (64 kB) – it is larger than the updater.exe bin files (each 55 kB).

    I can swap the updater.exe file with your file, but I am not certain it is a good idea yet, without understanding the size differences (I don't want to brick the i6 I have).

    Also, do you know or can you tell me how to make the MCU enter firmware/update mode without using the software menu of the i6? Is there a way to short a pin? RESET & GND? Which pins are these on the MKL16Z64VLH4?

    I think it is important to be able to 'hardware switch' into firmware update mode should anything go wrong with the experimenting.

    I read about the Teensy SWD hack: http://mcuoneclipse.com/2014/08/09/hacking-the-teensy-v3-1-for-swd-debugging/
    It is using a similar chip, so a similar way to enter debugging/update mode for the i6?


    1. Hello,
      my patched firmware is bigger because it includes the bootloader section and the unprogrammed sections. It is a copy of the full flash memory (which is 64 kB).
      You could try to mod the updater.exe, but I'll really soon share my own updater which will be easy to use.
      You shouldn't be too worried about bricking the device with the COM port updating, because it won't touch the bootloader section of the firmware. The bootloader is where the updating is handled. So even if the firmware you're updating is corrupted, you should always be able to reprogram the official firmware.
      In fact this is what I am testing now, before releasing my easy-to-use updater.

      If you still want to do SWD debugging, you just need a JTAG/SWD debugger. There already is an existing debug port on the i6, no need to mod the circuit.

      Thom


  7. Thanks. Great work. I have patched my transmitter and all is good. Inspired me to put together a mini iBUS to PPM and PWM converter to use the extra channels with my ia6b. Details of the converter are on Bitbucket.


  8. This is really impressive Thom, congrats!
    I really like the way you explain the process you've gone through. I would be interested to hear in a following post about what functions have been patched (asm diff with your modifications). And also about the steps you took from dumping the image with OpenOCD, modifying it with IDA and creating the final image.
    Keep the posts coming 😉


      1. Yes of course. Imagine you fly a motorglider and you want to land it.
        For a better descent you want to use your ailerons as flaperons. That means that both ailerons have to go up. Normally they move in opposite directions. Therefore you need a mixer.
        But in this case you need a further mixer, because if both ailerons go up the nose of the plane will go up.
        You have to compensate for this with elevator.
        This is only one example, but if you fly an RC plane you really need plenty of mixes.
        And on this radio you have only 3 mixes, which is not very much. The software of this radio is really poor.


      2. Hi, I didn't think about this because I'm only flying a multicopter, but yes, it could be interesting to add this! I'll keep it on my todo list, which is becoming really long, so I don't promise you any deadline 😉
        I think it would take quite a large amount of time, because the user menu would have to be modified, and that's definitely not easy at this stage of development :/

