I said in the previous post that I would work on the official updater of the Tx, and I did spend a lot of time on it… Then I realised that I already had all the hardware to use the « Debug1 » port which was on the PCB… But hey, it's not really wasted time, as I need to do a custom updater for the people who don't have the hardware!
Oh yeah, I almost forgot, but if I need to do this custom updater, it's because I already have a working 8-channel firmware 😉
The Debug1 port is an SWD port, which is similar to a JTAG port. It can be used to debug the software currently running on the MCU, much like using the debugger in your favourite IDE to step through the code, inspect the values in variables or registers, and so on. SWD also allows flashing the chip! So I had all the tools to hack this thing. Let's get to work!
First things first, a brief overview of the toolchain I used. I needed a JTAG/SWD probe. Luckily I had an FPGA dev board lying around (a Papilio One) which happens to use an FT2232 chip to program the FPGA. I only had to populate the extra JTAG header on the board and, tada, a JTAG probe. But I needed software able to drive it. I used OpenOCD, which took a lot of time to configure. At least for me: it's the first time I've used JTAG, the first time I've done ARM development (in assembly!), … So many firsts! I can share the configuration files if somebody is interested, just ask in the comments. Finally, the last bit of software I'm using is a telnet client to talk to OpenOCD.
So I can single-step, read registers, and read and write flash. I am now the true master of this little chip! The first thing to do is to dump the flash memory and analyse it with our favourite disassembler: IDA.
Yes, it's quite ugly, but it is really powerful. I spent hours and hours working on this, trying to figure out small parts of the code (again, it's my first time with ARM assembly). I found some interesting stuff, such as the functions that update the screen, where the font is located in flash, …
The program has a bootloader that allows programming via the serial port (which is what the official updater uses); everything before offset 0x1800 is the bootloader. This part of the code cannot be changed with the updater, only with the debug port I'm using. After a lot of work, I found the place in RAM where the program stores our 6 channel values. I had to patch the program to relocate it somewhere with room for more than 6 channels, then modify the function that updates this area of RAM to add 2 more channels (only 2 for now, but it's easy to add more), then modify the function that reads this RAM and sends it to the SPI controller. It doesn't sound like a big deal, but for me it was big enough!
After that, I applied the patches to the program and flashed the MCU.
Aaaaaand, it's gone. The TX isn't even booting. I debugged it and found that it was stuck in a loop inside the bootloader. It entered this loop because of a function doing some XORing. XORing usually means some kind of cryptography or checksum computation. Here it was an integrity check of the firmware, which used a signature located at 0xF2D3. With the debugger I found the checksum computed over the patched firmware, which was being compared against the old checksum at 0xF2D3, and replaced the old checksum with the computed one. And tada, the TX is working, and the 2 additional channels are there and working!
I know I could analyse the code to discover what kind of checksum it is, but if it's working, why bother? (maybe another time…)
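To make the patch-and-flash cycle above a bit less error-prone, here is an added example (my own helper, not the author's code or any tool from the post). It applies byte patches to a dumped flash image, refuses patches that would land in the bootloader region below 0x1800 (the updater cannot write there), and writes the checksum value read from the debugger into the signature slot at 0xF2D3. The two offsets come from the post; the signature width (2 bytes), its byte order (little-endian), the stand-in code bytes and the checksum value are assumptions constructed for the demo. Since the checksum algorithm is not known, the value itself still has to come from the debugger, exactly as described above.

```python
# Added example (not the author's code): offline helper for the patch-and-flash
# workflow. Offsets 0x1800 and 0xF2D3 are from the post; signature width, byte
# order and all sample bytes below are ASSUMPTIONS / constructed demo data.
from dataclasses import dataclass
from typing import Iterable, List, Tuple

BOOTLOADER_END = 0x1800      # from the post: everything below this is the bootloader
SIGNATURE_OFFSET = 0xF2D3    # from the post: integrity value the bootloader compares
SIGNATURE_SIZE = 2           # ASSUMPTION: the post does not say how wide the value is
SIGNATURE_ENDIAN = "little"  # ASSUMPTION: Cortex-M images are normally little-endian


@dataclass(frozen=True)
class Patch:
    offset: int
    old: bytes   # bytes expected at offset; protects against patching the wrong dump
    new: bytes


class PatchError(ValueError):
    """Raised when a patch would corrupt the image or cannot be applied safely."""


def apply_patches(image: bytes, patches: Iterable[Patch],
                  allow_bootloader: bool = False) -> bytearray:
    """Return a patched copy of the image; the input is never modified."""
    out = bytearray(image)
    for p in patches:
        end = p.offset + len(p.new)
        if len(p.old) != len(p.new):
            raise PatchError(f"patch at {p.offset:#06x} changes length")
        if end > len(out):
            raise PatchError(f"patch at {p.offset:#06x} runs past end of image")
        if p.offset < BOOTLOADER_END and not allow_bootloader:
            # The serial updater cannot write this region, so a patch here
            # could only ever be applied over SWD.
            raise PatchError(f"patch at {p.offset:#06x} touches the bootloader")
        if bytes(out[p.offset:end]) != p.old:
            raise PatchError(f"unexpected bytes at {p.offset:#06x}: "
                             f"{out[p.offset:end].hex()} != {p.old.hex()}")
        out[p.offset:end] = p.new
    return out


def set_signature(image: bytes, value: int, offset: int = SIGNATURE_OFFSET,
                  size: int = SIGNATURE_SIZE, endian: str = SIGNATURE_ENDIAN) -> bytearray:
    """Write the checksum the bootloader computed (read from the debugger) into the slot."""
    out = bytearray(image)
    out[offset:offset + size] = value.to_bytes(size, endian)
    return out


def diff_images(a: bytes, b: bytes) -> List[Tuple[int, int, int]]:
    """(offset, old, new) for every changed byte: review this before flashing."""
    if len(a) != len(b):
        raise PatchError("images differ in length")
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


# --- constructed demo data, not a real FS-i6 dump ---------------------------
IMAGE_SIZE = 0x10000
ORIGINAL = bytearray(b"\xff" * IMAGE_SIZE)
ORIGINAL[0x4000:0x4004] = bytes.fromhex("00bf00bf")   # two Thumb NOPs as stand-in code
ORIGINAL[SIGNATURE_OFFSET:SIGNATURE_OFFSET + SIGNATURE_SIZE] = b"\x34\x12"  # old signature

# Replace the first NOP with "bx lr": a placeholder for a real relocation patch.
DEMO_PATCHES = [Patch(0x4000, bytes.fromhex("00bf00bf"), bytes.fromhex("704700bf"))]
# In the real workflow this number is read from the debugger, as the post describes.
DEMO_CHECKSUM_FROM_DEBUGGER = 0xBEEF


def build_patched_image() -> bytearray:
    patched = apply_patches(ORIGINAL, DEMO_PATCHES)
    return set_signature(patched, DEMO_CHECKSUM_FROM_DEBUGGER)


if __name__ == "__main__":
    result = build_patched_image()
    for off, old, new in diff_images(ORIGINAL, result):
        print(f"{off:#06x}: {old:02x} -> {new:02x}")
```

The `old` bytes in each `Patch` are the important part: they make the script refuse to run against a dump from a different firmware version, and `diff_images` gives you a last look at exactly which bytes will change before you hand the image to OpenOCD. Passing `allow_bootloader=True` is only meaningful when flashing over SWD, since the updater path cannot reach that region.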
Aux 3 and 4 are linked to switch A and switch D respectively. Aux 1 and 2 work as usual: they can be configured in the TX menu. (With a stock FS-i6, aux 3 and 4 would be stuck at 1500.)
So now that it is working, I would like to give it to everyone. And that's why I now have to work on the updater, to make it flash my patched firmware instead of the official one!
Again, if you want any other files I made or used, feel free to ask in the comments.
PS: Help me buy a new oscilloscope: donate on PayPal!
Any help is really appreciated 😉
/!\ Everything is given « as is »; I'm not responsible for any harm you do to your hardware! /!\
If you don’t know what you can do with this patched firmware, my advice is: don’t use it! I’m working on a safer and cleaner way to patch the firmware.