How does one start porting the fw to another platform?

Discussions related to the firmware code development
EA5JAQ
Posts: 86
Joined: Thu Jul 16, 2020 6:08 am

How does one start porting the fw to another platform?

Post by EA5JAQ » Sun Aug 14, 2022 11:26 am

Hi!

I have a couple RT50s (aka TYT MD-680D) I use for when I’m hiking as they’re pretty strong radios. The internals are pretty similar to the ones found in a GD77 (MK22FN512, HR-C6000, AT1846S, etc.), and I wanted to try myself if I’m capable of porting the OpenGD77S version to this handheld.

I’ve programmed in C several times although I’m not an expert. In fact, a year ago I played around for a couple months with the OpenGD77 source code customizing things and I could get to understand almost every part of the firmware (obviously, I did this complying with the license terms, as my only intention was to improve my coding skills).

My question is, where or how can I start porting this firmware to this radio? I’m guessing a first step would be to be able to flash the firmware to this device, get it to turn on and then see which functions need to be adapted. I remember I read somewhere that the firmware has to be encrypted after being compiled, and that the encryption key is specific to each model of radio, but that there’s a way to crack it.

There’s no way to find an original .bin or .sgl file of the radio’s firmware, as the firmware updater is an .exe file that does everything (it connects to the radio and flashes the firmware), and I don’t know if this means that there’s no way of knowing this programming encryption password. If it’s not possible to flash the firmware in a conventional way (aka, using the firmware loader), is there any other way like using some kind of in-circuit programmer or debugger soldered to the MCU?

Thanks a lot, I know this will take me a lot of work (and it won’t probably be possible to do), but I’m willing to try it out.

73

VK3KYY
Posts: 7437
Joined: Sat Nov 16, 2019 3:25 am
Location: Melbourne, Australia

Re: How does one start porting the fw to another platform?

Post by VK3KYY » Sun Aug 14, 2022 9:15 pm

You can connect a programmer to the CPU in the radio, but you will not be able to read the firmware because all radios enable the Read Protection in the CPU

You can erase the CPU but then your radio would be useless.

With the GD77 etc, the encryption was broken by DG4KLU, but he keeps his methods secret.
The MD9600 encryption was broken by someone in the MD380Tools team.


I think someone broke the encryption on the Ailuance HD1, which uses an exe file, but I don't know who did this.

Search for 'radiotool' on github and contact them,

EA5JAQ
Posts: 86
Joined: Thu Jul 16, 2020 6:08 am

Re: How does one start porting the fw to another platform?

Post by EA5JAQ » Thu Aug 18, 2022 6:26 pm

Thank you so much! I'll try to reach them and see what I can find out :)

EA5JAQ
Posts: 86
Joined: Thu Jul 16, 2020 6:08 am

Re: How does one start porting the fw to another platform?

Post by EA5JAQ » Fri Oct 07, 2022 6:02 am

Just to close this topic:

Using a serial port sniffer and the help of the radio_tool developer I could identify the protocol the radio uses to receive the firmware file (YModem). I could also get the original binary with the sniffer and even create some sort of firmware loader with a simple TeraTerm script (just opens the port, sends the program command, and sends over the fw file via YModem). Then the radio “verifies” the firmware (aka: checks that is smaller than 432 kB, so it doesn’t accept the OpenGD77S binary, and also checks that the binary ends with several 0xFF rows, nothing else).

But I think I’ve hit a dead end and this is not doable, as I think the firmware file might be encrypted (at first I didn’t think it was, as you can notice patterns in it), and if it is, there is no way that I know to get the key. I wanted to check different fw versions to see if by comparing them I could get any clues but TYT and Retevis won’t send me different versions than the last one. I tried just flashing a shorter version of the OpenGD77S but to reduce that much the size I had to erase part of the 2nd codec section. Anyway, the radio doesn’t even make the boot sound. I compiled a custom version that sends data over the COM port but it also does nothing.

So overall, this would be too much of an effort for a non-popular (and discontinued) radio that I just have lying around, and I don’t have the knowledge to do it. But thanks for the help!

73

VK3KYY
Posts: 7437
Joined: Sat Nov 16, 2019 3:25 am
Location: Melbourne, Australia

Re: How does one start porting the fw to another platform?

Post by VK3KYY » Fri Oct 07, 2022 8:17 pm

Nowadays the most practical method to hack the firmware encryption is connect to the SWD connections on the MCU, and use a glitch attack in order to enable the SWD and read functions, which will be disabled by the manufacturer.

But this is not easy.

If you manage to glitch the MCU to enable SWD and can read the bootloader, you then need to reverse engineer the operation of the bootloader to understand the upload protocol and also the encryption method and encryption key

I use Ghidra for reverse engineering, but I know some people use Radare2 and some people have access to IDA Pro

Overall this process is not easy and it takes many hours of work

EA5JAQ
Posts: 86
Joined: Thu Jul 16, 2020 6:08 am

Re: How does one start porting the fw to another platform?

Post by EA5JAQ » Sat Oct 08, 2022 6:19 am

Thank you, right now I’m pretty busy with work but I will give it a go in a couple months. Sounds like hard work but since I started playing around with the OpenGD77 code I’ve learnt a lot, so the hundreds of hours are well spent.

Also, if by some miracle I manage to make it work, then there’s even more work (finding and solving bugs, reverse engineering the radio’s 7-segment hidden display and making it work, etc). The radio inside is identical to the GD77S (except it’s only UHF and 10W, and it’s got a simple display), so it shouldn’t be that hard, but still a lot of work.

Just to be clear, the only way to flash a firmware to the radio is by figuring out how the bootloader works? Or is there some workaround like backing up the original bootloader (to avoid bricking the radio) and just erasing the MCU flash and writing the firmware and some generic bootloader (or the one in the GD77/GD77S) using the SWD connections and not the stock usb cable? Sorry if it’s a dumb question, in the past and in university I’ve only dealt with C code, and then the IDE dealt with all the boring stuff like programming the MCU haha

VK3KYY
Posts: 7437
Joined: Sat Nov 16, 2019 3:25 am
Location: Melbourne, Australia

Re: How does one start porting the fw to another platform?

Post by VK3KYY » Sat Oct 08, 2022 8:29 pm

EA5JAQ wrote:
Sat Oct 08, 2022 6:19 am
Thank you, right now I’m pretty busy with work but I will give it a go in a couple months. Sounds like hard work but since I started playing around with the OpenGD77 code I’ve learnt a lot, so the hundreds of hours are well spent.

Also, if by some miracle I manage to make it work, then there’s even more work (finding and solving bugs, reverse engineering the radio’s 7-segment hidden display and making it work, etc). The radio inside is identical to the GD77S (except it’s only UHF and 10W, and it’s got a simple display), so it shouldn’t be that hard, but still a lot of work.

Just to be clear, the only way to flash a firmware to the radio is by figuring out how the bootloader works? Or is there some workaround like backing up the original bootloader (to avoid bricking the radio) and just erasing the MCU flash and writing the firmware and some generic bootloader (or the one in the GD77/GD77S) using the SWD connections and not the stock usb cable? Sorry if it’s a dumb question, in the past and in university I’ve only dealt with C code, and then the IDE dealt with all the boring stuff like programming the MCU haha
MCU is read protected. You can't simply attach to the SWD pins and read the bootloader

You can erase the MCU which will unlock it, but the MCU will then be completely blank.

You could then load the GD77 bootloader onto the radio, but if the MCU pins for SK1 and SK2 are different, you will not be able to enter upload mode

If you attached SWD pins you could upload the firmware directly, but it will not contain the AMBE codec, because of copyright.

EA5JAQ
Posts: 86
Joined: Thu Jul 16, 2020 6:08 am

Re: How does one start porting the fw to another platform?

Post by EA5JAQ » Sat Oct 08, 2022 10:09 pm

Looks like SK1 is connected to pin 71 (Port C pin 7) and SK2 to pin 43 (Port A pin 13). I think the GD77 uses Port B 1 and 9 if I remember correctly. So if I use the GD77 patched bootloader it won’t enter DFU mode.

Only options are:
- Glitch attack, try to get the bootloader, decompile it, etc…
- Just erase the radio (effectively bricking it if this doesn’t work), load the GD77 bootloader, and load the firmware using SWD (i think i have the source code from an old OpenGD77 with the original codec binary parts, i can manually add them after compiling). Once I have a stable build, close the radio up and never ever open it up again.

Ah, and I’ll have to check that everything is connected to the right pin and if it isn’t I’ll have to modify the code.

I’ll try everything in a couple months, hope something works!

EA5JAQ
Posts: 86
Joined: Thu Jul 16, 2020 6:08 am

Re: How does one start porting the fw to another platform?

Post by EA5JAQ » Wed Oct 19, 2022 9:02 am

*removed*
Last edited by EA5JAQ on Wed Oct 19, 2022 9:14 am, edited 2 times in total.

EA5JAQ
Posts: 86
Joined: Thu Jul 16, 2020 6:08 am

Re: How does one start porting the fw to another platform?

Post by EA5JAQ » Wed Oct 19, 2022 9:13 am

Hi all!

I was checking out an MCU ROM backup I took from my DM-1801 and I noticed that between the bootloader and the start of the firmware (aka, between 0x3800 and 0x3FF0) there is an additional section. But I just saw that the bootloader for the GD77 and GD77S ends at 0x3FF0 and immediately after, at 0x4000, the actual firmware starts (at least in the patched bootloaders I could find).

I assume this are the signature bytes that for the GD77 are at 0x7F800, right?

To run OpenGD77 in my Retevis RT50, my plan now is just to manually add the compiled firmware (i'll have to change in the code where every button is connected) after the GD77S bootloader, manually substitute both codec sections with the ones I extracted from my DM-1801 MCU ROM backup, fill with 0xFF until the end (0x7FFFF) and SWD it to the radio. I'll never be able to put my radio into DFU mode (as SK1 and SK2 are not connected to the same place) but at least I'll run OpenGD77 on it!! (or I'll try to and brick the radio in the process :lol: ) So, if I use the patched bootloader and do this, I won't have problems with the signature bytes?

Another doubt I have, I found in my computer old flash and eeprom backups for the GD77. Do those work for the GD77S or does it use a different system?

Thanks! :)

73

Post Reply