travisgoodspeed / md380tools

Firmware patches for the TYT-MD380 handheld radio.

fw encryption key for md9600 #910

Closed KG5RKI closed 4 years ago

KG5RKI commented 4 years ago

Figured out encryption key for md9600 fw. Use it like you do for md2017.

EDIT: Also works on RT90 fw, if you hadn't guessed.

rogerclarkmelbourne commented 4 years ago

Very interesting.

KG5RKI commented 4 years ago

> Very interesting.

hey @rogerclarkmelbourne can you hit me up at tydweaver@gmail.com? I wanna share something with you privately, in case it is helpful to you.

rogerclarkmelbourne commented 4 years ago

Thanks

I sent you an email

FYI. There are a couple of guys in Italy porting the OpenGD77 to the MD-380, but the radios which use the AT1846S RF chip (and the C6000) are an easier target, and I suspect the MD-9600 is one of these, because TYT seem to use the AT1846S in their dual band radios.

The MD UV-380 definitely uses the AT1846S, but I don't know if the bootloader is the same on this radio, which would allow the encryption to be broken.

KG5RKI commented 4 years ago

mduv380 uses a bootloader that is the same as or more similar to the md2017. Unfortunately, Travis' trick to dump the bootloader does not work on anything I have tried except md380, so I had to find a new way to get the encryption keys. The mduv380/390/rt3s use the same encryption key as md2017. Interestingly enough, if you change the radio identifier using the factory util to make it match a 2017 for example, it will run fw meant for a 2017 (with bugs ofc, but still interesting).

EDIT: Took some pics of my md9600 when I took it apart to play around. https://photos.app.goo.gl/2t7yWTA1R9bZEF8Z9

Also I took a look at the CS580 which has a similar mcu to the gd-77 I think, and it does not seem to even use encryption or try to prevent any modifications o_O.

One more thing, on the website for the CS800 support they have a bldr available for flashing for use with the factory usb bldr that stm32f4 family uses. You can modify this and go down the chain to allow for modifications on that radio as well.

rogerclarkmelbourne commented 4 years ago

@KG5RKI

Thanks.

If the encryption key / hash table is known, then I presume you can encode your own application code and get the bootloader to accept it.

So to dump the bootloader just requires an application to be written which enumerates on USB as a COM port, and it could then just dump the bootloader as hex bytes into a terminal program.

This would not be super efficient, but would probably be the easiest way to get the bootloader binary.

Once the binary has been downloaded, it can be patched using Ghidra to remove any nasty code that disables the SWD and read protects the MCU, and then the new bootloader can be flashed on via SWD.

I'm not sure how advanced they are with their code, but the Italian guys porting the OpenGD77 to the MD-380 may have a version which has functional USB COM (CDCACM).

rogerclarkmelbourne commented 4 years ago

@KG5RKI

BTW. Please feel free to email.

n1zzo commented 4 years ago

Indeed we have a working USB COM; we also have support for:

We are slowly working out the RF part now.

KG5RKI commented 4 years ago

You can dump the bldr if you want. I did it by just modifying the firmware to write it to the external spi, which I then dumped with hardware cause I was too lazy to hook up uart to it lol. Anyway, if you just set up some fw with the same base address and wrap it using the keys I've provided, it will flash without any issues. Don't forget to fix up the header and include the resource binary at the front. Like I said, same process as md2017.