See below for updates.

IF YOU BREAK YOUR BOOT0 PIN. DO NOT DM ME ASKING FOR HELP. THAT'S IT. YOU BREAK THAT PIN AND YOU CANT FLASH. YOUR CHIP IS STUCK WITH WHATEVER HWFLY PUT ON IT


Pre-requisites:

---

• Raspberry Pi Zero W
  • You may use another flasher if you desire.
• Pinout Diagram
• Modchip Diagram
• FULL_CHIP_STOCK.bin
• Modchip Diagram, find the PA9(TX) and the PA10(RX) pins on your modchip, and do the following:
  • Connect GPIO14(TX) on your Raspberry Pi Zero W to the PA10(RX) pin on your modchip.
  • Connect GPIO15(RX) on your Raspberry Pi Zero W to the PA9(TX) pin on your modchip.

1. Solder a wire to each of the following pinouts on the Raspberry Pi Zero W:
   • 3.3V
   • Ground
   • GPIO 14 (UART TX)
   • GPIO 15 (UART RX)
2. Do the following to prepare the modchip:
   1. Lift pin 44 (also known as BOOT0).
   2. You will need a way to power the chip, so you need to find two 3.3v points. It can be on a MOSFET, but it will differ based on the revision of the modchip.
   3. Connect Ground on your Raspberry Pi Zero W to the Ground pin on your modchip.
   4. Check the Modchip Diagram, find the PA9(TX) and the PA10(RX) pins on your modchip, and do the following:
      • Connect GPIO14(TX) on your Raspberry Pi Zero W to the PA10(RX) pin on your modchip.
      • Connect GPIO15(RX) on your Raspberry Pi Zero W to the PA9(TX) pin on your modchip.
3. Boot your Raspberry Pi Zero W and do the following:
   1. In the terminal, type the following command, and press enter:
      

      sudo nano /boot/config.txt

   2. Add the following line to the end of the file:
      

      dtoverlay=pi3-miniuart-bt

   3. Press CTRL + X to save and exit the editor.
   4. In the terminal, type the following command, and press enter:
      

      sudo nano /boot/cmdline.txt

   5. Remove the following line from the file:
      

      console=serial0,115200

   6. Press CTRL + X to save and exit the editor.
   7. Restart your Raspberry Pi with this command
      

      sudo /sbin/reboot

   8. In the terminal, type the following commands, and press enter after each command:
      
      

      git clone https://github.com/Pheeeeenom/stm32flash.git
      cd stm32flash
      sudo make install

4. Now you will flash the modchip.
   Note: This will remove read protection, and the modchip will wipe itself (that is what we want).
   1. In the terminal, type the following command, and press enter:
      

      stm32flash -k /dev/serial0

   2. Now to flash Spacecraft-NX Version 0.2.0, type the following, and press enter:
      

      stm32flash -v -w ./FULL_CHIP_STOCK.bin /dev/serial0

5. Once you're done flashing your modchip, remove the wiring from the modchip, and restore the 3.3v pin on the modchip to its original position.

Please post pictures of your work here to further the identification of the different board revisions!


UPDATE: So it seems like stitching the spacecraft bootloader and firmware together from the repo causes unstable glitching behaviors. For now, consistent glitching behavior works with this bootload/firmware combo. This is the original file on the OLED variant chip which has 0.2.0 spacecraft. As for glitching, I'll figure it out, give me some time...unless someone else wants to hop in and reverse the differences.

For now, this at least solves the 0.1.0 HWFLY gen 3 issue. More to come.

UPDATE 2: This is only going to work on some HWFLY chips. Older ones use higher protection than the new revisions that seem to use the QFN FPGA.

UPDATE 3: This should fully work on OLED modchips with the QFN FPGA. https://github.com/Pheeeeenom/firmware

 

[james194zt2]

Except the author of this tutorial someone was able to reflash the modchip ?

I believe so yes. It us with the locked out chips that are the issue, I have a couple of the GD32 chips on their way over from China and hoping to get late next week fingers crossed and swap it out.

Going to have a play with them then and see if I can flash and get it working, the only thing I wonder if it it is the FPGA implementation causing issues, Spacecraft was design for SX Core and SX Lite not the HWFly modchips. We are assuming I believe that the FPGA implementation was reproduced by the Chinese cloners and that they didn't manage to get hold of the TX version. I have been doing some binary analysis and there are large changes in both the 0.2 official Spacecraft and what has been dumped from the 0.2 HWFly modchips so maybe this some of the modifications are what makes this work with their FPGA implementation.

I am going to have a play this weekend, first thing I will do is record the boot process a few times through a logic analyzer on the working install, focusing on the traffic between the SPI interface of the GD32 and the FPGA, then if it fails on the new chip I can see if we get the same sort of signals going between them.

I have been trying to get hold of a legit SX Core for a few weeks but they are like gold dust, would love to try and play around with one of them as well and compare what the process is like. Although to be fair I am sure the Chinese cloners will be far beyond me in skills for hacking that hardware in the first place and will have spotted more than I will spot, although they are doing it for profit not because they want to annoy the cloners so who knows we might get some success as it will be get it implemented as quick as possible for them!

 

[urherenow]

Well, crap. Looks like a COVID fair-up in China is affecting businesses and shipping. I had order a buttload of stuff, including

- GDLink-OB GD-Link CMSIS-DAP burner emulator downloader

But just got a refund for it and a message:

Sorry, because of the serious epidemic situation in Xi'an, the supplier's goods can't be sent to Shenzhen. The goods can only be sent to you after the epidemic situation in Xi'an is over

Here's hoping that everything I assume is true, between what the seller told me about the chip I ordered, and the installation diagram they sent me. The OLED model I ordered just might come with a USB adapter and all it takes to reset the chip (to be flashed again) is a pair of metallic tweezers to short out 2 points while powering on. In which case, I guess I don't need this programmer thing anyway...

 

[mvmiranda]

Well, crap. Looks like a COVID fair-up in China is affecting businesses and shipping. I had order a buttload of stuff, including

- GDLink-OB GD-Link CMSIS-DAP burner emulator downloader

But just got a refund for it and a message:

Sorry, because of the serious epidemic situation in Xi'an, the supplier's goods can't be sent to Shenzhen. The goods can only be sent to you after the epidemic situation in Xi'an is over

Here's hoping that everything I assume is true, between what the seller told me about the chip I ordered, and the installation diagram they sent me. The OLED model I ordered just might come with a USB adapter and all it takes to reset the chip (to be flashed again) is a pair of metallic tweezers to short out 2 points while powering on. In which case, I guess I don't need this programmer thing anyway...

That really sucks! :/
Things are getting worse again I just hope everything be right soon!
Ppl, keep safe!

Back to what you said, what OLED model would this be?

 

[urherenow]

https://www.aliexpress.com/item/1005003698689759.html?spm=a2g0o.9042311.0.0.27424c4d1b7RBt

Price has gone up another $10 since I ordered it. I paid $110 and it's now showing $120. I asked a bunch of questions, and the seller said they would have to "talk to the factory", then replied later that it has v0.2.0 flashed to it already. After a few more questions, they sent me an instruction page that someone else already posted here in a different thread. But I guess it won't hurt to post here (the part on the bottom right corner is what gets me excited... although with some of the resent replies to this thread, I'm now worried if the v.0.2.0 that's on it is modified or not, and if flashing a later version direct from the github page will work or not... or brick it...)...

 

[Acide0]

I believe so yes. It us with the locked out chips that are the issue, I have a couple of the GD32 chips on their way over from China and hoping to get late next week fingers crossed and swap it out.

Going to have a play with them then and see if I can flash and get it working, the only thing I wonder if it it is the FPGA implementation causing issues, Spacecraft was design for SX Core and SX Lite not the HWFly modchips. We are assuming I believe that the FPGA implementation was reproduced by the Chinese cloners and that they didn't manage to get hold of the TX version. I have been doing some binary analysis and there are large changes in both the 0.2 official Spacecraft and what has been dumped from the 0.2 HWFly modchips so maybe this some of the modifications are what makes this work with their FPGA implementation.

I am going to have a play this weekend, first thing I will do is record the boot process a few times through a logic analyzer on the working install, focusing on the traffic between the SPI interface of the GD32 and the FPGA, then if it fails on the new chip I can see if we get the same sort of signals going between them.

I have been trying to get hold of a legit SX Core for a few weeks but they are like gold dust, would love to try and play around with one of them as well and compare what the process is like. Although to be fair I am sure the Chinese cloners will be far beyond me in skills for hacking that hardware in the first place and will have spotted more than I will spot, although they are doing it for profit not because they want to annoy the cloners so who knows we might get some success as it will be get it implemented as quick as possible for them!

That’s pretty strange that the only one here who was able to flash it is the author it’s self… when I read every one else was not able to do it even professional in modding scene….

 

[lufeig]

it's pretty strange that the only one finding it suspicious is you.

I mean, op already explained why not all modchips are flasheable using this method.

It seems you didn't read or didn't understand every post.

 

[lufeig]

https://www.aliexpress.com/item/1005003698689759.html?spm=a2g0o.9042311.0.0.27424c4d1b7RBt

Price has gone up another $10 since I ordered it. I paid $110 and it's now showing $120. I asked a bunch of questions, and the seller said they would have to "talk to the factory", then replied later that it has v0.2.0 flashed to it already. After a few more questions, they sent me an instruction page that someone else already posted here in a different thread. But I guess it won't hurt to post here (the part on the bottom right corner is what gets me excited... although with some of the resent replies to this thread, I'm now worried if the v.0.2.0 that's on it is modified or not, and if flashing a later version direct from the github page will work or not... or brick it...)...

Luckily I purchased mine from the same link on Jan 1st. It was US$ 105 then.

If everything goes well I should receive it next week. Brazilian customs received it yesterday.

 

[james194zt2]

That’s pretty strange that the only one here who was able to flash it is the author it’s self… when I read every one else was not able to do it even professional in modding scene….

Not really this page has several thousand views now, generally you will only find the people who are having problems will post!! So there might be hundreds who flashed and not reported anything here.

The process used in the opening post is sound, I was looking at a similar thing myself with BOOT0 except op used the RX/TX pins because the standard SWD method wouldn't have worked due to the protection levels of the chip. Sadly for some of us the chip has maximum protection level (level 2), so we cannot do anything as a fuse is burnt out to prevent any form of access/flashing of the chip, this method works on level 1 protected chips which some appear to be.

 

[Magnus Hydra]

https://www.aliexpress.com/item/1005003698689759.html?spm=a2g0o.9042311.0.0.27424c4d1b7RBt

Price has gone up another $10 since I ordered it. I paid $110 and it's now showing $120. I asked a bunch of questions, and the seller said they would have to "talk to the factory", then replied later that it has v0.2.0 flashed to it already. After a few more questions, they sent me an instruction page that someone else already posted here in a different thread. But I guess it won't hurt to post here (the part on the bottom right corner is what gets me excited... although with some of the resent replies to this thread, I'm now worried if the v.0.2.0 that's on it is modified or not, and if flashing a later version direct from the github page will work or not... or brick it...)...

What is factory settings?

 

[james194zt2]

https://www.aliexpress.com/item/1005003698689759.html?spm=a2g0o.9042311.0.0.27424c4d1b7RBt

Price has gone up another $10 since I ordered it. I paid $110 and it's now showing $120. I asked a bunch of questions, and the seller said they would have to "talk to the factory", then replied later that it has v0.2.0 flashed to it already. After a few more questions, they sent me an instruction page that someone else already posted here in a different thread. But I guess it won't hurt to post here (the part on the bottom right corner is what gets me excited... although with some of the resent replies to this thread, I'm now worried if the v.0.2.0 that's on it is modified or not, and if flashing a later version direct from the github page will work or not... or brick it...)...

I wonder why the SX Coreis $28 more than OLED, it has less PCBs etc...and costs less to produce! Such scams these lot, just makes me more determined to crack this even more!! Quicker we can open source these chips the better!

 

[urherenow]

What is factory settings?

Not sure what you're asking. My guess is that it wipes out both the firmware, and the bootloader, which kicks it into DFU mode (so that you can flash an update). But that's just a hopeful guess... I don't have the chip yet.

 

[mvmiranda]

Not sure what you're asking. My guess is that it wipes out both the firmware, and the bootloader, which kicks it into DFU mode (so that you can flash an update). But that's just a hopeful guess... I don't have the chip yet.

I though about something completely different by "factory reset".
Maybe the trained data or glitch timings, assuming this chip has this feature.

Anyway, I'm buying one now, for science, of course!

 

[james194zt2]

I though about something completely different by "factory reset".
Maybe the trained data or glitch timings, assuming this chip has this feature.

Anyway, I'm buying one now, for science, of course!

The "glitch settings" are stored in the MCU, there is no training though sadly as they have crippled the MCU memory area so it is read only so can't store the timings. Flashing the GD32 MCU won't affect that side of things but installing an unlocked MCU will, but apparently once flashed glitching can stop working, can't experiment though sadly with that until my replacement GD32 chips arrive and I can replace this locked out chip with one that is not crippled.

 

[0x3000027E]

What is factory settings?

DFU mode

 

[Acide0]

it's pretty strange that the only one finding it suspicious is you.

I mean, op already explained why not all modchips are flasheable using this method.

It seems you didn't read or didn't understand every post.

lol no there is a lot of people thinking the same hahaha they just don’t ask it…

so I ask if someone have been able to do it could post it here please !!

 

[0x3000027E]

lol no there is a lot of people thinking the same hahaha they just don’t ask it…

so I ask if someone have been able to do it could post it here please !!

It's a difficult process, but I certainly wouldn't question the method. Mena is top dawg.

 

[FAKEdemicBioPYSCHONANOWAR]

So all is not lost if you already have an oled switch with spacecraft 0.1? But not all boards can be updated from what I gather. So you still maybe lost depending..?!

 

[TheUnknownOne]

Well, crap. Looks like a COVID fair-up in China is affecting businesses and shipping. I had order a buttload of stuff, including

- GDLink-OB GD-Link CMSIS-DAP burner emulator downloader

But just got a refund for it and a message:

Sorry, because of the serious epidemic situation in Xi'an, the supplier's goods can't be sent to Shenzhen. The goods can only be sent to you after the epidemic situation in Xi'an is over

Here's hoping that everything I assume is true, between what the seller told me about the chip I ordered, and the installation diagram they sent me. The OLED model I ordered just might come with a USB adapter and all it takes to reset the chip (to be flashed again) is a pair of metallic tweezers to short out 2 points while powering on. In which case, I guess I don't need this programmer thing anyway...

Yes that is how the chip works, already had to do it. Chip works very well now

 

[Acide0]

It's a difficult process, but I certainly wouldn't question the method. Mena is top dawg.

Difficult process let me laugh… what is difficult here ? yeah I know find someone who have been able to do it …. I´m waiting return from people who have succes with it.

 

[urherenow]

Yes that is how the chip works, already had to do it. Chip works very well now

You got yours already from the same seller (or at least with that same installation instruction)? Which software is used to flash it (link please)? The page doesn't really specify, only that you turn it on with the 2 points shorted...