Hacking Bricked EZFlash cart.

[k0walski]

Hello everyone! It seems that I've bricked the FPGA somehow during kernel update (which actually didn't happen at all since the update process was not even started - there was a message that something wrong with my sd card).

After that I couldn't enter the update menu at all. Actually, the EZOS even doesn't boot. My GBA just shows own boot logo and that's it. Maybe my sd card has corrupted the contents of the FPGA or NOR... or SPI flash on the back side. I've started checking the SPI, but I can't find its original image anywhere.

I was able to create a dump from SPI, but it would be nice to have at least the checksum of the contents to verify the image is correct. And, it also would be really nice to have the pinout for the jtag interface on the board (don't want to de-solder the FPGA to check which points are connected even though I can)... I assume it goes directly to FPGA, since NOR should be connected to FPGA directly...
So any help is appreciated. Thanks.

 

[mrgone]

Hello everyone! It seems that I've bricked the FPGA somehow during kernel update (which actually didn't happen at all since the update process was not even started - there was a message that something wrong with my sd card).

After that I couldn't enter the update menu at all. Actually, the EZOS even doesn't boot. My GBA just shows own boot logo and that's it. Maybe my sd card has corrupted the contents of the FPGA or NOR... or SPI flash on the back side. I've started checking the SPI, but I can't find its original image anywhere.

I was able to create a dump from SPI, but it would be nice to have at least the checksum of the contents to verify the image is correct. And, it also would be really nice to have the pinout for the jtag interface on the board (don't want to de-solder the FPGA to check which points are connected even though I can)... I assume it goes directly to FPGA, since NOR should be connected to FPGA directly...
So any help will be appreciated. Thanks.

you should make a new thread,
not resurrecting a 2 years old thread with a different content

 

[k0walski]

you should make a new thread,
not resurrecting a 2 years old thread with a different content

Thank you very much for moving this post to the new thread. My 24h thread creation timeout should expire in half an hour I guess...

 

[hippy dave]

Did you try this? https://gbatemp.net/threads/how-to-make-your-sd-card-to-ez-flash-omega-de-recovery-able.584611/

 

[k0walski]

Did you try this? https://gbatemp.net/threads/how-to-make-your-sd-card-to-ez-flash-omega-de-recovery-able.584611/

Yes, I've prepared sd-card earlier. Unfortunately the cart itself doesn't boot into the recovery mode at all. All I can see is Nintendo logo screen.

P.S. - or maybe there are other key combinations to enter recovery mode?

 

[DrunkenMonk]

Yes, I've prepared sd-card earlier. Unfortunately the cart itself doesn't boot into the recovery mode at all. All I can see is Nintendo logo screen.

P.S. - or maybe there are other key combinations to enter recovery mode?

If you can dump the spi flash in it's current state then contact ez flash and give them the dump, they should be able to create a recovery dump for you that you can restore, that's what I ended up having to do after I encountered corruption from the pre-release test firmware before

 

[k0walski]

If you can dump the spi flash in it's current state then contact ez flash and give them the dump, they should be able to create a recovery dump for you that you can restore, that's what I ended up having to do after I encountered corruption from the pre-release test firmware before

That might work. But to whom should I send the dump?

Just small info... My current investigation lead me to the following:
SPI flash (on the back side of the board) has two entries, one at offset 0x10000, another - at 0x50000. Both entries have same size, but their checksums don't match. I assume it should be some kind of a boot loader used by FPGA... but FPGA itself doesn't seem to be working at all. I was able to boot the cart only two times... As a matter of fact, I've just ordered EZ Flash Omega DE.... (to have at least one working)...

 

[k0walski]

...

If EZ-Flash2 could say his opinion about that. I've sent him a PM, maybe this helps...

 

[EZ-Flash2]

I do not recommend that users do the repair themselves, contacting the dealer for warranty is the fastest and best solution.

 

[k0walski]

I do not recommend that users do the repair themselves, contacting the dealer for warranty is the fastest and best solution.

Well, I completely agree (in general). But in my case, I know what I'm doing and I know how do the bit-bang instead of h/w SPI protocol, how to compile an application for Z80 CPU using SDCC toolchain, Yocto and other stuff including PCB prototyping, flashing controllers etc...
That's why I'm kindly asking for the images for FPGA (restore contents, I won't ask for the source, of course), on-board JTAG pinout (wouldn't like to do guess work)... Ideally, verify the checksums for SPI flash on the back side... Because I've never seen the behavior I described before...
Of course if you can help. If it's not for sharing - that's ok, I understand, no problem.
Thanks!

 

[EZ-Flash2]

Well, I completely agree (in general). But in my case, I know what I'm doing and I know how do the bit-bang instead of h/w SPI protocol, how to compile an application for Z80 CPU using SDCC toolchain, Yocto and other stuff including PCB prototyping, flashing controllers etc...
That's why I'm kindly asking for the images for FPGA (restore contents, I won't ask for the source, of course), on-board JTAG pinout (wouldn't like to do guess work)... Ideally, verify the checksums for SPI flash on the back side... Because I've never seen the behavior I described before...
Of course if you can help. If it's not for sharing - that's ok, I understand, no problem.
Thanks!

Sorry, we can't provide FPGA data, anyone with this data will be able to clone card in large quantities, so contacting dealer is indeed a good way.

 

[k0walski]

Sorry, we can't provide FPGA data, anyone with this data will be able to clone card in large quantities, so contacting dealer is indeed a good way.

I understand. It might have happened that I've bought one of these clones... That's probably why I'm getting such strange behavior. I'll try to contact the seller.
Thanks anyway!

 

[k0walski]

So, as a follow-up to this topic... I've got another cart. This time it's EZ Flash Omega DE. Which works perfectly. I've updated it (was a bit scary after I bricked the first one) successfully. So, I assume the first one wasn't original or, probably, faulty by-default. Anyway, now Omega DE works like a charm!