[Tutorial] How to flash the HWFLY Clone chips

Andrey_Egorov

Can I just flash a new GD32 with OLED firmware and replace the one on the hwfly lite?
Hi. I tested different types of chips, orig sx core and hwfly versions with spacecraft v1/v2 on board. I'm not sure the fpga is 100% write protected. Perhaps it checks its software version against the software version in the gd32. If you transplant the gd32 from any of the chips (orig, 0.1.0 sc, 0.2.0 sc), swap them - the chips stop working. I suggested that it might be possible to buy a new gd32, write sc 0.1.0 to it, and after that, try to update the chip to 0.2.0 using the sc-nx updater. I have debug discovery boards for stm32, until I figure out how to flash your bin on the controller

james194zt2

Hi. I tested different types of chips, orig sx core and hwfly versions with spacecraft v1/v2 on board. I'm not sure the fpga is 100% write protected. Perhaps it checks its software version against the software version in the gd32. If you transplant the gd32 from any of the chips (orig, 0.1.0 sc, 0.2.0 sc), swap them - the chips stop working. I suggested that it might be possible to buy a new gd32, write sc 0.1.0 to it, and after that, try to update the chip to 0.2.0 using the sc-nx updater. I have debug discovery boards for stm32, until I figure out how to flash your bin on the controller
I will be really surprised if that FPGA is not as fully write protected as possible. This is the "Achilles heel" of the HWFly; with that cracked there is nothing stopping any of us grabbing an order from PCBWay and making our own boards.

The biggest pain with it is that it is a reball job to take it on and off. I was going to do some digging into that next after I had cracked the STM32 on this board; it looked like several pins are not exposed on the PCB, so knowing our luck it is almost guaranteed to be the ones we need to work on it!

Have you got the firmware for the 0.1 HWFly? I asked about an issue I was having over at Spacecraft's site and the dev told me that the 0.1 firmware on these is a heavily modified version of Spacecraft 0.1, so a straight dump of the original version from the devs on to a blank STM32 is probably not going to work.

The first step I wanted to try was to flash a brand new STM32 with the original firmware AFTER removing the write protection flags out with the original firmware, then taking it from there really.

Andrey_Egorov

Hi. I tested different types of chips, orig sx core and hwfly versions with spacecraft v1/v2 on board. I'm not sure the fpga is 100% write protected. Perhaps it checks its software version against the software version in the gd32. If you transplant the gd32 from any of the chips (orig, 0.1.0 sc, 0.2.0 sc), swap them - the chips stop working. I suggested that it might be possible to buy a new gd32, write sc 0.1.0 to it, and after that, try to update the chip to 0.2.0 using the sc-nx updater. I have debug discovery boards for stm32, until I figure out how to flash your bin on the controller
Well, the fpga is unequivocally read-protected; I'm not sure that this necessarily means that it is also write-protected. I don't have a hwfly 0.1 dump, but I have the hwfly v1 core/lite chips, and the hardware to work with stm32 (stlink v2, stm32f4x-discovery)

Andrey_Egorov

I will be really surprised if that FPGA is not as fully write protected as possible. This is the "Achilles heel" of the HWFly; with that cracked there is nothing stopping any of us grabbing an order from PCBWay and making our own boards.

The biggest pain with it is that it is a reball job to take it on and off. I was going to do some digging into that next after I had cracked the STM32 on this board; it looked like several pins are not exposed on the PCB, so knowing our luck it is almost guaranteed to be the ones we need to work on it!

Have you got the firmware for the 0.1 HWFly? I asked about an issue I was having over at Spacecraft's site and the dev told me that the 0.1 firmware on these is a heavily modified version of Spacecraft 0.1, so a straight dump of the original version from the devs on to a blank STM32 is probably not going to work.

The first step I wanted to try was to flash a brand new STM32 with the original firmware AFTER removing the write protection flags out with the original firmware, then taking it from there really.
Well, the fpga is unequivocally read-protected; I'm not sure that this necessarily means that it is also write-protected. I don't have a hwfly 0.1 dump, but I have the hwfly v1 core/lite chips, and the hardware to work with stm32 (stlink v2, stm32f4x-discovery)

james194zt2

Well, the fpga is unequivocally read-protected; I'm not sure that this necessarily means that it is also write-protected. I don't have a hwfly 0.1 dump, but I have the hwfly v1 core/lite chips, and the hardware to work with stm32 (stlink v2, stm32f4x-discovery)

Yes, definitely read protected from my understanding (not even looked at it!), but my understanding is it is write protected as well, hence why it can't learn timings of the specific console. Plus generally read protect forces write protect as well on the NAND side of things.

The issue is the STM32 of a lot of us are level 2 protected, so we can't read them over STLink/UART etc... and dump the firmware, never mind write it sadly.

Mena

OP
Out of interest, has the firmware and bootloader for the 0.1 HWFly core been dumped somehow? Was going to try and dump it over the weekend (GD32 vs ChipWhisperer to glitch the level 2 flag), but wondered if we already had it to have a look inside?

I am assuming it is in the BOOT0 file, due to the tool to compare if it is 0.1 or 0.2 Spacecraft as well? But is it complete? I am doubting it includes the bootloader even if it is in there.
If you’re going to glitch it, you’ll need to do an invasive hw sanding to access IO2 on QSPI

Andrey_Egorov

Yes, definitely read protected from my understanding (not even looked at it!), but my understanding is it is write protected as well, hence why it can't learn timings of the specific console. Plus generally read protect forces write protect as well on the NAND side of things.

The issue is the STM32 of a lot of us are level 2 protected, so we can't read them over STLink/UART etc... and dump the firmware, never mind write it sadly.
Well, that's why I thought that you can buy a new clean gd32, not blocked, flash it to 0.1.0 sc or hwfly 0.1 (if you can count) and then try to update to 0.2.0 or to the modification that is presented here. But if firmware 0.1 in hwfly and sc 0.1 are different, nothing will probably come of this idea.

james194zt2

If you’re going to glitch it, you’ll need to do an invasive hw sanding to access IO2 on QSPI
Possibly, although it looks like you can glitch the GD32 into level 1, which will re-enable the SWD interface; then apparently if you attempt a read, you can glitch the read out command and corrupt it so that you can read out the firmware, from what I have been investigating.

I am hoping to use this attack vector to start with without going physical on it, then look at disabling the flags in the bootloader on a blank STM32 before removing and installing this new chip back on my board.

I know it doesn't help people who are struggling with the flashing of the firmware, but I think having all of the firmware versions with the level 2 flag disabled will help an experienced installer, they should be able to whip that GD32 chip and replace with a new chip costing a couple of $ in a matter of minutes instead of these chips just being dumped.

Ideally the key is the FPGA I would love that to get dumped so we can kick all these dodgy clones out of the door, the price point is disgusting and the fact they are purposely crippling them is the icing on the cake to this.

james194zt2

Well, that's why I thought that you can buy a new clean gd32, not blocked, flash it to 0.1.0 sc or hwfly 0.1 (if you can count) and then try to update to 0.2.0 or to the modification that is presented here. But if firmware 0.1 in hwfly and sc 0.1 are different, nothing will probably come of this idea.
Yes, I was discussing doing similar on here last weekend; that is my plan as well (waiting for the parts to arrive from China, still about a week out from arriving). I mean we can try flashing official 0.1 on to it, hopefully it will work, but I am not convinced from what I have read on here and the Spacecraft dev issue list.

This is why I really want to start with the base HWFly firmware from the chip with the flag modified then go from there as it should be identical then to what is on there, check it works and it then gives us a good base point of reference.

mvmiranda

View attachment 293507

I'm trying to flash the hwfly lite with RPI and it didn't work.
SWD connection using the GD-programmer / the ST-Link didn't work either. Yes, I've lifted pin 44.

FYI, as soon as we connect the chip to the RPI, the LED starts blinking purple, red, and off.
Correct!
I forgot mentioning this chip behavior but I have the same here as well!

Mena

OP
What is the normal behaviour out of interest when you turn it on? Mine went a solid red for a couple of seconds and then went off. Just wondered if that was the correct thing to happen?
Without 3v3 that's the behavior I got.