Thread: Discussion Walkera DEVO Tx Hacking
Old Apr 06, 2012, 10:28 PM
Finally! I figured out why working with the Walkera images is so hard. They are post-processed in some way during upload. I spent a long time trying to figure out why my checksum code wasn't working. Well, the code I was loading was getting corrupted during upload.
I used the code that rcH4x0r posted to read back the initialization of the firmware, and indeed, it is different. Here is the data from the dfu starting at 0x08004130:
Code:
0000000: dff8 0cd0 00f0 a0fc 0048 0047 b579 0208  .........H.G.y..
0000010: 481d 0020 7047 0848 8847 0849 89f3 0890  H.. pG.H.G.I....
0000020: 0748 0047 fee7 fee7 fee7 fee7 fee7 fee7  .H.G............
0000030: fee7 fee7 fee7 fee7 4541 0008 481d 0020  ........EA..H.. 
0000040: 3141 0008 40ea 0103 a307 0ad1 02e0 0881  1A..@...........
0000050: 121f 08c8 042a fad2 03e0 11f8 013b 00f8  .....*.......;..
0000060: 013b 521e f9d2 7047 d2ba 01e0 00f8 012b  .;R...pG.......+
0000070: 491e fbd2 7047 0022 f6e7 10bd 0446 0846  I...pG.".....F.F
0000080: 1146 0246 2046 fff7 efff 2046 10c5 0346  .F.F F.... F...F
0000090: 00e0 401c 0278 002a fbd1 11f8 012b 00f8  ..@..x.*.....+..
00000a0: 012b 002a f9d1 1846 7047 0146 0020 00e0  .+.*...FpG.F. ..
00000b0: 401c 0a5c 002a fbd1 7047 30bd 0446 0020  @..\.*..pG0..F. 
00000c0: 0346 00e0 5b1c 9b42 03d2 e05c 855c 401b  .F..[..B...\.\@.
00000d0: f8d0 30c5 0346 11f8 012b 00f8 012b 002a  ..0..F...+...+.*
00000e0: f9d1 1846 7047 f0bc 1446 20f0 0046 21f0  ...FpG...F ..F!.
00000f0: 0041 00f0 0042 9642 05d2 3046 0e46 0146  .A...B.B..0F.F.F
and here is what was read from the Tx for the same address range:
Code:
0000000: dff8 0cd0 00f0 98fc 0048 0047 ad79 0208  .........H.G.y..
0000010: 481d 0020 7047 0848 8047 0849 81f3 0888  H.. pG.H.G.I....
0000020: 0748 0047 fee7 fee7 fee7 fee7 fee7 fee7  .H.G............
0000030: fee7 fee7 fee7 fee7 4541 0008 481d 0020  ........EA..H.. 
0000040: 3141 0008 40ea 0103 9b07 0ad1 02e0 08c9  1A..@...........
0000050: 121f 08c0 042a fad2 03e0 11f8 013b 00f8  .....*.......;..
0000060: 013b 521e f9d2 7047 d2b2 01e0 00f8 012b  .;R...pG.......+
0000070: 491e fbd2 7047 0022 f6e7 10b5 0446 0846  I...pG.".....F.F
0000080: 1146 0246 2046 fff7 efff 2046 10bd 0346  .F.F F.... F...F
0000090: 00e0 401c 0278 002a fbd1 11f8 012b 00f8  ..@..x.*.....+..
00000a0: 012b 002a f9d1 1846 7047 0146 0020 00e0  .+.*...FpG.F. ..
00000b0: 401c 0a5c 002a fbd1 7047 30b5 0446 0020  @..\.*..pG0..F. 
00000c0: 0346 00e0 5b1c 9342 03d2 e05c cd5c 401b  .F..[..B...\.\@.
00000d0: f8d0 30bd 0346 11f8 012b 00f8 012b 002a  ..0..F...+...+.*
00000e0: f9d1 1846 7047 f0b4 1446 20f0 0046 21f0  ...FpG...F ..F!.
00000f0: 0041 00f0 0042 8e42 05d2 3046 0e46 0100  .A...B.B..0F.F..
Note the 7th bit is 0xa0 in the dfu and 0x98 in the dump from the Tx.
I think the transformation is something like (dfu->rom): if byte >= 0x88 && byte <= 0xcf, byte = byte - 8; if byte >= 0x80 && byte < 0x88, byte += 0x48.

So in writing code to dump the rom, we got lucky. The code rcH4x0r generated has no bytes that meet these criteria, so it worked as desired. The code I wrote sometimes had these bytes and sometimes not, which is why I was getting so frustrated.

Edit: I used the reverse translation above with my checksum code, and I was able to prove that the bootloader rcH4x0r downloaded is complete and correct. So now I can load arbitrary code into the dfu and actually have it work rather than behave mysteriously, and we have both the proper firmware code as well as the proper bootloader!
Last edited by PhracturedBlue; Apr 06, 2012 at 11:20 PM.
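As an added check (this is not code from the post or from the DeviationTX project), the script below applies the byte mapping proposed above to an excerpt of the two dumps, compares the result with what the Tx read back, and also provides the inverse mapping for turning a Tx read-back into the bytes that must be placed in a dfu. Offsets are relative to the start of the dumps (0x08004130); the excerpt is the lines at 0x00, 0x10, 0x40, 0xc0 and 0xf0, which exercise both branches of the rule.

```python
# Excerpt of the two xxd-style dumps quoted in the post (ASCII column dropped):
# the image as uploaded via dfu, and the same range read back from the Tx.
DFU_DUMP = """\
0000000: dff8 0cd0 00f0 a0fc 0048 0047 b579 0208
0000010: 481d 0020 7047 0848 8847 0849 89f3 0890
0000040: 3141 0008 40ea 0103 a307 0ad1 02e0 0881
00000c0: 0346 00e0 5b1c 9b42 03d2 e05c 855c 401b
00000f0: 0041 00f0 0042 9642 05d2 3046 0e46 0146"""
TX_DUMP = """\
0000000: dff8 0cd0 00f0 98fc 0048 0047 ad79 0208
0000010: 481d 0020 7047 0848 8047 0849 81f3 0888
0000040: 3141 0008 40ea 0103 9b07 0ad1 02e0 08c9
00000c0: 0346 00e0 5b1c 9342 03d2 e05c cd5c 401b
00000f0: 0041 00f0 0042 8e42 05d2 3046 0e46 0100"""


def parse_xxd(dump):
    """Return {offset: byte} from xxd-style lines without an ASCII column."""
    out = {}
    for line in dump.splitlines():
        off_hex, words = line.split(":", 1)
        for i, b in enumerate(bytes.fromhex("".join(words.split()))):
            out[int(off_hex, 16) + i] = b
    return out


def dfu_to_rom(b):
    """The upload transform hypothesised in the post, for one byte."""
    if 0x88 <= b <= 0xcf:
        return b - 8
    if 0x80 <= b < 0x88:
        return b + 0x48
    return b


def rom_to_dfu(b):
    """Inverse of dfu_to_rom: the window 0x80..0xcf is a rotation by 8."""
    if 0x80 <= b <= 0xc7:
        return b + 8
    if 0xc8 <= b <= 0xcf:
        return b - 0x48
    return b


def mismatches(dfu, tx):
    """Offsets where transforming the dfu byte does not give the Tx byte."""
    return [off for off, b in sorted(dfu.items()) if dfu_to_rom(b) != tx[off]]


def check_post_data():
    """Run the rule over the excerpt; returns the unexplained offsets."""
    return mismatches(parse_xxd(DFU_DUMP), parse_xxd(TX_DUMP))
```

Every byte in the excerpt is explained by the rule except the very last one of the 0xf0 line (0x46 in the dfu, 0x00 read back), which the post does not comment on; the rotation is a bijection on 0x80..0xcf, so rom_to_dfu(dfu_to_rom(b)) == b for every byte value.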