fwrret
@firmware.blog
24 | 🇮🇨 | 🏳️🌈 | breaking things(reverse engineering) is fun
more technical posts: https://firmware.blog/
more technical posts: https://firmware.blog/
Con la tontería llevo más de una semana archivando wplace de Tenerife y partes de canarias (También lo estoy expandiendo a otras partes de la península!). Que bonito que se ve! Cuando tenga tiempo, pongo los datos accesibles pa todos y un visualizador.
August 18, 2025 at 6:46 PM
Con la tontería llevo más de una semana archivando wplace de Tenerife y partes de canarias (También lo estoy expandiendo a otras partes de la península!). Que bonito que se ve! Cuando tenga tiempo, pongo los datos accesibles pa todos y un visualizador.
This is what I have done so far, I don't think there is nothing more interesting here as the rest of the magic happens on the other MCU and analyzing how all the data is passed is very painful. I'm very tempted to you know, replace some boot and assets images, but this thing cost +400€.
July 3, 2025 at 5:50 PM
This is what I have done so far, I don't think there is nothing more interesting here as the rest of the magic happens on the other MCU and analyzing how all the data is passed is very painful. I'm very tempted to you know, replace some boot and assets images, but this thing cost +400€.
Why we should use tasks if we have a counters and switch cases? Really, see this shit. The different cases do different subtasks. What I have identified so far is one for the TPMS stuff, another for updating all the global attrs, one for the LCD and another for comm with the other MCU.
July 3, 2025 at 5:50 PM
Why we should use tasks if we have a counters and switch cases? Really, see this shit. The different cases do different subtasks. What I have identified so far is one for the TPMS stuff, another for updating all the global attrs, one for the LCD and another for comm with the other MCU.
There are a lot of task running normally, most of them are from the different sdks and libs. Where all "the magic" happens is in the Mainboard task.
July 3, 2025 at 5:50 PM
There are a lot of task running normally, most of them are from the different sdks and libs. Where all "the magic" happens is in the Mainboard task.
The software stack is an FreeRTOS plus + awtk (GUI) + FSC-Blueware (BT) + EC-SDK (screen mirror). The "architecture" is basically the awtk GUI obtains the all the information that it needs from a list of "global attributes" or communicating directly to the BT and EC sdk.
July 3, 2025 at 5:50 PM
The software stack is an FreeRTOS plus + awtk (GUI) + FSC-Blueware (BT) + EC-SDK (screen mirror). The "architecture" is basically the awtk GUI obtains the all the information that it needs from a list of "global attributes" or communicating directly to the BT and EC sdk.
And of course for the BT and WIFI it uses the Feasycomm FSC-BW121 (it uses the RTL8821CS). Fun fact, I was unable to find the fcc id and the MAC address of both BTs (le and normal) and Wi-Fi are fake/not registered! (34:FA:4A C0:FA:4A 34:C6:4A).
July 3, 2025 at 5:50 PM
And of course for the BT and WIFI it uses the Feasycomm FSC-BW121 (it uses the RTL8821CS). Fun fact, I was unable to find the fcc id and the MAC address of both BTs (le and normal) and Wi-Fi are fake/not registered! (34:FA:4A C0:FA:4A 34:C6:4A).
So the main MCU is the Amt630hV100. There is little to nothing online about it. I found something on CSDN, but I was not able to download it. Besides the LCD, it seems that to this mcu is connected an MMC mem for the fw, an CMT2300A (for TPMS?) and another mcu that communicates to the rest of the 🏍️
July 3, 2025 at 5:50 PM
So the main MCU is the Amt630hV100. There is little to nothing online about it. I found something on CSDN, but I was not able to download it. Besides the LCD, it seems that to this mcu is connected an MMC mem for the fw, an CMT2300A (for TPMS?) and another mcu that communicates to the rest of the 🏍️
The image is 8mb long and contains the application code, the boot animation (BANI) and the "ROMA" which are the resources files. There is not a fancy FS like littleFS, there is basically a superblock the contains the file path, address and length. Boot anim are concatenated jpg images.
July 3, 2025 at 5:50 PM
The image is 8mb long and contains the application code, the boot animation (BANI) and the "ROMA" which are the resources files. There is not a fancy FS like littleFS, there is basically a superblock the contains the file path, address and length. Boot anim are concatenated jpg images.
My motorbike (Zontes GK350) has an instrument panel that can do a bunch of things, including screen mirroring through an app (Carbit ride). How did they make it?
July 3, 2025 at 5:50 PM
My motorbike (Zontes GK350) has an instrument panel that can do a bunch of things, including screen mirroring through an app (Carbit ride). How did they make it?
Dumped the ROM, SRAM, "flash" and OTP. I used rdreg_phy6202.py modifying the reset method to use the one in flash_st17h66.py. Now it's time for Ghidra.
June 25, 2025 at 6:51 PM
Dumped the ROM, SRAM, "flash" and OTP. I used rdreg_phy6202.py modifying the reset method to use the one in flash_st17h66.py. Now it's time for Ghidra.
Finally, I had some time to plug into the UART, and got something!. It seems to use this SDK github.com/17HXX/ST17H6.... I was also able to put it into the RESET mode. The official tools it is the PhyPlusKit, which was documented and there are some dumping tools here github.com/pvvx/PHY62x2....
June 24, 2025 at 7:42 PM
Finally, I had some time to plug into the UART, and got something!. It seems to use this SDK github.com/17HXX/ST17H6.... I was also able to put it into the RESET mode. The official tools it is the PhyPlusKit, which was documented and there are some dumping tools here github.com/pvvx/PHY62x2....
Here are pics of another tags, in this case for Google find my device. Same MCU.
May 17, 2025 at 9:23 AM
Here are pics of another tags, in this case for Google find my device. Same MCU.
Here are some internal pics of the PCB of the cheap AliExpress Apple tag "Sualio tag" (FindMy-001)
May 10, 2025 at 12:17 PM
Here are some internal pics of the PCB of the cheap AliExpress Apple tag "Sualio tag" (FindMy-001)
Aaaa just arrived today, looks soooo cool.
February 8, 2025 at 10:18 PM
Aaaa just arrived today, looks soooo cool.
La traducción suena fatal
January 30, 2025 at 3:32 PM
La traducción suena fatal
Realmente cuando vi comentado este cambio por primera vez, no me lo creía , pero es que hay jollas aún peores en sus políticas para no deshumanizar. Excepciones principales, colectivo LGTB y género.
January 14, 2025 at 2:54 PM
Realmente cuando vi comentado este cambio por primera vez, no me lo creía , pero es que hay jollas aún peores en sus políticas para no deshumanizar. Excepciones principales, colectivo LGTB y género.
Solstol dumping in progress
January 8, 2025 at 7:25 PM
Solstol dumping in progress
Para todos lo que uséis la tablet en la cama, necesitáis esto
December 26, 2024 at 1:59 PM
Para todos lo que uséis la tablet en la cama, necesitáis esto
Y está diferencia tan grande?
December 23, 2024 at 9:24 AM
Y está diferencia tan grande?
That's some Christmas Spirit
December 7, 2024 at 5:15 PM
That's some Christmas Spirit