Patching Pulse Oximeter Firmware
46 points by stgl 6 days ago | 2 comments | stefan-gloor.ch | HN
rossant
11 hours ago
> As a side note: replacing the chip took longer than expected. I accidentally ordered a GD32F350R8T6, instead of the GD32F350RBT6 that was in the device originally. These two types differ in their flash sizes: 64 kB vs 128 kB. Don’t ask me why GigaDevice thought this naming scheme and this font was a good idea

An 8 looking almost exactly like a B. What a terrible idea.

05
9 hours ago
Blame STM. Those clones copy (among other things) the naming convention from STMicroelectronics parts like stm32f103c8t6/stm32f103cBt6. Guess what's the only difference between those.

Oh, and... since STM likes binning/product segmentation, there's a good chance that if you ignore the reported flash size and still try to flash the full 128K, it works on those models.

djmips
10 hours ago
Also the self-patching back into protected mode! ugh - good thing they ordered more than one!
grishka
8 hours ago
Doesn't the protection usually work such that it prevents reading the firmware but still allows you to erase and reflash it?
fusslo
6 hours ago
Assuming the other commenter is correct and the MCU is a clone of an ST product, then it's possible that the protection is fuses that destroy the pathways to the memory. They're one-time writable and cannot be undone. At my work that is how we protect our firmware with a similar ST product.

I'm not sure how it works in-silicon. Would be interesting to know how... but it's Sunday afternoon

the_biot
9 hours ago
The article mentions suspiciously similar-looking devices on Aliexpress for less than $10, but it looks like under $3 even. This seems like a very cool thing to hack on, for that price.