Changes

607 bytes added, 03:14, 12 February 2021
Reverse engineer more firmware locations
The original firmware is not locked and can be dumped with an Rlink-STD Debugger using RFlasher7.
Vector table and other interesting addresses:
* 0xE003 - Serial number, at least 3 bytes. Ex: serial 8153652 is stored as 0x7C6A34 (big-endian).
* 0xE100 to 0xE136 - something that changes between units. Maybe calibration factors? Checksums?
* 0xFF00 - software string. Ex: "May 17, 2017 - V1.45"
* 0xFFE4 - AVD vector
* 0xFFE6 - SCI / UART vector
* 0xFFE8 - Timer B vector
* 0xFFEA - Timer A vector
* 0xFFEC - SPI vector
* 0xFFEE - vector unused on this chip
* 0xFFF0 - EI3 vector
* 0xFFF2 - EI2 vector
* 0xFFF4 - EI1 vector
* 0xFFF6 - EI0 vector
* 0xFFF8 - MCC/RTC vector
* 0xFFFA - vector unused on this chip
* 0xFFFC - Trap vector
* 0xFFFE - Reset vector
IDA Pro uses CPU type ST7->ST72324J6 during loading, and can load the Intel Hex file produced by the programmer directly for analysis.
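
To compare dumps from several units without opening each one in IDA, the addresses listed above can be read straight from the Intel Hex file. The script below is an added example, not part of the original wiki text: the function names are hypothetical, the sample dump is constructed (only the serial bytes and version string come from the page), and it assumes each vector is a 16-bit big-endian address and that the software string ends at the first non-printable byte.

```python
"""Read the serial number, version string and vector table from an ST7 Intel Hex dump."""

NAMES = ["AVD", "SCI/UART", "Timer B", "Timer A", "SPI", "unused", "EI3",
         "EI2", "EI1", "EI0", "MCC/RTC", "unused", "Trap", "Reset"]
VECTORS = {0xFFE4 + 2 * i: name for i, name in enumerate(NAMES)}  # 0xFFE4..0xFFFE

def load_ihex(text):
    """Parse Intel Hex data records into {address: byte}, verifying each checksum."""
    mem = {}
    for n, line in enumerate(text.split(), 1):
        if not line.startswith(":"):
            raise ValueError(f"line {n}: missing ':' start code")
        raw = bytes.fromhex(line[1:])
        if len(raw) < 5 or raw[0] != len(raw) - 5:
            raise ValueError(f"line {n}: length field does not match record")
        if sum(raw) & 0xFF:  # all bytes including the checksum must sum to 0 mod 256
            raise ValueError(f"line {n}: bad checksum")
        addr, rtype = (raw[1] << 8) | raw[2], raw[3]
        if rtype == 1:       # end-of-file record
            break
        if rtype == 0:       # data record; other types ignored (16-bit address space)
            for i, b in enumerate(raw[4:-1]):
                mem[addr + i] = b
    return mem

def describe(mem):
    """Extract the fields documented above from a parsed memory image."""
    get = lambda a, n: bytes(mem[a + i] for i in range(n))
    end = 0xFF00
    while 0x20 <= mem.get(end, 0) <= 0x7E:  # assumption: string stops at non-printable
        end += 1
    return {
        "serial": int.from_bytes(get(0xE003, 3), "big"),
        "version": get(0xFF00, end - 0xFF00).decode("ascii"),
        "vectors": {a: (name, int.from_bytes(get(a, 2), "big"))
                    for a, name in VECTORS.items()},
    }

def record(addr, data, rtype=0):
    """Build one Intel Hex record (used only to construct the sample below)."""
    body = bytes([len(data), addr >> 8, addr & 0xFF, rtype]) + data
    return ":" + (body + bytes([-sum(body) & 0xFF])).hex().upper()

# Constructed sample: vector targets 0xF100/0xF000 are made up for illustration.
SAMPLE = "\n".join([record(0xE003, bytes.fromhex("7C6A34")),
                    record(0xFF00, b"May 17, 2017 - V1.45\x00"),
                    record(0xFFE4, bytes.fromhex("F100" * 13 + "F000")),
                    record(0, b"", 1)])

if __name__ == "__main__":
    print(describe(load_ihex(SAMPLE)))
```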
