mbirth/gcd-parser
1
0
Fork 0
Code Issues 5 Pull Requests Activity

Another use for this: crossflash. #1

New Issue
Open
opened 2019-06-26 08:25:22 +01:00 by Zibri · 11 comments
Zibri commented 2019-06-26 08:25:22 +01:00 (Migrated from github.com)
Copy Link

Here is a Fenix 5X flashed with a Descent Mk1 firmware:

Fenix 5X flashed with a Descent Mk1 firmware

Click the image for the video!

If you have any more ideas contact me...

Here is a Fenix 5X flashed with a Descent Mk1 firmware: [![Fenix 5X flashed with a Descent Mk1 firmware](https://img.youtube.com/vi/5ZRj96NE4Yo/0.jpg)](https://www.youtube.com/watch?v=5ZRj96NE4Yo "Fenix 5X flashed with a Descent Mk1 firmware") Click the image for the video! If you have any more ideas contact me...
🎉 2
mbirth commented 2019-06-26 09:19:00 +01:00 (Migrated from github.com)
Copy Link

Awesome! I've made this tool to "convert" my Fenix 5 Plus into a D2 Delta. Cool to see it's working with the 5X/Descent, too. Does it do depth measurements as well? I thought the "normal" 5X is missing the sensor.

Awesome! I've made this tool to "convert" my Fenix 5 Plus into a D2 Delta. Cool to see it's working with the 5X/Descent, too. Does it do depth measurements as well? I thought the "normal" 5X is missing the sensor.
Zibri commented 2019-06-26 09:37:31 +01:00 (Migrated from github.com)
Copy Link

You got my cheat :D Everything works EXCEPT the diving features because my 5X misses the additional depth sensor the descent seems to have. For diving I use the great Dive IQ app. Question: do you have any link for the tactix charlie firmware? Please contect me on fb (fb.me/Zibri) so we can chat/discuss.

You got my cheat :D Everything works EXCEPT the diving features because my 5X misses the additional depth sensor the descent seems to have. For diving I use the great Dive IQ app. Question: do you have any link for the tactix charlie firmware? Please contect me on fb (fb.me/Zibri) so we can chat/discuss.
inevity commented 2020-01-16 11:50:41 +00:00 (Migrated from github.com)
Copy Link

@Zibri Looks like that

  Fenix 5X Descent Mk1
SKU 006-B2604-00 006-B2859-00
Sensor 006-B2663-00 006-B2664-00
BT    
WIFI 006-B2196-01 006-B2196-01
GPS 006-B2957-00 006-B1621-00
DISPLAY 006-B2605-00 006-B2869-00

How do you deal with the gps difference? and about the Display driver or firmware?

@Zibri Looks like that   | Fenix 5X | Descent Mk1 -- | -- | -- SKU | 006-B2604-00 | 006-B2859-00 Sensor | 006-B2663-00 | 006-B2664-00 BT |   |   WIFI | 006-B2196-01 | 006-B2196-01 GPS | 006-B2957-00 | 006-B1621-00 DISPLAY | 006-B2605-00 | 006-B2869-00 How do you deal with the gps difference? and about the Display driver or firmware?
mbirth commented 2020-01-16 12:06:36 +00:00 (Migrated from github.com)
Copy Link

@inevity GPS 2957 is the same hardware as 1621, but the 2957 driver adds support for Galileo.

The wrong display part seemed to only make the clock hands appear in the wrong style as both devices most probably share the same display.

@inevity GPS 2957 is the same hardware as 1621, but the 2957 driver adds support for Galileo. The wrong display part seemed to only make the clock hands appear in the wrong style as both devices most probably share the same display.
Zibri commented 2020-01-16 13:41:40 +00:00 (Migrated from github.com)
Copy Link

I think there is a way to make descent firmware play along with 5X hardware since they are basically the same thing. Unfortunately there are many combinations of GPS/WIFI/Sensor firmwares and I don't have much time... Damn I wish so much to find a watch like the fenix 5x but with a linux/android based firmware! Anyway the descent diving app sucks. DiveIQ is way better.

I think there is a way to make descent firmware play along with 5X hardware since they are basically the same thing. Unfortunately there are many combinations of GPS/WIFI/Sensor firmwares and I don't have much time... Damn I wish so much to find a watch like the fenix 5x but with a linux/android based firmware! Anyway the descent diving app sucks. DiveIQ is way better.
ghost commented 2020-06-13 22:24:32 +01:00 (Migrated from github.com)
Copy Link

Hello, you just changed hwid and checksums ?
It doesnt work with fenix 6... it says update failed

thanks

Hello, you just changed hwid and checksums ? It doesnt work with fenix 6... it says update failed thanks
mbirth commented 2020-06-14 00:08:33 +01:00 (Migrated from github.com)
Copy Link

The Fenix 6 has an encrypted firmware. I believe they use different encryption keys for different models so it can't decode a firmware from a different model. And since nobody know the encryption keys at the moment, we can't convert firmwares.

The Fenix 6 has an encrypted firmware. I believe they use different encryption keys for different models so it can't decode a firmware from a different model. And since nobody know the encryption keys at the moment, we can't convert firmwares.
jochu38 commented 2022-01-18 09:04:39 +00:00 (Migrated from github.com)
Copy Link

Is the encryption still an issue with the fenix 6? Id like to put the delta kill switch and stealth mode features onto my fenix 6xPro solar watch

Is the encryption still an issue with the fenix 6? Id like to put the delta kill switch and stealth mode features onto my fenix 6xPro solar watch
mbirth commented 2022-01-18 14:51:43 +00:00 (Migrated from github.com)
Copy Link

@jochu38 Sadly I still don't know of anyone who found a way to decrypt the firmwares. And I also don't own one of these newer watches to experiment with. Maybe there's still a preboot mode to force-feed a firmware via WebUpdater. That's how I started with all this. But I doubt this, as I very much believe all decryption is happening in the main firmware during staging (=decrypting the firmware from the GCD file into the staging area) and the bootloader is just installing the already-decrypted firmware and doesn't know anything about encryption/decrypting.

@jochu38 Sadly I still don't know of anyone who found a way to decrypt the firmwares. And I also don't own one of these newer watches to experiment with. Maybe there's still a preboot mode to force-feed a firmware via WebUpdater. That's how I started with all this. But I doubt this, as I very much believe all decryption is happening in the main firmware during staging (=decrypting the firmware from the GCD file into the staging area) and the bootloader is just installing the already-decrypted firmware and doesn't know anything about encryption/decrypting.
enbarberis commented 2022-01-21 08:12:28 +00:00 (Migrated from github.com)
Copy Link

Do you know if Fenix 6 firmware was always encrypted ? Maybe older versions are un-encrypted?

Do you know if Fenix 6 firmware was always encrypted ? Maybe older versions are un-encrypted?
mbirth commented 2022-01-21 14:47:41 +00:00 (Migrated from github.com)
Copy Link

They started encryption with the MARQ models already. And even though I'm 99% sure, the bootloaders for the MARQ Aviator and those of the other MARQ models (which all share the same firmware) are identical, they are completely different in encrypted form:

Bootloader of normal MARQ models v3.10 (67628 Bytes total):

28 08 01 00 │ 63 0F D5 58 │ 66 27 50 95 │ AA FA B7 91 │ 2E D1 A5 1A │ 2A 69 25 C8 │ F3 CF E3 64 │ F6 96 55 18 │ 4A 9F EF 29

Bootloader of MARQ Aviator v3.10 (67628 Bytes total):

28 08 01 00 │ 2C 8D C7 58 │ 59 E0 9C E1 │ B9 A4 F6 0C │ 9B 6F 9F 73 │ 80 6B 48 38 │ 9F 9B 86 E2 │ 0A BE 96 42 │ 14 24 5F F4

And even the same bootloader of a later version seems to use a different encryption key:

Boot loader of normal MARQ models v3.31 (67628 Bytes total):

28 08 01 00 │ 8D 2E 5E 8A │ 0B A7 97 25 │ EA 6E 7B A2 │ BA C5 0C 4D │ 1A BD 91 1C │ CD 14 97 25 │ 09 66 94 A7 │ DC 3D 38 8F

There might be an encryption key hidden somewhere in that binary data, but I didn't yet have the time and willpower to investigate further. ;)

They started encryption with the MARQ models already. And even though I'm 99% sure, the bootloaders for the MARQ Aviator and those of the other MARQ models (which all share the same firmware) are identical, they are completely different in encrypted form: Bootloader of normal MARQ models v3.10 (67628 Bytes total): ``` 28 08 01 00 │ 63 0F D5 58 │ 66 27 50 95 │ AA FA B7 91 │ 2E D1 A5 1A │ 2A 69 25 C8 │ F3 CF E3 64 │ F6 96 55 18 │ 4A 9F EF 29 ``` Bootloader of MARQ Aviator v3.10 (67628 Bytes total): ``` 28 08 01 00 │ 2C 8D C7 58 │ 59 E0 9C E1 │ B9 A4 F6 0C │ 9B 6F 9F 73 │ 80 6B 48 38 │ 9F 9B 86 E2 │ 0A BE 96 42 │ 14 24 5F F4 ``` And even the same bootloader of a later version seems to use a different encryption key: Boot loader of normal MARQ models v3.31 (67628 Bytes total): ``` 28 08 01 00 │ 8D 2E 5E 8A │ 0B A7 97 25 │ EA 6E 7B A2 │ BA C5 0C 4D │ 1A BD 91 1C │ CD 14 97 25 │ 09 66 94 A7 │ DC 3D 38 8F ``` There might be an encryption key hidden somewhere in that binary data, but I didn't yet have the time and willpower to investigate further. ;)
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
No items
No Label
Milestone
No items
No Milestone
Assignees
Clear assignees
mbirth
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: mbirth/gcd-parser#1
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?