How is firmware dumped/modified from mod chips like Yihi SX3**, and what languages are used to prog

Status
Not open for further replies.

vaperXant

Senior Member
ECF Veteran
Verified Member
Jul 10, 2014
236
188
New Mexico
If I wanted to modify a Yihi chip like the SX330 or SX350:
First situation: say I have an update released by Yihi. What programming language would it be written in (assuming some variant of C like Arduino, or maybe even machine language), and would any additional work need to be done to convert or dump it into a readable/writable format?

Second situation: say I didn't have an update available. How could I dump the firmware, if possible?

Lastly, I understand Yihi has released software to make a connection/link with the relevant drivers.

What type of options besides boot screen changes would this make available? And yes, I understand the risks, I'm just curious.
 

BlueridgeDog

Ultra Member
ECF Veteran
Verified Member
Nov 20, 2014
1,181
3,944
Rocky Mount, VA, USA
No different than sending an image to an Arduino. You could in theory take apart an update and reverse engineer it so that you could stream in changes. At the point of going to the chip, I would assume it is compiled to machine language specific to that chip. You could also look at the chip used and then search for the IDE that works with that chip.
 

Alexander Mundy

Ribbon Twister
ECF Veteran
Verified Member
Apr 1, 2013
4,408
26,095
Springfield, MO
You would need to know the specific microprocessor used and a reverse compiler for it. Even then I have found reverse compilers leave a lot to be desired, so a lot of manual cleanup is necessary. You still wouldn't have the addresses of variables and reserved memory blocks and what they are used for. If for some ungodly reason they left the bits set to allow you to dump the firmware you would have a better chance, but still a lot of work to do even if you are familiar with programming. If they obfuscated it, it would be a nightmare. BTW, I tried to dump the SX350 and no go. Spent a day and overnight session while the wife was out of town reverse engineering the boot screen and menu item graphics for the original releases, but they have changed the way they are stored or obfuscated them further in the more recent releases.
 

vaperXant

Senior Member
ECF Veteran
Verified Member
Jul 10, 2014
236
188
New Mexico
Damn, I was hoping it was easy. Do they blow the connections?
 

Alexander Mundy

Ribbon Twister
ECF Veteran
Verified Member
Apr 1, 2013
4,408
26,095
Springfield, MO
Different manufacturers do it differently. I have a good hunch the SX350 uses an STM32. In that case they can protect section(s) of flash from readout and/or writing during initial programming, leaving other section(s) write and/or read enabled. Attempting to reset this protection causes a global flash erase.
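An added example, not code from any poster in this thread: a first-pass triage of an update file that checks the two things discussed above, whether the image is plain compiled machine code for a Cortex-M part or has been obfuscated. It assumes a generic STM32 memory map (flash at 0x08000000, SRAM at 0x20000000) and a little-endian image; the sample blobs are constructed, not Yihi firmware.

```python
import hashlib
import math
import struct
from collections import Counter

# Assumptions (not from the thread): generic STM32 memory map, little-endian image.
FLASH = range(0x0800_0000, 0x0810_0000)  # main flash, 1 MiB window
SRAM = range(0x2000_0000, 0x2002_0001)   # 128 KiB SRAM; stack top may equal the end

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; near 8.0 suggests encryption or compression."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def is_thumb_flash(addr: int) -> bool:
    """Handler addresses are odd (Thumb bit set) and point into flash."""
    return addr & 1 == 1 and addr in FLASH

def find_vector_table(image: bytes) -> int:
    """Return the offset of a plausible Cortex-M vector table, or -1 if none."""
    for off in range(0, len(image) - 63, 4):
        sp, reset, *rest = struct.unpack_from("<16I", image, off)
        # Word 0 is the initial stack pointer, word 1 the reset handler;
        # the remaining system entries are handlers or reserved zeros.
        if sp in SRAM and sp % 4 == 0 and is_thumb_flash(reset) \
                and all(h == 0 or is_thumb_flash(h) for h in rest):
            return off
    return -1

def triage(image: bytes) -> str:
    if find_vector_table(image) >= 0:
        return "plain Cortex-M image"
    if entropy(image) > 7.5:
        return "encrypted or compressed"
    return "unrecognised"

# Constructed samples: a 32-byte made-up container header followed by a
# vector table and filler code, and a pseudo-random blob standing in for
# an obfuscated update.
_vectors = [0x2000_5000, 0x0800_0141, 0x0800_0151, 0x0800_0153] + [0] * 12
PLAIN = b"FWUPDATE".ljust(32, b"\0") + struct.pack("<16I", *_vectors) + b"\x70\x47" * 512
OPAQUE = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))

if __name__ == "__main__":
    for name, blob in (("PLAIN", PLAIN), ("OPAQUE", OPAQUE)):
        print(name, find_vector_table(blob), round(entropy(blob), 2), triage(blob))
```

A vector table found at a non-zero offset gives the size of the container header, and the reset handler address gives the load address a disassembler needs.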
 