Unbricking a Lerdge-X board (the sequel)

A project log for Lerdge 3d Printer Mainboard Hacking

Breaking the encryption on the Lerdge series mainboards so I can try porting Marlin 2.0 to it.

J.C. NelsonJ.C. Nelson 12/21/2018 at 19:586 Comments

As I noted, I had overwritten my bootloader with non functional code. Having uploaded and let everyone else test the loader, it was time for me to do it, too. To do this, I needed to put the board into serial loader mode so the ST-Link would have time to get ahold of the chip. 

To do that, I pulled Boot0 high (connected it to the +3.3v from the ST-Link, which I'm using to power the board), and Boot1 Low (connected it to the middle pin on a sensor port.

I was immediately able to reset the chip, flash the lerdge base bootloader on, and get my beautiful "NO APP" Error message. 

This is 100% expected - after a reflash, there's no app on the board. If you wanted to move back to Lerdge's firmware, you'd proceed with a normal force update mode.


Evgeny Zyatkov wrote 09/19/2019 at 19:50 point

Hello !

How to restore factory firmware?

I tried to flash the bootloader "lerdgexboot1.0.2.patched.bin " and "lerdgexboot_1.0.4.bin " via st-link.

Bootloaders report "No find App!!"

I put Lerdge FW to SD-card in \Lerdge_X_system\Firmware\Lerdge_X_firmware_force.bin  but it does not work :(

I try encrypted and decrypted.

I tried to format the SD-card with both Windows and Linux ( "sudo mkfs.fat /dev/mmcblk1 -F 32 -s 1 -S 512 -I" )

Open On-Chip Debugger 0.9.0 (2018-01-21-13:43)
Licensed under GNU GPL v2
For bug reports, read
Info : The selected transport took over low-level target control. The results might differ compared to plain JTAG/SWD
adapter speed: 2000 kHz
adapter_nsrst_delay: 100
none separate
srst_only separate srst_nogate srst_open_drain connect_deassert_srst
none separate
Info : Unable to match requested speed 2000 kHz, using 1800 kHz
Info : Unable to match requested speed 2000 kHz, using 1800 kHz
Info : clock speed 1800 kHz
Info : STLINK v2 JTAG v34 API v2 SWIM v7 VID 0x0483 PID 0x3748
Info : using stlink api v2
Info : Target voltage: 3.265209
Info : stm32f4x.cpu: hardware has 6 breakpoints, 4 watchpoints
target state: halted
target halted due to debug-request, current mode: Thread 
xPSR: 0x01000000 pc: 0x0800a688 msp: 0x2001a5f0
Info : device id = 0x100*****
Info : flash size = 512kbytes
stm32f2x unlocked.
INFO: a reset or power cycle is required for the new settings to take effect.
auto erase enabled
auto unlock enabled
target state: halted
target halted due to breakpoint, current mode: Thread 
xPSR: 0x61000000 pc: 0x20000042 msp: 0x2001a5f0
wrote 65536 bytes from file fw.bin in 2.515835s (25.439 KiB/s)
st-flash 1.5.1-38-gc3577b5
2019-09-19T21:47:52 INFO common.c: Loading device parameters....
2019-09-19T21:47:52 INFO common.c: Device connected is: F4 device, id 0x100*****
2019-09-19T21:47:52 INFO common.c: SRAM size: 0x30000 bytes (192 KiB), Flash: 0x80000 bytes (512 KiB) in pages of 16384 bytes
2019-09-19T21:47:52 INFO common.c: Ignoring 12 bytes of 0xff at end of file
2019-09-19T21:47:52 INFO common.c: Attempting to write 65524 (0xfff4) bytes to stm32 address: 134217728 (0x8000000)
EraseFlash - Sector:0x0 Size:0x4000 
Flash page at addr: 0x08000000 erasedEraseFlash - Sector:0x1 Size:0x4000 
Flash page at addr: 0x08004000 erasedEraseFlash - Sector:0x2 Size:0x4000 
Flash page at addr: 0x08008000 erasedEraseFlash - Sector:0x3 Size:0x4000 
Flash page at addr: 0x0800c000 erased
2019-09-19T21:47:53 INFO common.c: Finished erasing 4 pages of 16384 (0x4000) bytes
2019-09-19T21:47:53 INFO common.c: Starting Flash write for F2/F4/L4
2019-09-19T21:47:53 INFO flash_loader.c: Successfully loaded flash loader in sram
enabling 32-bit flash writes
size: 32768
size: 32756
2019-09-19T21:47:54 INFO common.c: Starting verification of write complete
2019-09-19T21:47:55 INFO common.c: Flash written and verified! jolly good!

  Are you sure? yes | no

J.C. Nelson wrote 09/20/2019 at 02:15 point

I have successfully unbricked both my X and K boards by flashing the patched and backup bootloaders, either  one. After that, it should say "No find App" or something similar, and that's when you do the force update.

  Are you sure? yes | no

Bryan wrote 04/24/2019 at 12:13 point

ok so only have the the force.bin file in the firmware folder? Should I have the new firmware anywhere else on the sd card? The issue I'm having after putting the wrong firmware on it is when I power it on it searches for the lerdge k ui file path and since it cant find that path it errors out,so I'm stuck in this evil firmware loop. I'm not the best with software but am trying to learn as much as I can so this is all very much so over my head lol

  Are you sure? yes | no

Bryan wrote 04/24/2019 at 00:39 point

I made the mistake of flashing the board with the Lerdge K 3.0.0 instead of the Lerdge X 3.0.0 firmware  but cannot figure out how to unbrick it. Can you please explain how to do this for us less fortunate folks who are unfamiliar with all of that craziness lol. I am so not familiar with all of this and need your help, if not ill be buying a new board

  Are you sure? yes | no

J.C. Nelson wrote 04/24/2019 at 04:44 point

If all you did was update with the wrong firmware, a force update should work. To do that, take a nice, clean SD card and extract the lerdge-x firmware into it. You need to have a folder called /Lerdge_X_system/Firmware and in that, the filename should be Lerdge_X_firmware_force.bin. If you also have a Lerdge_X_firmware.bin, delete that (you want only the force one there). Put the SD card in and reboot.  The way I recall it, Lerdge's firmware zips already have the right structure, you just go in and delete the Lerdge_X_firmware.bin, leaving the force one. It should flip to the flashing screen and flash it right over. The X and the K are very similar hardware, so it should be possible to flash back.  

  Are you sure? yes | no

cmshelton2010 wrote 12/22/2018 at 00:53 point

Thanks J.C. excellent work , you and your family have a great Christmas and New year holiday . 

  Are you sure? yes | no