Patching Pulse Oximeter Firmware

> As a side note: replacing the chip took longer than expected. I accidentally ordered a GD32F350R8T6, instead of the GD32F350RBT6 that was in the device originally. These two types differ in their flash sizes: 64 kB vs 128 kB. Don’t ask me why GigaDevice thought this naming scheme and this font was a good idea

An 8 looking almost exactly like a B. What a terrible idea.

Also the self patching back into protected mode! ugh - good thing they ordered more than one!

Blame STM. Those clones copy (..among other things) the naming convention from STMicroelectronics parts like stm32f103c8t6/stm32f103cBt6. Guess what's the only difference between those.

Oh, and .. since STM likes binning/product segmentation, there's a good chance that if you ignore the reported flash size and still try to flash the full 128K, it works on those models..

The article mentions suspiciously similar looking devices on Aliexpress for less than $10, but it looks like under $3 even. This seems like a very cool thing to hack on, for that price.

Doesn't the protection usually work such that it prevents reading the firmware but still allows you to erase and reflash it?

Assuming the other commenter is correct and the mcu is a clone of an ST product, then it's possible that the protection are fuses that destroy the pathways to the memory. They're one-time writable and cannot be undone. At my work that is how we protect our firmware with a similar ST product.

I'm not sure how it works in-silicon. Would be interesting to know how... but it's sunday afternoon