Differences

This shows you the differences between two versions of the page.

--- disassembled_devices:vcds_clone_cable [2025/10/26 00:43] – [Hex V2] admin
+++ disassembled_devices:vcds_clone_cable [2025/10/26 01:01] (current) – [Patching RDP2 theoretically] admin
@@ Line 43: / Line 43: @@
 > KolimerVIILoader，Device serial number is 3N00XXXX，Tag serial number is F33-415407
-If you have a clone Hex v2 with Badrax or Kolimer loader you must pay a fee to unlock your hex v2 to allow future updates by FLY - [[https://www.digital-kaos.co.uk/forums/showthread.php/99750-VAG-COM-VCDS-EVERYTHING?p=4732973&viewfull=1#post4732973|Source]]. This is no ad: Do not support clones. \\
+If you have a clone Hex v2 with Badrax or Kolimer loader you must pay a fee to unlock your hex v2 to allow future updates by FLY ([[https://www.digital-kaos.co.uk/forums/showthread.php/99750-VAG-COM-VCDS-EVERYTHING?p=4732973&viewfull=1#post4732973|Source]]). This is no ad: Do not support clones. \\
@@ Line 91: / Line 91: @@
 Updating can be done over USB if your cable is updateable and not bricked (be aware of fly-loader bricking cables intentionally!) \\
-Flashing can be done via SWD programming interface if RDP2 is not set. If RDP2 is set and your cable is bricked, the easiest choice is to replace the STM32 MCU. You can get STM32F405VGT6 [[https://aliexpress.com/item/1005006862646663.html|e.g. on aliexpress for ~3€]] (probably clones?). Desolder bricked RDP2 MCU and replace with fresh one //(use the Flux, Luke! Always flush&Wash, this time with Isopropanol)// - better flash a RDP0 firmware then. \\
+Flashing can be done via SWD programming interface if RDP2 is not set. "brick-by-fly" sets RDP2. If RDP2 is set and your cable is bricked, the easiest choice is to replace the STM32 MCU. You can get STM32F405VGT6 [[https://aliexpress.com/item/1005006862646663.html|e.g. on aliexpress for ~3€]] (probably clones? it works fine). Desolder bricked RDP2 MCU and replace with fresh one //(use the Flux, Luke! Always flush&Wash, this time with Isopropanol)// - better flash a RDP0 firmware then. \\
 Tip to remove LQFP64 package without hot air rework station: take a rotary tool and cut through all pins carefully, then make PCB clean.
 Alternative: Coat wire with tin and solder nonstop to all pins to be able to desolder all pins concurrently with a soldering iron - [[https://www.youtube.com/watch?v=Vou2xlJkuoU|see this random YT video]] \\
@@ Line 108: / Line 108: @@
 ❌ Patching out potential security functions which use RSA keys of OTP in dump is not described here - it is probably an excessive task. \\
-**How to theoretically remove RDP2 from dump? idk, I have not tried myself (only had one spare MCU after brick-by-fly) - I imagine the easiest first approach to try it would like this:** \\
+**How to theoretically remove RDP2 from dump? idk, I have not tried myself (only had one spare MCU after brick-by-fly) - I imagine the easiest first approach to try it could be like this:** \\
 . Load the Dump into a Disassembler like Ghidra, Binary Ninja, Radare2 or IDA Pro. \\
@@ Line 127: / Line 127: @@
 </code>
-Search for:
+Search for sth like:
 <code>
 LDR  R0, =0x40023C14   ; FLASH->OPTCR
@@ Line 139: / Line 139: @@
 . Repack the Binary \\
 Save your modified binary. \\
-Cross your fingers and reflash it to a (clean / RDP0) MCU __on your own risk__ and write up your methods. \\
+Cross your fingers that this is sufficient and reflash it to a (clean / RDP0) MCU __on your own risk__ and write up your methods -(I have no spare MCU atm, do you take the risk?:). \\
 Use STM32CubeProgrammer or OpenOCD to flash to unlocked MCU with ST-Link V2 or J-Link as programmer. \\