You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hi — opening this as a detailed field report in case it helps future work on the 5125 (or other Huawei-Goodix variants). Issue #20 was closed as not planned back in 2022 with no technical discussion; this report fills in what I found.
TL;DR: 27c6:5125 silicon appears protocol-compatible with 51x7. Chip ID register, firmware-family name, OTP, NOP/enable_chip/reset, register reads, preset_psk_read, and MCU query all work identically in both APP (factory) and IAP modes. However, after erasing the factory app firmware and flashing GF_ST411SEC_APP_12109.bin (the 51x7 target), preset_psk_read(0xbb020003) returns success=False in APP mode — even though the same command succeeded both before the flash (on factory firmware GF_ST411SEC_APP_12508) and in IAP mode after the PSK was written. The subsequent TLS handshake (request_tls_connection) then times out.
So either:
The 5125 stores the provisioned PSK somewhere the 5117 APP firmware doesn't look, or
The 5117 APP firmware's PSK-read command has a hardware dependency that differs on the 5125 silicon.
Factory PSK hash differs from the 51x7 PMK_HASH (ba1a…2d43), as expected — the device was provisioned with a different PSK at the factory.
2. Erase → IAP → write PSK → flash
Using a forked driver_51x7 main loop with VALID_FIRMWARE = GF_ST411SEC_APP_12[0-9]{3} and IAP_FIRMWARE = MILAN_ST411SEC_IAP_12[0-9]{3} to accept our factory firmware. Each destructive step gated by explicit user confirmation.
mcu_erase_app(0, False) → sensor re-enumerated; now reports an IAP name in the MILAN_ST411SEC_IAP_12xxx range (PID stayed at 5125 during IAP).
preset_psk_write(0xbb010003, PSK_WHITE_BOX) in IAP → returned True.
preset_psk_read(0xbb020003) in IAP → success=True, psk == PMK_HASH (51x7's expected hash). So the PSK write landed correctly at the IAP's PSK location.
So the flash succeeded at every layer up to and including the MCU config upload. Only PSK read and the subsequent TLS handshake fail.
I tried the same sequence a second time with the 51x0 variant (GF_ST411SEC_APP_12117.bin) — identical outcome: flash succeeds, preset_psk_read in APP mode fails the same way.
Hypothesis
The 5125 silicon persists the written PSK to a storage region that's reachable by the factory firmware's PSK subsystem (and by the IAP bootloader), but not by the 5117 APP firmware's PSK subsystem. From the chip ID match plus OTP stability, the actual sensor silicon is the same family; the difference seems to be in the secure storage layout or how the APP firmware addresses it.
Either:
There's a provisioning command the factory firmware knows that commits PSK to APP-mode storage which the 5117 firmware never learns about, or
The PSK storage offset/key material derivation differs in a way baked into the 5117 firmware image.
Current device state
After the flash, the sensor is:
Alive, responsive to base protocol commands
Reporting as 27c6:5117 with firmware GF_ST411SEC_APP_12109
Unable to complete TLS handshake under either goodix-fp-dump's driver_51x7 or gulp/libfprint-1's goodix-5117-support branch (both require preset_psk_read to succeed in APP mode)
No longer functional under Windows either — the factory PSK has been overwritten. I do not have the original factory firmware dump.
Ask
Has anyone else here poked at 27c6:5125 or similar Huawei-Goodix variants (5130 from Add trivial preprocessor #33 looks related)?
Is there a way to extract a raw 5125 factory firmware image from a second device, or is this something that would have to come from Goodix themselves?
Are there known commands for committing PSK to APP-mode storage that aren't exercised by the 51x7 flow?
Happy to run more probes on this device if someone has a hypothesis to test. I've scripted the probes/flash in a way that's reproducible for future 5125 owners who want to repeat the experiment (though my current loss of Windows functionality means I'd recommend others capture a firmware dump before erasing).
Thanks for all the reverse-engineering work that got us this far.
Summary
Hi — opening this as a detailed field report in case it helps future work on the 5125 (or other Huawei-Goodix variants). Issue #20 was closed as not planned back in 2022 with no technical discussion; this report fills in what I found.
TL;DR: 27c6:5125 silicon appears protocol-compatible with 51x7. Chip ID register, firmware-family name, OTP, NOP/enable_chip/reset, register reads,
preset_psk_read, and MCU query all work identically in both APP (factory) and IAP modes. However, after erasing the factory app firmware and flashingGF_ST411SEC_APP_12109.bin(the 51x7 target),preset_psk_read(0xbb020003)returnssuccess=Falsein APP mode — even though the same command succeeded both before the flash (on factory firmwareGF_ST411SEC_APP_12508) and in IAP mode after the PSK was written. The subsequent TLS handshake (request_tls_connection) then times out.So either:
Hardware
Goodix Fingerprint Device)27c6:5125GF_ST411SEC_APP_12508a2 04 25 00(identical to 51x7)DQ2757.then binaryWhat was tried
All steps were driven by this repo's
driver_51x7.pywith widened firmware regexes and interactive confirmation prompts.1. Read-only probes (factory firmware, PID 5125)
All of the following succeeded with sensible values:
nopenable_chip(True)+nopreset(True, False, 20)success=True, number=2048firmware_version()GF_ST411SEC_APP_12508read_sensor_register(0x0000, 4)a2042500(matches 51x7)read_sensor_register(0x0082, 2)8028read_sensor_register(0x0220, 2)880bread_otp()query_mcu_state(0x55, reply=True)00003000000000002000000011200000preset_psk_read(0xbb020003)success=True, flags=0xbb020003, psk=c03ccf94…5013c7d9Factory PSK hash differs from the 51x7
PMK_HASH(ba1a…2d43), as expected — the device was provisioned with a different PSK at the factory.2. Erase → IAP → write PSK → flash
Using a forked
driver_51x7main loop withVALID_FIRMWARE = GF_ST411SEC_APP_12[0-9]{3}andIAP_FIRMWARE = MILAN_ST411SEC_IAP_12[0-9]{3}to accept our factory firmware. Each destructive step gated by explicit user confirmation.mcu_erase_app(0, False)→ sensor re-enumerated; now reports an IAP name in theMILAN_ST411SEC_IAP_12xxxrange (PID stayed at 5125 during IAP).preset_psk_write(0xbb010003, PSK_WHITE_BOX)in IAP → returnedTrue.preset_psk_read(0xbb020003)in IAP →success=True, psk == PMK_HASH(51x7's expected hash). So the PSK write landed correctly at the IAP's PSK location.update_firmware(firmware/51x7/GF_ST411SEC_APP_12109.bin)(75032 bytes, CRC-32-MPEG0x5a7e0d1d) →write_firmwareloop +check_firmwarepassed.reset(False, True, 20)issued.GF_ST411SEC_APP_12109. ✅3. Post-flash verification (APP mode, PID 5117)
nop,enable_chip,nopfirmware_version()GF_ST411SEC_APP_12109✅reset(True, False, 20)success=True, number=2048✅read_sensor_register(0x0000, 4)a2042500✅read_otp()upload_config_mcu(DEVICE_CONFIG)True✅set_powerdown_scan_frequency(100)True✅preset_psk_read(0xbb020003)success=False(returned error response,message[0] != 0x00)request_tls_connection()So the flash succeeded at every layer up to and including the MCU config upload. Only PSK read and the subsequent TLS handshake fail.
I tried the same sequence a second time with the
51x0variant (GF_ST411SEC_APP_12117.bin) — identical outcome: flash succeeds,preset_psk_readin APP mode fails the same way.Hypothesis
The 5125 silicon persists the written PSK to a storage region that's reachable by the factory firmware's PSK subsystem (and by the IAP bootloader), but not by the 5117 APP firmware's PSK subsystem. From the chip ID match plus OTP stability, the actual sensor silicon is the same family; the difference seems to be in the secure storage layout or how the APP firmware addresses it.
Either:
Current device state
After the flash, the sensor is:
GF_ST411SEC_APP_12109driver_51x7or gulp/libfprint-1'sgoodix-5117-supportbranch (both requirepreset_psk_readto succeed in APP mode)Ask
Happy to run more probes on this device if someone has a hypothesis to test. I've scripted the probes/flash in a way that's reproducible for future 5125 owners who want to repeat the experiment (though my current loss of Windows functionality means I'd recommend others capture a firmware dump before erasing).
Thanks for all the reverse-engineering work that got us this far.