How to Hack into a Bricked Flex 3000 that has Improper Firmware Installed

Bricked your Flex 3000 with bad firmware? Maybe not. Hack your radio.

Recently I purchased a used Flex 3000, and life was good. This was until HP pushed out a PCIe update sometime last September for my PC. Being a responsible adult, I decided to install all the latest updates for my old ProDesk 400 mini tower PC that runs the Flex radio. This is where the fun begins.

Everything went smoothly and the PC got a full firmware update. But then, when loading PowerSDR, it couldn’t find the Flex radio. Uh oh. So, following guidance from the Flex community on connectivity issues, I completely uninstalled PowerSDR and reinstalled it. On initial start-up there is some configuration that the program does, including flashing the EEPROM on the radio with new firmware from a .bin file. This is where a mistake was made.

From what I can gather, older models of Flex radios don’t tell PowerSDR which Flex you have on initial start-up after installing PowerSDR, as far as a 3000 vs. 5000 anyway. And so it asks you, in a tiny pop-up window, “Is this a Flex 5000 radio?” Selecting “Yes” will then push 5000 firmware to the radio. If you select “No” it asks “Is this a Flex 3000 radio?” Selecting “Yes” pushes 3000 firmware to the radio. 30 years of installing Windows software has trained me to just continually click “Yes” to any pop-up during a software install, and so when the pop-up appeared, I clicked “Yes” to the first question, not even looking at the dialog. Whoops. Somehow it successfully pushed the 5000 firmware to the radio. I have no idea how, as every later attempt to do the opposite was unsuccessful.

Loading 5000 firmware onto the Flex 3000 bricked the radio. It would still load PowerSDR, but there were no signals on the waterfall, and the fan would run on high constantly. The temp sensor was reporting over 500 degrees Celsius. The VFO was laggy to respond, and other quirks were noticed.

There were intermittent FireWire connection issues as well. Troubleshooting this, I found that I would need to roll back the PCIe drivers to a legacy version. Some glitch with the newer Windows drivers and the new HP PCIe firmware, along with the older firmware on the radio, had made the FireWire connection buggy. Rolling the Windows FireWire drivers back to the “legacy” drivers made everything on that front happy, but the radio was still stuck with 5000 firmware on it.

There is exactly one mention on the entire internet of this happening, on the FlexRadio forums, over two years ago, where someone from Germany had the issue with a used Flex he had purchased in this condition. The only cryptic answer in the post is that “my friend rewrote the starting frequency” and now the radio works. Reaching out to him on the forum post or at his email address yielded nothing.

Unable to determine what this referred to (I can only assume they got into the Expert settings and changed the IF frequency somehow to make it work with 5000 firmware), I began installing every version of PowerSDR I could find, in the hopes one would allow me to push 3000 firmware back onto the radio. Every time I was met with the error that the firmware does not match the product ID, and so it wouldn’t do it. It also would not allow me to roll back the 5000 firmware to an earlier version. Some of the provided utilities, “tool2.exe” and “burn.bat”, had driver conflicts. I did find some good utilities, long since abandoned by Flex, that would wipe all the hidden files and folders left after uninstalling software, letting me do a complete wipe before installing the newest software.

I opened a support ticket with Flex asking for help or guidance and was told to kick rocks, basically. They don’t support their older radios. It’s weird that they wouldn’t at least attempt to help; instead they just copied and pasted canned messages instructing me to uninstall and reinstall the PowerSDR software, and then closed the ticket repeatedly as “Solved”.

I opened the 3000 firmware and 5000 firmware in a hex editor, to compare and to try to find where the “Product ID” was stored, but was unable to find it, having a limited knowledge of hex editing and having never decompiled anything into an assembly language since my high school Computer Math class decades ago.

I also tried modifying the “System” file for the FlexRadio firmware loader program to see both the 3000 and the 5000 as the same product, but that did not work either. The FlexRadio firmware loader would ask if I wanted to continue, but then would not allow it. Why ask if you’re not going to allow it?

My Flex 3000 showing it is a Flex 5000 (Product:1) while attempting to load 3000 firmware
The Flex program does not allow a conflicting upload of firmware

After 3 days of troubleshooting, I reached out to NM0J, who I knew also had a Flex 3000. What I didn’t know is that he is a genius with things like this. After some back and forth discussing the problem, NM0J was able to find the hex address where the product ID was stored in the Flex 3000 firmware, and edited his file to make it look like it was a Flex 5000, as shown below:

Screenshot showing “File info” of modified 3000 firmware reporting that it’s for a 5000: “Product:1”.
This is shown on NM0J’s PC, where 3000 firmware (Product:2) is properly installed.

NM0J also edited the FlexRadio.exe to ignore the Product ID mismatch, and while it looked like it was working on his end, putting the .exe on my PC and running it did not succeed.

However the modified firmware worked like a charm.

For those dealing with this who wish to attempt it at their own risk: the hex address for the Product ID in the 3000 firmware is offset 0x5696C. As the loader’s “File info” shows, the 3000 firmware reports Product:2 and the 5000 firmware reports Product:1.

DO THIS AT YOUR OWN RISK. This was done using KE9NS’s version of PowerSDR 2.8.0 and the 2.1.4.112 firmware. PowerSDR 2.8.0 is maintained by a third party, not FlexRadio. Other versions of the firmware may be different, and the offset above may not apply to them. YMMV.
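Rather than hand-editing the byte in a hex editor, the patch can be scripted so it refuses to touch a file that does not look like the one it was written for. The following Python is an added example, not code from the post or from NM0J or FlexRadio. It uses the offset 0x5696C and the Product:1 / Product:2 values from the post, and assumes that the product ID is stored as a single raw byte at that offset in the 2.1.4.112 image (the post gives the offset but not the encoding). The firmware image it operates on is constructed in memory for demonstration; run `patch_file` against a real .bin only after checking those assumptions for your firmware version.

```python
"""Patch a single product-ID byte in a firmware image, with safety checks.

Added example (not from the original post). Assumptions, labelled here:
  * PRODUCT_ID_OFFSET is the offset the post reports for 2.1.4.112 firmware.
  * The product ID is stored as one raw byte at that offset (assumed; the
    post only says the loader shows "Product:1" for a 5000 and "Product:2"
    for a 3000).
"""
import hashlib
from pathlib import Path

PRODUCT_ID_OFFSET = 0x5696C   # offset from the post (2.1.4.112 Flex 3000 firmware)
PRODUCT_FLEX5000 = 1          # "Product:1" per the loader's File info
PRODUCT_FLEX3000 = 2          # "Product:2" per the loader's File info


def sha256_hex(data: bytes) -> str:
    """Digest used to record exactly which bytes went in and came out."""
    return hashlib.sha256(data).hexdigest()


def patch_product_id(image: bytes, offset: int, expected: int, new: int) -> bytes:
    """Return a copy of `image` with the byte at `offset` changed from
    `expected` to `new`.  Refuses to patch if the offset is out of range or
    the byte there is not the value we expect, so a different firmware
    version (or an already-patched file) is never silently corrupted."""
    if not 0 <= offset < len(image):
        raise ValueError(f"offset 0x{offset:X} is outside a {len(image)}-byte image")
    found = image[offset]
    if found != expected:
        raise ValueError(
            f"byte at 0x{offset:X} is 0x{found:02X}, expected 0x{expected:02X}; "
            "wrong firmware version or file already modified")
    patched = bytearray(image)
    patched[offset] = new
    return bytes(patched)


def diff_offsets(a: bytes, b: bytes) -> list[int]:
    """Offsets at which two equal-length images differ; used to confirm the
    patch changed exactly one byte and nothing else."""
    if len(a) != len(b):
        raise ValueError("images differ in length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def patch_file(src: Path, dst: Path, expected: int, new: int,
               offset: int = PRODUCT_ID_OFFSET) -> tuple[str, str]:
    """Patch `src` into a new file `dst` (the original is never overwritten)
    and return (sha256 of original, sha256 of patched) for your notes."""
    if dst.exists():
        raise FileExistsError(f"refusing to overwrite {dst}")
    original = src.read_bytes()
    patched = patch_product_id(original, offset, expected, new)
    assert diff_offsets(original, patched) == [offset]
    dst.write_bytes(patched)
    return sha256_hex(original), sha256_hex(patched)


def make_demo_image(size: int = PRODUCT_ID_OFFSET + 0x1000) -> bytes:
    """Constructed stand-in for a 3000 firmware image: filler bytes with the
    assumed product-ID byte set to PRODUCT_FLEX3000.  Not real firmware."""
    image = bytearray(b"\xff" * size)
    image[PRODUCT_ID_OFFSET] = PRODUCT_FLEX3000
    return bytes(image)


if __name__ == "__main__":
    demo = make_demo_image()
    spoofed = patch_product_id(demo, PRODUCT_ID_OFFSET, PRODUCT_FLEX3000, PRODUCT_FLEX5000)
    print("changed offsets:", [hex(o) for o in diff_offsets(demo, spoofed)])
    print("original sha256:", sha256_hex(demo))
    print("patched  sha256:", sha256_hex(spoofed))
```

To prepare a real file you would call `patch_file(Path("flex3000_2.1.4.112.bin"), Path("flex3000_as_5000.bin"), PRODUCT_FLEX3000, PRODUCT_FLEX5000)`; the `expected` check is what stops the script from blindly writing into a firmware build where 0x5696C holds something else, and the recorded digests let you confirm later that the vanilla image you flash afterwards is the untouched original.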

If you are unable to hex edit your own firmware I will provide the files to those who need them, but only if you reach out to me personally at the email on my QRZ page. There are some prerequisites you’ll need to have in place to use the modified firmware file that I have; specific versions of the software, installed properly, with any other version properly wiped first. I can go over these things with you, and then would be happy to provide the firmware file needed to unbrick the radio.

NM0J’s modified firmware file allowed me to push 3000 firmware onto the Flex 3000 radio that was self-identifying as a Flex 5000, using Flex’s firmware loader software. I was then able to push a vanilla copy of the firmware provided by FlexRadio to the Flex, effectively putting the radio back to how it should be. I fired it up and promptly made a QSO with someone in Uruguay on 10 meters. HOORAY!

The moral of the story here is: make every effort not to load 5000 firmware onto a 3000. Had I paid attention instead of using muscle memory to click “Ok” on every pop-up, I would not have had to go through all this.