Bypassing GPD Win 2 Firmware Downgrade Protection
There are three different firmwares for the GPD Win 2 gamepad - each having different “opinions” in terms of bindings and joystick behaviors. It is not possible to downgrade the firmware after updating - leaving one stuck with whatever opinions the latest firmware has.
Some of the various differences in gamepad behavior are listed below.
- v1.11
- D-pad as WASD keys
- Left joystick as scroll wheel
- v1.18
- D-pad as scroll wheel
- Left joystick as WASD keys
- v1.19
- Joystick diagonal behavior altered
Patching the installers
I’ve previously had luck with p7zip extracting executables so that’s where I started. All three of the extracted executables contained the same files. Pruning duplicates left me with the following files - all the exact same size.
$ du */.*
296 v111/.rdata
1172 v111/.text
296 v118/.rdata
1172 v118/.text
296 v119/.rdata
1172 v119/.text
I proceeded to use xxd to dump the executables to hex files.
$ xxd v111.exe v111.xxd
$ xxd v118.exe v118.xxd
$ xxd v119.exe v119.xxd
Versions 1.18 and 1.19 were compared first as each more similar to each other than v1.11 in terms of features.
$ diff v118.xxd v119.xxd
The diff output ended up being exactly 2092 lines - a good sign! I started by searching for the minor version of each firmware - 18 and 19. There were two locations where the diff indicated that 18 was changed to 19.
16c16
344c344
< 00001570: e8a0 cf00 00c7 8630 0100 0018 0100 008a .......0........
---
> 00001570: e8a0 cf00 00c7 8630 0100 0019 0100 008a .......0........
367c367
< 000016e0: 0000 52ff d681 3d84 6057 0018 0100 0076 ..R...=.`W.....v
---
> 000016e0: 0000 52ff d681 3d84 6057 0019 0100 0076 ..R...=.`W.....v
Comparing 1.11 to 1.18 further reinforced my assumption:
344c344
< 00001570: e8a0 cf00 00c7 8630 0100 0011 0100 008a .......0........
---
> 00001570: e8a0 cf00 00c7 8630 0100 0018 0100 008a .......0........
367c367
< 000016e0: 0000 52ff d681 3d84 6057 0011 0100 0076 ..R...=.`W.....v
---
> 000016e0: 0000 52ff d681 3d84 6057 0018 0100 0076 ..R...=.`W.....v
Through trial and error, I discovered that the first line is used only for display in the UI - no reason to change it. The second line is used in the check which prevents downgrading the firmware.
I changed 0018 to 0099 in the second line and transformed the dump back to a binary.
Also changed 0100 to 9900 to allow downgrading from the GPD Win Max firmware.
367c367
< 000016e0: 0000 52ff d681 3d84 6057 0099 9900 0076 ..R...=.`W.....v
---
> 000016e0: 0000 52ff d681 3d84 6057 0019 0100 0076 ..R...=.`W.....v
$ xxd -r v118.xxd v118_patched.exe
Retro
This simple change allowed me to bypass the installer’s downgrade “protection” without altering how the firmware identifies itself. I was able to install each version of the firmware without issue.
Downloads for the patched installers:
*Released for GPD Win Max, but also works with the GPD Win 2. The deadzones are greatly reduced, but the axes are mapped incorrectly. I used xboxdrv on Linux to remap them:
sudo xboxdrv --detach-kernel-driver --axismap=X1=Y1,-Y1=X1,-X2=Y2,Y2=X2
**Installers were patched, but I didn’t test them or it doesn’t work properly.