RT-900 Firmware Flash Protocol Packet Structure
Added 2025-04-05 19:32:04 +0000 UTCu8 leader; // always 0xAA
u8 command;
u8 blockNumber; // flash address is 0x08003000 + (blockNumber * 0x400)
u16 dataLength; // big endian
u8 data[dataLength];
u16 crc16; // crc16/xmodem everything from command to the end of the data section
u8 trailer; // always 0xEF
From what I can tell, data is not encrypted or obfuscated. If there is any kind of obfuscation I think it's happening at the firmware level not any deeper, so unobfuscated/unencrypted binaries will probably work.