YoshKoz/ezwriter-reverse
GitHub: YoshKoz/ez-flash-ii-usb-flasher
Stars: 0 | Forks: 0
# EZ-Writer II / EZ-Flash II USB Flasher
Dump GBA ROMs and save files from Game Boy Advance cartridges on modern Windows (10/11), Linux, and macOS.
Open-source replacement for the Windows XP-era EZ-Writer II (EZ Flash II) USB cartridge reader/writer.
**No kernel drivers. Just WinUSB + libusb.**
[](LICENSE)
[]()
[](https://www.rust-lang.org/)
[]()
## Quick Start
**1. Install driver** — [Download Zadig](https://zadig.akeo.ie/) → Run as Admin → Options → List All Devices → select `EZ-Writer II` → `WinUSB` → Install Driver.
**2. Build**
cd src\ezwriter-cli
cargo build --release
**3. Dump a cartridge**
ezwriter-cli firmware-download src\ezwriter-cli\tusbez.bin
ezwriter-cli dump myrom # → myrom.gba
ezwriter-cli save-read 0 2048 --output myrom.sav
`tusbez.bin` is the original 8051 firmware extracted from the EZ-Writer driver. It's uploaded to the Cypress AN2131's RAM at every connect (the chip has no persistent ROM). Included in the repo under [`src/ezwriter-cli/`](src/ezwriter-cli/).
## Status
| Feature | Status |
|---------|--------|
| ROM dump | Done |
| Save read | Done |
| Cartridge header parse | Done |
| GUI (egui, 5 tabs) | Done |
| Save write | Done |
| ROM write | Experimental |
## GUI
cd src\ezwriter-gui
cargo build --release
.\target\release\ezwriter-gui.exe
Keep `loader_table1.bin` and `loader_table2.bin` next to the `.exe`.
Tabs: Status · Cart Info · Read ROM · Read Save · Write Save
## How It Works
### System Architecture
flowchart LR
PC["Your PC(ezwriter-cli / ezwriter-gui)"] USB["USB bus
(libusb + WinUSB)"] MCU["Cypress AN2131Q
8051 CPU @ 48 MHz"] CART["EZ-Flash II
GBA Cartridge"] PC <--> USB USB <-->|"EP0 (control)
EP2 (bulk OUT)
EP6 (bulk IN)"| MCU MCU <-->|"GPIO / parallel bus"| CART style PC fill:#1a1a2e,color:#fff,stroke:#e94560 style USB fill:#16213e,color:#fff,stroke:#0f3460 style MCU fill:#0f3460,color:#fff,stroke:#e94560 style CART fill:#533483,color:#fff,stroke:#e94560 ### Boot Sequence sequenceDiagram participant H as Host PC participant D as EZ-Writer participant C as GBA Cart rect rgb(30, 30, 50) Note over H,D: Phase 1 — Bootloader mode H->>D: Plug in (0547:2131) H->>D: Vendor 0xA0: hold CPU reset H->>D: Vendor 0xA0: download tusbez.bin H->>D: Vendor 0xA0: start CPU Note over D: 8051 boots firmware end rect rgb(40, 20, 50) Note over H,D: Phase 2 — Active mode D-->>H: Re-enumerate (0548:1005) H->>D: Bulk EP2 OUT: cart commands D->>C: GBA bus protocol C-->>D: ROM / save data D-->>H: Bulk EP6 IN: response end ### Data Flow ┌──────────────────┐ ┌────────────────────┐ ┌────────────────────┐ │ Your App │ │ EZ-USB AN2131Q │ │ EZ-Flash II │ │ (CLI / GUI) │ │ 8051 firmware │ │ GBA Cartridge │ │ libusb + WinUSB │ │ tusbez.bin │ │ NOR flash + SRAM │ └──────────────────┘ └────────────────────┘ └────────────────────┘ │ │ └──────── USB (EP0/EP2/EP6) ──────────────┘ │ GPIO / parallel bus │ ▼ Cartridge operations **Why not kernel driver?** Original drivers are unsigned x32-only (won't load on modern Windows) and just wrap USB bulk IOCTLs anyway. WinUSB + libusb does the same thing cleanly. Full protocol reference: [docs/protocol_notes.md](docs/protocol_notes.md)
Project structure
ezwriter-reverse/ ├── analyze_driver.py ─ Driver binary analysis (root) ├── disasm_ezwinit.py ─ ezwinit.sys disassembly (root) ├── disasm_full.py ─ Full firmware disassembly (root) ├── disasm_fwloader.py ─ Firmware loader disassembly (root) ├── src/ezwriter-cli/ ─ Rust CLI (libusb, clap) ├── src/ezwriter-gui/ ─ Rust GUI (egui/eframe) ├── src/*.py ─ RE/prototyping scripts (src/) ├── docs/ ─ Protocol notes, driver analysis ├── driver/winusb-inf/ ─ WinUSB INF + install scripts ├── original/ ─ EZClient v3.26 (reference only) ├── original_backup/ ─ Extracted firmware + drivers └── captures/ ─ USB packet dumps标签:通知系统