It seems that the checksum at the end is just a standard 32 bit dword checksum. I have attached my updated decoder/encoder. It now has an a flag to decode and a flag to encode. The encode flag will rewrite the flash binary with the correct checksums, so you can modify your firmware and reflash. I also tried updating the bitrates at 0x66bd48. I originally tried all 6 bitrates updated to 24k, but after 2 seconds of recording, I get the error "Cannot write", and it stops recording. Next I went to the XLP recording mode, which seems to start at 0x66bd18, and I shifted all the bitrates down, and added 24k to the highest bitrate. This let it record, and my video came out to slightly larger than before (1 minute video unmodified was 118megs, and after this change it came out to 124megs). This is still under the limit for 18k (which would result in a 132meg file), so I don't know if this proves anything, but at least the values can be changed to a limited extent and it still works. Changing the XLP recording mode to 24k for all six values causes it to fail with the cannot write error after about 4 seconds (so it can record a bit longer). Next I think I'm going to make some modifications to my encryptor/decryptor that will allow you to pull out and re-insert any section. What offsets & lengths are you guys using for the code section (i.e. what exactly are you extracting)? Which version of IDA are you guys using? I tried loading some of the IDA scripts posted earlier into 4.9, but that failed.