Vida CEM swapping

[McGherkin]

i'll have to have alook again but i think the teensy can only be powered either by external power supply or the USB not both.

Ooh - good point. Might just have a go without running a power supply first then!

[oscilloscope]

i'll have to have alook again but i think the teensy can only be powered either by external power supply or the USB not both.

Ooh - good point. Might just have a go without running a power supply first then!

and also without the USB connection then you can not watch the process happen on the IDE serial monitor.

[5ft24]

Okay. I think I will still give the Teensy an auxiliary 5v power just to make sure it's sufficiently powered up though.

Yeah the schematic says to connect one of the CAN boards to CAN HS+ and HS- and the other to LS+ and LS-, OBD Pins 6,14,3, and 11 respectively. Plus the CAN Gnd on Pin 5 to the Teensy Gnd, and I can add a 6th wire from the plug to Pin 16 through the 5v converter to power the Teensy.

I had intermittent issues powering through the USB port to the teensy. I used a 12v to 5V buck converter and it runs smooth as silk

[oscilloscope]

Okay. I think I will still give the Teensy an auxiliary 5v power just to make sure it's sufficiently powered up though.

Yeah the schematic says to connect one of the CAN boards to CAN HS+ and HS- and the other to LS+ and LS-, OBD Pins 6,14,3, and 11 respectively. Plus the CAN Gnd on Pin 5 to the Teensy Gnd, and I can add a 6th wire from the plug to Pin 16 through the 5v converter to power the Teensy.

I had intermittent issues powering through the USB port to the teensy. I used a 12v to 5V buck converter and it runs smooth as silk

Oh I thought it couldn't be mixed , I can't seem to find why I assumed they couldnt Maybe it's on the data sheet thing when I bought the Teensy.

[bosse]

https://copperhilltech.com/teensy-4-0-t ... d-microsd/


This one is nice.

[vtl]

https://copperhilltech.com/teensy-4-0-t ... d-microsd/


This one is nice.

Does it have a free IO pin left for the cracker to snoop on the CAN transceiver's RX lane?

[denvro]

I bumped into this topic, because I want to update the region/market parameters (radio frequency etc.) in my MY04 V70R. Great work! I will take my time to read through this thread, acquire the necessary hw + sw, crack my pin, read my CEM's bin and see if I can change some parameters

I'm already owning a (Chinese) DICE, Vida and a free version of VDASH. But subscription fee's and/or software packages are so expensive! And I'm programmer enough to fix this myself with the documentation in this thread. Thanks for all the time and effort you guys put into it!

[andrewgabler]

Potentially dumb question, but should the key be in the ignition for this process? Position 1,2 or started?

[RickHaleParker]

Potentially dumb question, but should the key be in the ignition for this process? Position 1,2 or started?

On P2s, no key inserted.

[dikidera]

I do not. I do have an oscilloscope, and I have noticed the WE pin going low every now and then when the ECU is operating normally. As soon as I start the SBL it remains HIGH, but that is because I have not issued any commands to it. I will have to solder a wire to it, but this time it will be thinner so if it decides to break, it won't take the pin off this time.

According too the Hitachi data sheet for SH7055, it suggests FWE pin needs to be in a reset state to allow for read/write enable. Which then places it in programmer mode. , I am assuming that Hitachi version of the sh7055 is the same as the renesas. Before there transition. Assuming that's the pin you mean ?

No that is a different pin. The WE pin belongs to the 29LV200BC flash chip. I've been away for a while due to personal issues and cannot come back to the project for a little while longer.

I'm analyzing TCM's SBL at the moment. It's definely work by same algorithm as ECM flashing process. CAN sequence looks like on 0xE6 TCM:
1. Shutdown everything by 0xFF 0x86 request
2. Send 0xE6 0xC0
3. Send 0xE6 0x9C 0xFF 0xFF 0x82 0x00 // jump to addr 0xFFFF8200
4. Send 0xE6 0xAE with bootloader as payload
5. Send 0xE6 0x9C 0xFF 0xFF 0x82 0x00 // jump to addr 0xFFFF8200
6. Send 0XE6 0xA0 to jump execution point to addr from pt 5.
7. Send 0xE6 0x9C 0x00 0x00 0x80 0x00 // jump to addr 0x8000
8. Send 0xE6 0xF8 // erase memory block
9. Send 0xE6 0x9C 0x00 0x00 0x80 0x00 // jump to addr 0x8000
10. Send 0xE6 0xAE with flash payload
11. Send 0xFF 0xC8 to start add ECUs in normal mode.

I omitted the checksum check because I don't know algorithm for TCM. In my TCM's flash this check just disabled.

I didn't find 0xAE command processing ATM. Maybe additional bootloader should be loaded. But next command looks like enabling of flashing:

Code: Select all

ROM:FFFF9666 flashing_FFFF9666:                      ; CODE XREF: sub_FFFF9596+C8j
ROM:FFFF9666                 mov.w   #PJDR_W, r2
ROM:FFFF9668                 mov.w   @r2, r0
ROM:FFFF966A                 xor     #h'40, r0
ROM:FFFF966C                 mov.w   r0, @r2
ROM:FFFF966E                 mov.w   #FLASH_FECS_B, r2
ROM:FFFF9670                 mov.b   @r2, r0
ROM:FFFF9672                 and     #h'FE, r0
ROM:FFFF9674                 mov.b   r0, @r2
ROM:FFFF9676                 mov.w   #FLASH_FPCS_B, r2
ROM:FFFF9678                 mov.b   @r2, r0
ROM:FFFF967A                 or      #1, r0
ROM:FFFF967C                 mov.b   r0, @r2
ROM:FFFF967E                 mov     #0, r1
ROM:FFFF9680                 mov.w   #FLASH_FTDAR_B, r2
ROM:FFFF9682                 mov.b   r1, @r2
ROM:FFFF9684                 mov.w   #h'A5, r0
ROM:FFFF9686                 mov.w   #FLASH_FKEY_B, r1
ROM:FFFF9688                 mov.b   r0, @r1
ROM:FFFF968A                 bra     loc_FFFF96A4
ROM:FFFF968C                 nop

The AE command(write) is from the ECM PBL. The SBL just adds a few more commands, more specifically just F8(delete sector or entire flash). So yeah SBL is just an extension to the PBL.

Here are the ECM SBL commands, some...don't do anything from what I've seen, they just send a CAN reply back but don't really do anything else, the rest is still hard to decipher their purpose. The behaviour depends on FFFFDFA0 and FFFFDFA8, which I am still unclear WHAT they represent.



But like I said, might take a while after some events happened, you just can't have the same trust in your partner when they've done something bad behind your back.