In a four-hundred-horse open sleigh
O’er the roads we go
Boosting all the way
Bells on bob tail ring
Making spirits bright
What fun it is to cut and trim
Jason's o'er the eeprom tonight!
Jingle bells, Whiteford Smells,
Nigel laid an egg.
Oh! what fun it is to ride
In a four-hundred-horse open sleigh.
Jingle bells, Kayhan Smells,
ASL all the way! (Dont Pay)
Hey! what fun it is to ride
In a four-hundred-horse open sleigh
The following is how to put a Mark 1 FG Falcon Instrument Cluster into boot/programming mode and take a firmware dump, all done via CAN.
"No man, there's no access to the FLASH (there appears to be write access to RAM, but read RAM tries to launch another exe from Orion). There's no firmware file from Ford either."
Specs: MS bus, 125000 baud (125 kbit/s), send on 0x720, receive on 0x728 (all totally standard 11-bit IDs).
Send: B2 AA BB CC DD EE 11 22 repeatedly until you get back a 4-byte short packet on 0x728: 05 50 00 00
You are now in programming mode.
Send: AA 5A 5A 5A 5A 5A 5A 5A to leave the mode once you are done.
Send: B3... to read, e.g. address 0x00003FFC, 8 bytes => B3 FC 3F 00 00 01 00 00 (the minimum request)
Send: B3... to read address 0x00003FFC, 16 bytes => B3 FC 3F 00 00 02 00 00
Send: B3... to read address 0x00003FFC, 17 bytes => B3 FC 3F 00 00 03 00 00
Send: B3... to read address 0x00003FFC, 0x3C004 bytes => B3 FC 3F 00 00 01 78 00 (the entire firmware, from 0x3FFC to the end of flash at 0x3FFFF)
That last request actually returns 0x3C008 bytes, because requests can only be made in multiples of 8 and the length is rounded up; the final 4 bytes lie past the end of flash, so discard them.
I.e. 01 78 00 means 0x007801 * 8 = 0x3C008, so the format is B3 AA AA AA AA LL LL LL (AAAAAAAA = 32-bit address, little-endian, so FC 3F 00 00 is 0x00003FFC; LLLLLL = 24-bit length in 8-byte units, little-endian, rounded up).
"There are ACK CAN packets that the Cluster will send back for most things, and I don't know what they are, but then again if the process went smoothly (no noise on the wires) then not checking for them probably wouldn't affect much, other than knowing when to continue. These units will stay in the pgm mode indefinitely without any activity on the CANBUS - and I don't see any issues with getting back into that mode if the Cluster firmware part was erased (not the bootloader obviously). Information on the chip that might be of use: 256KB Flash, starts at 0x00000000 goes to 0x0003FFFF, bootloader is at 0x00000000-0x00003FFB according to the file, firmware starts at 0x00003FFC, but the erase blocks command in the file is actually set for 64 blocks @ 0x00004000 (one block is 0x1000 [4KB] bytes long). That actually puts the erase 16KB past the end of flash memory - I guess they didn't care since it doesn't exist, and if they wanted to start at 0, it would still erase all the flash with that length."
It's easier to start spamming the message 720#B2AABBCCDDEE1122 and then send an ecuReset (UDS service 0x11, sub-function 0x01 hardReset, as an ISO-TP single frame) 720#021101, so that the first thing the cluster sees on boot is the instruction to go to programming mode. An eight-byte response is returned if this message is sent instead:
Send: B3 AA BB CC DD EE 11 22 until you receive a response on 0x728 of 00 00 00 00 00 00 00 00
Two commands are needed to enter programming mode via a SocketCAN interface: the first keeps the B2 request on the bus every 20 ms in the background, the second issues the ECU reset.
cangen can0 -I 720 -D B2AABBCCDDEE1122 -L 8 -g 20 &
cansend can0 720#0211010000000000
Once the 05 50 00 00 reply shows up on 0x728 (watch with candump can0), kill the backgrounded cangen so it stops hammering the bus before you send the B3 read.
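The read-request layout worked out above and the enter/reset/read/leave sequence, as an added example that is not code from the original post. The IDs, bit rate, frame bytes and flash layout are taken from the post; how the cluster streams the read data back (assumed here: the raw bytes as consecutive 8-byte frames on 0x728, with reads past the end of flash returning 0xFF) and the FakeCluster stand-in are assumptions so the exchange can be exercised offline.

```python
"""Frame encoder/decoder plus a scripted dump for the FG Falcon cluster boot-mode
protocol. Added example, not code from the original post: IDs, bit rate, frame
layouts and flash layout come from the post; the response stream format and
FakeCluster are assumptions."""
import struct
from collections import deque
from typing import Iterable, Optional, Tuple

TX_ID, RX_ID, BITRATE = 0x720, 0x728, 125000

ENTER_PGM = bytes.fromhex("B2AABBCCDDEE1122")   # repeat until 05 50 00 00 comes back
ENTER_ACK = bytes.fromhex("05500000")
LEAVE_PGM = bytes.fromhex("AA5A5A5A5A5A5A5A")
ECU_RESET = bytes.fromhex("021101")             # ISO-TP single frame: UDS 0x11, hardReset

FLASH_SIZE = 0x40000             # 256 KB flash at 0x00000000
FW_START = 0x3FFC                # bootloader is 0x0000-0x3FFB
FW_LEN = FLASH_SIZE - FW_START   # 0x3C004 bytes


def build_read_request(addr: int, nbytes: int) -> bytes:
    """B3 AA AA AA AA LL LL LL: 32-bit little-endian address, 24-bit little-endian
    length in 8-byte units, rounded up."""
    if not 0 <= addr < 1 << 32:
        raise ValueError("address must fit in 32 bits")
    units = (nbytes + 7) // 8
    if not 1 <= units < 1 << 24:
        raise ValueError("length must be 1..2^24-1 units of 8 bytes")
    return b"\xB3" + struct.pack("<I", addr) + struct.pack("<I", units)[:3]


def parse_read_request(frame: bytes) -> Tuple[int, int]:
    """Inverse of build_read_request: (address, bytes the cluster will actually send)."""
    if len(frame) != 8 or frame[0] != 0xB3:
        raise ValueError("not a B3 read request")
    addr = struct.unpack("<I", frame[1:5])[0]
    units = struct.unpack("<I", frame[5:8] + b"\x00")[0]
    return addr, units * 8


def assemble_dump(frames: Iterable[bytes], nbytes: int) -> bytes:
    """Join the response frames and drop the round-up padding at the end."""
    data = b"".join(frames)
    expected = ((nbytes + 7) // 8) * 8
    if len(data) != expected:
        raise ValueError(f"got {len(data)} bytes, expected {expected}")
    return data[:nbytes]


class FakeCluster:
    """Constructed stand-in for the cluster (assumption, not real hardware behaviour).
    send()/recv() mimic a bus: the host writes 0x720 frames and reads 0x728 frames."""

    def __init__(self, flash: bytes):
        self.flash, self.in_pgm = flash, False
        self.rx: deque = deque()          # frames the cluster has put on 0x728

    def send(self, arb_id: int, data: bytes) -> None:
        if arb_id != TX_ID:
            return
        if data[:3] == ECU_RESET:                     # reboot drops it out of pgm mode
            self.in_pgm = False
        elif data == ENTER_PGM and not self.in_pgm:   # first B2 after boot is honoured
            self.in_pgm = True
            self.rx.append((RX_ID, ENTER_ACK))
        elif data == LEAVE_PGM:
            self.in_pgm = False
        elif data[0] == 0xB3 and self.in_pgm:
            addr, total = parse_read_request(data)
            chunk = self.flash[addr:addr + total].ljust(total, b"\xFF")  # past-end = 0xFF (assumed)
            for off in range(0, total, 8):
                self.rx.append((RX_ID, chunk[off:off + 8]))

    def recv(self, timeout: float = 0.0) -> Optional[Tuple[int, bytes]]:
        return self.rx.popleft() if self.rx else None


def dump_firmware(bus, addr: int = FW_START, nbytes: int = FW_LEN, tries: int = 500) -> bytes:
    """Reset, enter programming mode, read [addr, addr+nbytes) with one B3 request, leave."""
    bus.send(TX_ID, ECU_RESET)
    for _ in range(tries):                 # keep B2 on the bus so the bootloader sees it first
        bus.send(TX_ID, ENTER_PGM)
        reply = bus.recv(0.02)
        if reply is not None and reply[0] == RX_ID and bytes(reply[1]) == ENTER_ACK:
            break
    else:
        raise TimeoutError("cluster never answered 05 50 00 00")
    bus.send(TX_ID, build_read_request(addr, nbytes))
    expected, got, frames = ((nbytes + 7) // 8) * 8, 0, []
    while got < expected:                  # collect the stream until the rounded length arrives
        reply = bus.recv(1.0)
        if reply is None:
            raise TimeoutError(f"stream stopped after {got} of {expected} bytes")
        if reply[0] == RX_ID:
            frames.append(bytes(reply[1]))
            got += len(reply[1])
    bus.send(TX_ID, LEAVE_PGM)
    return assemble_dump(frames, nbytes)


def demo() -> bytes:
    """Run the whole exchange against a synthetic 256 KB flash image (constructed data)."""
    flash = bytes(range(256)) * (FLASH_SIZE // 256)
    return dump_firmware(FakeCluster(flash))


if __name__ == "__main__":
    fw = demo()
    print(f"dumped {len(fw):#x} bytes starting at {FW_START:#x}")
```

To run this against the real cluster, bring the interface up with `ip link set can0 up type can bitrate 125000` and hand `dump_firmware` a two-method adapter over a python-can `can.Bus(channel="can0", interface="socketcan")`: `send(id, data)` becomes `bus.send(can.Message(arbitration_id=id, data=data, is_extended_id=False))` and `recv(timeout)` returns `(msg.arbitration_id, bytes(msg.data))` from `bus.recv(timeout)`. The stream-format assumption is the part to verify first with `candump can0` on a small 8-byte read before asking for the whole 0x3C008 bytes.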