Re: FORD technical service bulletin : ICC touch screen display
|
|
I have not found a way to read the entire EEPROM yet, so still looking there, but I can confirm that the last block of 4KB FLASH memory contains the "original VIN" - shown below is the "map" of an FGX Cluster tested for blocks of FLASH that are used (XX=used, __=blank, which was all I could tell from the special V850 programming mode I was able to enter)...
FLASH READER
Hit return to start
Starting
Sync...
Freq...
Baud...
OK.
Boot OK
// Reading 000000-000FFF...
Failed(16).
00000000: XX 00001000: XX 00002000: XX 00003000: XX
00004000: __ 00005000: XX 00006000: XX 00007000: XX
00008000: XX 00009000: XX 0000A000: XX 0000B000: XX
0000C000: XX 0000D000: XX 0000E000: XX 0000F000: XX
00010000: XX 00011000: XX 00012000: __ 00013000: __
00014000: __ 00015000: XX 00016000: XX 00017000: XX
00018000: XX 00019000: XX 0001A000: XX 0001B000: XX
0001C000: XX 0001D000: XX 0001E000: XX 0001F000: XX
00020000: XX 00021000: XX 00022000: XX 00023000: XX
00024000: XX 00025000: XX 00026000: XX 00027000: XX
00028000: XX 00029000: XX 0002A000: XX 0002B000: XX
0002C000: XX 0002D000: XX 0002E000: XX 0002F000: XX
00030000: XX 00031000: XX 00032000: XX 00033000: XX
00034000: XX 00035000: XX 00036000: XX 00037000: XX
00038000: XX 00039000: XX 0003A000: XX 0003B000: XX
0003C000: XX 0003D000: XX 0003E000: XX 0003F000: XX
00040000: XX 00041000: XX 00042000: XX 00043000: XX
00044000: XX 00045000: XX 00046000: XX 00047000: XX
00048000: XX 00049000: XX 0004A000: XX 0004B000: XX
0004C000: XX 0004D000: XX 0004E000: XX 0004F000: XX
00050000: XX 00051000: XX 00052000: XX 00053000: XX
00054000: XX 00055000: XX 00056000: XX 00057000: XX
00058000: XX 00059000: XX 0005A000: XX 0005B000: XX
0005C000: XX 0005D000: XX 0005E000: XX 0005F000: XX
00060000: XX 00061000: __ 00062000: __ 00063000: __
00064000: __ 00065000: __ 00066000: __ 00067000: __
00068000: __ 00069000: __ 0006A000: __ 0006B000: __
0006C000: __ 0006D000: __ 0006E000: __ 0006F000: __
00070000: __ 00071000: __ 00072000: __ 00073000: __
00074000: __ 00075000: __ 00076000: __ 00077000: __
00078000: __ 00079000: __ 0007A000: __ 0007B000: __
0007C000: __ 0007D000: __ 0007E000: __ 0007F000: XX
@ 0x7F000 ? 0xFC, 0x59, 0xA1, // b...Y. (RQST 22F106)
@ 0x7F100 ? 0x57, 0x34, 0x31, // b..W41 (RQST 22F114)
@ 0x7F10B 0x11 bytes (17) is the VIN number (RQST 22F190)
@ 0x7F116 0x06 bytes (06) ? :-
000001111111111111
BCDEF0123456789ABC
6FPAAAJGCMEU65281
___________^^^^^^
(0x101 = 257 - 3 = 254)
>22F106 62 F1 06
FC 59 A1 00 01 00 FC 06 04 02 47 02 02 00 00 00 00 00 00 00 00 00 00 00 02 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 A1 00 00 3B 01 00 00 00 04 00 00 00 00 00 00 00 01 00 00 10 00 00 00 00 00 12 01 F2 50 00 00 02 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 02 00 01 00 00 00 00 01 00 00 00 00 00 00 00 01 00 02 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00
(0x102 = 258 - 3 = 255)
>22F114 62 F1 14
_W _4 _1 __ _s _q _0 _0 _5 __ __ _6 _F _P _A _A _A _J _G _C _M _E _U _6 _5 _2 _8 _1
57 34 31 82 73 71 30 30 35 0D 0A 36 46 50 41 41 41 4A 47 43 4D 45 55 36 35 32 38 31 00 0D 0A 00 00 0D 0A 00 00 0D 0A 00 00 0D 0A 00 00 0D 0A 00 00 0D 0A 00 00 0D 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
You can see the boot area has firmware which we don't have access to, but from 0x15000 to 0x7E000 is the firmware I was able to obtain.
I'm interested in the last block though (@ 0x7F000) which isn't part of the firmware. Seems that read-by-ID gets a quarter KB with requests 22F106 and another with 22F114, which is where the original VIN and some (non-as-built) config options are set. I can see the firmware decompiled code only accesses these two areas, and a few other places specifically check out the last 6 bytes of the original VIN in some calculations.
I suspect I can build a 4KB firmware file and flash it into that last block, but I'll probably do that on the FGX unit which I pulled the blue and red LEDs off to see if it still "works" afterwards with my copied EEPROM installed. We may have to blast, no wait, I may just need some time...
Erased FLASH tends to return values of 0xFF, so I assume I will need to set any unused bytes to 0x00 in that last block (looking at the existing data)... I hope there isn't a checksum value anywhere there though, because I won't know how to calculate one when I erase the last FGX Cluster FLASH block and set my new data in there. That poor FGX Cluster isn't ever going to be used again in any case - so no great loss I suppose.
Last edited by JasonACT; 18-06-2021 at 09:38 PM.
|