|
Title: Cluster and service mode ? Post by: H2Deetoo on December 02, 2014, 12:53:00 AM Hi guys,
This is my first post on this forum. I have a VW Passat 2008 and I am about to replace its cluster with a VDO 3AA 920 880 A cluster (fullcolor TFT from 2011). There were several things I wanted to do before placing it: - Change the car pictogram to display the correct car model - Enable needlesweep/staging - Change mileage to show actual value The 3AA 920 880 A is a cluster with a NEC (D70F3426 also Renesas) cpu and 24C64 eeprom. First I desoldered the eeprom, read it, and soldered it back just to have a valid backup. Then I soldered 3 wires to it on the board (GND, SCL and SDA) and now I can read/write it in circuit. It seems the pictogram and staging cannot be enabled by adaptation or coding, so I enabled them by changed the eeprom content. I found the addresses on another forum. I also wrote a tool which communicates using canbus and now I can increment the mileage of my cluster (as if the car was driving). But playing around with cluster got me interested, and now I am trying to understand how to read/write the eeprom contents using canbus. My cluster uses UDS and I found some commands already to read/write eeprom but ofcourse you need to be authorized first. Authorization is done with command 27 xx, and it seems my cluster sends a 4 byte seed and expects a 4 byte answer. Bruting is not an option because the cluster only allows 4 or 5 tries and then it blocks itself for some time. The xx can be 3 different values for my cluster and it indicates a specific level for which you are authorized (reading, writing, or other). If you look at some of the expensive cluster tools, they all mention that in order to read/write the eeprom via canbus you need to put the cluster in service mode first. This is done by writing FF's to a specific area of the eeprom: [VAG with NEC MCU + 24C64 inside] - range 0x13A0 - 0x1450 in hex editor with FF FF .. Now does anybody here know what is the next step to do after this? I wrote a canlogger so I can log some of the cluster tools, but the ones I tried don't support my cluster :( Does anyone have a firmware dump of this type of cluster? Many regards, H2Deetoo Title: Re: Cluster and service mode ? Post by: H2Deetoo on December 02, 2014, 01:07:48 AM Here are 2 examples of the seed I get:
23-11-2014 15:40:02 : 714 [8] 02 27 03 55 55 55 55 55 23-11-2014 15:40:02 : 77E [8] 06 67 03 8F 98 29 51 AA 23-11-2014 15:45:42 : 714 [8] 02 27 03 55 55 55 55 55 23-11-2014 15:45:42 : 77E [8] 06 67 03 9D FD 1B 48 AA |