k0mpresd
« Reply #375 on: March 19, 2020, 08:15:05 AM »
You have a Gen 4 or Gen 5 read ?
gen4 is split into two separate files for a full read. the BL and then the rest of the data is split by a chunk of ram address ranges.
Praga
Full Member
Karma: +4/-3
Offline
Posts: 62
« Reply #376 on: March 19, 2020, 08:27:28 AM »
gen4 is split into two separate files for a full read. the BL and then the rest of the data is split by a chunk of ram address ranges.
Please post what you have. Interested to see how much different it is from Gen 2
threepot
Newbie
Karma: +4/-0
Offline
Posts: 15
« Reply #377 on: March 25, 2020, 11:43:40 AM »
Here are a few dumps for gen 4 VAG units, I have every flash of every Gen 2 to 4 Haldex unit ever made for VAG, Landrover, Ford, Volvo.
I am not a software type guy, or a remapper, but I do know the actual PCB and hardware inside and out, I have drawn it all out.
Don't know if I can really be of any use in any of this, but I keep an eye on this thread as finding people who tinker with haldex controllers is pretty niche.
I dump them as one long file, and I dump them from the BDM pins on the board.
0-8000 is the first part of the flash/boot loader, then 8000-18000 is the "hole" - e.g. the memory, then 18000 onward is the actual flash.
When I write the file back, I write the first 0-8000 first, then the 18000 onward section.
I have just discovered the security login pin for the Gen 2 and Gen 4 units today, using a brute force method, it has taken a good few days getting 2 tries every 3.5 seconds.
« Last Edit: March 25, 2020, 12:18:32 PM by threepot »
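The dump layout described in the post above (0-8000 boot loader, 8000-18000 "hole", 18000 onward flash), as an added example that is not part of the original post: a Python helper that splits a single-file dump into those regions, fingerprints each one so two dumps can be compared, and lists the two ranges in the write-back order the post gives. It assumes the offsets are hexadecimal byte offsets and that erased flash reads as 0xFF; the function names and the sample image are constructed for illustration.

```python
import hashlib

# Region boundaries from the post, read here as hexadecimal byte offsets (assumption).
BOOT_END = 0x8000    # 0x0000-0x7FFF: first part of the flash / boot loader
HOLE_END = 0x18000   # 0x8000-0x17FFF: the "hole" (memory, not flash)
ERASED = 0xFF        # assumed fill value of erased flash

def split_dump(dump: bytes) -> dict:
    """Slice a single-file dump into the three regions described in the post."""
    if len(dump) <= HOLE_END:
        raise ValueError("dump too short: no data past the hole")
    return {"boot": dump[:BOOT_END],
            "hole": dump[BOOT_END:HOLE_END],
            "flash": dump[HOLE_END:]}

def is_blank(region: bytes) -> bool:
    """True if every byte equals the erased fill value."""
    return region.count(ERASED) == len(region)

def fingerprints(dump: bytes) -> dict:
    """SHA-256 per region, so two dumps can be compared region by region."""
    return {name: hashlib.sha256(data).hexdigest()
            for name, data in split_dump(dump).items()}

def changed_regions(a: bytes, b: bytes) -> list:
    """Names of the regions whose contents differ between two dumps."""
    fa, fb = fingerprints(a), fingerprints(b)
    return [name for name in ("boot", "hole", "flash") if fa[name] != fb[name]]

def write_plan(dump: bytes) -> list:
    """(offset, length) ranges in the write-back order from the post:
    boot loader first, then 0x18000 onward; the hole is never written."""
    regions = split_dump(dump)
    for name in ("boot", "flash"):
        if is_blank(regions[name]):
            raise ValueError(f"{name} region is blank; refusing to plan a write")
    return [(0, BOOT_END), (HOLE_END, len(regions["flash"]))]

# Constructed sample image, not a real controller dump.
SAMPLE = bytes([0x12]) * BOOT_END + bytes(HOLE_END - BOOT_END) + bytes([0x34]) * 0x1000

if __name__ == "__main__":
    print(write_plan(SAMPLE))
    print(fingerprints(SAMPLE))
```

The blank-region check catches a failed or truncated read before the file is used as a write source.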
threepot
« Reply #378 on: March 25, 2020, 01:17:59 PM »
On the Gen5 controller the checksum is just an Add16. In order to read/write the newer controllers you need to write a loader or vr_read. I can help if someone wants to upload a G5 full read so I can solve the seed/key.
I can't help with a Gen 5 read, as I have not done one yet, but very interested in making it happen. And knowledge that may push this forward is very much appreciated from anyone.
« Last Edit: February 11, 2021, 01:54:26 PM by threepot »
aef
« Reply #379 on: March 26, 2020, 01:29:50 AM »
nice!
What is your background/job when you have all of the files?
Praga
« Reply #380 on: March 26, 2020, 01:21:47 PM »
I can't help with a Gen 5 read, as I have not done one yet, but very interested in making it happen. And knowledge that may push this forward is very much appreciated from anyone.
So far I have worked out these points for the JTAG interface. And bought a mini wiggler, because it was all I found when researching trying to read and write XC2734 but things have got in the way and it is still in its box.
During this lock down I will try and get this freed from its box and maybe working.
Excellent. I am keen to start reading/writing to Gen 4 soon. Everything has stopped with the Lockdown... But I have plenty to test / dump / break so open to ideas.
RBPE
« Reply #381 on: March 26, 2020, 01:54:58 PM »
nice!
What is your background/job when you have all of the files?
Burglar/recently covid carrying ex Haldex worker - delete as applicable!
threepot
« Reply #382 on: March 26, 2020, 04:31:00 PM »
I'm not admitting anything guv! But I did stay up till 4am last night - not coughing to death - just trying to get that damn miniwiggler to wiggle just right for me. Without success though, it will not detect the XC2734, I'm doing something wrong somewhere. Got the software all running OK, I'm just missing something on the board connections. I have no idea what I'm doing with JTAG. To be fair, I never know what I'm doing, but enough late nights tends to prevail in success and an education at the same time. Anyone have any half clues?
aef
« Reply #383 on: March 27, 2020, 03:01:03 AM »
Why don't you access the pins direct @ the chip? Is it too small for needles?
Pin5 is your orange pin according to data sheet for example.
threepot
« Reply #384 on: March 27, 2020, 08:25:54 AM »
I tried via DAP
DAP0 - Pin 37 or Pin 53
DAP1 - Pin 5 or Pin 55
All using
RESET = Pin 62 PORST
VCC = 5v
GND = GND
Anyone have any input?
« Last Edit: February 11, 2021, 01:55:26 PM by threepot »
threepot
« Reply #385 on: March 27, 2020, 10:24:58 AM »
Think I might have found some good meat to cook with.....
threepot
« Reply #386 on: March 27, 2020, 01:08:22 PM »
As Dave Jones would say "We're in like Flynn" !!
Oh my, the miniwiggler has connected and detected the XC2000 Family device.
threepot
« Reply #387 on: March 27, 2020, 01:27:22 PM »
Here is the flash from an 0cq907554d Gen 5 Haldex Controller
threepot
« Reply #388 on: March 27, 2020, 02:37:11 PM »
And a 0ay907554f flash.
I tried to write the data from one onto the other, but I did something stupid! I erased it first, ready to rewrite it. Then rebooted it. But the JTAG Debug mode runs from the flash. If you erase it you can no longer connect to it because the boot loader has just been erased. That's bricked one then!
Lesson No 1, do not erase the bootloader.
These Gen 5 Haldex controllers are also the same as the Golf GTi "VAQ" E-diff controller. I will dump one of those next.
Praga
« Reply #389 on: March 28, 2020, 06:06:08 AM »
Here is the flash from an 0cq907554d Gen 5 Haldex Controller
Well done !! Can you use the wiggler to write ?