03-07 Truck Instrument Cluster Firmware

[Fixed until broken]

Ok First I know its not a PCM but this seem liked the best place to post. Second this tread isn't about the EEprom ( Vin, ODO, Hours, Trip, T-tem, Speedo Tables, and other stuff on the EEprom)

So far I have been focused on the 03/04 Silverado cluster. It has a MCU. It is labeled 9399059.. I believe its a custom order c161JI that has on chip flash. This Flash is where it controls if the cluster has steering wheel controls or not. I repair these clusters and run into damaged MCU's (I have a source for them in china but they are blank) I need some help writing to these. I've been posting on EEVblog's forum about it but IDK can I share a link to that on here or rules?

I have 2 different bins I attached one. I pulled them with Flashit before I figured out what the program data area's where so its got a lot junk in it. All that really matters is 0000-7FF0 and 18000-02FFFF. those are the program areas I think. I emailed Flashit they were supper helpful but said flash it will not be able to program this MCU because it was a custom order.

So I figured out how to pull the data with Minimon. That works but I cant figure out how to write with it. The project is getting over my head. I want to learn. One of the members of EEVblog found this in the BIN and said it was also in the driver on minimon so it should be able to it. I just haven't had success.

Code: Select all

-------- EraseSector -------------

//start erase
w[2AAAA] = AA
w[25554] = 55
w[2AAAA] = 80
w[25554] = AA
w[2AAAA] = 55
w[SectorStart] = 30
w[SectorStart] = 30
//wait for completion
do {
	w[2AAAA] = FA
	status = w[20000]
} while (status & 1)



-------- ProgramPage -------------
// start preload
w[2AAAA] = 50
w[PageStart] = wData[0]
// preload
for(i=1; i<1F; i++) {
	w[2A0F2] = wData[i]
}
//confirm
w[2AAAA] = AA
w[25554] = 55
w[2AAAA] = A0
w[PageStart] = wData[1F]
w[PageStart] = wData[1F]
//wait for completion
do {
	w[2AAAA] = FA
	status = w[20000]
} while (status & 1)

Anyone have one of these board and want to try help? all you need is a Serial port or adapter. Pull pin 80 and 89 down to get it into BSL then Minimon can talk to it. Note this is just the 03/04 05-07 has a different MCU that supports Jtag. Ill work on it after this one.

[Fixed until broken]

Just a short update.

I ordered a Logic analyzer to help me see what exactly is going on over the serial port. I also learned wire shark doesn't do com ports sadly. Man logic analyzers from china are cheap as hell and are actually pretty good per people I have talked to that own them.

I wasted $10 on a Chinese Ulink... IDK when I am going learn my lesson on the cheap debuggers from china. I wasn't using the Ulink for 03/04 It was for the 05-07. I decided to Just buy a real miniwiggler for them. Jlinks don't support C166 or C166v2 cores thats only reason I've been on this rabbit hole of a new debugger. I think the Ulink would work I just don't have a MDK5 license.

[antus]

I dont have that hardware, but just wanted to post in support of your work. Very interested to see how you go with this. I have used j-link before, and have a generic logic analyser that I can use with sigrok, and I dont see too many people playing around with these tools.

[Fixed until broken]

I dont have that hardware, but just wanted to post in support of your work. Very interested to see how you go with this. I have used j-link before, and have a generic logic analyser that I can use with sigrok, and I dont see too many people playing around with these tools.

Thank you. I was planning on using sigrok with the logic analyzer. I got one of the older saleae clones from china. I wasn't going to use the saleae software with it. What I have seen online it looks Sigrok is better anyways.

My biggest short fall is that I really am lacking when it comes to programming. So when I run into stuff needing a custom script if I cant make it Arduino IDE than I cant make it lol. I know these MCU's can be programmed over the class 2 bus so someone with some skills could disassembly that Bin and use it to add support on like LS droid, Xprog or of those tools. That would only be half of my goal. Being able to to flash steering wheel controls onto boards that don't have it. The other half is being able to program blank MCU's. I can get them from china to fix all my boards that people fried the the MCU on them trying to fix the board.

[Fixed until broken]

Ok I got my Logic analyzer. Here is all the data I collected today. first I pulled another bin today with Minimon. I also saved it as an intel hex since that should work better with minimon. I also saved it as a bin

I captured some screenshots of it trying to write to the MCU with Sigrok in the background. I also captured the read procedure with Sigrok incase anyone was interested in that. Its attached as a sigrok file.

I noticed the firmware seems to be the same from 018000-02FFFF In both the steering wheel and non steering control firmware. its only 0000-7FFF that has anything different.

Hopefully someone can make sense of why I cant write to it.

[Fixed until broken]

Update 9/26
So last time I posted on here I was trying use the wrong command with minimon I was trying to load to memory on accident not program to flash. When you hit the P button all it does is Erase the flash and then fail to program. I have tried every setting I can think of in minimon. The really annoying thing is that clearly just failing on minimon side because it sends the same data across the Uart for Erase as it does for program. In other words Minimon never actually tries to flash it. It seems to be some setting in minimon but I have tried everything. On EEVBlog one of the users agrees minimon probably just wont work.

Now I know its not much but I got $75 on paypal for whoever can either get minimon to work or write me a custom script lol. I am not good enough at programming to do it myself. I have access to like 8 of these at the moment so I can get a bunch of bins to look at if you need them. Only rule on the script is I am going to give out for free to everyone that works on these. I know $75 is like nothing for a custom script but I didn't want to ask for it for free. If its in C# I woundn't be completely useless for debugging. I hate to be a PLZ broo but I feel I have hit a road block

[Fixed until broken]

Ok I had to reupload it. I was missing the most important part of the video but here is the new one. Its a video covering every part I have figured out so far but I am still missing how to program it. https://youtu.be/lvFUQ_b-JZo

[j_ds_au]

Just a thought ...

Since the chips you're getting are out of China, how do you know that they're not fake?

For example, FTDI drivers detect fake FT232 chips and then refuse to work with them. Perhaps this behaviour is Minimon's version of this? You could (potentially) sacrifice an original chip to see if Minimon treats it any different.

Joe.

[Fixed until broken]

All of the testing as been on original MCU's I havent actually tested the ones I ordered from UTsource yet. I have tried a few different serial adapters before back in January but I will revisit that tonight. I guess I didn't really explain whats going on when you try to program. here is a capture I did of what Minimon Tx's to the MCU when you use erase and program.

Code: Select all

 
Program TX:
8400C000440348803D5AF05AF06B66FDC0FF2892E6F3AAAAE6F45000D7000200B843DC0BA84A08A218B0DC0EB84D2892E6F3F2A0DC0BA84A08A218B0D7000200B843B0293DF7E6F3AAAAE6F4AA00D7000200B843E6F35455E6F45500D7000200B843E6F3AAAAE6F4A000D7000200B843DC0BA84ADC0EB84DE6F3AAAAE6F4FA00D7000200B843E001D7000200A8918AF9F300F0A5F0B6E6F94000E00FDC0BA94ADC0EA95D08A118B008D118E041452D03E6FF1100DB00289148903DF0DB0046F820003D2CE6F3AAAAE6F4AA00D7000200B843E6F35455E6F45500D7000200B843E6F35E5EE6F45E00D7000200B843E6F35455E6F4AA00D7000200B843E6F3AAAAE6F45500D7000200B843E6F35A5AE6F45A00D7000200B843E00FDB0046F821003D2A9A8902C0E0170D01E007E6F3AAAAE6F4AA00D7000200B843E6F35455E6F45500D7000200B843E6F33C3CE6F43C00D7000200B843E6F6F83F2892DC0BA85A08A218B0DC07B856DC07A8560862B0093DF5E00FDB0048813D37BB45E6F3AAAAE6F4AA00D7000200B843E6F35455E6F45500D7000200B843E6F3AAAAE6F48000D7000200B843E6F35455E6F4AA00D7000200B843E6F3AAAAE6F45500D7000200B843E6F43000DC02B841E6F3AAAAE6F4FA00D7000200B843E001D7000200A8918AF9F300E00FDB0048863D52E018BB0BE6F3AAAAE6F4FA00D7000200B843DC02A891E00FDB0048E03D07E0019A8902C0E012CB00E002CB0048E13D06E6F100409A89F8C0E012CB0048E23D06E6F100609A89F0C0E012CB0048E33D04E6F10080E012CB0048E43D03E001E022CB0048E53D04E6F10080E022CB0048E63D03E001E032CB0048E73D04E6F10080E032CB0046FE08003D03E001E042CB0046FE09003D04E6F10080E042CB00E6FF3300CB0046F810003D28BBB7E6F3AAAAE6F4AA00D7000200B843E6F35455E6F45500D7000200B843E6F3AAAAE0F4D7000200B843E6F35455E6F4AA00D7000200B843E6F3AAAAE6F45500D7000200B843E0A4DC02B841E00FDB0046F811003D2D9A8902C0E0170D01E007BB87E6F3AAAAE6F4AA00D7000200B843E6F35455E6F45500D7000200B843E6F3AAAAE004D7000200B843E6F6F83F2892DC0BA85A08A218B0DC07B856DC07A8560862B0093DF5E054DC02B841E00FDB00E01FDB0033

EraseTX:
8400C000440348803D5AF05AF06B66FDC0FF2892E6F3AAAAE6F45000D7000200B843DC0BA84A08A218B0DC0EB84D2892E6F3F2A0DC0BA84A08A218B0D7000200B843B0293DF7E6F3AAAAE6F4AA00D7000200B843E6F35455E6F45500D7000200B843E6F3AAAAE6F4A000D7000200B843DC0BA84ADC0EB84DE6F3AAAAE6F4FA00D7000200B843E001D7000200A8918AF9F300F0A5F0B6E6F94000E00FDC0BA94ADC0EA95D08A118B008D118E041452D03E6FF1100DB00289148903DF0DB0046F820003D2CE6F3AAAAE6F4AA00D7000200B843E6F35455E6F45500D7000200B843E6F35E5EE6F45E00D7000200B843E6F35455E6F4AA00D7000200B843E6F3AAAAE6F45500D7000200B843E6F35A5AE6F45A00D7000200B843E00FDB0046F821003D2A9A8902C0E0170D01E007E6F3AAAAE6F4AA00D7000200B843E6F35455E6F45500D7000200B843E6F33C3CE6F43C00D7000200B843E6F6F83F2892DC0BA85A08A218B0DC07B856DC07A8560862B0093DF5E00FDB0048813D37BB45E6F3AAAAE6F4AA00D7000200B843E6F35455E6F45500D7000200B843E6F3AAAAE6F48000D7000200B843E6F35455E6F4AA00D7000200B843E6F3AAAAE6F45500D7000200B843E6F43000DC02B841E6F3AAAAE6F4FA00D7000200B843E001D7000200A8918AF9F300E00FDB0048863D52E018BB0BE6F3AAAAE6F4FA00D7000200B843DC02A891E00FDB0048E03D07E0019A8902C0E012CB00E002CB0048E13D06E6F100409A89F8C0E012CB0048E23D06E6F100609A89F0C0E012CB0048E33D04E6F10080E012CB0048E43D03E001E022CB0048E53D04E6F10080E022CB0048E63D03E001E032CB0048E73D04E6F10080E032CB0046FE08003D03E001E042CB0046FE09003D04E6F10080E042CB00E6FF3300CB0046F810003D28BBB7E6F3AAAAE6F4AA00D7000200B843E6F35455E6F45500D7000200B843E6F3AAAAE0F4D7000200B843E6F35455E6F4AA00D7000200B843E6F3AAAAE6F45500D7000200B843E0A4DC02B841E00FDB0046F811003D2D9A8902C0E0170D01E007BB87E6F3AAAAE6F4AA00D7000200B843E6F35455E6F45500D7000200B843E6F3AAAAE004D7000200B843E6F6F83F2892DC0BA85A08A218B0DC07B856DC07A8560862B0093DF5E054DC02B841E00FDB00E01FDB0033

As you can see its exactly the same. It never actually try's to program it.
Thank you for the suggestion.

[Fixed until broken]

I got it! It works now. BTW the OS has no checksums or at least in the parts I have messed with. I did a full video on it. you can see here. https://youtu.be/G0HPysDnCD4 If you want the bins off the board you can get them here https://github.com/garnerm91/0304-mcu