search

dnoermann / car-tools

Tools for working with VW PQ25 Plattform Vehicles
40 stars 13 forks source link

WiP: Flashing with free tools #3

Open danielkucera opened 7 months ago

danielkucera commented 7 months ago

Hello, I am working on flashing the chip with opensource tools (because expensive flashing tools are expensive flash tools :smile: ). Currently I am able to read the flash using OpenOCD with FT2232H (but any JTAG adapter should work).

IMG20240129121314

One just needs following set of scripts: https://github.com/danielkucera/openocd-xpc56-scripts/tree/master

Then run:

$ openocd -f spc.cfg 
Open On-Chip Debugger 0.11.0+dev-00059-g56506d2ed (2024-01-26-00:37)
Licensed under GNU GPL v2
For bug reports, read
    http://openocd.org/doc/doxygen/bugs.html
DEPRECATED! use 'adapter speed' not 'adapter_khz'
Info : clock speed 2000 kHz
Info : JTAG tap: mcp5675.cpu tap/device found: 0x0aec101d (mfg: 0x00e (Freescale (Motorola)), part: 0xaec1, ver: 0x0)
Warn : gdb services need one or more targets defined

Sending IDCODE command

IDCODE: 0aec101d
Info : JTAG tap: mcp5675.once enabled
Info : JTAG tap: mcp5675.cpu disabled
OnCE JTAG ID = 0x07e2f01d shall be 07e2f01d
OSR = 0x0241

Enter debug mode...
asserted
ocr set
OSR = 0x0241

deasserted
OSR = 0x0209

cpuid1 1b0100ff
40003f80 00000000 00000000 0000fff0 4d525250 00000300
MCU ID 1: 0xc3f90004
MCU ID 2: 0xc3f90008
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : accepting 'telnet' connection on tcp/4444

Then using telnet:

$ telnet localhost 4444
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
> once_save_bin mcp5675.once 0 2097152 firmware.hex

wait for it to finish, then:

xxd -r -p < firmware.hex > firmware.bin

and you have the FW file.

I'll work now on the erasing and flashing as that is a bit more difficult and needs some code upload.

Credits go to: https://review.openocd.org/c/openocd/+/6124 And NXP support: https://community.nxp.com/t5/MPC5xxx/Unable-to-put-MCP5675K-into-debug-mode/m-p/1796402#M24794

echu2013 commented 7 months ago

Very interesting! which flash are you dumping ? IC?

danielkucera commented 7 months ago

Yep, the MCP5675K

echu2013 commented 7 months ago

Yep, the MCP5675K

I have an IC with nec v850e :-/

dnoermann commented 7 months ago

Cool, thanks for sharing that Informations, i add it to my Guide

danielkucera commented 7 months ago

I can also patch the CP locations and erase block with swap keys but not yet able to reliably flash it back (there are bit errors after writing). I am still trying to finish this. Will report back.