HW: 8M2T-10849-VC
Calibration: 8M2T-10849-VE
FW (DID F188): Updated from 8M2T-14C026-CC to 8M2T-14C026-CE
ECU Software (DID F121) from 8M2T-14C026-EC to 8M2T-14C026-ED
Bootloader (SBL) used for Update 7M2T-14C025-AA
(The firmware-files could be downloaded here http://www.ucdsys.ru/calibration/ by enterind the partnumber)
The update-procedure in UCDS is given like this:
Code: Select all
00:00:09.914: Requesting security mode...Please wait...
00:00:09:929: Security mode granted!
00:00:09:928: Loading Secondary Bootloader...
00:00:10:363: Secondary Bootloader successfully loaded and initialized.
00:00:10:427: Erasing flash...
00:00:10:431: Erasing flash block 1 from 1...
00:00:18:170: Erasing flash finished.
00:00:18:231: Programming flash block 1 from 1...
00:03:45:755: Checking...
00:03:55:549: Erasing flash...
00:03:55:557: Erasing flash block 1 from 1...
00:04:06:015: Erasing flash finished.
00:04:05:071: Programming flash block 1 from 1...
00:10:59:132: Checking...
00:11:19:315: Performing check routine procedure...
00:11:19:530: Reset modules...
00:11:19:639: All operations done.
The upload of the SBL starts in line 691 of the logfile, beginning with the green bytes: "46,718 720 8 13 FE 36 01 01 00 FF 71"
and ends in line 851: "46,923 720 8 2A 50 45 56 33 30 31 46" (Note: Byte 0x46 is not part of the image)
The binary part of the Firmware (*-CE) starts at line 968: "54,967 720 8 13 FE 36 01 7C C7 55 AA "
and ends in line 152.278: "22,454 720 8 28 C7 55 AA AA 55 C7 F0 "
And the ECU software (*-ED) starts in line 152.307: "42,817 720 8 13 FE 36 01 00 00 00 FF "
and ends in line 460.957: "35,872 720 8 24 EF EF EF 85 B6 24 CD "
This means all update setup (security mode) is done in the lines prior to 690 and i guess we can focus on ID 720, 728 there. Which in fact leaves only these lines:
Code: Select all
Time ID DLC Data Comment
45,613 720 8 02 10 02 00 00 00 00 00
45,624 728 8 06 50 02 00 19 01 F4 00
46,633 720 8 02 27 01 00 00 00 00 00
46,634 728 8 05 67 01 BA AB EF 00 00
46,637 720 8 05 27 02 42 6C 4B 00 00
46,641 728 8 02 67 02 00 00 00 00 00
46,703 720 8 10 0B 34 00 44 00 00 00
46,704 728 8 30 00 01 00 00 00 00 00
46,706 720 8 21 00 00 00 06 CC 00 00
46,710 728 8 04 74 20 03 FE 00 00 00
46,718 720 8 13 FE 36 01 01 00 FF 71
The next byte is the "OBD SID" ("Service ID" or sometims called "Mode"). Here it is 0x10, which from this table https://www.obd-2.de/programmierer-tips.html means: "Initiate diagnose function".
The last byte in the first message, 0x02 is the "OBD PID", a kind of parameter for the mode.
The OBD2 standard defines that each request is answered by using the requested Service added a ACK or NAK flag in the requested service-ID. By adding 0x40 to the ID it tells us, "OK". So 0x10 becomes 0x50 in the answer, 0x27 becomes 0x67, and so on.
In the next request it uses 0x27 = Protected access.
At 46,703 things are changing. The first data bytes does not seem to have the length of data, but seem to be direct data somehow. From timecode 47,718 on, the binary image of the bootloader is send. As from the VBF files the length of the bootloader is 0x6CC which we find in this message: "46,706 720 8 21 00 00 00 06 CC 00 00 "
. Maybe we need reverse engineering Ford IDS tool (if it can update IPC)
