Clone Mondeo MK4 BCM

[Go4IT]

Anybody here who did this already, without using expensive legacy tools?
Or can provide any helpful informantion?

For me, i would try to do it "the hard way", mean by connecting to the R32C MCU reading out it's flash.
On the board there is a R32C (Group 152) MCU unit. It stores at max. 768kb of Flash memory. Maybe there is also some external Flash/EEPROM, don't know.
The R32C R5F64524KFD (Renessas) does not have a JTAG but uses an UART (UART0) for programming/debugging. There are many hints available for the unpopulated debug-header on the BCM board, but most infos you find use legacy tools (expensive, unclear of their process).

I've attached the BCM-Firmware as VBF and extracted, flattened BIN, if that is of interest.

[DGAlexandru]

You have experience with IDA .. why don't you try to understand the BootLoader that is sent by CAN and see if you can use it to dump its contents over CAN (OBD)?
We have it for IPC, other free and paid tools are able to do it for PCM.. maybe the BCMII has it also.

Unfortunately Ursadon never gave me access to the source code of IPCUpdate.. and as I'm not that good in programming to make a stable communication over RS232 and ELM / ELS.. I couldn't create a tool like his.. which could be used also for other modules...

[Go4IT]

Thanks, but meanwhile i made it and could sucessfully clone my own BCM onto another one bought through ebay and it works like a charm. No immo, no problems.

[DGAlexandru]

How did you managed to clone it?

[Go4IT]

In a short

Determined how a R32C MCU is to be programmed. It uses simple UART protocol. Next where the needed pins are and found them on an unpopulated header under the black roof connector:

bcm_header_pinout.png

Also found a way to disable the hardware-watchdog, used an simple USB/UART connector and Renesas Flash-Development-Toolkit to download all Flash content from the MCU (Chip-Password was simple default: FF FF FF FF FF FF FF).

Then uploaded the contents (User Flash, Data Flash, E2 Data Flash) to another BCM and coud run this in my car without any issues.

[DGAlexandru]

Very eazy!
10x for sharing

[Go4IT]

I will create a full tutorial in my Wiki soo and link it here.
You might be able to do this also with expensive hardware/software tools like XPROG, Orange5, etc. But why wasting money? I did it all with free and inexpensive tools. Only an UART adapter is needed for 5€.

[Syntax]

Can you please post whole FW from 0x0 ? With vector table, PBL etc...
I would like to look at the outcode/incode calculation.

[Go4IT]

Can you please post whole FW from 0x0 ? With vector table, PBL etc...

You don't need that, everything is already in the firmware files!

Look at the memory map of the R32C:

01-12-_2023_08-17-35.png

And now the layout of the VBF:

bcm_vbf_map.png

VBF contains the lower yellow block, starting at 0xFFF4_0000 up to 0xFFFF_FFFF. And as you see marked on the right side, this block containts the vector-table.

Now you might only need the CCC which is inside Data Flash (yellow marked "Internal ROM") starting at 0x006_0000 followed by E2 Flash starting at 0x006_2000.

I would like to look at the outcode/incode calculation.

Sounds interesting. Would love to share findings in firmware from you.

[DGAlexandru]

Well... not exactly...
In the Data space most probabbly is also at least some part of the IMMO algorithm.

In RKE / KeyLess Module this is the case - the firmware update files are the same for old (7S7T-xxx-C* or D*) and new Incode/Outcode, but on the newer models - those after 08.2010 - the CPU is locked on BDM exactly for this - so you can't read (easillly) the new algorithm.