7G9T 14B533GF Door module FORD
7G9T 14B533GF Door module FORD
Can any one help I need a pin out for this module,
You do not have the required permissions to view the files attached to this post.
Digimod
Re: 7G9T 14B533GF Door module FORD
Shure, but what exactly do you need or trying to do?
From the partnumber it is a driver door module, used in Ford-Models build between 2007 and 2010. Here you find plenty of information about this particular door module:
https://mk4-wiki.denkdose.de/en/artikel ... dule/start
Also a pinout description of the two connectors: https://mk4-wiki.denkdose.de/en/artikel ... pinout_ddm
And a teardown i made for my own: https://mk4-wiki.denkdose.de/artikel/tu ... 3-cd/start
including some further informations. I also desoldered all the parts, identified and registered them, remove the tin and solder mask, scanned both layers of the PCB and wanted to make a schematic of it. But i found that the classic tools for this job (Eagle, Target3001, Fritzing, etc.) do not have the possibility to start with a PCB. You must first draw a schematic. So what was needed here is a reverse engineering tool, which i don't really found, or at least not a working one. Maybe this reverse engineering is worth an own article here!
And, surprise surprise, we found in the parts list an old pal controlling all this stuff, a V850 MCU (70F3233M2)
I've also got the firmware to program these and, of course, many CAN-logs. It is no problem to use them "on the desk" by simulating some essential messages on the CAN like IGNITION and CCC. With it, i managed to use mirror lamps, folding and such.
From the partnumber it is a driver door module, used in Ford-Models build between 2007 and 2010. Here you find plenty of information about this particular door module:
https://mk4-wiki.denkdose.de/en/artikel ... dule/start
Also a pinout description of the two connectors: https://mk4-wiki.denkdose.de/en/artikel ... pinout_ddm
And a teardown i made for my own: https://mk4-wiki.denkdose.de/artikel/tu ... 3-cd/start
including some further informations. I also desoldered all the parts, identified and registered them, remove the tin and solder mask, scanned both layers of the PCB and wanted to make a schematic of it. But i found that the classic tools for this job (Eagle, Target3001, Fritzing, etc.) do not have the possibility to start with a PCB. You must first draw a schematic. So what was needed here is a reverse engineering tool, which i don't really found, or at least not a working one. Maybe this reverse engineering is worth an own article here!
And, surprise surprise, we found in the parts list an old pal controlling all this stuff, a V850 MCU (70F3233M2)
I've also got the firmware to program these and, of course, many CAN-logs. It is no problem to use them "on the desk" by simulating some essential messages on the CAN like IGNITION and CCC. With it, i managed to use mirror lamps, folding and such.
Re: 7G9T 14B533GF Door module FORD
The module is out of a 2010 FL galaxy titanium x.
I w anted to run on the bench, I can generate ignition, not certain about central car configuration setting I’ll have to have a look.
I would like to read the flash it’s all a lerning sequence, I like the work you have done I’m now off to read it all
I w anted to run on the bench, I can generate ignition, not certain about central car configuration setting I’ll have to have a look.
I would like to read the flash it’s all a lerning sequence, I like the work you have done I’m now off to read it all
Digimod
Re: 7G9T 14B533GF Door module FORD
To hack the MCU it may not be necessary to know the schematics of the module, so this is another riddle to get solved.
What we need is a goal to achieve and an attack-vector. I see two possibilites for now. First, try to get "inside" using JTAG (generic) or UART (Renesas specific) and second to manipulate the Firmware update files.
From the datasheet of the 70F3233:
µPD70F3233
Architecture: V850ES/FF2
Size: TQFP80 (fine pitch, 12x12mm)
Memory: 256 KB Flash / 12 KB RAM
Remark "Without power-on clear function" (whatever this means)
"(16) On-chip debug function (Flash memory product only)
An on-chip debug function (Flash memory product only) that uses the communication specifications of JTAG
(Joint Test Action Group) and that is used via an N-Wire in-circuit emulator is provided. The normal port
function and on-chip debug function are selected by using the input level of a control pin and on-chip debug
mode setting register (OCDM)."
and also interessting:
3.3 Operation Modes
The V850ES/Fx2 have the following operation modes.
FLMD0 FLMD1 Operation Mode
0 X Normal operation mode
1 0 Flash memory programming mode
1 1 Setting prohibited
("x" = don't care)
(1) Normal operation mode
After system reset is released, each pin related to the bus interface is set in the port mode, execution branches
to the reset entry address of the internal ROM, and instruction processing is started. When the PMCDL,
PMCCM, PMCCS, and PMCCT registers are set in the control mode by software, an external device can be
connected to the external memory area.
(2) Flash memory programming mode
When this mode is specified, the internal flash memory can be programmed by using a flash programmer.
(3) On-chip debug mode
The V850ES/FJ2 is provided with an on-chip debug function that employ the JTAG (Joint Test Action Group)
communication specifications and that is executed via an N-Wire emulator. For details, see CHAPTER 27 ONCHIP
DEBUG FUNCTION."
3.3.1 Specifying operation mode
Specify the operation mode by using the FLMD0 and FLMD1 pins. In the normal mode, make sure that the
FLMD0/IC pin goes low when reset is released.
In the flash memory programming mode, a high level is input to the FLMD0 pin from the flash programmer if a flash
programmer is connected, but it must be input from an external circuit in the self-programming mode.
What we need is a goal to achieve and an attack-vector. I see two possibilites for now. First, try to get "inside" using JTAG (generic) or UART (Renesas specific) and second to manipulate the Firmware update files.
From the datasheet of the 70F3233:
µPD70F3233
Architecture: V850ES/FF2
Size: TQFP80 (fine pitch, 12x12mm)
Memory: 256 KB Flash / 12 KB RAM
Remark "Without power-on clear function" (whatever this means)
"(16) On-chip debug function (Flash memory product only)
An on-chip debug function (Flash memory product only) that uses the communication specifications of JTAG
(Joint Test Action Group) and that is used via an N-Wire in-circuit emulator is provided. The normal port
function and on-chip debug function are selected by using the input level of a control pin and on-chip debug
mode setting register (OCDM)."
and also interessting:
3.3 Operation Modes
The V850ES/Fx2 have the following operation modes.
FLMD0 FLMD1 Operation Mode
0 X Normal operation mode
1 0 Flash memory programming mode
1 1 Setting prohibited
("x" = don't care)
(1) Normal operation mode
After system reset is released, each pin related to the bus interface is set in the port mode, execution branches
to the reset entry address of the internal ROM, and instruction processing is started. When the PMCDL,
PMCCM, PMCCS, and PMCCT registers are set in the control mode by software, an external device can be
connected to the external memory area.
(2) Flash memory programming mode
When this mode is specified, the internal flash memory can be programmed by using a flash programmer.
(3) On-chip debug mode
The V850ES/FJ2 is provided with an on-chip debug function that employ the JTAG (Joint Test Action Group)
communication specifications and that is executed via an N-Wire emulator. For details, see CHAPTER 27 ONCHIP
DEBUG FUNCTION."
3.3.1 Specifying operation mode
Specify the operation mode by using the FLMD0 and FLMD1 pins. In the normal mode, make sure that the
FLMD0/IC pin goes low when reset is released.
In the flash memory programming mode, a high level is input to the FLMD0 pin from the flash programmer if a flash
programmer is connected, but it must be input from an external circuit in the self-programming mode.
You do not have the required permissions to view the files attached to this post.