How to gain firmware of PAM module BS7T-15K866-AE ?

[Go4IT]

Hi there. I have this PAM module and wonder how to get to it's firmware. On the board it uses an MC9S12DG128 uC, no external Flash or EEPROM, so it's all on the chip.
I gather the firmware-update file (VBF) from the Ford website, and it has several blocks in it:

Code: Select all

       erase = { { 0x00388000, 0x0000343a },
                 { 0x00398000, 0x00000c81 },
                 { 0x003a8000, 0x00000e4c },
                 { 0x003b8000, 0x00004000 },
                 { 0x003c8000, 0x00003658 },
                 { 0x003d8000, 0x00002d6b },
                 { 0x003e8000, 0x00000140 },
                 { 0x003e8a00, 0x000005f6 },
                 { 0x003e9200, 0x0000080e },
                 { 0x003ea000, 0x00000efa },
                 { 0x003f8000, 0x00001f92 }

The MC9S12 belongs to the HCS12 family of Renesas (former Motorola) MCUs. It has an 16 Bit CPU, so adressable memory range would normally be limited to 64k (0x0000-0xFFFF). The datasheet of the chip tells about a paging mechanism, which may be the first two hex-digits of the memory locations shown in the updatefile above. The VBF contains START-ADDRESS-ON-TARGET followed by LENGHT in each braced block. The MC9S12DG128 has 128 KB Flash, 8 KB RAM and 2 KB EEPROM, so i would expect a maximum of 4 blocks, if at all.

I've read in the specs that the MCU can be protected against readout via BDM (has no JTAG, but proprietary BDM format) and i bet they did!

Any idea how to get to it's full firmware?

[paxtonix]

latest firmware

Code: Select all

Bootloader: 6G92-14C093-AC
Software: 7G92-14C090-AG
SW Part2: 8G92-14C377-CB

Primary firmware

Code: Select all

Loader 6G92-14C093-AC
Firmware BS7T-14C090-AC
Calibration BS7T-14C377-AA

any chance knowing the reason for dump ?

[Gwe89]

I would also like to dump the PAM as I have the autopam mod from conversmod and I would like to read the firmware and make vbf and gateway to make this work and release this to public

[Go4IT]

I see a slight chance by using UDS commands. We need to crack the secret key (seed) to start an authorized session and maybe then be able to use a memory read command to read out the contents of the internal Flash.
As the PAM uses an HCS12 derivate MCU, it has no JTAG interface, nor external Flash. Hard to beat from the hardware side...

[paxtonix]

We need to crack the secret key (seed) to start an authorized session .

@Go4It.

we already have them all form Ursadon.

https://gist.github.com/Ursadon/8941ff5 ... e09f060eec

[Gwe89]

I'm not a wizard with things like coding ect so please dont slate me
Is there any way the fw could be read while updating the module?

[Go4IT]

Read an update (=write) are two different tasks. You can't read while writing, nowhere

[DGAlexandru]

You can't read while writing, nowhere

Actually you can
You can sniff the CAN BUS while you do an update to a moddule in order to be able to create a VBF from it.
This way I was able to get the Convers mod firmware at first... Then I did it by Jtag.. Now with the tool found here.

What mod do you think it is done to the PAM module? I update it with UC DS and it works for Convers.. Of course, for FaceLift you need to use the right FW version depending on the type of the AudioUnit... but it should work even if you don't update it - only some old PreFL PAM modules need it.

[Go4IT]

From the early past i know a case where one needed to update his PAM because it did not provide any distance-data in CAN message ID 0x131. After update Convers+ with Mod it also updated the PAM, the distance-informations where there.

I don't know if there are FW versions für special audio units, can't really think of. But i know there where some rare Sonys out there which applies the beeper sounds through the audio speakers instead of those special tiny speakers above the clocks and in the rear.

On FL the distances-data is needed for rear view camera, because it is shown as overlay in the picture.

[drobec.eu]

Here is full firmware MCU (EEprom and Flash) on PAM Module 7G92,8G92,BS7T...