MicroHacker Forum

Online community for electronics and microcontroller reverse engineering
https://microhacker.denkdose.de/

Rfa module differences mondeo mk4 prefl

https://microhacker.denkdose.de/viewtopic.php?t=328

Page 2 of 3

Re: Rfa module differences mondeo mk4 prefl

Posted: 29 Apr 2022, 19:54
by Go4IT
Wow, those parts are really cheap. NVC1413BD is a simple line-driver IC called "MC1413", costs some cents. The relay is a standard Panasonic automotive one, costs about 4,50€ per part, maybe cheaper somewhere else. There is also an extra diode nearby, i guess a simple freerun for the coil of the relay. And there is also a little capacitor, i guess a blocking cap with 10nF or such. Both needs to be desoldered and classified... but this should be all that needed.

Re: Rfa module differences mondeo mk4 prefl

Posted: 29 Apr 2022, 20:14
by ZvonimirG
Yes that is only difference between two, everything else looks same on both modules and off course different firmware

Re: Rfa module differences mondeo mk4 prefl

Posted: 06 May 2022, 05:14
by DGAlexandru
Same FW also, just some different bytes in EEPROM.

Re: Rfa module differences mondeo mk4 prefl

Posted: 06 May 2022, 11:37
by ZvonimirG
That is good to know 👍

Re: Rfa module differences mondeo mk4 prefl

Posted: 06 May 2022, 17:28
by Go4IT
DGAlexandru wrote: 06 May 2022, 05:14 Same FW also, just some different bytes in EEPROM.
Can you point them out?

Re: Rfa module differences mondeo mk4 prefl

Posted: 07 May 2022, 17:07
by Go4IT
I finally found the external RESET-Circuit. It's made out of a SMD part marked "W1s" which is a combined NPN and PNP transistor in a single SOT-363 package. To prevent it from interfere the BDM-readout, just bridge the base to +5V, shown as solid red line here
kvm_7s7t-19g481_disable_reset.png

Re: Rfa module differences mondeo mk4 prefl

Posted: 08 May 2022, 09:35
by Go4IT
The 384 KB of Flash memory is organized in three 128 KB areas in the global address map. The first area starts at global address 0x78_0000 up to 0x79_FFFF. To access the data in this area 16KB-blocks of it are mapped into local address space 0x8000-0xBFFF by setting the PPAGE register at 0x30 to values 0xE0 - 0xE7. The next area starts at 0x7C_0000 and corresponds to PPAGES 0xF0 - 0xF7. And the last area from 0x7E_0000 uses pages 0xF8 - 0xFF.
memory_maps_384kb.png
When i look into Main-FW VBF file (7S7T-14C104-*), i found that it programs these areas:

Code: Select all

                 { 0x00004000, 0x00003000 },
                 { 0x0000c000, 0x00001ffc },
                 { 0x00e08000, 0x00004000 },
                 { 0x00e18000, 0x00004000 },
                 { 0x00e28000, 0x00004000 },
                 { 0x00e39000, 0x00003000 },
                 { 0x00e48000, 0x00004000 },
                 { 0x00e58000, 0x00004000 },
                 { 0x00e68000, 0x00004000 },
                 { 0x00e78000, 0x00004000 },
                 { 0x00f08000, 0x00004000 },
                 { 0x00f18000, 0x00004000 },
                 { 0x00f28000, 0x00004000 },
                 { 0x00f38000, 0x00004000 },
                 { 0x00f48000, 0x00004000 },
                 { 0x00f58000, 0x00004000 },
                 { 0x00f68000, 0x00004000 },
                 { 0x00f78000, 0x00004000 },
                 { 0x00f88000, 0x00004000 },
                 { 0x00f98000, 0x00004000 },
                 { 0x00fa8000, 0x00004000 },
                 { 0x00fb8000, 0x00004000 },
                 { 0x00fc8000, 0x00004000 },
                 { 0x00fe8000, 0x00004000 }
The first two looks like they are in local memory map, but we know that by default 0x4000 represents PPAGE 0xFD and 0xC000 0xFF.
So in fact this programs PPAGES 0xE0-0xE7, 0xF0-F7, 0xF8-0xFF => the full 384KB range of the Flash (execpt that 0xFD is not fully programmed, only 0x3000 Bytes and 0xFF only 0x1FFC Bytes).

So now we know what to put into the readout-areas to get a full dump of the KVM firmware using USBDM:

Code: Select all

E08000 E0BFFF
E18000 E1BFFF
E28000 E2BFFF
E38000 E3BFFF
E48000 E4BFFF
E58000 E5BFFF
E68000 E6BFFF
E78000 E7BFFF

F08000 F0BFFF
F18000 F1BFFF
F28000 F2BFFF
F38000 F3BFFF
F48000 F4BFFF
F58000 F5BFFF
F68000 F6BFFF
F78000 F7BFFF

F88000 F8BFFF
F99000 F9BFFF
FA8000 FABFFF
FB8000 FBBFFF
FC8000 FCBFFF
FD8000 FDAFFF
FE8000 FEBFFF
FF8000 FF9FFC

Re: Rfa module differences mondeo mk4 prefl

Posted: 11 May 2022, 20:45
by ZvonimirG
Today I successfully flashed dead KVM module thanks to Go4it findings for watch dog reset circuit and advice from DGAlexandru from other KVM thread to rather hold reset and not apply power when prompted by ucds
IMG_20220511_221727_copy_1024x541.jpg
After flashing module again shows up in pool modules
IMG_20220511_221509_copy_1024x682.jpg
IMG_20220511_212916_copy_1024x461.jpg

Re: Rfa module differences mondeo mk4 prefl

Posted: 13 May 2022, 00:33
by DGAlexandru
So you were able to flash it back by using only OBD?

I never thought that the Reset from WatchDog might not be controlled by the BootLoader.. or maybe the Reset comes too fast so the BootLoader is not yet fully transferred and / or active... and this is why sometimes it worked for me and other times it didn't: it was all about luck in synchronization - sending the BL before the Reset was triggered by the WatchDog.

Re: Rfa module differences mondeo mk4 prefl

Posted: 13 May 2022, 10:26
by amplified
Zvonimir, so you have the pinout for module?
All times are UTC
Page 2 of 3

Powered by phpBB® Forum Software © phpBB Limited