MicroHacker Forum

would you use the j tag port to load the files or use can bus

Stevebe wrote: ↑25 Mar 2019, 19:06 would you use the j tag port to load the files or use can bus

This can/should be done over CAN-Bus. JTAG is dangerous, because the MAC-chip has something like an "intrusion detection an lockdown" mechanism. If you try to access the RAM/Flash via JTAG it locks itself down and can never be recovered. I killed a Convers this way myself It can only be overwritten if you have the bootstrap sources, which are not inside the update files.

Have you guys got the VBF tool?

Gwe89 wrote: ↑01 Apr 2019, 11:11 Have you guys got the VBF tool?

I don't have it. But the vbf format is very simple:

N bytes - Header until "}" symbol
[4 byte — address block1]
[4 byte — length block1]
[x byte — data block1]
[2 byte — CRC16 CCITT of block1]
…
[4 byte — address block3]
[4 byte — length block3]
[x byte — data block3]
[2 byte — CRC16 CCITT of block3]

So you can easy extract .bin from .vbf using any HEX editor

Go4IT wrote: ↑25 Mar 2019, 06:14 I have a UCDS and also had captured the CAN comms of updating an IPC with new firmware. I will provide that log here, maybe it‘s of some use for you... but there are parts regarding random seed which are useless to replay, i guess, but give it a try.

It would be nice if you provide can dump of fw update. I think, that seed is predefined. Maybe 20-30 variants of keys

Ursadon wrote: ↑01 Apr 2019, 12:01 So you can easy extract .bin from .vbf using any HEX editor

Right, do it all the time because those dammned VBF tool will only export as HEX or S19 and not directly to BIN.
I also had documented this in the Wiki https://mk4-wiki.denkdose.de/en/artikel/vbf/start

Ursadon wrote: ↑01 Apr 2019, 12:07 It would be nice if you provide can dump of fw update. I think, that seed is predefined. Maybe 20-30 variants of keys

I would instantly, but i can't find the log i made a while ago and now i currently have no working Convers to play with
Hopefully i get the one i lent back, or i need to buy another one...
But the update scheme will be the same for other modules?! So if i capture any update, would it be sufficient?

Well I have vbf tool if its any use to you

Go4IT wrote: ↑01 Apr 2019, 13:13

Ursadon wrote: ↑01 Apr 2019, 12:07 It would be nice if you provide can dump of fw update. I think, that seed is predefined. Maybe 20-30 variants of keys

But the update scheme will be the same for other modules?! So if i capture any update, would it be sufficient?

I have a dump for PAM, but I think the procedure for IPC is a bit different.
Also, the last 4 bytes in external flash is not a CRC32. I tried to bruteforce it by reveng uility (http://reveng.sourceforge.net/) but no luck.

I dunno nothing about CRC calcs. Awesome infos on link, thanks!
For the Update-Thing, i opened another thread.