How to find the Service-Menu in vFL Convers+ Firmware

Disassemble Convers+ firmware 7M2T-14C026-AG using IDA Pro


Post by Go4IT »

In this thread I try to find the internal service menu, which anyone can enter by pressing and holding down the "OK" button on the steering wheel while switching on the ignition.

Some facts about the function:
To enter the menu, the IPC needs to be fully started up, i.e. showing the normal operation display after the startup animation has been shown. It is also necessary that the OK button is pressed before the IPC starts up. Pressing it while the startup animation is shown does not lead into the menu. Also, if there are malfunctions that show an error like "engine malfunction" or something else, it seems that the service menu is not shown. This is also a problem when using it on the desk (not built into a car), where it usually issues a lot of warnings because of the missing infrastructure.

The first thing that happens is that "TEST" is shown in the IPC dialog on the left side:
ipc_vfl_service_menu_start.png
After that, you can (and should) release the "OK" button to get the tests started. After you release the button, the "Gauge sweep" message appears, and the needles start to move up and down again:
ipc_vfl_service_menu_gauge-sweep.png
Now you navigate through all tests, back and forth, using the DOWN or UP key on the steering wheel.
It tints the LCD display fully red, followed by green and blue, a color map (LUT), and then an LED test comes in, and so forth.
You can see the whole procedure, for example, in this video on YT: https://www.youtube.com/watch?v=M8PkRyV7qAQ

What I am looking for:
1.) I'd like to find the entry point of the test function. It must be called after the OK/IGN sequence is detected, and hopefully it is possible to call it whenever wanted, e.g. by setting the program counter (PC) in JTAG debug mode.
2.) I want to learn how it works at all.
3.) Get some useful information about how the IPC controls its hardware, e.g. sweeps the needles, activates LEDs, reads out A/D signals, etc.

Here I'm focusing on the genuine 7M2T-14C026-AG (MAIN) and 7M2T-14C026-BC (FLASH) firmware. See topic viewtopic.php?t=297 for the setup of IDA Pro.