How to find the Service-Menu in vFL Convers+ Firmware
Posted: 02 Nov 2021, 12:08
In this thread i try to find the internal service menu, which anyone can enter by pressing and holding down the "OK" button of the steering wheel while switching on the ignition.
Some facts about the function:
To enter the menu IPC needs to fully started up, so showing the normal operation display after startup animation shown. It is also needed that OK button is pressed before the IPC starts up. Pressing it while the startup animation is shown does not lead into the menu. Also if there are malfunctions which shows an error like "engine malfunction" or something else, it seems that the service menu is not shown. This is also a problem when using it on-the-desk (without built into a car), where it usually issues a lot of warnings because of missing infrastructure.
The first thing that happen is the "TEST" is shown in the IPC dialog on the left side: After that, you can (and should) release "OK" button to get the tests startet. After you release the button, the "Gauge sweep" message appears, and the needles starts to move up and down again: Now you navigate through all tests, back and forth, using the DOWN or UP key on the steering wheel.
It taints the LCD display fully red, followed by green and blue, a color-map (LUT) and then a LED test comes in, and so forth.
You can see the whole procedure for example in this video on YT https://www.youtube.com/watch?v=M8PkRyV7qAQ
What am i looking for:
1.) I'd like to find the entrypoint of the test function. It must be called after the OK/IGN sequence is detected and hopefully it is possible to call this whenever wanted, e.g. by setting the programcounter (PC) in JTAG debug mode.
2.) I want to learn how it works at all
3.) Get some usefull information about how the IPC is controlling it's hardware, e.g. sweep the needles, activates LEDs, reads out A/D signales, etc.
Here i'm focusing on the genuine 7M2T-14C026-AG (MAIN) and 7M2T-14C026-BC (FLASH) firmware. See Topic viewtopic.php?t=297 for setup of IDA Pro.
Some facts about the function:
To enter the menu IPC needs to fully started up, so showing the normal operation display after startup animation shown. It is also needed that OK button is pressed before the IPC starts up. Pressing it while the startup animation is shown does not lead into the menu. Also if there are malfunctions which shows an error like "engine malfunction" or something else, it seems that the service menu is not shown. This is also a problem when using it on-the-desk (without built into a car), where it usually issues a lot of warnings because of missing infrastructure.
The first thing that happen is the "TEST" is shown in the IPC dialog on the left side: After that, you can (and should) release "OK" button to get the tests startet. After you release the button, the "Gauge sweep" message appears, and the needles starts to move up and down again: Now you navigate through all tests, back and forth, using the DOWN or UP key on the steering wheel.
It taints the LCD display fully red, followed by green and blue, a color-map (LUT) and then a LED test comes in, and so forth.
You can see the whole procedure for example in this video on YT https://www.youtube.com/watch?v=M8PkRyV7qAQ
What am i looking for:
1.) I'd like to find the entrypoint of the test function. It must be called after the OK/IGN sequence is detected and hopefully it is possible to call this whenever wanted, e.g. by setting the programcounter (PC) in JTAG debug mode.
2.) I want to learn how it works at all
3.) Get some usefull information about how the IPC is controlling it's hardware, e.g. sweep the needles, activates LEDs, reads out A/D signales, etc.
Here i'm focusing on the genuine 7M2T-14C026-AG (MAIN) and 7M2T-14C026-BC (FLASH) firmware. See Topic viewtopic.php?t=297 for setup of IDA Pro.