ford 6000 tms470R1VF288

[midnightman]

Hi

Can anyone give me a code from this dump. Ford 6000 with TMS470R1VF288

Many thanks

[midnightman]

anyone got any or idea or the code location in j mem . it is not the same location as tms470/689

thanks

[Dunker]

Somewhere around/after 0x103000, look for "CRADLE PHONE", its after that. Code usually followed by xx xx 00 00 04 00 00. Might be same as other MCU with FF FF above the code on the line before.

(xx xx is the code- sorry didnt make it clear)

[midnightman]

I now have the code for this set. The code is 7608. I cannot find this code in J Mem or the bin file I attached.
There is no data in that section of the memory that you suggest.

Anymore more ideas as to where it is located

Thanks

[sgm777]

If a code 7608 that look on the line 06B5C0

[midnightman]

Thanks . I can see where the code is now in this dump. I think that the codes are stored if different locatons . I have another dump with a known code from the tms470 /288 and the code is not at that location .
I have attached another bin file with a code of 2600. There seems to be quite a few instances of this 2600 in this memory

Thanks to all

[sgm777]

Thanks . I can see where the code is now in this dump. I think that the codes are stored if different locatons . I have another dump with a known code from the tms470 /288 and the code is not at that location .
I have attached another bin file with a code of 2600. There seems to be quite a few instances of this 2600 in this memory

Thanks to all

The code position in specified address

[alexics]

The code position in specified address

What happens if you change this value when in debug mode? Does the code change? I think it won't as this is only a variable used to check the entered code. The code itself is not in the micro and it is not in the eeprom 24c16.

[Dunker]

I now have the code for this set. The code is 7608. I cannot find this code in J Mem or the bin file I attached.
There is no data in that section of the memory that you suggest.

Anymore more ideas as to where it is located

Thanks

Sometimes J-Mem doesnt connect correctly. If you try a few times it will. Here is a picture of a TMS470VF288 connected with J-Mem. Code is 5970. You can change the code by over-writing whatever is there.

[alexics]

Sometimes J-Mem doesnt connect correctly. If you try a few times it will. Here is a picture of a TMS470VF288 connected with J-Mem. Code is 5970. You can change the code by over-writing whatever is there.

That is interesting. So the data in the eeprom must only be timer and checksum. Can you see where the eeprom data is in the mem dump?

Also if you change the code does anything else in the eeprom change?

[Dunker]

I havent looked to be honest. What I will say is that when you change the code and then click disconnect target you must then enter the code into the radio without disconnecting the power. The code in the radio will be changed permanently.

If you change the code via J-Mem, click disconnect target, kill power to radio, reconnect power then enter code it will fail - the code will be what it was before. I ought to look at it a bit more but I'm gearing up to go to the TT so it will have to wait.

Has anyone actually reversed the program in the 470 to see what it does with the eeprom data that corresponds to the timer etc? Saying that, is it worth the effort.

[Dunker]

Can you see where the eeprom data is in the mem dump?

I had 20 minutes on this tonight but it was a TMS470-689 MCU. The relevant eeprom data is in the dump of the mcu. See the attached file. Also there is an eeprom dump of the same radio with a different code and nothing else apart from the usual changes. I've also swapped eeprom dumps without altering anything in the MCU and the code changes so on the 689 the code is only in the eeprom. I suppose I ought to check a 288 to see if thats the same.

[<edit>]

Yep, the 288 is definitely the same. I've eventually got a 288 in for decode and I've checked it with different codes. Just by changing the eeprom data the radios code can be changed.

So basically its the same as most other stuff out there but with the added level of security in that the radio reads the eeprom, un-encrypts the data to get the code, checks what we enter and if successful re-encrypts the code and stores it back in the eeprom. We have the program code and the hardware to set breakpoints on a running radio so all that is required is the time to reverse the encryption/un-encryption algo. I will have a Mars Bar that the algo is the same on the 288 and the 689.

[</edit>]

This obviously means that at startup the 689 MCU reads the eeprom and unencrypts the code and then works from RAM until a code is entered and then writes back to eeprom. This should be easily reversible given we have a memory dump to work with - I think IDA supports the 470 now . But like I said before - is it worth the effort, the Segger is cheap enough to do what we need.

[alexics]

I had 20 minutes on this tonight but it was a TMS470-689 MCU. The relevant eeprom data is in the dump of the mcu. See the attached file. Also there is an eeprom dump of the same radio with a different code and nothing else apart from the usual changes. I've also swapped eeprom dumps without altering anything in the MCU and the code changes so on the 689 the code is only in the eeprom. I suppose I ought to check a 288 to see if thats the same.

This obviously means that at startup the 689 MCU reads the eeprom and unencrypts the code and then works from RAM until a code is entered and then writes back to eeprom. This should be easily reversible given we have a memory dump to work with - I think IDA supports the 470 now . But like I said before - is it worth the effort, the Segger is cheap enough to do what we need.

But surely reading an eeprom is quicker and does not rely on the code data always being in the same place in memory. Ford are notorious for changing things in different processor 'mask' types. The eeprom data seems to be static. Plus it is the challenge. I think it may be based upon the same principal as used in the 2008. That used a rolling code but the code was only 3 digits. It took me nine months to work that one out.

[alexics]

When you get back from the TT send me a PM I have some ideas. Enjoy the bikes m8. RIP Joey Dunlop.