How to recover MAC7116 internal Flash of Ford Convers+ IPC?

Thread Starter

picoamp

Joined Sep 13, 2018
22
Hello,

i have played with JTAG on such a cluster, didn't knowing that it has internal protection mechanisms which locked the device so it does not start anymore.

Now, after a while digging into docs of the chip, i know there are only two ways to recover from this stage: 1. by a usercode backdoor, if such exists or by providing an 8 byte password sequence in a special JTAG unlock sequence. Both i don't know and couldn't find out.

Last but not least, there is also a special JTAG procedure to mass erase the chips internal Flash memories (program+data) which also unlocks the device, but needs to be reprogrammed than. It was easy to download the firmware files from the Ford update server, but they lack the area from 0x0000-0x4FFF of internal flash. This is where the bootloader resides. The other parts i could download are for the area above 0x5000 for the program flash, the 2 MB file of the external Flash (contains mostly data, like graphics) and a small (0x6CC) SBL which would be uploaded and run into SRAM of module and used for updating the module inplace.

Any help is highly appreciated, because i found myself in a trap now...
 

Papabravo

Joined Feb 24, 2006
19,024
I don't think they want you doing what you were doing, and this is the condign punishment. IMHO they have you well and truly by the short ones.
 
Top