2/16/2017

Unlock BMW CAS4 5M48H via VVDI Prog Programmer

Several programmers can read and write the BMW CAS4 5M48H, e.g. Xprog V5.5 and up, R280 and VVDI Prog (see here). But not many tools can unlock the 5M48H. Once you have unlocked it, you can write it back unsecured, so it is easy to read next time. Dialprog works 100%, but it costs 2000 euros.

Here is a test report on VVDI Prog by a DK forum expert. You try it at your own risk.



First try with UPA-S, using the Tomsad-supplied CAS4 cable and software.


Steps to unlock and read this CAS4 module (5M48H):
cas4-5m48h-1
cas4-5m48h-2
Things look good: there is some sort of coax cable, and CAS-4 is listed on the menu...
Wait, this doesn't look good, there is only 1 connection photo and it's not the same as our CAS!
I guess we are dead in the water before we even set sail, NEXT!
upa-s-cas4-5m48h-1
upa-s-cas4-5m48h-2
upa-s-cas4-5m48h-3
Next try using Xhorse VVDI Prog with software V4.4.4 (the latest is V4.5.54).


I see 3 options I can select. Backup, R/W/unlock and unlock.
This seems a little confusing, I'm guessing we should start with Backup.

There are 4 different connection diagrams available, and our CAS is listed.
It appears we don't have to remove any of the components but have to cut 2 tracks instead.
Also, if it fails to unlock, we have to heat the thing up to 70 degrees and try again.

Time to get the microscope out and get my solder on...
vvdi-prog-5m48h-1
vvdi-prog-5m48h-2
vvdi-prog-5m48h-3
OK, so the cutting and wiring is all done. It was pretty easy under the scope, but I think you would have trouble trying to do it with the naked eye.
The purple wire does not match the color code on the connection diagram but it was the only one left over, so it had to be the right one.
The three fine connections were also made under a microscope, so no telling me it was my dodgy soldering if this thing bricks the CAS!
vvdi-prog-connect-5m48h-1
vvdi-prog-connect-5m48h-2
vvdi-prog-connect-5m48h-3
vvdi-prog-connect-5m48h-4
First up, we are going to back up the D-Flash.
We click "new" and "read" and the programmer goes through some sort of initialization and checks the chip ID.
First issue I get is "FFFF" displayed for chip ID, not good.
I do some reading and watching of YouTube videos, and apparently this is normal.
I click ok and it tries to unlock the chip.
After about 10 seconds it says success and starts to read.
The read finishes after about 30 seconds and says "operation success", HURRAH!
I look at the screen dump and all I see are F's everywhere, BOO!
I flick through the entire dump and I see data, HURRAH!

It seems the D-Flash read OK.
d-flash-by-vvdi-prog-1
d-flash-by-vvdi-prog-2
d-flash-by-vvdi-prog-3
d-flash-by-vvdi-prog-4
Next up is the P-Flash.
I don't reset the programmer or anything, I just click on P-Flash, new and read.
It goes through the same initialization and FFFF on the chip ID, I click OK with confidence.
The unlocking takes about the same time, and then it starts to read.
1%..... 20 seconds later, still 1%......
Sweat starts to bead on my forehead as I am now sure this has just bricked the CAS.
2%...... Wait, it's moving!
It was a very long process to get to 100%, 28 minutes to be exact.

Operation success and the screen fills with lovely, lovely data and it looks like it was another win on the P-Flash.

So it appears that VVDI Prog was able to read this CAS OK, even though the read time was very long on the P-Flash.
Mind you, when I read CAS-3 using VVDI Prog, I get a very long read time on the flash.
Other people say that their unit only takes about 5 mins to read a full flash, not sure why my unit takes longer.

All the dumps are here guys, let me know if you want me to do any special tests with this thing before I put it away.

P-Flash by VVDI Prog
p-flash-by-vvdi-prog-2
p-flash-by-vvdi-prog-3
Tempted to try and read this with UPA-S using the same wire up.
Once this CAS has been unlocked though, I think it makes it easier to be read again. Unless VVDI-Prog locks it again?


Yes, you must lock it again to test if UPA-S can unlock and read.
Last time I loaded a CAS4 dump into Tango, it needed the ISN to decrypt it. Looks like VVDI has a decrypt function also.


So I am going to look at the R/W/Unlock menu and see what happens.
There are not many instructions, so I can only assume that this is the section where you can unlock, read, write and then re-lock the MCU.
I select D-flash and click "Reset Sec"; it goes through the same initialization, tells me "Chip is Crypt FF" and then "Operation Success".
This does not seem to be what we want, I can only assume we want "DE-crypt" or something along those lines.
I hit Reset Sec again and it produces "Chip is not crypt FE", this looks better.
I can now also get the correct chip ID when I ID it.

I can read the D-flash, and I'm reading the P-flash as I type (another 30 mins).
The D-Flash is the same as the backup version.
I wonder why it had to unlock the chip, as I thought it was unlocked when we read the backup?

After the D-flash has been read, I will try and write back the D-Flash from PremierD and see if it works.
write-back-d-flash-1
write-back-d-flash-2
write-back-d-flash-3
Yes, when the chip shows FF again, security is set to ON.

When you try now with e.g. Xprog, it will show you that the MCU is secured.



OK, wrote another D-flash to it OK, verified OK.
Locked the MCU with "set sec" and used the bytes "FF" to lock it.
Then unlocked the MCU again, read it and all was good.
Wrote my original D-Flash back and once again locked it.
When it's locked, you can't ID the chip, you get "FFFF"; when it's unlocked, you get the correct ID.
unlock-success
unlock-ID
Done.
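A dump sanity check, added here as an example and not part of the forum report: it flags a read that is nothing but 0xFF (the "F's everywhere" symptom above), lists which blocks actually hold data, and compares a re-read against the backup the way the D-Flash was checked before the write-back. Dump sizes, the 256-byte block size and the sample bytes are constructed assumptions, not values from a real CAS.

```python
# Added example (not from the forum report): sanity checks for a flash dump
# before trusting it or writing it back. Assumes dumps are plain binary files
# of identical size; the sample data below is constructed, not a real CAS dump.
import math
from collections import Counter

BLOCK = 256  # constructed block size for the per-region scan


def ff_ratio(data: bytes) -> float:
    """Fraction of bytes that are 0xFF (erased or unreadable flash looks like this)."""
    return data.count(0xFF) / len(data) if data else 1.0


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted or packed data is near 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def data_blocks(data: bytes, block: int = BLOCK) -> list:
    """Offsets of blocks that hold anything other than 0xFF filler."""
    return [off for off in range(0, len(data), block)
            if ff_ratio(data[off:off + block]) < 1.0]


def diff_dumps(a: bytes, b: bytes, limit: int = 16) -> list:
    """First differing offsets between two dumps; an empty list means identical."""
    if len(a) != len(b):
        raise ValueError(f"size mismatch: {len(a)} vs {len(b)}")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y][:limit]


def assess(data: bytes) -> str:
    """Classify a dump: blank (all FF), suspicious (almost all FF), or ok."""
    r = ff_ratio(data)
    if r == 1.0:
        return "blank"
    if r > 0.99:
        return "suspicious"
    return "ok"


# Constructed sample: 4 KiB of erased flash with one 512-byte region of data.
SAMPLE = bytearray(b"\xff" * 4096)
SAMPLE[1024:1536] = bytes((i * 37 + 11) & 0xFF for i in range(512))
SAMPLE = bytes(SAMPLE)

if __name__ == "__main__":
    print(assess(SAMPLE), round(ff_ratio(SAMPLE), 3), data_blocks(SAMPLE))
```

Run it against two real files by reading them with `open(path, "rb").read()` and passing the bytes to `assess` and `diff_dumps`.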
