1. Home
  2. Embedded Programming
  3. Where do I connect to the board?

Where do I connect to the board?

Hi all. I want to change the text labels displayed on my car radio to my nativ language instead of English. I have been told that it operates Siemens/Infineon c167-crlm.

I have come to the conclusion that Rowley's CrossWorks and CrossConnec may be a good choice - that is also within my economic reach (this being purely private hobby project).

But before throwing money at this - can I connect to the board at all?

It looks like this:

formatting link
formatting link

So far, this is my first travel into the realms of "embedded" ... Any help or pointers will be highly appreciated!

Thx

Steff

Reply to
steff_dk
Loading thread data ...

Even if you could, they've probably set some protections bits which will prevent you from downloading the code into Crossworks. You probably have to erase the entire chip too first before you can program it again.

Meindert

Reply to
Meindert Sprang

Correct me if I'm wrong, but to my knowledge CrossWorks does not support the C167.

--
Regards,
Richard.

+ http://www.FreeRTOS.org
14 official architecture ports, 1000 downloads per week.

+ http://www.SafeRTOS.com
Certified by TÜV as meeting the requirements for safety related systems.
Reply to
FreeRTOS.org

to

Well, I do have the firmware running on it now, on a CD as well. Maybe a more suitable solution is to change the firmware and then flas it.

Does anyone know if the firmware is manipulated during install, or if i is just copied directly from the cd to flash memory in this process?

Can anyone recommend some litterature/webpages etc. on flashing a device?

Thanks!

Reply to
steff_dk

If this were a device I made the bootloader for, all you would have now would be a CD full of seemingly random bytes, which would also be protected against tampering by several checksums. Checksums are required to detect failed updates or otherwise broken flashes, and encryption came as a useful side-effect to compression.

The manufacturer of your device knows. I would consider a unverified 1:1 copy rather unusual. The minimum is some checksum and control (=which device is this firmware for, at what address in the flash does it go, etc.) headers.

Okay, you *may* be lucky and find the strings somewhere, but if you have to ask where to connect, you still have some way to go :-)

Stefan

Reply to
Stefan Reuther

Wrong. It's a NEC controller: UPD70F3079AYGC

Look here for further info:

formatting link
*&langcode=E

And yes, the controller does have In-System Programming capabilities. There might be lock bits for ip protection, however.

You'll need the special NEC development tools for that.

Mit freundlichen Grüßen

Frank-Christian Krügel

Reply to
Frank-Christian Kruegel

I am lucky! ;-) Strings are in this file from the firmware (on the cd for flashing):

formatting link
It's a straight forward file as I see it in winhex:
formatting link

First 32 bytes are excluded from the checksummed data - the the firs checksum 4 bytes: x00 x60 x00 x38 then 56 bytes of data and then nex checksum incremented to: x00 x60 x38 x38.

Editing this files strings (see screendump above) should present n immediate danger, if I choose to flash it, right? I mean as long as th checksum increments as it does now.

Quite right :-/ but hey - I'm in it for the challenge, and to learn so I' having great fun already! Thanks all!

Reply to
steff_dk

Ha, beginners :-)

I would interpret these as some kind of address/length pairs, not checksums. But I have looked just a minute.

I'd probably give it a try (hey, I happily did that with DOS programs years ago, but there I could easily keep a backup copy). If it accepts the patched firmware and doesn't fail another hidden checksum check, why not.

That aside, the reason why our bootloader tries to reject patched firmware is simply that we don't want returns from people who edited it, did something wrong, and made their device nonfunctional. Hence, if you break your device, you got a problem.

If you really want to connect with a debugger, locate the main controller, get the data sheet and look where its JTAG/ISP pins are. Nothing magic behind that. But they probably will not offer you a ready-made socket for your JTAG plug.

Stefan

Reply to
Stefan Reuther

Ooh - I thought the big gray >Ha, beginners :-)

I know - I hate them too :-))))

That's my main worry - the device costs about EUR 1,000.00 used, s naturally I don't want to break it :-) and that's why I thought on-chip-debugging was better that hacking th firmware cd and see if it accepted that.

From the link Frank-Christian provided I may alrady have that. But that would mean taking the microcontroller off the board => risk operation isn't it? I'm pretty sure that soldering it back on with m skills will involve bridging at least 2-3 pins at a time ...

Reply to
steff_dk

formatting link
says: The contents written to the internal flash memory with a programmer canno be read. This is in order to protect the written program. If it is absolutely necessary to read the program, consult your authorize NEC Electronics distributor. In some cases, it may be possible to take the device to NEC Electronic and have its contents read.

Bastards! :-D Okay - disassembling the firmware it is :-/

Reply to
steff_dk

You didn't read the documents I've provided the link for.

This controller doesn't have JTAG but a proprietary ISP port, and IDA Pro won't know the V850 opcodes. This means you MUST have the NEC tools.

ISP means In-System programming, so the controller can remain on the board provided that the external connections to the ISP pins and to Vpp allow this.

See document #3 from my link, chapter 17.

Mit freundlichen Grüßen

Frank-Christian Krügel

Reply to
Frank-Christian Kruegel

ElectronDepot website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.