I use TopJTAG flash Programmer to read/write the flash.
The flash array data bus organization is 32bit (1 chip X 32), and the flash is cfi compliant.
I assume the flash are connected parrallel, flashchip 1 holds D0 until D15 and flashchip 2 holds D16 until D31.


The signal pins are connected according to the scheme below:
Flash Pin JTAG device PIN Active
CE W11/ cs0_n Low
OE U11/ rd_n Low
flash 1 - WE W12/ we0_n Low
flaSH 2 - WE Y17/ we0_n Low

A0 Y9 / a2
A1 W9 / a3
etc continue until A23 (notice the offset of 2 adress lines A0 and A1 are not used)
A23 AA1 / a25

The datalines are connected 1 on 1, so
D0 AB10/d0
continue
D31 AA20/d31
First flash #WE -W12 - i can read/write, CFI is OK
second flash #WE - Y17 - I can write, but I can erase it only fully, can not erase it partly,
because the programm writes - common flash interface (CFI) Compliant - NO
Screenshots are attached - "CFI-OK" is the first flash
"CFI-error" is the second flash

How To Solve That Problem?
P.S. processor is SH7785, two flashes are Spansion GL512L

Best Regards

what tool is jtag?gl512n all i have remove bga relfash.

Segger J-Link

anybody was reading this flashes by Jtag?

Contact me on Skype,I have that working unit,so I can try and help you via JTAG.
TBH I never read it via JTAG.It is time to start now I guess :)

Hello
through trial and errors
I recorded for 7785
Now we need to write v850


Can someone read it? is there a firmware v850?

Hello,

V850 chip is need to be programmed with the file D1_OS81050_FW_V01_10_07_CS_V02_01_11.ipf (attached)
from the firmware disk, but unfortunatelly i don't know how to do it.
Besides there are 2 files(attached): 'V850bolo' and 'V850app'. Does anybody know how to paste together these files?

Thanks in advance.
Best Regards

now many tool can read/write 70f3366

I have such tool. The problem is that i don't have a file for writing. Dump file is damaged.

did you read damaged dump from V850?

this is a dump

Contains of your V850 dump is the same as from the update files

Yes, i see, but it doesn't work that way
Probably, these files should be paste together another way

Hi.


I've the same problem, I select the flash 1, choosing WE - W12/ we0_n Low and flash 1 program correctly, but when I try to program the flash 2, selecting WE - Y17/ we0_n Low, then I get this error message indicating that the flash is not CFI compliant. I see that you finally did it work, can you indicate me what I'm doing wrong, please?

Thanks in advance.

Hello,

V850 chip is need to be programmed with the file D1_OS81050_FW_V01_10_07_CS_V02_01_11.ipf (attached)
from the firmware disk, but unfortunatelly i don't know how to do it.
Besides there are 2 files(attached): 'V850bolo' and 'V850app'. Does anybody know how to paste together these files?

Thanks in advance.
Best Regards
Old topic but .. i've compared your dump with the one from the firmware.
If i'm right the dump is from 8R0906961DQ (HNav_EU_K0257_6_D1) but it appears that after the V850bolo.bin there are something missing in your dump.
If you compare with V850app.bin you will see that in the dump the addresses from 0x00000000 till 0x000000bf (in the V850app.bin) are missing from your dump but they are in the V850app.bin

Could you share what tool did you used to read the V850 chip :)

Hi
I used it to connect
power to regular connector
Regards

V850 chip in my navigation is locked.

It seems that the MMI3GEmergencyApp should be able to flash the V850.
If you look at it you can find "ForceIocUpdateFromEmergency".
Now i wonder if i put ForceIocUpdateFromEmergency = "true" in the metainfo2.txt and force the unit in Emergency mode will it be able to fix my issue.
Because i have somehow different problem ... wrong firmware, 3GP firmware in 3G High unit.
That's why i'm not sure that even if that parameter is correct and it's places is in the metainfo2.txt that the MMI3GEmergencyApp will be able to do it because of the wrong firmware :(

Cheers.

V850 chip is locked. this does not prevent him to write down

It shouldn't be hardware locked as the update process is able to write to it, it's just needs to be in bootloader mode in order to write.
I know for sure that MMI3GEmergencyApp can put it in that mode. I also know that it's possible to recover it from that mode just don't know the exact steps .... yet.
If we sniff one unit during update procedure maybe we can see what is happening behind the curtains.
Keldo and some others can do that w/o even touching the chip so it's possible. The updater can do it to.
Harman/Becker for sure know that there is a chance that during the update the power might goes down and the unit should be able to recover from that.....
After all this is not some fancy satellite ... it's just a multimedia unit :)
If you find something i will write :)

It is easy, just write chip

Getting there :) Using the parameter from above the MMI went in bolo mode after the emergency flash finished but i had an error in the metainfo somewhere ... will try again tomorrow.
If i got you right, i will give the V850 power on pin 9 and 11 and should not power the MMI right?

http://uploads.tapatalk-cdn.com/20161008/ba91fbb0b81a6928489697ff9766e6f5.jpg

The main CPU cannot see the V850 :(
Will have to try with direct connection :(
KR.


Sent from my iPhone using Tapatalk

I can restore MMI 3G, 3GP and RNS850 from any state. I can make from 3G - 3GP, have V850 working dump, write 2 flash by JTAG and other many year i lost for it.

We all know about you :) I admire your work and even asked you once about converting 3G high to 3G plus but you never answered me.
If you can help here with some guidelines or something then you are welcome. If you just want to make an advertisement... then we got your point. The fact is that with trial and error I was able to get the IPL back and then flashed the unit. If I succeed with V850 then good if I don't ... well that's life.
You can post your prices so that we know.
Cheers.


Sent from my iPad using Tapatalk

Where are you from ?
Can you sen divece for me ?

You have PM:)


Sent from my iPhone using Tapatalk

Where are you from ?
Can you sen divece for me ?

I'm from Bulgaria.
I do prefer to fix it locally just because it's interesting to me. I've tried many ways in order to fix it w/o removing the chip or trying to reprogram it on board. Even disassembled part of the code, that's how I found the way to try and force the IOC update :)
It seems that we will need to try wit direct connection to the chip :(

Cheers.

I gave you the information as a record processor

Hi congobg,

Did you have any luck in this issue?

There is a 100% working solution by jtag. You can repair any 3g/3g+/rns-850 even if complet dead (no hardware fault)

First of all you need this jtag tool;

diygadget.com/tiao-usb-multi-protocol-adapter-jtag-spi-i2c-serial.html

Jtag pinout picture;
420982


So if anyone need full information and all tools, can contact me pm (full pack with everything for jtag coast arround 1k eu)

you got pm

How did you read v850 70f3366. I have Orange 5 clone and it should do it but no go yet...

JTAG connection

Answer was erased! See next post!

Getting there :) Using the parameter from above the MMI went in bolo mode after the emergency flash finished but i had an error in the metainfo somewhere ... will try again tomorrow.
If i got you right, i will give the V850 power on pin 9 and 11 and should not power the MMI right?

Hi, I think your error depends the drive ID of the metainfo2.txt. The routine for recovering the MuIOC allways search for it on the device "CD".
If you start it with the same FW version on CD it will run succesfull...
Otherwise you can direct use a patched "update.txt" file in /mnt/efs-persist/SWDL/

Good luck!
Tschako

Thanks Tschako I will try that next time.
Meanwhile the unit is working, flashed the v850 the hard way, hope that I won't need to do that anymore:)


Sent from my iPhone using Tapatalk

Haha, yes!
A good way todo some update & flash activities is the usage of the update routine by placing a prepared "update.txt" file in the SWDL folder.
It will batched after reboot like an update session. Especially, in case the panel isn?t available a nice way.

someone have dumps or data for bmw cic v850? share or for sell, pm...

Hello
I have MMI 3G who have upgraded by a guy with a firmware of MMI3G+

So the TTL could not operate (problem FPGA...)

I need help on this procedure with JTAG (tools ...soft ..process)

Best regard

with this tool you can read write %100 ;

http://www.diygadget.com/tiao-usb-multi-protocol-adapter-jtag-spi-i2c-serial.html

with this tool you can read write %100 ;

http://www.diygadget.com/tiao-usb-multi-protocol-adapter-jtag-spi-i2c-serial.html
out if subject but i'd like to ask if it is possible with this tool to read renesas r4f70580sv?
Thank you very much!

Ok for the tools....
But for the soft and the command to pass into the soft...?
I could pay a little for this infos but it is only for one MMI...

If you want to repair just 1 unit the price is high for all, but if you want to repair over 4-5 unit then you can get the money back what you will spend for it.

Hi everybody I am trying to read the flash with segger jlink and topjtag programmer according the schematic from the first page but have some issues. The readings are not correct, there are allot of ff comparing with original firmware. For example if I try to read the fpga and make more readings, the readings differ, some times it reads more data and some times read less data followed by ff. Can anyone knows how to solve this problem? What frequency to use on jtag? Do I need to get tiao usb multi protocol adapter?

First of all you need to buy a Tiao Jtag tool, and you cannot read or write all in one time, you need to split the files.... (because mmi restart self every 5min.)

Ok, I already place the order for Tiao but I hope that segger can read too. I try on portions, I read first the IPL, next fpga and so on. It reads but it reads incorrectly. On the first page eprst use segger and he manage to read.

I was try also a year ago with segger but never done, when you get your Tiao all will be fine!

Today i had some strange experience with one MMI 3GP unit.
I was able to write both flash chips but, when Y17 (flash chip 2) i was able to write only on portions of 256k each.
I used 5Mgh TCK, do not check write status (really slow write w/o this) and use unlock bypass mode.
Used TIAO USB JTAG with TopJTAG Flash.
This way i flashed the IPL in one pass, FPGA on three passes and emg ifs on 19 passes :(
Anyone have idea what is not right. Flash chip 1 is ok, 2 MB pieces and the 5-6 min timeout is ok.

Regards.

Today get my tiao usb but cannot see any device in jtag chain. With segger I identify correctly the renesas sh4 and can read. There is some settings that I must do to use tiao?

Ofcourse without boot settings or files its not possible to communicate...

I use topjtag flash programmer with the same settings like for segger but I chose tiao adapter from top jtag. I try all jumper settings on tiao, same result, no device find on jtag chain. On segger top jtag identifies at once the renesas mcu on jtag chain. I use r7785b bsdl file

I managed at last to communicate, Ive chose tiao interface type a instead of type b and it works

What about a24? To read both flashes need a0-a24 connected but according the connection from first page I connect only a0-a23, and can read only a half of firmware.

Sorry. Wrong post..

Hi mates, any news?

What about a24? To read both flashes need a0-a24 connected but according the connection from first page I connect only a0-a23, and can read only a half of firmware.
There is a lot of small points, without the manual all operation nearly impossible....

anyone done similar things for bmw cic and have flash and v850 files? I have done some extracting from spdatens and need someone to confirm that Im doing something right :D.

Can someone help me how to proceed?527527

did you succeed? I did something similar

Hi Gsmflashch,
I need your help. I did the jtag pinout following your picture. I need your help to flash my dead mmi 3g.
Thanks

Hi Gsmflashch,
I need your help. I did the jtag pinout following your picture. I need your help to flash my dead mmi 3g.
Thanks
I think you need to read complet (my post). If you want to repair few unit then contact me, but if its just for one unit the solution will be expensive for that..

I think you need to read complet (my post). If you want to repair few unit then contact me, but if its just for one unit the solution will be expensive for that..

I just need one in my vehicle. I really need your help. What do you suggest?

I just need one in my vehicle. I really need your help. What do you suggest?

contact me pm. You can send your unit maybe to someone who can repair it..

contact me pm. You can send your unit maybe to someone who can repair it..

I have sent you a pm

Hello
I return on this post for contact the professionnals of the MMI 3GP

Is it possible to find the login of a module radio tuner like the MMI (for to access to eprom reading with VCP) ?
It think it is reverse engineering ?

Many thnaks for your responses here or in PM (cost ??)

Best regard

Hello,
can you pls help me with settings TopJTAG and Tiao...
Bsdl from Renesas - TopJTAG - error.
Thank you

Hello,
can you pls help me with settings TopJTAG and Tiao...
Bsdl from Renesas - TopJTAG - error.
Thank you
Hey.
I have the same question.
How to configure BSDL? I have a BSDL error.
Have a successful communication session?
Thanks. Regards.

How to update v850?

How to update v850?
direct connection to MCU and upload correct image v850

this is a dump
How did you get this dump? I tried different options, the processor is silent, does not want to give anything away

There is a 100% working solution by jtag. You can repair any 3g/3g+/rns-850 even if complet dead (no hardware fault)

First of all you need this jtag tool;

diygadget.com/tiao-usb-multi-protocol-adapter-jtag-spi-i2c-serial.html

So if anyone need full information and all tools, can contact me pm (full pack with everything for jtag).

Regards

Hey.
I have the same question.
How to configure BSDL? I have a BSDL error.
Have a successful communication session?
Thanks. Regards.

bsdl contains a forbidden character, remove it


direct connection to MCU and upload correct image v850

how to create the right image for v850.
i tried combining together bolo + app, but it did not bring success, mmi does not start, turns with a fan

Part. are you able to help repair mmi3g? Would you say how to read jtag or something else v850 and 2xgl512? you can reply to this email. andrzej.jaskulski@onet.pl

Hi
I saw your post and I'm wondering if jlink segger can be used to read renesas mcu via jtag. Thanks

hi, can someone please post full settings for using Jlink Segger with TopFlash software to read/write chips? I keep getting "no jtag chain found" error

Hello need dump for bouth gl512 .t.y

Hello any one...

Hello. Anyone sucessfull recovered v850 and can help? Connected to v850, but can’t read it, only erase.

anyone? :)