Reverse Engineering The Miele Diagnostic Interface

Editorial Team


The infrared transceiver installed on the washing machine. (Credit: Severin)

Since modern household appliances now have an MCU inside, they often have a diagnostic interface and, sometimes, more. Case in point: Miele washing machines, like the one that [Severin] recently fixed, leading to the firmware becoming unhappy and refusing to work. This fortunately turned out to be recoverable by clearing the MCU’s fault memory, but if you’re unlucky, you’ll have to recalibrate the machine, which requires very special and proprietary software.

Naturally, this led [Severin] down the path of investigating how exactly the Miele Diagnostic Utility (MDU) and the Program Correction (PC) interface communicate. Apparently, the PC interface uses an infrared LED/receiver combination that’s often combined with a status LED, as indicated by a ‘PC’ symbol. This interface uses the well-known IrDA standard, but [Severin] still had to track down the serial protocol.

Analysis began with digging right into a spare 2010-era Miele EDPW 206 controller board with the 65C02-like Mitsubishi 740 sequence of 8-bit MCUs. These function a masks ROM for the firmware, so no simple firmware dumping. Happily, the Miele@Residence ‘good equipment’ function makes use of a module that communicates through UART with the MCU, utilizing a really comparable protocol, together with switching from 2400 to 9600 baud after a handshake. An enterprising German consumer had a go at reverse-engineering this Miele@Residence serial protocol, which proved to be extremely helpful right here.

What’s annoying is that the PC interface requires a special unlock sequence, which was a pain to figure out. Fortunately, the SYNC pin on the MCU’s pins for (here unused) external memory was active. It provided insight into which code path was being followed, making it much easier to determine the unlock sequence. As it turned out, 11 00 00 02 13 were the magic numbers to send as the first sequence.
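When tracking down an undocumented serial protocol like this one, a common early step is testing whether the last byte of each captured frame is a checksum over the rest. The following is an added example, not code from [Severin]'s write-up: it assumes the frame's trailing byte is a checksum (the article does not describe the frame layout), and the second frame is constructed for illustration, not a real capture.

```python
"""Test simple 8-bit checksum hypotheses against captured serial frames."""

def sum8(data: bytes) -> int:
    """Additive checksum, modulo 256."""
    return sum(data) & 0xFF

def xor8(data: bytes) -> int:
    """XOR of all bytes."""
    acc = 0
    for b in data:
        acc ^= b
    return acc

def neg_sum8(data: bytes) -> int:
    """Two's-complement of the additive checksum."""
    return (-sum(data)) & 0xFF

# Insertion order is the order in which surviving hypotheses are reported.
CANDIDATES = {"sum8": sum8, "xor8": xor8, "neg_sum8": neg_sum8}

def matching_checksums(frames):
    """Names of hypotheses where fn(frame[:-1]) == frame[-1] for every frame."""
    return [
        name
        for name, fn in CANDIDATES.items()
        if all(len(f) >= 2 and fn(f[:-1]) == f[-1] for f in frames)
    ]

def invalid_frames(frames, algo):
    """Frames in a capture whose trailing byte fails the chosen checksum."""
    fn = CANDIDATES[algo]
    return [f for f in frames if len(f) < 2 or fn(f[:-1]) != f[-1]]

# The unlock sequence quoted in the article.
PAGE_FRAME = bytes.fromhex("1100000213")
# Constructed frame (not a real capture): payload bytes share set bits,
# so an additive checksum and an XOR checksum give different results.
CONSTRUCTED_FRAME = bytes.fromhex("818102")

if __name__ == "__main__":
    # One frame alone is ambiguous: 0x11 and 0x02 share no bits, so sum == xor.
    print(matching_checksums([PAGE_FRAME]))
    # A second frame with overlapping bits separates the hypotheses.
    print(matching_checksums([PAGE_FRAME, CONSTRUCTED_FRAME]))
```

The quoted sequence on its own fits both an additive and an XOR checksum, which is why several distinct captures are needed before settling on a frame format.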

After this, [Severin] was able to try out new commands, including 30 which, as it turns out, can be used to dump the mask ROM. This enabled the creation of a DIY transceiver you can tape to a fully assembled washing machine, for testing. As of now, the next target is a Miele G651 I Plus-3 dishwasher, which annoyingly seems to use a different unlock key.

Of course, you could just trash the electronics and roll your own. That happens more often than you might think.

Thanks to [Daniel] for the tip.
