Reverse Engineering The Miele Diagnostic Interface

The infrared transceiver installed on the washing machine. (Credit: Severin)

Since modern household appliances now have an MCU inside, they often have a diagnostic interface and — sometimes — more. Case in point: Miele washing machines, like the one that [Severin] recently fixed, leading to the firmware becoming unhappy and refusing to work. This fortunately turned out to be recoverable by clearing the MCU’s fault memory, but if you’re unlucky, you will have to recalibrate the machine, which requires very special and proprietary software.

Naturally, this led [Severin] down the path of investigating how exactly the Miele Diagnostic Utility (MDU) and the Program Correction (PC) interface communicate. Interestingly, the PC interface uses an infrared LED/receiver combination that’s often combined with a status LED, as indicated by a ‘PC’ symbol. This interface uses the well-known IrDA standard, but [Severin] still had to track down the serial protocol.

Research started with digging into a spare 2010-era Miele EDPW 206 controller board with the 65C02-like Mitsubishi 740 series of 8-bit MCUs. These feature a mask ROM for the firmware, so no easy firmware dumping. Fortunately, the Miele@Home ‘smart appliance’ feature uses a module that communicates via UART with the MCU, using a very similar protocol, including switching from 2400 to 9600 baud after a handshake. An enterprising German user had a go at reverse-engineering this Miele@Home serial protocol, which proved to be incredibly useful here.

What is annoying is that the PC interface requires a special unlock sequence, which was a pain to figure out. Fortunately, the SYNC pin, one of the MCU’s pins for (here unused) external memory, was active. It provided insight into which code path was being followed, making it much easier to determine the unlock sequence. As it turned out, 11 00 00 02 13 were the magic numbers to send as the first sequence.

After this, [Severin] was able to try out new commands, including 30, which, as it turns out, can be used to dump the mask ROM. This enabled the creation of a DIY transceiver you can tape to a fully assembled washing machine, for testing. As of now, the next target is a Miele G651 I Plus-3 dishwasher, which annoyingly seems to use a different unlock key.

Of course, you can just trash the electronics and roll your own. That happens more often than you might think.

Thanks to [Daniel] for the tip.


