Miele appliances manufactured after 2005 that use flash memory instead of a mask ROM typically allow for firmware updates. These updates are handled by an embedded bootloader, which is identified by the string Miele_Flashloader_V1_2005_GTESKT in memory (GTE/SKT being the department that developed the flashloader).
Reverse-engineering this flashloader (on a Miele ELPW 517-B board) reveals the following commands that can be sent to the device:
0x00: Queries device information (response includes string 05_00_00029_00p, software ID and a few other bytes)
0x01: Computes the CRC-16 of a block of memory
0x02: Reads a block of memory (from any address!)
0x03: Writes a fixed-size block into the page buffer
0x04: Overwrites a block of the page buffer with a specified value
0x05: Copies the page buffer into flash
0x06: Writes into the page buffer (with arbitrary length)
0x07: Resets the microcontroller to jump back into application firmware
0x08: Unlocks access to the previous commands (except for 0x01, which can always be sent)
These commands seem to be part of the original flashloader and are supported by all devices. However, the ELPW 517-B has a few additional commands that were likely added in later versions of the flashloader:
0x0a or 0x0b: Verifies the CRC-16 of a region of the page buffer and copies that region into flash
0x0c: Applies a patch to the page buffer (with some kind of custom patch algorithm)
0x0d: Erases a specified range of the flash
0x0e: Overwrites the full page buffer with 0xff
0x12: Writes a fixed-size block into the page buffer, automatically incrementing the index after every write
Next up, we'll have to implement this protocol on the host side. I've got a very basic implementation ready, but we still need support for automatically changing the serial port's configuration (the flashloader requires the UART to be configured for 8N2).
Having a working implementation of the flashloader protocol enables us to dump the flash memory from any supported Miele device: the read command (0x02) accepts any address, so readout protections implemented in the application firmware do not apply once the flashloader is running. Entering flashloader mode also doesn't require any access keys.
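As an added example (not the author's host-side code), the skeleton below shows the shape a dumper built on the commands above would take: switch an open port to 8N2, send the unlock command (0x08), read the flash in chunks with 0x02 and verify each chunk against the device-side CRC-16 from 0x01, which the page says can always be sent. Only the opcode numbers and the 8N2 requirement come from the page; the frame layout inside send(), the CRC-16 parameters (CCITT-FALSE), the baud rate and the FakeDevice stand-in are assumptions made so the control flow can run offline.

```python
"""Host-side skeleton for a Miele-style flashloader dumper (added example).

ASSUMPTIONS (not from the reverse-engineered protocol): payload encoding of
each command, the CRC-16 polynomial, the baud rate and the FakeDevice.
"""
import struct

CMD_INFO, CMD_CRC, CMD_READ, CMD_UNLOCK = 0x00, 0x01, 0x02, 0x08


def crc16(data: bytes, poly: int = 0x1021, init: int = 0xFFFF) -> int:
    """CRC-16/CCITT-FALSE. ASSUMPTION: the real polynomial is not on the page."""
    crc = init
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def switch_to_8n2(ser) -> None:
    """Reconfigure an already-open pyserial port for the flashloader (8 data
    bits, no parity, 2 stop bits). pyserial applies attribute changes to the
    live port, so the same handle can first talk to the application firmware."""
    import serial  # pyserial, imported lazily so the module loads without it
    ser.bytesize = serial.EIGHTBITS
    ser.parity = serial.PARITY_NONE
    ser.stopbits = serial.STOPBITS_TWO


class FlashloaderClient:
    """Drives the flashloader through send(opcode, payload) -> response bytes.
    The payload layout (big-endian address + length) is an ASSUMPTION."""

    def __init__(self, send, chunk: int = 64):
        self.send = send
        self.chunk = chunk

    def unlock(self) -> bytes:
        return self.send(CMD_UNLOCK, b"")

    def read_block(self, addr: int, length: int) -> bytes:
        return self.send(CMD_READ, struct.pack(">IH", addr, length))

    def device_crc(self, addr: int, length: int) -> int:
        resp = self.send(CMD_CRC, struct.pack(">IH", addr, length))
        return struct.unpack(">H", resp)[0]

    def dump(self, start: int, size: int, retries: int = 3) -> bytes:
        """Unlock, then read [start, start+size) chunk by chunk, re-reading any
        chunk whose host-side CRC disagrees with the device-side CRC."""
        out = bytearray()
        self.unlock()
        for addr in range(start, start + size, self.chunk):
            n = min(self.chunk, start + size - addr)
            for _ in range(retries):
                data = self.read_block(addr, n)
                if len(data) == n and crc16(data) == self.device_crc(addr, n):
                    out += data
                    break
            else:
                raise IOError(f"block at {addr:#x} failed CRC after {retries} attempts")
        return bytes(out)


class FakeDevice:
    """Constructed in-memory stand-in for a flashloader (ASSUMPTION, for offline
    runs only). Mirrors two facts from the page: 0x01 works without unlock,
    everything else needs 0x08 first."""

    def __init__(self, flash: bytes):
        self.flash = flash
        self.unlocked = False
        self.flaky_once = set()  # addresses that return garbage on first read

    def send(self, opcode: int, payload: bytes) -> bytes:
        if opcode == CMD_UNLOCK:
            self.unlocked = True
            return b"\x00"
        if opcode == CMD_CRC:
            addr, n = struct.unpack(">IH", payload)
            return struct.pack(">H", crc16(self.flash[addr:addr + n]))
        if not self.unlocked:
            return b""
        if opcode == CMD_READ:
            addr, n = struct.unpack(">IH", payload)
            if addr in self.flaky_once:
                self.flaky_once.discard(addr)
                return bytes(n)  # corrupted read; the CRC check catches it
            return self.flash[addr:addr + n]
        raise ValueError(f"unsupported opcode {opcode:#x}")


if __name__ == "__main__":
    image = bytes(range(256)) * 4  # constructed 1 KiB "flash" contents
    dev = FakeDevice(image)
    dev.flaky_once.add(64)
    print(FlashloaderClient(dev.send).dump(0, len(image)) == image)
```

Against real hardware, replace FakeDevice.send with a function that frames the command for the UART opened via switch_to_8n2(); the per-chunk CRC comparison is what turns a noisy serial link into a trustworthy image.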