I thought I knew, but how wrong was I?
While probing the read by ID function (65K reads) in the Cluster, even before entering any special security mode, I got quite a few results. Some binary bits and bytes. 2 VINs, mine from the reprogrammed EEPROM, and the original. And some looked like Ford part numbers. I plugged the 4 part numbers I saw into the Ford "calibration files" download web-page and [just] one gave me a result.
I've now got the Cluster "vbf executable" firmware!
It has a text header, says Volvo along with quite a few other things. I removed the header (making the final binary file size what the text in the header said it should be) and after checking what was left, to cut a slightly longer story short, noticed the last 2 bytes in the file were some sort of checksum. Had to remove those, then add back 2 bytes up front to match the correct file size again.
I had installed "Ghidra" and "Java 11" - made a new project, imported the binary file, selected options to say V850 code and it loads at 0x15000 (location is mentioned in the original vbf header) and it de-compiles nicely!
I can see the seed-key function (value 0xC541A9, part of the algorithm, is a dead give-away there). I can see the read-by-ID routine too. Some of those readable IDs (out of 65K) have a 3rd byte sub-function though, so, oh - I don't have all the data I can possibly read yet. I was going to read the values out of my car tonight, but I'll hang off now until I can get them all.
I do feel like I've just time-travelled about 3 months into the future though
(Incidentally, I plugged the
ICC part numbers I also got previously in, but got NOTHING back at all!)