How to change VCMII module type (Ford/Mazda/Landrover/…)

I fixed the issue with error 500 on the VCMII module type change.


All standard recovery functionality has been preserved
You can still boot to recovery and flash software via normal methods.

Additional Features:

  • Root password “hackedVCM” (no quotes)
  • Telenet server
  • FTP server
  • Testmode web server (all original testmode functionality preserved including serial number change)
  • Added change module type (Ford, Mazda, whatever) to web server
    ‘Other Functions’ > ‘Set Module Type’
  • SD card & JFFS2 partition are mounted RW in the same place they would be in production, /mnt/sd & /etc/vci/config respectively.
  • Added WiFi support in recovery but leaving the interface disabled for now. I have concerns about browning out the device if external power isn’t present as USB only power isn’t sufficient. If you want to test it out you can use standard linux ifconfig commands to bring the interface up, all drivers are present.
  • Custom recovery currently survives reflash (until they change the way they deploy updates)

To Do:
The next thing I am working on is my custom web browser based flasher.

To deploy the firmware:
If you are updating from my previous firmware you only need to perform steps 1, & 4-7.

  1. Download and extract the firmware from this post
  2. Use the testmode exploit from my first post and then launch telnet
  3. Run the following commands to change the root password (non persistent):
    1. echo “root:\$1\$quzG9B6u\$qqNRmEdJ0igLcxha0qzp3/:0:0:root:/:/bin/bash” > /etc/passwd.tmp
    2. tail -n 14 /etc/passwd >> /etc/passwd.tmp
    3. mv /etc/passwd.tmp /etc/passwd
    4. chmod a+r /etc/passwd
  4. launch your favorite FTP client and connect to using user ‘root’ and password ‘hackedVCM’
  5. upload the two firmware files ‘’ & ‘’ to the ‘/tmp’ folder
  6. Returning to the Telnet session, run the following commands to flash the new recovery firmware:
    1. /usr/local/mtd/flash_unlock /dev/mtd4
    2. /usr/local/mtd/flashcp -v /tmp/ /dev/mtd4
    3. /usr/local/mtd/flash_unlock /dev/mtd5
    4. /usr/local/mtd/flashcp -v /tmp/ /dev/mtd5
  7. Reboot your VCMII into recovery (hold the button in while applying power and keep it depressed until the VCM beeps)

Congrats, You are now on the hacked recovery firmware. You should be able to cross-flash to Ford/Mazda/Landrover/whatever after changing the module type to an appropriate value. Same goes for serial number changes.

As of right now I don’t see a reason to modify the production firmware that normally boots as everything we are trying to accomplish can be done in recovery.


Download: VCM2 FW 20151219!IFJznTpb!4EQRcpXggxp148Qhr_VUb4aYuIEZaL7tcTy5E4u0nWA