Thread: Open ECU?
Old 01-22-2013, 08:36 PM   #265
Dimman
Kuruma Otaku
Quote:
3. You seem to keep questioning how to reverse engineer ECUs, so let me tell you how. I expect that you will be sharing what you have learned as well...

a) 2001-2005 WRX - 68HC916Y5 based
* get the chip docs!
* get a BDM from P&E Microsystems
* solder a BDM header to the ECU using the handy solder pads Denso left for this purpose
* read out the ROM (including the TPU area) with a couple clicks of the BDM software
* get IDA Pro
* write your own HC16 module for IDA Pro because you don't want to spend the money to buy IDA Pro advanced
* publish the source of your HC16 module for free for others to use
* start disassembling - find all the references to code that accesses the serial port
* notice that there is TPU code that uses the serial port ???
* figure out that the TPU area is a bootloader!
* learn what the bootloader wants, including checksums, etc.
* learn how the bootloader keeps the WDT happy
* get a HC16 assembler (COSMIC)
* write a simple kernel program to read out the CPU
* write a better kernel program to reflash the CPU
* discover that your 02 WRX works, but your 04 WRX won't enter the bootloader
* read out 04 WRX with BDM and go through the serial code
* find seed/key algorithm before jumping to bootloader!
* add seed/key to PC reflash program

b) 2004+ Subaru DBW - SH7055 and SH7058 based
* get the chip docs!
* try using the same initialization sequence as the WRX
* it works!!!
* build SH cross-compiler
* start writing test kernels - some trial and error here
* the ECU is being reset by a watchdog!
* start tracing pins on the board with a scope - PB15 is twiddling!
* add WDT code to kernel - it works!
* write flashing code - test - test - test
* reprogram using boot mode (solder into ECU) when you screw up
* write another kernel for SH7058 that uses built in reflash functions

c) EVO 7/8 - SH7052 based
* get the chip docs!
* borrow a MUTIII - very handy
* snoop a TSB reflash using the MUTIII (only get one chance!)
* identify init sequence and kernel upload - no seed/key - this is easy!
* Mitsubishi uses boot mode for bootloader, which makes development and flash failures easily recoverable...
* write a simple kernel to dump all of ram so I can see what the Mitsubishi bootloader looks like
* buy IDA Pro Advanced - don't want to write any more modules!
* disassemble bootloader completely to understand how it all works, including initialization codes
* modify Subaru SH7055 kernel to work with SH7052 - easy!
* done!

d) EVO 9 - SH7055 derivative
* get the chip docs!
* borrow a MUTIII
* snoop a reflash using the MUTIII
* same init sequence!
* try loading my SH7055 kernel, and the ECU takes it, but doesn't seem to run the code
* I am stuck in the bootloader for some reason!
* from the snooping, I can see how to read / erase / write with the bootloader, but I want to use my own kernel - but how - I need to be able to read out the bootloader to find out how to load a kernel...
* create an EVO 9 ROM with a trojan kernel in it.
* flash this into the ECU, but it doesn't respond
* start tracing board and discover that there is a WDT that needs to run off of PD8 - but only when not in the init mode
* add WDT code to trojan kernel
* flash it and it runs!
* read out EVO 9 bootloader still left in RAM
* see command to load a kernel!
* see that bootloader uses built in flashing function like SH7058
* make new SH7055 kernel to support new flashing method like SH7058
* it works!
From here: http://forums.nasioc.com/forums/show...5&postcount=73

From another post in the thread @Silverpike posted. Anyone have insight into what prerequisites are needed to understand this?
__________________


Because titanium.