cracking the ecu....
#26
A bunch of bytes of FF, with strings of 20 bytes sprinkled at even spacings. That almost certainly isn't execution code, as it would be a very unusual opcode. You'll notice that from 80xxxx on, there is a lot more repetition and a lot more strings of FF's and 00's. Makes me think that it's the data segment.
I was hoping there would be more debug symbols, but it looks like they stripped all of those out. That makes sense to save space. I ran a SH-2 disassembler on the whole thing, but the results don't look so great. I get unrecognized about every 20 instructions or so.
I'm starting to wonder what the exe packaged with the flash does. I wonder if the flash file is packed, scrambled, or encrypted.
Last edited by tuj; 02-01-2006 at 08:07 AM.
#27
I doubt they'd encrypt the flash file. If they did you wouldn't be able to decipher anything from the hex code.
I have the rest of the week off, so I'm gonna fool around with this for the rest of the week. I'm bored as hell and need a little home project.
MrJynx
#28
Yeah, I don't actually think it's encrypted, but I haven't been able to get the offsets right to get a good disassembly listing. What scares me though is that Renesas has a PDF on their site about their encryption and security technology for the SH processors, and how tamper-proof they are, etc. If they put a public key in ROM in the ECU and encrypted the flash with a private key, it would be game over for trying to hack the flash.
#31
Administrator
Originally Posted by tuj
I'm starting to wonder what the exe packaged with the flash does. I wonder if the flash file is packed, scrambled, or encrypted.
I believe it's the executable for loading itself onto the WDS. The techs download the update onto a floppy, then load the floppy into the WDS and it loads into the WDS.
#32
Originally Posted by alnielsen
20 is hex for a space. The FF would most likely be a blank spot. Nothing unusual.
#35
So I tried various combinations of alignments, and I can't get a disassembly without an unrecognized opcode every 10 instructions or so. I'm using sh2d32 to disassemble, so someone with access to IDA Pro might have better luck.
#37
The biggest problem is that debugging the SH2e requires the E6000 emulator, which is both hardware and software. I think with an emulator and an evaluation sh2e board, one could load the flash, and debug on-chip.
I'm still curious as to what the exe does. My take is that the flash is in some sort of intermediate format, but I wouldn't go so far as to say it's encrypted. There are patterns that definitely aren't the pseudo-random noise that encryption would produce.
#38
Is this title ok?
I've been looking at this a long time ago, but never have time to follow up, however here is the info I found thus far:
There are offsets and indicators separating the header and the binary data. There are patterns which one may be able to locate to figure out the data, etc.
In the binary data, there is a significant 4-byte indicator:
30 00 24 00 - begins after the header,
followed by: 3a 02 00 00 04 00 00 [1 byte value changes in decreasing order] 3a 02 00 00 02 00 00 fc
Then follows a 38-byte data stream with the following format:
3a 20 [1 function/address byte] [2 function address bytes] [32 bytes data] [check sum byte?]
This pattern repeats until the end of the file, with the following pattern:
3a 00 00 00 01 ff
The map is most likely somewhere in the 32 bytes of data at the end or near the last few blocks of the file. There are patterns of 1, 2, 3 etc... which probably indicate timing, etc.
As for the entire file checksum? Well, probably it's not that hard to figure out either.
I have access to the software to flash the ECM, but do not have the hardware to do so. If anyone has access to the SAE2534 library or other hardware, you might want to take a crack at reflashing the ECM?
I have a dump of the binary into hex values in text, formatted with the block pattern, which I can't upload because it's over 480k in size zipped.
PM me a location where I can attach the file if interested.
Here is an example of the pattern. Notice 01, 05, then ff, fe, which is an indication of negative numbers, -1, -2, etc.
3a 20 23 00 00 01 01 01 01 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 01 01 01 01 01 01 01 01 01 01 01 01 01 61
3a 20 23 20 00 01 01 01 01 01 01 01 01 04 04 04 00 00 00 00 00 00 00 00 00 00 00 00 00 03 fc 03 fc ff fe ff fe 91
3a 20 23 40 00 ff fe ff fe ff fe ff fe ff fe 03 fc ff fe ff fe ff fe ff fe 03 fc ff fe ff fe ff fe ff fe ff fe a9
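Added example (not from the thread or any poster): a parser and checksum verifier for the records described in the post above. The layout quoted there (3a, a length byte of 0x20, two address bytes, a type byte, 32 data bytes, one trailing byte) is exactly the Intel HEX record structure with the ':' kept as the raw byte 0x3a, and the trailing byte is the Intel HEX two's-complement checksum: it checks out for all three quoted records (0x61, 0x91, 0xa9), for the "3a 02 00 00 02 00 00 fc" record (type 02, extended segment address) and for the "3a 00 00 00 01 ff" terminator (type 01, end of file). Treating the record types with their standard Intel HEX meaning is an assumption about this file; the sample input below is constructed from the records quoted in the post.

```python
"""Added example: parse the 0x3a-framed records quoted in the post above.

Interpretation (an assumption, but consistent with every checksum on the
page): each record is an Intel HEX record with ':' kept as the raw byte
0x3a, i.e.  3a <len> <addr hi> <addr lo> <type> <data...> <cksum>,
where cksum is the two's complement of the byte sum of len, addr, type
and data.  SAMPLE below is constructed from the page's own records.
"""
from dataclasses import dataclass
from typing import Dict, List

REC_DATA, REC_EOF, REC_EXT_SEG, REC_EXT_LIN = 0x00, 0x01, 0x02, 0x04

# Constructed sample: the three data records quoted in the post, bracketed by
# the type-02 record and the end-of-file record the post also quotes.
SAMPLE = bytes.fromhex(
    "3a 02 00 00 02 00 00 fc "
    "3a 20 23 00 00 01 01 01 01 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 "
    "   01 01 01 01 01 01 01 01 01 01 01 01 01 61 "
    "3a 20 23 20 00 01 01 01 01 01 01 01 01 04 04 04 00 00 00 00 00 00 00 00 "
    "   00 00 00 00 00 03 fc 03 fc ff fe ff fe 91 "
    "3a 20 23 40 00 ff fe ff fe ff fe ff fe ff fe 03 fc ff fe ff fe ff fe ff fe "
    "   03 fc ff fe ff fe ff fe ff fe ff fe a9 "
    "3a 00 00 00 01 ff"
)


@dataclass
class Record:
    rtype: int
    addr: int
    data: bytes
    cksum: int   # checksum byte as stored in the file
    ok: bool     # True if the stored byte matches the computed one


def record_checksum(length: int, addr: int, rtype: int, data: bytes) -> int:
    """Intel HEX checksum: two's complement of the sum of all bytes after 0x3a."""
    total = length + (addr >> 8) + (addr & 0xFF) + rtype + sum(data)
    return (-total) & 0xFF


def parse_records(blob: bytes) -> List[Record]:
    """Walk the blob record by record; stop at the first end-of-file record."""
    records: List[Record] = []
    i = 0
    while i < len(blob):
        if blob[i] != 0x3A:
            raise ValueError(f"expected 0x3a at offset {i:#x}, got {blob[i]:#04x}")
        if i + 5 > len(blob):
            raise ValueError(f"truncated record header at offset {i:#x}")
        length = blob[i + 1]
        addr = (blob[i + 2] << 8) | blob[i + 3]
        rtype = blob[i + 4]
        start, end = i + 5, i + 5 + length
        if end >= len(blob):
            raise ValueError(f"truncated record body at offset {i:#x}")
        data = blob[start:end]
        cksum = blob[end]
        ok = record_checksum(length, addr, rtype, data) == cksum
        records.append(Record(rtype, addr, data, cksum, ok))
        i = end + 1
        if rtype == REC_EOF:
            break
    return records


def assemble(records: List[Record]) -> Dict[int, int]:
    """Flatten data records into {absolute address: byte}, applying type-02/04 bases.

    Refuses to assemble if any record failed its checksum: a corrupted record is
    what the trailing byte exists to catch, so it must not be merged silently.
    """
    image: Dict[int, int] = {}
    base = 0
    for r in records:
        if not r.ok:
            raise ValueError(f"checksum mismatch in type {r.rtype:#04x} record at {r.addr:#06x}")
        if r.rtype == REC_EXT_SEG:        # data = segment, shifted left by 4
            base = int.from_bytes(r.data, "big") << 4
        elif r.rtype == REC_EXT_LIN:      # data = upper 16 bits of the address
            base = int.from_bytes(r.data, "big") << 16
        elif r.rtype == REC_DATA:
            for k, b in enumerate(r.data):
                image[base + r.addr + k] = b
        elif r.rtype == REC_EOF:
            break
    return image


def signed_words(image: Dict[int, int], addr: int, count: int) -> List[int]:
    """Read big-endian signed 16-bit words: the reading under which 'ff fe' is -2
    and '03 fc' is 1020 (an assumption about the map layout, not a known fact)."""
    out = []
    for k in range(count):
        hi, lo = image[addr + 2 * k], image[addr + 2 * k + 1]
        out.append(int.from_bytes(bytes([hi, lo]), "big", signed=True))
    return out


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(f"type {r.rtype:#04x} addr {r.addr:#06x} len {len(r.data):2d} "
              f"cksum {r.cksum:#04x} {'ok' if r.ok else 'BAD'}")
    img = assemble(recs)
    print(f"{len(img)} bytes assembled; words at 0x2338:", signed_words(img, 0x2338, 4))
```

Flipping any single data byte in the sample makes that record's `ok` flag go false and `assemble` refuse the image, which is the whole point of carrying a per-record checksum. The "decreasing" byte the post reports in the "3a 02 00 00 04 00 00 [..]" records is also what this reading predicts if the two bytes before it are the upper address of a type-04 record: each time that address byte goes up by one, the trailing checksum goes down by one.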
#41
Banned
Originally Posted by tuj
Originally Posted by olddragger
I will never understand this car.
Now I have to use both hands and one foot to translate HEX to decimal.
#43
Administrator
http://www.drewtech.com/products/index.html
Drewtech makes several pass-thru devices. The Mongoose cable is a new stripped-down version from them. It's about $200 bucks and is fully compliant with j2354 and all the CAN and ISO protocols. It's also USB, which is nice. Then all you need is the program on your laptop from mazdatechinfo.
There is also an API available from them to program your own pass-thru app. It's on their site under support.
#45
No respecter of malarkey
Originally Posted by zoom44
http://www.drewtech.com/products/index.html
Drewtech makes several pass-thru devices. The Mongoose cable is a new stripped-down version from them. It's about $200 bucks and is fully compliant with j2354 and all the CAN and ISO protocols. It's also USB, which is nice. Then all you need is the program on your laptop from mazdatechinfo.
There is also an API available from them to program your own pass-thru app. It's on their site under support.
ooooh, that's new since I was last on their site
Harrison was working on getting the CANScan to also operate as a PassThru device, haven't pinged him in a while though so I'm not sure where he stands on it
#46
Originally Posted by MrJynx
we need game console hackers in here!
Very similar stuff going on here, keep up the good work.
On the flash for the ECU, I doubt the security is very strong, since they aren't trying to prevent the piracy of video games or something like that. I would only expect to see a checksum in there, and not to prevent modifying the flash code, but simply to not execute corrupted code if the flash got messed up, to prevent engine damage.
#47
Thread Starter
guys, I am amazed at the attention to detail and the desire to work together on this project...
I looked at it from a highly simplistic viewpoint, but being a programmer myself, I know that what can be done, can be undone...
What you guys have already uncovered has been nothing short of amazing...
What do you need? work together... and see if you can become the next RX-8 Idol!!!
#48
Banned
"Mushy mushy Stig Sam"?
I presume that is supposed to be "Moshi-Moshi Stig San!".
I'm really piqued by the possibility of doing my own PCM flashes - even if it is the OEM Mazda stuff. Just the idea of having my own WDS equivalent gives me goose-bumps.
But I'm a geek, so I digress...