Post by dino2gnt on Dec 15, 2021 14:55:17 GMT
The screenshots that I've seen look very well annotated.
My experience here stops at using GNU binutils to disassemble M32R binaries. An HC16 plugin in IDA Pro or something else?
Just curious about your tool set.
Post by admin on Dec 15, 2021 16:08:33 GMT
IDA Pro with the built-in HC16 plugin. Someone else showed me the basics, how Chrysler structured their code, then he disappeared. From there I'm self-taught and limited at 8-bit microcontrollers. Tried disassembling 32-bit firmware (NGC PCM) but I was so lost...
Post by dino2gnt on Dec 16, 2021 5:51:53 GMT
I'm not great at it myself, and it's been since before COVID that I spent significant time on it. With the M32R, I think the entire ISA is ~120 instructions and everything is aligned on word boundaries, so it breaks down to assembly very neatly. I was able to write a few small patches to fix behaviors that annoyed me, but nothing super in-depth, just using binutils and a hex editor. Very curious about HC16. I have a USB-BDM interface for 68HC16 on my desk; it may be a race to see which one gets used first: your scanner or the BDM.
Post by admin on Dec 16, 2021 17:34:53 GMT
Ha! Don't downplay yourself, patching microcontroller firmware is a big deal. Well here's to exploiting backdoors Chrysler engineers kindly left for us, I hope you find the discoveries useful!
Piton
Junior Member
Posts: 94
Post by Piton on Dec 19, 2021 0:08:26 GMT
> IDA Pro with the built-in HC16 plugin. Someone else showed me the basics, how Chrysler structured their code, then he disappeared. From there I'm self-taught and limited at 8-bit microcontrollers. Tried disassembling 32-bit firmware (NGC PCM) but I was so lost...

Wj 4L 2003 disassembling Ida aka Piton

Attachments: 56044563AI.BIN (256 KB)
56044563AI.RAR (765.84 KB)
Post by admin on Dec 19, 2021 8:50:01 GMT
Piton, this is a goldmine, thank you for sharing! The code arrangement looks different from, though still familiar to, that of my SBEC3, but you got it figured out as well. Excellent work! Do you know where security seed 2 is used?
I see you have SCI ID 36 hanging, this may be useful from SBEC3 code:
ROM:35098 jmp OBD2_ROUTINE ; SCI ID 36 OBD2 GATEWAY
ROM:35098 ; ----------------------
ROM:35098 ; TX: 36 XX YY ZZ
ROM:35098 ; RX: 36 XX YY ZZ KK YY MM NN PP QQ RR SS CS
ROM:35098 ;
ROM:35098 ; XX: OBD2 MODE
ROM:35098 ; YY: OBD2 PID
ROM:35098 ; ZZ: unknown
ROM:35098 ; KK: OBD2 MODE + $40
ROM:35098 ; YY: OBD2 PID
ROM:35098 ; MM: result HB
ROM:35098 ; NN: result LB
ROM:35098 ; PP QQ RR SS: unknown
ROM:35098 ; CS: full checksum
ROM:35098 ;
ROM:35098 ; Example: Mode 1 PID 00 (PIDs supported [01-20])
ROM:35098 ;
ROM:35098 ; TX: 36 01 00 00
ROM:35098 ; RX: 36 01 00 00 41 00 BE 3E B8 10 00 BE FA
ROM:35098 ;
ROM:35098 ; PIDs supported [01-20] = BE 3E
ROM:35098 ;
ROM:35098 ; Example: Mode 4 (Clear DTCs)
ROM:35098 ;
ROM:35098 ; TX: 36 04 00 00
ROM:35098 ; RX: 36 04 00 00 44 00 00 00 00 00 00 BB 39

ROM:32318 OBD2_ROUTINE:
ROM:32318 clrw word_A27, Z
ROM:3231C clrw word_A29, Z
ROM:32320 clrw word_A2B, Z
ROM:32324 clrw word_A2D, Z
ROM:32328 brset byte_A20, Z, #1, loc_327B6
ROM:3232E brset byte_A20, Z, #2, loc_32978
ROM:32334 brset byte_A20, Z, #4, loc_32B1A
ROM:3233A ldd word_A38, Z
ROM:3233E cmpa #1 ; OBD2 Mode 1: show current data
ROM:32340 lbeq CurrentData
ROM:32344 cmpa #2 ; OBD2 Mode 2: show freeze frame data
ROM:32346 lbeq FreezeFrameData
ROM:3234A cmpa #3 ; OBD2 Mode 3: show stored Diagnostic Trouble Codes (DTC)
ROM:3234C lbeq ShowStoredDTCs
ROM:32350 cmpa #4 ; OBD2 Mode 4: clear Diagnostic Trouble Codes (DTC) and stored values
ROM:32352 lbeq ClearDTCs
ROM:32356 cmpa #6 ; OBD2 Mode 6: test results, other component/system monitoring
ROM:32358 lbeq TestResults
ROM:3235C cmpa #7 ; OBD2 Mode 7: show pending Diagnostic Trouble Codes (detected during current or last driving cycle)
ROM:3235E lbeq ShowPendingDTCs
ROM:32362 jmp Mode_1_PID_NA
ROM:32366 ; ---------------------------------------------------------------------------
ROM:32366
ROM:32366 CurrentDataJmps:
ROM:32366 jmp Mode_1_PID_00 ; Mode 1 PID 00: PIDs supported [01-20]
ROM:3236A ; ---------------------------------------------------------------------------
ROM:3236A jmp Mode_1_PID_01 ; Mode 1 PID 01: Monitor status since DTCs cleared
ROM:3236E ; ---------------------------------------------------------------------------
ROM:3236E jmp Mode_1_PID_NA ; N/A ---Mode 1 PID 02: Freeze DTC---
ROM:32372 ; ---------------------------------------------------------------------------
ROM:32372 jmp Mode_1_PID_03 ; Mode 1 PID 03: Fuel system status
ROM:32376 ; ---------------------------------------------------------------------------
ROM:32376 jmp Mode_1_PID_04 ; Mode 1 PID 04: Calculated engine load
ROM:3237A ; ---------------------------------------------------------------------------
ROM:3237A jmp Mode_1_PID_05 ; Mode 1 PID 05: Engine coolant temperature
ROM:3237E ; ---------------------------------------------------------------------------
ROM:3237E jmp Mode_1_PID_06 ; Mode 1 PID 06: Short term fuel trim - Bank 1
ROM:32382 ; ---------------------------------------------------------------------------
ROM:32382 jmp Mode_1_PID_07 ; Mode 1 PID 07: Long term fuel trim - Bank 1
ROM:32386 ; ---------------------------------------------------------------------------
ROM:32386 jmp Mode_1_PID_08 ; Mode 1 PID 08: Short term fuel trim - Bank 2
ROM:3238A ; ---------------------------------------------------------------------------
ROM:3238A jmp Mode_1_PID_09 ; Mode 1 PID 09: Long term fuel trim - Bank 2
ROM:3238E ; ---------------------------------------------------------------------------
ROM:3238E jmp Mode_1_PID_NA ; N/A ---Mode 1 PID 0A: Fuel pressure---
ROM:32392 ; ---------------------------------------------------------------------------
ROM:32392 jmp Mode_1_PID_0B ; Mode 1 PID 0B: Intake manifold absolute pressure
ROM:32396 ; ---------------------------------------------------------------------------
ROM:32396 jmp Mode_1_PID_0C ; Mode 1 PID 0C: Engine speed
ROM:3239A ; ---------------------------------------------------------------------------
ROM:3239A jmp Mode_1_PID_0D ; Mode 1 PID 0D: Vehicle speed
ROM:3239E ; ---------------------------------------------------------------------------
ROM:3239E jmp Mode_1_PID_0E ; Mode 1 PID 0E: Timing advance
ROM:323A2 ; ---------------------------------------------------------------------------
ROM:323A2 jmp Mode_1_PID_0F ; Mode 1 PID 0F: Intake air temperature
ROM:323A6 ; ---------------------------------------------------------------------------
ROM:323A6 jmp Mode_1_PID_NA ; N/A ---Mode 1 PID 10: Mass air flow sensor (MAF) air flow rate---
ROM:323AA ; ---------------------------------------------------------------------------
ROM:323AA jmp Mode_1_PID_11 ; Mode 1 PID 11: Throttle position
ROM:323AE ; ---------------------------------------------------------------------------
ROM:323AE jmp Mode_1_PID_NA ; N/A ---Mode 1 PID 12: Commanded secondary air status---
ROM:323B2 ; ---------------------------------------------------------------------------
ROM:323B2 jmp Mode_1_PID_13 ; Mode 1 PID 13: Oxygen sensors present (in 2 banks)
ROM:323B6 ; ---------------------------------------------------------------------------
ROM:323B6 jmp Mode_1_PID_14 ; Mode 1 PID 14: Oxygen Sensor 1
ROM:323B6 ; A: Voltage
ROM:323B6 ; B: Short term fuel trim
ROM:323BA ; ---------------------------------------------------------------------------
ROM:323BA jmp Mode_1_PID_15 ; Mode 1 PID 15: Oxygen Sensor 2
ROM:323BA ; A: Voltage
ROM:323BA ; B: Short term fuel trim
ROM:323BE ; ---------------------------------------------------------------------------
ROM:323BE jmp Mode_1_PID_NA ; N/A ---Mode 1 PID 16: Oxygen Sensor 3
ROM:323BE ; A: Voltage
ROM:323BE ; B: Short term fuel trim---
ROM:323C2 ; ---------------------------------------------------------------------------
ROM:323C2 jmp Mode_1_PID_NA ; N/A ---Mode 1 PID 17: Oxygen Sensor 4
ROM:323C2 ; A: Voltage
ROM:323C2 ; B: Short term fuel trim---
ROM:323C6 ; ---------------------------------------------------------------------------
ROM:323C6 jmp Mode_1_PID_18 ; Mode 1 PID 18: Oxygen Sensor 5
ROM:323C6 ; A: Voltage
ROM:323C6 ; B: Short term fuel trim
ROM:323CA ; ---------------------------------------------------------------------------
ROM:323CA jmp Mode_1_PID_19 ; Mode 1 PID 19: Oxygen Sensor 6
ROM:323CA ; A: Voltage
ROM:323CA ; B: Short term fuel trim
ROM:323CE ; ---------------------------------------------------------------------------
ROM:323CE jmp Mode_1_PID_NA ; N/A ---Mode 1 PID 1A: Oxygen Sensor 7
ROM:323CE ; A: Voltage
ROM:323CE ; B: Short term fuel trim---
ROM:323D2 ; ---------------------------------------------------------------------------
ROM:323D2 jmp Mode_1_PID_NA ; N/A ---Mode 1 PID 1B: Oxygen Sensor 8
ROM:323D2 ; A: Voltage
ROM:323D2 ; B: Short term fuel trim---
ROM:323D6 ; ---------------------------------------------------------------------------
ROM:323D6 jmp Mode_1_PID_1C ; Mode 1 PID 1C: OBD standards this vehicle conforms to
ROM:323DA ; ---------------------------------------------------------------------------
ROM:323DA jmp Mode_1_PID_NA ; N/A ---Mode 1 PID 1D: Oxygen sensors present (in 4 banks)---
ROM:323DE ; ---------------------------------------------------------------------------
ROM:323DE jmp Mode_1_PID_NA ; N/A ---Mode 1 PID 1E: Auxiliary input status---
ROM:323E2 ; ---------------------------------------------------------------------------
ROM:323E2 jmp Mode_1_PID_NA ; N/A ---Mode 1 PID 1F: Run time since engine start---
ROM:323E6 ; ---------------------------------------------------------------------------
ROM:323E6 jmp Mode_1_PID_20 ; Mode 1 PID 20: PIDs supported [21-40]
ROM:323EA ; ---------------------------------------------------------------------------
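As an added illustration (my code, not from the thread or the SBEC3 firmware), a small Python parser for the SCI ID 36 reply format documented in the listing above, checked against the two example exchanges. It assumes CS is the 8-bit sum of all preceding bytes and that MM NN of a PID 00 reply is a bitmask for PIDs 01-10, most significant bit first; both are my inferences from the examples, not something the post states.

```python
# Parser for the SBEC3 SCI ID 36 OBD2 gateway reply (added example, not the
# firmware's own code):
#   TX: 36 XX YY ZZ
#   RX: 36 XX YY ZZ KK YY MM NN PP QQ RR SS CS
# Assumption: CS = 8-bit sum of every preceding byte (matches both examples).
# Assumption: for PID 00, MM NN is a 16-bit bitmask for PIDs 01-10, MSB first.

SCI_ID_OBD2_GATEWAY = 0x36
RX_LENGTH = 13


def sci_checksum(frame: bytes) -> int:
    """8-bit additive checksum over every byte except the trailing CS."""
    return sum(frame[:-1]) & 0xFF


def parse_gateway_reply(frame: bytes) -> dict:
    """Validate a 13-byte reply and split it into its documented fields."""
    if len(frame) != RX_LENGTH:
        raise ValueError(f"expected {RX_LENGTH} bytes, got {len(frame)}")
    if frame[0] != SCI_ID_OBD2_GATEWAY:
        raise ValueError(f"not an SCI ID 36 frame: {frame[0]:02X}")
    if sci_checksum(frame) != frame[-1]:
        raise ValueError("checksum mismatch, discard frame")
    mode, pid = frame[1], frame[2]
    # KK must be the echoed mode + $40 and YY the echoed PID
    if frame[4] != (mode + 0x40) & 0xFF or frame[5] != pid:
        raise ValueError("reply does not match the echoed request")
    return {
        "mode": mode,
        "pid": pid,
        "result": (frame[6] << 8) | frame[7],  # MM NN
        "unknown": frame[8:12],                # PP QQ RR SS
    }


def supported_pids(result: int) -> list:
    """Decode a PID 00 result (MM NN) into the PID numbers whose bit is set."""
    return [pid for pid in range(1, 17) if result & (1 << (16 - pid))]


# Constructed from the two example frames quoted in the post
REPLY_PID00 = bytes.fromhex("36 01 00 00 41 00 BE 3E B8 10 00 BE FA")
REPLY_CLEAR = bytes.fromhex("36 04 00 00 44 00 00 00 00 00 00 BB 39")

if __name__ == "__main__":
    info = parse_gateway_reply(REPLY_PID00)
    print("Mode 1 PID 00 ->", [f"{p:02X}" for p in supported_pids(info["result"])])
    print("Mode 4 ->", parse_gateway_reply(REPLY_CLEAR))
```

Rejecting frames that fail the checksum or whose KK/YY do not echo the request is what keeps a scan tool from acting on a corrupted or stray byte stream.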
Post by Piton on Dec 19, 2021 12:55:11 GMT
Post by admin on Dec 19, 2021 13:18:24 GMT
Really impressive work! The rest of the description of the SBEC controller is informative. Did you find a way to influence those systems and edit tables without re-flashing the SBEC?
Post by Piton on Dec 19, 2021 14:32:58 GMT
> Really impressive work! The rest of the description of the SBEC controller is informative. Did you find a way to influence those systems and edit tables without re-flashing the SBEC?

I solved the problem with the SBEC flashing 20 years ago. Everything turned out to be very simple there. When a high voltage (+12V) was applied to the TX pin, the 68hc11 processor went into boot mode by default, then loaded its program that wrote to the EPROM. The problem was to erase the EPROM with a UV lamp. Mode PIN 2,3 jeep.avtograd.ru/cherokee/injection/mopar/sbec/sbec_structure.pdf
Post by dino2gnt on Dec 21, 2021 18:33:05 GMT
Very neat! If you're interested in older SMEC, SBEC or '95 USDM FCC binaries, I have access to some from turbo-mopar.com. I think almost everything from that generation is HC11 based?
The USDM SBEC3 ECUs that I typically deal with are all potted in a sort of silicone. Even something as simple as following board traces is difficult. That's part of the reason these have been treated like a black box for decades.
Post by Piton on Dec 25, 2021 9:32:25 GMT
Post by dino2gnt on Jan 26, 2022 3:28:59 GMT
Here's a test for your disassembly skills, Daniel. This should be a complete flash image. *edit - this is a 05293190AC
Datasheet: this was actually an SGS-Thomson M28F220-90M3, but it's pin-compatible with the TMS28F200AZ and has the same specs as far as I can see. Was probably just cheaper that week...
Many Bothans died to bring us this information
Dino
Attachments: m28f200-take2.bin (256 KB)
Post by admin on Jan 26, 2022 8:29:21 GMT
Thank you! So it turns out that the programming voltage is not another obstacle made by engineers to make things worse, but the flash chip literally needs it. Noted! This step is missing from the re-programming thread: when you transmit a new flash block to the ECU, the SCI_RX pin needs to be pulled up to +20V. When done and +20V is disconnected, the ECU echoes back the flash block.
As for the flash image the content is nearly identical with 04606653AA, a binary I spent lots of time with, except the first few kilobytes where tables and such variables are stored. The functions are the same! It looks like a standard SBEC3 routine from 1996. Same SCI ID 26 behavior: 128 kB flash readable, the rest unreachable.
Bless their heart!
Post by dino2gnt on Jan 26, 2022 15:28:50 GMT
> Thank you! So it turns out that the programming voltage is not another obstacle made by engineers to make things worse, but the flash chip literally needs it. Noted!

Can't it be both? But yes, there's an 8V Zener diode in the circuit somewhere that "guards" the flash chip's +12V Vpp, so +20V on the line = +12V on Vpp. +12V on Vpp is required both to unlock the chip for write and to provide the power required to reprogram the flash.

> This step is missing from the re-programming thread that when you transmit a new flash block to the ECU the SCI_RX pin needs to be pulled up to +20V. When done and +20V is disconnected the ECU echoes back the flash block.

That's my understanding, too. Makes the reflash communication tricky because it'll have to switch between logic-level communication and +20V for every block transmitted.

> As for the flash image the content is nearly identical with 04606653AA, a binary I spent lots of time with, except the first few kilobytes where tables and such variables are stored. The functions are the same! It looks like a standard SBEC3 routine from 1996. Same SCI ID 26 behavior: 128 kB flash readable, the rest unreachable.

Surprisingly not surprising that they are similar. Is there anything interesting or useful in the other 128K? That should be the boot block, parameter blocks, etc.
Post by admin on Jan 26, 2022 16:03:35 GMT
I have no idea where the bootloader part resides. First half of the flash memory seems to contain many unknown engine related calculations, the ISO 9141 transceiver routine and the SCI-bus high-speed mode handler. Second half is where diagnostic tasks are done, like CCD/SCI-bus message transmission and interpretation. The OBD2 gateway is here as well that gets its information from ISO 9141. Piton did a great job reversing the engine calculations as well. I was always focusing on diagnostic messages only. Two halves make a whole I guess?